Attempting coercion to ESM with Vite & Wdio

```
$ mkdir ./packages/common
$ git mv ./src/common ./packages/common/src
```

... and then added all of the boilerplate needed to drive with Wireit, build with ESlint, typecheck
with TSC, and then spell check documentation and comments, security checks of package.json and
package-lock.json, format.

... and _then_ fix all of the minor, nitpicky things ESLint 9 found in the package.

... and _then_ wire the whole thing into our build so that we can find it as a package, removing
it as an alias from the base package definition and turning it into a workspace.  Although it is
a workspace package, it's currently configured to build completely independently.

It could be published as an independent NPM package, although I don't recommended that at this time.

I've wanted to break the UI up into smaller, more digestible chunks for awhile, but was always
reluctant to, since I didn't want to mess with other teams' mental models of the code layout.
@Beryju, seeing the success of the Simple Flow Executor as an independent package, thought it might
be worthwhile to see what effort it took to break the graph of our independent apps (User, Flow, and
Admin) and their dependencies (Common <- Elements <- Components, Common <- Locales) into packages.

Turns out, it's not too bad.  It's going to be fiddly for awhile until things settle down, but
overall the experiment has been a success.

The `tsconfig.json` doesn't refer to the base because we want this to build independently; tooling
will be needed to ensure all of our `tsconfig` files in the future will be consistent across all
packages.

- We can use the ESLint boilerplate as-is.
- We have to run TSC as a separate (but fortunately parallel) build step, as client code will need
  the built types. Final builds will be fractionally slower, but Wireit can detect when a monorepo
  package is unchanged and can skip rebuilding `common` if it's not needed, so the development loop
  will be faster.
- The ESBuild boilerplate is different for libraries with UI, libraries without UI (like this one),
  and apps, and we'll have to have three different routines for them. Once we are building
  independent _apps_, getting them into the `dist` folder will be an interesting challenge; we may
  end up with two different builds, one to bundle it in *in the app*, and another to bundle it *for
  Django*. That's mostly an issue of targeting and integration, and shouldn't take too much time.
- Spelling, formatting, and package checking aren't affected.
- `Locales` is our biggest challenge, as usual. I have found only [one article on it
  anywhere](https://medium.com/tech-at-zet/streamlining-localization-in-a-monorepo-using-i18n-js-e7c521ff69d4),
  and it recommends creating a single package in which to keep all of the localizations and the
  localization machinery. That seems like a sound approach, but we haven't (yet) gotten there.

`common` is a bit of a junk drawer: there are global utilities in there, there are app-specific
helpers, there are plug-in specific helpers, and so on. Figuring out exactly what does what and
making more specific packages may be in our future.

.bumpversion.cfg

@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2024.4.4
+current_version = 2024.6.3
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?:-(?P<rc_t>[a-zA-Z-]+)(?P<rc_n>[1-9]\\d*))?
@@ -17,6 +17,8 @@ optional_value = final
 
 [bumpversion:file:pyproject.toml]
 
+[bumpversion:file:package.json]
+
 [bumpversion:file:docker-compose.yml]
 
 [bumpversion:file:schema.yml]

.github/actions/comment-pr-instructions/action.yml

@@ -54,9 +54,10 @@ runs:
             authentik:
                 outposts:
                     container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
-            image:
+            global:
-                repository: ghcr.io/goauthentik/dev-server
+                image:
-                tag: ${{ inputs.tag }}
+                    repository: ghcr.io/goauthentik/dev-server
+                    tag: ${{ inputs.tag }}
             ```
 
             For arm64, use these values:
@@ -65,9 +66,10 @@ runs:
             authentik:
                 outposts:
                     container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
-            image:
+            global:
-                repository: ghcr.io/goauthentik/dev-server
+                image:
-                tag: ${{ inputs.tag }}-arm64
+                    repository: ghcr.io/goauthentik/dev-server
+                    tag: ${{ inputs.tag }}-arm64
             ```
 
             Afterwards, run the upgrade commands from the latest release notes.

.github/actions/docker-push-variables/action.yml

@@ -29,9 +29,15 @@ outputs:
   imageTags:
     description: "Docker image tags"
     value: ${{ steps.ev.outputs.imageTags }}
+  imageNames:
+    description: "Docker image names"
+    value: ${{ steps.ev.outputs.imageNames }}
   imageMainTag:
     description: "Docker image main tag"
     value: ${{ steps.ev.outputs.imageMainTag }}
+  imageMainName:
+    description: "Docker image main name"
+    value: ${{ steps.ev.outputs.imageMainName }}
 
 runs:
   using: "composite"

.github/actions/docker-push-variables/push_vars.py

@@ -7,7 +7,7 @@ from time import time
 parser = configparser.ConfigParser()
 parser.read(".bumpversion.cfg")
 
-should_build = str(os.environ.get("DOCKER_USERNAME", None) is not None).lower()
+should_build = str(len(os.environ.get("DOCKER_USERNAME", "")) > 0).lower()
 
 branch_name = os.environ["GITHUB_REF"]
 if os.environ.get("GITHUB_HEAD_REF", "") != "":
@@ -50,13 +50,16 @@ else:
             f"{name}:gh-{safe_branch_name}-{int(time())}-{sha[:7]}{suffix}",  # Use by FluxCD
         ]
 
-image_main_tag = image_tags[0]
+image_main_tag = image_tags[0].split(":")[-1]
 image_tags_rendered = ",".join(image_tags)
+image_names_rendered = ",".join(set(name.split(":")[0] for name in image_tags))
 
 with open(os.environ["GITHUB_OUTPUT"], "a+", encoding="utf-8") as _output:
-    print("shouldBuild=%s" % should_build, file=_output)
+    print(f"shouldBuild={should_build}", file=_output)
-    print("sha=%s" % sha, file=_output)
+    print(f"sha={sha}", file=_output)
-    print("version=%s" % version, file=_output)
+    print(f"version={version}", file=_output)
-    print("prerelease=%s" % prerelease, file=_output)
+    print(f"prerelease={prerelease}", file=_output)
-    print("imageTags=%s" % image_tags_rendered, file=_output)
+    print(f"imageTags={image_tags_rendered}", file=_output)
-    print("imageMainTag=%s" % image_main_tag, file=_output)
+    print(f"imageNames={image_names_rendered}", file=_output)
+    print(f"imageMainTag={image_main_tag}", file=_output)
+    print(f"imageMainName={image_tags[0]}", file=_output)

.github/actions/setup/docker-compose.yml

@@ -1,5 +1,3 @@
-version: "3.7"
-
 services:
   postgresql:
     image: docker.io/library/postgres:${PSQL_TAG:-16}

.github/codespell-words.txt

@@ -4,3 +4,4 @@ hass
 warmup
 ontext
 singed
+assertIn

.github/dependabot.yml

@@ -21,7 +21,10 @@ updates:
     labels:
       - dependencies
   - package-ecosystem: npm
-    directory: "/web"
+    directories:
+      - "/web"
+      - "/tests/wdio"
+      - "/web/sfe"
     schedule:
       interval: daily
       time: "04:00"
@@ -30,7 +33,6 @@ updates:
     open-pull-requests-limit: 10
     commit-message:
       prefix: "web:"
-    # TODO: deduplicate these groups
     groups:
       sentry:
         patterns:
@@ -56,38 +58,6 @@ updates:
         patterns:
           - "@rollup/*"
           - "rollup-*"
-  - package-ecosystem: npm
-    directory: "/tests/wdio"
-    schedule:
-      interval: daily
-      time: "04:00"
-    labels:
-      - dependencies
-    open-pull-requests-limit: 10
-    commit-message:
-      prefix: "web:"
-    # TODO: deduplicate these groups
-    groups:
-      sentry:
-        patterns:
-          - "@sentry/*"
-          - "@spotlightjs/*"
-      babel:
-        patterns:
-          - "@babel/*"
-          - "babel-*"
-      eslint:
-        patterns:
-          - "@typescript-eslint/*"
-          - "eslint"
-          - "eslint-*"
-      storybook:
-        patterns:
-          - "@storybook/*"
-          - "*storybook*"
-      esbuild:
-        patterns:
-          - "@esbuild/*"
       wdio:
         patterns:
           - "@wdio/*"

.github/workflows/api-ts-publish.yml

@@ -31,7 +31,12 @@ jobs:
         env:
           NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}
       - name: Upgrade /web
-        working-directory: web/
+        working-directory: web
+        run: |
+          export VERSION=`node -e 'console.log(require("../gen-ts-api/package.json").version)'`
+          npm i @goauthentik/api@$VERSION
+      - name: Upgrade /web/packages/sfe
+        working-directory: web/packages/sfe
         run: |
           export VERSION=`node -e 'console.log(require("../gen-ts-api/package.json").version)'`
           npm i @goauthentik/api@$VERSION

.github/workflows/ci-main.yml

@@ -50,7 +50,6 @@ jobs:
       fail-fast: false
       matrix:
         psql:
-          - 12-alpine
           - 15-alpine
           - 16-alpine
     steps:
@@ -104,7 +103,6 @@ jobs:
       fail-fast: false
       matrix:
         psql:
-          - 12-alpine
           - 15-alpine
           - 16-alpine
     steps:
@@ -130,7 +128,7 @@ jobs:
       - name: Setup authentik env
         uses: ./.github/actions/setup
       - name: Create k8s Kind Cluster
-        uses: helm/kind-action@v1.9.0
+        uses: helm/kind-action@v1.10.0
       - name: run integration
         run: |
           poetry run coverage run manage.py test tests/integration
@@ -215,13 +213,16 @@ jobs:
     permissions:
       # Needed to upload contianer images to ghcr.io
       packages: write
+      # Needed for attestation
+      id-token: write
+      attestations: write
     timeout-minutes: 120
     steps:
       - uses: actions/checkout@v4
         with:
           ref: ${{ github.event.pull_request.head.sha }}
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.0.0
+        uses: docker/setup-qemu-action@v3.2.0
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
       - name: prepare variables
@@ -242,7 +243,8 @@ jobs:
       - name: generate ts client
         run: make gen-client-ts
       - name: Build Docker Image
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v6
+        id: push
         with:
           context: .
           secrets: |
@@ -252,9 +254,16 @@ jobs:
           push: ${{ steps.ev.outputs.shouldBuild == 'true' }}
           build-args: |
             GIT_BUILD_HASH=${{ steps.ev.outputs.sha }}
-          cache-from: type=gha
+          cache-from: type=registry,ref=ghcr.io/goauthentik/dev-server:buildcache
-          cache-to: type=gha,mode=max
+          cache-to: ${{ steps.ev.outputs.shouldBuild == 'true' && 'type=registry,ref=ghcr.io/goauthentik/dev-server:buildcache,mode=max' || '' }}
           platforms: linux/${{ matrix.arch }}
+      - uses: actions/attest-build-provenance@v1
+        id: attest
+        if: ${{ steps.ev.outputs.shouldBuild == 'true' }}
+        with:
+          subject-name: ${{ steps.ev.outputs.imageNames }}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true
   pr-comment:
     needs:
       - build
@@ -276,6 +285,7 @@ jobs:
         with:
           image-name: ghcr.io/goauthentik/dev-server
       - name: Comment on PR
+        if: ${{ steps.ev.outputs.shouldBuild == 'true' }}
         uses: ./.github/actions/comment-pr-instructions
         with:
-          tag: gh-${{ steps.ev.outputs.imageMainTag }}
+          tag: ${{ steps.ev.outputs.imageMainTag }}

.github/workflows/ci-outpost.yml

@@ -29,7 +29,7 @@ jobs:
       - name: Generate API
         run: make gen-client-go
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@v4
+        uses: golangci/golangci-lint-action@v6
         with:
           version: v1.54.2
           args: --timeout 5000s --verbose
@@ -71,12 +71,15 @@ jobs:
     permissions:
       # Needed to upload contianer images to ghcr.io
       packages: write
+      # Needed for attestation
+      id-token: write
+      attestations: write
     steps:
       - uses: actions/checkout@v4
         with:
           ref: ${{ github.event.pull_request.head.sha }}
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.0.0
+        uses: docker/setup-qemu-action@v3.2.0
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
       - name: prepare variables
@@ -96,7 +99,8 @@ jobs:
       - name: Generate API
         run: make gen-client-go
       - name: Build Docker Image
-        uses: docker/build-push-action@v5
+        id: push
+        uses: docker/build-push-action@v6
         with:
           tags: ${{ steps.ev.outputs.imageTags }}
           file: ${{ matrix.type }}.Dockerfile
@@ -105,8 +109,15 @@ jobs:
             GIT_BUILD_HASH=${{ steps.ev.outputs.sha }}
           platforms: linux/amd64,linux/arm64
           context: .
-          cache-from: type=gha
+          cache-from: type=registry,ref=ghcr.io/goauthentik/dev-${{ matrix.type }}:buildcache
-          cache-to: type=gha,mode=max
+          cache-to: ${{ steps.ev.outputs.shouldBuild == 'true' && format('type=registry,ref=ghcr.io/goauthentik/dev-{0}:buildcache,mode=max', matrix.type) || '' }}
+      - uses: actions/attest-build-provenance@v1
+        id: attest
+        if: ${{ steps.ev.outputs.shouldBuild == 'true' }}
+        with:
+          subject-name: ${{ steps.ev.outputs.imageNames }}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true
   build-binary:
     timeout-minutes: 120
     needs:

.github/workflows/ci-web.yml

@@ -12,14 +12,29 @@ on:
       - version-*
 
 jobs:
-  lint-eslint:
+  lint:
     runs-on: ubuntu-latest
     strategy:
       fail-fast: false
       matrix:
+        command:
+          - lint
+          - lint:lockfile
+          - tsc
+          - prettier-check
         project:
           - web
           - tests/wdio
+        include:
+          - command: tsc
+            project: web
+          - command: lit-analyse
+            project: web
+        exclude:
+          - command: lint:lockfile
+            project: tests/wdio
+          - command: tsc
+            project: tests/wdio
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4
@@ -28,85 +43,17 @@ jobs:
           cache: "npm"
           cache-dependency-path: ${{ matrix.project }}/package-lock.json
       - working-directory: ${{ matrix.project }}/
-        run: npm ci
-      - name: Generate API
-        run: make gen-client-ts
-      - name: Eslint
-        working-directory: ${{ matrix.project }}/
-        run: npm run lint
-  lint-lockfile:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - working-directory: web/
-        run: |
-          [ -z "$(jq -r '.packages | to_entries[] | select((.key | startswith("node_modules")) and (.value | has("resolved") | not)) | .key' < package-lock.json)" ]
-  lint-build:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
-        with:
-          node-version-file: web/package.json
-          cache: "npm"
-          cache-dependency-path: web/package-lock.json
-      - working-directory: web/
-        run: npm ci
-      - name: Generate API
-        run: make gen-client-ts
-      - name: TSC
-        working-directory: web/
-        run: npm run tsc
-  lint-prettier:
-    runs-on: ubuntu-latest
-    strategy:
-      fail-fast: false
-      matrix:
-        project:
-          - web
-          - tests/wdio
-    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
-        with:
-          node-version-file: ${{ matrix.project }}/package.json
-          cache: "npm"
-          cache-dependency-path: ${{ matrix.project }}/package-lock.json
-      - working-directory: ${{ matrix.project }}/
-        run: npm ci
-      - name: Generate API
-        run: make gen-client-ts
-      - name: prettier
-        working-directory: ${{ matrix.project }}/
-        run: npm run prettier-check
-  lint-lit-analyse:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
-        with:
-          node-version-file: web/package.json
-          cache: "npm"
-          cache-dependency-path: web/package-lock.json
-      - working-directory: web/
         run: |
           npm ci
-          # lit-analyse doesn't understand path rewrites, so make it
+          ${{ matrix.extra_setup }}
-          # belive it's an actual module
-          cd node_modules/@goauthentik
-          ln -s ../../src/ web
       - name: Generate API
         run: make gen-client-ts
-      - name: lit-analyse
+      - name: Lint
-        working-directory: web/
+        working-directory: ${{ matrix.project }}/
-        run: npm run lit-analyse
+        run: npm run ${{ matrix.command }}
   ci-web-mark:
     needs:
-      - lint-lockfile
+      - lint
-      - lint-eslint
-      - lint-prettier
-      - lint-lit-analyse
-      - lint-build
     runs-on: ubuntu-latest
     steps:
       - run: echo mark
@@ -128,3 +75,21 @@ jobs:
       - name: build
         working-directory: web/
         run: npm run build
+  test:
+    needs:
+      - ci-web-mark
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version-file: web/package.json
+          cache: "npm"
+          cache-dependency-path: web/package-lock.json
+      - working-directory: web/
+        run: npm ci
+      - name: Generate API
+        run: make gen-client-ts
+      - name: test
+        working-directory: web/
+        run: npm run test

.github/workflows/ci-website.yml

@@ -12,27 +12,21 @@ on:
       - version-*
 
 jobs:
-  lint-lockfile:
+  lint:
     runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        command:
+          - lint:lockfile
+          - prettier-check
     steps:
       - uses: actions/checkout@v4
-      - working-directory: website/
-        run: |
-          [ -z "$(jq -r '.packages | to_entries[] | select((.key | startswith("node_modules")) and (.value | has("resolved") | not)) | .key' < package-lock.json)" ]
-  lint-prettier:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
-        with:
-          node-version-file: website/package.json
-          cache: "npm"
-          cache-dependency-path: website/package-lock.json
       - working-directory: website/
         run: npm ci
-      - name: prettier
+      - name: Lint
         working-directory: website/
-        run: npm run prettier-check
+        run: npm run ${{ matrix.command }}
   test:
     runs-on: ubuntu-latest
     steps:
@@ -69,8 +63,7 @@ jobs:
         run: npm run ${{ matrix.job }}
   ci-website-mark:
     needs:
-      - lint-lockfile
+      - lint
-      - lint-prettier
       - test
       - build
     runs-on: ubuntu-latest

.github/workflows/release-publish.yml

@@ -11,10 +11,13 @@ jobs:
     permissions:
       # Needed to upload contianer images to ghcr.io
       packages: write
+      # Needed for attestation
+      id-token: write
+      attestations: write
     steps:
       - uses: actions/checkout@v4
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.0.0
+        uses: docker/setup-qemu-action@v3.2.0
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
       - name: prepare variables
@@ -40,7 +43,8 @@ jobs:
           mkdir -p ./gen-ts-api
           mkdir -p ./gen-go-api
       - name: Build Docker Image
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v6
+        id: push
         with:
           context: .
           push: true
@@ -49,11 +53,20 @@ jobs:
             GEOIPUPDATE_LICENSE_KEY=${{ secrets.GEOIPUPDATE_LICENSE_KEY }}
           tags: ${{ steps.ev.outputs.imageTags }}
           platforms: linux/amd64,linux/arm64
+      - uses: actions/attest-build-provenance@v1
+        id: attest
+        with:
+          subject-name: ${{ steps.ev.outputs.imageNames }}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true
   build-outpost:
     runs-on: ubuntu-latest
     permissions:
       # Needed to upload contianer images to ghcr.io
       packages: write
+      # Needed for attestation
+      id-token: write
+      attestations: write
     strategy:
       fail-fast: false
       matrix:
@@ -68,7 +81,7 @@ jobs:
         with:
           go-version-file: "go.mod"
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.0.0
+        uses: docker/setup-qemu-action@v3.2.0
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
       - name: prepare variables
@@ -94,13 +107,20 @@ jobs:
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Build Docker Image
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v6
+        id: push
         with:
           push: true
           tags: ${{ steps.ev.outputs.imageTags }}
           file: ${{ matrix.type }}.Dockerfile
           platforms: linux/amd64,linux/arm64
           context: .
+      - uses: actions/attest-build-provenance@v1
+        id: attest
+        with:
+          subject-name: ${{ steps.ev.outputs.imageNames }}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true
   build-outpost-binary:
     timeout-minutes: 120
     runs-on: ubuntu-latest
@@ -155,8 +175,8 @@ jobs:
       - uses: actions/checkout@v4
       - name: Run test suite in final docker images
         run: |
-          echo "PG_PASS=$(openssl rand -base64 32)" >> .env
+          echo "PG_PASS=$(openssl rand 32 | base64 -w 0)" >> .env
-          echo "AUTHENTIK_SECRET_KEY=$(openssl rand -base64 32)" >> .env
+          echo "AUTHENTIK_SECRET_KEY=$(openssl rand 32 | base64 -w 0)" >> .env
           docker compose pull -q
           docker compose up --no-start
           docker compose start postgresql redis
@@ -178,8 +198,8 @@ jobs:
           image-name: ghcr.io/goauthentik/server
       - name: Get static files from docker image
         run: |
-          docker pull ${{ steps.ev.outputs.imageMainTag }}
+          docker pull ${{ steps.ev.outputs.imageMainName }}
-          container=$(docker container create ${{ steps.ev.outputs.imageMainTag }})
+          container=$(docker container create ${{ steps.ev.outputs.imageMainName }})
           docker cp ${container}:web/ .
       - name: Create a Sentry.io release
         uses: getsentry/action-release@v1

.github/workflows/release-tag.yml

@@ -14,8 +14,8 @@ jobs:
       - uses: actions/checkout@v4
       - name: Pre-release test
         run: |
-          echo "PG_PASS=$(openssl rand -base64 32)" >> .env
+          echo "PG_PASS=$(openssl rand 32 | base64 -w 0)" >> .env
-          echo "AUTHENTIK_SECRET_KEY=$(openssl rand -base64 32)" >> .env
+          echo "AUTHENTIK_SECRET_KEY=$(openssl rand 32 | base64 -w 0)" >> .env
           docker buildx install
           mkdir -p ./gen-ts-api
           docker build -t testing:latest .

