release: 2024.10.3

* web: Add InvalidationFlow to Radius Provider dialogues

## What

- Bugfix: adds the InvalidationFlow to the Radius Provider dialogues
  - Repairs: `{"invalidation_flow":["This field is required."]}` message, which was *not* propagated
    to the Notification.
- Nitpick: Pretties `?foo=${true}` expressions: `s/\?([^=]+)=\$\{true\}/\1/`

## Note

Yes, I know I'm going to have to do more magic when we harmonize the forms, and no, I didn't add the
Property Mappings to the wizard, and yes, I know I'm going to have pain with the *new* version of
the wizard. But this is a serious bug; you can't make Radius servers with *either* of the current
dialogues at the moment.

* First things first: save the blueprint that initializes the test runner.

* Committing to having the PKs be a string, and streamlining an event handler.  Type solidity needed for the footer control.

* web/admin/better-footer-links

# What

- A data control that takes two string fields and returns the JSON object for a FooterLink
- A data control that takes a control like the one above and assists the user in entering a
  collection of such objects.

# Why

We're trying to move away from CodeMirror for the simple things, like tables of what is essentially
data entry. Jens proposed this ArrayInput thing, and I've simplified it so you define what "a row"
is as a small, lightweight custom Component that returns and validates the datatype for that row,
and ArrayInput creates a table of rows, and that's that.

We're still working out the details, but the demo is to replace the "Name & URL" table in
AdminSettingsForm with this, since it was silly to ask the customer to hand-write JSON or YAML,
getting the keys right every time, for an `Array<Record<{ name: string, href: string }>>`. And some
client-side validation can't hurt.

Storybook included.  Tests to come.

* Not ready for prime time.

* One lint.  Other lints are still in progress.

* web: lots of 'as unknown as Foo'

I know this is considered bad practice, but we use Lit and Lit.spread
to send initialization arguments to functions that create DOM
objects, and Lit's prefix convention of '.' for object, '?' for
boolean, and '@' for event handler doesn't map at all to the Interface
declarations of Typescript.  So we have to cast these types when
sending them via functions to constructors.

* web/admin/better-footer-links

# What

- Remove the "JSON or YAML" language from the AdminSettings page for describing FooterLinks inputs.
- Add unit tests for ArrayInput and AdminSettingsFooterLinks.
- Provide a property for accessing a component's value

# Why

Providing a property by which the JSONified version of the value can be accessed enhances the
ability of tests to independently check that the value is in a state we desire, since properties can
easily be accessed across the wire protocol used by browser-based testing environments.

* Ensure the UI is built from _current_ before running tests.

.bumpversion.cfg

@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2024.6.4
+current_version = 2024.10.3
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?:-(?P<rc_t>[a-zA-Z-]+)(?P<rc_n>[1-9]\\d*))?

.github/actions/docker-push-variables/action.yml

@@ -29,9 +29,9 @@ outputs:
   imageTags:
     description: "Docker image tags"
     value: ${{ steps.ev.outputs.imageTags }}
-  imageNames:
-    description: "Docker image names"
-    value: ${{ steps.ev.outputs.imageNames }}
+  attestImageNames:
+    description: "Docker image names used for attestation"
+    value: ${{ steps.ev.outputs.attestImageNames }}
   imageMainTag:
     description: "Docker image main tag"
     value: ${{ steps.ev.outputs.imageMainTag }}

.github/actions/docker-push-variables/push_vars.py

@@ -51,15 +51,24 @@ else:
         ]
 
 image_main_tag = image_tags[0].split(":")[-1]
-image_tags_rendered = ",".join(image_tags)
-image_names_rendered = ",".join(set(name.split(":")[0] for name in image_tags))
+
+
+def get_attest_image_names(image_with_tags: list[str]):
+    """Attestation only for GHCR"""
+    image_tags = []
+    for image_name in set(name.split(":")[0] for name in image_with_tags):
+        if not image_name.startswith("ghcr.io"):
+            continue
+        image_tags.append(image_name)
+    return ",".join(set(image_tags))
+
 
 with open(os.environ["GITHUB_OUTPUT"], "a+", encoding="utf-8") as _output:
     print(f"shouldBuild={should_build}", file=_output)
     print(f"sha={sha}", file=_output)
     print(f"version={version}", file=_output)
     print(f"prerelease={prerelease}", file=_output)
-    print(f"imageTags={image_tags_rendered}", file=_output)
-    print(f"imageNames={image_names_rendered}", file=_output)
+    print(f"imageTags={','.join(image_tags)}", file=_output)
+    print(f"attestImageNames={get_attest_image_names(image_tags)}", file=_output)
     print(f"imageMainTag={image_main_tag}", file=_output)
     print(f"imageMainName={image_tags[0]}", file=_output)

.github/actions/setup/action.yml

@@ -14,7 +14,7 @@ runs:
       run: |
         pipx install poetry || true
         sudo apt-get update
-        sudo apt-get install --no-install-recommends -y libpq-dev openssl libxmlsec1-dev pkg-config gettext
+        sudo apt-get install --no-install-recommends -y libpq-dev openssl libxmlsec1-dev pkg-config gettext libkrb5-dev krb5-kdc krb5-user krb5-admin-server
     - name: Setup python and restore poetry
       uses: actions/setup-python@v5
       with:

.github/dependabot.yml

@@ -23,7 +23,6 @@ updates:
   - package-ecosystem: npm
     directories:
       - "/web"
-      - "/tests/wdio"
       - "/web/sfe"
     schedule:
       interval: daily
@@ -44,9 +43,11 @@ updates:
           - "babel-*"
       eslint:
         patterns:
+          - "@eslint/*"
           - "@typescript-eslint/*"
-          - "eslint"
           - "eslint-*"
+          - "eslint"
+          - "typescript-eslint"
       storybook:
         patterns:
           - "@storybook/*"
@@ -54,10 +55,12 @@ updates:
       esbuild:
         patterns:
           - "@esbuild/*"
+          - "esbuild*"
       rollup:
         patterns:
           - "@rollup/*"
           - "rollup-*"
+          - "rollup*"
       swc:
         patterns:
           - "@swc/*"

.github/pull_request_template.md

@@ -1,7 +1,7 @@
 <!--
 👋 Hi there! Welcome.
 
