release: 2024.10.5

flows: better test stage's challenge responses (#12316)

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Jens L. <jens@goauthentik.io>

.bumpversion.cfg

@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2024.10.2
+current_version = 2024.10.5
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?:-(?P<rc_t>[a-zA-Z-]+)(?P<rc_n>[1-9]\\d*))?

.github/workflows/release-tag.yml

@@ -18,7 +18,7 @@ jobs:
           echo "AUTHENTIK_SECRET_KEY=$(openssl rand 32 | base64 -w 0)" >> .env
           docker buildx install
           mkdir -p ./gen-ts-api
-          docker build -t testing:latest .
+          docker build --no-cache -t testing:latest .
           echo "AUTHENTIK_IMAGE=testing" >> .env
           echo "AUTHENTIK_TAG=latest" >> .env
           docker compose up --no-start

authentik/__init__.py

@@ -2,7 +2,7 @@
 
 from os import environ
 
-__version__ = "2024.10.2"
+__version__ = "2024.10.5"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
 
 

authentik/brands/middleware.py

@@ -4,7 +4,7 @@ from collections.abc import Callable
 
 from django.http.request import HttpRequest
 from django.http.response import HttpResponse
-from django.utils.translation import activate
+from django.utils.translation import override
 
 from authentik.brands.utils import get_brand_for_request
 
@@ -18,10 +18,12 @@ class BrandMiddleware:
         self.get_response = get_response
 
     def __call__(self, request: HttpRequest) -> HttpResponse:
+        locale_to_set = None
         if not hasattr(request, "brand"):
             brand = get_brand_for_request(request)
             request.brand = brand
             locale = brand.default_locale
             if locale != "":
-                activate(locale)
-        return self.get_response(request)
+                locale_to_set = locale
+        with override(locale_to_set):
+            return self.get_response(request)

authentik/core/middleware.py

@@ -5,7 +5,7 @@ from contextvars import ContextVar
 from uuid import uuid4
 
 from django.http import HttpRequest, HttpResponse
-from django.utils.translation import activate
+from django.utils.translation import override
 from sentry_sdk.api import set_tag
 from structlog.contextvars import STRUCTLOG_KEY_PREFIX
 
@@ -31,17 +31,19 @@ class ImpersonateMiddleware:
     def __call__(self, request: HttpRequest) -> HttpResponse:
         # No permission checks are done here, they need to be checked before
         # SESSION_KEY_IMPERSONATE_USER is set.
+        locale_to_set = None
         if request.user.is_authenticated:
             locale = request.user.locale(request)
             if locale != "":
-                activate(locale)
+                locale_to_set = locale
 
         if SESSION_KEY_IMPERSONATE_USER in request.session:
             request.user = request.session[SESSION_KEY_IMPERSONATE_USER]
             # Ensure that the user is active, otherwise nothing will work
             request.user.is_active = True
 
-        return self.get_response(request)
+        with override(locale_to_set):
+            return self.get_response(request)
 
 
 class RequestIDMiddleware:

authentik/core/sources/flow_manager.py

@@ -129,6 +129,11 @@ class SourceFlowManager:
             )
             new_connection.user = self.request.user
             new_connection = self.update_user_connection(new_connection, **kwargs)
+            if existing := self.user_connection_type.objects.filter(
+                source=self.source, identifier=self.identifier
+            ).first():
+                existing = self.update_user_connection(existing)
+                return Action.AUTH, existing
             return Action.LINK, new_connection
 
         action, connection = self.matcher.get_user_action(self.identifier, self.user_properties)

authentik/core/tests/test_applications_api.py

@@ -12,7 +12,7 @@ from authentik.core.tests.utils import create_test_admin_user, create_test_flow
 from authentik.lib.generators import generate_id
 from authentik.policies.dummy.models import DummyPolicy
 from authentik.policies.models import PolicyBinding
-from authentik.providers.oauth2.models import OAuth2Provider
+from authentik.providers.oauth2.models import OAuth2Provider, RedirectURI, RedirectURIMatchingMode
 from authentik.providers.proxy.models import ProxyProvider
 from authentik.providers.saml.models import SAMLProvider
 
@@ -24,7 +24,7 @@ class TestApplicationsAPI(APITestCase):
         self.user = create_test_admin_user()
         self.provider = OAuth2Provider.objects.create(
             name="test",
-            redirect_uris="http://some-other-domain",
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://some-other-domain")],
             authorization_flow=create_test_flow(),
         )
         self.allowed: Application = Application.objects.create(

authentik/core/tests/test_source_flow_manager.py

@@ -81,6 +81,22 @@ class TestSourceFlowManager(TestCase):
             reverse("authentik_core:if-user") + "#/settings;page-sources",
         )
 
+    def test_authenticated_auth(self):
+        """Test authenticated user linking"""
+        user = User.objects.create(username="foo", email="foo@bar.baz")
+        UserOAuthSourceConnection.objects.create(
+            user=user, source=self.source, identifier=self.identifier
+        )
+        request = get_request("/", user=user)
+        flow_manager = OAuthSourceFlowManager(
+            self.source, request, self.identifier, {"info": {}}, {}
+        )
+        action, connection = flow_manager.get_action()
+        self.assertEqual(action, Action.AUTH)
+        self.assertIsNotNone(connection.pk)
+        response = flow_manager.get_flow()
+        self.assertEqual(response.status_code, 302)
+
     def test_unauthenticated_link(self):
         """Test un-authenticated user linking"""
         flow_manager = OAuthSourceFlowManager(

authentik/core/tests/test_transactional_applications_api.py

@@ -31,6 +31,7 @@ class TestTransactionalApplicationsAPI(APITestCase):
                     "name": uid,
                     "authorization_flow": str(create_test_flow().pk),
                     "invalidation_flow": str(create_test_flow().pk),
+                    "redirect_uris": [],
                 },
             },
         )
@@ -57,6 +58,7 @@ class TestTransactionalApplicationsAPI(APITestCase):
                     "name": uid,
                     "authorization_flow": "",
                     "invalidation_flow": "",
+                    "redirect_uris": [],
                 },
             },
         )

authentik/crypto/tests.py

@@ -18,7 +18,7 @@ from authentik.crypto.models import CertificateKeyPair
 from authentik.crypto.tasks import MANAGED_DISCOVERED, certificate_discovery
 from authentik.lib.config import CONFIG
 from authentik.lib.generators import generate_id, generate_key
-from authentik.providers.oauth2.models import OAuth2Provider
+from authentik.providers.oauth2.models import OAuth2Provider, RedirectURI, RedirectURIMatchingMode
 
 
 class TestCrypto(APITestCase):
@@ -274,7 +274,7 @@ class TestCrypto(APITestCase):
             client_id="test",
             client_secret=generate_key(),
             authorization_flow=create_test_flow(),
-            redirect_uris="http://localhost",
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost")],
             signing_key=keypair,
         )
         response = self.client.get(
@@ -306,7 +306,7 @@ class TestCrypto(APITestCase):
             client_id="test",
             client_secret=generate_key(),
             authorization_flow=create_test_flow(),
-            redirect_uris="http://localhost",
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost")],
             signing_key=keypair,
         )
         response = self.client.get(

authentik/enterprise/middleware.py

@@ -6,6 +6,7 @@ from django.http import HttpRequest, HttpResponse, JsonResponse
 from django.urls import resolve
 from structlog.stdlib import BoundLogger, get_logger
 
+from authentik.core.api.users import UserViewSet
 from authentik.enterprise.api import LicenseViewSet
 from authentik.enterprise.license import LicenseKey
 from authentik.enterprise.models import LicenseUsageStatus
@@ -59,6 +60,9 @@ class EnterpriseMiddleware:
         # Flow executor is mounted as an API path but explicitly allowed
         if request.resolver_match._func_path == class_to_path(FlowExecutorView):
             return True
+        # Always allow making changes to users, even in case the license has ben exceeded
+        if request.resolver_match._func_path == class_to_path(UserViewSet):
+            return True
         # Only apply these restrictions to the API
         if "authentik_api" not in request.resolver_match.app_names:
             return True

authentik/enterprise/stages/authenticator_endpoint_gdtc/views/dtc.py

@@ -4,7 +4,9 @@ from typing import Any
 from django.http import HttpRequest, HttpResponse, HttpResponseRedirect
 from django.template.response import TemplateResponse
 from django.urls import reverse
+from django.utils.decorators import method_decorator
 from django.views import View
+from django.views.decorators.clickjacking import xframe_options_sameorigin
 from googleapiclient.discovery import build
 
 from authentik.enterprise.stages.authenticator_endpoint_gdtc.models import (
@@ -26,6 +28,7 @@ HEADER_ACCESS_CHALLENGE_RESPONSE = "X-Verified-Access-Challenge-Response"
 DEVICE_TRUST_VERIFIED_ACCESS = "VerifiedAccess"
 
 
+@method_decorator(xframe_options_sameorigin, name="dispatch")
 class GoogleChromeDeviceTrustConnector(View):
     """Google Chrome Device-trust connector based endpoint authenticator"""
 

authentik/enterprise/tests/test_read_only.py

@@ -215,3 +215,49 @@ class TestReadOnly(FlowTestCase):
             {"detail": "Request denied due to expired/invalid license.", "code": "denied_license"},
         )
         self.assertEqual(response.status_code, 400)
+
+    @patch(
+        "authentik.enterprise.license.LicenseKey.validate",
+        MagicMock(
+            return_value=LicenseKey(
+                aud="",
+                exp=expiry_valid,
+                name=generate_id(),
+                internal_users=100,
+                external_users=100,
+            )
+        ),
+    )
+    @patch(
+        "authentik.enterprise.license.LicenseKey.get_internal_user_count",
+        MagicMock(return_value=1000),
+    )
+    @patch(
+        "authentik.enterprise.license.LicenseKey.get_external_user_count",
+        MagicMock(return_value=1000),
+    )
+    @patch(
+        "authentik.enterprise.license.LicenseKey.record_usage",
+        MagicMock(),
+    )
+    def test_manage_users(self):
+        """Test that managing users is still possible"""
+        License.objects.create(key=generate_id())
+        usage = LicenseUsage.objects.create(
+            internal_user_count=100,
+            external_user_count=100,
+            status=LicenseUsageStatus.VALID,
+        )
+        usage.record_date = now() - timedelta(weeks=THRESHOLD_READ_ONLY_WEEKS + 1)
+        usage.save(update_fields=["record_date"])
+
+        admin = create_test_admin_user()
+        self.client.force_login(admin)
+
+        # Reading is always allowed
+        response = self.client.get(reverse("authentik_api:user-list"))
+        self.assertEqual(response.status_code, 200)
+
+        # Writing should also be allowed
+        response = self.client.patch(reverse("authentik_api:user-detail", kwargs={"pk": admin.pk}))
+        self.assertEqual(response.status_code, 200)

authentik/flows/stage.py

@@ -2,6 +2,7 @@
 
 from typing import TYPE_CHECKING
 
+from django.conf import settings
 from django.contrib.auth.models import AnonymousUser
 from django.http import HttpRequest
 from django.http.request import QueryDict
@@ -224,6 +225,14 @@ class ChallengeStageView(StageView):
                 full_errors[field].append(field_error)
         challenge_response.initial_data["response_errors"] = full_errors
         if not challenge_response.is_valid():
+            if settings.TEST:
+                raise StageInvalidException(
+                    (
+                        f"Invalid challenge response: \n\t{challenge_response.errors}"
+                        f"\n\nValidated data:\n\t {challenge_response.data}"
+                        f"\n\nInitial data:\n\t {challenge_response.initial_data}"
+                    ),
+                )
             self.logger.error(
                 "f(ch): invalid challenge response",
                 errors=challenge_response.errors,

authentik/providers/ldap/api.py

@@ -159,7 +159,10 @@ class LDAPOutpostConfigViewSet(ListModelMixin, GenericViewSet):
         access_response = PolicyResult(result.passing)
         response = self.LDAPCheckAccessSerializer(
             instance={
-                "has_search_permission": request.user.has_perm("search_full_directory", provider),
+                "has_search_permission": (
+                    request.user.has_perm("search_full_directory", provider)
+                    or request.user.has_perm("authentik_providers_ldap.search_full_directory")
+                ),
                 "access": access_response,
             }
         )

authentik/providers/oauth2/api/providers.py

@@ -1,15 +1,18 @@
 """OAuth2Provider API Views"""
 
 from copy import copy
+from re import compile
+from re import error as RegexError
 
 from django.urls import reverse
 from django.utils import timezone
+from django.utils.translation import gettext_lazy as _
 from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import OpenApiParameter, OpenApiResponse, extend_schema
 from guardian.shortcuts import get_objects_for_user
 from rest_framework.decorators import action
 from rest_framework.exceptions import ValidationError
-from rest_framework.fields import CharField
+from rest_framework.fields import CharField, ChoiceField
 from rest_framework.generics import get_object_or_404
 from rest_framework.request import Request
 from rest_framework.response import Response
@@ -20,13 +23,39 @@ from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import PassiveSerializer, PropertyMappingPreviewSerializer
 from authentik.core.models import Provider
 from authentik.providers.oauth2.id_token import IDToken
-from authentik.providers.oauth2.models import AccessToken, OAuth2Provider, ScopeMapping
+from authentik.providers.oauth2.models import (
+    AccessToken,
+    OAuth2Provider,
+    RedirectURIMatchingMode,
+    ScopeMapping,
+)
 from authentik.rbac.decorators import permission_required
 
 
+class RedirectURISerializer(PassiveSerializer):
+    """A single allowed redirect URI entry"""
+
+    matching_mode = ChoiceField(choices=RedirectURIMatchingMode.choices)
+    url = CharField()
+
+
 class OAuth2ProviderSerializer(ProviderSerializer):
     """OAuth2Provider Serializer"""
 
+    redirect_uris = RedirectURISerializer(many=True, source="_redirect_uris")
+
+    def validate_redirect_uris(self, data: list) -> list:
+        for entry in data:
+            if entry.get("matching_mode") == RedirectURIMatchingMode.REGEX:
+                url = entry.get("url")
+                try:
+                    compile(url)
+                except RegexError:
+                    raise ValidationError(
+                        _("Invalid Regex Pattern: {url}".format(url=url))
+                    ) from None
+        return data
+
     class Meta:
         model = OAuth2Provider
         fields = ProviderSerializer.Meta.fields + [
@@ -79,7 +108,6 @@ class OAuth2ProviderViewSet(UsedByMixin, ModelViewSet):
         "refresh_token_validity",
         "include_claims_in_id_token",
         "signing_key",
-        "redirect_uris",
         "sub_mode",
         "property_mappings",
         "issuer_mode",

authentik/providers/oauth2/errors.py

@@ -7,7 +7,7 @@ from django.http import HttpRequest, HttpResponse, HttpResponseRedirect
 from authentik.events.models import Event, EventAction
 from authentik.lib.sentry import SentryIgnoredException
 from authentik.lib.views import bad_request_message
-from authentik.providers.oauth2.models import GrantTypes
+from authentik.providers.oauth2.models import GrantTypes, RedirectURI
 
 
 class OAuth2Error(SentryIgnoredException):
@@ -46,9 +46,9 @@ class RedirectUriError(OAuth2Error):
     )
 
     provided_uri: str
-    allowed_uris: list[str]
+    allowed_uris: list[RedirectURI]
 
-    def __init__(self, provided_uri: str, allowed_uris: list[str]) -> None:
+    def __init__(self, provided_uri: str, allowed_uris: list[RedirectURI]) -> None:
         super().__init__()
         self.provided_uri = provided_uri
         self.allowed_uris = allowed_uris

authentik/providers/oauth2/migrations/0022_remove_accesstoken_session_id_and_more.py

@@ -37,7 +37,7 @@ def migrate_session(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
 class Migration(migrations.Migration):
 
     dependencies = [
-        ("authentik_core", "0040_provider_invalidation_flow"),
+        ("authentik_core", "0039_source_group_matching_mode_alter_group_name_and_more"),
         ("authentik_providers_oauth2", "0021_oauth2provider_encryption_key_and_more"),
     ]
 

authentik/providers/oauth2/migrations/0023_alter_accesstoken_refreshtoken_use_hash_index.py

@@ -8,7 +8,7 @@ from django.db import migrations
 class Migration(migrations.Migration):
 
     dependencies = [
-        ("authentik_core", "0040_provider_invalidation_flow"),
+        ("authentik_core", "0039_source_group_matching_mode_alter_group_name_and_more"),
         ("authentik_providers_oauth2", "0022_remove_accesstoken_session_id_and_more"),
         migrations.swappable_dependency(settings.AUTH_USER_MODEL),
     ]

authentik/providers/oauth2/migrations/0024_remove_oauth2provider_redirect_uris_and_more.py

@@ -0,0 +1,49 @@
+# Generated by Django 5.0.9 on 2024-11-04 12:56
+from dataclasses import asdict
+from django.apps.registry import Apps
+
+from django.db.backends.base.schema import BaseDatabaseSchemaEditor
+
+from django.db import migrations, models
+
+
+def migrate_redirect_uris(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
+    from authentik.providers.oauth2.models import RedirectURI, RedirectURIMatchingMode
+
+    OAuth2Provider = apps.get_model("authentik_providers_oauth2", "oauth2provider")
+
+    db_alias = schema_editor.connection.alias
+    for provider in OAuth2Provider.objects.using(db_alias).all():
+        uris = []
+        for old in provider.old_redirect_uris.split("\n"):
+            mode = RedirectURIMatchingMode.STRICT
+            if old == "*" or old == ".*":
+                mode = RedirectURIMatchingMode.REGEX
+            uris.append(asdict(RedirectURI(mode, url=old)))
+        provider._redirect_uris = uris
+        provider.save()
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_providers_oauth2", "0023_alter_accesstoken_refreshtoken_use_hash_index"),
+    ]
+
+    operations = [
+        migrations.RenameField(
+            model_name="oauth2provider",
+            old_name="redirect_uris",
+            new_name="old_redirect_uris",
+        ),
+        migrations.AddField(
+            model_name="oauth2provider",
+            name="_redirect_uris",
+            field=models.JSONField(default=dict, verbose_name="Redirect URIs"),
+        ),
+        migrations.RunPython(migrate_redirect_uris, lambda *args: ...),
+        migrations.RemoveField(
+            model_name="oauth2provider",
+            name="old_redirect_uris",
+        ),
+    ]

authentik/providers/oauth2/models.py

@@ -3,7 +3,7 @@
 import base64
 import binascii
 import json
-from dataclasses import asdict
+from dataclasses import asdict, dataclass
 from functools import cached_property
 from hashlib import sha256
 from typing import Any
@@ -12,6 +12,7 @@ from urllib.parse import urlparse, urlunparse
 from cryptography.hazmat.primitives.asymmetric.ec import EllipticCurvePrivateKey
 from cryptography.hazmat.primitives.asymmetric.rsa import RSAPrivateKey
 from cryptography.hazmat.primitives.asymmetric.types import PrivateKeyTypes
+from dacite import Config
 from dacite.core import from_dict
 from django.contrib.postgres.indexes import HashIndex
 from django.db import models
@@ -77,11 +78,25 @@ class IssuerMode(models.TextChoices):
     """Configure how the `iss` field is created."""
 
     GLOBAL = "global", _("Same identifier is used for all providers")
-    PER_PROVIDER = "per_provider", _(
-        "Each provider has a different issuer, based on the application slug."
+    PER_PROVIDER = (
+        "per_provider",
+        _("Each provider has a different issuer, based on the application slug."),
     )
 
 
+class RedirectURIMatchingMode(models.TextChoices):
+    STRICT = "strict", _("Strict URL comparison")
+    REGEX = "regex", _("Regular Expression URL matching")
+
+
+@dataclass
+class RedirectURI:
+    """A single redirect URI entry"""
+
+    matching_mode: RedirectURIMatchingMode
+    url: str
+
+
 class ResponseTypes(models.TextChoices):
     """Response Type required by the client."""
 