.vscode/extensions.json

@@ -16,6 +16,6 @@
         "ms-python.black-formatter",
         "redhat.vscode-yaml",
         "Tobermory.es6-string-html",
-        "unifiedjs.vscode-mdx",
+        "unifiedjs.vscode-mdx"
     ]
 }

.vscode/launch.json

@@ -22,6 +22,6 @@
             },
             "justMyCode": true,
             "django": true
-        },
+        }
     ]
 }

.vscode/settings.json

@@ -4,33 +4,35 @@
         "asgi",
         "authentik",
         "authn",
+        "entra",
         "goauthentik",
         "jwks",
+        "kubernetes",
         "oidc",
         "openid",
+        "passwordless",
         "plex",
         "saml",
-        "totp",
-        "webauthn",
-        "traefik",
-        "passwordless",
-        "kubernetes",
-        "sso",
-        "slo",
         "scim",
+        "slo",
+        "sso",
+        "totp",
+        "traefik",
+        "webauthn"
     ],
     "todo-tree.tree.showCountsInTree": true,
     "todo-tree.tree.showBadges": true,
     "yaml.customTags": [
-        "!Find sequence",
-        "!KeyOf scalar",
-        "!Context scalar",
-        "!Context sequence",
-        "!Format sequence",
         "!Condition sequence",
-        "!Env sequence",
+        "!Context scalar",
+        "!Enumerate sequence",
         "!Env scalar",
-        "!If sequence"
+        "!Find sequence",
+        "!Format sequence",
+        "!If sequence",
+        "!Index scalar",
+        "!KeyOf scalar",
+        "!Value scalar"
     ],
     "typescript.preferences.importModuleSpecifier": "non-relative",
     "typescript.preferences.importModuleSpecifierEnding": "index",
@@ -47,9 +49,7 @@
             "ignoreCase": false
         }
     ],
-    "go.testFlags": [
+    "go.testFlags": ["-count=1"],
-        "-count=1"
-    ],
     "github-actions.workflows.pinned.workflows": [
         ".github/workflows/ci-main.yml"
     ]

.vscode/tasks.json

@@ -2,85 +2,67 @@
     "version": "2.0.0",
     "tasks": [
         {
-            "label": "authentik[core]: format & test",
+            "label": "authentik/core: make",
             "command": "poetry",
-            "args": [
+            "args": ["run", "make", "lint-fix", "lint"],
-                "run",
+            "presentation": {
-                "make"
+                "panel": "new"
-            ],
+            },
-            "group": "build",
+            "group": "test"
         },
         {
-            "label": "authentik[core]: run",
+            "label": "authentik/core: run",
             "command": "poetry",
-            "args": [
+            "args": ["run", "ak", "server"],
-                "run",
-                "make",
-                "run",
-            ],
             "group": "build",
             "presentation": {
                 "panel": "dedicated",
                 "group": "running"
-            },
+            }
         },
         {
-            "label": "authentik[web]: format",
+            "label": "authentik/web: make",
             "command": "make",
             "args": ["web"],
-            "group": "build",
+            "group": "build"
         },
         {
-            "label": "authentik[web]: watch",
+            "label": "authentik/web: watch",
             "command": "make",
             "args": ["web-watch"],
             "group": "build",
             "presentation": {
                 "panel": "dedicated",
                 "group": "running"
-            },
+            }
         },
         {
             "label": "authentik: install",
             "command": "make",
-            "args": ["install"],
+            "args": ["install", "-j4"],
-            "group": "build",
+            "group": "build"
         },
         {
-            "label": "authentik: i18n-extract",
+            "label": "authentik/website: make",
-            "command": "poetry",
-            "args": [
-                "run",
-                "make",
-                "i18n-extract"
-            ],
-            "group": "build",
-        },
-        {
-            "label": "authentik[website]: format",
             "command": "make",
             "args": ["website"],
-            "group": "build",
+            "group": "build"
         },
         {
-            "label": "authentik[website]: watch",
+            "label": "authentik/website: watch",
             "command": "make",
             "args": ["website-watch"],
             "group": "build",
             "presentation": {
                 "panel": "dedicated",
                 "group": "running"
-            },
+            }
         },
         {
-            "label": "authentik[api]: generate",
+            "label": "authentik/api: generate",
             "command": "poetry",
-            "args": [
+            "args": ["run", "make", "gen"],
-                "run",
-                "make",
-                "gen"
-            ],
             "group": "build"
-        },
+        }
     ]
 }

Dockerfile

@@ -1,7 +1,7 @@
 # syntax=docker/dockerfile:1
 
 # Stage 1: Build website
-FROM --platform=${BUILDPLATFORM} docker.io/node:21 as website-builder
+FROM --platform=${BUILDPLATFORM} docker.io/library/node:22 as website-builder
 
 ENV NODE_ENV=production
 
@@ -20,17 +20,22 @@ COPY ./SECURITY.md /work/
 RUN npm run build-bundled
 
 # Stage 2: Build webui
-FROM --platform=${BUILDPLATFORM} docker.io/node:21 as web-builder
+FROM --platform=${BUILDPLATFORM} docker.io/library/node:22 as web-builder
 
+ARG GIT_BUILD_HASH
+ENV GIT_BUILD_HASH=$GIT_BUILD_HASH
 ENV NODE_ENV=production
 
 WORKDIR /work/web
 
 RUN --mount=type=bind,target=/work/web/package.json,src=./web/package.json \
     --mount=type=bind,target=/work/web/package-lock.json,src=./web/package-lock.json \
+    --mount=type=bind,target=/work/web/packages/sfe/package.json,src=./web/packages/sfe/package.json \
+    --mount=type=bind,target=/work/web/scripts,src=./web/scripts \
     --mount=type=cache,id=npm-web,sharing=shared,target=/root/.npm \
     npm ci --include=dev
 
+COPY ./package.json /work
 COPY ./web /work/web/
 COPY ./website /work/website/
 COPY ./gen-ts-api /work/web/node_modules/@goauthentik/api
@@ -38,7 +43,7 @@ COPY ./gen-ts-api /work/web/node_modules/@goauthentik/api
 RUN npm run build
 
 # Stage 3: Build go proxy
-FROM --platform=${BUILDPLATFORM} docker.io/golang:1.22.2-bookworm AS go-builder
+FROM --platform=${BUILDPLATFORM} mcr.microsoft.com/oss/go/microsoft/golang:1.22-fips-bookworm AS go-builder
 
 ARG TARGETOS
 ARG TARGETARCH
@@ -49,6 +54,11 @@ ARG GOARCH=$TARGETARCH
 
 WORKDIR /go/src/goauthentik.io
 
+RUN --mount=type=cache,id=apt-$TARGETARCH$TARGETVARIANT,sharing=locked,target=/var/cache/apt \
+    dpkg --add-architecture arm64 && \
+    apt-get update && \
+    apt-get install -y --no-install-recommends crossbuild-essential-arm64 gcc-aarch64-linux-gnu
+
 RUN --mount=type=bind,target=/go/src/goauthentik.io/go.mod,src=./go.mod \
     --mount=type=bind,target=/go/src/goauthentik.io/go.sum,src=./go.sum \
     --mount=type=cache,target=/go/pkg/mod \
@@ -63,11 +73,11 @@ COPY ./internal /go/src/goauthentik.io/internal
 COPY ./go.mod /go/src/goauthentik.io/go.mod
 COPY ./go.sum /go/src/goauthentik.io/go.sum
 
-ENV CGO_ENABLED=0
-
 RUN --mount=type=cache,sharing=locked,target=/go/pkg/mod \
     --mount=type=cache,id=go-build-$TARGETARCH$TARGETVARIANT,sharing=locked,target=/root/.cache/go-build \
-    GOARM="${TARGETVARIANT#v}" go build -o /go/authentik ./cmd/server
+    if [ "$TARGETARCH" = "arm64" ]; then export CC=aarch64-linux-gnu-gcc && export CC_FOR_TARGET=gcc-aarch64-linux-gnu; fi && \
+    CGO_ENABLED=1 GOEXPERIMENT="systemcrypto" GOFLAGS="-tags=requirefips" GOARM="${TARGETVARIANT#v}" \
+    go build -o /go/authentik ./cmd/server
 
 # Stage 4: MaxMind GeoIP
 FROM --platform=${BUILDPLATFORM} ghcr.io/maxmind/geoipupdate:v7.0.1 as geoip
@@ -84,7 +94,7 @@ RUN --mount=type=secret,id=GEOIPUPDATE_ACCOUNT_ID \
     /bin/sh -c "/usr/bin/entry.sh || echo 'Failed to get GeoIP database, disabling'; exit 0"
 
 # Stage 5: Python dependencies
-FROM docker.io/python:3.12.3-slim-bookworm AS python-deps
+FROM ghcr.io/goauthentik/fips-python:3.12.3-slim-bookworm-fips-full AS python-deps
 
 WORKDIR /ak-root/poetry
 
@@ -97,7 +107,7 @@ RUN rm -f /etc/apt/apt.conf.d/docker-clean; echo 'Binary::apt::APT::Keep-Downloa
 RUN --mount=type=cache,id=apt-$TARGETARCH$TARGETVARIANT,sharing=locked,target=/var/cache/apt \
     apt-get update && \
     # Required for installing pip packages
-    apt-get install -y --no-install-recommends build-essential pkg-config libxmlsec1-dev zlib1g-dev libpq-dev
+    apt-get install -y --no-install-recommends build-essential pkg-config libpq-dev
 
 RUN --mount=type=bind,target=./pyproject.toml,src=./pyproject.toml \
     --mount=type=bind,target=./poetry.lock,src=./poetry.lock \
@@ -105,12 +115,13 @@ RUN --mount=type=bind,target=./pyproject.toml,src=./pyproject.toml \
     --mount=type=cache,target=/root/.cache/pypoetry \
     python -m venv /ak-root/venv/ && \
     bash -c "source ${VENV_PATH}/bin/activate && \
-        pip3 install --upgrade pip && \
+    pip3 install --upgrade pip && \
-        pip3 install poetry && \
+    pip3 install poetry && \
-        poetry install --only=main --no-ansi --no-interaction --no-root"
+    poetry install --only=main --no-ansi --no-interaction --no-root && \
+    pip install --force-reinstall /wheels/*"
 
 # Stage 6: Run
-FROM docker.io/python:3.12.3-slim-bookworm AS final-image
+FROM ghcr.io/goauthentik/fips-python:3.12.3-slim-bookworm-fips-full AS final-image
 
 ARG GIT_BUILD_HASH
 ARG VERSION
@@ -127,7 +138,7 @@ WORKDIR /
 # We cannot cache this layer otherwise we'll end up with a bigger image
 RUN apt-get update && \
     # Required for runtime
-    apt-get install -y --no-install-recommends libpq5 openssl libxmlsec1-openssl libmaxminddb0 ca-certificates && \
+    apt-get install -y --no-install-recommends libpq5 libmaxminddb0 ca-certificates && \
     # Required for bootstrap & healtcheck
     apt-get install -y --no-install-recommends runit && \
     apt-get clean && \
@@ -163,6 +174,8 @@ ENV TMPDIR=/dev/shm/ \
     VENV_PATH="/ak-root/venv" \
     POETRY_VIRTUALENVS_CREATE=false
 
+ENV GOFIPS=1
+
 HEALTHCHECK --interval=30s --timeout=30s --start-period=60s --retries=3 CMD [ "ak", "healthcheck" ]
 
 ENTRYPOINT [ "dumb-init", "--", "ak" ]

Makefile

@@ -19,6 +19,7 @@ pg_name := $(shell python -m authentik.lib.config postgresql.name 2>/dev/null)
 CODESPELL_ARGS = -D - -D .github/codespell-dictionary.txt \
 		-I .github/codespell-words.txt \
 		-S 'web/src/locales/**' \
+		-S 'website/developer-docs/api/reference/**' \
 		authentik \
 		internal \
 		cmd \
@@ -46,8 +47,8 @@ test-go:
 	go test -timeout 0 -v -race -cover ./...
 
 test-docker:  ## Run all tests in a docker-compose
-	echo "PG_PASS=$(openssl rand -base64 32)" >> .env
+	echo "PG_PASS=$(shell openssl rand 32 | base64 -w 0)" >> .env
-	echo "AUTHENTIK_SECRET_KEY=$(openssl rand -base64 32)" >> .env
+	echo "AUTHENTIK_SECRET_KEY=$(shell openssl rand 32 | base64 -w 0)" >> .env
 	docker compose pull -q
 	docker compose up --no-start
 	docker compose start postgresql redis
@@ -59,9 +60,11 @@ test: ## Run the server tests and produce a coverage report (locally)
 	coverage html
 	coverage report
 
-lint-fix:  ## Lint and automatically fix errors in the python source code. Reports spelling errors.
+lint-fix: lint-codespell  ## Lint and automatically fix errors in the python source code. Reports spelling errors.
 	black $(PY_SOURCES)
 	ruff check --fix $(PY_SOURCES)
+
+lint-codespell:  ## Reports spelling errors.
 	codespell -w $(CODESPELL_ARGS)
 
 lint: ## Lint the python and golang sources
@@ -238,7 +241,7 @@ website: website-lint-fix website-build  ## Automatically fix formatting issues
 website-install:
 	cd website && npm ci
 
-website-lint-fix:
+website-lint-fix: lint-codespell
 	cd website && npm run prettier
 
 website-build:
@@ -252,6 +255,7 @@ website-watch:  ## Build and watch the documentation website, updating automatic
 #########################
 
 docker:  ## Build a docker image of the current source tree
+	mkdir -p ${GEN_API_TS}
 	DOCKER_BUILDKIT=1 docker build . --progress plain --tag ${DOCKER_IMAGE}
 
 #########################

SECURITY.md

@@ -18,10 +18,10 @@ Even if the issue is not a CVE, we still greatly appreciate your help in hardeni
 
 (.x being the latest patch release for each version)
 
-| Version   | Supported |
+| Version  | Supported |
-| --------- | --------- |
+| -------- | --------- |
-| 2023.10.x | ✅        |
+| 2024.4.x | ✅        |
-| 2024.2.x  | ✅        |
+| 2024.6.x | ✅        |
 
 ## Reporting a Vulnerability
 

authentik/__init__.py

@@ -2,7 +2,7 @@
 
 from os import environ
 
-__version__ = "2024.4.4"
+__version__ = "2024.6.3"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
 
 

authentik/admin/api/system.py

@@ -2,18 +2,21 @@
 
 import platform
 from datetime import datetime
+from ssl import OPENSSL_VERSION
 from sys import version as python_version
 from typing import TypedDict
 
+from cryptography.hazmat.backends.openssl.backend import backend
 from django.utils.timezone import now
 from drf_spectacular.utils import extend_schema
-from gunicorn import version_info as gunicorn_version
 from rest_framework.fields import SerializerMethodField
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.views import APIView
 
+from authentik import get_full_version
 from authentik.core.api.utils import PassiveSerializer
+from authentik.enterprise.license import LicenseKey
 from authentik.lib.config import CONFIG
 from authentik.lib.utils.reflection import get_env
 from authentik.outposts.apps import MANAGED_OUTPOST
@@ -25,11 +28,13 @@ class RuntimeDict(TypedDict):
     """Runtime information"""
 
     python_version: str
-    gunicorn_version: str
     environment: str
     architecture: str
     platform: str
     uname: str
+    openssl_version: str
+    openssl_fips_enabled: bool | None
+    authentik_version: str
 
 
 class SystemInfoSerializer(PassiveSerializer):
@@ -64,11 +69,15 @@ class SystemInfoSerializer(PassiveSerializer):
     def get_runtime(self, request: Request) -> RuntimeDict:
         """Get versions"""
         return {
-            "python_version": python_version,
-            "gunicorn_version": ".".join(str(x) for x in gunicorn_version),
-            "environment": get_env(),
             "architecture": platform.machine(),
+            "authentik_version": get_full_version(),
+            "environment": get_env(),
+            "openssl_fips_enabled": (
+                backend._fips_enabled if LicenseKey.get_total().is_valid() else None
+            ),
+            "openssl_version": OPENSSL_VERSION,
             "platform": platform.platform(),
+            "python_version": python_version,
             "uname": " ".join(platform.uname()),
         }
 

authentik/api/templates/api/browser.html

@@ -1,13 +1,13 @@
 {% extends "base/skeleton.html" %}
 
-{% load static %}
+{% load authentik_core %}
 
 {% block title %}
 API Browser - {{ brand.branding_title }}
 {% endblock %}
 
 {% block head %}
-<script src="{% static 'dist/standalone/api-browser/index.js' %}?version={{ version }}" type="module"></script>
+{% versioned_script "dist/standalone/api-browser/index-%v.js" %}
 <meta name="theme-color" content="#151515" media="(prefers-color-scheme: light)">
 <meta name="theme-color" content="#151515" media="(prefers-color-scheme: dark)">
 {% endblock %}

authentik/blueprints/management/commands/apply_blueprint.py

@@ -23,9 +23,11 @@ class Command(BaseCommand):
                 for blueprint_path in options.get("blueprints", []):
                     content = BlueprintInstance(path=blueprint_path).retrieve()
                     importer = Importer.from_string(content)
-                    valid, _ = importer.validate()
+                    valid, logs = importer.validate()
                     if not valid:
-                        self.stderr.write("blueprint invalid")
+                        self.stderr.write("Blueprint invalid")
+                        for log in logs:
+                            self.stderr.write(f"\t{log.logger}: {log.event}: {log.attributes}")
                         sys_exit(1)
                     importer.apply()
 

authentik/blueprints/management/commands/make_blueprint_schema.py

@@ -113,16 +113,19 @@ class Command(BaseCommand):
             )
             model_path = f"{model._meta.app_label}.{model._meta.model_name}"
             self.schema["properties"]["entries"]["items"]["oneOf"].append(
-                self.template_entry(model_path, serializer)
+                self.template_entry(model_path, model, serializer)
             )
 
-    def template_entry(self, model_path: str, serializer: Serializer) -> dict:
+    def template_entry(self, model_path: str, model: type[Model], serializer: Serializer) -> dict:
         """Template entry for a single model"""
         model_schema = self.to_jsonschema(serializer)
         model_schema["required"] = []
         def_name = f"model_{model_path}"
         def_path = f"#/$defs/{def_name}"
         self.schema["$defs"][def_name] = model_schema
+        def_name_perm = f"model_{model_path}_permissions"
+        def_path_perm = f"#/$defs/{def_name_perm}"
+        self.schema["$defs"][def_name_perm] = self.model_permissions(model)
         return {
             "type": "object",
             "required": ["model", "identifiers"],
@@ -135,6 +138,7 @@ class Command(BaseCommand):
                     "default": "present",
                 },
                 "conditions": {"type": "array", "items": {"type": "boolean"}},
+                "permissions": {"$ref": def_path_perm},
                 "attrs": {"$ref": def_path},
                 "identifiers": {"$ref": def_path},
             },
@@ -185,3 +189,20 @@ class Command(BaseCommand):
         if required:
             result["required"] = required
         return result
+
+    def model_permissions(self, model: type[Model]) -> dict:
+        perms = [x[0] for x in model._meta.permissions]
+        for action in model._meta.default_permissions:
+            perms.append(f"{action}_{model._meta.model_name}")
+        return {
+            "type": "array",
+            "items": {
+                "type": "object",
+                "required": ["permission"],
+                "properties": {
+                    "permission": {"type": "string", "enum": perms},
+                    "user": {"type": "integer"},
+                    "role": {"type": "string"},
+                },
+            },
+        }

authentik/blueprints/tests/fixtures/rbac_object.yaml

@@ -0,0 +1,24 @@
+version: 1
+entries:
+  - model: authentik_core.user
+    id: user
+    identifiers:
+      username: "%(id)s"
+    attrs:
+      name: "%(id)s"
+  - model: authentik_rbac.role
+    id: role
+    identifiers:
+      name: "%(id)s"
+  - model: authentik_flows.flow
+    identifiers:
+      slug: "%(id)s"
+    attrs:
+      designation: authentication
+      name: foo
+      title: foo
+    permissions:
+      - permission: view_flow
+        user: !KeyOf user
+      - permission: view_flow
+        role: !KeyOf role

authentik/blueprints/tests/fixtures/rbac_role.yaml

@@ -0,0 +1,8 @@
+version: 1
+entries:
+  - model: authentik_rbac.role
+    identifiers:
+      name: "%(id)s"
+    attrs:
+      permissions:
+        - authentik_blueprints.view_blueprintinstance

authentik/blueprints/tests/fixtures/rbac_user.yaml

@@ -0,0 +1,9 @@
+version: 1
+entries:
+  - model: authentik_core.user
+    identifiers:
+      username: "%(id)s"
+    attrs:
+      name: "%(id)s"
+      permissions:
+        - authentik_blueprints.view_blueprintinstance

authentik/blueprints/tests/test_v1_rbac.py

@@ -0,0 +1,57 @@
+"""Test blueprints v1"""
+
+from django.test import TransactionTestCase
+from guardian.shortcuts import get_perms
+
+from authentik.blueprints.v1.importer import Importer
+from authentik.core.models import User
+from authentik.flows.models import Flow
+from authentik.lib.generators import generate_id
+from authentik.lib.tests.utils import load_fixture
+from authentik.rbac.models import Role
+
+
+class TestBlueprintsV1RBAC(TransactionTestCase):
+    """Test Blueprints rbac attribute"""
+
+    def test_user_permission(self):
+        """Test permissions"""
+        uid = generate_id()
+        import_yaml = load_fixture("fixtures/rbac_user.yaml", id=uid)
+
+        importer = Importer.from_string(import_yaml)
+        self.assertTrue(importer.validate()[0])
+        self.assertTrue(importer.apply())
+        user = User.objects.filter(username=uid).first()
+        self.assertIsNotNone(user)
+        self.assertTrue(user.has_perms(["authentik_blueprints.view_blueprintinstance"]))
+
+    def test_role_permission(self):
+        """Test permissions"""
+        uid = generate_id()
+        import_yaml = load_fixture("fixtures/rbac_role.yaml", id=uid)
+
+        importer = Importer.from_string(import_yaml)
+        self.assertTrue(importer.validate()[0])
+        self.assertTrue(importer.apply())
+        role = Role.objects.filter(name=uid).first()
+        self.assertIsNotNone(role)
+        self.assertEqual(
+            list(role.group.permissions.all().values_list("codename", flat=True)),
+            ["view_blueprintinstance"],
+        )
+
+    def test_object_permission(self):
+        """Test permissions"""
+        uid = generate_id()
+        import_yaml = load_fixture("fixtures/rbac_object.yaml", id=uid)
+
+        importer = Importer.from_string(import_yaml)
+        self.assertTrue(importer.validate()[0])
+        self.assertTrue(importer.apply())
+        flow = Flow.objects.filter(slug=uid).first()
+        user = User.objects.filter(username=uid).first()
+        role = Role.objects.filter(name=uid).first()
+        self.assertIsNotNone(flow)
+        self.assertEqual(get_perms(user, flow), ["view_flow"])
+        self.assertEqual(get_perms(role.group, flow), ["view_flow"])

authentik/blueprints/v1/common.py

@@ -1,7 +1,7 @@
 """transfer common classes"""
 
 from collections import OrderedDict
-from collections.abc import Iterable, Mapping
+from collections.abc import Generator, Iterable, Mapping
 from copy import copy
 from dataclasses import asdict, dataclass, field, is_dataclass
 from enum import Enum
@@ -58,6 +58,15 @@ class BlueprintEntryDesiredState(Enum):
     MUST_CREATED = "must_created"
 
 
+@dataclass
+class BlueprintEntryPermission:
+    """Describe object-level permissions"""
+
+    permission: Union[str, "YAMLTag"]
+    user: Union[int, "YAMLTag", None] = field(default=None)
+    role: Union[str, "YAMLTag", None] = field(default=None)
+
+
 @dataclass
 class BlueprintEntry:
     """Single entry of a blueprint"""
@@ -69,13 +78,14 @@ class BlueprintEntry:
     conditions: list[Any] = field(default_factory=list)
     identifiers: dict[str, Any] = field(default_factory=dict)
     attrs: dict[str, Any] | None = field(default_factory=dict)
+    permissions: list[BlueprintEntryPermission] = field(default_factory=list)
 
     id: str | None = None
 
     _state: BlueprintEntryState = field(default_factory=BlueprintEntryState)
 
     def __post_init__(self, *args, **kwargs) -> None:
-        self.__tag_contexts: list["YAMLTagContext"] = []
+        self.__tag_contexts: list[YAMLTagContext] = []
 
     @staticmethod
     def from_model(model: SerializerModel, *extra_identifier_names: str) -> "BlueprintEntry":
@@ -150,6 +160,17 @@ class BlueprintEntry:
         """Get the blueprint model, with yaml tags resolved if present"""
         return str(self.tag_resolver(self.model, blueprint))
 
+    def get_permissions(
+        self, blueprint: "Blueprint"
+    ) -> Generator[BlueprintEntryPermission, None, None]:
+        """Get permissions of this entry, with all yaml tags resolved"""
+        for perm in self.permissions:
+            yield BlueprintEntryPermission(
+                permission=self.tag_resolver(perm.permission, blueprint),
+                user=self.tag_resolver(perm.user, blueprint),
+                role=self.tag_resolver(perm.role, blueprint),
+            )
+
     def check_all_conditions_match(self, blueprint: "Blueprint") -> bool:
         """Check all conditions of this entry match (evaluate to True)"""
         return all(self.tag_resolver(self.conditions, blueprint))
@@ -307,7 +328,10 @@ class Find(YAMLTag):
         else:
             model_name = self.model_name
 
-        model_class = apps.get_model(*model_name.split("."))
+        try:
+            model_class = apps.get_model(*model_name.split("."))
+        except LookupError as exc:
+            raise EntryInvalidError.from_entry(exc, entry) from exc
 
         query = Q()
         for cond in self.conditions:

authentik/blueprints/v1/importer.py

@@ -16,6 +16,7 @@ from django.db.models.query_utils import Q
 from django.db.transaction import atomic
 from django.db.utils import IntegrityError
 from guardian.models import UserObjectPermission
+from guardian.shortcuts import assign_perm
 from rest_framework.exceptions import ValidationError
 from rest_framework.serializers import BaseSerializer, Serializer
 from structlog.stdlib import BoundLogger, get_logger
@@ -32,13 +33,23 @@ from authentik.blueprints.v1.common import (
 from authentik.blueprints.v1.meta.registry import BaseMetaModel, registry
 from authentik.core.models import (
     AuthenticatedSession,
+    GroupSourceConnection,
     PropertyMapping,
     Provider,
     Source,
+    User,
     UserSourceConnection,
 )
 from authentik.enterprise.license import LicenseKey
 from authentik.enterprise.models import LicenseUsage
+from authentik.enterprise.providers.google_workspace.models import (
+    GoogleWorkspaceProviderGroup,
+    GoogleWorkspaceProviderUser,
+)
+from authentik.enterprise.providers.microsoft_entra.models import (
+    MicrosoftEntraProviderGroup,
+    MicrosoftEntraProviderUser,
+)
 from authentik.enterprise.providers.rac.models import ConnectionToken
 from authentik.events.logs import LogEvent, capture_logs
 from authentik.events.models import SystemTask
@@ -46,11 +57,13 @@ from authentik.events.utils import cleanse_dict
 from authentik.flows.models import FlowToken, Stage
 from authentik.lib.models import SerializerModel
 from authentik.lib.sentry import SentryIgnoredException
+from authentik.lib.utils.reflection import get_apps
 from authentik.outposts.models import OutpostServiceConnection
 from authentik.policies.models import Policy, PolicyBindingModel
 from authentik.policies.reputation.models import Reputation
 from authentik.providers.oauth2.models import AccessToken, AuthorizationCode, RefreshToken
-from authentik.providers.scim.models import SCIMGroup, SCIMUser
+from authentik.providers.scim.models import SCIMProviderGroup, SCIMProviderUser
+from authentik.rbac.models import Role
 from authentik.sources.scim.models import SCIMSourceGroup, SCIMSourceUser
 from authentik.stages.authenticator_webauthn.models import WebAuthnDeviceType
 from authentik.tenants.models import Tenant
@@ -79,6 +92,7 @@ def excluded_models() -> list[type[Model]]:
         Source,
         PropertyMapping,
         UserSourceConnection,
+        GroupSourceConnection,
         Stage,
         OutpostServiceConnection,
         Policy,
@@ -86,10 +100,11 @@ def excluded_models() -> list[type[Model]]:
         # Classes that have other dependencies
         AuthenticatedSession,
         # Classes which are only internally managed
+        # FIXME: these shouldn't need to be explicitly listed, but rather based off of a mixin
         FlowToken,
         LicenseUsage,
-        SCIMGroup,
+        SCIMProviderGroup,
-        SCIMUser,
+        SCIMProviderUser,
         Tenant,
         SystemTask,
         ConnectionToken,
@@ -100,6 +115,10 @@ def excluded_models() -> list[type[Model]]:
         WebAuthnDeviceType,
         SCIMSourceUser,
         SCIMSourceGroup,
+        GoogleWorkspaceProviderUser,
+        GoogleWorkspaceProviderGroup,
+        MicrosoftEntraProviderUser,
+        MicrosoftEntraProviderGroup,
     )
 