-Please check the Contributing guidelines: https://goauthentik.io/developer-docs/#how-can-i-contribute
+Please check the Contributing guidelines: https://docs.goauthentik.io/docs/developer-docs/#how-can-i-contribute
 -->
 
 ## Details

.github/workflows/api-ts-publish.yml

@@ -40,7 +40,7 @@ jobs:
         run: |
           export VERSION=`node -e 'console.log(require("../gen-ts-api/package.json").version)'`
           npm i @goauthentik/api@$VERSION
-      - uses: peter-evans/create-pull-request@v6
+      - uses: peter-evans/create-pull-request@v7
         id: cpr
         with:
           token: ${{ steps.generate_token.outputs.token }}

.github/workflows/ci-main.yml

@@ -120,6 +120,12 @@ jobs:
         with:
           flags: unit
           token: ${{ secrets.CODECOV_TOKEN }}
+      - if: ${{ !cancelled() }}
+        uses: codecov/test-results-action@v1
+        with:
+          flags: unit
+          file: unittest.xml
+          token: ${{ secrets.CODECOV_TOKEN }}
   test-integration:
     runs-on: ubuntu-latest
     timeout-minutes: 30
@@ -138,6 +144,12 @@ jobs:
         with:
           flags: integration
           token: ${{ secrets.CODECOV_TOKEN }}
+      - if: ${{ !cancelled() }}
+        uses: codecov/test-results-action@v1
+        with:
+          flags: integration
+          file: unittest.xml
+          token: ${{ secrets.CODECOV_TOKEN }}
   test-e2e:
     name: test-e2e (${{ matrix.job.name }})
     runs-on: ubuntu-latest
@@ -168,7 +180,7 @@ jobs:
         uses: ./.github/actions/setup
       - name: Setup e2e env (chrome, etc)
         run: |
-          docker compose -f tests/e2e/docker-compose.yml up -d
+          docker compose -f tests/e2e/docker-compose.yml up -d --quiet-pull
       - id: cache-web
         uses: actions/cache@v4
         with:
@@ -190,6 +202,12 @@ jobs:
         with:
           flags: e2e
           token: ${{ secrets.CODECOV_TOKEN }}
+      - if: ${{ !cancelled() }}
+        uses: codecov/test-results-action@v1
+        with:
+          flags: e2e
+          file: unittest.xml
+          token: ${{ secrets.CODECOV_TOKEN }}
   ci-core-mark:
     needs:
       - lint
@@ -261,7 +279,7 @@ jobs:
         id: attest
         if: ${{ steps.ev.outputs.shouldBuild == 'true' }}
         with:
-          subject-name: ${{ steps.ev.outputs.imageNames }}
+          subject-name: ${{ steps.ev.outputs.attestImageNames }}
           subject-digest: ${{ steps.push.outputs.digest }}
           push-to-registry: true
   pr-comment:

.github/workflows/ci-outpost.yml

@@ -115,7 +115,7 @@ jobs:
         id: attest
         if: ${{ steps.ev.outputs.shouldBuild == 'true' }}
         with:
-          subject-name: ${{ steps.ev.outputs.imageNames }}
+          subject-name: ${{ steps.ev.outputs.attestImageNames }}
           subject-digest: ${{ steps.push.outputs.digest }}
           push-to-registry: true
   build-binary:

.github/workflows/ci-web.yml

@@ -24,17 +24,11 @@ jobs:
           - prettier-check
         project:
           - web
-          - tests/wdio
         include:
           - command: tsc
             project: web
           - command: lit-analyse
             project: web
-        exclude:
-          - command: lint:lockfile
-            project: tests/wdio
-          - command: tsc
-            project: tests/wdio
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4
@@ -45,21 +39,12 @@ jobs:
       - working-directory: ${{ matrix.project }}/
         run: |
           npm ci
-          ${{ matrix.extra_setup }}
       - name: Generate API
         run: make gen-client-ts
       - name: Lint
         working-directory: ${{ matrix.project }}/
         run: npm run ${{ matrix.command }}
-  ci-web-mark:
-    needs:
-      - lint
-    runs-on: ubuntu-latest
-    steps:
-      - run: echo mark
   build:
-    needs:
-      - ci-web-mark
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -75,6 +60,13 @@ jobs:
       - name: build
         working-directory: web/
         run: npm run build
+  ci-web-mark:
+    needs:
+      - build
+      - lint
+    runs-on: ubuntu-latest
+    steps:
+      - run: echo mark
   test:
     needs:
       - ci-web-mark

.github/workflows/gen-update-webauthn-mds.yml

@@ -24,7 +24,7 @@ jobs:
       - name: Setup authentik env
         uses: ./.github/actions/setup
       - run: poetry run ak update_webauthn_mds
-      - uses: peter-evans/create-pull-request@v6
+      - uses: peter-evans/create-pull-request@v7
         id: cpr
         with:
           token: ${{ steps.generate_token.outputs.token }}