@@ -156,11 +171,9 @@ class OAuth2Provider(WebfingerProvider, Provider):
         verbose_name=_("Client Secret"),
         default=generate_client_secret,
     )
-    redirect_uris = models.TextField(
-        default="",
-        blank=True,
+    _redirect_uris = models.JSONField(
+        default=dict,
         verbose_name=_("Redirect URIs"),
-        help_text=_("Enter each URI on a new line."),
     )
 
     include_claims_in_id_token = models.BooleanField(
@@ -271,12 +284,33 @@ class OAuth2Provider(WebfingerProvider, Provider):
         except Provider.application.RelatedObjectDoesNotExist:
             return None
 
+    @property
+    def redirect_uris(self) -> list[RedirectURI]:
+        uris = []
+        for entry in self._redirect_uris:
+            uris.append(
+                from_dict(
+                    RedirectURI,
+                    entry,
+                    config=Config(type_hooks={RedirectURIMatchingMode: RedirectURIMatchingMode}),
+                )
+            )
+        return uris
+
+    @redirect_uris.setter
+    def redirect_uris(self, value: list[RedirectURI]):
+        cleansed = []
+        for entry in value:
+            cleansed.append(asdict(entry))
+        self._redirect_uris = cleansed
+
     @property
     def launch_url(self) -> str | None:
         """Guess launch_url based on first redirect_uri"""
-        if self.redirect_uris == "":
+        redirects = self.redirect_uris
+        if len(redirects) < 1:
             return None
-        main_url = self.redirect_uris.split("\n", maxsplit=1)[0]
+        main_url = redirects[0].url
         try:
             launch_url = urlparse(main_url)._replace(path="")
             return urlunparse(launch_url)

authentik/providers/oauth2/tests/test_api.py

@@ -10,7 +10,13 @@ from rest_framework.test import APITestCase
 from authentik.blueprints.tests import apply_blueprint
 from authentik.core.models import Application
 from authentik.core.tests.utils import create_test_admin_user, create_test_flow
-from authentik.providers.oauth2.models import OAuth2Provider, ScopeMapping
+from authentik.lib.generators import generate_id
+from authentik.providers.oauth2.models import (
+    OAuth2Provider,
+    RedirectURI,
+    RedirectURIMatchingMode,
+    ScopeMapping,
+)
 
 
 class TestAPI(APITestCase):
@@ -21,7 +27,7 @@ class TestAPI(APITestCase):
         self.provider: OAuth2Provider = OAuth2Provider.objects.create(
             name="test",
             authorization_flow=create_test_flow(),
-            redirect_uris="http://testserver",
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://testserver")],
         )
         self.provider.property_mappings.set(ScopeMapping.objects.all())
         self.app = Application.objects.create(name="test", slug="test", provider=self.provider)
@@ -50,9 +56,29 @@ class TestAPI(APITestCase):
     @skipUnless(version_info >= (3, 11, 4), "This behaviour is only Python 3.11.4 and up")
     def test_launch_url(self):
         """Test launch_url"""
-        self.provider.redirect_uris = (
-            "https://[\\d\\w]+.pr.test.goauthentik.io/source/oauth/callback/authentik/\n"
-        )
+        self.provider.redirect_uris = [
+            RedirectURI(
+                RedirectURIMatchingMode.REGEX,
+                "https://[\\d\\w]+.pr.test.goauthentik.io/source/oauth/callback/authentik/",
+            ),
+        ]
         self.provider.save()
         self.provider.refresh_from_db()
         self.assertIsNone(self.provider.launch_url)
+
+    def test_validate_redirect_uris(self):
+        """Test redirect_uris API"""
+        response = self.client.post(
+            reverse("authentik_api:oauth2provider-list"),
+            data={
+                "name": generate_id(),
+                "authorization_flow": create_test_flow().pk,
+                "invalidation_flow": create_test_flow().pk,
+                "redirect_uris": [
+                    {"matching_mode": "strict", "url": "http://goauthentik.io"},
+                    {"matching_mode": "regex", "url": "**"},
+                ],
+            },
+        )
+        self.assertJSONEqual(response.content, {"redirect_uris": ["Invalid Regex Pattern: **"]})
+        self.assertEqual(response.status_code, 400)

authentik/providers/oauth2/tests/test_authorize.py

@@ -19,6 +19,8 @@ from authentik.providers.oauth2.models import (
     AuthorizationCode,
     GrantTypes,
     OAuth2Provider,
+    RedirectURI,
+    RedirectURIMatchingMode,
     ScopeMapping,
 )
 from authentik.providers.oauth2.tests.utils import OAuthTestCase
@@ -39,7 +41,7 @@ class TestAuthorize(OAuthTestCase):
             name=generate_id(),
             client_id="test",
             authorization_flow=create_test_flow(),
-            redirect_uris="http://local.invalid/Foo",
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid/Foo")],
         )
         with self.assertRaises(AuthorizeError):
             request = self.factory.get(
@@ -64,7 +66,7 @@ class TestAuthorize(OAuthTestCase):
             name=generate_id(),
             client_id="test",
             authorization_flow=create_test_flow(),
-            redirect_uris="http://local.invalid/Foo",
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid/Foo")],
         )
         with self.assertRaises(AuthorizeError):
             request = self.factory.get(
@@ -84,7 +86,7 @@ class TestAuthorize(OAuthTestCase):
             name=generate_id(),
             client_id="test",
             authorization_flow=create_test_flow(),
-            redirect_uris="http://local.invalid",
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")],
         )
         with self.assertRaises(RedirectUriError):
             request = self.factory.get("/", data={"response_type": "code", "client_id": "test"})
@@ -106,7 +108,7 @@ class TestAuthorize(OAuthTestCase):
             name=generate_id(),
             client_id="test",
             authorization_flow=create_test_flow(),
-            redirect_uris="data:local.invalid",
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "data:local.invalid")],
         )
         with self.assertRaises(RedirectUriError):
             request = self.factory.get(
@@ -125,7 +127,7 @@ class TestAuthorize(OAuthTestCase):
             name=generate_id(),
             client_id="test",
             authorization_flow=create_test_flow(),
-            redirect_uris="",
+            redirect_uris=[],
         )
         with self.assertRaises(RedirectUriError):
             request = self.factory.get("/", data={"response_type": "code", "client_id": "test"})
@@ -140,7 +142,7 @@ class TestAuthorize(OAuthTestCase):
         )
         OAuthAuthorizationParams.from_request(request)
         provider.refresh_from_db()
-        self.assertEqual(provider.redirect_uris, "+")
+        self.assertEqual(provider.redirect_uris, [RedirectURI(RedirectURIMatchingMode.STRICT, "+")])
 
     def test_invalid_redirect_uri_regex(self):
         """test missing/invalid redirect URI"""
@@ -148,7 +150,7 @@ class TestAuthorize(OAuthTestCase):
             name=generate_id(),
             client_id="test",
             authorization_flow=create_test_flow(),
-            redirect_uris="http://local.invalid?",
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid?")],
         )
         with self.assertRaises(RedirectUriError):
             request = self.factory.get("/", data={"response_type": "code", "client_id": "test"})
@@ -170,7 +172,7 @@ class TestAuthorize(OAuthTestCase):
             name=generate_id(),
             client_id="test",
             authorization_flow=create_test_flow(),
-            redirect_uris="+",
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "+")],
         )
         with self.assertRaises(RedirectUriError):
             request = self.factory.get("/", data={"response_type": "code", "client_id": "test"})
@@ -213,7 +215,7 @@ class TestAuthorize(OAuthTestCase):
             name=generate_id(),
             client_id="test",
             authorization_flow=create_test_flow(),
-            redirect_uris="http://local.invalid/Foo",
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid/Foo")],
         )
         provider.property_mappings.set(
             ScopeMapping.objects.filter(
@@ -301,7 +303,7 @@ class TestAuthorize(OAuthTestCase):
             name=generate_id(),
             client_id="test",
             authorization_flow=flow,
-            redirect_uris="foo://localhost",
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "foo://localhost")],
             access_code_validity="seconds=100",
         )
         Application.objects.create(name="app", slug="app", provider=provider)
@@ -343,7 +345,7 @@ class TestAuthorize(OAuthTestCase):
             name=generate_id(),
             client_id="test",
             authorization_flow=flow,
-            redirect_uris="http://localhost",
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost")],
             signing_key=self.keypair,
         )
         provider.property_mappings.set(
@@ -420,7 +422,7 @@ class TestAuthorize(OAuthTestCase):
             name=generate_id(),
             client_id="test",
             authorization_flow=flow,
-            redirect_uris="http://localhost",
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost")],
             signing_key=self.keypair,
             encryption_key=self.keypair,
         )
@@ -486,7 +488,7 @@ class TestAuthorize(OAuthTestCase):
             name=generate_id(),
             client_id="test",
             authorization_flow=flow,
-            redirect_uris="http://localhost",
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost")],
             signing_key=self.keypair,
         )
         Application.objects.create(name="app", slug="app", provider=provider)
@@ -541,7 +543,7 @@ class TestAuthorize(OAuthTestCase):
             name=generate_id(),
             client_id=generate_id(),
             authorization_flow=flow,
-            redirect_uris="http://localhost",
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost")],
             signing_key=self.keypair,
         )
         provider.property_mappings.set(
@@ -599,7 +601,7 @@ class TestAuthorize(OAuthTestCase):
             name=generate_id(),
             client_id=generate_id(),
             authorization_flow=flow,
-            redirect_uris="http://localhost",
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost")],
             signing_key=self.keypair,
         )
         app = Application.objects.create(name=generate_id(), slug=generate_id(), provider=provider)

authentik/providers/oauth2/tests/test_introspect.py

@@ -11,7 +11,14 @@ from authentik.core.models import Application
 from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow
 from authentik.lib.generators import generate_id
 from authentik.providers.oauth2.constants import ACR_AUTHENTIK_DEFAULT
-from authentik.providers.oauth2.models import AccessToken, IDToken, OAuth2Provider, RefreshToken
+from authentik.providers.oauth2.models import (
+    AccessToken,
+    IDToken,
+    OAuth2Provider,
+    RedirectURI,
+    RedirectURIMatchingMode,
+    RefreshToken,
+)
 from authentik.providers.oauth2.tests.utils import OAuthTestCase
 
 
@@ -23,7 +30,7 @@ class TesOAuth2Introspection(OAuthTestCase):
         self.provider: OAuth2Provider = OAuth2Provider.objects.create(
             name=generate_id(),
             authorization_flow=create_test_flow(),
-            redirect_uris="",
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "")],
             signing_key=create_test_cert(),
         )
         self.app = Application.objects.create(
@@ -118,7 +125,7 @@ class TesOAuth2Introspection(OAuthTestCase):
         provider: OAuth2Provider = OAuth2Provider.objects.create(
             name=generate_id(),
             authorization_flow=create_test_flow(),
-            redirect_uris="",
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "")],
             signing_key=create_test_cert(),
         )
         auth = b64encode(f"{provider.client_id}:{provider.client_secret}".encode()).decode()

authentik/providers/oauth2/tests/test_jwks.py

@@ -13,7 +13,7 @@ from authentik.core.tests.utils import create_test_cert, create_test_flow
 from authentik.crypto.builder import PrivateKeyAlg
 from authentik.crypto.models import CertificateKeyPair
 from authentik.lib.generators import generate_id
-from authentik.providers.oauth2.models import OAuth2Provider
+from authentik.providers.oauth2.models import OAuth2Provider, RedirectURI, RedirectURIMatchingMode
 from authentik.providers.oauth2.tests.utils import OAuthTestCase
 
 TEST_CORDS_CERT = """
@@ -49,7 +49,7 @@ class TestJWKS(OAuthTestCase):
             name="test",
             client_id="test",
             authorization_flow=create_test_flow(),
-            redirect_uris="http://local.invalid",
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")],
             signing_key=create_test_cert(),
         )
         app = Application.objects.create(name="test", slug="test", provider=provider)
@@ -68,7 +68,7 @@ class TestJWKS(OAuthTestCase):
             name="test",
             client_id="test",
             authorization_flow=create_test_flow(),
-            redirect_uris="http://local.invalid",
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")],
         )
         app = Application.objects.create(name="test", slug="test", provider=provider)
         response = self.client.get(
@@ -82,7 +82,7 @@ class TestJWKS(OAuthTestCase):
             name="test",
             client_id="test",
             authorization_flow=create_test_flow(),
-            redirect_uris="http://local.invalid",
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")],
             signing_key=create_test_cert(PrivateKeyAlg.ECDSA),
         )
         app = Application.objects.create(name="test", slug="test", provider=provider)
@@ -99,7 +99,7 @@ class TestJWKS(OAuthTestCase):
             name="test",
             client_id="test",
             authorization_flow=create_test_flow(),
-            redirect_uris="http://local.invalid",
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")],
             signing_key=create_test_cert(PrivateKeyAlg.ECDSA),
             encryption_key=create_test_cert(PrivateKeyAlg.ECDSA),
         )
@@ -122,7 +122,7 @@ class TestJWKS(OAuthTestCase):
             name="test",
             client_id="test",
             authorization_flow=create_test_flow(),
-            redirect_uris="http://local.invalid",
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")],
             signing_key=cert,
         )
         app = Application.objects.create(name="test", slug="test", provider=provider)

authentik/providers/oauth2/tests/test_revoke.py

@@ -10,7 +10,14 @@ from django.utils import timezone
 from authentik.core.models import Application
 from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow
 from authentik.lib.generators import generate_id
-from authentik.providers.oauth2.models import AccessToken, IDToken, OAuth2Provider, RefreshToken
+from authentik.providers.oauth2.models import (
+    AccessToken,
+    IDToken,
+    OAuth2Provider,
+    RedirectURI,
+    RedirectURIMatchingMode,
+    RefreshToken,
+)
 from authentik.providers.oauth2.tests.utils import OAuthTestCase
 
 
@@ -22,7 +29,7 @@ class TesOAuth2Revoke(OAuthTestCase):
         self.provider: OAuth2Provider = OAuth2Provider.objects.create(
             name=generate_id(),
             authorization_flow=create_test_flow(),
-            redirect_uris="",
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "")],
             signing_key=create_test_cert(),
         )
         self.app = Application.objects.create(

authentik/providers/oauth2/tests/test_token.py

@@ -22,6 +22,8 @@ from authentik.providers.oauth2.models import (
     AccessToken,
     AuthorizationCode,
     OAuth2Provider,
+    RedirectURI,
+    RedirectURIMatchingMode,
     RefreshToken,
     ScopeMapping,
 )
@@ -42,7 +44,7 @@ class TestToken(OAuthTestCase):
         provider = OAuth2Provider.objects.create(
             name=generate_id(),
             authorization_flow=create_test_flow(),
-            redirect_uris="http://TestServer",
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://TestServer")],
             signing_key=self.keypair,
         )
         header = b64encode(f"{provider.client_id}:{provider.client_secret}".encode()).decode()
@@ -69,7 +71,7 @@ class TestToken(OAuthTestCase):
         provider = OAuth2Provider.objects.create(
             name=generate_id(),
             authorization_flow=create_test_flow(),
-            redirect_uris="http://testserver",
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://testserver")],
             signing_key=self.keypair,
         )
         header = b64encode(f"{provider.client_id}:{provider.client_secret}".encode()).decode()
@@ -90,7 +92,7 @@ class TestToken(OAuthTestCase):
         provider = OAuth2Provider.objects.create(
             name=generate_id(),
             authorization_flow=create_test_flow(),
-            redirect_uris="http://local.invalid",
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")],
             signing_key=self.keypair,
         )
         header = b64encode(f"{provider.client_id}:{provider.client_secret}".encode()).decode()
@@ -118,7 +120,7 @@ class TestToken(OAuthTestCase):
         provider = OAuth2Provider.objects.create(
             name=generate_id(),
             authorization_flow=create_test_flow(),
-            redirect_uris="http://local.invalid",
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")],
             signing_key=self.keypair,
         )
         # Needs to be assigned to an application for iss to be set
@@ -157,7 +159,7 @@ class TestToken(OAuthTestCase):
         provider = OAuth2Provider.objects.create(
             name=generate_id(),
             authorization_flow=create_test_flow(),
-            redirect_uris="http://local.invalid",
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")],
             signing_key=self.keypair,
             encryption_key=self.keypair,
         )
@@ -188,7 +190,7 @@ class TestToken(OAuthTestCase):
         provider = OAuth2Provider.objects.create(
             name=generate_id(),
             authorization_flow=create_test_flow(),
-            redirect_uris="http://local.invalid",
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")],
             signing_key=self.keypair,
         )
         provider.property_mappings.set(
@@ -250,7 +252,7 @@ class TestToken(OAuthTestCase):
         provider = OAuth2Provider.objects.create(
             name=generate_id(),
             authorization_flow=create_test_flow(),
-            redirect_uris="http://local.invalid",
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")],
             signing_key=self.keypair,
         )
         provider.property_mappings.set(
@@ -308,7 +310,7 @@ class TestToken(OAuthTestCase):
         provider = OAuth2Provider.objects.create(
             name=generate_id(),
             authorization_flow=create_test_flow(),
-            redirect_uris="http://testserver",
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://testserver")],
             signing_key=self.keypair,
         )
         provider.property_mappings.set(

authentik/providers/oauth2/tests/test_token_cc_jwt_source.py

@@ -19,7 +19,12 @@ from authentik.providers.oauth2.constants import (
     SCOPE_OPENID_PROFILE,
     TOKEN_TYPE,
 )
-from authentik.providers.oauth2.models import OAuth2Provider, ScopeMapping
+from authentik.providers.oauth2.models import (
+    OAuth2Provider,
+    RedirectURI,
+    RedirectURIMatchingMode,
+    ScopeMapping,
+)
 from authentik.providers.oauth2.tests.utils import OAuthTestCase
 from authentik.providers.oauth2.views.jwks import JWKSView
 from authentik.sources.oauth.models import OAuthSource
@@ -54,7 +59,7 @@ class TestTokenClientCredentialsJWTSource(OAuthTestCase):
         self.provider: OAuth2Provider = OAuth2Provider.objects.create(
             name="test",
             authorization_flow=create_test_flow(),
-            redirect_uris="http://testserver",
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://testserver")],
             signing_key=self.cert,
         )
         self.provider.jwks_sources.add(self.source)

authentik/providers/oauth2/tests/test_token_cc_standard.py

@@ -19,7 +19,13 @@ from authentik.providers.oauth2.constants import (
     TOKEN_TYPE,
 )
 from authentik.providers.oauth2.errors import TokenError
-from authentik.providers.oauth2.models import OAuth2Provider, ScopeMapping
+from authentik.providers.oauth2.models import (
+    AccessToken,
+    OAuth2Provider,
+    RedirectURI,
+    RedirectURIMatchingMode,
+    ScopeMapping,
+)
 from authentik.providers.oauth2.tests.utils import OAuthTestCase
 
 
@@ -33,7 +39,7 @@ class TestTokenClientCredentialsStandard(OAuthTestCase):
         self.provider = OAuth2Provider.objects.create(
             name="test",
             authorization_flow=create_test_flow(),
-            redirect_uris="http://testserver",
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://testserver")],
             signing_key=create_test_cert(),
         )
         self.provider.property_mappings.set(ScopeMapping.objects.all())
@@ -107,6 +113,48 @@ class TestTokenClientCredentialsStandard(OAuthTestCase):
             {"error": "invalid_grant", "error_description": TokenError.errors["invalid_grant"]},
         )
 
+    def test_incorrect_scopes(self):
+        """test scope that isn't configured"""
+        response = self.client.post(
+            reverse("authentik_providers_oauth2:token"),
+            {
+                "grant_type": GRANT_TYPE_CLIENT_CREDENTIALS,
+                "scope": f"{SCOPE_OPENID} {SCOPE_OPENID_EMAIL} {SCOPE_OPENID_PROFILE} extra_scope",
+                "client_id": self.provider.client_id,
+                "client_secret": self.provider.client_secret,
+            },
+        )
+        self.assertEqual(response.status_code, 200)
+        body = loads(response.content.decode())
+        self.assertEqual(body["token_type"], TOKEN_TYPE)
+        token = AccessToken.objects.filter(
+            provider=self.provider, token=body["access_token"]
+        ).first()
+        self.assertSetEqual(
+            set(token.scope), {SCOPE_OPENID, SCOPE_OPENID_EMAIL, SCOPE_OPENID_PROFILE}
+        )
+        _, alg = self.provider.jwt_key
+        jwt = decode(
+            body["access_token"],
+            key=self.provider.signing_key.public_key,
+            algorithms=[alg],
+            audience=self.provider.client_id,
+        )
+        self.assertEqual(
+            jwt["given_name"], "Autogenerated user from application test (client credentials)"
+        )
+        self.assertEqual(jwt["preferred_username"], "ak-test-client_credentials")
+        jwt = decode(
+            body["id_token"],
+            key=self.provider.signing_key.public_key,
+            algorithms=[alg],
+            audience=self.provider.client_id,
+        )
+        self.assertEqual(
+            jwt["given_name"], "Autogenerated user from application test (client credentials)"
+        )
+        self.assertEqual(jwt["preferred_username"], "ak-test-client_credentials")
+
     def test_successful(self):
         """test successful"""
         response = self.client.post(

authentik/providers/oauth2/tests/test_token_cc_standard_compat.py

@@ -20,7 +20,12 @@ from authentik.providers.oauth2.constants import (
     TOKEN_TYPE,
 )
 from authentik.providers.oauth2.errors import TokenError
-from authentik.providers.oauth2.models import OAuth2Provider, ScopeMapping
+from authentik.providers.oauth2.models import (
+    OAuth2Provider,
+    RedirectURI,
+    RedirectURIMatchingMode,
+    ScopeMapping,
+)
 from authentik.providers.oauth2.tests.utils import OAuthTestCase
 
 
@@ -34,7 +39,7 @@ class TestTokenClientCredentialsStandardCompat(OAuthTestCase):
         self.provider = OAuth2Provider.objects.create(
             name="test",
             authorization_flow=create_test_flow(),
-            redirect_uris="http://testserver",
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://testserver")],
             signing_key=create_test_cert(),
         )
         self.provider.property_mappings.set(ScopeMapping.objects.all())

authentik/providers/oauth2/tests/test_token_cc_user_pw.py

@@ -19,7 +19,12 @@ from authentik.providers.oauth2.constants import (
     TOKEN_TYPE,
 )
 from authentik.providers.oauth2.errors import TokenError
-from authentik.providers.oauth2.models import OAuth2Provider, ScopeMapping
+from authentik.providers.oauth2.models import (
+    OAuth2Provider,
+    RedirectURI,
+    RedirectURIMatchingMode,
+    ScopeMapping,
+)
 from authentik.providers.oauth2.tests.utils import OAuthTestCase
 
 
@@ -33,7 +38,7 @@ class TestTokenClientCredentialsUserNamePassword(OAuthTestCase):
         self.provider = OAuth2Provider.objects.create(
             name="test",
             authorization_flow=create_test_flow(),
-            redirect_uris="http://testserver",
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://testserver")],
             signing_key=create_test_cert(),
         )
         self.provider.property_mappings.set(ScopeMapping.objects.all())

authentik/providers/oauth2/tests/test_token_device.py

@@ -9,8 +9,19 @@ from authentik.blueprints.tests import apply_blueprint
 from authentik.core.models import Application
 from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow
 from authentik.lib.generators import generate_code_fixed_length, generate_id
-from authentik.providers.oauth2.constants import GRANT_TYPE_DEVICE_CODE
-from authentik.providers.oauth2.models import DeviceToken, OAuth2Provider, ScopeMapping
+from authentik.providers.oauth2.constants import (
+    GRANT_TYPE_DEVICE_CODE,
+    SCOPE_OPENID,
+    SCOPE_OPENID_EMAIL,
+)
+from authentik.providers.oauth2.models import (
+    AccessToken,
+    DeviceToken,
+    OAuth2Provider,
+    RedirectURI,
+    RedirectURIMatchingMode,
+    ScopeMapping,
+)
 from authentik.providers.oauth2.tests.utils import OAuthTestCase
 