 
@@ -123,6 +142,16 @@ def transaction_rollback():
         pass
 
 
+def rbac_models() -> dict:
+    models = {}
+    for app in get_apps():
+        for model in app.get_models():
+            if not is_model_allowed(model):
+                continue
+            models[model._meta.model_name] = app.label
+    return models
+
+
 class Importer:
     """Import Blueprint from raw dict or YAML/JSON"""
 
@@ -141,7 +170,10 @@ class Importer:
 
     def default_context(self):
         """Default context"""
-        return {"goauthentik.io/enterprise/licensed": LicenseKey.get_total().is_valid()}
+        return {
+            "goauthentik.io/enterprise/licensed": LicenseKey.get_total().is_valid(),
+            "goauthentik.io/rbac/models": rbac_models(),
+        }
 
     @staticmethod
     def from_string(yaml_input: str, context: dict | None = None) -> "Importer":
@@ -201,14 +233,17 @@ class Importer:
 
         return main_query | sub_query
 
-    def _validate_single(self, entry: BlueprintEntry) -> BaseSerializer | None:
+    def _validate_single(self, entry: BlueprintEntry) -> BaseSerializer | None:  # noqa: PLR0915
         """Validate a single entry"""
         if not entry.check_all_conditions_match(self._import):
             self.logger.debug("One or more conditions of this entry are not fulfilled, skipping")
             return None
 
         model_app_label, model_name = entry.get_model(self._import).split(".")
-        model: type[SerializerModel] = registry.get_model(model_app_label, model_name)
+        try:
+            model: type[SerializerModel] = registry.get_model(model_app_label, model_name)
+        except LookupError as exc:
+            raise EntryInvalidError.from_entry(exc, entry) from exc
         # Don't use isinstance since we don't want to check for inheritance
         if not is_model_allowed(model):
             raise EntryInvalidError.from_entry(f"Model {model} not allowed", entry)
@@ -283,10 +318,7 @@ class Importer:
         try:
             full_data = self.__update_pks_for_attrs(entry.get_attrs(self._import))
         except ValueError as exc:
-            raise EntryInvalidError.from_entry(
+            raise EntryInvalidError.from_entry(exc, entry) from exc
-                exc,
-                entry,
-            ) from exc
         always_merger.merge(full_data, updated_identifiers)
         serializer_kwargs["data"] = full_data
 
@@ -307,6 +339,15 @@ class Importer:
             ) from exc
         return serializer
 
+    def _apply_permissions(self, instance: Model, entry: BlueprintEntry):
+        """Apply object-level permissions for an entry"""
+        for perm in entry.get_permissions(self._import):
+            if perm.user is not None:
+                assign_perm(perm.permission, User.objects.get(pk=perm.user), instance)
+            if perm.role is not None:
+                role = Role.objects.get(pk=perm.role)
+                role.assign_permission(perm.permission, obj=instance)
+
     def apply(self) -> bool:
         """Apply (create/update) models yaml, in database transaction"""
         try:
@@ -371,6 +412,7 @@ class Importer:
                 if "pk" in entry.identifiers:
                     self.__pk_map[entry.identifiers["pk"]] = instance.pk
                 entry._state = BlueprintEntryState(instance)
+                self._apply_permissions(instance, entry)
             elif state == BlueprintEntryDesiredState.ABSENT:
                 instance: Model | None = serializer.instance
                 if instance.pk:

authentik/brands/api.py

@@ -11,21 +11,20 @@ from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.permissions import AllowAny
 from rest_framework.request import Request
 from rest_framework.response import Response
-from rest_framework.serializers import ModelSerializer
 from rest_framework.validators import UniqueValidator
 from rest_framework.viewsets import ModelViewSet
 
 from authentik.api.authorization import SecretKeyFilter
 from authentik.brands.models import Brand
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import PassiveSerializer
+from authentik.core.api.utils import ModelSerializer, PassiveSerializer
 from authentik.tenants.utils import get_current_tenant
 
 
 class FooterLinkSerializer(PassiveSerializer):
     """Links returned in Config API"""
 
-    href = CharField(read_only=True)
+    href = CharField(read_only=True, allow_null=True)
     name = CharField(read_only=True)
 
 
@@ -56,6 +55,7 @@ class BrandSerializer(ModelSerializer):
             "flow_unenrollment",
             "flow_user_settings",
             "flow_device_code",
+            "default_application",
             "web_certificate",
             "attributes",
         ]

authentik/brands/apps.py

@@ -9,3 +9,6 @@ class AuthentikBrandsConfig(AppConfig):
     name = "authentik.brands"
     label = "authentik_brands"
     verbose_name = "authentik Brands"
+    mountpoints = {
+        "authentik.brands.urls_root": "",
+    }

authentik/brands/migrations/0007_brand_default_application.py

@@ -0,0 +1,26 @@
+# Generated by Django 5.0.6 on 2024-07-04 20:32
+
+import django.db.models.deletion
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_brands", "0006_brand_authentik_b_domain_b9b24a_idx_and_more"),
+        ("authentik_core", "0035_alter_group_options_and_more"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="brand",
+            name="default_application",
+            field=models.ForeignKey(
+                default=None,
+                help_text="When set, external users will be redirected to this application after authenticating.",
+                null=True,
+                on_delete=django.db.models.deletion.SET_DEFAULT,
+                to="authentik_core.application",
+            ),
+        ),
+    ]

authentik/brands/models.py

@@ -3,6 +3,7 @@
 from uuid import uuid4
 
 from django.db import models
+from django.http import HttpRequest
 from django.utils.translation import gettext_lazy as _
 from rest_framework.serializers import Serializer
 from structlog.stdlib import get_logger
@@ -51,6 +52,16 @@ class Brand(SerializerModel):
         Flow, null=True, on_delete=models.SET_NULL, related_name="brand_device_code"
     )
 
+    default_application = models.ForeignKey(
+        "authentik_core.Application",
+        null=True,
+        default=None,
+        on_delete=models.SET_DEFAULT,
+        help_text=_(
+            "When set, external users will be redirected to this application after authenticating."
+        ),
+    )
+
     web_certificate = models.ForeignKey(
         CertificateKeyPair,
         null=True,
@@ -88,3 +99,13 @@ class Brand(SerializerModel):
             models.Index(fields=["domain"]),
             models.Index(fields=["default"]),
         ]
+
+
+class WebfingerProvider(models.Model):
+    """Provider which supports webfinger discovery"""
+
+    class Meta:
+        abstract = True
+
+    def webfinger(self, resource: str, request: HttpRequest) -> dict:
+        raise NotImplementedError()

authentik/brands/tests.py

@@ -5,7 +5,11 @@ from rest_framework.test import APITestCase
 
 from authentik.brands.api import Themes
 from authentik.brands.models import Brand
+from authentik.core.models import Application
 from authentik.core.tests.utils import create_test_admin_user, create_test_brand
+from authentik.lib.generators import generate_id
+from authentik.providers.oauth2.models import OAuth2Provider
+from authentik.providers.saml.models import SAMLProvider
 
 
 class TestBrands(APITestCase):
@@ -75,3 +79,45 @@ class TestBrands(APITestCase):
             reverse("authentik_api:brand-list"), data={"domain": "bar", "default": True}
         )
         self.assertEqual(response.status_code, 400)
+
+    def test_webfinger_no_app(self):
+        """Test Webfinger"""
+        create_test_brand()
+        self.assertJSONEqual(
+            self.client.get(reverse("authentik_brands:webfinger")).content.decode(), {}
+        )
+
+    def test_webfinger_not_supported(self):
+        """Test Webfinger"""
+        brand = create_test_brand()
+        provider = SAMLProvider.objects.create(
+            name=generate_id(),
+        )
+        app = Application.objects.create(name=generate_id(), slug=generate_id(), provider=provider)
+        brand.default_application = app
+        brand.save()
+        self.assertJSONEqual(
+            self.client.get(reverse("authentik_brands:webfinger")).content.decode(), {}
+        )
+
+    def test_webfinger_oidc(self):
+        """Test Webfinger"""
+        brand = create_test_brand()
+        provider = OAuth2Provider.objects.create(
+            name=generate_id(),
+        )
+        app = Application.objects.create(name=generate_id(), slug=generate_id(), provider=provider)
+        brand.default_application = app
+        brand.save()
+        self.assertJSONEqual(
+            self.client.get(reverse("authentik_brands:webfinger")).content.decode(),
+            {
+                "links": [
+                    {
+                        "href": f"http://testserver/application/o/{app.slug}/",
+                        "rel": "http://openid.net/specs/connect/1.0/issuer",
+                    }
+                ],
+                "subject": None,
+            },
+        )

authentik/brands/urls_root.py

@@ -0,0 +1,9 @@
+"""authentik brand root URLs"""
+
+from django.urls import path
+
+from authentik.brands.views.webfinger import WebFingerView
+
+urlpatterns = [
+    path(".well-known/webfinger", WebFingerView.as_view(), name="webfinger"),
+]

authentik/brands/utils.py

@@ -5,7 +5,7 @@ from typing import Any
 from django.db.models import F, Q
 from django.db.models import Value as V
 from django.http.request import HttpRequest
-from sentry_sdk.hub import Hub
+from sentry_sdk import get_current_span
 
 from authentik import get_full_version
 from authentik.brands.models import Brand
@@ -33,7 +33,7 @@ def context_processor(request: HttpRequest) -> dict[str, Any]:
     brand = getattr(request, "brand", DEFAULT_BRAND)
     tenant = getattr(request, "tenant", Tenant())
     trace = ""
-    span = Hub.current.scope.span
+    span = get_current_span()
     if span:
         trace = span.to_traceparent()
     return {

authentik/brands/views/webfinger.py

@@ -0,0 +1,29 @@
+from typing import Any
+
+from django.http import HttpRequest, HttpResponse, JsonResponse
+from django.views import View
+
+from authentik.brands.models import Brand, WebfingerProvider
+from authentik.core.models import Application
+
+
+class WebFingerView(View):
+    """Webfinger endpoint"""
+
+    def get(self, request: HttpRequest) -> HttpResponse:
+        brand: Brand = request.brand
+        if not brand.default_application:
+            return JsonResponse({})
+        application: Application = brand.default_application
+        provider = application.get_provider()
+        if not provider or not isinstance(provider, WebfingerProvider):
+            return JsonResponse({})
+        webfinger_data = provider.webfinger(request.GET.get("resource"), request)
+        return JsonResponse(webfinger_data)
+
+    def dispatch(self, request: HttpRequest, *args: Any, **kwargs: Any) -> HttpResponse:
+        response = super().dispatch(request, *args, **kwargs)
+        # RFC7033 spec
+        response["Access-Control-Allow-Origin"] = "*"
+        response["Content-Type"] = "application/jrd+json"
+        return response

authentik/core/api/applications.py

@@ -17,7 +17,6 @@ from rest_framework.fields import CharField, ReadOnlyField, SerializerMethodFiel
 from rest_framework.parsers import MultiPartParser
 from rest_framework.request import Request
 from rest_framework.response import Response
-from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import ModelViewSet
 from structlog.stdlib import get_logger
 
@@ -26,6 +25,7 @@ from authentik.api.pagination import Pagination
 from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT
 from authentik.core.api.providers import ProviderSerializer
 from authentik.core.api.used_by import UsedByMixin
+from authentik.core.api.utils import ModelSerializer
 from authentik.core.models import Application, User
 from authentik.events.logs import LogEventSerializer, capture_logs
 from authentik.events.models import EventAction
@@ -103,7 +103,12 @@ class ApplicationSerializer(ModelSerializer):
 class ApplicationViewSet(UsedByMixin, ModelViewSet):
     """Application Viewset"""
 
-    queryset = Application.objects.all().prefetch_related("provider")
+    queryset = (
+        Application.objects.all()
+        .with_provider()
+        .prefetch_related("policies")
+        .prefetch_related("backchannel_providers")
+    )
     serializer_class = ApplicationSerializer
     search_fields = [
         "name",
@@ -147,6 +152,15 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
                 applications.append(application)
         return applications
 
+    def _filter_applications_with_launch_url(
+        self, pagined_apps: Iterator[Application]
+    ) -> list[Application]:
+        applications = []
+        for app in pagined_apps:
+            if app.get_launch_url():
+                applications.append(app)
+        return applications
+
     @extend_schema(
         parameters=[
             OpenApiParameter(
@@ -204,6 +218,11 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
                 location=OpenApiParameter.QUERY,
                 type=OpenApiTypes.INT,
             ),
+            OpenApiParameter(
+                name="only_with_launch_url",
+                location=OpenApiParameter.QUERY,
+                type=OpenApiTypes.BOOL,
+            ),
         ]
     )
     def list(self, request: Request) -> Response:
@@ -216,6 +235,10 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
         if superuser_full_list and request.user.is_superuser:
             return super().list(request)
 
+        only_with_launch_url = str(
+            request.query_params.get("only_with_launch_url", "false")
+        ).lower()
+
         queryset = self._filter_queryset_for_list(self.get_queryset())
         paginator: Pagination = self.paginator
         paginated_apps = paginator.paginate_queryset(queryset, request)
@@ -251,6 +274,10 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
                     allowed_applications,
                     timeout=86400,
                 )
+
+        if only_with_launch_url == "true":
+            allowed_applications = self._filter_applications_with_launch_url(allowed_applications)
+
         serializer = self.get_serializer(allowed_applications, many=True)
         return self.get_paginated_response(serializer.data)
 

authentik/core/api/authenticated_sessions.py

@@ -8,12 +8,12 @@ from rest_framework import mixins
 from rest_framework.fields import SerializerMethodField
 from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.request import Request
-from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import GenericViewSet
 from ua_parser import user_agent_parser
 
 from authentik.api.authorization import OwnerSuperuserPermissions
 from authentik.core.api.used_by import UsedByMixin
+from authentik.core.api.utils import ModelSerializer
 from authentik.core.models import AuthenticatedSession
 from authentik.events.context_processors.asn import ASN_CONTEXT_PROCESSOR, ASNDict
 from authentik.events.context_processors.geoip import GEOIP_CONTEXT_PROCESSOR, GeoIPDict

authentik/core/api/devices.py

@@ -2,7 +2,13 @@
 
 from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import OpenApiParameter, extend_schema
-from rest_framework.fields import BooleanField, CharField, IntegerField, SerializerMethodField
+from rest_framework.fields import (
+    BooleanField,
+    CharField,
+    DateTimeField,
+    IntegerField,
+    SerializerMethodField,
+)
 from rest_framework.permissions import IsAdminUser, IsAuthenticated
 from rest_framework.request import Request
 from rest_framework.response import Response
@@ -20,6 +26,9 @@ class DeviceSerializer(MetaNameSerializer):
     name = CharField()
     type = SerializerMethodField()
     confirmed = BooleanField()
+    created = DateTimeField(read_only=True)
+    last_updated = DateTimeField(read_only=True)
+    last_used = DateTimeField(read_only=True, allow_null=True)
 
     def get_type(self, instance: Device) -> str:
         """Get type of device"""

authentik/core/api/groups.py

@@ -2,6 +2,7 @@
 
 from json import loads
 
+from django.db.models import Prefetch
 from django.http import Http404
 from django_filters.filters import CharFilter, ModelMultipleChoiceFilter
 from django_filters.filterset import FilterSet
@@ -16,11 +17,12 @@ from rest_framework.decorators import action
 from rest_framework.fields import CharField, IntegerField, SerializerMethodField
 from rest_framework.request import Request
 from rest_framework.response import Response
-from rest_framework.serializers import ListSerializer, ModelSerializer, ValidationError
+from rest_framework.serializers import ListSerializer, ValidationError
+from rest_framework.validators import UniqueValidator
 from rest_framework.viewsets import ModelViewSet
 
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import JSONDictField, PassiveSerializer
+from authentik.core.api.utils import JSONDictField, ModelSerializer, PassiveSerializer
 from authentik.core.models import Group, User
 from authentik.rbac.api.roles import RoleSerializer
 from authentik.rbac.decorators import permission_required
@@ -100,7 +102,10 @@ class GroupSerializer(ModelSerializer):
         extra_kwargs = {
             "users": {
                 "default": list,
-            }
+            },
+            # TODO: This field isn't unique on the database which is hard to backport
+            # hence we just validate the uniqueness here
+            "name": {"validators": [UniqueValidator(Group.objects.all())]},
         }
 
 
@@ -162,8 +167,14 @@ class GroupViewSet(UsedByMixin, ModelViewSet):
 
     def get_queryset(self):
         base_qs = Group.objects.all().select_related("parent").prefetch_related("roles")
+
         if self.serializer_class(context={"request": self.request})._should_include_users:
             base_qs = base_qs.prefetch_related("users")
+        else:
+            base_qs = base_qs.prefetch_related(
+                Prefetch("users", queryset=User.objects.all().only("id"))
+            )
+
         return base_qs
 
     @extend_schema(
@@ -174,6 +185,14 @@ class GroupViewSet(UsedByMixin, ModelViewSet):
     def list(self, request, *args, **kwargs):
         return super().list(request, *args, **kwargs)
 
+    @extend_schema(
+        parameters=[
+            OpenApiParameter("include_users", bool, default=True),
+        ]
+    )
+    def retrieve(self, request, *args, **kwargs):
+        return super().retrieve(request, *args, **kwargs)
+
     @permission_required("authentik_core.add_user_to_group")
     @extend_schema(
         request=UserAccountSerializer,

authentik/core/api/object_types.py

@@ -0,0 +1,79 @@
+"""API Utilities"""
+
+from drf_spectacular.utils import extend_schema
+from rest_framework.decorators import action
+from rest_framework.fields import (
+    BooleanField,
+    CharField,
+)
+from rest_framework.request import Request
+from rest_framework.response import Response
+
+from authentik.core.api.utils import PassiveSerializer
+from authentik.enterprise.apps import EnterpriseConfig
+from authentik.lib.utils.reflection import all_subclasses
+
+
+class TypeCreateSerializer(PassiveSerializer):
+    """Types of an object that can be created"""
+
+    name = CharField(required=True)
+    description = CharField(required=True)
+    component = CharField(required=True)
+    model_name = CharField(required=True)
+
+    icon_url = CharField(required=False)
+    requires_enterprise = BooleanField(default=False)
+
+
+class CreatableType:
+    """Class to inherit from to mark a model as creatable, even if the model itself is marked
+    as abstract"""
+
+
+class NonCreatableType:
+    """Class to inherit from to mark a model as non-creatable even if it is not abstract"""
+
+
+class TypesMixin:
+    """Mixin which adds an API endpoint to list all possible types that can be created"""
+
+    @extend_schema(responses={200: TypeCreateSerializer(many=True)})
+    @action(detail=False, pagination_class=None, filter_backends=[])
+    def types(self, request: Request, additional: list[dict] | None = None) -> Response:
+        """Get all creatable types"""
+        data = []
+        for subclass in all_subclasses(self.queryset.model):
+            instance = None
+            if subclass._meta.abstract:
+                if not issubclass(subclass, CreatableType):
+                    continue
+                # Circumvent the django protection for not being able to instantiate
+                # abstract models. We need a model instance to access .component
+                # and further down .icon_url
+                instance = subclass.__new__(subclass)
+                # Django re-sets abstract = False so we need to override that
+                instance.Meta.abstract = True
+            else:
+                if issubclass(subclass, NonCreatableType):
+                    continue
+                instance = subclass()
+            try:
+                data.append(
+                    {
+                        "name": subclass._meta.verbose_name,
+                        "description": subclass.__doc__,
+                        "component": instance.component,
+                        "model_name": subclass._meta.model_name,
+                        "icon_url": getattr(instance, "icon_url", None),
+                        "requires_enterprise": isinstance(
+                            subclass._meta.app_config, EnterpriseConfig
+                        ),
+                    }
+                )
+            except NotImplementedError:
+                continue
+        if additional:
+            data.extend(additional)
+        data = sorted(data, key=lambda x: x["name"])
+        return Response(TypeCreateSerializer(data, many=True).data)

authentik/core/api/property_mappings.py

@@ -2,25 +2,36 @@
 
 from json import dumps
 
+from django_filters.filters import AllValuesMultipleFilter, BooleanFilter
+from django_filters.filterset import FilterSet
 from drf_spectacular.types import OpenApiTypes
-from drf_spectacular.utils import OpenApiParameter, OpenApiResponse, extend_schema
+from drf_spectacular.utils import (
+    OpenApiParameter,
+    OpenApiResponse,
+    extend_schema,
+    extend_schema_field,
+)
 from guardian.shortcuts import get_objects_for_user
 from rest_framework import mixins
 from rest_framework.decorators import action
 from rest_framework.exceptions import PermissionDenied
-from rest_framework.fields import BooleanField, CharField
+from rest_framework.fields import BooleanField, CharField, SerializerMethodField
+from rest_framework.relations import PrimaryKeyRelatedField
 from rest_framework.request import Request
 from rest_framework.response import Response
-from rest_framework.serializers import ModelSerializer, SerializerMethodField
 from rest_framework.viewsets import GenericViewSet
 
 from authentik.blueprints.api import ManagedSerializer
+from authentik.core.api.object_types import TypesMixin
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import MetaNameSerializer, PassiveSerializer, TypeCreateSerializer
+from authentik.core.api.utils import (
+    MetaNameSerializer,
+    ModelSerializer,
+    PassiveSerializer,
+)
 from authentik.core.expression.evaluator import PropertyMappingEvaluator
-from authentik.core.models import PropertyMapping
+from authentik.core.models import Group, PropertyMapping, User
 from authentik.events.utils import sanitize_item
-from authentik.lib.utils.reflection import all_subclasses
 from authentik.policies.api.exec import PolicyTestSerializer
 from authentik.rbac.decorators import permission_required
 
@@ -63,7 +74,20 @@ class PropertyMappingSerializer(ManagedSerializer, ModelSerializer, MetaNameSeri
         ]
 
 
+class PropertyMappingFilterSet(FilterSet):
+    """Filter for PropertyMapping"""
+
+    managed = extend_schema_field(OpenApiTypes.STR)(AllValuesMultipleFilter(field_name="managed"))
+
+    managed__isnull = BooleanFilter(field_name="managed", lookup_expr="isnull")
+
+    class Meta:
+        model = PropertyMapping
+        fields = ["name", "managed"]
+
+
 class PropertyMappingViewSet(
+    TypesMixin,
     mixins.RetrieveModelMixin,
     mixins.DestroyModelMixin,
     UsedByMixin,
@@ -72,37 +96,23 @@ class PropertyMappingViewSet(
 ):
     """PropertyMapping Viewset"""
 
-    queryset = PropertyMapping.objects.none()
+    class PropertyMappingTestSerializer(PolicyTestSerializer):
+        """Test property mapping execution for a user/group with context"""
+
+        user = PrimaryKeyRelatedField(queryset=User.objects.all(), required=False, allow_null=True)
+        group = PrimaryKeyRelatedField(
+            queryset=Group.objects.all(), required=False, allow_null=True
+        )
+
+    queryset = PropertyMapping.objects.select_subclasses()
     serializer_class = PropertyMappingSerializer
-    search_fields = [
+    filterset_class = PropertyMappingFilterSet
-        "name",
-    ]
-    filterset_fields = {"managed": ["isnull"]}
     ordering = ["name"]
-
+    search_fields = ["name"]
-    def get_queryset(self):  # pragma: no cover
-        return PropertyMapping.objects.select_subclasses()
-
-    @extend_schema(responses={200: TypeCreateSerializer(many=True)})
-    @action(detail=False, pagination_class=None, filter_backends=[])
-    def types(self, request: Request) -> Response:
-        """Get all creatable property-mapping types"""
-        data = []
-        for subclass in all_subclasses(self.queryset.model):
-            subclass: PropertyMapping
-            data.append(
-                {
-                    "name": subclass._meta.verbose_name,
-                    "description": subclass.__doc__,
-                    "component": subclass().component,
-                    "model_name": subclass._meta.model_name,
-                }
-            )
-        return Response(TypeCreateSerializer(data, many=True).data)
 