.github/workflows/image-compress.yml

@@ -42,7 +42,7 @@ jobs:
         with:
           githubToken: ${{ steps.generate_token.outputs.token }}
           compressOnly: ${{ github.event_name != 'pull_request' }}
-      - uses: peter-evans/create-pull-request@v6
+      - uses: peter-evans/create-pull-request@v7
         if: "${{ github.event_name != 'pull_request' && steps.compress.outputs.markdown != '' }}"
         id: cpr
         with:

.github/workflows/release-publish.yml

@@ -58,7 +58,7 @@ jobs:
       - uses: actions/attest-build-provenance@v1
         id: attest
         with:
-          subject-name: ${{ steps.ev.outputs.imageNames }}
+          subject-name: ${{ steps.ev.outputs.attestImageNames }}
           subject-digest: ${{ steps.push.outputs.digest }}
           push-to-registry: true
   build-outpost:
@@ -122,7 +122,7 @@ jobs:
       - uses: actions/attest-build-provenance@v1
         id: attest
         with:
-          subject-name: ${{ steps.ev.outputs.imageNames }}
+          subject-name: ${{ steps.ev.outputs.attestImageNames }}
           subject-digest: ${{ steps.push.outputs.digest }}
           push-to-registry: true
   build-outpost-binary:

.github/workflows/translation-extract-compile.yml

@@ -32,7 +32,7 @@ jobs:
           poetry run ak compilemessages
           make web-check-compile
       - name: Create Pull Request
-        uses: peter-evans/create-pull-request@v6
+        uses: peter-evans/create-pull-request@v7
         with:
           token: ${{ steps.generate_token.outputs.token }}
           branch: extract-compile-backend-translation

.vscode/settings.json

@@ -6,6 +6,7 @@
         "authn",
         "entra",
         "goauthentik",
+        "jwe",
         "jwks",
         "kubernetes",
         "oidc",

Dockerfile

@@ -94,7 +94,7 @@ RUN --mount=type=secret,id=GEOIPUPDATE_ACCOUNT_ID \
     /bin/sh -c "/usr/bin/entry.sh || echo 'Failed to get GeoIP database, disabling'; exit 0"
 
 # Stage 5: Python dependencies
-FROM ghcr.io/goauthentik/fips-python:3.12.5-slim-bookworm-fips-full AS python-deps
+FROM ghcr.io/goauthentik/fips-python:3.12.7-slim-bookworm-fips-full AS python-deps
 
 ARG TARGETARCH
 ARG TARGETVARIANT
@@ -110,7 +110,7 @@ RUN rm -f /etc/apt/apt.conf.d/docker-clean; echo 'Binary::apt::APT::Keep-Downloa
 RUN --mount=type=cache,id=apt-$TARGETARCH$TARGETVARIANT,sharing=locked,target=/var/cache/apt \
     apt-get update && \
     # Required for installing pip packages
-    apt-get install -y --no-install-recommends build-essential pkg-config libpq-dev
+    apt-get install -y --no-install-recommends build-essential pkg-config libpq-dev libkrb5-dev
 
 RUN --mount=type=bind,target=./pyproject.toml,src=./pyproject.toml \
     --mount=type=bind,target=./poetry.lock,src=./poetry.lock \
@@ -124,7 +124,7 @@ RUN --mount=type=bind,target=./pyproject.toml,src=./pyproject.toml \
     pip install --force-reinstall /wheels/*"
 
 # Stage 6: Run
-FROM ghcr.io/goauthentik/fips-python:3.12.5-slim-bookworm-fips-full AS final-image
+FROM ghcr.io/goauthentik/fips-python:3.12.7-slim-bookworm-fips-full AS final-image
 
 ARG VERSION
 ARG GIT_BUILD_HASH
@@ -141,7 +141,7 @@ WORKDIR /
 # We cannot cache this layer otherwise we'll end up with a bigger image
 RUN apt-get update && \
     # Required for runtime
-    apt-get install -y --no-install-recommends libpq5 libmaxminddb0 ca-certificates && \
+    apt-get install -y --no-install-recommends libpq5 libmaxminddb0 ca-certificates libkrb5-3 libkadm5clnt-mit12 libkdb5-10 && \
     # Required for bootstrap & healtcheck
     apt-get install -y --no-install-recommends runit && \
     apt-get clean && \
@@ -161,6 +161,7 @@ COPY ./tests /tests
 COPY ./manage.py /
 COPY ./blueprints /blueprints
 COPY ./lifecycle/ /lifecycle
+COPY ./authentik/sources/kerberos/krb5.conf /etc/krb5.conf
 COPY --from=go-builder /go/authentik /bin/authentik
 COPY --from=python-deps /ak-root/venv /ak-root/venv
 COPY --from=web-builder /work/web/dist/ /web/dist/

Makefile

@@ -19,14 +19,13 @@ pg_name := $(shell python -m authentik.lib.config postgresql.name 2>/dev/null)
 CODESPELL_ARGS = -D - -D .github/codespell-dictionary.txt \
 		-I .github/codespell-words.txt \
 		-S 'web/src/locales/**' \
-		-S 'website/developer-docs/api/reference/**' \
+		-S 'website/docs/developer-docs/api/reference/**' \
 		authentik \
 		internal \
 		cmd \
 		web/src \
 		website/src \
 		website/blog \
-		website/developer-docs \
 		website/docs \
 		website/integrations \
 		website/src
@@ -205,7 +204,7 @@ gen: gen-build gen-client-ts
 web-build: web-install  ## Build the Authentik UI
 	cd web && npm run build
 