 
@@ -24,7 +35,7 @@ class TestTokenDeviceCode(OAuthTestCase):
         self.provider = OAuth2Provider.objects.create(
             name="test",
             authorization_flow=create_test_flow(),
-            redirect_uris="http://testserver",
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://testserver")],
             signing_key=create_test_cert(),
         )
         self.provider.property_mappings.set(ScopeMapping.objects.all())
@@ -80,3 +91,28 @@ class TestTokenDeviceCode(OAuthTestCase):
             },
         )
         self.assertEqual(res.status_code, 200)
+
+    def test_code_mismatched_scope(self):
+        """Test code with user (mismatched scopes)"""
+        device_token = DeviceToken.objects.create(
+            provider=self.provider,
+            user_code=generate_code_fixed_length(),
+            device_code=generate_id(),
+            user=self.user,
+            scope=[SCOPE_OPENID, SCOPE_OPENID_EMAIL],
+        )
+        res = self.client.post(
+            reverse("authentik_providers_oauth2:token"),
+            data={
+                "client_id": self.provider.client_id,
+                "grant_type": GRANT_TYPE_DEVICE_CODE,
+                "device_code": device_token.device_code,
+                "scope": f"{SCOPE_OPENID} {SCOPE_OPENID_EMAIL} invalid",
+            },
+        )
+        self.assertEqual(res.status_code, 200)
+        body = loads(res.content)
+        token = AccessToken.objects.filter(
+            provider=self.provider, token=body["access_token"]
+        ).first()
+        self.assertSetEqual(set(token.scope), {SCOPE_OPENID, SCOPE_OPENID_EMAIL})

authentik/providers/oauth2/tests/test_token_pkce.py

@@ -10,7 +10,12 @@ from authentik.core.models import Application
 from authentik.core.tests.utils import create_test_admin_user, create_test_flow
 from authentik.lib.generators import generate_id
 from authentik.providers.oauth2.constants import GRANT_TYPE_AUTHORIZATION_CODE
-from authentik.providers.oauth2.models import AuthorizationCode, OAuth2Provider
+from authentik.providers.oauth2.models import (
+    AuthorizationCode,
+    OAuth2Provider,
+    RedirectURI,
+    RedirectURIMatchingMode,
+)
 from authentik.providers.oauth2.tests.utils import OAuthTestCase
 
 
@@ -30,7 +35,7 @@ class TestTokenPKCE(OAuthTestCase):
             name=generate_id(),
             client_id="test",
             authorization_flow=flow,
-            redirect_uris="foo://localhost",
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "foo://localhost")],
             access_code_validity="seconds=100",
         )
         Application.objects.create(name="app", slug="app", provider=provider)
@@ -93,7 +98,7 @@ class TestTokenPKCE(OAuthTestCase):
             name=generate_id(),
             client_id="test",
             authorization_flow=flow,
-            redirect_uris="foo://localhost",
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "foo://localhost")],
             access_code_validity="seconds=100",
         )
         Application.objects.create(name="app", slug="app", provider=provider)
@@ -154,7 +159,7 @@ class TestTokenPKCE(OAuthTestCase):
             name=generate_id(),
             client_id="test",
             authorization_flow=flow,
-            redirect_uris="foo://localhost",
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "foo://localhost")],
             access_code_validity="seconds=100",
         )
         Application.objects.create(name="app", slug="app", provider=provider)
@@ -210,7 +215,7 @@ class TestTokenPKCE(OAuthTestCase):
             name=generate_id(),
             client_id="test",
             authorization_flow=flow,
-            redirect_uris="foo://localhost",
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "foo://localhost")],
             access_code_validity="seconds=100",
         )
         Application.objects.create(name="app", slug="app", provider=provider)

authentik/providers/oauth2/tests/test_userinfo.py

@@ -11,7 +11,14 @@ from authentik.core.models import Application
 from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow
 from authentik.events.models import Event, EventAction
 from authentik.lib.generators import generate_id
-from authentik.providers.oauth2.models import AccessToken, IDToken, OAuth2Provider, ScopeMapping
+from authentik.providers.oauth2.models import (
+    AccessToken,
+    IDToken,
+    OAuth2Provider,
+    RedirectURI,
+    RedirectURIMatchingMode,
+    ScopeMapping,
+)
 from authentik.providers.oauth2.tests.utils import OAuthTestCase
 
 
@@ -25,7 +32,7 @@ class TestUserinfo(OAuthTestCase):
         self.provider: OAuth2Provider = OAuth2Provider.objects.create(
             name=generate_id(),
             authorization_flow=create_test_flow(),
-            redirect_uris="",
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "")],
             signing_key=create_test_cert(),
         )
         self.provider.property_mappings.set(ScopeMapping.objects.all())

authentik/providers/oauth2/views/authorize.py

@@ -56,6 +56,8 @@ from authentik.providers.oauth2.models import (
     AuthorizationCode,
     GrantTypes,
     OAuth2Provider,
+    RedirectURI,
+    RedirectURIMatchingMode,
     ResponseMode,
     ResponseTypes,
     ScopeMapping,
@@ -187,40 +189,39 @@ class OAuthAuthorizationParams:
 
     def check_redirect_uri(self):
         """Redirect URI validation."""
-        allowed_redirect_urls = self.provider.redirect_uris.split()
+        allowed_redirect_urls = self.provider.redirect_uris
         if not self.redirect_uri:
             LOGGER.warning("Missing redirect uri.")
             raise RedirectUriError("", allowed_redirect_urls)
 
-        if self.provider.redirect_uris == "":
+        if len(allowed_redirect_urls) < 1:
             LOGGER.info("Setting redirect for blank redirect_uris", redirect=self.redirect_uri)
-            self.provider.redirect_uris = self.redirect_uri
+            self.provider.redirect_uris = [
+                RedirectURI(RedirectURIMatchingMode.STRICT, self.redirect_uri)
+            ]
             self.provider.save()
-            allowed_redirect_urls = self.provider.redirect_uris.split()
+            allowed_redirect_urls = self.provider.redirect_uris
 
-        if self.provider.redirect_uris == "*":
-            LOGGER.info("Converting redirect_uris to regex", redirect=self.redirect_uri)
-            self.provider.redirect_uris = ".*"
-            self.provider.save()
-            allowed_redirect_urls = self.provider.redirect_uris.split()
-
-        try:
-            if not any(fullmatch(x, self.redirect_uri) for x in allowed_redirect_urls):
-                LOGGER.warning(
-                    "Invalid redirect uri (regex comparison)",
-                    redirect_uri_given=self.redirect_uri,
-                    redirect_uri_expected=allowed_redirect_urls,
-                )
-                raise RedirectUriError(self.redirect_uri, allowed_redirect_urls)
-        except RegexError as exc:
-            LOGGER.info("Failed to parse regular expression, checking directly", exc=exc)
-            if not any(x == self.redirect_uri for x in allowed_redirect_urls):
-                LOGGER.warning(
-                    "Invalid redirect uri (strict comparison)",
-                    redirect_uri_given=self.redirect_uri,
-                    redirect_uri_expected=allowed_redirect_urls,
-                )
-                raise RedirectUriError(self.redirect_uri, allowed_redirect_urls) from None
+        match_found = False
+        for allowed in allowed_redirect_urls:
+            if allowed.matching_mode == RedirectURIMatchingMode.STRICT:
+                if self.redirect_uri == allowed.url:
+                    match_found = True
+                    break
+            if allowed.matching_mode == RedirectURIMatchingMode.REGEX:
+                try:
+                    if fullmatch(allowed.url, self.redirect_uri):
+                        match_found = True
+                        break
+                except RegexError as exc:
+                    LOGGER.warning(
+                        "Failed to parse regular expression",
+                        exc=exc,
+                        url=allowed.url,
+                        provider=self.provider,
+                    )
+        if not match_found:
+            raise RedirectUriError(self.redirect_uri, allowed_redirect_urls)
         # Check against forbidden schemes
         if urlparse(self.redirect_uri).scheme in FORBIDDEN_URI_SCHEMES:
             raise RedirectUriError(self.redirect_uri, allowed_redirect_urls)

authentik/providers/oauth2/views/provider.py

@@ -162,5 +162,5 @@ class ProviderInfoView(View):
             OAuth2Provider, pk=application.provider_id
         )
         response = super().dispatch(request, *args, **kwargs)
-        cors_allow(request, response, *self.provider.redirect_uris.split("\n"))
+        cors_allow(request, response, *[x.url for x in self.provider.redirect_uris])
         return response

authentik/providers/oauth2/views/token.py

@@ -58,7 +58,9 @@ from authentik.providers.oauth2.models import (
     ClientTypes,
     DeviceToken,
     OAuth2Provider,
+    RedirectURIMatchingMode,
     RefreshToken,
+    ScopeMapping,
 )
 from authentik.providers.oauth2.utils import TokenResponse, cors_allow, extract_client_auth
 from authentik.providers.oauth2.views.authorize import FORBIDDEN_URI_SCHEMES
@@ -77,7 +79,7 @@ class TokenParams:
     redirect_uri: str
     grant_type: str
     state: str
-    scope: list[str]
+    scope: set[str]
 
     provider: OAuth2Provider
 
@@ -112,11 +114,26 @@ class TokenParams:
             redirect_uri=request.POST.get("redirect_uri", ""),
             grant_type=request.POST.get("grant_type", ""),
             state=request.POST.get("state", ""),
-            scope=request.POST.get("scope", "").split(),
+            scope=set(request.POST.get("scope", "").split()),
             # PKCE parameter.
             code_verifier=request.POST.get("code_verifier"),
         )
 
+    def __check_scopes(self):
+        allowed_scope_names = set(
+            ScopeMapping.objects.filter(provider__in=[self.provider]).values_list(
+                "scope_name", flat=True
+            )
+        )
+        scopes_to_check = self.scope
+        if not scopes_to_check.issubset(allowed_scope_names):
+            LOGGER.info(
+                "Application requested scopes not configured, setting to overlap",
+                scope_allowed=allowed_scope_names,
+                scope_given=self.scope,
+            )
+            self.scope = self.scope.intersection(allowed_scope_names)
+
     def __check_policy_access(self, app: Application, request: HttpRequest, **kwargs):
         with start_span(
             op="authentik.providers.oauth2.token.policy",
@@ -149,7 +166,7 @@ class TokenParams:
                     client_id=self.provider.client_id,
                 )
                 raise TokenError("invalid_client")
-
+        self.__check_scopes()
         if self.grant_type == GRANT_TYPE_AUTHORIZATION_CODE:
             with start_span(
                 op="authentik.providers.oauth2.post.parse.code",
@@ -179,42 +196,7 @@ class TokenParams:
             LOGGER.warning("Missing authorization code")
             raise TokenError("invalid_grant")
 
-        allowed_redirect_urls = self.provider.redirect_uris.split()
-        # At this point, no provider should have a blank redirect_uri, in case they do
-        # this will check an empty array and raise an error
-        try:
-            if not any(fullmatch(x, self.redirect_uri) for x in allowed_redirect_urls):
-                LOGGER.warning(
-                    "Invalid redirect uri (regex comparison)",
-                    redirect_uri=self.redirect_uri,
-                    expected=allowed_redirect_urls,
-                )
-                Event.new(
-                    EventAction.CONFIGURATION_ERROR,
-                    message="Invalid redirect URI used by provider",
-                    provider=self.provider,
-                    redirect_uri=self.redirect_uri,
-                    expected=allowed_redirect_urls,
-                ).from_http(request)
-                raise TokenError("invalid_client")
-        except RegexError as exc:
-            LOGGER.info("Failed to parse regular expression, checking directly", exc=exc)
-            if not any(x == self.redirect_uri for x in allowed_redirect_urls):
-                LOGGER.warning(
-                    "Invalid redirect uri (strict comparison)",
-                    redirect_uri=self.redirect_uri,
-                    expected=allowed_redirect_urls,
-                )
-                Event.new(
-                    EventAction.CONFIGURATION_ERROR,
-                    message="Invalid redirect_uri configured",
-                    provider=self.provider,
-                ).from_http(request)
-                raise TokenError("invalid_client") from None
-
-        # Check against forbidden schemes
-        if urlparse(self.redirect_uri).scheme in FORBIDDEN_URI_SCHEMES:
-            raise TokenError("invalid_request")
+        self.__check_redirect_uri(request)
 
         self.authorization_code = AuthorizationCode.objects.filter(code=raw_code).first()
         if not self.authorization_code:
@@ -254,6 +236,48 @@ class TokenParams:
         if not self.authorization_code.code_challenge and self.code_verifier:
             raise TokenError("invalid_grant")
 
+    def __check_redirect_uri(self, request: HttpRequest):
+        allowed_redirect_urls = self.provider.redirect_uris
+        # At this point, no provider should have a blank redirect_uri, in case they do
+        # this will check an empty array and raise an error
+
+        match_found = False
+        for allowed in allowed_redirect_urls:
+            if allowed.matching_mode == RedirectURIMatchingMode.STRICT:
+                if self.redirect_uri == allowed.url:
+                    match_found = True
+                    break
+            if allowed.matching_mode == RedirectURIMatchingMode.REGEX:
+                try:
+                    if fullmatch(allowed.url, self.redirect_uri):
+                        match_found = True
+                        break
+                except RegexError as exc:
+                    LOGGER.warning(
+                        "Failed to parse regular expression",
+                        exc=exc,
+                        url=allowed.url,
+                        provider=self.provider,
+                    )
+                    Event.new(
+                        EventAction.CONFIGURATION_ERROR,
+                        message="Invalid redirect_uri configured",
+                        provider=self.provider,
+                    ).from_http(request)
+        if not match_found:
+            Event.new(
+                EventAction.CONFIGURATION_ERROR,
+                message="Invalid redirect URI used by provider",
+                provider=self.provider,
+                redirect_uri=self.redirect_uri,
+                expected=allowed_redirect_urls,
+            ).from_http(request)
+            raise TokenError("invalid_client")
+
+        # Check against forbidden schemes
+        if urlparse(self.redirect_uri).scheme in FORBIDDEN_URI_SCHEMES:
+            raise TokenError("invalid_request")
+
     def __post_init_refresh(self, raw_token: str, request: HttpRequest):
         if not raw_token:
             LOGGER.warning("Missing refresh token")
@@ -497,7 +521,7 @@ class TokenView(View):
         response = super().dispatch(request, *args, **kwargs)
         allowed_origins = []
         if self.provider:
-            allowed_origins = self.provider.redirect_uris.split("\n")
+            allowed_origins = [x.url for x in self.provider.redirect_uris]
         cors_allow(self.request, response, *allowed_origins)
         return response
 
@@ -710,7 +734,7 @@ class TokenView(View):
             "id_token": access_token.id_token.to_jwt(self.provider),
         }
 
-        if SCOPE_OFFLINE_ACCESS in self.params.scope:
+        if SCOPE_OFFLINE_ACCESS in self.params.device_code.scope:
             refresh_token_expiry = now + timedelta_from_string(self.provider.refresh_token_validity)
             refresh_token = RefreshToken(
                 user=self.params.device_code.user,

authentik/providers/oauth2/views/userinfo.py

@@ -108,7 +108,7 @@ class UserInfoView(View):
         response = super().dispatch(request, *args, **kwargs)
         allowed_origins = []
         if self.token:
-            allowed_origins = self.token.provider.redirect_uris.split("\n")
+            allowed_origins = [x.url for x in self.token.provider.redirect_uris]
         cors_allow(self.request, response, *allowed_origins)
         return response
 

authentik/providers/proxy/api.py

@@ -13,6 +13,7 @@ from authentik.core.api.providers import ProviderSerializer
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import ModelSerializer, PassiveSerializer
 from authentik.lib.utils.time import timedelta_from_string
+from authentik.providers.oauth2.api.providers import RedirectURISerializer
 from authentik.providers.oauth2.models import ScopeMapping
 from authentik.providers.oauth2.views.provider import ProviderInfoView
 from authentik.providers.proxy.models import ProxyMode, ProxyProvider
@@ -39,7 +40,7 @@ class ProxyProviderSerializer(ProviderSerializer):
     """ProxyProvider Serializer"""
 
     client_id = CharField(read_only=True)
-    redirect_uris = CharField(read_only=True)
+    redirect_uris = RedirectURISerializer(many=True, read_only=True, source="_redirect_uris")
     outpost_set = ListField(child=CharField(), read_only=True, source="outpost_set.all")
 
     def validate_basic_auth_enabled(self, value: bool) -> bool:
@@ -121,7 +122,6 @@ class ProxyProviderViewSet(UsedByMixin, ModelViewSet):
         "basic_auth_password_attribute": ["iexact"],
         "basic_auth_user_attribute": ["iexact"],
         "mode": ["iexact"],
-        "redirect_uris": ["iexact"],
         "cookie_domain": ["iexact"],
     }
     search_fields = ["name"]

authentik/providers/proxy/models.py

@@ -13,7 +13,13 @@ from rest_framework.serializers import Serializer
 from authentik.crypto.models import CertificateKeyPair
 from authentik.lib.models import DomainlessURLValidator
 from authentik.outposts.models import OutpostModel
-from authentik.providers.oauth2.models import ClientTypes, OAuth2Provider, ScopeMapping
+from authentik.providers.oauth2.models import (
+    ClientTypes,
+    OAuth2Provider,
+    RedirectURI,
+    RedirectURIMatchingMode,
+    ScopeMapping,
+)
 
 SCOPE_AK_PROXY = "ak_proxy"
 OUTPOST_CALLBACK_SIGNATURE = "X-authentik-auth-callback"
@@ -24,14 +30,14 @@ def get_cookie_secret():
     return "".join(SystemRandom().choice(string.ascii_uppercase + string.digits) for _ in range(32))
 
 
-def _get_callback_url(uri: str) -> str:
-    return "\n".join(
-        [
-            urljoin(uri, "outpost.goauthentik.io/callback")
-            + f"\\?{OUTPOST_CALLBACK_SIGNATURE}=true",
-            uri + f"\\?{OUTPOST_CALLBACK_SIGNATURE}=true",
-        ]
-    )
+def _get_callback_url(uri: str) -> list[RedirectURI]:
+    return [
+        RedirectURI(
+            RedirectURIMatchingMode.STRICT,
+            urljoin(uri, "outpost.goauthentik.io/callback") + f"?{OUTPOST_CALLBACK_SIGNATURE}=true",
+        ),
+        RedirectURI(RedirectURIMatchingMode.STRICT, uri + f"?{OUTPOST_CALLBACK_SIGNATURE}=true"),
+    ]
 
 
 class ProxyMode(models.TextChoices):

authentik/providers/scim/clients/schema.py

@@ -19,6 +19,7 @@ SCIM_GROUP_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:Group"
 class User(BaseUser):
     """Modified User schema with added externalId field"""
 
+    id: str | int | None = None
     schemas: list[str] = [SCIM_USER_SCHEMA]
     externalId: str | None = None
     meta: dict | None = None
@@ -27,6 +28,7 @@ class User(BaseUser):
 class Group(BaseGroup):
     """Modified Group schema with added externalId field"""
 
+    id: str | int | None = None
     schemas: list[str] = [SCIM_GROUP_SCHEMA]
     externalId: str | None = None
     meta: dict | None = None

authentik/rbac/api/rbac_roles.py

@@ -53,7 +53,7 @@ class ExtraRoleObjectPermissionSerializer(RoleObjectPermissionSerializer):
         except LookupError:
             return None
         objects = get_objects_for_group(instance.group, f"{app_label}.view_{model}", model_class)
-        obj = objects.first()
+        obj = objects.filter(pk=instance.object_pk).first()
         if not obj:
             return None
         return str(obj)

authentik/rbac/api/rbac_users.py

@@ -53,7 +53,7 @@ class ExtraUserObjectPermissionSerializer(UserObjectPermissionSerializer):
         except LookupError:
             return None
         objects = get_objects_for_user(instance.user, f"{app_label}.view_{model}", model_class)
-        obj = objects.first()
+        obj = objects.filter(pk=instance.object_pk).first()
         if not obj:
             return None
         return str(obj)

authentik/root/monitoring.py

@@ -1,6 +1,8 @@
 """Metrics view"""
 
-from base64 import b64encode
+from hmac import compare_digest
+from pathlib import Path
+from tempfile import gettempdir
 
 from django.conf import settings
 from django.db import connections
@@ -16,22 +18,21 @@ monitoring_set = Signal()
 
 
 class MetricsView(View):
-    """Wrapper around ExportToDjangoView, using http-basic auth"""
+    """Wrapper around ExportToDjangoView with authentication, accessed by the authentik router"""
+
+    def __init__(self, **kwargs):
+        _tmp = Path(gettempdir())
+        with open(_tmp / "authentik-core-metrics.key") as _f:
+            self.monitoring_key = _f.read()
 
     def get(self, request: HttpRequest) -> HttpResponse:
         """Check for HTTP-Basic auth"""
         auth_header = request.META.get("HTTP_AUTHORIZATION", "")
         auth_type, _, given_credentials = auth_header.partition(" ")
-        credentials = f"monitor:{settings.SECRET_KEY}"
-        expected = b64encode(str.encode(credentials)).decode()
-        authed = auth_type == "Basic" and given_credentials == expected
+        authed = auth_type == "Bearer" and compare_digest(given_credentials, self.monitoring_key)
         if not authed and not settings.DEBUG:
-            response = HttpResponse(status=401)
-            response["WWW-Authenticate"] = 'Basic realm="authentik-monitoring"'
-            return response
-
+            return HttpResponse(status=401)
         monitoring_set.send_robust(self)
-
         return ExportToDjangoView(request)
 