     @permission_required("authentik_core.view_propertymapping")
     @extend_schema(
-        request=PolicyTestSerializer(),
+        request=PropertyMappingTestSerializer(),
         responses={
             200: PropertyMappingTestResultSerializer,
             400: OpenApiResponse(description="Invalid parameters"),
@@ -120,29 +130,39 @@ class PropertyMappingViewSet(
         """Test Property Mapping"""
         _mapping: PropertyMapping = self.get_object()
         # Use `get_subclass` to get correct class and correct `.evaluate` implementation
-        mapping = PropertyMapping.objects.get_subclass(pk=_mapping.pk)
+        mapping: PropertyMapping = PropertyMapping.objects.get_subclass(pk=_mapping.pk)
         # FIXME: when we separate policy mappings between ones for sources
         # and ones for providers, we need to make the user field optional for the source mapping
-        test_params = PolicyTestSerializer(data=request.data)
+        test_params = self.PropertyMappingTestSerializer(data=request.data)
         if not test_params.is_valid():
             return Response(test_params.errors, status=400)
 
         format_result = str(request.GET.get("format_result", "false")).lower() == "true"
 
-        # User permission check, only allow mapping testing for users that are readable
+        context: dict = test_params.validated_data.get("context", {})
-        users = get_objects_for_user(request.user, "authentik_core.view_user").filter(
+        context.setdefault("user", None)
-            pk=test_params.validated_data["user"].pk
+
-        )
+        if user := test_params.validated_data.get("user"):
-        if not users.exists():
+            # User permission check, only allow mapping testing for users that are readable
-            raise PermissionDenied()
+            users = get_objects_for_user(request.user, "authentik_core.view_user").filter(
+                pk=user.pk
+            )
+            if not users.exists():
+                raise PermissionDenied()
+            context["user"] = user
+        if group := test_params.validated_data.get("group"):
+            # Group permission check, only allow mapping testing for groups that are readable
+            groups = get_objects_for_user(request.user, "authentik_core.view_group").filter(
+                pk=group.pk
+            )
+            if not groups.exists():
+                raise PermissionDenied()
+            context["group"] = group
+        context["request"] = self.request
 
         response_data = {"successful": True, "result": ""}
         try:
-            result = mapping.evaluate(
+            result = mapping.evaluate(**context)
-                users.first(),
-                self.request,
-                **test_params.validated_data.get("context", {}),
-            )
             response_data["result"] = dumps(
                 sanitize_item(result), indent=(4 if format_result else None)
             )

authentik/core/api/providers.py

@@ -5,20 +5,14 @@ from django.db.models.query import Q
 from django.utils.translation import gettext_lazy as _
 from django_filters.filters import BooleanFilter
 from django_filters.filterset import FilterSet
-from drf_spectacular.utils import extend_schema
 from rest_framework import mixins
-from rest_framework.decorators import action
+from rest_framework.fields import ReadOnlyField, SerializerMethodField
-from rest_framework.fields import ReadOnlyField
-from rest_framework.request import Request
-from rest_framework.response import Response
-from rest_framework.serializers import ModelSerializer, SerializerMethodField
 from rest_framework.viewsets import GenericViewSet
 
+from authentik.core.api.object_types import TypesMixin
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import MetaNameSerializer, TypeCreateSerializer
+from authentik.core.api.utils import MetaNameSerializer, ModelSerializer
 from authentik.core.models import Provider
-from authentik.enterprise.apps import EnterpriseConfig
-from authentik.lib.utils.reflection import all_subclasses
 
 
 class ProviderSerializer(ModelSerializer, MetaNameSerializer):
@@ -63,8 +57,12 @@ class ProviderFilter(FilterSet):
     """Filter for providers"""
 
     application__isnull = BooleanFilter(method="filter_application__isnull")
-    backchannel_only = BooleanFilter(
+    backchannel = BooleanFilter(
-        method="filter_backchannel_only",
+        method="filter_backchannel",
+        label=_(
+            "When not set all providers are returned. When set to true, only backchannel "
+            "providers are returned. When set to false, backchannel providers are excluded"
+        ),
     )
 
     def filter_application__isnull(self, queryset: QuerySet, name, value):
@@ -75,12 +73,14 @@ class ProviderFilter(FilterSet):
             | Q(application__isnull=value)
         )
 
-    def filter_backchannel_only(self, queryset: QuerySet, name, value):
+    def filter_backchannel(self, queryset: QuerySet, name, value):
-        """Only return backchannel providers"""
+        """By default all providers are returned. When set to true, only backchannel providers are
+        returned. When set to false, backchannel providers are excluded"""
         return queryset.filter(is_backchannel=value)
 
 
 class ProviderViewSet(
+    TypesMixin,
     mixins.RetrieveModelMixin,
     mixins.DestroyModelMixin,
     UsedByMixin,
@@ -99,31 +99,3 @@ class ProviderViewSet(
 
     def get_queryset(self):  # pragma: no cover
         return Provider.objects.select_subclasses()
-
-    @extend_schema(responses={200: TypeCreateSerializer(many=True)})
-    @action(detail=False, pagination_class=None, filter_backends=[])
-    def types(self, request: Request) -> Response:
-        """Get all creatable provider types"""
-        data = []
-        for subclass in all_subclasses(self.queryset.model):
-            subclass: Provider
-            if subclass._meta.abstract:
-                continue
-            data.append(
-                {
-                    "name": subclass._meta.verbose_name,
-                    "description": subclass.__doc__,
-                    "component": subclass().component,
-                    "model_name": subclass._meta.model_name,
-                    "requires_enterprise": isinstance(subclass._meta.app_config, EnterpriseConfig),
-                }
-            )
-        data.append(
-            {
-                "name": _("SAML Provider from Metadata"),
-                "description": _("Create a SAML Provider by importing its Metadata."),
-                "component": "ak-provider-saml-import-form",
-                "model_name": "",
-            }
-        )
-        return Response(TypeCreateSerializer(data, many=True).data)

authentik/core/api/sources.py

@@ -11,15 +11,15 @@ from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.parsers import MultiPartParser
 from rest_framework.request import Request
 from rest_framework.response import Response
-from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import GenericViewSet
 from structlog.stdlib import get_logger
 
 from authentik.api.authorization import OwnerFilter, OwnerSuperuserPermissions
 from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT
+from authentik.core.api.object_types import TypesMixin
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import MetaNameSerializer, TypeCreateSerializer
+from authentik.core.api.utils import MetaNameSerializer, ModelSerializer
-from authentik.core.models import Source, UserSourceConnection
+from authentik.core.models import GroupSourceConnection, Source, UserSourceConnection
 from authentik.core.types import UserSettingSerializer
 from authentik.lib.utils.file import (
     FilePathSerializer,
@@ -27,7 +27,6 @@ from authentik.lib.utils.file import (
     set_file,
     set_file_url,
 )
-from authentik.lib.utils.reflection import all_subclasses
 from authentik.policies.engine import PolicyEngine
 from authentik.rbac.decorators import permission_required
 
@@ -61,6 +60,8 @@ class SourceSerializer(ModelSerializer, MetaNameSerializer):
             "enabled",
             "authentication_flow",
             "enrollment_flow",
+            "user_property_mappings",
+            "group_property_mappings",
             "component",
             "verbose_name",
             "verbose_name_plural",
@@ -74,6 +75,7 @@ class SourceSerializer(ModelSerializer, MetaNameSerializer):
 
 
 class SourceViewSet(
+    TypesMixin,
     mixins.RetrieveModelMixin,
     mixins.DestroyModelMixin,
     UsedByMixin,
@@ -132,30 +134,6 @@ class SourceViewSet(
         source: Source = self.get_object()
         return set_file_url(request, source, "icon")
 
-    @extend_schema(responses={200: TypeCreateSerializer(many=True)})
-    @action(detail=False, pagination_class=None, filter_backends=[])
-    def types(self, request: Request) -> Response:
-        """Get all creatable source types"""
-        data = []
-        for subclass in all_subclasses(self.queryset.model):
-            subclass: Source
-            component = ""
-            if len(subclass.__subclasses__()) > 0:
-                continue
-            if subclass._meta.abstract:
-                component = subclass.__bases__[0]().component
-            else:
-                component = subclass().component
-            data.append(
-                {
-                    "name": subclass._meta.verbose_name,
-                    "description": subclass.__doc__,
-                    "component": component,
-                    "model_name": subclass._meta.model_name,
-                }
-            )
-        return Response(TypeCreateSerializer(data, many=True).data)
-
     @extend_schema(responses={200: UserSettingSerializer(many=True)})
     @action(detail=False, pagination_class=None, filter_backends=[])
     def user_settings(self, request: Request) -> Response:
@@ -212,6 +190,47 @@ class UserSourceConnectionViewSet(
     queryset = UserSourceConnection.objects.all()
     serializer_class = UserSourceConnectionSerializer
     permission_classes = [OwnerSuperuserPermissions]
-    filterset_fields = ["user"]
+    filterset_fields = ["user", "source__slug"]
+    search_fields = ["source__slug"]
     filter_backends = [OwnerFilter, DjangoFilterBackend, OrderingFilter, SearchFilter]
-    ordering = ["pk"]
+    ordering = ["source__slug", "pk"]
+
+
+class GroupSourceConnectionSerializer(SourceSerializer):
+    """Group Source Connection Serializer"""
+
+    source = SourceSerializer(read_only=True)
+
+    class Meta:
+        model = GroupSourceConnection
+        fields = [
+            "pk",
+            "group",
+            "source",
+            "identifier",
+            "created",
+        ]
+        extra_kwargs = {
+            "group": {"read_only": True},
+            "identifier": {"read_only": True},
+            "created": {"read_only": True},
+        }
+
+
+class GroupSourceConnectionViewSet(
+    mixins.RetrieveModelMixin,
+    mixins.UpdateModelMixin,
+    mixins.DestroyModelMixin,
+    UsedByMixin,
+    mixins.ListModelMixin,
+    GenericViewSet,
+):
+    """Group-source connection Viewset"""
+
+    queryset = GroupSourceConnection.objects.all()
+    serializer_class = GroupSourceConnectionSerializer
+    permission_classes = [OwnerSuperuserPermissions]
+    filterset_fields = ["group", "source__slug"]
+    search_fields = ["source__slug"]
+    filter_backends = [OwnerFilter, DjangoFilterBackend, OrderingFilter, SearchFilter]
+    ordering = ["source__slug", "pk"]

authentik/core/api/tokens.py

@@ -12,7 +12,6 @@ from rest_framework.fields import CharField
 from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.request import Request
 from rest_framework.response import Response
-from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import ModelViewSet
 
 from authentik.api.authorization import OwnerSuperuserPermissions
@@ -20,7 +19,7 @@ from authentik.blueprints.api import ManagedSerializer
 from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.users import UserSerializer
-from authentik.core.api.utils import PassiveSerializer
+from authentik.core.api.utils import ModelSerializer, PassiveSerializer
 from authentik.core.models import (
     USER_ATTRIBUTE_TOKEN_EXPIRING,
     USER_ATTRIBUTE_TOKEN_MAXIMUM_LIFETIME,

authentik/core/api/used_by.py

@@ -14,7 +14,6 @@ from rest_framework.request import Request
 from rest_framework.response import Response
 
 from authentik.core.api.utils import PassiveSerializer
-from authentik.rbac.filters import ObjectFilter
 
 
 class DeleteAction(Enum):
@@ -40,12 +39,12 @@ def get_delete_action(manager: Manager) -> str:
     """Get the delete action from the Foreign key, falls back to cascade"""
     if hasattr(manager, "field"):
         if manager.field.remote_field.on_delete.__name__ == SET_NULL.__name__:
-            return DeleteAction.SET_NULL.name
+            return DeleteAction.SET_NULL.value
         if manager.field.remote_field.on_delete.__name__ == SET_DEFAULT.__name__:
-            return DeleteAction.SET_DEFAULT.name
+            return DeleteAction.SET_DEFAULT.value
     if hasattr(manager, "source_field"):
-        return DeleteAction.CASCADE_MANY.name
+        return DeleteAction.CASCADE_MANY.value
-    return DeleteAction.CASCADE.name
+    return DeleteAction.CASCADE.value
 
 
 class UsedByMixin:
@@ -54,7 +53,7 @@ class UsedByMixin:
     @extend_schema(
         responses={200: UsedBySerializer(many=True)},
     )
-    @action(detail=True, pagination_class=None, filter_backends=[ObjectFilter])
+    @action(detail=True, pagination_class=None, filter_backends=[])
     def used_by(self, request: Request, *args, **kwargs) -> Response:
         """Get a list of all objects that use this object"""
         model: Model = self.get_object()

authentik/core/api/users.py

@@ -5,6 +5,7 @@ from json import loads
 from typing import Any
 
 from django.contrib.auth import update_session_auth_hash
+from django.contrib.auth.models import Permission
 from django.contrib.sessions.backends.cache import KEY_PREFIX
 from django.core.cache import cache
 from django.db.models.functions import ExtractHour
@@ -33,16 +34,21 @@ from drf_spectacular.utils import (
 )
 from guardian.shortcuts import get_objects_for_user
 from rest_framework.decorators import action
-from rest_framework.fields import CharField, IntegerField, ListField, SerializerMethodField
+from rest_framework.exceptions import ValidationError
+from rest_framework.fields import (
+    BooleanField,
+    CharField,
+    ChoiceField,
+    DateTimeField,
+    IntegerField,
+    ListField,
+    SerializerMethodField,
+)
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.serializers import (
-    BooleanField,
-    DateTimeField,
     ListSerializer,
-    ModelSerializer,
     PrimaryKeyRelatedField,
-    ValidationError,
 )
 from rest_framework.validators import UniqueValidator
 from rest_framework.viewsets import ModelViewSet
@@ -52,7 +58,12 @@ from authentik.admin.api.metrics import CoordinateSerializer
 from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT
 from authentik.brands.models import Brand
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import JSONDictField, LinkSerializer, PassiveSerializer
+from authentik.core.api.utils import (
+    JSONDictField,
+    LinkSerializer,
+    ModelSerializer,
+    PassiveSerializer,
+)
 from authentik.core.middleware import (
     SESSION_KEY_IMPERSONATE_ORIGINAL_USER,
     SESSION_KEY_IMPERSONATE_USER,
@@ -74,6 +85,7 @@ from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlanner
 from authentik.flows.views.executor import QS_KEY_TOKEN
 from authentik.lib.avatars import get_avatar
 from authentik.rbac.decorators import permission_required
+from authentik.rbac.models import get_permission_choices
 from authentik.stages.email.models import EmailStage
 from authentik.stages.email.tasks import send_mails
 from authentik.stages.email.utils import TemplateEmailMessage
@@ -137,12 +149,19 @@ class UserSerializer(ModelSerializer):
         super().__init__(*args, **kwargs)
         if SERIALIZER_CONTEXT_BLUEPRINT in self.context:
             self.fields["password"] = CharField(required=False, allow_null=True)
+            self.fields["permissions"] = ListField(
+                required=False, child=ChoiceField(choices=get_permission_choices())
+            )
 
     def create(self, validated_data: dict) -> User:
         """If this serializer is used in the blueprint context, we allow for
         directly setting a password. However should be done via the `set_password`
         method instead of directly setting it like rest_framework."""
         password = validated_data.pop("password", None)
+        permissions = Permission.objects.filter(
+            codename__in=[x.split(".")[1] for x in validated_data.pop("permissions", [])]
+        )
+        validated_data["user_permissions"] = permissions
         instance: User = super().create(validated_data)
         self._set_password(instance, password)
         return instance
@@ -151,6 +170,10 @@ class UserSerializer(ModelSerializer):
         """Same as `create` above, set the password directly if we're in a blueprint
         context"""
         password = validated_data.pop("password", None)
+        permissions = Permission.objects.filter(
+            codename__in=[x.split(".")[1] for x in validated_data.pop("permissions", [])]
+        )
+        validated_data["user_permissions"] = permissions
         instance = super().update(instance, validated_data)
         self._set_password(instance, password)
         return instance

authentik/core/api/utils.py

@@ -6,8 +6,19 @@ from django.db.models import Model
 from drf_spectacular.extensions import OpenApiSerializerFieldExtension
 from drf_spectacular.plumbing import build_basic_type
 from drf_spectacular.types import OpenApiTypes
-from rest_framework.fields import BooleanField, CharField, IntegerField, JSONField
+from rest_framework.fields import (
-from rest_framework.serializers import Serializer, SerializerMethodField, ValidationError
+    CharField,
+    IntegerField,
+    JSONField,
+    SerializerMethodField,
+)
+from rest_framework.serializers import ModelSerializer as BaseModelSerializer
+from rest_framework.serializers import (
+    Serializer,
+    ValidationError,
+    model_meta,
+    raise_errors_on_nested_writes,
+)
 
 
 def is_dict(value: Any):
@@ -17,6 +28,39 @@ def is_dict(value: Any):
     raise ValidationError("Value must be a dictionary, and not have any duplicate keys.")
 
 
+class ModelSerializer(BaseModelSerializer):
+
+    def update(self, instance: Model, validated_data):
+        raise_errors_on_nested_writes("update", self, validated_data)
+        info = model_meta.get_field_info(instance)
+
+        # Simply set each attribute on the instance, and then save it.
+        # Note that unlike `.create()` we don't need to treat many-to-many
+        # relationships as being a special case. During updates we already
+        # have an instance pk for the relationships to be associated with.
+        m2m_fields = []
+        for attr, value in validated_data.items():
+            if attr in info.relations and info.relations[attr].to_many:
+                m2m_fields.append((attr, value))
+            else:
+                setattr(instance, attr, value)
+
+        instance.save()
+
+        # Note that many-to-many fields are set after updating instance.
+        # Setting m2m fields triggers signals which could potentially change
+        # updated instance and we do not want it to collide with .update()
+        for attr, value in m2m_fields:
+            field = getattr(instance, attr)
+            # We can't check for inheritance here as m2m managers are generated dynamically
+            if field.__class__.__name__ == "RelatedManager":
+                field.set(value, bulk=False)
+            else:
+                field.set(value)
+
+        return instance
+
+
 class JSONDictField(JSONField):
     """JSON Field which only allows dictionaries"""
 
@@ -68,16 +112,6 @@ class MetaNameSerializer(PassiveSerializer):
         return f"{obj._meta.app_label}.{obj._meta.model_name}"
 
 
-class TypeCreateSerializer(PassiveSerializer):
-    """Types of an object that can be created"""
-
-    name = CharField(required=True)
-    description = CharField(required=True)
-    component = CharField(required=True)
-    model_name = CharField(required=True)
-    requires_enterprise = BooleanField(default=False)
-
-
 class CacheSerializer(PassiveSerializer):
     """Generic cache stats for an object"""
 

authentik/core/auth.py

@@ -31,8 +31,9 @@ class InbuiltBackend(ModelBackend):
         # Since we can't directly pass other variables to signals, and we want to log the method
         # and the token used, we assume we're running in a flow and set a variable in the context
         flow_plan: FlowPlan = request.session.get(SESSION_KEY_PLAN, FlowPlan(""))
-        flow_plan.context[PLAN_CONTEXT_METHOD] = method
+        flow_plan.context.setdefault(PLAN_CONTEXT_METHOD, method)
-        flow_plan.context[PLAN_CONTEXT_METHOD_ARGS] = cleanse_dict(sanitize_dict(kwargs))
+        flow_plan.context.setdefault(PLAN_CONTEXT_METHOD_ARGS, {})
+        flow_plan.context[PLAN_CONTEXT_METHOD_ARGS].update(cleanse_dict(sanitize_dict(kwargs)))
         request.session[SESSION_KEY_PLAN] = flow_plan
 
 

authentik/core/exceptions.py

@@ -1,7 +0,0 @@
-"""authentik core exceptions"""
-
-from authentik.lib.sentry import SentryIgnoredException
-
-
-class PropertyMappingExpressionException(SentryIgnoredException):
-    """Error when a PropertyMapping Exception expression could not be parsed or evaluated."""

authentik/core/expression/evaluator.py

@@ -1,11 +1,13 @@
 """Property Mapping Evaluator"""
 
+from types import CodeType
 from typing import Any
 
 from django.db.models import Model
 from django.http import HttpRequest
 from prometheus_client import Histogram
 
+from authentik.core.expression.exceptions import SkipObjectException
 from authentik.core.models import User
 from authentik.events.models import Event, EventAction
 from authentik.lib.expression.evaluator import BaseEvaluator
@@ -23,6 +25,8 @@ class PropertyMappingEvaluator(BaseEvaluator):
     """Custom Evaluator that adds some different context variables."""
 
     dry_run: bool
+    model: Model
+    _compiled: CodeType | None = None
 
     def __init__(
         self,
@@ -32,22 +36,32 @@ class PropertyMappingEvaluator(BaseEvaluator):
         dry_run: bool | None = False,
         **kwargs,
     ):
+        self.model = model
         if hasattr(model, "name"):
             _filename = model.name
         else:
             _filename = str(model)
         super().__init__(filename=_filename)
+        self.dry_run = dry_run
+        self.set_context(user, request, **kwargs)
+
+    def set_context(
+        self,
+        user: User | None = None,
+        request: HttpRequest | None = None,
+        **kwargs,
+    ):
         req = PolicyRequest(user=User())
-        req.obj = model
+        req.obj = self.model
         if user:
             req.user = user
             self._context["user"] = user
         if request:
             req.http_request = request
-        self._context["request"] = req
         req.context.update(**kwargs)
+        self._context["request"] = req
         self._context.update(**kwargs)
-        self.dry_run = dry_run
+        self._globals["SkipObject"] = SkipObjectException
 
     def handle_error(self, exc: Exception, expression_source: str):
         """Exception Handler"""
@@ -62,10 +76,19 @@ class PropertyMappingEvaluator(BaseEvaluator):
         )
         if "request" in self._context:
             req: PolicyRequest = self._context["request"]
-            event.from_http(req.http_request, req.user)
+            if req.http_request:
-            return
+                event.from_http(req.http_request, req.user)
+                return
+            elif req.user:
+                event.set_user(req.user)
         event.save()
 
     def evaluate(self, *args, **kwargs) -> Any:
         with PROPERTY_MAPPING_TIME.labels(mapping_name=self._filename).time():
             return super().evaluate(*args, **kwargs)
+
+    def compile(self, expression: str | None = None) -> Any:
+        if not self._compiled:
+            compiled = super().compile(expression or self.model.expression)
+            self._compiled = compiled
+        return self._compiled

authentik/core/expression/exceptions.py

@@ -0,0 +1,19 @@
+"""authentik core exceptions"""
+
+from authentik.lib.expression.exceptions import ControlFlowException
+from authentik.lib.sentry import SentryIgnoredException
+
+
+class PropertyMappingExpressionException(SentryIgnoredException):
+    """Error when a PropertyMapping Exception expression could not be parsed or evaluated."""
+
+    def __init__(self, exc: Exception, mapping) -> None:
+        super().__init__()
+        self.exc = exc
+        self.mapping = mapping
+
+
+class SkipObjectException(ControlFlowException):
+    """Exception which can be raised in a property mapping to skip syncing an object.
+    Only applies to Property mappings which sync objects, and not on mappings which transitively
+    apply to a single user"""

authentik/core/management/commands/change_user_type.py

@@ -0,0 +1,28 @@
+"""Change user type"""
+
+from authentik.core.models import User, UserTypes
+from authentik.tenants.management import TenantCommand
+
+
+class Command(TenantCommand):
+    """Change user type"""
+
+    def add_arguments(self, parser):
+        parser.add_argument("--type", type=str, required=True)
+        parser.add_argument("--all", action="store_true")
+        parser.add_argument("usernames", nargs="+", type=str)
+
+    def handle_per_tenant(self, **options):
+        new_type = UserTypes(options["type"])
+        qs = (
+            User.objects.exclude_anonymous()
+            .exclude(type=UserTypes.SERVICE_ACCOUNT)
+            .exclude(type=UserTypes.INTERNAL_SERVICE_ACCOUNT)
+        )
+        if options["usernames"] and options["all"]:
+            self.stderr.write("--all and usernames specified, only one can be specified")
+            return
+        if options["usernames"] and not options["all"]:
+            qs = qs.filter(username__in=options["usernames"])
+        updated = qs.update(type=new_type)
+        self.stdout.write(f"Updated {updated} users.")