-web: web-lint-fix web-lint web-check-compile web-test  ## Automatically fix formatting issues in the Authentik UI source code, lint the code, and compile it
+web: web-lint-fix web-lint web-check-compile  ## Automatically fix formatting issues in the Authentik UI source code, lint the code, and compile it
 
 web-install:  ## Install the necessary libraries to build the Authentik UI
 	cd web && npm ci

README.md

@@ -34,7 +34,7 @@ For bigger setups, there is a Helm Chart [here](https://github.com/goauthentik/h
 
 ## Development
 
-See [Developer Documentation](https://goauthentik.io/developer-docs/?utm_source=github)
+See [Developer Documentation](https://docs.goauthentik.io/docs/developer-docs/?utm_source=github)
 
 ## Security
 

SECURITY.md

@@ -18,10 +18,10 @@ Even if the issue is not a CVE, we still greatly appreciate your help in hardeni
 
 (.x being the latest patch release for each version)
 
-| Version  | Supported |
-| -------- | --------- |
-| 2024.4.x | ✅        |
-| 2024.6.x | ✅        |
+| Version   | Supported |
+| --------- | --------- |
+| 2024.8.x  | ✅        |
+| 2024.10.x | ✅        |
 
 ## Reporting a Vulnerability
 

authentik/__init__.py

@@ -2,7 +2,7 @@
 
 from os import environ
 
-__version__ = "2024.6.4"
+__version__ = "2024.10.3"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
 
 

authentik/admin/api/version_history.py

@@ -0,0 +1,33 @@
+from rest_framework.permissions import IsAdminUser
+from rest_framework.viewsets import ReadOnlyModelViewSet
+
+from authentik.admin.models import VersionHistory
+from authentik.core.api.utils import ModelSerializer
+
+
+class VersionHistorySerializer(ModelSerializer):
+    """VersionHistory Serializer"""
+
+    class Meta:
+        model = VersionHistory
+        fields = [
+            "id",
+            "timestamp",
+            "version",
+            "build",
+        ]
+
+
+class VersionHistoryViewSet(ReadOnlyModelViewSet):
+    """VersionHistory Viewset"""
+
+    queryset = VersionHistory.objects.all()
+    serializer_class = VersionHistorySerializer
+    permission_classes = [IsAdminUser]
+    filterset_fields = [
+        "version",
+        "build",
+    ]
+    search_fields = ["version", "build"]
+    ordering = ["-timestamp"]
+    pagination_class = None

authentik/admin/models.py

@@ -0,0 +1,22 @@
+"""authentik admin models"""
+
+from django.db import models
+from django.utils.translation import gettext_lazy as _
+
+
+class VersionHistory(models.Model):
+    id = models.BigAutoField(primary_key=True)
+    timestamp = models.DateTimeField()
+    version = models.TextField()
+    build = models.TextField()
+
+    class Meta:
+        managed = False
+        db_table = "authentik_version_history"
+        ordering = ("-timestamp",)
+        verbose_name = _("Version history")
+        verbose_name_plural = _("Version history")
+        default_permissions = []
+
+    def __str__(self):
+        return f"{self.version}.{self.build} ({self.timestamp})"

authentik/admin/tasks.py

@@ -1,10 +1,8 @@
 """authentik admin tasks"""
 
-import re
-
 from django.core.cache import cache
-from django.core.validators import URLValidator
 from django.db import DatabaseError, InternalError, ProgrammingError
+from django.utils.translation import gettext_lazy as _
 from packaging.version import parse
 from requests import RequestException
 from structlog.stdlib import get_logger
@@ -21,8 +19,6 @@ LOGGER = get_logger()
 VERSION_NULL = "0.0.0"
 VERSION_CACHE_KEY = "authentik_latest_version"
 VERSION_CACHE_TIMEOUT = 8 * 60 * 60  # 8 hours
-# Chop of the first ^ because we want to search the entire string
-URL_FINDER = URLValidator.regex.pattern[1:]
 LOCAL_VERSION = parse(__version__)
 
 
@@ -78,10 +74,16 @@ def update_latest_version(self: SystemTask):
                 context__new_version=upstream_version,
             ).exists():
                 return
-            event_dict = {"new_version": upstream_version}
-            if match := re.search(URL_FINDER, data.get("stable", {}).get("changelog", "")):
-                event_dict["message"] = f"Changelog: {match.group()}"
-            Event.new(EventAction.UPDATE_AVAILABLE, **event_dict).save()
+            Event.new(
+                EventAction.UPDATE_AVAILABLE,
+                message=_(
+                    "New version {version} available!".format(
+                        version=upstream_version,
+                    )
+                ),
+                new_version=upstream_version,
+                changelog=data.get("stable", {}).get("changelog_url"),
+            ).save()
     except (RequestException, IndexError) as exc:
         cache.set(VERSION_CACHE_KEY, VERSION_NULL, VERSION_CACHE_TIMEOUT)
         self.set_error(exc)