 

authentik/root/settings.py

@@ -38,7 +38,6 @@ LANGUAGE_COOKIE_NAME = "authentik_language"
 SESSION_COOKIE_NAME = "authentik_session"
 SESSION_COOKIE_DOMAIN = CONFIG.get("cookie_domain", None)
 APPEND_SLASH = False
-X_FRAME_OPTIONS = "SAMEORIGIN"
 
 AUTHENTICATION_BACKENDS = [
     "django.contrib.auth.backends.ModelBackend",
@@ -304,10 +303,12 @@ DATABASES = {
         "USER": CONFIG.get("postgresql.user"),
         "PASSWORD": CONFIG.get("postgresql.password"),
         "PORT": CONFIG.get("postgresql.port"),
-        "SSLMODE": CONFIG.get("postgresql.sslmode"),
-        "SSLROOTCERT": CONFIG.get("postgresql.sslrootcert"),
-        "SSLCERT": CONFIG.get("postgresql.sslcert"),
-        "SSLKEY": CONFIG.get("postgresql.sslkey"),
+        "OPTIONS": {
+            "sslmode": CONFIG.get("postgresql.sslmode"),
+            "sslrootcert": CONFIG.get("postgresql.sslrootcert"),
+            "sslcert": CONFIG.get("postgresql.sslcert"),
+            "sslkey": CONFIG.get("postgresql.sslkey"),
+        },
         "TEST": {
             "NAME": CONFIG.get("postgresql.test.name"),
         },

authentik/root/tests.py

@@ -1,8 +1,9 @@
 """root tests"""
 
-from base64 import b64encode
+from pathlib import Path
+from secrets import token_urlsafe
+from tempfile import gettempdir
 
-from django.conf import settings
 from django.test import TestCase
 from django.urls import reverse
 
@@ -10,6 +11,16 @@ from django.urls import reverse
 class TestRoot(TestCase):
     """Test root application"""
 
+    def setUp(self):
+        _tmp = Path(gettempdir())
+        self.token = token_urlsafe(32)
+        with open(_tmp / "authentik-core-metrics.key", "w") as _f:
+            _f.write(self.token)
+
+    def tearDown(self):
+        _tmp = Path(gettempdir())
+        (_tmp / "authentik-core-metrics.key").unlink()
+
     def test_monitoring_error(self):
         """Test monitoring without any credentials"""
         response = self.client.get(reverse("metrics"))
@@ -17,8 +28,7 @@ class TestRoot(TestCase):
 
     def test_monitoring_ok(self):
         """Test monitoring with credentials"""
-        creds = "Basic " + b64encode(f"monitor:{settings.SECRET_KEY}".encode()).decode("utf-8")
-        auth_headers = {"HTTP_AUTHORIZATION": creds}
+        auth_headers = {"HTTP_AUTHORIZATION": f"Bearer {self.token}"}
         response = self.client.get(reverse("metrics"), **auth_headers)
         self.assertEqual(response.status_code, 200)
 

authentik/stages/authenticator_validate/stage.py

@@ -332,7 +332,7 @@ class AuthenticatorValidateStageView(ChallengeStageView):
             serializer = SelectableStageSerializer(
                 data={
                     "pk": stage.pk,
-                    "name": getattr(stage, "friendly_name", stage.name),
+                    "name": getattr(stage, "friendly_name", stage.name) or stage.name,
                     "verbose_name": str(stage._meta.verbose_name)
                     .replace("Setup Stage", "")
                     .strip(),

authentik/stages/authenticator_validate/tests/test_stage.py

@@ -4,6 +4,7 @@ from unittest.mock import MagicMock, patch
 
 from django.test.client import RequestFactory
 from django.urls.base import reverse
+from django.utils.timezone import now
 
 from authentik.core.tests.utils import create_test_admin_user, create_test_flow
 from authentik.flows.models import FlowDesignation, FlowStageBinding, NotConfiguredAction
@@ -13,6 +14,7 @@ from authentik.flows.views.executor import SESSION_KEY_PLAN
 from authentik.lib.generators import generate_id, generate_key
 from authentik.stages.authenticator_duo.models import AuthenticatorDuoStage, DuoDevice
 from authentik.stages.authenticator_static.models import AuthenticatorStaticStage
+from authentik.stages.authenticator_totp.models import AuthenticatorTOTPStage, TOTPDigits
 from authentik.stages.authenticator_validate.api import AuthenticatorValidateStageSerializer
 from authentik.stages.authenticator_validate.models import AuthenticatorValidateStage, DeviceClasses
 from authentik.stages.authenticator_validate.stage import PLAN_CONTEXT_DEVICE_CHALLENGES
@@ -76,8 +78,8 @@ class AuthenticatorValidateStageTests(FlowTestCase):
         conf_stage = AuthenticatorStaticStage.objects.create(
             name=generate_id(),
         )
-        conf_stage2 = AuthenticatorStaticStage.objects.create(
-            name=generate_id(),
+        conf_stage2 = AuthenticatorTOTPStage.objects.create(
+            name=generate_id(), digits=TOTPDigits.SIX
         )
         stage = AuthenticatorValidateStage.objects.create(
             name=generate_id(),
@@ -153,10 +155,14 @@ class AuthenticatorValidateStageTests(FlowTestCase):
             {
                 "device_class": "static",
                 "device_uid": "1",
+                "challenge": {},
+                "last_used": now(),
             },
             {
                 "device_class": "totp",
                 "device_uid": "2",
+                "challenge": {},
+                "last_used": now(),
             },
         ]
         session[SESSION_KEY_PLAN] = plan

authentik/stages/identification/stage.py

@@ -26,6 +26,7 @@ from authentik.flows.models import FlowDesignation
 from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER
 from authentik.flows.stage import PLAN_CONTEXT_PENDING_USER_IDENTIFIER, ChallengeStageView
 from authentik.flows.views.executor import SESSION_KEY_APPLICATION_PRE, SESSION_KEY_GET
+from authentik.lib.avatars import DEFAULT_AVATAR
 from authentik.lib.utils.reflection import all_subclasses
 from authentik.lib.utils.urls import reverse_with_qs
 from authentik.root.middleware import ClientIPMiddleware
@@ -76,7 +77,7 @@ class IdentificationChallenge(Challenge):
     allow_show_password = BooleanField(default=False)
     application_pre = CharField(required=False)
     flow_designation = ChoiceField(FlowDesignation.choices)
-    captcha_stage = CaptchaChallenge(required=False)
+    captcha_stage = CaptchaChallenge(required=False, allow_null=True)
 
     enroll_url = CharField(required=False)
     recovery_url = CharField(required=False)
@@ -224,6 +225,8 @@ class IdentificationStageView(ChallengeStageView):
                         "js_url": current_stage.captcha_stage.js_url,
                         "site_key": current_stage.captcha_stage.public_key,
                         "interactive": current_stage.captcha_stage.interactive,
+                        "pending_user": "",
+                        "pending_user_avatar": DEFAULT_AVATAR,
                     }
                     if current_stage.captcha_stage
                     else None

blueprints/schema.json

@@ -2,7 +2,7 @@
     "$schema": "http://json-schema.org/draft-07/schema",
     "$id": "https://goauthentik.io/blueprints/schema.json",
     "type": "object",
-    "title": "authentik 2024.10.2 Blueprint schema",
+    "title": "authentik 2024.10.5 Blueprint schema",
     "required": [
         "version",
         "entries"
@@ -5570,9 +5570,30 @@
                     "description": "Key used to encrypt the tokens. When set, tokens will be encrypted and returned as JWEs."
                 },
                 "redirect_uris": {
-                    "type": "string",
-                    "title": "Redirect URIs",
-                    "description": "Enter each URI on a new line."
+                    "type": "array",
+                    "items": {
+                        "type": "object",
+                        "properties": {
+                            "matching_mode": {
+                                "type": "string",
+                                "enum": [
+                                    "strict",
+                                    "regex"
+                                ],
+                                "title": "Matching mode"
+                            },
+                            "url": {
+                                "type": "string",
+                                "minLength": 1,
+                                "title": "Url"
+                            }
+                        },
+                        "required": [
+                            "matching_mode",
+                            "url"
+                        ]
+                    },
+                    "title": "Redirect uris"
                 },
                 "sub_mode": {
                     "type": "string",

docker-compose.yml

@@ -31,7 +31,7 @@ services:
     volumes:
       - redis:/data
   server:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.10.2}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.10.5}
     restart: unless-stopped
     command: server
     environment:
@@ -52,7 +52,7 @@ services:
       - postgresql
       - redis
   worker:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.10.2}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.10.5}
     restart: unless-stopped
     command: worker
     environment:

internal/constants/constants.go

@@ -29,4 +29,4 @@ func UserAgent() string {
 	return fmt.Sprintf("authentik@%s", FullVersion())
 }
 
-const VERSION = "2024.10.2"
+const VERSION = "2024.10.5"

internal/outpost/ldap/ldap.go

@@ -65,7 +65,7 @@ func (ls *LDAPServer) StartLDAPServer() error {
 		ls.log.WithField("listen", listen).WithError(err).Warning("Failed to listen (SSL)")
 		return err
 	}
-	proxyListener := &proxyproto.Listener{Listener: ln}
+	proxyListener := &proxyproto.Listener{Listener: ln, ConnPolicy: utils.GetProxyConnectionPolicy()}
 	defer proxyListener.Close()
 
 	ls.log.WithField("listen", listen).Info("Starting LDAP server")

internal/outpost/ldap/ldap_tls.go

@@ -48,7 +48,7 @@ func (ls *LDAPServer) StartLDAPTLSServer() error {
 		return err
 	}
 
-	proxyListener := &proxyproto.Listener{Listener: ln}
+	proxyListener := &proxyproto.Listener{Listener: ln, ConnPolicy: utils.GetProxyConnectionPolicy()}
 	defer proxyListener.Close()
 
 	tln := tls.NewListener(proxyListener, tlsConfig)

internal/outpost/proxyv2/proxyv2.go

@@ -129,7 +129,7 @@ func (ps *ProxyServer) ServeHTTP() {
 		ps.log.WithField("listen", listenAddress).WithError(err).Warning("Failed to listen")
 		return
 	}
-	proxyListener := &proxyproto.Listener{Listener: listener}
+	proxyListener := &proxyproto.Listener{Listener: listener, ConnPolicy: utils.GetProxyConnectionPolicy()}
 	defer proxyListener.Close()
 
 	ps.log.WithField("listen", listenAddress).Info("Starting HTTP server")
@@ -148,7 +148,7 @@ func (ps *ProxyServer) ServeHTTPS() {
 		ps.log.WithError(err).Warning("Failed to listen (TLS)")
 		return
 	}
-	proxyListener := &proxyproto.Listener{Listener: web.TCPKeepAliveListener{TCPListener: ln.(*net.TCPListener)}}
+	proxyListener := &proxyproto.Listener{Listener: web.TCPKeepAliveListener{TCPListener: ln.(*net.TCPListener)}, ConnPolicy: utils.GetProxyConnectionPolicy()}
 	defer proxyListener.Close()
 
 	tlsListener := tls.NewListener(proxyListener, tlsConfig)

internal/utils/proxy.go

@@ -0,0 +1,34 @@
+package utils
+
+import (
+	"net"
+
+	"github.com/pires/go-proxyproto"
+	log "github.com/sirupsen/logrus"
+	"goauthentik.io/internal/config"
+)
+
+func GetProxyConnectionPolicy() proxyproto.ConnPolicyFunc {
+	nets := []*net.IPNet{}
+	for _, rn := range config.Get().Listen.TrustedProxyCIDRs {
+		_, cidr, err := net.ParseCIDR(rn)
+		if err != nil {
+			continue
+		}
+		nets = append(nets, cidr)
+	}
+	return func(connPolicyOptions proxyproto.ConnPolicyOptions) (proxyproto.Policy, error) {
+		host, _, err := net.SplitHostPort(connPolicyOptions.Upstream.String())
+		if err == nil {
+			// remoteAddr will be nil if the IP cannot be parsed
+			remoteAddr := net.ParseIP(host)
+			for _, allowedCidr := range nets {
+				if remoteAddr != nil && allowedCidr.Contains(remoteAddr) {
+					log.WithField("remoteAddr", remoteAddr).WithField("cidr", allowedCidr.String()).Trace("Using remote IP from proxy protocol")
+					return proxyproto.USE, nil
+				}
+			}
+		}
+		return proxyproto.SKIP, nil
+	}
+}

internal/web/metrics.go

@@ -1,11 +1,15 @@
 package web
 
 import (
+	"encoding/base64"
 	"fmt"
 	"io"
 	"net/http"
+	"os"
+	"path"
 
 	"github.com/gorilla/mux"
+	"github.com/gorilla/securecookie"
 	"github.com/prometheus/client_golang/prometheus"
 	"github.com/prometheus/client_golang/prometheus/promauto"
 	"github.com/prometheus/client_golang/prometheus/promhttp"
@@ -14,14 +18,25 @@ import (
 	"goauthentik.io/internal/utils/sentry"
 )
 
+const MetricsKeyFile = "authentik-core-metrics.key"
+
 var Requests = promauto.NewHistogramVec(prometheus.HistogramOpts{
 	Name: "authentik_main_request_duration_seconds",
 	Help: "API request latencies in seconds",
 }, []string{"dest"})
 
 func (ws *WebServer) runMetricsServer() {
-	m := mux.NewRouter()
 	l := log.WithField("logger", "authentik.router.metrics")
+	tmp := os.TempDir()
+	key := base64.StdEncoding.EncodeToString(securecookie.GenerateRandomKey(64))
+	keyPath := path.Join(tmp, MetricsKeyFile)
+	err := os.WriteFile(keyPath, []byte(key), 0o600)
+	if err != nil {
+		l.WithError(err).Warning("failed to save metrics key")
+		return
+	}
+
+	m := mux.NewRouter()
 	m.Use(sentry.SentryNoSampleMiddleware)
 	m.Path("/metrics").HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
 		promhttp.InstrumentMetricHandler(
@@ -36,7 +51,7 @@ func (ws *WebServer) runMetricsServer() {
 			l.WithError(err).Warning("failed to get upstream metrics")
 			return
 		}
-		re.SetBasicAuth("monitor", config.Get().SecretKey)
+		re.Header.Set("Authorization", fmt.Sprintf("Bearer %s", key))
 		res, err := ws.upstreamHttpClient().Do(re)
 		if err != nil {
 			l.WithError(err).Warning("failed to get upstream metrics")
@@ -49,9 +64,13 @@ func (ws *WebServer) runMetricsServer() {
 		}
 	})
 	l.WithField("listen", config.Get().Listen.Metrics).Info("Starting Metrics server")
-	err := http.ListenAndServe(config.Get().Listen.Metrics, m)
+	err = http.ListenAndServe(config.Get().Listen.Metrics, m)
 	if err != nil {
 		l.WithError(err).Warning("Failed to start metrics server")
 	}
 	l.WithField("listen", config.Get().Listen.Metrics).Info("Stopping Metrics server")
+	err = os.Remove(keyPath)
+	if err != nil {
+		l.WithError(err).Warning("failed to remove metrics key file")
+	}
 }

internal/web/static.go

@@ -42,8 +42,11 @@ func (ws *WebServer) configureStatic() {
 
 	// Media files, if backend is file
 	if config.Get().Storage.Media.Backend == "file" {
-		fsMedia := http.FileServer(http.Dir(config.Get().Storage.Media.File.Path))
-		staticRouter.PathPrefix("/media/").Handler(http.StripPrefix("/media", fsMedia))
+		fsMedia := http.StripPrefix("/media", http.FileServer(http.Dir(config.Get().Storage.Media.File.Path)))
+		staticRouter.PathPrefix("/media/").HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		    w.Header().Set("Content-Security-Policy", "default-src 'none'; style-src 'unsafe-inline'; sandbox")
+		    fsMedia.ServeHTTP(w, r)
+		})
 	}
 
 	staticRouter.PathPrefix("/if/help/").Handler(http.StripPrefix("/if/help/", http.FileServer(http.Dir("./website/help/"))))

internal/web/web.go

@@ -19,6 +19,7 @@ import (
 	"goauthentik.io/internal/config"
 	"goauthentik.io/internal/gounicorn"
 	"goauthentik.io/internal/outpost/proxyv2"
+	"goauthentik.io/internal/utils"
 	"goauthentik.io/internal/utils/web"
 	"goauthentik.io/internal/web/brand_tls"
 )
@@ -52,7 +53,7 @@ func NewWebServer() *WebServer {
 	loggingHandler.Use(web.NewLoggingHandler(l, nil))
 
 	tmp := os.TempDir()
-	socketPath := path.Join(tmp, "authentik-core.sock")
+	socketPath := path.Join(tmp, UnixSocketName)
 
 	// create http client to talk to backend, normal client if we're in debug more
 	// and a client that connects to our socket when in non debug mode
@@ -149,7 +150,7 @@ func (ws *WebServer) listenPlain() {
 		ws.log.WithError(err).Warning("failed to listen")
 		return
 	}
-	proxyListener := &proxyproto.Listener{Listener: ln}
+	proxyListener := &proxyproto.Listener{Listener: ln, ConnPolicy: utils.GetProxyConnectionPolicy()}
 	defer proxyListener.Close()
 
 	ws.log.WithField("listen", config.Get().Listen.HTTP).Info("Starting HTTP server")

internal/web/web_tls.go

@@ -45,7 +45,7 @@ func (ws *WebServer) listenTLS() {
 		ws.log.WithError(err).Warning("failed to listen (TLS)")
 		return
 	}
-	proxyListener := &proxyproto.Listener{Listener: web.TCPKeepAliveListener{TCPListener: ln.(*net.TCPListener)}}
+	proxyListener := &proxyproto.Listener{Listener: web.TCPKeepAliveListener{TCPListener: ln.(*net.TCPListener)}, ConnPolicy: utils.GetProxyConnectionPolicy()}
 	defer proxyListener.Close()
 
 	tlsListener := tls.NewListener(proxyListener, tlsConfig)

package.json

@@ -1,5 +1,5 @@
 {
     "name": "@goauthentik/authentik",
-    "version": "2024.10.2",
+    "version": "2024.10.5",
     "private": true
 }

poetry.lock

@@ -1,4 +1,4 @@
-# This file is automatically @generated by Poetry 1.8.3 and should not be changed by hand.
+# This file is automatically @generated by Poetry 1.8.5 and should not be changed by hand.
 
 [[package]]
 name = "aiohappyeyeballs"
@@ -4549,19 +4549,19 @@ test = ["pytest"]
 
 [[package]]
 name = "setuptools"
-version = "72.1.0"
+version = "69.1.1"
 description = "Easily download, build, install, upgrade, and uninstall Python packages"
 optional = false
 python-versions = ">=3.8"
 files = [
-    {file = "setuptools-72.1.0-py3-none-any.whl", hash = "sha256:5a03e1860cf56bb6ef48ce186b0e557fdba433237481a9a625176c2831be15d1"},
-    {file = "setuptools-72.1.0.tar.gz", hash = "sha256:8d243eff56d095e5817f796ede6ae32941278f542e0f941867cc05ae52b162ec"},
+    {file = "setuptools-69.1.1-py3-none-any.whl", hash = "sha256:02fa291a0471b3a18b2b2481ed902af520c69e8ae0919c13da936542754b4c56"},
+    {file = "setuptools-69.1.1.tar.gz", hash = "sha256:5c0806c7d9af348e6dd3777b4f4dbb42c7ad85b190104837488eab9a7c945cf8"},
 ]
 
 [package.extras]
-core = ["importlib-metadata (>=6)", "importlib-resources (>=5.10.2)", "jaraco.text (>=3.7)", "more-itertools (>=8.8)", "ordered-set (>=3.1.1)", "packaging (>=24)", "platformdirs (>=2.6.2)", "tomli (>=2.0.1)", "wheel (>=0.43.0)"]
-doc = ["furo", "jaraco.packaging (>=9.3)", "jaraco.tidelift (>=1.4)", "pygments-github-lexers (==0.0.5)", "pyproject-hooks (!=1.1)", "rst.linker (>=1.9)", "sphinx (>=3.5)", "sphinx-favicon", "sphinx-inline-tabs", "sphinx-lint", "sphinx-notfound-page (>=1,<2)", "sphinx-reredirects", "sphinxcontrib-towncrier"]
-test = ["build[virtualenv] (>=1.0.3)", "filelock (>=3.4.0)", "importlib-metadata", "ini2toml[lite] (>=0.14)", "jaraco.develop (>=7.21)", "jaraco.envs (>=2.2)", "jaraco.path (>=3.2.0)", "jaraco.test", "mypy (==1.11.*)", "packaging (>=23.2)", "pip (>=19.1)", "pyproject-hooks (!=1.1)", "pytest (>=6,!=8.1.*)", "pytest-checkdocs (>=2.4)", "pytest-cov", "pytest-enabler (>=2.2)", "pytest-home (>=0.5)", "pytest-mypy", "pytest-perf", "pytest-ruff (<0.4)", "pytest-ruff (>=0.2.1)", "pytest-ruff (>=0.3.2)", "pytest-subprocess", "pytest-timeout", "pytest-xdist (>=3)", "tomli", "tomli-w (>=1.0.0)", "virtualenv (>=13.0.0)", "wheel"]
+docs = ["furo", "jaraco.packaging (>=9.3)", "jaraco.tidelift (>=1.4)", "pygments-github-lexers (==0.0.5)", "rst.linker (>=1.9)", "sphinx (<7.2.5)", "sphinx (>=3.5)", "sphinx-favicon", "sphinx-inline-tabs", "sphinx-lint", "sphinx-notfound-page (>=1,<2)", "sphinx-reredirects", "sphinxcontrib-towncrier"]
+testing = ["build[virtualenv]", "filelock (>=3.4.0)", "flake8-2020", "ini2toml[lite] (>=0.9)", "jaraco.develop (>=7.21)", "jaraco.envs (>=2.2)", "jaraco.path (>=3.2.0)", "packaging (>=23.2)", "pip (>=19.1)", "pytest (>=6)", "pytest-checkdocs (>=2.4)", "pytest-cov", "pytest-enabler (>=2.2)", "pytest-home (>=0.5)", "pytest-mypy (>=0.9.1)", "pytest-perf", "pytest-ruff (>=0.2.1)", "pytest-timeout", "pytest-xdist", "tomli-w (>=1.0.0)", "virtualenv (>=13.0.0)", "wheel"]
+testing-integration = ["build[virtualenv] (>=1.0.3)", "filelock (>=3.4.0)", "jaraco.envs (>=2.2)", "jaraco.path (>=3.2.0)", "packaging (>=23.2)", "pytest", "pytest-enabler", "pytest-xdist", "tomli", "virtualenv (>=13.0.0)", "wheel"]
 