authentik/core/migrations/0029_provider_backchannel_applications_and_more.py

@@ -7,11 +7,13 @@ from django.db.backends.base.schema import BaseDatabaseSchemaEditor
 
 
 def backport_is_backchannel(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
-    from authentik.core.models import BackchannelProvider
+    db_alias = schema_editor.connection.alias
+    from authentik.providers.ldap.models import LDAPProvider
+    from authentik.providers.scim.models import SCIMProvider
 
-    for model in BackchannelProvider.__subclasses__():
+    for model in [LDAPProvider, SCIMProvider]:
         try:
-            for obj in model.objects.only("is_backchannel"):
+            for obj in model.objects.using(db_alias).only("is_backchannel"):
                 obj.is_backchannel = True
                 obj.save()
         except (DatabaseError, InternalError, ProgrammingError):

authentik/core/migrations/0036_source_group_property_mappings_and_more.py

@@ -0,0 +1,43 @@
+# Generated by Django 5.0.2 on 2024-02-29 11:05
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_core", "0035_alter_group_options_and_more"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="source",
+            name="group_property_mappings",
+            field=models.ManyToManyField(
+                blank=True,
+                default=None,
+                related_name="source_grouppropertymappings_set",
+                to="authentik_core.propertymapping",
+            ),
+        ),
+        migrations.AddField(
+            model_name="source",
+            name="user_property_mappings",
+            field=models.ManyToManyField(
+                blank=True,
+                default=None,
+                related_name="source_userpropertymappings_set",
+                to="authentik_core.propertymapping",
+            ),
+        ),
+        migrations.AlterField(
+            model_name="source",
+            name="property_mappings",
+            field=models.ManyToManyField(
+                blank=True,
+                default=None,
+                related_name="source_set",
+                to="authentik_core.propertymapping",
+            ),
+        ),
+    ]

authentik/core/migrations/0037_remove_source_property_mappings.py

@@ -0,0 +1,18 @@
+# Generated by Django 5.0.2 on 2024-02-29 11:21
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_sources_ldap", "0005_remove_ldappropertymapping_object_field_and_more"),
+        ("authentik_core", "0036_source_group_property_mappings_and_more"),
+    ]
+
+    operations = [
+        migrations.RemoveField(
+            model_name="source",
+            name="property_mappings",
+        ),
+    ]

authentik/core/migrations/0038_source_authentik_c_enabled_d72365_idx.py

@@ -0,0 +1,19 @@
+# Generated by Django 5.0.7 on 2024-07-22 13:32
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_core", "0037_remove_source_property_mappings"),
+        ("authentik_flows", "0027_auto_20231028_1424"),
+        ("authentik_policies", "0011_policybinding_failure_result_and_more"),
+    ]
+
+    operations = [
+        migrations.AddIndex(
+            model_name="source",
+            index=models.Index(fields=["enabled"], name="authentik_c_enabled_d72365_idx"),
+        ),
+    ]

authentik/core/migrations/0039_source_group_matching_mode_alter_group_name_and_more.py

@@ -0,0 +1,67 @@
+# Generated by Django 5.0.7 on 2024-08-01 18:52
+
+import django.db.models.deletion
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_core", "0038_source_authentik_c_enabled_d72365_idx"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="source",
+            name="group_matching_mode",
+            field=models.TextField(
+                choices=[
+                    ("identifier", "Use the source-specific identifier"),
+                    (
+                        "name_link",
+                        "Link to a group with identical name. Can have security implications when a group name is used with another source.",
+                    ),
+                    (
+                        "name_deny",
+                        "Use the group name, but deny enrollment when the name already exists.",
+                    ),
+                ],
+                default="identifier",
+                help_text="How the source determines if an existing group should be used or a new group created.",
+            ),
+        ),
+        migrations.AlterField(
+            model_name="group",
+            name="name",
+            field=models.TextField(verbose_name="name"),
+        ),
+        migrations.CreateModel(
+            name="GroupSourceConnection",
+            fields=[
+                (
+                    "id",
+                    models.AutoField(
+                        auto_created=True, primary_key=True, serialize=False, verbose_name="ID"
+                    ),
+                ),
+                ("created", models.DateTimeField(auto_now_add=True)),
+                ("last_updated", models.DateTimeField(auto_now=True)),
+                ("identifier", models.TextField()),
+                (
+                    "group",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE, to="authentik_core.group"
+                    ),
+                ),
+                (
+                    "source",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE, to="authentik_core.source"
+                    ),
+                ),
+            ],
+            options={
+                "unique_together": {("group", "source")},
+            },
+        ),
+    ]

authentik/core/models.py

@@ -11,10 +11,12 @@ from django.contrib.auth.models import AbstractUser
 from django.contrib.auth.models import UserManager as DjangoUserManager
 from django.db import models
 from django.db.models import Q, QuerySet, options
+from django.db.models.constants import LOOKUP_SEP
 from django.http import HttpRequest
 from django.utils.functional import SimpleLazyObject, cached_property
 from django.utils.timezone import now
 from django.utils.translation import gettext_lazy as _
+from django_cte import CTEQuerySet, With
 from guardian.conf import settings
 from guardian.mixins import GuardianUserMixin
 from model_utils.managers import InheritanceManager
@@ -22,10 +24,12 @@ from rest_framework.serializers import Serializer
 from structlog.stdlib import get_logger
 
 from authentik.blueprints.models import ManagedModel
-from authentik.core.exceptions import PropertyMappingExpressionException
+from authentik.core.expression.exceptions import PropertyMappingExpressionException
 from authentik.core.types import UILoginButton, UserSettingSerializer
 from authentik.lib.avatars import get_avatar
+from authentik.lib.expression.exceptions import ControlFlowException
 from authentik.lib.generators import generate_id
+from authentik.lib.merge import MERGE_LIST_UNIQUE
 from authentik.lib.models import (
     CreatedUpdatedModel,
     DomainlessFormattedURLValidator,
@@ -56,6 +60,8 @@ options.DEFAULT_NAMES = options.DEFAULT_NAMES + (
     "authentik_used_by_shadows",
 )
 
+GROUP_RECURSION_LIMIT = 20
+
 
 def default_token_duration() -> datetime:
     """Default duration a Token is valid"""
@@ -96,12 +102,78 @@ class UserTypes(models.TextChoices):
     INTERNAL_SERVICE_ACCOUNT = "internal_service_account"
 
 
-class Group(SerializerModel):
+class AttributesMixin(models.Model):
+    """Adds an attributes property to a model"""
+
+    attributes = models.JSONField(default=dict, blank=True)
+
+    class Meta:
+        abstract = True
+
+    def update_attributes(self, properties: dict[str, Any]):
+        """Update fields and attributes, but correctly by merging dicts"""
+        for key, value in properties.items():
+            if key == "attributes":
+                continue
+            setattr(self, key, value)
+        final_attributes = {}
+        MERGE_LIST_UNIQUE.merge(final_attributes, self.attributes)
+        MERGE_LIST_UNIQUE.merge(final_attributes, properties.get("attributes", {}))
+        self.attributes = final_attributes
+        self.save()
+
+    @classmethod
+    def update_or_create_attributes(
+        cls, query: dict[str, Any], properties: dict[str, Any]
+    ) -> tuple[models.Model, bool]:
+        """Same as django's update_or_create but correctly updates attributes by merging dicts"""
+        instance = cls.objects.filter(**query).first()
+        if not instance:
+            return cls.objects.create(**properties), True
+        instance.update_attributes(properties)
+        return instance, False
+
+
+class GroupQuerySet(CTEQuerySet):
+    def with_children_recursive(self):
+        """Recursively get all groups that have the current queryset as parents
+        or are indirectly related."""
+
+        def make_cte(cte):
+            """Build the query that ends up in WITH RECURSIVE"""
+            # Start from self, aka the current query
+            # Add a depth attribute to limit the recursion
+            return self.annotate(
+                relative_depth=models.Value(0, output_field=models.IntegerField())
+            ).union(
+                # Here is the recursive part of the query. cte refers to the previous iteration
+                # Only select groups for which the parent is part of the previous iteration
+                # and increase the depth
+                # Finally, limit the depth
+                cte.join(Group, group_uuid=cte.col.parent_id)
+                .annotate(
+                    relative_depth=models.ExpressionWrapper(
+                        cte.col.relative_depth
+                        + models.Value(1, output_field=models.IntegerField()),
+                        output_field=models.IntegerField(),
+                    )
+                )
+                .filter(relative_depth__lt=GROUP_RECURSION_LIMIT),
+                all=True,
+            )
+
+        # Build the recursive query, see above
+        cte = With.recursive(make_cte)
+        # Return the result, as a usable queryset for Group.
+        return cte.join(Group, group_uuid=cte.col.group_uuid).with_cte(cte)
+
+
+class Group(SerializerModel, AttributesMixin):
     """Group model which supports a basic hierarchy and has attributes"""
 
     group_uuid = models.UUIDField(primary_key=True, editable=False, default=uuid4)
 
-    name = models.CharField(_("name"), max_length=80)
+    name = models.TextField(_("name"))
     is_superuser = models.BooleanField(
         default=False, help_text=_("Users added to this group will be superusers.")
     )
@@ -116,7 +188,26 @@ class Group(SerializerModel):
         on_delete=models.SET_NULL,
         related_name="children",
     )
-    attributes = models.JSONField(default=dict, blank=True)
+
+    objects = GroupQuerySet.as_manager()
+
+    class Meta:
+        unique_together = (
+            (
+                "name",
+                "parent",
+            ),
+        )
+        indexes = [models.Index(fields=["name"])]
+        verbose_name = _("Group")
+        verbose_name_plural = _("Groups")
+        permissions = [
+            ("add_user_to_group", _("Add user to group")),
+            ("remove_user_from_group", _("Remove user from group")),
+        ]
+
+    def __str__(self):
+        return f"Group {self.name}"
 
     @property
     def serializer(self) -> Serializer:
@@ -136,54 +227,11 @@ class Group(SerializerModel):
         return user.all_groups().filter(group_uuid=self.group_uuid).exists()
 
     def children_recursive(self: Self | QuerySet["Group"]) -> QuerySet["Group"]:
-        """Recursively get all groups that have this as parent or are indirectly related"""
+        """Compatibility layer for Group.objects.with_children_recursive()"""
-        direct_groups = []
+        qs = self
-        if isinstance(self, QuerySet):
+        if not isinstance(self, QuerySet):
-            direct_groups = list(x for x in self.all().values_list("pk", flat=True).iterator())
+            qs = Group.objects.filter(group_uuid=self.group_uuid)
-        else:
+        return qs.with_children_recursive()
-            direct_groups = [self.pk]
-        if len(direct_groups) < 1:
-            return Group.objects.none()
-        query = """
-        WITH RECURSIVE parents AS (
-            SELECT authentik_core_group.*, 0 AS relative_depth
-            FROM authentik_core_group
-            WHERE authentik_core_group.group_uuid = ANY(%s)
-
-            UNION ALL
-
-            SELECT authentik_core_group.*, parents.relative_depth + 1
-            FROM authentik_core_group, parents
-            WHERE (
-                authentik_core_group.group_uuid = parents.parent_id and
-                parents.relative_depth < 20
-            )
-        )
-        SELECT group_uuid
-        FROM parents
-        GROUP BY group_uuid, name
-        ORDER BY name;
-        """
-        group_pks = [group.pk for group in Group.objects.raw(query, [direct_groups]).iterator()]
-        return Group.objects.filter(pk__in=group_pks)
-
-    def __str__(self):
-        return f"Group {self.name}"
-
-    class Meta:
-        unique_together = (
-            (
-                "name",
-                "parent",
-            ),
-        )
-        indexes = [models.Index(fields=["name"])]
-        verbose_name = _("Group")
-        verbose_name_plural = _("Groups")
-        permissions = [
-            ("add_user_to_group", _("Add user to group")),
-            ("remove_user_from_group", _("Remove user from group")),
-        ]
 
 
 class UserQuerySet(models.QuerySet):
@@ -210,7 +258,7 @@ class UserManager(DjangoUserManager):
         return self.get_queryset().exclude_anonymous()
 
 
-class User(SerializerModel, GuardianUserMixin, AbstractUser):
+class User(SerializerModel, GuardianUserMixin, AttributesMixin, AbstractUser):
     """authentik User model, based on django's contrib auth user model."""
 
     uuid = models.UUIDField(default=uuid4, editable=False, unique=True)
@@ -222,20 +270,38 @@ class User(SerializerModel, GuardianUserMixin, AbstractUser):
     ak_groups = models.ManyToManyField("Group", related_name="users")
     password_change_date = models.DateTimeField(auto_now_add=True)
 
-    attributes = models.JSONField(default=dict, blank=True)
-
     objects = UserManager()
 
+    class Meta:
+        verbose_name = _("User")
+        verbose_name_plural = _("Users")
+        permissions = [
+            ("reset_user_password", _("Reset Password")),
+            ("impersonate", _("Can impersonate other users")),
+            ("assign_user_permissions", _("Can assign permissions to users")),
+            ("unassign_user_permissions", _("Can unassign permissions from users")),
+            ("preview_user", _("Can preview user data sent to providers")),
+            ("view_user_applications", _("View applications the user has access to")),
+        ]
+        indexes = [
+            models.Index(fields=["last_login"]),
+            models.Index(fields=["password_change_date"]),
+            models.Index(fields=["uuid"]),
+            models.Index(fields=["path"]),
+            models.Index(fields=["type"]),
+        ]
+
+    def __str__(self):
+        return self.username
+
     @staticmethod
     def default_path() -> str:
         """Get the default user path"""
         return User._meta.get_field("path").default
 
     def all_groups(self) -> QuerySet[Group]:
-        """Recursively get all groups this user is a member of.
+        """Recursively get all groups this user is a member of."""
-        At least one query is done to get the direct groups of the user, with groups
+        return self.ak_groups.all().with_children_recursive()
-        there are at most 3 queries done"""
-        return Group.children_recursive(self.ak_groups.all())
 
     def group_attributes(self, request: HttpRequest | None = None) -> dict[str, Any]:
         """Get a dictionary containing the attributes from all groups the user belongs to,
@@ -309,25 +375,6 @@ class User(SerializerModel, GuardianUserMixin, AbstractUser):
         """Get avatar, depending on authentik.avatar setting"""
         return get_avatar(self)
 
-    class Meta:
-        verbose_name = _("User")
-        verbose_name_plural = _("Users")
-        permissions = [
-            ("reset_user_password", _("Reset Password")),
-            ("impersonate", _("Can impersonate other users")),
-            ("assign_user_permissions", _("Can assign permissions to users")),
-            ("unassign_user_permissions", _("Can unassign permissions from users")),
-            ("preview_user", _("Can preview user data sent to providers")),
-            ("view_user_applications", _("View applications the user has access to")),
-        ]
-        indexes = [
-            models.Index(fields=["last_login"]),
-            models.Index(fields=["password_change_date"]),
-            models.Index(fields=["uuid"]),
-            models.Index(fields=["path"]),
-            models.Index(fields=["type"]),
-        ]
-
 
 class Provider(SerializerModel):
     """Application-independent Provider instance. For example SAML2 Remote, OAuth2 Application"""
@@ -377,6 +424,10 @@ class Provider(SerializerModel):
         Can return None for providers that are not URL-based"""
         return None
 
+    @property
+    def icon_url(self) -> str | None:
+        return None
+
     @property
     def component(self) -> str:
         """Return component used to edit this object"""
@@ -411,6 +462,16 @@ class BackchannelProvider(Provider):
         abstract = True
 
 
+class ApplicationQuerySet(QuerySet):
+    def with_provider(self) -> "QuerySet[Application]":
+        qs = self.select_related("provider")
+        for subclass in Provider.objects.get_queryset()._get_subclasses_recurse(Provider):
+            if LOOKUP_SEP in subclass:
+                continue
+            qs = qs.select_related(f"provider__{subclass}")
+        return qs
+
+
 class Application(SerializerModel, PolicyBindingModel):
     """Every Application which uses authentik for authentication/identification/authorization
     needs an Application record. Other authentication types can subclass this Model to
@@ -442,6 +503,8 @@ class Application(SerializerModel, PolicyBindingModel):
     meta_description = models.TextField(default="", blank=True)
     meta_publisher = models.TextField(default="", blank=True)
 
+    objects = ApplicationQuerySet.as_manager()
+
     @property
     def serializer(self) -> Serializer:
         from authentik.core.api.applications import ApplicationSerializer
@@ -478,16 +541,19 @@ class Application(SerializerModel, PolicyBindingModel):
         return url
 
     def get_provider(self) -> Provider | None:
-        """Get casted provider instance"""
+        """Get casted provider instance. Needs Application queryset with_provider"""
         if not self.provider:
             return None
-        # if the Application class has been cache, self.provider is set
+
-        # but doing a direct query lookup will fail.
+        for subclass in Provider.objects.get_queryset()._get_subclasses_recurse(Provider):
-        # In that case, just return None
+            # We don't care about recursion, skip nested models
-        try:
+            if LOOKUP_SEP in subclass:
-            return Provider.objects.get_subclass(pk=self.provider.pk)
+                continue
-        except Provider.DoesNotExist:
+            try:
-            return None
+                return getattr(self.provider, subclass)
+            except AttributeError:
+                pass
+        return None
 
     def __str__(self):
         return str(self.name)
@@ -517,6 +583,19 @@ class SourceUserMatchingModes(models.TextChoices):
     )
 
 
+class SourceGroupMatchingModes(models.TextChoices):
+    """Different modes a source can handle new/returning groups"""
+
+    IDENTIFIER = "identifier", _("Use the source-specific identifier")
+    NAME_LINK = "name_link", _(
+        "Link to a group with identical name. Can have security implications "
+        "when a group name is used with another source."
+    )
+    NAME_DENY = "name_deny", _(
+        "Use the group name, but deny enrollment when the name already exists."
+    )
+
+
 class Source(ManagedModel, SerializerModel, PolicyBindingModel):
     """Base Authentication source, i.e. an OAuth Provider, SAML Remote or LDAP Server"""
 
@@ -526,7 +605,12 @@ class Source(ManagedModel, SerializerModel, PolicyBindingModel):
     user_path_template = models.TextField(default="goauthentik.io/sources/%(slug)s")
 
     enabled = models.BooleanField(default=True)
-    property_mappings = models.ManyToManyField("PropertyMapping", default=None, blank=True)
+    user_property_mappings = models.ManyToManyField(
+        "PropertyMapping", default=None, blank=True, related_name="source_userpropertymappings_set"
+    )
+    group_property_mappings = models.ManyToManyField(
+        "PropertyMapping", default=None, blank=True, related_name="source_grouppropertymappings_set"
+    )
     icon = models.FileField(
         upload_to="source-icons/",
         default=None,
@@ -561,6 +645,14 @@ class Source(ManagedModel, SerializerModel, PolicyBindingModel):
             "a new user enrolled."
         ),
     )
+    group_matching_mode = models.TextField(
+        choices=SourceGroupMatchingModes.choices,
+        default=SourceGroupMatchingModes.IDENTIFIER,
+        help_text=_(
+            "How the source determines if an existing group should be used or "
+            "a new group created."
+        ),
+    )
 
     objects = InheritanceManager()
 
@@ -590,6 +682,11 @@ class Source(ManagedModel, SerializerModel, PolicyBindingModel):
         """Return component used to edit this object"""
         raise NotImplementedError
 
+    @property
+    def property_mapping_type(self) -> "type[PropertyMapping]":
+        """Return property mapping type used by this object"""
+        raise NotImplementedError
+
     def ui_login_button(self, request: HttpRequest) -> UILoginButton | None:
         """If source uses a http-based flow, return UI Information about the login
         button. If source doesn't use http-based flow, return None."""
@@ -600,6 +697,14 @@ class Source(ManagedModel, SerializerModel, PolicyBindingModel):
         user settings are available, or UserSettingSerializer."""
         return None
 
+    def get_base_user_properties(self, **kwargs) -> dict[str, Any | dict[str, Any]]:
+        """Get base properties for a user to build final properties upon."""
+        raise NotImplementedError
+
+    def get_base_group_properties(self, **kwargs) -> dict[str, Any | dict[str, Any]]:
+        """Get base properties for a group to build final properties upon."""
+        raise NotImplementedError
+
     def __str__(self):
         return str(self.name)
 
@@ -615,6 +720,11 @@ class Source(ManagedModel, SerializerModel, PolicyBindingModel):
                     "name",
                 ]
             ),
+            models.Index(
+                fields=[
+                    "enabled",
+                ]
+            ),
         ]
 
 
@@ -638,6 +748,27 @@ class UserSourceConnection(SerializerModel, CreatedUpdatedModel):
         unique_together = (("user", "source"),)
 
 
+class GroupSourceConnection(SerializerModel, CreatedUpdatedModel):
+    """Connection between Group and Source."""
+
+    group = models.ForeignKey(Group, on_delete=models.CASCADE)
+    source = models.ForeignKey(Source, on_delete=models.CASCADE)
+    identifier = models.TextField()
+
+    objects = InheritanceManager()
+
+    @property
+    def serializer(self) -> type[Serializer]:
+        """Get serializer for this model"""
+        raise NotImplementedError
+
+    def __str__(self) -> str:
+        return f"Group-source connection (group={self.group_id}, source={self.source_id})"
+
+    class Meta:
+        unique_together = (("group", "source"),)
+
+
 class ExpiringModel(models.Model):
     """Base Model which can expire, and is automatically cleaned up."""
 