authentik/admin/tests/test_tasks.py

@@ -17,6 +17,7 @@ RESPONSE_VALID = {
     "stable": {
         "version": "99999999.9999999",
         "changelog": "See https://goauthentik.io/test",
+        "changelog_url": "https://goauthentik.io/test",
         "reason": "bugfix",
     },
 }
@@ -35,7 +36,7 @@ class TestAdminTasks(TestCase):
                 Event.objects.filter(
                     action=EventAction.UPDATE_AVAILABLE,
                     context__new_version="99999999.9999999",
-                    context__message="Changelog: https://goauthentik.io/test",
+                    context__message="New version 99999999.9999999 available!",
                 ).exists()
             )
             # test that a consecutive check doesn't create a duplicate event
@@ -45,7 +46,7 @@ class TestAdminTasks(TestCase):
                     Event.objects.filter(
                         action=EventAction.UPDATE_AVAILABLE,
                         context__new_version="99999999.9999999",
-                        context__message="Changelog: https://goauthentik.io/test",
+                        context__message="New version 99999999.9999999 available!",
                     )
                 ),
                 1,

authentik/admin/urls.py

@@ -6,6 +6,7 @@ from authentik.admin.api.meta import AppsViewSet, ModelViewSet
 from authentik.admin.api.metrics import AdministrationMetricsViewSet
 from authentik.admin.api.system import SystemView
 from authentik.admin.api.version import VersionView
+from authentik.admin.api.version_history import VersionHistoryViewSet
 from authentik.admin.api.workers import WorkerView
 
 api_urlpatterns = [
@@ -17,6 +18,7 @@ api_urlpatterns = [
         name="admin_metrics",
     ),
     path("admin/version/", VersionView.as_view(), name="admin_version"),
+    ("admin/version/history", VersionHistoryViewSet, "version_history"),
     path("admin/workers/", WorkerView.as_view(), name="admin_workers"),
     path("admin/system/", SystemView.as_view(), name="admin_system"),
 ]

authentik/api/templates/api/browser.html

@@ -7,7 +7,7 @@ API Browser - {{ brand.branding_title }}
 {% endblock %}
 
 {% block head %}
-{% versioned_script "dist/standalone/api-browser/index-%v.js" %}
+<script src="{% versioned_script 'dist/standalone/api-browser/index-%v.js' %}" type="module"></script>
 <meta name="theme-color" content="#151515" media="(prefers-color-scheme: light)">
 <meta name="theme-color" content="#151515" media="(prefers-color-scheme: dark)">
 {% endblock %}

authentik/blueprints/api.py

@@ -51,9 +51,11 @@ class BlueprintInstanceSerializer(ModelSerializer):
         context = self.instance.context if self.instance else {}
         valid, logs = Importer.from_string(content, context).validate()
         if not valid:
-            text_logs = "\n".join([x["event"] for x in logs])
             raise ValidationError(
-                _("Failed to validate blueprint: {logs}".format_map({"logs": text_logs}))
+                [
+                    _("Failed to validate blueprint"),
+                    *[f"- {x.event}" for x in logs],
+                ]
             )
         return content
 

authentik/blueprints/migrations/0001_initial.py

@@ -29,9 +29,7 @@ def check_blueprint_v1_file(BlueprintInstance: type, db_alias, path: Path):
         if version != 1:
             return
         blueprint_file.seek(0)
-    instance: BlueprintInstance = (
-        BlueprintInstance.objects.using(db_alias).filter(path=path).first()
-    )
+    instance = BlueprintInstance.objects.using(db_alias).filter(path=path).first()
     rel_path = path.relative_to(Path(CONFIG.get("blueprints_dir")))
     meta = None
     if metadata:

authentik/blueprints/tests/test_packaged.py

@@ -27,7 +27,8 @@ def blueprint_tester(file_name: Path) -> Callable:
         base = Path("blueprints/")
         rel_path = Path(file_name).relative_to(base)
         importer = Importer.from_string(BlueprintInstance(path=str(rel_path)).retrieve())
-        self.assertTrue(importer.validate()[0])
+        validation, logs = importer.validate()
+        self.assertTrue(validation, logs)
         self.assertTrue(importer.apply())
 
     return tester

authentik/blueprints/tests/test_v1_api.py

@@ -78,5 +78,5 @@ class TestBlueprintsV1API(APITestCase):
         self.assertEqual(res.status_code, 400)
         self.assertJSONEqual(
             res.content.decode(),
-            {"content": ["Failed to validate blueprint: Invalid blueprint version"]},
+            {"content": ["Failed to validate blueprint", "- Invalid blueprint version"]},
         )

authentik/blueprints/v1/importer.py

@@ -51,6 +51,10 @@ from authentik.enterprise.providers.microsoft_entra.models import (
     MicrosoftEntraProviderUser,
 )
 from authentik.enterprise.providers.rac.models import ConnectionToken
+from authentik.enterprise.stages.authenticator_endpoint_gdtc.models import (
+    EndpointDevice,
+    EndpointDeviceConnection,
+)
 from authentik.events.logs import LogEvent, capture_logs
 from authentik.events.models import SystemTask
 from authentik.events.utils import cleanse_dict
@@ -69,7 +73,7 @@ from authentik.stages.authenticator_webauthn.models import WebAuthnDeviceType
 from authentik.tenants.models import Tenant
 
 # Context set when the serializer is created in a blueprint context
-# Update website/developer-docs/blueprints/v1/models.md when used
+# Update website/docs/customize/blueprints/v1/models.md when used
 SERIALIZER_CONTEXT_BLUEPRINT = "blueprint_entry"
 
 
@@ -119,6 +123,8 @@ def excluded_models() -> list[type[Model]]:
         GoogleWorkspaceProviderGroup,
         MicrosoftEntraProviderUser,
         MicrosoftEntraProviderGroup,
+        EndpointDevice,
+        EndpointDeviceConnection,
     )
 