 [[package]]
 name = "six"
@@ -5565,4 +5565,4 @@ files = [
 [metadata]
 lock-version = "2.0"
 python-versions = "~3.12"
-content-hash = "10aa88f2f0e56cddd91adba8c39c52de92763429fb615a27c3dc218952cff808"
+content-hash = "32f3901cb944de57ed5cb11dde3a2010de845b04adf557b7e3a701581e260613"

pyproject.toml

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "authentik"
-version = "2024.10.2"
+version = "2024.10.5"
 description = ""
 authors = ["authentik Team <hello@goauthentik.io>"]
 
@@ -139,6 +139,7 @@ scim2-filter-parser = "*"
 sentry-sdk = "*"
 service_identity = "*"
 setproctitle = "*"
+setuptools = "~69.1"
 structlog = "*"
 swagger-spec-validator = "*"
 tenant-schemas-celery = "*"

schema.yml

@@ -1,7 +1,7 @@
 openapi: 3.0.3
 info:
   title: authentik
-  version: 2024.10.2
+  version: 2024.10.5
   description: Making authentication simple.
   contact:
     email: hello@goauthentik.io
@@ -20218,10 +20218,6 @@ paths:
             format: uuid
         explode: true
         style: form
-      - in: query
-        name: redirect_uris
-        schema:
-          type: string
       - in: query
         name: refresh_token_validity
         schema:
@@ -20637,10 +20633,6 @@ paths:
             format: uuid
         explode: true
         style: form
-      - in: query
-        name: redirect_uris__iexact
-        schema:
-          type: string
       - name: search
         required: false
         in: query
@@ -44060,6 +44052,11 @@ components:
       required:
       - challenge
       - name
+    MatchingModeEnum:
+      enum:
+      - strict
+      - regex
+      type: string
     Metadata:
       type: object
       description: Serializer for blueprint metadata
@@ -44762,8 +44759,9 @@ components:
           description: Key used to encrypt the tokens. When set, tokens will be encrypted
             and returned as JWEs.
         redirect_uris:
-          type: string
-          description: Enter each URI on a new line.
+          type: array
+          items:
+            $ref: '#/components/schemas/RedirectURI'
         sub_mode:
           allOf:
           - $ref: '#/components/schemas/SubModeEnum'
@@ -44792,6 +44790,7 @@ components:
       - meta_model_name
       - name
       - pk
+      - redirect_uris
       - verbose_name
       - verbose_name_plural
     OAuth2ProviderRequest:
@@ -44863,8 +44862,9 @@ components:
           description: Key used to encrypt the tokens. When set, tokens will be encrypted
             and returned as JWEs.
         redirect_uris:
-          type: string
-          description: Enter each URI on a new line.
+          type: array
+          items:
+            $ref: '#/components/schemas/RedirectURIRequest'
         sub_mode:
           allOf:
           - $ref: '#/components/schemas/SubModeEnum'
@@ -44886,6 +44886,7 @@ components:
       - authorization_flow
       - invalidation_flow
       - name
+      - redirect_uris
     OAuth2ProviderSetupURLs:
       type: object
       description: OAuth2 Provider Metadata serializer
@@ -48884,8 +48885,9 @@ components:
           description: Key used to encrypt the tokens. When set, tokens will be encrypted
             and returned as JWEs.
         redirect_uris:
-          type: string
-          description: Enter each URI on a new line.
+          type: array
+          items:
+            $ref: '#/components/schemas/RedirectURIRequest'
         sub_mode:
           allOf:
           - $ref: '#/components/schemas/SubModeEnum'
@@ -51478,7 +51480,9 @@ components:
           description: When enabled, this provider will intercept the authorization
             header and authenticate requests based on its value.
         redirect_uris:
-          type: string
+          type: array
+          items:
+            $ref: '#/components/schemas/RedirectURI'
           readOnly: true
         cookie_domain:
           type: string
@@ -52074,6 +52078,29 @@ components:
           type: string
       required:
       - to
+    RedirectURI:
+      type: object
+      description: A single allowed redirect URI entry
+      properties:
+        matching_mode:
+          $ref: '#/components/schemas/MatchingModeEnum'
+        url:
+          type: string
+      required:
+      - matching_mode
+      - url
+    RedirectURIRequest:
+      type: object
+      description: A single allowed redirect URI entry
+      properties:
+        matching_mode:
+          $ref: '#/components/schemas/MatchingModeEnum'
+        url:
+          type: string
+          minLength: 1
+      required:
+      - matching_mode
+      - url
     Reputation:
       type: object
       description: Reputation Serializer

tests/e2e/test_provider_oauth2_github.py

@@ -12,7 +12,12 @@ from authentik.flows.models import Flow
 from authentik.lib.generators import generate_id, generate_key
 from authentik.policies.expression.models import ExpressionPolicy
 from authentik.policies.models import PolicyBinding
-from authentik.providers.oauth2.models import ClientTypes, OAuth2Provider
+from authentik.providers.oauth2.models import (
+    ClientTypes,
+    OAuth2Provider,
+    RedirectURI,
+    RedirectURIMatchingMode,
+)
 from tests.e2e.utils import SeleniumTestCase, retry
 
 
@@ -73,7 +78,9 @@ class TestProviderOAuth2Github(SeleniumTestCase):
             client_id=self.client_id,
             client_secret=self.client_secret,
             client_type=ClientTypes.CONFIDENTIAL,
-            redirect_uris="http://localhost:3000/login/github",
+            redirect_uris=[
+                RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost:3000/login/github")
+            ],
             authorization_flow=authorization_flow,
         )
         Application.objects.create(
@@ -128,7 +135,9 @@ class TestProviderOAuth2Github(SeleniumTestCase):
             client_id=self.client_id,
             client_secret=self.client_secret,
             client_type=ClientTypes.CONFIDENTIAL,
-            redirect_uris="http://localhost:3000/login/github",
+            redirect_uris=[
+                RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost:3000/login/github")
+            ],
             authorization_flow=authorization_flow,
         )
         app = Application.objects.create(
@@ -199,7 +208,9 @@ class TestProviderOAuth2Github(SeleniumTestCase):
             client_id=self.client_id,
             client_secret=self.client_secret,
             client_type=ClientTypes.CONFIDENTIAL,
-            redirect_uris="http://localhost:3000/login/github",
+            redirect_uris=[
+                RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost:3000/login/github")
+            ],
             authorization_flow=authorization_flow,
         )
         app = Application.objects.create(

tests/e2e/test_provider_oauth2_grafana.py

@@ -19,7 +19,13 @@ from authentik.providers.oauth2.constants import (
     SCOPE_OPENID_EMAIL,
     SCOPE_OPENID_PROFILE,
 )
-from authentik.providers.oauth2.models import ClientTypes, OAuth2Provider, ScopeMapping
+from authentik.providers.oauth2.models import (
+    ClientTypes,
+    OAuth2Provider,
+    RedirectURI,
+    RedirectURIMatchingMode,
+    ScopeMapping,
+)
 from tests.e2e.utils import SeleniumTestCase, retry
 
 
@@ -82,7 +88,7 @@ class TestProviderOAuth2OAuth(SeleniumTestCase):
             client_id=self.client_id,
             client_secret=self.client_secret,
             signing_key=create_test_cert(),
-            redirect_uris="http://localhost:3000/",
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost:3000/")],
             authorization_flow=authorization_flow,
         )
         provider.property_mappings.set(
@@ -131,7 +137,11 @@ class TestProviderOAuth2OAuth(SeleniumTestCase):
             client_id=self.client_id,
             client_secret=self.client_secret,
             signing_key=create_test_cert(),
-            redirect_uris="http://localhost:3000/login/generic_oauth",
+            redirect_uris=[
+                RedirectURI(
+                    RedirectURIMatchingMode.STRICT, "http://localhost:3000/login/generic_oauth"
+                )
+            ],
             authorization_flow=authorization_flow,
         )
         provider.property_mappings.set(
@@ -200,7 +210,11 @@ class TestProviderOAuth2OAuth(SeleniumTestCase):
             client_id=self.client_id,
             client_secret=self.client_secret,
             signing_key=create_test_cert(),
-            redirect_uris="http://localhost:3000/login/generic_oauth",
+            redirect_uris=[
+                RedirectURI(
+                    RedirectURIMatchingMode.STRICT, "http://localhost:3000/login/generic_oauth"
+                )
+            ],
             authorization_flow=authorization_flow,
             invalidation_flow=invalidation_flow,
         )
@@ -275,7 +289,11 @@ class TestProviderOAuth2OAuth(SeleniumTestCase):
             client_id=self.client_id,
             client_secret=self.client_secret,
             signing_key=create_test_cert(),
-            redirect_uris="http://localhost:3000/login/generic_oauth",
+            redirect_uris=[
+                RedirectURI(
+                    RedirectURIMatchingMode.STRICT, "http://localhost:3000/login/generic_oauth"
+                )
+            ],
         )
         provider.property_mappings.set(
             ScopeMapping.objects.filter(
@@ -355,7 +373,11 @@ class TestProviderOAuth2OAuth(SeleniumTestCase):
             client_id=self.client_id,
             client_secret=self.client_secret,
             signing_key=create_test_cert(),
-            redirect_uris="http://localhost:3000/login/generic_oauth",
+            redirect_uris=[
+                RedirectURI(
+                    RedirectURIMatchingMode.STRICT, "http://localhost:3000/login/generic_oauth"
+                )
+            ],
         )
         provider.property_mappings.set(
             ScopeMapping.objects.filter(

tests/e2e/test_provider_oidc.py

@@ -19,7 +19,13 @@ from authentik.providers.oauth2.constants import (
     SCOPE_OPENID_EMAIL,
     SCOPE_OPENID_PROFILE,
 )
-from authentik.providers.oauth2.models import ClientTypes, OAuth2Provider, ScopeMapping
+from authentik.providers.oauth2.models import (
+    ClientTypes,
+    OAuth2Provider,
+    RedirectURI,
+    RedirectURIMatchingMode,
+    ScopeMapping,
+)
 from tests.e2e.utils import SeleniumTestCase, retry
 
 
@@ -67,7 +73,7 @@ class TestProviderOAuth2OIDC(SeleniumTestCase):
             client_id=self.client_id,
             client_secret=self.client_secret,
             signing_key=create_test_cert(),
-            redirect_uris="http://localhost:9009/",
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost:9009/")],
             authorization_flow=authorization_flow,
         )
         provider.property_mappings.set(
@@ -116,7 +122,9 @@ class TestProviderOAuth2OIDC(SeleniumTestCase):
             client_id=self.client_id,
             client_secret=self.client_secret,
             signing_key=create_test_cert(),
-            redirect_uris="http://localhost:9009/auth/callback",
+            redirect_uris=[
+                RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost:9009/auth/callback")
+            ],
             authorization_flow=authorization_flow,
         )
         provider.property_mappings.set(
@@ -188,7 +196,9 @@ class TestProviderOAuth2OIDC(SeleniumTestCase):
             client_id=self.client_id,
             client_secret=self.client_secret,
             signing_key=create_test_cert(),
-            redirect_uris="http://localhost:9009/auth/callback",
+            redirect_uris=[
+                RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost:9009/auth/callback")
+            ],
         )
         provider.property_mappings.set(
             ScopeMapping.objects.filter(
@@ -259,7 +269,9 @@ class TestProviderOAuth2OIDC(SeleniumTestCase):
             client_id=self.client_id,
             client_secret=self.client_secret,
             signing_key=create_test_cert(),
-            redirect_uris="http://localhost:9009/auth/callback",
+            redirect_uris=[
+                RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost:9009/auth/callback")
+            ],
         )
         provider.property_mappings.set(
             ScopeMapping.objects.filter(

tests/e2e/test_provider_oidc_implicit.py

@@ -19,7 +19,13 @@ from authentik.providers.oauth2.constants import (
     SCOPE_OPENID_EMAIL,
     SCOPE_OPENID_PROFILE,
 )
-from authentik.providers.oauth2.models import ClientTypes, OAuth2Provider, ScopeMapping
+from authentik.providers.oauth2.models import (
+    ClientTypes,
+    OAuth2Provider,
+    RedirectURI,
+    RedirectURIMatchingMode,
+    ScopeMapping,
+)
 from tests.e2e.utils import SeleniumTestCase, retry
 
 
@@ -68,7 +74,7 @@ class TestProviderOAuth2OIDCImplicit(SeleniumTestCase):
             client_id=self.client_id,
             client_secret=self.client_secret,
             signing_key=create_test_cert(),
-            redirect_uris="http://localhost:9009/",
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost:9009/")],
             authorization_flow=authorization_flow,
         )
         provider.property_mappings.set(
@@ -117,7 +123,9 @@ class TestProviderOAuth2OIDCImplicit(SeleniumTestCase):
             client_id=self.client_id,
             client_secret=self.client_secret,
             signing_key=create_test_cert(),
-            redirect_uris="http://localhost:9009/implicit/",
+            redirect_uris=[
+                RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost:9009/implicit/")
+            ],
             authorization_flow=authorization_flow,
         )
         provider.property_mappings.set(
@@ -170,7 +178,9 @@ class TestProviderOAuth2OIDCImplicit(SeleniumTestCase):
             client_id=self.client_id,
             client_secret=self.client_secret,
             signing_key=create_test_cert(),
-            redirect_uris="http://localhost:9009/implicit/",
+            redirect_uris=[
+                RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost:9009/implicit/")
+            ],
         )
         provider.property_mappings.set(
             ScopeMapping.objects.filter(
@@ -238,7 +248,9 @@ class TestProviderOAuth2OIDCImplicit(SeleniumTestCase):
             client_id=self.client_id,
             client_secret=self.client_secret,
             signing_key=create_test_cert(),
-            redirect_uris="http://localhost:9009/implicit/",
+            redirect_uris=[
+                RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost:9009/implicit/")
+            ],
         )
         provider.property_mappings.set(
             ScopeMapping.objects.filter(

web/package-lock.json

@@ -23,7 +23,7 @@
                 "@floating-ui/dom": "^1.6.11",
                 "@formatjs/intl-listformat": "^7.5.7",
                 "@fortawesome/fontawesome-free": "^6.6.0",
-                "@goauthentik/api": "^2024.10.1-1731327664",
+                "@goauthentik/api": "^2024.10.2-1732206118",
                 "@lit-labs/ssr": "^3.2.2",
                 "@lit/context": "^1.1.2",
                 "@lit/localize": "^0.12.2",
@@ -84,7 +84,7 @@
                 "@wdio/cli": "^9.1.2",
                 "@wdio/spec-reporter": "^9.1.2",
                 "chokidar": "^4.0.1",
-                "chromedriver": "^129.0.2",
+                "chromedriver": "^130.0.4",
                 "esbuild": "^0.24.0",
                 "eslint": "^9.11.1",
                 "eslint-plugin-lit": "^1.15.0",
@@ -1775,9 +1775,9 @@
             }
         },
         "node_modules/@goauthentik/api": {
-            "version": "2024.10.1-1731327664",
-            "resolved": "https://registry.npmjs.org/@goauthentik/api/-/api-2024.10.1-1731327664.tgz",
-            "integrity": "sha512-svzKZAXsmsrSfGbTOhhFgE5kAb0vv2sIJAhXSYd1i7ua6OglZV6Qs531XhoK5QU8AFL55D8Un1U5QZ16ZFGANA=="
+            "version": "2024.10.2-1732206118",
+            "resolved": "https://registry.npmjs.org/@goauthentik/api/-/api-2024.10.2-1732206118.tgz",
+            "integrity": "sha512-Zg90AJvGDquD3u73yIBKXFBDxsCljPxVqylylS6hgPzkLSogKVVkjhmKteWFXDrVxxsxo5XIa4FuTe3wAERyzw=="
         },
         "node_modules/@goauthentik/web": {
             "resolved": "",
@@ -8699,9 +8699,9 @@
             }
         },
         "node_modules/chromedriver": {
-            "version": "129.0.2",
-            "resolved": "https://registry.npmjs.org/chromedriver/-/chromedriver-129.0.2.tgz",
-            "integrity": "sha512-rUEFCJAmAwOdFfaDFtveT97fFeA7NOxlkgyPyN+G09Ws4qGW39aLDxMQBbS9cxQQHhTihqZZobgF5CLVYXnmGA==",
+            "version": "130.0.4",
+            "resolved": "https://registry.npmjs.org/chromedriver/-/chromedriver-130.0.4.tgz",
+            "integrity": "sha512-lpR+PWXszij1k4Ig3t338Zvll9HtCTiwoLM7n4pCCswALHxzmgwaaIFBh3rt9+5wRk9D07oFblrazrBxwaYYAQ==",
             "dev": true,
             "hasInstallScript": true,
             "dependencies": {

web/package.json

@@ -11,7 +11,7 @@
         "@floating-ui/dom": "^1.6.11",
         "@formatjs/intl-listformat": "^7.5.7",
         "@fortawesome/fontawesome-free": "^6.6.0",
-        "@goauthentik/api": "^2024.10.1-1731327664",
+        "@goauthentik/api": "^2024.10.2-1732206118",
         "@lit-labs/ssr": "^3.2.2",
         "@lit/context": "^1.1.2",
         "@lit/localize": "^0.12.2",
@@ -72,7 +72,7 @@
         "@wdio/cli": "^9.1.2",
         "@wdio/spec-reporter": "^9.1.2",
         "chokidar": "^4.0.1",
-        "chromedriver": "^129.0.2",
+        "chromedriver": "^130.0.4",
         "esbuild": "^0.24.0",
         "eslint": "^9.11.1",
         "eslint-plugin-lit": "^1.15.0",
@@ -328,12 +328,18 @@
         },
         "test:e2e:watch": {
             "command": "wdio run ./tests/wdio.conf.ts",
+            "dependencies": [
+                "build"
+            ],
             "env": {
                 "TS_NODE_PROJECT": "./tests/tsconfig.test.json"
             }
         },
         "test:watch": {
             "command": "wdio run ./wdio.conf.ts",
+            "dependencies": [
+                "build"
+            ],
             "env": {
                 "TS_NODE_PROJECT": "tsconfig.test.json"
             }

web/src/admin/admin-settings/AdminSettingsFooterLinks.ts

@@ -0,0 +1,100 @@
+import { AkControlElement } from "@goauthentik/elements/AkControlElement.js";
+import { type Spread } from "@goauthentik/elements/types";
+import { spread } from "@open-wc/lit-helpers";
+
+import { msg } from "@lit/localize";
+import { css, html } from "lit";
+import { customElement, property, queryAll } from "lit/decorators.js";
+import { ifDefined } from "lit/directives/if-defined.js";
+
+import PFFormControl from "@patternfly/patternfly/components/FormControl/form-control.css";
+import PFInputGroup from "@patternfly/patternfly/components/InputGroup/input-group.css";
+import PFBase from "@patternfly/patternfly/patternfly-base.css";
+
+import { FooterLink } from "@goauthentik/api";
+
+export interface IFooterLinkInput {
+    footerLink: FooterLink;
+}
+
+const LEGAL_SCHEMES = ["http://", "https://", "mailto:"];
+const hasLegalScheme = (url: string) =>
+    LEGAL_SCHEMES.some((scheme) => url.substr(0, scheme.length).toLowerCase() === scheme);
+
+@customElement("ak-admin-settings-footer-link")
+export class FooterLinkInput extends AkControlElement<FooterLink> {
+    static get styles() {
+        return [
+            PFBase,
+            PFInputGroup,
+            PFFormControl,
+            css`
+                .pf-c-input-group input#linkname {
+                    flex-grow: 1;
+                    width: 8rem;
+                }
+            `,
+        ];
+    }
+
+    @property({ type: Object, attribute: false })
+    footerLink: FooterLink = {
+        name: "",
+        href: "",
+    };
+
+    @queryAll(".ak-form-control")
+    controls?: HTMLInputElement[];
+
+    json() {
+        return Object.fromEntries(
+            Array.from(this.controls ?? []).map((control) => [control.name, control.value]),
+        ) as unknown as FooterLink;
+    }
+
+    get isValid() {
+        const href = this.json()?.href ?? "";
+        return hasLegalScheme(href) && URL.canParse(href);
+    }
+
+    render() {
+        const onChange = () => {
+            this.dispatchEvent(new Event("change", { composed: true, bubbles: true }));
+        };
+
+        return html` <div class="pf-c-input-group">
+            <input
+                type="text"
+                @change=${onChange}
+                value=${this.footerLink.name}
+                id="linkname"
+                class="pf-c-form-control ak-form-control"
+                name="name"
+                placeholder=${msg("Link Title")}
+                tabindex="1"
+            />
+            <input
+                type="text"
+                @change=${onChange}
+                value="${ifDefined(this.footerLink.href ?? undefined)}"
+                class="pf-c-form-control ak-form-control"
+                required
+                placeholder=${msg("URL")}
+                name="href"
+                tabindex="1"
+            />
+        </div>`;
+    }
+}
+
+export function akFooterLinkInput(properties: IFooterLinkInput) {
+    return html`<ak-admin-settings-footer-link
+        ${spread(properties as unknown as Spread)}
+    ></ak-admin-settings-footer-link>`;
+}
+
+declare global {
+    interface HTMLElementTagNameMap {
+        "ak-admin-settings-footer-link": FooterLinkInput;
+    }
+}

web/src/admin/admin-settings/AdminSettingsForm.ts

@@ -3,8 +3,7 @@ import { first } from "@goauthentik/common/utils";
 import "@goauthentik/components/ak-number-input";
 import "@goauthentik/components/ak-switch-input";
 import "@goauthentik/components/ak-text-input";
-import "@goauthentik/elements/CodeMirror";
-import { CodeMirrorMode } from "@goauthentik/elements/CodeMirror";
+import "@goauthentik/elements/ak-array-input.js";
 import { Form } from "@goauthentik/elements/forms/Form";
 import "@goauthentik/elements/forms/FormGroup";
 import "@goauthentik/elements/forms/HorizontalFormElement";
@@ -13,13 +12,16 @@ import "@goauthentik/elements/forms/SearchSelect";
 import "@goauthentik/elements/utils/TimeDeltaHelp";
 
 import { msg } from "@lit/localize";
-import { CSSResult, TemplateResult, html } from "lit";
+import { CSSResult, TemplateResult, css, html } from "lit";
 import { customElement, property } from "lit/decorators.js";
 import { ifDefined } from "lit/directives/if-defined.js";
 
 import PFList from "@patternfly/patternfly/components/List/list.css";
 