@@ -767,8 +898,10 @@ class PropertyMapping(SerializerModel, ManagedModel):
         evaluator = PropertyMappingEvaluator(self, user, request, **kwargs)
         try:
             return evaluator.evaluate(self.expression)
+        except ControlFlowException as exc:
+            raise exc
         except Exception as exc:
-            raise PropertyMappingExpressionException(exc) from exc
+            raise PropertyMappingExpressionException(self, exc) from exc
 
     def __str__(self):
         return f"Property Mapping {self.name}"

authentik/core/signals.py

@@ -52,6 +52,8 @@ def user_logged_in_session(sender, request: HttpRequest, user: User, **_):
 @receiver(user_logged_out)
 def user_logged_out_session(sender, request: HttpRequest, user: User, **_):
     """Delete AuthenticatedSession if it exists"""
+    if not request.session or not request.session.session_key:
+        return
     AuthenticatedSession.objects.filter(session_key=request.session.session_key).delete()
 
 

authentik/core/sources/flow_manager.py

@@ -4,7 +4,7 @@ from enum import Enum
 from typing import Any
 
 from django.contrib import messages
-from django.db import IntegrityError
+from django.db import IntegrityError, transaction
 from django.db.models.query_utils import Q
 from django.http import HttpRequest, HttpResponse
 from django.shortcuts import redirect
@@ -12,8 +12,20 @@ from django.urls import reverse
 from django.utils.translation import gettext as _
 from structlog.stdlib import get_logger
 
-from authentik.core.models import Source, SourceUserMatchingModes, User, UserSourceConnection
+from authentik.core.models import (
-from authentik.core.sources.stage import PLAN_CONTEXT_SOURCES_CONNECTION, PostSourceStage
+    Group,
+    GroupSourceConnection,
+    Source,
+    SourceGroupMatchingModes,
+    SourceUserMatchingModes,
+    User,
+    UserSourceConnection,
+)
+from authentik.core.sources.mapper import SourceMapper
+from authentik.core.sources.stage import (
+    PLAN_CONTEXT_SOURCES_CONNECTION,
+    PostSourceStage,
+)
 from authentik.events.models import Event, EventAction
 from authentik.flows.exceptions import FlowNonApplicableException
 from authentik.flows.models import Flow, FlowToken, Stage, in_memory_stage
@@ -36,7 +48,10 @@ from authentik.stages.password.stage import PLAN_CONTEXT_AUTHENTICATION_BACKEND
 from authentik.stages.prompt.stage import PLAN_CONTEXT_PROMPT
 from authentik.stages.user_write.stage import PLAN_CONTEXT_USER_PATH
 
+LOGGER = get_logger()
+
 SESSION_KEY_OVERRIDE_FLOW_TOKEN = "authentik/flows/source_override_flow_token"  # nosec
+PLAN_CONTEXT_SOURCE_GROUPS = "source_groups"
 
 
 class Action(Enum):
@@ -70,48 +85,69 @@ class SourceFlowManager:
     or deny the request."""
 
     source: Source
+    mapper: SourceMapper
     request: HttpRequest
 
     identifier: str
 
-    connection_type: type[UserSourceConnection] = UserSourceConnection
+    user_connection_type: type[UserSourceConnection] = UserSourceConnection
+    group_connection_type: type[GroupSourceConnection] = GroupSourceConnection
 
-    enroll_info: dict[str, Any]
+    user_info: dict[str, Any]
     policy_context: dict[str, Any]
+    user_properties: dict[str, Any | dict[str, Any]]
+    groups_properties: dict[str, dict[str, Any | dict[str, Any]]]
 
     def __init__(
         self,
         source: Source,
         request: HttpRequest,
         identifier: str,
-        enroll_info: dict[str, Any],
+        user_info: dict[str, Any],
+        policy_context: dict[str, Any],
     ) -> None:
         self.source = source
+        self.mapper = SourceMapper(self.source)
         self.request = request
         self.identifier = identifier
-        self.enroll_info = enroll_info
+        self.user_info = user_info
         self._logger = get_logger().bind(source=source, identifier=identifier)
-        self.policy_context = {}
+        self.policy_context = policy_context
+
+        self.user_properties = self.mapper.build_object_properties(
+            object_type=User, request=request, user=None, **self.user_info
+        )
+        self.groups_properties = {
+            group_id: self.mapper.build_object_properties(
+                object_type=Group,
+                request=request,
+                user=None,
+                group_id=group_id,
+                **self.user_info,
+            )
+            for group_id in self.user_properties.setdefault("groups", [])
+        }
+        del self.user_properties["groups"]
 
     def get_action(self, **kwargs) -> tuple[Action, UserSourceConnection | None]:  # noqa: PLR0911
         """decide which action should be taken"""
-        new_connection = self.connection_type(source=self.source, identifier=self.identifier)
+        new_connection = self.user_connection_type(source=self.source, identifier=self.identifier)
         # When request is authenticated, always link
         if self.request.user.is_authenticated:
             new_connection.user = self.request.user
-            new_connection = self.update_connection(new_connection, **kwargs)
+            new_connection = self.update_user_connection(new_connection, **kwargs)
             return Action.LINK, new_connection
 
-        existing_connections = self.connection_type.objects.filter(
+        existing_connections = self.user_connection_type.objects.filter(
             source=self.source, identifier=self.identifier
         )
         if existing_connections.exists():
             connection = existing_connections.first()
-            return Action.AUTH, self.update_connection(connection, **kwargs)
+            return Action.AUTH, self.update_user_connection(connection, **kwargs)
         # No connection exists, but we match on identifier, so enroll
         if self.source.user_matching_mode == SourceUserMatchingModes.IDENTIFIER:
             # We don't save the connection here cause it doesn't have a user assigned yet
-            return Action.ENROLL, self.update_connection(new_connection, **kwargs)
+            return Action.ENROLL, self.update_user_connection(new_connection, **kwargs)
 
         # Check for existing users with matching attributes
         query = Q()
@@ -120,24 +156,24 @@ class SourceFlowManager:
             SourceUserMatchingModes.EMAIL_LINK,
             SourceUserMatchingModes.EMAIL_DENY,
         ]:
-            if not self.enroll_info.get("email", None):
+            if not self.user_properties.get("email", None):
-                self._logger.warning("Refusing to use none email", source=self.source)
+                self._logger.warning("Refusing to use none email")
                 return Action.DENY, None
-            query = Q(email__exact=self.enroll_info.get("email", None))
+            query = Q(email__exact=self.user_properties.get("email", None))
         if self.source.user_matching_mode in [
             SourceUserMatchingModes.USERNAME_LINK,
             SourceUserMatchingModes.USERNAME_DENY,
         ]:
-            if not self.enroll_info.get("username", None):
+            if not self.user_properties.get("username", None):
-                self._logger.warning("Refusing to use none username", source=self.source)
+                self._logger.warning("Refusing to use none username")
                 return Action.DENY, None
-            query = Q(username__exact=self.enroll_info.get("username", None))
+            query = Q(username__exact=self.user_properties.get("username", None))
         self._logger.debug("trying to link with existing user", query=query)
         matching_users = User.objects.filter(query)
         # No matching users, always enroll
         if not matching_users.exists():
             self._logger.debug("no matching users found, enrolling")
-            return Action.ENROLL, self.update_connection(new_connection, **kwargs)
+            return Action.ENROLL, self.update_user_connection(new_connection, **kwargs)
 
         user = matching_users.first()
         if self.source.user_matching_mode in [
@@ -145,7 +181,7 @@ class SourceFlowManager:
             SourceUserMatchingModes.USERNAME_LINK,
         ]:
             new_connection.user = user
-            new_connection = self.update_connection(new_connection, **kwargs)
+            new_connection = self.update_user_connection(new_connection, **kwargs)
             return Action.LINK, new_connection
         if self.source.user_matching_mode in [
             SourceUserMatchingModes.EMAIL_DENY,
@@ -156,10 +192,10 @@ class SourceFlowManager:
         # Should never get here as default enroll case is returned above.
         return Action.DENY, None  # pragma: no cover
 
-    def update_connection(
+    def update_user_connection(
         self, connection: UserSourceConnection, **kwargs
     ) -> UserSourceConnection:  # pragma: no cover
-        """Optionally make changes to the connection after it is looked up/created."""
+        """Optionally make changes to the user connection after it is looked up/created."""
         return connection
 
     def get_flow(self, **kwargs) -> HttpResponse:
@@ -212,28 +248,34 @@ class SourceFlowManager:
 
     def _prepare_flow(
         self,
-        flow: Flow,
+        flow: Flow | None,
         connection: UserSourceConnection,
         stages: list[StageView] | None = None,
-        **kwargs,
+        **flow_context,
     ) -> HttpResponse:
         """Prepare Authentication Plan, redirect user FlowExecutor"""
-        kwargs.update(
+        # Ensure redirect is carried through when user was trying to
+        # authorize application
+        final_redirect = self.request.session.get(SESSION_KEY_GET, {}).get(
+            NEXT_ARG_NAME, "authentik_core:if-user"
+        )
+        flow_context.update(
             {
                 # Since we authenticate the user by their token, they have no backend set
                 PLAN_CONTEXT_AUTHENTICATION_BACKEND: BACKEND_INBUILT,
                 PLAN_CONTEXT_SSO: True,
                 PLAN_CONTEXT_SOURCE: self.source,
                 PLAN_CONTEXT_SOURCES_CONNECTION: connection,
+                PLAN_CONTEXT_SOURCE_GROUPS: self.groups_properties,
             }
         )
-        kwargs.update(self.policy_context)
+        flow_context.update(self.policy_context)
         if SESSION_KEY_OVERRIDE_FLOW_TOKEN in self.request.session:
             token: FlowToken = self.request.session.get(SESSION_KEY_OVERRIDE_FLOW_TOKEN)
             self._logger.info("Replacing source flow with overridden flow", flow=token.flow.slug)
             plan = token.plan
             plan.context[PLAN_CONTEXT_IS_RESTORED] = token
-            plan.context.update(kwargs)
+            plan.context.update(flow_context)
             for stage in self.get_stages_to_append(flow):
                 plan.append_stage(stage)
             if stages:
@@ -252,8 +294,8 @@ class SourceFlowManager:
         final_redirect = self.request.session.get(SESSION_KEY_GET, {}).get(
             NEXT_ARG_NAME, "authentik_core:if-user"
         )
-        if PLAN_CONTEXT_REDIRECT not in kwargs:
+        if PLAN_CONTEXT_REDIRECT not in flow_context:
-            kwargs[PLAN_CONTEXT_REDIRECT] = final_redirect
+            flow_context[PLAN_CONTEXT_REDIRECT] = final_redirect
 
         if not flow:
             return bad_request_message(
@@ -265,9 +307,12 @@ class SourceFlowManager:
         # We append some stages so the initial flow we get might be empty
         planner.allow_empty_flows = True
         planner.use_cache = False
-        plan = planner.plan(self.request, kwargs)
+        plan = planner.plan(self.request, flow_context)
         for stage in self.get_stages_to_append(flow):
             plan.append_stage(stage)
+        plan.append_stage(
+            in_memory_stage(GroupUpdateStage, group_connection_type=self.group_connection_type)
+        )
         if stages:
             for stage in stages:
                 plan.append_stage(stage)
@@ -309,7 +354,9 @@ class SourceFlowManager:
         # When request isn't authenticated we jump straight to auth
         if not self.request.user.is_authenticated:
             return self.handle_auth(connection)
-        # Connection has already been saved
+        if SESSION_KEY_OVERRIDE_FLOW_TOKEN in self.request.session:
+            return self._prepare_flow(None, connection)
+        connection.save()
         Event.new(
             EventAction.SOURCE_LINKED,
             message="Linked Source",
@@ -352,7 +399,123 @@ class SourceFlowManager:
                 )
             ],
             **{
-                PLAN_CONTEXT_PROMPT: delete_none_values(self.enroll_info),
+                PLAN_CONTEXT_PROMPT: delete_none_values(self.user_properties),
                 PLAN_CONTEXT_USER_PATH: self.source.get_user_path(),
             },
         )
+
+
+class GroupUpdateStage(StageView):
+    """Dynamically injected stage which updates the user after enrollment/authentication."""
+
+    def get_action(
+        self, group_id: str, group_properties: dict[str, Any | dict[str, Any]]
+    ) -> tuple[Action, GroupSourceConnection | None]:
+        """decide which action should be taken"""
+        new_connection = self.group_connection_type(source=self.source, identifier=group_id)
+
+        existing_connections = self.group_connection_type.objects.filter(
+            source=self.source, identifier=group_id
+        )
+        if existing_connections.exists():
+            return Action.LINK, existing_connections.first()
+        # No connection exists, but we match on identifier, so enroll
+        if self.source.group_matching_mode == SourceGroupMatchingModes.IDENTIFIER:
+            # We don't save the connection here cause it doesn't have a user assigned yet
+            return Action.ENROLL, new_connection
+
+        # Check for existing groups with matching attributes
+        query = Q()
+        if self.source.group_matching_mode in [
+            SourceGroupMatchingModes.NAME_LINK,
+            SourceGroupMatchingModes.NAME_DENY,
+        ]:
+            if not group_properties.get("name", None):
+                LOGGER.warning(
+                    "Refusing to use none group name", source=self.source, group_id=group_id
+                )
+                return Action.DENY, None
+            query = Q(name__exact=group_properties.get("name"))
+        LOGGER.debug(
+            "trying to link with existing group", source=self.source, query=query, group_id=group_id
+        )
+        matching_groups = Group.objects.filter(query)
+        # No matching groups, always enroll
+        if not matching_groups.exists():
+            LOGGER.debug(
+                "no matching groups found, enrolling", source=self.source, group_id=group_id
+            )
+            return Action.ENROLL, new_connection
+
+        group = matching_groups.first()
+        if self.source.group_matching_mode in [
+            SourceGroupMatchingModes.NAME_LINK,
+        ]:
+            new_connection.group = group
+            return Action.LINK, new_connection
+        if self.source.group_matching_mode in [
+            SourceGroupMatchingModes.NAME_DENY,
+        ]:
+            LOGGER.info(
+                "denying source because group exists",
+                source=self.source,
+                group=group,
+                group_id=group_id,
+            )
+            return Action.DENY, None
+        # Should never get here as default enroll case is returned above.
+        return Action.DENY, None  # pragma: no cover
+
+    def handle_group(
+        self, group_id: str, group_properties: dict[str, Any | dict[str, Any]]
+    ) -> Group | None:
+        action, connection = self.get_action(group_id, group_properties)
+        if action == Action.ENROLL:
+            group = Group.objects.create(**group_properties)
+            connection.group = group
+            connection.save()
+            return group
+        elif action == Action.LINK:
+            group = connection.group
+            group.update_attributes(group_properties)
+            connection.save()
+            return group
+
+        return None
+
+    def handle_groups(self) -> bool:
+        self.source: Source = self.executor.plan.context[PLAN_CONTEXT_SOURCE]
+        self.user: User = self.executor.plan.context[PLAN_CONTEXT_PENDING_USER]
+        self.group_connection_type: GroupSourceConnection = (
+            self.executor.current_stage.group_connection_type
+        )
+
+        raw_groups: dict[str, dict[str, Any | dict[str, Any]]] = self.executor.plan.context[
+            PLAN_CONTEXT_SOURCE_GROUPS
+        ]
+        groups: list[Group] = []
+
+        for group_id, group_properties in raw_groups.items():
+            group = self.handle_group(group_id, group_properties)
+            if not group:
+                return False
+            groups.append(group)
+
+        with transaction.atomic():
+            self.user.ak_groups.remove(
+                *self.user.ak_groups.filter(groupsourceconnection__source=self.source)
+            )
+            self.user.ak_groups.add(*groups)
+
+        return True
+
+    def get(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
+        """Stage used after the user has been enrolled to sync their groups from source data"""
+        if self.handle_groups():
+            return self.executor.stage_ok()
+        else:
+            return self.executor.stage_invalid("Failed to update groups. Please try again later.")
+
+    def post(self, request: HttpRequest) -> HttpResponse:
+        """Wrapper for post requests"""
+        return self.get(request)

authentik/core/sources/mapper.py

@@ -0,0 +1,103 @@
+from typing import Any
+
+from django.http import HttpRequest
+from structlog.stdlib import get_logger
+
+from authentik.core.expression.exceptions import PropertyMappingExpressionException
+from authentik.core.models import Group, PropertyMapping, Source, User
+from authentik.events.models import Event, EventAction
+from authentik.lib.merge import MERGE_LIST_UNIQUE
+from authentik.lib.sync.mapper import PropertyMappingManager
+from authentik.policies.utils import delete_none_values
+
+LOGGER = get_logger()
+
+
+class SourceMapper:
+    def __init__(self, source: Source):
+        self.source = source
+
+    def get_manager(
+        self, object_type: type[User | Group], context_keys: list[str]
+    ) -> PropertyMappingManager:
+        """Get property mapping manager for this source."""
+
+        qs = PropertyMapping.objects.none()
+        if object_type == User:
+            qs = self.source.user_property_mappings.all().select_subclasses()
+        elif object_type == Group:
+            qs = self.source.group_property_mappings.all().select_subclasses()
+        qs = qs.order_by("name")
+        return PropertyMappingManager(
+            qs,
+            self.source.property_mapping_type,
+            ["source", "properties"] + context_keys,
+        )
+
+    def get_base_properties(
+        self, object_type: type[User | Group], **kwargs
+    ) -> dict[str, Any | dict[str, Any]]:
+        """Get base properties for a user or a group to build final properties upon."""
+        if object_type == User:
+            properties = self.source.get_base_user_properties(**kwargs)
+            properties.setdefault("path", self.source.get_user_path())
+            return properties
+        if object_type == Group:
+            return self.source.get_base_group_properties(**kwargs)
+        return {}
+
+    def build_object_properties(
+        self,
+        object_type: type[User | Group],
+        manager: "PropertyMappingManager | None" = None,
+        user: User | None = None,
+        request: HttpRequest | None = None,
+        **kwargs,
+    ) -> dict[str, Any | dict[str, Any]]:
+        """Build a user or group properties from the source configured property mappings."""
+
+        properties = self.get_base_properties(object_type, **kwargs)
+        if "attributes" not in properties:
+            properties["attributes"] = {}
+
+        if not manager:
+            manager = self.get_manager(object_type, list(kwargs.keys()))
+        evaluations = manager.iter_eval(
+            user=user,
+            request=request,
+            return_mapping=True,
+            source=self.source,
+            properties=properties,
+            **kwargs,
+        )
+        while True:
+            try:
+                value, mapping = next(evaluations)
+            except StopIteration:
+                break
+            except PropertyMappingExpressionException as exc:
+                Event.new(
+                    EventAction.CONFIGURATION_ERROR,
+                    message=f"Failed to evaluate property mapping: '{exc.mapping.name}'",
+                    source=self,
+                    mapping=exc.mapping,
+                ).save()
+                LOGGER.warning(
+                    "Mapping failed to evaluate",
+                    exc=exc,
+                    source=self,
+                    mapping=exc.mapping,
+                )
+                raise exc
+
+            if not value or not isinstance(value, dict):
+                LOGGER.debug(
+                    "Mapping evaluated to None or is not a dict. Skipping",
+                    source=self,
+                    mapping=mapping,
+                )
+                continue
+
+            MERGE_LIST_UNIQUE.merge(properties, value)
+
+        return delete_none_values(properties)

authentik/core/templates/base/header_js.html

@@ -10,7 +10,7 @@
         versionSubdomain: "{{ version_subdomain }}",
         build: "{{ build }}",
     };
-    window.addEventListener("DOMContentLoaded", () => {
+    window.addEventListener("DOMContentLoaded", function () {
         {% for message in messages %}
         window.dispatchEvent(
             new CustomEvent("ak-message", {

authentik/core/templates/base/skeleton.html

@@ -1,9 +1,10 @@
 {% load static %}
 {% load i18n %}
+{% load authentik_core %}
 
 <!DOCTYPE html>
 
-<html lang="en">
+<html>
     <head>
         <meta charset="UTF-8">
         <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
@@ -14,8 +15,8 @@
         {% endblock %}
         <link rel="stylesheet" type="text/css" href="{% static 'dist/authentik.css' %}">
         <link rel="stylesheet" type="text/css" href="{% static 'dist/custom.css' %}" data-inject>
-        <script src="{% static 'dist/poly.js' %}?version={{ version }}" type="module"></script>
+        {% versioned_script "dist/poly-%v.js" %}
-        <script src="{% static 'dist/standalone/loading/index.js' %}?version={{ version }}" type="module"></script>
+        {% versioned_script "dist/standalone/loading/index-%v.js" %}
         {% block head %}
         {% endblock %}
         <meta name="sentry-trace" content="{{ sentry_trace }}" />

authentik/core/templates/if/admin.html

@@ -1,9 +1,9 @@
 {% extends "base/skeleton.html" %}
 
-{% load static %}
+{% load authentik_core %}
 
 {% block head %}
-<script src="{% static 'dist/admin/AdminInterface.js' %}?version={{ version }}" type="module"></script>
+{% versioned_script "dist/admin/AdminInterface-%v.js" %}
 <meta name="theme-color" content="#18191a" media="(prefers-color-scheme: dark)">
 <meta name="theme-color" content="#ffffff" media="(prefers-color-scheme: light)">
 {% include "base/header_js.html" %}

authentik/core/templates/if/user.html

@@ -1,9 +1,9 @@
 {% extends "base/skeleton.html" %}
 
-{% load static %}
+{% load authentik_core %}
 
 {% block head %}
-<script src="{% static 'dist/user/UserInterface.js' %}?version={{ version }}" type="module"></script>
+{% versioned_script "dist/user/UserInterface-%v.js" %}
 <meta name="theme-color" content="#1c1e21" media="(prefers-color-scheme: light)">
 <meta name="theme-color" content="#1c1e21" media="(prefers-color-scheme: dark)">
 {% include "base/header_js.html" %}

authentik/core/templates/login/base_full.html

@@ -71,9 +71,9 @@
                 </li>
                 {% endfor %}
                 <li>
-                    <a href="https://goauthentik.io?utm_source=authentik">
+                    <span>
                         {% trans 'Powered by authentik' %}
-                    </a>
+                    </span>
                 </li>
             </ul>
         </footer>

authentik/core/templatetags/authentik_core.py

@@ -0,0 +1,21 @@
+"""authentik core tags"""
+
+from django import template
+from django.templatetags.static import static as static_loader
+from django.utils.safestring import mark_safe
+
+from authentik import get_full_version
+
+register = template.Library()
+
+
+@register.simple_tag()
+def versioned_script(path: str) -> str:
+    """Wrapper around {% static %} tag that supports setting the version"""
+    returned_lines = [
+        (
+            f'<script src="{static_loader(path.replace("%v", get_full_version()))}'
+            '" type="module"></script>'
+        ),
+    ]
+    return mark_safe("".join(returned_lines))  # nosec

authentik/core/tests/test_groups_api.py

@@ -23,6 +23,17 @@ class TestGroupsAPI(APITestCase):
         response = self.client.get(reverse("authentik_api:group-list"), {"include_users": "true"})
         self.assertEqual(response.status_code, 200)
 
+    def test_retrieve_with_users(self):
+        """Test retrieve with users"""
+        admin = create_test_admin_user()
+        group = Group.objects.create(name=generate_id())
+        self.client.force_login(admin)
+        response = self.client.get(
+            reverse("authentik_api:group-detail", kwargs={"pk": group.pk}),
+            {"include_users": "true"},
+        )
+        self.assertEqual(response.status_code, 200)
+
     def test_add_user(self):
         """Test add_user"""
         group = Group.objects.create(name=generate_id())

authentik/core/tests/test_models.py

@@ -1,14 +1,14 @@
 """authentik core models tests"""
 
 from collections.abc import Callable
-from time import sleep
+from datetime import timedelta
 
 from django.test import RequestFactory, TestCase
 from django.utils.timezone import now
+from freezegun import freeze_time
 from guardian.shortcuts import get_anonymous_user
 
 from authentik.core.models import Provider, Source, Token
-from authentik.flows.models import Stage
 from authentik.lib.utils.reflection import all_subclasses
 
 
@@ -17,18 +17,20 @@ class TestModels(TestCase):
 
     def test_token_expire(self):
         """Test token expiring"""
-        token = Token.objects.create(expires=now(), user=get_anonymous_user())
+        with freeze_time() as freeze:
-        sleep(0.5)
+            token = Token.objects.create(expires=now(), user=get_anonymous_user())
-        self.assertTrue(token.is_expired)
+            freeze.tick(timedelta(seconds=1))
+            self.assertTrue(token.is_expired)
 
     def test_token_expire_no_expire(self):
         """Test token expiring with "expiring" set"""
-        token = Token.objects.create(expires=now(), user=get_anonymous_user(), expiring=False)
+        with freeze_time() as freeze:
-        sleep(0.5)
+            token = Token.objects.create(expires=now(), user=get_anonymous_user(), expiring=False)
-        self.assertFalse(token.is_expired)
+            freeze.tick(timedelta(seconds=1))
+            self.assertFalse(token.is_expired)
 
 
-def source_tester_factory(test_model: type[Stage]) -> Callable:
+def source_tester_factory(test_model: type[Source]) -> Callable:
     """Test source"""
 
     factory = RequestFactory()
@@ -36,19 +38,19 @@ def source_tester_factory(test_model: type[Stage]) -> Callable:
 
     def tester(self: TestModels):
         model_class = None
-        if test_model._meta.abstract:  # pragma: no cover
+        if test_model._meta.abstract:
-            model_class = test_model.__bases__[0]()
+            model_class = [x for x in test_model.__bases__ if issubclass(x, Source)][0]()
         else:
             model_class = test_model()
         model_class.slug = "test"
         self.assertIsNotNone(model_class.component)
-        _ = model_class.ui_login_button(request)
+        model_class.ui_login_button(request)
-        _ = model_class.ui_user_settings()
+        model_class.ui_user_settings()
 
     return tester
 
 
-def provider_tester_factory(test_model: type[Stage]) -> Callable:
+def provider_tester_factory(test_model: type[Provider]) -> Callable:
     """Test provider"""
 
     def tester(self: TestModels):

authentik/core/tests/test_property_mapping.py

@@ -3,7 +3,10 @@
 from django.test import RequestFactory, TestCase
 from guardian.shortcuts import get_anonymous_user
 
-from authentik.core.exceptions import PropertyMappingExpressionException
+from authentik.core.expression.exceptions import (
+    PropertyMappingExpressionException,
+    SkipObjectException,
+)
 from authentik.core.models import PropertyMapping
 from authentik.core.tests.utils import create_test_admin_user
 from authentik.events.models import Event, EventAction
@@ -42,6 +45,17 @@ class TestPropertyMappings(TestCase):
         self.assertTrue(events.exists())
         self.assertEqual(len(events), 1)
 
+    def test_expression_skip(self):
+        """Test expression error"""
+        expr = "raise SkipObject"
+        mapping = PropertyMapping.objects.create(name=generate_id(), expression=expr)
+        with self.assertRaises(SkipObjectException):
+            mapping.evaluate(None, None)
+        events = Event.objects.filter(
+            action=EventAction.PROPERTY_MAPPING_EXCEPTION, context__expression=expr
+        )
+        self.assertFalse(events.exists())
+
     def test_expression_error_extended(self):
         """Test expression error (with user and http request"""
         expr = "return aaa"
@@ -66,14 +80,11 @@ class TestPropertyMappings(TestCase):
             expression="return request.http_request.path",
         )
         http_request = self.factory.get("/")
-        tmpl = (
+        tmpl = f"""
-            """
+        res = ak_call_policy('{expr.name}')
-        res = ak_call_policy('%s')
         result = [request.http_request.path, res.raw_result]
         return result
         """
-            % expr.name
-        )
         evaluator = PropertyMapping(expression=tmpl, name=generate_id())
         res = evaluator.evaluate(self.user, http_request)
         self.assertEqual(res, ["/", "/"])

authentik/core/tests/test_property_mapping_api.py

@@ -6,9 +6,10 @@ from django.urls import reverse
 from rest_framework.serializers import ValidationError
 from rest_framework.test import APITestCase
 