 
@@ -429,7 +435,7 @@ class Importer:
         orig_import = deepcopy(self._import)
         if self._import.version != 1:
             self.logger.warning("Invalid blueprint version")
-            return False, [{"event": "Invalid blueprint version"}]
+            return False, [LogEvent("Invalid blueprint version", log_level="warning", logger=None)]
         with (
             transaction_rollback(),
             capture_logs() as logs,

authentik/brands/middleware.py

@@ -4,7 +4,7 @@ from collections.abc import Callable
 
 from django.http.request import HttpRequest
 from django.http.response import HttpResponse
-from django.utils.translation import activate
+from django.utils.translation import override
 
 from authentik.brands.utils import get_brand_for_request
 
@@ -18,10 +18,12 @@ class BrandMiddleware:
         self.get_response = get_response
 
     def __call__(self, request: HttpRequest) -> HttpResponse:
+        locale_to_set = None
         if not hasattr(request, "brand"):
             brand = get_brand_for_request(request)
             request.brand = brand
             locale = brand.default_locale
             if locale != "":
-                activate(locale)
-        return self.get_response(request)
+                locale_to_set = locale
+        with override(locale_to_set):
+            return self.get_response(request)

authentik/core/api/devices.py

@@ -1,39 +1,55 @@
 """Authenticator Devices API Views"""
 
+from django.utils.translation import gettext_lazy as _
 from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import OpenApiParameter, extend_schema
 from rest_framework.fields import (
     BooleanField,
     CharField,
     DateTimeField,
-    IntegerField,
     SerializerMethodField,
 )
-from rest_framework.permissions import IsAdminUser, IsAuthenticated
+from rest_framework.permissions import IsAuthenticated
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.viewsets import ViewSet
 
 from authentik.core.api.utils import MetaNameSerializer
+from authentik.enterprise.stages.authenticator_endpoint_gdtc.models import EndpointDevice
+from authentik.rbac.decorators import permission_required
 from authentik.stages.authenticator import device_classes, devices_for_user
 from authentik.stages.authenticator.models import Device
+from authentik.stages.authenticator_webauthn.models import WebAuthnDevice
 
 
 class DeviceSerializer(MetaNameSerializer):
     """Serializer for Duo authenticator devices"""
 
-    pk = IntegerField()
+    pk = CharField()
     name = CharField()
     type = SerializerMethodField()
     confirmed = BooleanField()
     created = DateTimeField(read_only=True)
     last_updated = DateTimeField(read_only=True)
     last_used = DateTimeField(read_only=True, allow_null=True)
+    extra_description = SerializerMethodField()
 
     def get_type(self, instance: Device) -> str:
         """Get type of device"""
         return instance._meta.label
 
+    def get_extra_description(self, instance: Device) -> str:
+        """Get extra description"""
+        if isinstance(instance, WebAuthnDevice):
+            return (
+                instance.device_type.description
+                if instance.device_type
+                else _("Extra description not available")
+            )
+        if isinstance(instance, EndpointDevice):
+            return instance.data.get("deviceSignals", {}).get("deviceModel")
+        return ""
+
 
 class DeviceViewSet(ViewSet):
     """Viewset for authenticator devices"""
@@ -52,7 +68,7 @@ class AdminDeviceViewSet(ViewSet):
     """Viewset for authenticator devices"""
 
     serializer_class = DeviceSerializer
-    permission_classes = [IsAdminUser]
+    permission_classes = []
 
     def get_devices(self, **kwargs):
         """Get all devices in all child classes"""
@@ -70,6 +86,10 @@ class AdminDeviceViewSet(ViewSet):
         ],
         responses={200: DeviceSerializer(many=True)},
     )
+    @permission_required(
+        None,
+        [f"{model._meta.app_label}.view_{model._meta.model_name}" for model in device_classes()],
+    )
     def list(self, request: Request) -> Response:
         """Get all devices for current user"""
         kwargs = {}

authentik/core/api/property_mappings.py

@@ -30,8 +30,10 @@ from authentik.core.api.utils import (
     PassiveSerializer,
 )
 from authentik.core.expression.evaluator import PropertyMappingEvaluator
+from authentik.core.expression.exceptions import PropertyMappingExpressionException
 from authentik.core.models import Group, PropertyMapping, User
 from authentik.events.utils import sanitize_item
+from authentik.lib.utils.errors import exception_to_string
 from authentik.policies.api.exec import PolicyTestSerializer
 from authentik.rbac.decorators import permission_required
 
@@ -162,12 +164,15 @@ class PropertyMappingViewSet(
 
         response_data = {"successful": True, "result": ""}
         try:
-            result = mapping.evaluate(**context)
+            result = mapping.evaluate(dry_run=True, **context)
             response_data["result"] = dumps(
                 sanitize_item(result), indent=(4 if format_result else None)
             )
+        except PropertyMappingExpressionException as exc:
+            response_data["result"] = exception_to_string(exc.exc)
+            response_data["successful"] = False
         except Exception as exc:
-            response_data["result"] = str(exc)
+            response_data["result"] = exception_to_string(exc)
             response_data["successful"] = False
         response = PropertyMappingTestResultSerializer(response_data)
         return Response(response.data)

authentik/core/api/providers.py

@@ -38,6 +38,7 @@ class ProviderSerializer(ModelSerializer, MetaNameSerializer):
             "name",
             "authentication_flow",
             "authorization_flow",
+            "invalidation_flow",
             "property_mappings",
             "component",
             "assigned_application_slug",
@@ -50,6 +51,7 @@ class ProviderSerializer(ModelSerializer, MetaNameSerializer):
         ]
         extra_kwargs = {
             "authorization_flow": {"required": True, "allow_null": False},
+            "invalidation_flow": {"required": True, "allow_null": False},
         }
 