-import { AdminApi, Settings, SettingsRequest } from "@goauthentik/api";
+import { AdminApi, FooterLink, Settings, SettingsRequest } from "@goauthentik/api";
+
+import "./AdminSettingsFooterLinks.js";
+import { IFooterLinkInput, akFooterLinkInput } from "./AdminSettingsFooterLinks.js";
 
 @customElement("ak-admin-settings-form")
 export class AdminSettingsForm extends Form<SettingsRequest> {
@@ -40,7 +42,14 @@ export class AdminSettingsForm extends Form<SettingsRequest> {
     private _settings?: Settings;
 
     static get styles(): CSSResult[] {
-        return super.styles.concat(PFList);
+        return super.styles.concat(
+            PFList,
+            css`
+                ak-array-input {
+                    width: 100%;
+                }
+            `,
+        );
     }
 
     getSuccessMessage(): string {
@@ -166,15 +175,21 @@ export class AdminSettingsForm extends Form<SettingsRequest> {
             >
             </ak-text-input>
             <ak-form-element-horizontal label=${msg("Footer links")} name="footerLinks">
-                <ak-codemirror
-                    mode=${CodeMirrorMode.YAML}
-                    .value="${first(this._settings?.footerLinks, [])}"
-                ></ak-codemirror>
+                <ak-array-input
+                    .items=${this._settings?.footerLinks ?? []}
+                    .newItem=${() => ({ name: "", href: "" })}
+                    .row=${(f?: FooterLink) =>
+                        akFooterLinkInput({
+                            ".footerLink": f,
+                            "style": "width: 100%",
+                            "name": "footer-link",
+                        } as unknown as IFooterLinkInput)}
+                >
+                </ak-array-input>
                 <p class="pf-c-form__helper-text">
                     ${msg(
-                        "This option configures the footer links on the flow executor pages. It must be a valid YAML or JSON list and can be used as follows:",
+                        "This option configures the footer links on the flow executor pages. The URL is limited to web and mail addresses. If the name is left blank, the URL will be shown.",
                     )}
-                    <code>[{"name": "Link Name","href":"https://goauthentik.io"}]</code>
                 </p>
             </ak-form-element-horizontal>
             <ak-switch-input

web/src/admin/admin-settings/stories/AdminSettingsFooterLinks.stories.ts

@@ -0,0 +1,80 @@
+import "@goauthentik/elements/messages/MessageContainer";
+import { Meta, StoryObj, WebComponentsRenderer } from "@storybook/web-components";
+import { DecoratorFunction } from "storybook/internal/types";
+
+import { html } from "lit";
+
+import { FooterLinkInput } from "../AdminSettingsFooterLinks.js";
+import "../AdminSettingsFooterLinks.js";
+
+// eslint-disable-next-line @typescript-eslint/no-explicit-any
+type Decorator = DecoratorFunction<WebComponentsRenderer, any>;
+
+const metadata: Meta<FooterLinkInput> = {
+    title: "Components / Footer Link Input",
+    component: "ak-admin-settings-footer-link",
+    parameters: {
+        docs: {
+            description: {
+                component: "A stylized control for the footer links",
+            },
+        },
+    },
+    decorators: [
+        (story: Decorator) => {
+            window.setTimeout(() => {
+                const control = document.getElementById("footer-link");
+                if (!control) {
+                    throw new Error("Test was not initialized correctly.");
+                }
+                const messages = document.getElementById("reported-value");
+                control.addEventListener("change", (event: Event) => {
+                    if (!event.target) {
+                        return;
+                    }
+                    const target = event.target as FooterLinkInput;
+                    messages!.innerText = `${JSON.stringify(target.json(), null, 2)}\n\nValid: ${target.isValid ? "Yes" : "No"}`;
+                });
+            }, 250);
+
+            return html`<div
+                style="background: #fff; padding: 2em; position: relative"
+                id="the-main-event"
+            >
+                <style>
+                    li {
+                        display: block;
+                    }
+                    p {
+                        margin-top: 1em;
+                    }
+                    #the-answer-block {
+                        padding-top: 3em;
+                    }
+                </style>
+                <div>
+                    ${
+                        // @ts-expect-error The types for web components are not well-defined }
+                        story()
+                    }
+                </div>
+                <div style="margin-top: 2rem">
+                    <p>Reported value:</p>
+                    <pre id="reported-value"></pre>
+                </div>
+            </div>`;
+        },
+    ],
+};
+
+export default metadata;
+
+type Story = StoryObj;
+
+export const Default: Story = {
+    render: () =>
+        html` <ak-admin-settings-footer-link
+            id="footer-link"
+            name="the-footer"
+        ></ak-admin-settings-footer-link>`,
+};

web/src/admin/admin-settings/stories/AdminSettingsFooterLinks.test.ts

@@ -0,0 +1,68 @@
+import { render } from "@goauthentik/elements/tests/utils.js";
+import { $, expect } from "@wdio/globals";
+
+import { html } from "lit";
+
+import "../AdminSettingsFooterLinks.js";
+
+describe("ak-admin-settings-footer-link", () => {
+    afterEach(async () => {
+        await browser.execute(async () => {
+            await document.body.querySelector("ak-admin-settings-footer-link")?.remove();
+            if (document.body["_$litPart$"]) {
+                // @ts-expect-error expression of type '"_$litPart$"' is added by Lit
+                await delete document.body["_$litPart$"];
+            }
+        });
+    });
+
+    it("should render an empty control", async () => {
+        render(html`<ak-admin-settings-footer-link name="link"></ak-admin-settings-footer-link>`);
+        const link = await $("ak-admin-settings-footer-link");
+        await expect(await link.getProperty("isValid")).toStrictEqual(false);
+        await expect(await link.getProperty("toJson")).toEqual({ name: "", href: "" });
+    });
+
+    it("should not be valid if just a name is filled in", async () => {
+        render(html`<ak-admin-settings-footer-link name="link"></ak-admin-settings-footer-link>`);
+        const link = await $("ak-admin-settings-footer-link");
+        await link.$('input[name="name"]').setValue("foo");
+        await expect(await link.getProperty("isValid")).toStrictEqual(false);
+        await expect(await link.getProperty("toJson")).toEqual({ name: "foo", href: "" });
+    });
+
+    it("should be valid if just a URL is filled in", async () => {
+        render(html`<ak-admin-settings-footer-link name="link"></ak-admin-settings-footer-link>`);
+        const link = await $("ak-admin-settings-footer-link");
+        await link.$('input[name="href"]').setValue("https://foo.com");
+        await expect(await link.getProperty("isValid")).toStrictEqual(true);
+        await expect(await link.getProperty("toJson")).toEqual({
+            name: "",
+            href: "https://foo.com",
+        });
+    });
+
+    it("should be valid if both are filled in", async () => {
+        render(html`<ak-admin-settings-footer-link name="link"></ak-admin-settings-footer-link>`);
+        const link = await $("ak-admin-settings-footer-link");
+        await link.$('input[name="name"]').setValue("foo");
+        await link.$('input[name="href"]').setValue("https://foo.com");
+        await expect(await link.getProperty("isValid")).toStrictEqual(true);
+        await expect(await link.getProperty("toJson")).toEqual({
+            name: "foo",
+            href: "https://foo.com",
+        });
+    });
+
+    it("should not be valid if the URL is not valid", async () => {
+        render(html`<ak-admin-settings-footer-link name="link"></ak-admin-settings-footer-link>`);
+        const link = await $("ak-admin-settings-footer-link");
+        await link.$('input[name="name"]').setValue("foo");
+        await link.$('input[name="href"]').setValue("never://foo.com");
+        await expect(await link.getProperty("toJson")).toEqual({
+            name: "foo",
+            href: "never://foo.com",
+        });
+        await expect(await link.getProperty("isValid")).toStrictEqual(false);
+    });
+});

web/src/admin/applications/wizard/methods/oauth/ak-application-wizard-authentication-by-oauth.ts

@@ -11,6 +11,10 @@ import {
     redirectUriHelp,
     subjectModeOptions,
 } from "@goauthentik/admin/providers/oauth2/OAuth2ProviderForm";
+import {
+    IRedirectURIInput,
+    akOAuthRedirectURIInput,
+} from "@goauthentik/admin/providers/oauth2/OAuth2ProviderRedirectURI";
 import {
     makeSourceSelector,
     oauth2SourcesProvider,
@@ -31,7 +35,13 @@ import { customElement, state } from "@lit/reactive-element/decorators.js";
 import { html, nothing } from "lit";
 import { ifDefined } from "lit/directives/if-defined.js";
 
-import { ClientTypeEnum, FlowsInstancesListDesignationEnum, SourcesApi } from "@goauthentik/api";
+import {
+    ClientTypeEnum,
+    FlowsInstancesListDesignationEnum,
+    MatchingModeEnum,
+    RedirectURI,
+    SourcesApi,
+} from "@goauthentik/api";
 import { type OAuth2Provider, type PaginatedOAuthSourceList } from "@goauthentik/api";
 
 import BaseProviderPanel from "../BaseProviderPanel";
@@ -120,14 +130,27 @@ export class ApplicationWizardAuthenticationByOauth extends BaseProviderPanel {
                         >
                         </ak-text-input>
 
-                        <ak-textarea-input
+                        <ak-form-element-horizontal
+                            label=${msg("Redirect URIs/Origins")}
+                            required
                             name="redirectUris"
-                            label=${msg("Redirect URIs/Origins (RegEx)")}
-                            .value=${provider?.redirectUris}
-                            .errorMessages=${errors?.redirectUriHelp ?? []}
-                            .bighelp=${redirectUriHelp}
                         >
-                        </ak-textarea-input>
+                            <ak-array-input
+                                .items=${[]}
+                                .newItem=${() => ({
+                                    matchingMode: MatchingModeEnum.Strict,
+                                    url: "",
+                                })}
+                                .row=${(f?: RedirectURI) =>
+                                    akOAuthRedirectURIInput({
+                                        ".redirectURI": f,
+                                        "style": "width: 100%",
+                                        "name": "oauth2-redirect-uri",
+                                    } as unknown as IRedirectURIInput)}
+                            >
+                            </ak-array-input>
+                            ${redirectUriHelp}
+                        </ak-form-element-horizontal>
 
                         <ak-form-element-horizontal
                             label=${msg("Signing Key")}

web/src/admin/groups/RelatedUserList.ts

@@ -219,6 +219,7 @@ export class RelatedUserList extends WithBrandConfig(WithCapabilitiesConfig(Tabl
                                   return new CoreApi(DEFAULT_CONFIG)
                                       .coreUsersImpersonateCreate({
                                           id: item.pk,
+                                          impersonationRequest: { reason: "" },
                                       })
                                       .then(() => {
                                           window.location.href = "/";

web/src/admin/providers/oauth2/OAuth2ProviderForm.ts

@@ -1,11 +1,16 @@
 import "@goauthentik/admin/common/ak-crypto-certificate-search";
 import "@goauthentik/admin/common/ak-flow-search/ak-flow-search";
 import { BaseProviderForm } from "@goauthentik/admin/providers/BaseProviderForm";
+import {
+    IRedirectURIInput,
+    akOAuthRedirectURIInput,
+} from "@goauthentik/admin/providers/oauth2/OAuth2ProviderRedirectURI";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
 import { ascii_letters, digits, first, randomString } from "@goauthentik/common/utils";
 import "@goauthentik/components/ak-radio-input";
 import "@goauthentik/components/ak-text-input";
 import "@goauthentik/components/ak-textarea-input";
+import "@goauthentik/elements/ak-array-input.js";
 import "@goauthentik/elements/ak-dual-select/ak-dual-select-dynamic-selected-provider.js";
 import "@goauthentik/elements/ak-dual-select/ak-dual-select-provider.js";
 import "@goauthentik/elements/forms/FormGroup";
@@ -15,7 +20,7 @@ import "@goauthentik/elements/forms/SearchSelect";
 import "@goauthentik/elements/utils/TimeDeltaHelp";
 
 import { msg } from "@lit/localize";
-import { TemplateResult, html } from "lit";
+import { TemplateResult, css, html } from "lit";
 import { customElement, state } from "lit/decorators.js";
 import { ifDefined } from "lit/directives/if-defined.js";
 
@@ -23,8 +28,10 @@ import {
     ClientTypeEnum,
     FlowsInstancesListDesignationEnum,
     IssuerModeEnum,
+    MatchingModeEnum,
     OAuth2Provider,
     ProvidersApi,
+    RedirectURI,
     SubModeEnum,
 } from "@goauthentik/api";
 
@@ -98,13 +105,13 @@ export const issuerModeOptions = [
 
 const redirectUriHelpMessages = [
     msg(
-        "Valid redirect URLs after a successful authorization flow. Also specify any origins here for Implicit flows.",
+        "Valid redirect URIs after a successful authorization flow. Also specify any origins here for Implicit flows.",
     ),
     msg(
         "If no explicit redirect URIs are specified, the first successfully used redirect URI will be saved.",
     ),
     msg(
-        'To allow any redirect URI, set this value to ".*". Be aware of the possible security implications this can have.',
+        'To allow any redirect URI, set the mode to Regex and the value to ".*". Be aware of the possible security implications this can have.',
     ),
 ];
 
@@ -124,11 +131,23 @@ export class OAuth2ProviderFormPage extends BaseProviderForm<OAuth2Provider> {
     @state()
     showClientSecret = true;
 
+    @state()
+    redirectUris: RedirectURI[] = [];
+
+    static get styles() {
+        return super.styles.concat(css`
+            ak-array-input {
+                width: 100%;
+            }
+        `);
+    }
+
     async loadInstance(pk: number): Promise<OAuth2Provider> {
         const provider = await new ProvidersApi(DEFAULT_CONFIG).providersOauth2Retrieve({
             id: pk,
         });
         this.showClientSecret = provider.clientType === ClientTypeEnum.Confidential;
+        this.redirectUris = provider.redirectUris;
         return provider;
     }
 
@@ -203,13 +222,24 @@ export class OAuth2ProviderFormPage extends BaseProviderForm<OAuth2Provider> {
                         ?hidden=${!this.showClientSecret}
                     >
                     </ak-text-input>
-                    <ak-textarea-input
+                    <ak-form-element-horizontal
+                        label=${msg("Redirect URIs/Origins")}
+                        required
                         name="redirectUris"
-                        label=${msg("Redirect URIs/Origins (RegEx)")}
-                        .value=${provider?.redirectUris}
-                        .bighelp=${redirectUriHelp}
                     >
-                    </ak-textarea-input>
+                        <ak-array-input
+                            .items=${this.instance?.redirectUris ?? []}
+                            .newItem=${() => ({ matchingMode: MatchingModeEnum.Strict, url: "" })}
+                            .row=${(f?: RedirectURI) =>
+                                akOAuthRedirectURIInput({
+                                    ".redirectURI": f,
+                                    "style": "width: 100%",
+                                    "name": "oauth2-redirect-uri",
+                                } as unknown as IRedirectURIInput)}
+                        >
+                        </ak-array-input>
+                        ${redirectUriHelp}
+                    </ak-form-element-horizontal>
 
                     <ak-form-element-horizontal label=${msg("Signing Key")} name="signingKey">
                         <!-- NOTE: 'null' cast to 'undefined' on signingKey to satisfy Lit requirements -->

web/src/admin/providers/oauth2/OAuth2ProviderRedirectURI.ts

@@ -0,0 +1,104 @@
+import "@goauthentik/admin/providers/oauth2/OAuth2ProviderRedirectURI";
+import { AkControlElement } from "@goauthentik/elements/AkControlElement.js";
+import { type Spread } from "@goauthentik/elements/types";
+import { spread } from "@open-wc/lit-helpers";
+
+import { msg } from "@lit/localize";
+import { css, html } from "lit";
+import { customElement, property, queryAll } from "lit/decorators.js";
+import { ifDefined } from "lit/directives/if-defined.js";
+
+import PFFormControl from "@patternfly/patternfly/components/FormControl/form-control.css";
+import PFInputGroup from "@patternfly/patternfly/components/InputGroup/input-group.css";
+import PFBase from "@patternfly/patternfly/patternfly-base.css";
+
+import { MatchingModeEnum, RedirectURI } from "@goauthentik/api";
+
+export interface IRedirectURIInput {
+    redirectURI: RedirectURI;
+}
+
+@customElement("ak-provider-oauth2-redirect-uri")
+export class OAuth2ProviderRedirectURI extends AkControlElement<RedirectURI> {
+    static get styles() {
+        return [
+            PFBase,
+            PFInputGroup,
+            PFFormControl,
+            css`
+                .pf-c-input-group select {
+                    width: 10em;
+                }
+            `,
+        ];
+    }
+
+    @property({ type: Object, attribute: false })
+    redirectURI: RedirectURI = {
+        matchingMode: MatchingModeEnum.Strict,
+        url: "",
+    };
+
+    @queryAll(".ak-form-control")
+    controls?: HTMLInputElement[];
+
+    json() {
+        return Object.fromEntries(
+            Array.from(this.controls ?? []).map((control) => [control.name, control.value]),
+        ) as unknown as RedirectURI;
+    }
+
+    get isValid() {
+        return true;
+    }
+
+    render() {
+        const onChange = () => {
+            this.dispatchEvent(new Event("change", { composed: true, bubbles: true }));
+        };
+
+        return html`<div class="pf-c-input-group">
+            <select
+                name="matchingMode"
+                class="pf-c-form-control ak-form-control"
+                @change=${onChange}
+            >
+                <option
+                    value="${MatchingModeEnum.Strict}"
+                    ?selected=${this.redirectURI.matchingMode === MatchingModeEnum.Strict}
+                >
+                    ${msg("Strict")}
+                </option>
+                <option
+                    value="${MatchingModeEnum.Regex}"
+                    ?selected=${this.redirectURI.matchingMode === MatchingModeEnum.Regex}
+                >
+                    ${msg("Regex")}
+                </option>
+            </select>
+            <input
+                type="text"
+                @change=${onChange}
+                value="${ifDefined(this.redirectURI.url ?? undefined)}"
+                class="pf-c-form-control ak-form-control"
+                required
+                id="url"
+                placeholder=${msg("URL")}
+                name="url"
+                tabindex="1"
+            />
+        </div>`;
+    }
+}
+
+export function akOAuthRedirectURIInput(properties: IRedirectURIInput) {
+    return html`<ak-provider-oauth2-redirect-uri
+        ${spread(properties as unknown as Spread)}
+    ></ak-provider-oauth2-redirect-uri>`;
+}
+
+declare global {
+    interface HTMLElementTagNameMap {
+        "ak-provider-oauth2-redirect-uri": OAuth2ProviderRedirectURI;
+    }
+}

web/src/admin/providers/oauth2/OAuth2ProviderViewPage.ts

@@ -234,7 +234,11 @@ export class OAuth2ProviderViewPage extends AKElement {
                                 </dt>
                                 <dd class="pf-c-description-list__description">
                                     <div class="pf-c-description-list__text">
-                                        ${this.provider.redirectUris}
+                                        <ul>
+                                            ${this.provider.redirectUris.map((ru) => {
+                                                return html`<li>${ru.matchingMode}: ${ru.url}</li>`;
+                                            })}
+                                        </ul>
                                     </div>
                                 </dd>
                             </div>

web/src/admin/providers/proxy/ProxyProviderViewPage.ts

@@ -392,9 +392,13 @@ export class ProxyProviderViewPage extends AKElement {
                                 <dd class="pf-c-description-list__description">
                                     <div class="pf-c-description-list__text">
                                         <ul class="pf-c-list">
-                                            ${this.provider.redirectUris.split("\n").map((url) => {
-                                                return html`<li><pre>${url}</pre></li>`;
-                                            })}
+                                            <ul>
+                                                ${this.provider.redirectUris.map((ru) => {
+                                                    return html`<li>
+                                                        ${ru.matchingMode}: ${ru.url}
+                                                    </li>`;
+                                                })}
+                                            </ul>
                                         </ul>
                                     </div>
                                 </dd>

web/src/admin/users/UserListPage.ts

@@ -272,6 +272,7 @@ export class UserListPage extends WithBrandConfig(WithCapabilitiesConfig(TablePa
                                   return new CoreApi(DEFAULT_CONFIG)
                                       .coreUsersImpersonateCreate({
                                           id: item.pk,
+                                          impersonationRequest: { reason: "" },
                                       })
                                       .then(() => {
                                           window.location.href = "/";

web/src/admin/users/UserViewPage.ts

@@ -215,6 +215,7 @@ export class UserViewPage extends WithCapabilitiesConfig(AKElement) {
                               return new CoreApi(DEFAULT_CONFIG)
                                   .coreUsersImpersonateCreate({
                                       id: user.pk,
+                                      impersonationRequest: { reason: "" },
                                   })
                                   .then(() => {
                                       window.location.href = "/";

web/src/common/constants.ts

@@ -3,7 +3,7 @@ export const SUCCESS_CLASS = "pf-m-success";
 export const ERROR_CLASS = "pf-m-danger";
 export const PROGRESS_CLASS = "pf-m-in-progress";
 export const CURRENT_CLASS = "pf-m-current";
-export const VERSION = "2024.10.2";
+export const VERSION = "2024.10.5";
 export const TITLE_DEFAULT = "authentik";
 export const ROUTE_SEPARATOR = ";";
 

web/src/elements/AkControlElement.ts

@@ -8,13 +8,21 @@ import { AKElement } from "./Base";
  * extracting the value.
  *
  */
-export class AkControlElement extends AKElement {
+export class AkControlElement<T = string | string[]> extends AKElement {
     constructor() {
         super();
         this.dataset.akControl = "true";
     }
 