-from authentik.core.api.propertymappings import PropertyMappingSerializer
+from authentik.core.api.property_mappings import PropertyMappingSerializer
-from authentik.core.models import PropertyMapping
+from authentik.core.models import Group, PropertyMapping
 from authentik.core.tests.utils import create_test_admin_user
+from authentik.lib.generators import generate_id
 
 
 class TestPropertyMappingAPI(APITestCase):
@@ -16,23 +17,40 @@ class TestPropertyMappingAPI(APITestCase):
 
     def setUp(self) -> None:
         super().setUp()
-        self.mapping = PropertyMapping.objects.create(
-            name="dummy", expression="""return {'foo': 'bar'}"""
-        )
         self.user = create_test_admin_user()
         self.client.force_login(self.user)
 
     def test_test_call(self):
-        """Test PropertMappings's test endpoint"""
+        """Test PropertyMappings's test endpoint"""
+        mapping = PropertyMapping.objects.create(
+            name="dummy", expression="""return {'foo': 'bar', 'baz': user.username}"""
+        )
         response = self.client.post(
-            reverse("authentik_api:propertymapping-test", kwargs={"pk": self.mapping.pk}),
+            reverse("authentik_api:propertymapping-test", kwargs={"pk": mapping.pk}),
             data={
                 "user": self.user.pk,
             },
         )
         self.assertJSONEqual(
             response.content.decode(),
-            {"result": dumps({"foo": "bar"}), "successful": True},
+            {"result": dumps({"foo": "bar", "baz": self.user.username}), "successful": True},
+        )
+
+    def test_test_call_group(self):
+        """Test PropertyMappings's test endpoint"""
+        mapping = PropertyMapping.objects.create(
+            name="dummy", expression="""return {'foo': 'bar', 'baz': group.name}"""
+        )
+        group = Group.objects.create(name=generate_id())
+        response = self.client.post(
+            reverse("authentik_api:propertymapping-test", kwargs={"pk": mapping.pk}),
+            data={
+                "group": group.pk,
+            },
+        )
+        self.assertJSONEqual(
+            response.content.decode(),
+            {"result": dumps({"foo": "bar", "baz": group.name}), "successful": True},
         )
 
     def test_validate(self):

authentik/core/tests/test_source_flow_manager.py

@@ -38,7 +38,9 @@ class TestSourceFlowManager(TestCase):
     def test_unauthenticated_enroll(self):
         """Test un-authenticated user enrolling"""
         request = get_request("/", user=AnonymousUser())
-        flow_manager = OAuthSourceFlowManager(self.source, request, self.identifier, {})
+        flow_manager = OAuthSourceFlowManager(
+            self.source, request, self.identifier, {"info": {}}, {}
+        )
         action, _ = flow_manager.get_action()
         self.assertEqual(action, Action.ENROLL)
         response = flow_manager.get_flow()
@@ -52,7 +54,9 @@ class TestSourceFlowManager(TestCase):
             user=get_anonymous_user(), source=self.source, identifier=self.identifier
         )
         request = get_request("/", user=AnonymousUser())
-        flow_manager = OAuthSourceFlowManager(self.source, request, self.identifier, {})
+        flow_manager = OAuthSourceFlowManager(
+            self.source, request, self.identifier, {"info": {}}, {}
+        )
         action, _ = flow_manager.get_action()
         self.assertEqual(action, Action.AUTH)
         response = flow_manager.get_flow()
@@ -64,7 +68,9 @@ class TestSourceFlowManager(TestCase):
         """Test authenticated user linking"""
         user = User.objects.create(username="foo", email="foo@bar.baz")
         request = get_request("/", user=user)
-        flow_manager = OAuthSourceFlowManager(self.source, request, self.identifier, {})
+        flow_manager = OAuthSourceFlowManager(
+            self.source, request, self.identifier, {"info": {}}, {}
+        )
         action, connection = flow_manager.get_action()
         self.assertEqual(action, Action.LINK)
         self.assertIsNone(connection.pk)
@@ -77,7 +83,9 @@ class TestSourceFlowManager(TestCase):
 
     def test_unauthenticated_link(self):
         """Test un-authenticated user linking"""
-        flow_manager = OAuthSourceFlowManager(self.source, get_request("/"), self.identifier, {})
+        flow_manager = OAuthSourceFlowManager(
+            self.source, get_request("/"), self.identifier, {"info": {}}, {}
+        )
         action, connection = flow_manager.get_action()
         self.assertEqual(action, Action.LINK)
         self.assertIsNone(connection.pk)
@@ -90,7 +98,7 @@ class TestSourceFlowManager(TestCase):
 
         # Without email, deny
         flow_manager = OAuthSourceFlowManager(
-            self.source, get_request("/", user=AnonymousUser()), self.identifier, {}
+            self.source, get_request("/", user=AnonymousUser()), self.identifier, {"info": {}}, {}
         )
         action, _ = flow_manager.get_action()
         self.assertEqual(action, Action.DENY)
@@ -100,7 +108,12 @@ class TestSourceFlowManager(TestCase):
             self.source,
             get_request("/", user=AnonymousUser()),
             self.identifier,
-            {"email": "foo@bar.baz"},
+            {
+                "info": {
+                    "email": "foo@bar.baz",
+                },
+            },
+            {},
         )
         action, _ = flow_manager.get_action()
         self.assertEqual(action, Action.LINK)
@@ -113,7 +126,7 @@ class TestSourceFlowManager(TestCase):
 
         # Without username, deny
         flow_manager = OAuthSourceFlowManager(
-            self.source, get_request("/", user=AnonymousUser()), self.identifier, {}
+            self.source, get_request("/", user=AnonymousUser()), self.identifier, {"info": {}}, {}
         )
         action, _ = flow_manager.get_action()
         self.assertEqual(action, Action.DENY)
@@ -123,7 +136,10 @@ class TestSourceFlowManager(TestCase):
             self.source,
             get_request("/", user=AnonymousUser()),
             self.identifier,
-            {"username": "foo"},
+            {
+                "info": {"username": "foo"},
+            },
+            {},
         )
         action, _ = flow_manager.get_action()
         self.assertEqual(action, Action.LINK)
@@ -140,8 +156,11 @@ class TestSourceFlowManager(TestCase):
             get_request("/", user=AnonymousUser()),
             self.identifier,
             {
-                "username": "bar",
+                "info": {
+                    "username": "bar",
+                },
             },
+            {},
         )
         action, _ = flow_manager.get_action()
         self.assertEqual(action, Action.ENROLL)
@@ -151,7 +170,10 @@ class TestSourceFlowManager(TestCase):
             self.source,
             get_request("/", user=AnonymousUser()),
             self.identifier,
-            {"username": "foo"},
+            {
+                "info": {"username": "foo"},
+            },
+            {},
         )
         action, _ = flow_manager.get_action()
         self.assertEqual(action, Action.DENY)
@@ -165,7 +187,10 @@ class TestSourceFlowManager(TestCase):
             self.source,
             get_request("/", user=AnonymousUser()),
             self.identifier,
-            {"username": "foo"},
+            {
+                "info": {"username": "foo"},
+            },
+            {},
         )
         action, _ = flow_manager.get_action()
         self.assertEqual(action, Action.ENROLL)
@@ -191,7 +216,10 @@ class TestSourceFlowManager(TestCase):
             self.source,
             get_request("/", user=AnonymousUser()),
             self.identifier,
-            {"username": "foo"},
+            {
+                "info": {"username": "foo"},
+            },
+            {},
         )
         action, _ = flow_manager.get_action()
         self.assertEqual(action, Action.ENROLL)

authentik/core/tests/test_source_flow_manager_group_update_stage.py

@@ -0,0 +1,237 @@
+"""Test Source flow_manager group update stage"""
+
+from django.test import RequestFactory
+
+from authentik.core.models import Group, SourceGroupMatchingModes
+from authentik.core.sources.flow_manager import PLAN_CONTEXT_SOURCE_GROUPS, GroupUpdateStage
+from authentik.core.tests.utils import create_test_admin_user, create_test_flow
+from authentik.flows.models import in_memory_stage
+from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER, PLAN_CONTEXT_SOURCE, FlowPlan
+from authentik.flows.tests import FlowTestCase
+from authentik.flows.views.executor import FlowExecutorView
+from authentik.lib.generators import generate_id
+from authentik.sources.oauth.models import GroupOAuthSourceConnection, OAuthSource
+
+
+class TestSourceFlowManager(FlowTestCase):
+    """Test Source flow_manager group update stage"""
+
+    def setUp(self) -> None:
+        super().setUp()
+        self.factory = RequestFactory()
+        self.authentication_flow = create_test_flow()
+        self.enrollment_flow = create_test_flow()
+        self.source: OAuthSource = OAuthSource.objects.create(
+            name=generate_id(),
+            slug=generate_id(),
+            authentication_flow=self.authentication_flow,
+            enrollment_flow=self.enrollment_flow,
+        )
+        self.identifier = generate_id()
+        self.user = create_test_admin_user()
+
+    def test_nonexistant_group(self):
+        request = self.factory.get("/")
+        stage = GroupUpdateStage(
+            FlowExecutorView(
+                current_stage=in_memory_stage(
+                    GroupUpdateStage, group_connection_type=GroupOAuthSourceConnection
+                ),
+                plan=FlowPlan(
+                    flow_pk=generate_id(),
+                    context={
+                        PLAN_CONTEXT_SOURCE: self.source,
+                        PLAN_CONTEXT_PENDING_USER: self.user,
+                        PLAN_CONTEXT_SOURCE_GROUPS: {
+                            "group 1": {
+                                "name": "group 1",
+                            },
+                        },
+                    },
+                ),
+            ),
+            request=request,
+        )
+        self.assertTrue(stage.handle_groups())
+        self.assertTrue(Group.objects.filter(name="group 1").exists())
+        self.assertTrue(self.user.ak_groups.filter(name="group 1").exists())
+        self.assertTrue(
+            GroupOAuthSourceConnection.objects.filter(
+                group=Group.objects.get(name="group 1"), source=self.source
+            ).exists()
+        )
+
+    def test_nonexistant_group_name_link(self):
+        self.source.group_matching_mode = SourceGroupMatchingModes.NAME_LINK
+        self.source.save()
+
+        request = self.factory.get("/")
+        stage = GroupUpdateStage(
+            FlowExecutorView(
+                current_stage=in_memory_stage(
+                    GroupUpdateStage, group_connection_type=GroupOAuthSourceConnection
+                ),
+                plan=FlowPlan(
+                    flow_pk=generate_id(),
+                    context={
+                        PLAN_CONTEXT_SOURCE: self.source,
+                        PLAN_CONTEXT_PENDING_USER: self.user,
+                        PLAN_CONTEXT_SOURCE_GROUPS: {
+                            "group 1": {
+                                "name": "group 1",
+                            },
+                        },
+                    },
+                ),
+            ),
+            request=request,
+        )
+        self.assertTrue(stage.handle_groups())
+        self.assertTrue(Group.objects.filter(name="group 1").exists())
+        self.assertTrue(self.user.ak_groups.filter(name="group 1").exists())
+        self.assertTrue(
+            GroupOAuthSourceConnection.objects.filter(
+                group=Group.objects.get(name="group 1"), source=self.source
+            ).exists()
+        )
+
+    def test_existant_group_name_link(self):
+        self.source.group_matching_mode = SourceGroupMatchingModes.NAME_LINK
+        self.source.save()
+        group = Group.objects.create(name="group 1")
+
+        request = self.factory.get("/")
+        stage = GroupUpdateStage(
+            FlowExecutorView(
+                current_stage=in_memory_stage(
+                    GroupUpdateStage, group_connection_type=GroupOAuthSourceConnection
+                ),
+                plan=FlowPlan(
+                    flow_pk=generate_id(),
+                    context={
+                        PLAN_CONTEXT_SOURCE: self.source,
+                        PLAN_CONTEXT_PENDING_USER: self.user,
+                        PLAN_CONTEXT_SOURCE_GROUPS: {
+                            "group 1": {
+                                "name": "group 1",
+                            },
+                        },
+                    },
+                ),
+            ),
+            request=request,
+        )
+        self.assertTrue(stage.handle_groups())
+        self.assertTrue(Group.objects.filter(name="group 1").exists())
+        self.assertTrue(self.user.ak_groups.filter(name="group 1").exists())
+        self.assertTrue(
+            GroupOAuthSourceConnection.objects.filter(group=group, source=self.source).exists()
+        )
+
+    def test_nonexistant_group_name_deny(self):
+        self.source.group_matching_mode = SourceGroupMatchingModes.NAME_DENY
+        self.source.save()
+
+        request = self.factory.get("/")
+        stage = GroupUpdateStage(
+            FlowExecutorView(
+                current_stage=in_memory_stage(
+                    GroupUpdateStage, group_connection_type=GroupOAuthSourceConnection
+                ),
+                plan=FlowPlan(
+                    flow_pk=generate_id(),
+                    context={
+                        PLAN_CONTEXT_SOURCE: self.source,
+                        PLAN_CONTEXT_PENDING_USER: self.user,
+                        PLAN_CONTEXT_SOURCE_GROUPS: {
+                            "group 1": {
+                                "name": "group 1",
+                            },
+                        },
+                    },
+                ),
+            ),
+            request=request,
+        )
+        self.assertTrue(stage.handle_groups())
+        self.assertTrue(Group.objects.filter(name="group 1").exists())
+        self.assertTrue(self.user.ak_groups.filter(name="group 1").exists())
+        self.assertTrue(
+            GroupOAuthSourceConnection.objects.filter(
+                group=Group.objects.get(name="group 1"), source=self.source
+            ).exists()
+        )
+
+    def test_existant_group_name_deny(self):
+        self.source.group_matching_mode = SourceGroupMatchingModes.NAME_DENY
+        self.source.save()
+        group = Group.objects.create(name="group 1")
+
+        request = self.factory.get("/")
+        stage = GroupUpdateStage(
+            FlowExecutorView(
+                current_stage=in_memory_stage(
+                    GroupUpdateStage, group_connection_type=GroupOAuthSourceConnection
+                ),
+                plan=FlowPlan(
+                    flow_pk=generate_id(),
+                    context={
+                        PLAN_CONTEXT_SOURCE: self.source,
+                        PLAN_CONTEXT_PENDING_USER: self.user,
+                        PLAN_CONTEXT_SOURCE_GROUPS: {
+                            "group 1": {
+                                "name": "group 1",
+                            },
+                        },
+                    },
+                ),
+            ),
+            request=request,
+        )
+        self.assertFalse(stage.handle_groups())
+        self.assertFalse(self.user.ak_groups.filter(name="group 1").exists())
+        self.assertFalse(
+            GroupOAuthSourceConnection.objects.filter(group=group, source=self.source).exists()
+        )
+
+    def test_group_updates(self):
+        self.source.group_matching_mode = SourceGroupMatchingModes.NAME_LINK
+        self.source.save()
+
+        other_group = Group.objects.create(name="other group")
+        old_group = Group.objects.create(name="old group")
+        new_group = Group.objects.create(name="new group")
+        self.user.ak_groups.set([other_group, old_group])
+        GroupOAuthSourceConnection.objects.create(
+            group=old_group, source=self.source, identifier=old_group.name
+        )
+        GroupOAuthSourceConnection.objects.create(
+            group=new_group, source=self.source, identifier=new_group.name
+        )
+
+        request = self.factory.get("/")
+        stage = GroupUpdateStage(
+            FlowExecutorView(
+                current_stage=in_memory_stage(
+                    GroupUpdateStage, group_connection_type=GroupOAuthSourceConnection
+                ),
+                plan=FlowPlan(
+                    flow_pk=generate_id(),
+                    context={
+                        PLAN_CONTEXT_SOURCE: self.source,
+                        PLAN_CONTEXT_PENDING_USER: self.user,
+                        PLAN_CONTEXT_SOURCE_GROUPS: {
+                            "new group": {
+                                "name": "new group",
+                            },
+                        },
+                    },
+                ),
+            ),
+            request=request,
+        )
+        self.assertTrue(stage.handle_groups())
+        self.assertFalse(self.user.ak_groups.filter(name="old group").exists())
+        self.assertTrue(self.user.ak_groups.filter(name="other group").exists())
+        self.assertTrue(self.user.ak_groups.filter(name="new group").exists())
+        self.assertEqual(self.user.ak_groups.count(), 2)

authentik/core/tests/test_source_property_mappings.py

@@ -0,0 +1,72 @@
+"""Test Source Property mappings"""
+
+from django.test import TestCase
+
+from authentik.core.models import Group, PropertyMapping, Source, User
+from authentik.core.sources.mapper import SourceMapper
+from authentik.lib.generators import generate_id
+
+
+class ProxySource(Source):
+    @property
+    def property_mapping_type(self):
+        return PropertyMapping
+
+    def get_base_user_properties(self, **kwargs):
+        return {
+            "username": kwargs.get("username", None),
+            "email": kwargs.get("email", "default@authentik"),
+        }
+
+    def get_base_group_properties(self, **kwargs):
+        return {"name": kwargs.get("name", None)}
+
+    class Meta:
+        proxy = True
+
+
+class TestSourcePropertyMappings(TestCase):
+    """Test Source PropertyMappings"""
+
+    def test_base_properties(self):
+        source = ProxySource.objects.create(name=generate_id(), slug=generate_id(), enabled=True)
+        mapper = SourceMapper(source)
+
+        user_base_properties = mapper.get_base_properties(User, username="test1")
+        self.assertEqual(
+            user_base_properties,
+            {
+                "username": "test1",
+                "email": "default@authentik",
+                "path": f"goauthentik.io/sources/{source.slug}",
+            },
+        )
+
+        group_base_properties = mapper.get_base_properties(Group)
+        self.assertEqual(group_base_properties, {"name": None})
+
+    def test_build_properties(self):
+        source = ProxySource.objects.create(name=generate_id(), slug=generate_id(), enabled=True)
+        mapper = SourceMapper(source)
+
+        source.user_property_mappings.add(
+            PropertyMapping.objects.create(
+                name=generate_id(),
+                expression="""
+                    return {"username": data.get("username", None), "email": None}
+                """,
+            )
+        )
+
+        properties = mapper.build_object_properties(
+            object_type=User, user=None, request=None, username="test1", data={"username": "test2"}
+        )
+
+        self.assertEqual(
+            properties,
+            {
+                "username": "test2",
+                "path": f"goauthentik.io/sources/{source.slug}",
+                "attributes": {},
+            },
+        )

authentik/core/tests/test_users_avatars.py

@@ -42,8 +42,8 @@ class TestUsersAvatars(APITestCase):
         with Mocker() as mocker:
             mocker.head(
                 (
-                    "https://secure.gravatar.com/avatar/84730f9c1851d1ea03f1a"
+                    "https://www.gravatar.com/avatar/76eb3c74c8beb6faa037f1b6e2ecb3e252bdac"
-                    "a9ed85bd1ea?size=158&rating=g&default=404"
+                    "6cf71fb567ae36025a9d4ea86b?size=158&rating=g&default=404"
                 ),
                 text="foo",
             )

authentik/core/urls.py

@@ -6,22 +6,26 @@ from django.conf import settings
 from django.contrib.auth.decorators import login_required
 from django.urls import path
 from django.views.decorators.csrf import ensure_csrf_cookie
-from django.views.generic import RedirectView
 
 from authentik.core.api.applications import ApplicationViewSet
 from authentik.core.api.authenticated_sessions import AuthenticatedSessionViewSet
 from authentik.core.api.devices import AdminDeviceViewSet, DeviceViewSet
 from authentik.core.api.groups import GroupViewSet
-from authentik.core.api.propertymappings import PropertyMappingViewSet
+from authentik.core.api.property_mappings import PropertyMappingViewSet
 from authentik.core.api.providers import ProviderViewSet
 from authentik.core.api.sources import SourceViewSet, UserSourceConnectionViewSet
 from authentik.core.api.tokens import TokenViewSet
 from authentik.core.api.transactional_applications import TransactionalApplicationView
 from authentik.core.api.users import UserViewSet
-from authentik.core.views import apps
+from authentik.core.views.apps import RedirectToAppLaunch
 from authentik.core.views.debug import AccessDeniedView
-from authentik.core.views.interface import FlowInterfaceView, InterfaceView
+from authentik.core.views.interface import (
+    BrandDefaultRedirectView,
+    InterfaceView,
+    RootRedirectView,
+)
 from authentik.core.views.session import EndSessionView
+from authentik.flows.views.interface import FlowInterfaceView
 from authentik.root.asgi_middleware import SessionMiddleware
 from authentik.root.messages.consumer import MessageConsumer
 from authentik.root.middleware import ChannelsLoggingMiddleware
@@ -29,30 +33,30 @@ from authentik.root.middleware import ChannelsLoggingMiddleware
 urlpatterns = [
     path(
         "",
-        login_required(
+        login_required(RootRedirectView.as_view()),
-            RedirectView.as_view(pattern_name="authentik_core:if-user", query_string=True)
-        ),
         name="root-redirect",
     ),
     path(
-        # We have to use this format since everything else uses applications/o or applications/saml
+        # We have to use this format since everything else uses application/o or application/saml
         "application/launch/<slug:application_slug>/",
-        apps.RedirectToAppLaunch.as_view(),
+        RedirectToAppLaunch.as_view(),
         name="application-launch",
     ),
     # Interfaces
     path(
         "if/admin/",
-        ensure_csrf_cookie(InterfaceView.as_view(template_name="if/admin.html")),
+        ensure_csrf_cookie(BrandDefaultRedirectView.as_view(template_name="if/admin.html")),
         name="if-admin",
     ),
     path(
         "if/user/",
-        ensure_csrf_cookie(InterfaceView.as_view(template_name="if/user.html")),
+        ensure_csrf_cookie(BrandDefaultRedirectView.as_view(template_name="if/user.html")),
         name="if-user",
     ),
     path(
         "if/flow/<slug:flow_slug>/",
+        # FIXME: move this url to the flows app...also will cause all
+        # of the reverse calls to be adjusted
         ensure_csrf_cookie(FlowInterfaceView.as_view()),
         name="if-flow",
     ),

authentik/core/views/apps.py

@@ -8,7 +8,6 @@ from django.views import View
 from authentik.core.models import Application
 from authentik.flows.challenge import (
     ChallengeResponse,
-    ChallengeTypes,
     HttpChallengeResponse,
     RedirectChallenge,
 )
@@ -74,7 +73,6 @@ class RedirectToAppStage(ChallengeStageView):
             raise Http404
         return RedirectChallenge(
             instance={
-                "type": ChallengeTypes.REDIRECT.value,
                 "to": launch,
             }
         )

authentik/core/views/interface.py

@@ -3,15 +3,42 @@
 from json import dumps
 from typing import Any
 
-from django.shortcuts import get_object_or_404
+from django.http import HttpRequest
-from django.views.generic.base import TemplateView
+from django.http.response import HttpResponse
+from django.shortcuts import redirect
+from django.utils.translation import gettext as _
+from django.views.generic.base import RedirectView, TemplateView
 from rest_framework.request import Request
 
 from authentik import get_build_hash
 from authentik.admin.tasks import LOCAL_VERSION
 from authentik.api.v3.config import ConfigView
 from authentik.brands.api import CurrentBrandSerializer
-from authentik.flows.models import Flow
+from authentik.brands.models import Brand
+from authentik.core.models import UserTypes
+from authentik.policies.denied import AccessDeniedResponse
+
+
+class RootRedirectView(RedirectView):
+    """Root redirect view, redirect to brand's default application if set"""
+
+    pattern_name = "authentik_core:if-user"
+    query_string = True
+
+    def redirect_to_app(self, request: HttpRequest):
+        if request.user.is_authenticated and request.user.type == UserTypes.EXTERNAL:
+            brand: Brand = request.brand
+            if brand.default_application:
+                return redirect(
+                    "authentik_core:application-launch",
+                    application_slug=brand.default_application.slug,
+                )
+        return None
+
+    def dispatch(self, request: HttpRequest, *args: Any, **kwargs: Any) -> HttpResponse:
+        if redirect_response := RootRedirectView().redirect_to_app(request):
+            return redirect_response
+        return super().dispatch(request, *args, **kwargs)
 
 
 class InterfaceView(TemplateView):
@@ -27,12 +54,18 @@ class InterfaceView(TemplateView):
         return super().get_context_data(**kwargs)
 
 
-class FlowInterfaceView(InterfaceView):
+class BrandDefaultRedirectView(InterfaceView):
-    """Flow interface"""
+    """By default redirect to default app"""
 