 

authentik/core/api/users.py

@@ -678,10 +678,13 @@ class UserViewSet(UsedByMixin, ModelViewSet):
         if not request.tenant.impersonation:
             LOGGER.debug("User attempted to impersonate", user=request.user)
             return Response(status=401)
-        if not request.user.has_perm("impersonate"):
+        user_to_be = self.get_object()
+        # Check both object-level perms and global perms
+        if not request.user.has_perm(
+            "authentik_core.impersonate", user_to_be
+        ) and not request.user.has_perm("authentik_core.impersonate"):
             LOGGER.debug("User attempted to impersonate without permissions", user=request.user)
             return Response(status=401)
-        user_to_be = self.get_object()
         if user_to_be.pk == self.request.user.pk:
             LOGGER.debug("User attempted to impersonate themselves", user=request.user)
             return Response(status=401)

authentik/core/management/commands/change_user_type.py

@@ -9,10 +9,11 @@ class Command(TenantCommand):
 
     def add_arguments(self, parser):
         parser.add_argument("--type", type=str, required=True)
-        parser.add_argument("--all", action="store_true")
-        parser.add_argument("usernames", nargs="+", type=str)
+        parser.add_argument("--all", action="store_true", default=False)
+        parser.add_argument("usernames", nargs="*", type=str)
 
     def handle_per_tenant(self, **options):
+        print(options)
         new_type = UserTypes(options["type"])
         qs = (
             User.objects.exclude_anonymous()
@@ -22,6 +23,9 @@ class Command(TenantCommand):
         if options["usernames"] and options["all"]:
             self.stderr.write("--all and usernames specified, only one can be specified")
             return
+        if not options["usernames"] and not options["all"]:
+            self.stderr.write("--all or usernames must be specified")
+            return
         if options["usernames"] and not options["all"]:
             qs = qs.filter(username__in=options["usernames"])
         updated = qs.update(type=new_type)

authentik/core/management/commands/shell.py

@@ -4,6 +4,7 @@ import code
 import platform
 import sys
 import traceback
+from pprint import pprint
 
 from django.apps import apps
 from django.core.management.base import BaseCommand
@@ -34,7 +35,9 @@ class Command(BaseCommand):
 
     def get_namespace(self):
         """Prepare namespace with all models"""
-        namespace = {}
+        namespace = {
+            "pprint": pprint,
+        }
 
         # Gather Django models and constants from each app
         for app in apps.get_app_configs():

authentik/core/middleware.py

@@ -5,7 +5,7 @@ from contextvars import ContextVar
 from uuid import uuid4
 
 from django.http import HttpRequest, HttpResponse
-from django.utils.translation import activate
+from django.utils.translation import override
 from sentry_sdk.api import set_tag
 from structlog.contextvars import STRUCTLOG_KEY_PREFIX
 
@@ -31,17 +31,19 @@ class ImpersonateMiddleware:
     def __call__(self, request: HttpRequest) -> HttpResponse:
         # No permission checks are done here, they need to be checked before
         # SESSION_KEY_IMPERSONATE_USER is set.
+        locale_to_set = None
         if request.user.is_authenticated:
             locale = request.user.locale(request)
             if locale != "":
-                activate(locale)
+                locale_to_set = locale
 
         if SESSION_KEY_IMPERSONATE_USER in request.session:
             request.user = request.session[SESSION_KEY_IMPERSONATE_USER]
             # Ensure that the user is active, otherwise nothing will work
             request.user.is_active = True
 
-        return self.get_response(request)
+        with override(locale_to_set):
+            return self.get_response(request)
 
 
 class RequestIDMiddleware:

authentik/core/migrations/0040_provider_invalidation_flow.py

@@ -0,0 +1,55 @@
+# Generated by Django 5.0.9 on 2024-10-02 11:35
+
+import django.db.models.deletion
+from django.db import migrations, models
+
+from django.apps.registry import Apps
+from django.db import migrations, models
+from django.db.backends.base.schema import BaseDatabaseSchemaEditor
+
+
+def migrate_invalidation_flow_default(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
+    from authentik.flows.models import FlowDesignation, FlowAuthenticationRequirement
+
+    db_alias = schema_editor.connection.alias
+
+    Flow = apps.get_model("authentik_flows", "Flow")
+    Provider = apps.get_model("authentik_core", "Provider")
+
+    # So this flow is managed via a blueprint, bue we're in a migration so we don't want to rely on that
+    # since the blueprint is just an empty flow we can just create it here
+    # and let it be managed by the blueprint later
+    flow, _ = Flow.objects.using(db_alias).update_or_create(
+        slug="default-provider-invalidation-flow",
+        defaults={
+            "name": "Logged out of application",
+            "title": "You've logged out of %(app)s.",
+            "authentication": FlowAuthenticationRequirement.NONE,
+            "designation": FlowDesignation.INVALIDATION,
+        },
+    )
+    Provider.objects.using(db_alias).filter(invalidation_flow=None).update(invalidation_flow=flow)
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_core", "0039_source_group_matching_mode_alter_group_name_and_more"),
+        ("authentik_flows", "0027_auto_20231028_1424"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="provider",
+            name="invalidation_flow",
+            field=models.ForeignKey(
+                default=None,
+                help_text="Flow used ending the session from a provider.",
+                null=True,
+                on_delete=django.db.models.deletion.SET_DEFAULT,
+                related_name="provider_invalidation",
+                to="authentik_flows.flow",
+            ),
+        ),
+        migrations.RunPython(migrate_invalidation_flow_default),
+    ]

authentik/core/models.py

@@ -330,11 +330,13 @@ class User(SerializerModel, GuardianUserMixin, AttributesMixin, AbstractUser):
         """superuser == staff user"""
         return self.is_superuser  # type: ignore
 