-    json() {
+    json(): T {
         throw new Error("Controllers using this protocol must override this method");
     }
+
+    get toJson(): T {
+        return this.json();
+    }
+
+    get isValid(): boolean {
+        return true;
+    }
 }

web/src/elements/ak-array-input.ts

@@ -0,0 +1,173 @@
+import { AkControlElement } from "@goauthentik/elements/AkControlElement";
+import { bound } from "@goauthentik/elements/decorators/bound";
+import { type Spread } from "@goauthentik/elements/types";
+import { randomId } from "@goauthentik/elements/utils/randomId.js";
+import { spread } from "@open-wc/lit-helpers";
+
+import { msg } from "@lit/localize";
+import { TemplateResult, css, html, nothing } from "lit";
+import { customElement, property, queryAll } from "lit/decorators.js";
+import { repeat } from "lit/directives/repeat.js";
+
+import PFButton from "@patternfly/patternfly/components/Button/button.css";
+import PFFormControl from "@patternfly/patternfly/components/FormControl/form-control.css";
+import PFInputGroup from "@patternfly/patternfly/components/InputGroup/input-group.css";
+import PFBase from "@patternfly/patternfly/patternfly-base.css";
+
+type InputCell<T> = (el: T) => TemplateResult | typeof nothing;
+
+export interface IArrayInput<T> {
+    row: InputCell<T>;
+    newItem: () => T;
+    items: T[];
+    validate?: boolean;
+    validator?: (_: T[]) => boolean;
+}
+
+type Keyed<T> = { key: string; item: T };
+
+@customElement("ak-array-input")
+export class ArrayInput<T> extends AkControlElement<T[]> implements IArrayInput<T> {
+    static get styles() {
+        return [
+            PFBase,
+            PFButton,
+            PFInputGroup,
+            PFFormControl,
+            css`
+                select.pf-c-form-control {
+                    width: 100px;
+                }
+                .pf-c-input-group {
+                    padding-bottom: 0;
+                }
+                .ak-plus-button {
+                    display: flex;
+                    justify-content: flex-end;
+                    flex-direction: row;
+                }
+                .ak-input-group {
+                    display: flex;
+                    flex-direction: row;
+                    flex-wrap: nowrap;
+                }
+            `,
+        ];
+    }
+
+    @property({ type: Boolean })
+    validate = false;
+
+    @property({ type: Object, attribute: false })
+    validator?: (_: T[]) => boolean;
+
+    @property({ type: Array, attribute: false })
+    row!: InputCell<T>;
+
+    @property({ type: Object, attribute: false })
+    newItem!: () => T;
+
+    _items: Keyed<T>[] = [];
+
+    // This magic creates a semi-reliable key on which Lit's `repeat` directive can control its
+    // interaction. Without it, we get undefined behavior in the re-rendering of the array.
+    @property({ type: Array, attribute: false })
+    set items(items: T[]) {
+        const olditems = new Map(
+            (this._items ?? []).map((key, item) => [JSON.stringify(item), key]),
+        );
+        const newitems = items.map((item) => ({
+            item,
+            key: olditems.get(JSON.stringify(item))?.key ?? randomId(),
+        }));
+        this._items = newitems;
+    }
+
+    get items() {
+        return this._items.map(({ item }) => item);
+    }
+
+    @queryAll("div.ak-input-group")
+    inputGroups?: HTMLDivElement[];
+
+    json() {
+        if (!this.inputGroups) {
+            throw new Error("Could not find input group collection in ak-array-input");
+        }
+        return this.items;
+    }
+
+    get isValid() {
+        if (!this.validate) {
+            return true;
+        }
+
+        const oneIsValid = (g: HTMLDivElement) =>
+            g.querySelector<HTMLInputElement & AkControlElement<T>>("[name]")?.isValid ?? true;
+        const allAreValid = Array.from(this.inputGroups ?? []).every(oneIsValid);
+        return allAreValid && (this.validator ? this.validator(this.items) : true);
+    }
+
+    itemsFromDom(): T[] {
+        return Array.from(this.inputGroups ?? [])
+            .map(
+                (group) =>
+                    group.querySelector<HTMLInputElement & AkControlElement<T>>("[name]")?.json() ??
+                    null,
+            )
+            .filter((i) => i !== null);
+    }
+
+    sendChange() {
+        this.dispatchEvent(new Event("change", { composed: true, bubbles: true }));
+    }
+
+    @bound
+    onChange() {
+        this.items = this.itemsFromDom();
+        this.sendChange();
+    }
+
+    @bound
+    addNewGroup() {
+        this.items = [...this.itemsFromDom(), this.newItem()];
+        this.sendChange();
+    }
+
+    renderDeleteButton(idx: number) {
+        const deleteOneGroup = () => {
+            this.items = [...this.items.slice(0, idx), ...this.items.slice(idx + 1)];
+            this.sendChange();
+        };
+
+        return html`<button class="pf-c-button pf-m-control" type="button" @click=${deleteOneGroup}>
+            <i class="fas fa-minus" aria-hidden="true"></i>
+        </button>`;
+    }
+
+    render() {
+        return html` <div class="pf-l-stack">
+            ${repeat(
+                this._items,
+                (item: Keyed<T>) => item.key,
+                (item: Keyed<T>, idx) =>
+                    html` <div class="ak-input-group" @change=${() => this.onChange()}>
+                        ${this.row(item.item)}${this.renderDeleteButton(idx)}
+                    </div>`,
+            )}
+            <button class="pf-c-button pf-m-link" type="button" @click=${this.addNewGroup}>
+                <i class="fas fa-plus" aria-hidden="true"></i>&nbsp; ${msg("Add entry")}
+            </button>
+        </div>`;
+    }
+}
+
+export function akArrayInput<T>(properties: IArrayInput<T>) {
+    return html`<ak-array-input ${spread(properties as unknown as Spread)}></ak-array-input>`;
+}
+
+declare global {
+    interface HTMLElementTagNameMap {
+        "ak-array-input": ArrayInput<unknown>;
+    }
+}

web/src/elements/forms/Form.ts

@@ -35,7 +35,7 @@ export interface KeyUnknown {
 // Literally the only field `assignValue()` cares about.
 type HTMLNamedElement = Pick<HTMLInputElement, "name">;
 
-type AkControlElement = HTMLInputElement & { json: () => string | string[] };
+export type AkControlElement<T = string | string[]> = HTMLInputElement & { json: () => T };
 
 /**
  * Recursively assign `value` into `json` while interpreting the dot-path of `element.name`

web/src/elements/forms/HorizontalFormElement.ts

@@ -2,7 +2,7 @@ import { convertToSlug } from "@goauthentik/common/utils";
 import { AKElement } from "@goauthentik/elements/Base";
 import { FormGroup } from "@goauthentik/elements/forms/FormGroup";
 
-import { msg } from "@lit/localize";
+import { msg, str } from "@lit/localize";
 import { CSSResult, css } from "lit";
 import { TemplateResult, html } from "lit";
 import { customElement, property } from "lit/decorators.js";
@@ -33,7 +33,7 @@ import PFBase from "@patternfly/patternfly/patternfly-base.css";
  *    where the field isn't available for the user to view unless they explicitly request to be able
  *    to see the content; otherwise, a dead password field is shown. There are 10 uses of this
  *    feature.
- * 
+ *
  */
 
 const isAkControl = (el: unknown): boolean =>
@@ -86,7 +86,7 @@ export class HorizontalFormElement extends AKElement {
     writeOnlyActivated = false;
 
     @property({ attribute: false })
-    errorMessages: string[] = [];
+    errorMessages: string[] | string[][] = [];
 
     @property({ type: Boolean })
     slugMode = false;
@@ -183,6 +183,16 @@ export class HorizontalFormElement extends AKElement {
                           </p>`
                         : html``}
                     ${this.errorMessages.map((message) => {
+                        if (message instanceof Object) {
+                            return html`${Object.entries(message).map(([field, errMsg]) => {
+                                return html`<p
+                                    class="pf-c-form__helper-text pf-m-error"
+                                    aria-live="polite"
+                                >
+                                    ${msg(str`${field}: ${errMsg}`)}
+                                </p>`;
+                            })}`;
+                        }
                         return html`<p class="pf-c-form__helper-text pf-m-error" aria-live="polite">
                             ${message}
                         </p>`;

web/src/elements/forms/SearchSelect/SearchSelect.ts

@@ -4,7 +4,6 @@ import { groupBy } from "@goauthentik/common/utils";
 import { AkControlElement } from "@goauthentik/elements/AkControlElement.js";
 import { PreventFormSubmit } from "@goauthentik/elements/forms/helpers";
 import type { GroupedOptions, SelectGroup, SelectOption } from "@goauthentik/elements/types.js";
-import { CustomEmitterElement } from "@goauthentik/elements/utils/eventEmitter";
 import { randomId } from "@goauthentik/elements/utils/randomId.js";
 
 import { msg } from "@lit/localize";
@@ -32,10 +31,7 @@ export interface ISearchSelectBase<T> {
     emptyOption: string;
 }
 
-export class SearchSelectBase<T>
-    extends CustomEmitterElement(AkControlElement)
-    implements ISearchSelectBase<T>
-{
+export class SearchSelectBase<T> extends AkControlElement<string> implements ISearchSelectBase<T> {
     static get styles() {
         return [PFBase];
     }
@@ -54,7 +50,7 @@ export class SearchSelectBase<T>
 
     // A function which returns the currently selected object's primary key, used for serialization
     // into forms.
-    value!: (element: T | undefined) => unknown;
+    value!: (element: T | undefined) => string;
 
     // A function passed to this object that determines an object in the collection under search
     // should be automatically selected. Only used when the search itself is responsible for
@@ -105,7 +101,7 @@ export class SearchSelectBase<T>
     @state()
     error?: APIErrorTypes;
 
-    public toForm(): unknown {
+    public toForm(): string {
         if (!this.objects) {
             throw new PreventFormSubmit(msg("Loading options..."));
         }
@@ -116,6 +112,16 @@ export class SearchSelectBase<T>
         return this.toForm();
     }
 
+    protected dispatchChangeEvent(value: T | undefined) {
+        this.dispatchEvent(
+            new CustomEvent("ak-change", {
+                composed: true,
+                bubbles: true,
+                detail: { value },
+            }),
+        );
+    }
+
     public async updateData() {
         if (this.isFetchingData) {
             return Promise.resolve();
@@ -127,7 +133,7 @@ export class SearchSelectBase<T>
                 objects.forEach((obj) => {
                     if (this.selected && this.selected(obj, objects || [])) {
                         this.selectedObject = obj;
-                        this.dispatchCustomEvent("ak-change", { value: this.selectedObject });
+                        this.dispatchChangeEvent(this.selectedObject);
                     }
                 });
                 this.objects = objects;
@@ -165,7 +171,7 @@ export class SearchSelectBase<T>
 
         this.query = value;
         this.updateData()?.then(() => {
-            this.dispatchCustomEvent("ak-change", { value: this.selectedObject });
+            this.dispatchChangeEvent(this.selectedObject);
         });
     }
 
@@ -173,7 +179,7 @@ export class SearchSelectBase<T>
         const value = (event.target as SearchSelectView).value;
         if (value === undefined) {
             this.selectedObject = undefined;
-            this.dispatchCustomEvent("ak-change", { value: undefined });
+            this.dispatchChangeEvent(undefined);
             return;
         }
         const selected = (this.objects ?? []).find((obj) => `${this.value(obj)}` === value);
@@ -181,7 +187,7 @@ export class SearchSelectBase<T>
             console.warn(`ak-search-select: No corresponding object found for value (${value}`);
         }
         this.selectedObject = selected;
-        this.dispatchCustomEvent("ak-change", { value: this.selectedObject });
+        this.dispatchChangeEvent(this.selectedObject);
     }
 
     private getGroupedItems(): GroupedOptions {

web/src/elements/forms/SearchSelect/ak-search-select-ez.ts

@@ -7,7 +7,7 @@ export interface ISearchSelectApi<T> {
     fetchObjects: (query?: string) => Promise<T[]>;
     renderElement: (element: T) => string;
     renderDescription?: (element: T) => string | TemplateResult;
-    value: (element: T | undefined) => unknown;
+    value: (element: T | undefined) => string;
     selected?: (element: T, elements: T[]) => boolean;
     groupBy?: (items: T[]) => [string, T[]][];
 }

web/src/elements/forms/SearchSelect/ak-search-select.ts

@@ -9,7 +9,7 @@ export interface ISearchSelect<T> extends ISearchSelectBase<T> {
     fetchObjects: (query?: string) => Promise<T[]>;
     renderElement: (element: T) => string;
     renderDescription?: (element: T) => string | TemplateResult;
-    value: (element: T | undefined) => unknown;
+    value: (element: T | undefined) => string;
     selected?: (element: T, elements: T[]) => boolean;
     groupBy: (items: T[]) => [string, T[]][];
 }
@@ -69,7 +69,7 @@ export class SearchSelect<T> extends SearchSelectBase<T> implements ISearchSelec
     // A function which returns the currently selected object's primary key, used for serialization
     // into forms.
     @property({ attribute: false })
-    value!: (element: T | undefined) => unknown;
+    value!: (element: T | undefined) => string;
 
     // A function passed to this object that determines an object in the collection under search
     // should be automatically selected. Only used when the search itself is responsible for

web/src/elements/forms/SearchSelect/stories/ak-search-select.stories.ts

@@ -92,7 +92,7 @@ export const GroupedAndEz = () => {
     const config: ISearchSelectApi<Sample> = {
         fetchObjects: getSamples,
         renderElement: (sample: Sample) => sample.name,
-        value: (sample: Sample | undefined) => sample?.pk,
+        value: (sample: Sample | undefined) => sample?.pk ?? "",
         groupBy: (samples: Sample[]) =>
             groupBy(samples, (sample: Sample) => sample.season[0] ?? ""),
     };

web/src/elements/stories/ak-array-input.stories.ts

@@ -0,0 +1,96 @@
+import "@goauthentik/admin/admin-settings/AdminSettingsFooterLinks.js";
+import { FooterLinkInput } from "@goauthentik/admin/admin-settings/AdminSettingsFooterLinks.js";
+import "@goauthentik/elements/messages/MessageContainer";
+import { Meta, StoryObj, WebComponentsRenderer } from "@storybook/web-components";
+import { DecoratorFunction } from "storybook/internal/types";
+
+import { html } from "lit";
+
+import { FooterLink } from "@goauthentik/api";
+
+import "../ak-array-input.js";
+import { IArrayInput } from "../ak-array-input.js";
+
+// eslint-disable-next-line @typescript-eslint/no-explicit-any
+type Decorator = DecoratorFunction<WebComponentsRenderer, any>;
+
+const metadata: Meta<IArrayInput<unknown>> = {
+    title: "Elements / Array Input",
+    component: "ak-array-input",
+    parameters: {
+        docs: {
+            description: {
+                component:
+                    "A table input object, in which multiple rows of related inputs can be grouped.",
+            },
+        },
+    },
+    decorators: [
+        (story: Decorator) => {
+            window.setTimeout(() => {
+                const menu = document.getElementById("ak-array-input");
+                if (!menu) {
+                    throw new Error("Test was not initialized correctly.");
+                }
+                const messages = document.getElementById("reported-value");
+                menu.addEventListener("change", (event: Event) => {
+                    if (!event?.target) {
+                        return;
+                    }
+                    const target = event.target as FooterLinkInput;
+                    messages!.innerText = `${JSON.stringify(target.json(), null, 2)}\n\nValid: ${target.isValid ? "Yes" : "No"}`;
+                });
+            }, 250);
+
+            return html`<div
+                style="background: #fff; padding: 2em; position: relative"
+                id="the-main-event"
+            >
+                <style>
+                    li {
+                        display: block;
+                    }
+                    p {
+                        margin-top: 1em;
+                    }
+                    #the-answer-block {
+                        padding-top: 3em;
+                    }
+                </style>
+                <div>
+                    <p>Story:</p>
+                    ${
+                        // @ts-expect-error The types for web components are not well-defined in Storybook yet }
+                        story()
+                    }
+                    <div style="margin-top: 2rem">
+                        <p>Reported value:</p>
+                        <pre id="reported-value"></pre>
+                    </div>
+                </div>
+            </div>`;
+        },
+    ],
+};
+
+export default metadata;
+
+type Story = StoryObj;
+
+const items: FooterLink[] = [
+    { name: "authentik", href: "https://goauthentik.io" },
+    { name: "authentik docs", href: "https://docs.goauthentik.io/docs/" },
+];
+
+export const Default: Story = {
+    render: () =>
+        html` <ak-array-input
+            id="ak-array-input"
+            .items=${items}
+            .newItem=${() => ({ name: "", href: "" })}
+            .row=${(f?: FooterLink) =>
+                html`<ak-admin-settings-footer-link name="footerLink" .footerLink=${f}>
+                </ak-admin-settings-footer-link>`}
+            validate
+        ></ak-array-input>`,
+};

web/src/elements/tests/ak-array-input.test.ts

@@ -0,0 +1,55 @@
+import "@goauthentik/admin/admin-settings/AdminSettingsFooterLinks.js";
+import { render } from "@goauthentik/elements/tests/utils.js";
+import { $, expect } from "@wdio/globals";
+
+import { html } from "lit";
+
+import { FooterLink } from "@goauthentik/api";
+
+import "../ak-array-input.js";
+
+const sampleItems: FooterLink[] = [
+    { name: "authentik", href: "https://goauthentik.io" },
+    { name: "authentik docs", href: "https://docs.goauthentik.io/docs/" },
+];
+
+describe("ak-array-input", () => {
+    afterEach(async () => {
+        await browser.execute(async () => {
+            await document.body.querySelector("ak-array-input")?.remove();
+            if (document.body["_$litPart$"]) {
+                // @ts-expect-error expression of type '"_$litPart$"' is added by Lit
+                await delete document.body["_$litPart$"];
+            }
+        });
+    });
+
+    const component = (items: FooterLink[] = []) =>
+        render(
+            html` <ak-array-input
+                id="ak-array-input"
+                .items=${items}
+                .newItem=${() => ({ name: "", href: "" })}
+                .row=${(f?: FooterLink) =>
+                    html`<ak-admin-settings-footer-link name="footerLink" .footerLink=${f}>
+                    </ak-admin-settings-footer-link>`}
+                validate
+            ></ak-array-input>`,
+        );
+
+    it("should render an empty control", async () => {
+        await component();
+        const link = await $("ak-array-input");
+        await browser.pause(500);
+        await expect(await link.getProperty("isValid")).toStrictEqual(true);
+        await expect(await link.getProperty("toJson")).toEqual([]);
+    });
+
+    it("should render a populated component", async () => {
+        await component(sampleItems);
+        const link = await $("ak-array-input");
+        await browser.pause(500);
+        await expect(await link.getProperty("isValid")).toStrictEqual(true);
+        await expect(await link.getProperty("toJson")).toEqual(sampleItems);
+    });
+});

web/src/elements/utils/listenerController.ts

@@ -0,0 +1,41 @@
+// This is a more modern way to handle disconnecting listeners on demand.
+
+// example usage:
+
+/*
+export class MyElement extends LitElement {
+
+   this.listenerController = new ListenerController();
+
+   connectedCallback() {
+      super.connectedCallback();
+      window.addEventListener("event-1", handler1, { signal: this.listenerController.signal });
+      window.addEventListener("event-2", handler2, { signal: this.listenerController.signal });
+      window.addEventListener("event-3", handler3, { signal: this.listenerController.signal });
+   }
+
+   disconnectedCallback() {
+      // This will disconnect *all* the event listeners at once, and resets the listenerController,
+      // releasing the memory used for the signal as well. No more trying to map all the
+      // `addEventListener` to `removeEventListener` tediousness!
+      this.listenerController.abort();
+      super.disconnectedCallback();
+   }
+}
+*/
+
+export class ListenerController {
+    listenerController?: AbortController;
+
+    get signal() {
+        if (!this.listenerController) {
+            this.listenerController = new AbortController();
+        }
+        return this.listenerController.signal;
+    }
+
+    abort() {
+        this.listenerController?.abort();
+        this.listenerController = undefined;
+    }
+}

web/src/flow/stages/captcha/CaptchaStage.ts

@@ -1,14 +1,18 @@
 ///<reference types="@hcaptcha/types"/>
 import { renderStatic } from "@goauthentik/common/purify";
 import "@goauthentik/elements/EmptyState";
+import { akEmptyState } from "@goauthentik/elements/EmptyState";
+import { bound } from "@goauthentik/elements/decorators/bound";
 import "@goauthentik/elements/forms/FormElement";
+import { ListenerController } from "@goauthentik/elements/utils/listenerController.js";
 import { randomId } from "@goauthentik/elements/utils/randomId";
 import "@goauthentik/flow/FormStatic";
 import { BaseStage } from "@goauthentik/flow/stages/base";
+import { P, match } from "ts-pattern";
 import type { TurnstileObject } from "turnstile-types";
 
 import { msg } from "@lit/localize";
-import { CSSResult, PropertyValues, TemplateResult, css, html } from "lit";
+import { CSSResult, PropertyValues, TemplateResult, css, html, nothing } from "lit";
 import { customElement, property, state } from "lit/decorators.js";
 import { ifDefined } from "lit/directives/if-defined.js";
 