-    template_name = "if/flow.html"
+    def dispatch(self, request: HttpRequest, *args: Any, **kwargs: Any) -> HttpResponse:
-
+        if request.user.is_authenticated and request.user.type == UserTypes.EXTERNAL:
-    def get_context_data(self, **kwargs: Any) -> dict[str, Any]:
+            brand: Brand = request.brand
-        kwargs["flow"] = get_object_or_404(Flow, slug=self.kwargs.get("flow_slug"))
+            if brand.default_application:
-        kwargs["inspector"] = "inspector" in self.request.GET
+                return redirect(
-        return super().get_context_data(**kwargs)
+                    "authentik_core:application-launch",
+                    application_slug=brand.default_application.slug,
+                )
+            response = AccessDeniedResponse(self.request)
+            response.error_message = _("Interface can only be accessed by internal users.")
+            return response
+        return super().dispatch(request, *args, **kwargs)

authentik/crypto/api.py

@@ -24,19 +24,17 @@ from rest_framework.fields import (
 from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.request import Request
 from rest_framework.response import Response
-from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import ModelViewSet
 from structlog.stdlib import get_logger
 
 from authentik.api.authorization import SecretKeyFilter
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import PassiveSerializer
+from authentik.core.api.utils import ModelSerializer, PassiveSerializer
 from authentik.crypto.apps import MANAGED_KEY
 from authentik.crypto.builder import CertificateBuilder, PrivateKeyAlg
 from authentik.crypto.models import CertificateKeyPair
 from authentik.events.models import Event, EventAction
 from authentik.rbac.decorators import permission_required
-from authentik.rbac.filters import ObjectFilter
 
 LOGGER = get_logger()
 
@@ -267,7 +265,7 @@ class CertificateKeyPairViewSet(UsedByMixin, ModelViewSet):
         ],
         responses={200: CertificateDataSerializer(many=False)},
     )
-    @action(detail=True, pagination_class=None, filter_backends=[ObjectFilter])
+    @action(detail=True, pagination_class=None, filter_backends=[])
     def view_certificate(self, request: Request, pk: str) -> Response:
         """Return certificate-key pairs certificate and log access"""
         certificate: CertificateKeyPair = self.get_object()
@@ -297,7 +295,7 @@ class CertificateKeyPairViewSet(UsedByMixin, ModelViewSet):
         ],
         responses={200: CertificateDataSerializer(many=False)},
     )
-    @action(detail=True, pagination_class=None, filter_backends=[ObjectFilter])
+    @action(detail=True, pagination_class=None, filter_backends=[])
     def view_private_key(self, request: Request, pk: str) -> Response:
         """Return certificate-key pairs private key and log access"""
         certificate: CertificateKeyPair = self.get_object()

authentik/crypto/builder.py

@@ -76,7 +76,7 @@ class CertificateBuilder:
             .subject_name(
                 x509.Name(
                     [
-                        x509.NameAttribute(NameOID.COMMON_NAME, self.common_name),
+                        x509.NameAttribute(NameOID.COMMON_NAME, self.common_name[:64]),
                         x509.NameAttribute(NameOID.ORGANIZATION_NAME, "authentik"),
                         x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, "Self-signed"),
                     ]

authentik/crypto/models.py

@@ -92,7 +92,11 @@ class CertificateKeyPair(SerializerModel, ManagedModel, CreatedUpdatedModel):
     @property
     def kid(self):
         """Get Key ID used for JWKS"""
-        return md5(self.key_data.encode("utf-8")).hexdigest() if self.key_data else ""  # nosec
+        return (
+            md5(self.key_data.encode("utf-8"), usedforsecurity=False).hexdigest()
+            if self.key_data
+            else ""
+        )  # nosec
 
     def __str__(self) -> str:
         return f"Certificate-Key Pair {self.name}"

authentik/crypto/tests.py

@@ -214,46 +214,6 @@ class TestCrypto(APITestCase):
         self.assertEqual(200, response.status_code)
         self.assertIn("Content-Disposition", response)
 
-    def test_certificate_download_denied(self):
-        """Test certificate export (download)"""
-        self.client.logout()
-        keypair = create_test_cert()
-        response = self.client.get(
-            reverse(
-                "authentik_api:certificatekeypair-view-certificate",
-                kwargs={"pk": keypair.pk},
-            )
-        )
-        self.assertEqual(403, response.status_code)
-        response = self.client.get(
-            reverse(
-                "authentik_api:certificatekeypair-view-certificate",
-                kwargs={"pk": keypair.pk},
-            ),
-            data={"download": True},
-        )
-        self.assertEqual(403, response.status_code)
-
-    def test_private_key_download_denied(self):
-        """Test private_key export (download)"""
-        self.client.logout()
-        keypair = create_test_cert()
-        response = self.client.get(
-            reverse(
-                "authentik_api:certificatekeypair-view-private-key",
-                kwargs={"pk": keypair.pk},
-            )
-        )
-        self.assertEqual(403, response.status_code)
-        response = self.client.get(
-            reverse(
-                "authentik_api:certificatekeypair-view-private-key",
-                kwargs={"pk": keypair.pk},
-            ),
-            data={"download": True},
-        )
-        self.assertEqual(403, response.status_code)
-
     def test_used_by(self):
         """Test used_by endpoint"""
         self.client.force_login(create_test_admin_user())
@@ -281,31 +241,11 @@ class TestCrypto(APITestCase):
                     "model_name": "oauth2provider",
                     "pk": str(provider.pk),
                     "name": str(provider),
-                    "action": DeleteAction.SET_NULL.name,
+                    "action": DeleteAction.SET_NULL.value,
                 }
             ],
         )
 
-    def test_used_by_denied(self):
-        """Test used_by endpoint"""
-        self.client.logout()
-        keypair = create_test_cert()
-        OAuth2Provider.objects.create(
-            name=generate_id(),
-            client_id="test",
-            client_secret=generate_key(),
-            authorization_flow=create_test_flow(),
-            redirect_uris="http://localhost",
-            signing_key=keypair,
-        )
-        response = self.client.get(
-            reverse(
-                "authentik_api:certificatekeypair-used-by",
-                kwargs={"pk": keypair.pk},
-            )
-        )
-        self.assertEqual(403, response.status_code)
-
     def test_discovery(self):
         """Test certificate discovery"""
         name = generate_id()

authentik/enterprise/api.py

@@ -13,11 +13,10 @@ from rest_framework.fields import CharField, IntegerField
 from rest_framework.permissions import IsAuthenticated
 from rest_framework.request import Request
 from rest_framework.response import Response
-from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import ModelViewSet
 
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import PassiveSerializer
+from authentik.core.api.utils import ModelSerializer, PassiveSerializer
 from authentik.core.models import User, UserTypes
 from authentik.enterprise.license import LicenseKey, LicenseSummarySerializer
 from authentik.enterprise.models import License

authentik/enterprise/providers/google_workspace/api/groups.py

@@ -0,0 +1,47 @@
+"""GoogleWorkspaceProviderGroup API Views"""
+
+from rest_framework import mixins
+from rest_framework.viewsets import GenericViewSet
+
+from authentik.core.api.used_by import UsedByMixin
+from authentik.core.api.users import UserGroupSerializer
+from authentik.core.api.utils import ModelSerializer
+from authentik.enterprise.providers.google_workspace.models import GoogleWorkspaceProviderGroup
+from authentik.lib.sync.outgoing.api import OutgoingSyncConnectionCreateMixin
+
+
+class GoogleWorkspaceProviderGroupSerializer(ModelSerializer):
+    """GoogleWorkspaceProviderGroup Serializer"""
+
+    group_obj = UserGroupSerializer(source="group", read_only=True)
+
+    class Meta:
+
+        model = GoogleWorkspaceProviderGroup
+        fields = [
+            "id",
+            "google_id",
+            "group",
+            "group_obj",
+            "provider",
+            "attributes",
+        ]
+        extra_kwargs = {"attributes": {"read_only": True}}
+
+
+class GoogleWorkspaceProviderGroupViewSet(
+    mixins.CreateModelMixin,
+    OutgoingSyncConnectionCreateMixin,
+    mixins.RetrieveModelMixin,
+    mixins.DestroyModelMixin,
+    UsedByMixin,
+    mixins.ListModelMixin,
+    GenericViewSet,
+):
+    """GoogleWorkspaceProviderGroup Viewset"""
+
+    queryset = GoogleWorkspaceProviderGroup.objects.all().select_related("group")
+    serializer_class = GoogleWorkspaceProviderGroupSerializer
+    filterset_fields = ["provider__id", "group__name", "group__group_uuid"]
+    search_fields = ["provider__name", "group__name"]
+    ordering = ["group__name"]

authentik/enterprise/providers/google_workspace/api/property_mappings.py

@@ -0,0 +1,39 @@
+"""google Property mappings API Views"""
+
+from django_filters.filters import AllValuesMultipleFilter
+from django_filters.filterset import FilterSet
+from drf_spectacular.types import OpenApiTypes
+from drf_spectacular.utils import extend_schema_field
+from rest_framework.viewsets import ModelViewSet
+
+from authentik.core.api.property_mappings import PropertyMappingSerializer
+from authentik.core.api.used_by import UsedByMixin
+from authentik.enterprise.providers.google_workspace.models import GoogleWorkspaceProviderMapping
+
+
+class GoogleWorkspaceProviderMappingSerializer(PropertyMappingSerializer):
+    """GoogleWorkspaceProviderMapping Serializer"""
+
+    class Meta:
+        model = GoogleWorkspaceProviderMapping
+        fields = PropertyMappingSerializer.Meta.fields
+
+
+class GoogleWorkspaceProviderMappingFilter(FilterSet):
+    """Filter for GoogleWorkspaceProviderMapping"""
+
+    managed = extend_schema_field(OpenApiTypes.STR)(AllValuesMultipleFilter(field_name="managed"))
+
+    class Meta:
+        model = GoogleWorkspaceProviderMapping
+        fields = "__all__"
+
+
+class GoogleWorkspaceProviderMappingViewSet(UsedByMixin, ModelViewSet):
+    """GoogleWorkspaceProviderMapping Viewset"""
+
+    queryset = GoogleWorkspaceProviderMapping.objects.all()
+    serializer_class = GoogleWorkspaceProviderMappingSerializer
+    filterset_class = GoogleWorkspaceProviderMappingFilter
+    search_fields = ["name"]
+    ordering = ["name"]

authentik/enterprise/providers/google_workspace/api/providers.py

@@ -0,0 +1,54 @@
+"""Google Provider API Views"""
+
+from rest_framework.viewsets import ModelViewSet
+
+from authentik.core.api.providers import ProviderSerializer
+from authentik.core.api.used_by import UsedByMixin
+from authentik.enterprise.api import EnterpriseRequiredMixin
+from authentik.enterprise.providers.google_workspace.models import GoogleWorkspaceProvider
+from authentik.enterprise.providers.google_workspace.tasks import google_workspace_sync
+from authentik.lib.sync.outgoing.api import OutgoingSyncProviderStatusMixin
+
+
+class GoogleWorkspaceProviderSerializer(EnterpriseRequiredMixin, ProviderSerializer):
+    """GoogleWorkspaceProvider Serializer"""
+
+    class Meta:
+        model = GoogleWorkspaceProvider
+        fields = [
+            "pk",
+            "name",
+            "property_mappings",
+            "property_mappings_group",
+            "component",
+            "assigned_backchannel_application_slug",
+            "assigned_backchannel_application_name",
+            "verbose_name",
+            "verbose_name_plural",
+            "meta_model_name",
+            "delegated_subject",
+            "credentials",
+            "scopes",
+            "exclude_users_service_account",
+            "filter_group",
+            "user_delete_action",
+            "group_delete_action",
+            "default_group_email_domain",
+        ]
+        extra_kwargs = {}
+
+
+class GoogleWorkspaceProviderViewSet(OutgoingSyncProviderStatusMixin, UsedByMixin, ModelViewSet):
+    """GoogleWorkspaceProvider Viewset"""
+
+    queryset = GoogleWorkspaceProvider.objects.all()
+    serializer_class = GoogleWorkspaceProviderSerializer
+    filterset_fields = [
+        "name",
+        "exclude_users_service_account",
+        "delegated_subject",
+        "filter_group",
+    ]
+    search_fields = ["name"]
+    ordering = ["name"]
+    sync_single_task = google_workspace_sync

authentik/enterprise/providers/google_workspace/api/users.py

@@ -0,0 +1,47 @@
+"""GoogleWorkspaceProviderUser API Views"""
+
+from rest_framework import mixins
+from rest_framework.viewsets import GenericViewSet
+
+from authentik.core.api.groups import GroupMemberSerializer
+from authentik.core.api.used_by import UsedByMixin
+from authentik.core.api.utils import ModelSerializer
+from authentik.enterprise.providers.google_workspace.models import GoogleWorkspaceProviderUser
+from authentik.lib.sync.outgoing.api import OutgoingSyncConnectionCreateMixin
+
+
+class GoogleWorkspaceProviderUserSerializer(ModelSerializer):
+    """GoogleWorkspaceProviderUser Serializer"""
+
+    user_obj = GroupMemberSerializer(source="user", read_only=True)
+
+    class Meta:
+
+        model = GoogleWorkspaceProviderUser
+        fields = [
+            "id",
+            "google_id",
+            "user",
+            "user_obj",
+            "provider",
+            "attributes",
+        ]
+        extra_kwargs = {"attributes": {"read_only": True}}
+
+
+class GoogleWorkspaceProviderUserViewSet(
+    mixins.CreateModelMixin,
+    OutgoingSyncConnectionCreateMixin,
+    mixins.RetrieveModelMixin,
+    mixins.DestroyModelMixin,
+    UsedByMixin,
+    mixins.ListModelMixin,
+    GenericViewSet,
+):
+    """GoogleWorkspaceProviderUser Viewset"""
+
+    queryset = GoogleWorkspaceProviderUser.objects.all().select_related("user")
+    serializer_class = GoogleWorkspaceProviderUserSerializer
+    filterset_fields = ["provider__id", "user__username", "user__id"]
+    search_fields = ["provider__name", "user__username"]
+    ordering = ["user__username"]

authentik/enterprise/providers/google_workspace/apps.py

@@ -0,0 +1,9 @@
+from authentik.enterprise.apps import EnterpriseConfig
+
+
+class AuthentikEnterpriseProviderGoogleConfig(EnterpriseConfig):
+
+    name = "authentik.enterprise.providers.google_workspace"
+    label = "authentik_providers_google_workspace"
+    verbose_name = "authentik Enterprise.Providers.Google Workspace"
+    default = True

authentik/enterprise/providers/google_workspace/clients/base.py

@@ -0,0 +1,74 @@
+from django.db.models import Model
+from django.http import HttpResponseBadRequest, HttpResponseNotFound
+from google.auth.exceptions import GoogleAuthError, TransportError
+from googleapiclient.discovery import build
+from googleapiclient.errors import Error, HttpError
+from googleapiclient.http import HttpRequest
+from httplib2 import HttpLib2Error, HttpLib2ErrorWithResponse
+
+from authentik.enterprise.providers.google_workspace.models import GoogleWorkspaceProvider
+from authentik.lib.sync.outgoing import HTTP_CONFLICT
+from authentik.lib.sync.outgoing.base import BaseOutgoingSyncClient
+from authentik.lib.sync.outgoing.exceptions import (
+    BadRequestSyncException,
+    NotFoundSyncException,
+    ObjectExistsSyncException,
+    StopSync,
+    TransientSyncException,
+)
+
+
+class GoogleWorkspaceSyncClient[TModel: Model, TConnection: Model, TSchema: dict](
+    BaseOutgoingSyncClient[TModel, TConnection, TSchema, GoogleWorkspaceProvider]
+):
+    """Base client for syncing to google workspace"""
+
+    domains: list
+
+    def __init__(self, provider: GoogleWorkspaceProvider) -> None:
+        super().__init__(provider)
+        self.directory_service = build(
+            "admin",
+            "directory_v1",
+            cache_discovery=False,
+            **provider.google_credentials(),
+        )
+        self.__prefetch_domains()
+
+    def __prefetch_domains(self):
+        self.domains = []
+        domains = self._request(self.directory_service.domains().list(customer="my_customer"))
+        for domain in domains.get("domains", []):
+            domain_name = domain.get("domainName")
+            self.domains.append(domain_name)
+
+    def _request(self, request: HttpRequest):
+        try:
+            response = request.execute()
+        except GoogleAuthError as exc:
+            if isinstance(exc, TransportError):
+                raise TransientSyncException(f"Failed to send request: {str(exc)}") from exc
+            raise StopSync(exc) from exc
+        except HttpLib2Error as exc:
+            if isinstance(exc, HttpLib2ErrorWithResponse):
+                self._response_handle_status_code(request.body, exc.response.status, exc)
+            raise TransientSyncException(f"Failed to send request: {str(exc)}") from exc
+        except HttpError as exc:
+            self._response_handle_status_code(request.body, exc.status_code, exc)
+            raise TransientSyncException(f"Failed to send request: {str(exc)}") from exc
+        except Error as exc:
+            raise TransientSyncException(f"Failed to send request: {str(exc)}") from exc
+        return response
+
+    def _response_handle_status_code(self, request: dict, status_code: int, root_exc: Exception):
+        if status_code == HttpResponseNotFound.status_code:
+            raise NotFoundSyncException("Object not found") from root_exc
+        if status_code == HTTP_CONFLICT:
+            raise ObjectExistsSyncException("Object exists") from root_exc
+        if status_code == HttpResponseBadRequest.status_code:
+            raise BadRequestSyncException("Bad request", request) from root_exc
+
+    def check_email_valid(self, *emails: str):
+        for email in emails:
+            if not any(email.endswith(f"@{domain_name}") for domain_name in self.domains):
+                raise BadRequestSyncException(f"Invalid email domain: {email}")

authentik/enterprise/providers/google_workspace/clients/groups.py

@@ -0,0 +1,220 @@
+from django.db import transaction
+from django.utils.text import slugify
+
+from authentik.core.models import Group
+from authentik.enterprise.providers.google_workspace.clients.base import GoogleWorkspaceSyncClient
+from authentik.enterprise.providers.google_workspace.models import (
+    GoogleWorkspaceProvider,
+    GoogleWorkspaceProviderGroup,
+    GoogleWorkspaceProviderMapping,
+    GoogleWorkspaceProviderUser,
+)
+from authentik.lib.sync.mapper import PropertyMappingManager
+from authentik.lib.sync.outgoing.base import Direction
+from authentik.lib.sync.outgoing.exceptions import (
+    NotFoundSyncException,
+    ObjectExistsSyncException,
+    TransientSyncException,
+)
+from authentik.lib.sync.outgoing.models import OutgoingSyncDeleteAction
+
+
+class GoogleWorkspaceGroupClient(
+    GoogleWorkspaceSyncClient[Group, GoogleWorkspaceProviderGroup, dict]
+):
+    """Google client for groups"""
+
+    connection_type = GoogleWorkspaceProviderGroup
+    connection_type_query = "group"
+    can_discover = True
+
+    def __init__(self, provider: GoogleWorkspaceProvider) -> None:
+        super().__init__(provider)
+        self.mapper = PropertyMappingManager(
+            self.provider.property_mappings_group.all().order_by("name").select_subclasses(),
+            GoogleWorkspaceProviderMapping,
+            ["group", "provider", "connection"],
+        )
+
+    def to_schema(self, obj: Group, connection: GoogleWorkspaceProviderGroup) -> dict:
+        """Convert authentik group"""
+        return super().to_schema(
+            obj,
+            connection=connection,
+            email=f"{slugify(obj.name)}@{self.provider.default_group_email_domain}",
+        )
+
+    def delete(self, obj: Group):
+        """Delete group"""
+        google_group = GoogleWorkspaceProviderGroup.objects.filter(
+            provider=self.provider, group=obj
+        ).first()
+        if not google_group:
+            self.logger.debug("Group does not exist in Google, skipping")
+            return None
+        with transaction.atomic():
+            if self.provider.group_delete_action == OutgoingSyncDeleteAction.DELETE:
+                self._request(
+                    self.directory_service.groups().delete(groupKey=google_group.google_id)
+                )
+            google_group.delete()
+
+    def create(self, group: Group):
+        """Create group from scratch and create a connection object"""
+        google_group = self.to_schema(group, None)
+        self.check_email_valid(google_group["email"])
+        with transaction.atomic():
+            try:
+                response = self._request(self.directory_service.groups().insert(body=google_group))
+            except ObjectExistsSyncException:
+                # group already exists in google workspace, so we can connect them manually
+                # for groups we need to fetch the group from google as we connect on
+                # ID and not group email
+                group_data = self._request(
+                    self.directory_service.groups().get(groupKey=google_group["email"])
+                )
+                return GoogleWorkspaceProviderGroup.objects.create(
+                    provider=self.provider,
+                    group=group,
+                    google_id=group_data["id"],
+                    attributes=group_data,
+                )
+            else:
+                return GoogleWorkspaceProviderGroup.objects.create(
+                    provider=self.provider,
+                    group=group,
+                    google_id=response["id"],
+                    attributes=response,
+                )
+
+    def update(self, group: Group, connection: GoogleWorkspaceProviderGroup):
+        """Update existing group"""
+        google_group = self.to_schema(group, connection)
+        self.check_email_valid(google_group["email"])
+        try:
+            response = self._request(
+                self.directory_service.groups().update(
+                    groupKey=connection.google_id,
+                    body=google_group,
+                )
+            )
+            connection.attributes = response
+            connection.save()
+        except NotFoundSyncException:
+            # Resource missing is handled by self.write, which will re-create the group
+            raise
+
+    def write(self, obj: Group):
+        google_group, created = super().write(obj)
+        self.create_sync_members(obj, google_group)
+        return google_group, created
+
+    def create_sync_members(self, obj: Group, google_group: GoogleWorkspaceProviderGroup):
+        """Sync all members after a group was created"""
+        users = list(obj.users.order_by("id").values_list("id", flat=True))
+        connections = GoogleWorkspaceProviderUser.objects.filter(
+            provider=self.provider, user__pk__in=users
+        ).values_list("google_id", flat=True)
+        self._patch(google_group.google_id, Direction.add, connections)
+
+    def update_group(self, group: Group, action: Direction, users_set: set[int]):
+        """Update a groups members"""
+        if action == Direction.add:
+            return self._patch_add_users(group, users_set)
+        if action == Direction.remove:
+            return self._patch_remove_users(group, users_set)
+
+    def _patch(self, google_group_id: str, direction: Direction, members: list[str]):
+        for user in members:
+            try:
+                if direction == Direction.add:
+                    self._request(
+                        self.directory_service.members().insert(
+                            groupKey=google_group_id, body={"email": user}
+                        )
+                    )
+                if direction == Direction.remove:
+                    self._request(
+                        self.directory_service.members().delete(
+                            groupKey=google_group_id, memberKey=user
+                        )
+                    )
+            except ObjectExistsSyncException:
+                pass
+            except TransientSyncException:
+                raise
+
+    def _patch_add_users(self, group: Group, users_set: set[int]):
+        """Add users in users_set to group"""
+        if len(users_set) < 1:
+            return
+        google_group = GoogleWorkspaceProviderGroup.objects.filter(
+            provider=self.provider, group=group
+        ).first()
+        if not google_group:
+            self.logger.warning(
+                "could not sync group membership, group does not exist", group=group
+            )
+            return
+        user_ids = list(
+            GoogleWorkspaceProviderUser.objects.filter(
+                user__pk__in=users_set, provider=self.provider
+            ).values_list("google_id", flat=True)
+        )
+        if len(user_ids) < 1:
+            return
+        self._patch(google_group.google_id, Direction.add, user_ids)
+
+    def _patch_remove_users(self, group: Group, users_set: set[int]):
+        """Remove users in users_set from group"""
+        if len(users_set) < 1:
+            return
+        google_group = GoogleWorkspaceProviderGroup.objects.filter(
+            provider=self.provider, group=group
+        ).first()
+        if not google_group:
+            self.logger.warning(
+                "could not sync group membership, group does not exist", group=group
+            )
+            return
+        user_ids = list(
+            GoogleWorkspaceProviderUser.objects.filter(
+                user__pk__in=users_set, provider=self.provider
+            ).values_list("google_id", flat=True)
+        )
+        if len(user_ids) < 1:
+            return
+        self._patch(google_group.google_id, Direction.remove, user_ids)
+
+    def discover(self):
+        """Iterate through all groups and connect them with authentik groups if possible"""
+        request = self.directory_service.groups().list(
+            customer="my_customer", maxResults=500, orderBy="email"
+        )
+        while request:
+            response = request.execute()
+            for group in response.get("groups", []):
+                self._discover_single_group(group)
+            request = self.directory_service.groups().list_next(
+                previous_request=request, previous_response=response
+            )
+
+    def _discover_single_group(self, group: dict):
+        """handle discovery of a single group"""
+        google_name = group["name"]
+        google_id = group["id"]
+        matching_authentik_group = (
+            self.provider.get_object_qs(Group).filter(name=google_name).first()
+        )
+        if not matching_authentik_group:
+            return
+        GoogleWorkspaceProviderGroup.objects.get_or_create(
+            provider=self.provider,
+            group=matching_authentik_group,
+            google_id=google_id,
+            attributes=group,
+        )
+
+    def update_single_attribute(self, connection: GoogleWorkspaceProviderUser):
+        group = self.directory_service.groups().get(connection.google_id)
+        connection.attributes = group