@@ -23,8 +27,72 @@ import { CaptchaChallenge, CaptchaChallengeResponseRequest } from "@goauthentik/
 interface TurnstileWindow extends Window {
     turnstile: TurnstileObject;
 }
+
 type TokenHandler = (token: string) => void;
 
+type Dims = { height: number };
+
+type IframeCaptchaMessage = {
+    source?: string;
+    context?: string;
+    message: "captcha";
+    token: string;
+};
+
+type IframeResizeMessage = {
+    source?: string;
+    context?: string;
+    message: "resize";
+    size: Dims;
+};
+
+type IframeMessageEvent = MessageEvent<IframeCaptchaMessage | IframeResizeMessage>;
+
+type CaptchaHandler = {
+    name: string;
+    interactive: () => Promise<unknown>;
+    execute: () => Promise<unknown>;
+};
+
+// A container iframe for a hosted Captcha, with an event emitter to monitor when the Captcha forces
+// a resize. Because the Captcha is itself in an iframe, the reported height is often off by some
+// margin, so adding 2rem of height to our container adds padding and prevents scroll bars or hidden
+// rendering.
+
+const iframeTemplate = (captchaElement: TemplateResult, challengeUrl: string) =>
+    html`<!doctype html>
+        <head>
+            <html>
+                <body style="display:flex;flex-direction:row;justify-content:center;">
+                    ${captchaElement}
+                    <script>
+                        new ResizeObserver((entries) => {
+                            const height =
+                                document.body.offsetHeight +
+                                parseFloat(getComputedStyle(document.body).fontSize) * 2;
+                            window.parent.postMessage({
+                                message: "resize",
+                                source: "goauthentik.io",
+                                context: "flow-executor",
+                                size: { height },
+                            });
+                        }).observe(document.querySelector(".ak-captcha-container"));
+                    </script>
+                    <script src=${challengeUrl}></script>
+                    <script>
+                        function callback(token) {
+                            window.parent.postMessage({
+                                message: "captcha",
+                                source: "goauthentik.io",
+                                context: "flow-executor",
+                                token: token,
+                            });
+                        }
+                    </script>
+                </body>
+            </html>
+        </head>`;
+
 @customElement("ak-stage-captcha")
 export class CaptchaStage extends BaseStage<CaptchaChallenge, CaptchaChallengeResponseRequest> {
     static get styles(): CSSResult[] {
@@ -37,26 +105,12 @@ export class CaptchaStage extends BaseStage<CaptchaChallenge, CaptchaChallengeRe
             css`
                 iframe {
                     width: 100%;
-                    height: 73px; /* tmp */
+                    height: 0;
                 }
             `,
         ];
     }
 
-    handlers = [this.handleGReCaptcha, this.handleHCaptcha, this.handleTurnstile];
-
-    @state()
-    error?: string;
-
-    @state()
-    captchaFrame: HTMLIFrameElement;
-
-    @state()
-    captchaDocumentContainer: HTMLDivElement;
-
-    @state()
-    scriptElement?: HTMLScriptElement;
-
     @property({ type: Boolean })
     embedded = false;
 
@@ -65,209 +119,177 @@ export class CaptchaStage extends BaseStage<CaptchaChallenge, CaptchaChallengeRe
         this.host.submit({ component: "ak-stage-captcha", token });
     };
 
-    constructor() {
-        super();
-        this.captchaFrame = document.createElement("iframe");
-        this.captchaFrame.src = "about:blank";
-        this.captchaFrame.id = `ak-captcha-${randomId()}`;
+    @state()
+    error?: string;
 
-        this.captchaDocumentContainer = document.createElement("div");
-        this.captchaDocumentContainer.id = `ak-captcha-${randomId()}`;
-        this.messageCallback = this.messageCallback.bind(this);
-    }
+    handlers: CaptchaHandler[] = [
+        {
+            name: "grecaptcha",
+            interactive: this.renderGReCaptchaFrame,
+            execute: this.executeGReCaptcha,
+        },
+        {
+            name: "hcaptcha",
+            interactive: this.renderHCaptchaFrame,
+            execute: this.executeHCaptcha,
+        },
+        {
+            name: "turnstile",
+            interactive: this.renderTurnstileFrame,
+            execute: this.executeTurnstile,
+        },
+    ];
+
+    _captchaFrame?: HTMLIFrameElement;
+    _captchaDocumentContainer?: HTMLDivElement;
+    _listenController = new ListenerController();
 
     connectedCallback(): void {
         super.connectedCallback();
-        window.addEventListener("message", this.messageCallback);
+        window.addEventListener("message", this.onIframeMessage, {
+            signal: this._listenController.signal,
+        });
     }
 
     disconnectedCallback(): void {
-        super.disconnectedCallback();
-        window.removeEventListener("message", this.messageCallback);
-        if (!this.challenge.interactive) {
-            document.removeChild(this.captchaDocumentContainer);
+        this._listenController.abort();
+        if (!this.challenge?.interactive) {
+            if (document.body.contains(this.captchaDocumentContainer)) {
+                document.body.removeChild(this.captchaDocumentContainer);
+            }
         }
+        super.disconnectedCallback();
     }
 
-    messageCallback(
-        ev: MessageEvent<{
-            source?: string;
-            context?: string;
-            message: string;
-            token: string;
-        }>,
-    ) {
-        const msg = ev.data;
-        if (msg.source !== "goauthentik.io" || msg.context !== "flow-executor") {
-            return;
+    get captchaDocumentContainer() {
+        if (this._captchaDocumentContainer) {
+            return this._captchaDocumentContainer;
         }
-        if (msg.message !== "captcha") {
-            return;
+        this._captchaDocumentContainer = document.createElement("div");
+        this._captchaDocumentContainer.id = `ak-captcha-${randomId()}`;
+        return this._captchaDocumentContainer;
+    }
+
+    get captchaFrame() {
+        if (this._captchaFrame) {
+            return this._captchaFrame;
         }
-        this.onTokenChange(msg.token);
+        this._captchaFrame = document.createElement("iframe");
+        this._captchaFrame.src = "about:blank";
+        this._captchaFrame.id = `ak-captcha-${randomId()}`;
+        return this._captchaFrame;
+    }
+
+    onFrameResize({ height }: Dims) {
+        this.captchaFrame.style.height = `${height}px`;
+    }
+
+    // ADR: Did not to put anything into `otherwise` or `exhaustive` here because iframe messages
+    // that were not of interest to us also weren't necessarily corrupt or suspicious. For example,
+    // during testing Storybook throws a lot of cross-iframe messages that we don't care about.
+
+    @bound
+    onIframeMessage({ data }: IframeMessageEvent) {
+        match(data)
+            .with(
+                { source: "goauthentik.io", context: "flow-executor", message: "captcha" },
+                ({ token }) => this.onTokenChange(token),
+            )
+            .with(
+                { source: "goauthentik.io", context: "flow-executor", message: "resize" },
+                ({ size }) => this.onFrameResize(size),
+            )
+            .with(
+                { source: "goauthentik.io", context: "flow-executor", message: P.any },
+                ({ message }) => {
+                    console.debug(`authentik/stages/captcha: Unknown message: ${message}`);
+                },
+            )
+            .otherwise(() => {});
+    }
+
+    async renderGReCaptchaFrame() {
+        this.renderFrame(
+            html`<div
+                class="g-recaptcha ak-captcha-container"
+                data-sitekey="${this.challenge.siteKey}"
+                data-callback="callback"
+            ></div>`,
+        );
+    }
+
+    async executeGReCaptcha() {
+        return grecaptcha.ready(() => {
+            grecaptcha.execute(
+                grecaptcha.render(this.captchaDocumentContainer, {
+                    sitekey: this.challenge.siteKey,
+                    callback: this.onTokenChange,
+                    size: "invisible",
+                }),
+            );
+        });
+    }
+
+    async renderHCaptchaFrame() {
+        this.renderFrame(
+            html`<div
+                class="h-captcha ak-captcha-container"
+                data-sitekey="${this.challenge.siteKey}"
+                data-theme="${this.activeTheme ? this.activeTheme : "light"}"
+                data-callback="callback"
+            ></div> `,
+        );
+    }
+
+    async executeHCaptcha() {
+        return hcaptcha.execute(
+            hcaptcha.render(this.captchaDocumentContainer, {
+                sitekey: this.challenge.siteKey,
+                callback: this.onTokenChange,
+                size: "invisible",
+            }),
+        );
+    }
+
+    async renderTurnstileFrame() {
+        this.renderFrame(
+            html`<div
+                class="cf-turnstile ak-captcha-container"
+                data-sitekey="${this.challenge.siteKey}"
+                data-callback="callback"
+            ></div>`,
+        );
+    }
+
+    async executeTurnstile() {
+        return (window as unknown as TurnstileWindow).turnstile.render(
+            this.captchaDocumentContainer,
+            {
+                sitekey: this.challenge.siteKey,
+                callback: this.onTokenChange,
+            },
+        );
     }
 
     async renderFrame(captchaElement: TemplateResult) {
         this.captchaFrame.contentWindow?.document.open();
         this.captchaFrame.contentWindow?.document.write(
-            await renderStatic(
-                html`<!doctype html>
-                    <html>
-                        <body style="display:flex;flex-direction:row;justify-content:center;">
-                            ${captchaElement}
-                            <script src=${this.challenge.jsUrl}></script>
-                            <script>
-                                function callback(token) {
-                                    window.parent.postMessage({
-                                        message: "captcha",
-                                        source: "goauthentik.io",
-                                        context: "flow-executor",
-                                        token: token,
-                                    });
-                                }
-                            </script>
-                        </body>
-                    </html>`,
-            ),
+            await renderStatic(iframeTemplate(captchaElement, this.challenge.jsUrl)),
         );
         this.captchaFrame.contentWindow?.document.close();
     }
 
-    updated(changedProperties: PropertyValues<this>) {
-        if (changedProperties.has("challenge") && this.challenge !== undefined) {
-            this.scriptElement = document.createElement("script");
-            this.scriptElement.src = this.challenge.jsUrl;
-            this.scriptElement.async = true;
-            this.scriptElement.defer = true;
-            this.scriptElement.dataset.akCaptchaScript = "true";
-            this.scriptElement.onload = async () => {
-                console.debug("authentik/stages/captcha: script loaded");
-                let found = false;
-                let lastError = undefined;
-                this.handlers.forEach(async (handler) => {
-                    let handlerFound = false;
-                    try {
-                        console.debug(`authentik/stages/captcha[${handler.name}]: trying handler`);
-                        handlerFound = await handler.apply(this);
-                        if (handlerFound) {
-                            console.debug(
-                                `authentik/stages/captcha[${handler.name}]: handler succeeded`,
-                            );
-                            found = true;
-                        }
-                    } catch (exc) {
-                        console.debug(
-                            `authentik/stages/captcha[${handler.name}]: handler failed: ${exc}`,
-                        );
-                        if (handlerFound) {
-                            lastError = exc;
-                        }
-                    }
-                });
-                if (!found && lastError) {
-                    this.error = (lastError as Error).toString();
-                }
-            };
-            document.head
-                .querySelectorAll("[data-ak-captcha-script=true]")
-                .forEach((el) => el.remove());
-            document.head.appendChild(this.scriptElement);
-            if (!this.challenge.interactive) {
-                document.appendChild(this.captchaDocumentContainer);
-            }
-        }
-    }
-
-    async handleGReCaptcha(): Promise<boolean> {
-        if (!Object.hasOwn(window, "grecaptcha")) {
-            return false;
-        }
-        if (this.challenge.interactive) {
-            this.renderFrame(
-                html`<div
-                    class="g-recaptcha"
-                    data-sitekey="${this.challenge.siteKey}"
-                    data-callback="callback"
-                ></div>`,
-            );
-        } else {
-            grecaptcha.ready(() => {
-                const captchaId = grecaptcha.render(this.captchaDocumentContainer, {
-                    sitekey: this.challenge.siteKey,
-                    callback: this.onTokenChange,
-                    size: "invisible",
-                });
-                grecaptcha.execute(captchaId);
-            });
-        }
-        return true;
-    }
-
-    async handleHCaptcha(): Promise<boolean> {
-        if (!Object.hasOwn(window, "hcaptcha")) {
-            return false;
-        }
-        if (this.challenge.interactive) {
-            this.renderFrame(
-                html`<div
-                    class="h-captcha"
-                    data-sitekey="${this.challenge.siteKey}"
-                    data-theme="${this.activeTheme ? this.activeTheme : "light"}"
-                    data-callback="callback"
-                ></div> `,
-            );
-        } else {
-            const captchaId = hcaptcha.render(this.captchaDocumentContainer, {
-                sitekey: this.challenge.siteKey,
-                callback: this.onTokenChange,
-                size: "invisible",
-            });
-            hcaptcha.execute(captchaId);
-        }
-        return true;
-    }
-
-    async handleTurnstile(): Promise<boolean> {
-        if (!Object.hasOwn(window, "turnstile")) {
-            return false;
-        }
-        if (this.challenge.interactive) {
-            this.renderFrame(
-                html`<div
-                    class="cf-turnstile"
-                    data-sitekey="${this.challenge.siteKey}"
-                    data-callback="callback"
-                ></div>`,
-            );
-        } else {
-            (window as unknown as TurnstileWindow).turnstile.render(this.captchaDocumentContainer, {
-                sitekey: this.challenge.siteKey,
-                callback: this.onTokenChange,
-            });
-        }
-        return true;
-    }
-
     renderBody() {
-        if (this.error) {
-            return html`<ak-empty-state icon="fa-times" header=${this.error}> </ak-empty-state>`;
-        }
-        if (this.challenge.interactive) {
-            return html`${this.captchaFrame}`;
-        }
-        return html`<ak-empty-state loading header=${msg("Verifying...")}></ak-empty-state>`;
+        // [hasError, isInteractive]
+        // prettier-ignore
+        return match([Boolean(this.error), Boolean(this.challenge?.interactive)])
+            .with([true,  P.any], () => akEmptyState({ icon: "fa-times", header: this.error }))
+            .with([false, true],  () => html`${this.captchaFrame}`)
+            .with([false, false], () => akEmptyState({ loading: true, header: msg("Verifying...") }))
+            .exhaustive();
     }
 
-    render() {
-        if (this.embedded) {
-            if (!this.challenge.interactive) {
-                return html``;
-            }
-            return this.renderBody();
-        }
-        if (!this.challenge) {
-            return html`<ak-empty-state loading> </ak-empty-state>`;
-        }
+    renderMain() {
         return html`<header class="pf-c-login__main-header">
                 <h1 class="pf-c-title pf-m-3xl">${this.challenge.flowInfo?.title}</h1>
             </header>
@@ -291,6 +313,63 @@ export class CaptchaStage extends BaseStage<CaptchaChallenge, CaptchaChallengeRe
                 <ul class="pf-c-login__main-footer-links"></ul>
             </footer>`;
     }
+
+    render() {
+        // [isEmbedded, hasChallenge, isInteractive]
+        // prettier-ignore
+        return match([this.embedded, Boolean(this.challenge), Boolean(this.challenge?.interactive)])
+            .with([true,  false, P.any], () => nothing)
+            .with([true,  true,  false], () => nothing)
+            .with([true,  true,  true],  () => this.renderBody())
+            .with([false, false, P.any], () => akEmptyState({ loading: true }))
+            .with([false, true,  P.any], () => this.renderMain())
+            .exhaustive();
+    }
+
+    updated(changedProperties: PropertyValues<this>) {
+        if (!(changedProperties.has("challenge") && this.challenge !== undefined)) {
+            return;
+        }
+
+        const attachCaptcha = async () => {
+            console.debug("authentik/stages/captcha: script loaded");
+            const handlers = this.handlers.filter(({ name }) => Object.hasOwn(window, name));
+            let lastError = undefined;
+            let found = false;
+            for (const { name, interactive, execute } of handlers) {
+                console.debug(`authentik/stages/captcha: trying handler ${name}`);
+                try {
+                    const runner = this.challenge.interactive ? interactive : execute;
+                    await runner.apply(this);
+                    console.debug(`authentik/stages/captcha[${name}]: handler succeeded`);
+                    found = true;
+                    break;
+                } catch (exc) {
+                    console.debug(`authentik/stages/captcha[${name}]: handler failed`);
+                    console.debug(exc);
+                    lastError = exc;
+                }
+            }
+            this.error = found ? undefined : (lastError ?? "Unspecified error").toString();
+        };
+
+        const scriptElement = document.createElement("script");
+        scriptElement.src = this.challenge.jsUrl;
+        scriptElement.async = true;
+        scriptElement.defer = true;
+        scriptElement.dataset.akCaptchaScript = "true";
+        scriptElement.onload = attachCaptcha;
+
+        document.head
+            .querySelectorAll("[data-ak-captcha-script=true]")
+            .forEach((el) => el.remove());
+
+        document.head.appendChild(scriptElement);
+
+        if (!this.challenge.interactive) {
+            document.body.appendChild(this.captchaDocumentContainer);
+        }
+    }
 }
 
 declare global {

web/tests/blueprints/test-admin-user.yaml

@@ -0,0 +1,16 @@
+version: 1
+entries:
+    - attrs:
+          email: test-admin@goauthentik.io
+          is_active: true
+          name: authentik Default Admin
+          password: test-runner
+          path: users
+          type: internal
+          groups:
+              - !Find [authentik_core.group, [name, "authentik Admins"]]
+          conditions: []
+      identifiers:
+          username: akadmin
+      model: authentik_core.user
+      state: present

website/docs/developer-docs/releases/index.md

@@ -78,7 +78,7 @@ Short summary of the issue
 
 ### Patches
 
-authentik x, y and z fix this issue, for other versions the workaround can be used.
+authentik x, y and z fix this issue, for other versions the workaround below can be used.
 
 ### Impact
 
@@ -96,7 +96,7 @@ Describe a workaround if possible
 
 If you have any questions or comments about this advisory:
 
--   Email us at [security@goauthentik.io](mailto:security@goauthentik.io)
+-   Email us at [security@goauthentik.io](mailto:security@goauthentik.io).
 ```
 
 </details>

website/docs/enterprise/manage-enterprise.md

@@ -101,7 +101,15 @@ The following events occur when a license expires or the internal/external user
 
 -   After another 2 weeks, users get a warning banner
 
--   After another 2 weeks, the authentik Enterprise instance becomes “read-only”
+-   After another 2 weeks, the authentik Enterprise instance becomes "read-only"
+
+    When an authentik instance is in read-only mode, the following actions are still possible:
+
+    -   Users can authenticate and authorize applications
+    -   Licenses can be modified
+    -   Users can be modified/deleted <span class="badge badge--version">authentik 2024.10.5+</span>
+
+    After the violation is corrected (either the user count returns to be within the limits of the license or the license is renewed), authentik will return to the standard read-write mode and the notification will disappear.
 
 ### About users and licenses
 

website/docs/security/cves/CVE-2024-52287.md

@@ -0,0 +1,27 @@
+# CVE-2024-52287
+
+_Reported by [@matt1097](https://github.com/matt1097)_
+
+## Insufficient validation of OAuth scopes for client_credentials and device_code grants
+
+### Summary
+
+When using the `client_credentials` or `device_code` OAuth grants, it was possible for an attacker to get a token from authentik with scopes that haven't been configured in authentik.
+
+### Details
+
+With the `device_code` grant, it was possible to have a user authorize a set of permitted scopes, and then acquire a token with a different set of scopes, including scopes not configured. This token could potentially be used to send requests to another system which trusts tokens signed by authentik and execute malicious actions on behalf of the user.
+
+With the `client_credentials` grant, because there is no user authorization process, authentik would not validate the scopes requested for the token, allowing tokens to be issued with scopes not configured in authentik. These could similarly be used to execute malicious actions in other systems.
+
+There is no workaround for this issue; however this issue could only be exploited if an attacker possesses a valid set of OAuth2 `client_id` and `client_secret` credentials, and has the knowledge of another system that trusts tokens issued by authentik and what scopes it checks for.
+
+### Patches
+
+authentik 2024.8.5 and 2024.10.3 fix this issue.
+
+### For more information
+
+If you have any questions or comments about this advisory:
+
+-   Email us at [security@goauthentik.io](mailto:security@goauthentik.io)

website/docs/security/cves/CVE-2024-52289.md

@@ -0,0 +1,30 @@
+# CVE-2024-52289
+
+_Reported by [@PontusHanssen](https://github.com/PontusHanssen)_
+
+## Insecure default configuration for OAuth2 Redirect URIs
+
+### Summary
+
+Redirect URIs in the OAuth2 provider in authentik are checked by RegEx comparison.
+When no Redirect URIs are configured in a provider, authentik will automatically use the first `redirect_uri` value received as an allowed redirect URI, without escaping characters that have a special meaning in RegEx. Similarly, the documentation did not take this into consideration either.
+
+Given a provider with the Redirect URIs set to `https://foo.example.com`, an attacker can register a domain `fooaexample.com`, and it will correctly pass validation.
+
+### Patches
+
+authentik 2024.8.5 and 2024.10.3 fix this issue.
+
+The patched versions remedy this issue by changing the format that the Redirect URIs are saved in, allowing for the explicit configuration if the URL should be checked strictly or as a RegEx. This means that these patches include a backwards-incompatible database change and API change.
+
+Manual action _is required_ if any provider is intended to use RegEx for Redirect URIs because the migration will set the comparison type to strict for every Redirect URI.
+
+### Workarounds
+
+When configuring OAuth2 providers, make sure to escape any wildcard characters that are not intended to function as a wildcard, for example replace `.` with `\.`.
+
+### For more information
+
+If you have any questions or comments about this advisory:
+
+-   Email us at [security@goauthentik.io](mailto:security@goauthentik.io)