-    def set_password(self, raw_password, signal=True):
+    def set_password(self, raw_password, signal=True, sender=None):
         if self.pk and signal:
             from authentik.core.signals import password_changed
 
-            password_changed.send(sender=self, user=self, password=raw_password)
+            if not sender:
+                sender = self
+            password_changed.send(sender=sender, user=self, password=raw_password)
         self.password_change_date = now()
         return super().set_password(raw_password)
 
@@ -391,14 +393,23 @@ class Provider(SerializerModel):
         ),
         related_name="provider_authentication",
     )
-
     authorization_flow = models.ForeignKey(
         "authentik_flows.Flow",
+        # Set to cascade even though null is allowed, since most providers
+        # still require an authorization flow set
         on_delete=models.CASCADE,
         null=True,
         help_text=_("Flow used when authorizing this provider."),
         related_name="provider_authorization",
     )
+    invalidation_flow = models.ForeignKey(
+        "authentik_flows.Flow",
+        on_delete=models.SET_DEFAULT,
+        default=None,
+        null=True,
+        help_text=_("Flow used ending the session from a provider."),
+        related_name="provider_invalidation",
+    )
 
     property_mappings = models.ManyToManyField("PropertyMapping", default=None, blank=True)
 
@@ -466,8 +477,6 @@ class ApplicationQuerySet(QuerySet):
     def with_provider(self) -> "QuerySet[Application]":
         qs = self.select_related("provider")
         for subclass in Provider.objects.get_queryset()._get_subclasses_recurse(Provider):
-            if LOOKUP_SEP in subclass:
-                continue
             qs = qs.select_related(f"provider__{subclass}")
         return qs
 
@@ -545,15 +554,24 @@ class Application(SerializerModel, PolicyBindingModel):
         if not self.provider:
             return None
 
-        for subclass in Provider.objects.get_queryset()._get_subclasses_recurse(Provider):
-            # We don't care about recursion, skip nested models
-            if LOOKUP_SEP in subclass:
+        candidates = []
+        base_class = Provider
+        for subclass in base_class.objects.get_queryset()._get_subclasses_recurse(base_class):
+            parent = self.provider
+            for level in subclass.split(LOOKUP_SEP):
+                try:
+                    parent = getattr(parent, level)
+                except AttributeError:
+                    break
+            if parent in candidates:
                 continue
-            try:
-                return getattr(self.provider, subclass)
-            except AttributeError:
-                pass
-        return None
+            idx = subclass.count(LOOKUP_SEP)
+            if type(parent) is not base_class:
+                idx += 1
+            candidates.insert(idx, parent)
+        if not candidates:
+            return None
+        return candidates[-1]
 
     def __str__(self):
         return str(self.name)
@@ -901,7 +919,7 @@ class PropertyMapping(SerializerModel, ManagedModel):
         except ControlFlowException as exc:
             raise exc
         except Exception as exc:
-            raise PropertyMappingExpressionException(self, exc) from exc
+            raise PropertyMappingExpressionException(exc, self) from exc
 
     def __str__(self):
         return f"Property Mapping {self.name}"

authentik/core/sources/flow_manager.py

@@ -1,11 +1,9 @@
 """Source decision helper"""
 
-from enum import Enum
 from typing import Any
 
 from django.contrib import messages
 from django.db import IntegrityError, transaction
-from django.db.models.query_utils import Q
 from django.http import HttpRequest, HttpResponse
 from django.shortcuts import redirect
 from django.urls import reverse
@@ -16,12 +14,11 @@ from authentik.core.models import (
     Group,
     GroupSourceConnection,
     Source,
-    SourceGroupMatchingModes,
-    SourceUserMatchingModes,
     User,
     UserSourceConnection,
 )
 from authentik.core.sources.mapper import SourceMapper
+from authentik.core.sources.matcher import Action, SourceMatcher
 from authentik.core.sources.stage import (
     PLAN_CONTEXT_SOURCES_CONNECTION,
     PostSourceStage,
@@ -54,16 +51,6 @@ SESSION_KEY_OVERRIDE_FLOW_TOKEN = "authentik/flows/source_override_flow_token"
 PLAN_CONTEXT_SOURCE_GROUPS = "source_groups"
 
 
-class Action(Enum):
-    """Actions that can be decided based on the request
-    and source settings"""
-
-    LINK = "link"
-    AUTH = "auth"
-    ENROLL = "enroll"
-    DENY = "deny"
-
-
 class MessageStage(StageView):
     """Show a pre-configured message after the flow is done"""
 
@@ -86,6 +73,7 @@ class SourceFlowManager:
 
     source: Source
     mapper: SourceMapper
+    matcher: SourceMatcher
     request: HttpRequest
 
     identifier: str
@@ -108,6 +96,9 @@ class SourceFlowManager:
     ) -> None:
         self.source = source
         self.mapper = SourceMapper(self.source)
+        self.matcher = SourceMatcher(
+            self.source, self.user_connection_type, self.group_connection_type
+        )
         self.request = request
         self.identifier = identifier
         self.user_info = user_info
@@ -131,66 +122,24 @@ class SourceFlowManager:
 
     def get_action(self, **kwargs) -> tuple[Action, UserSourceConnection | None]:  # noqa: PLR0911
         """decide which action should be taken"""
-        new_connection = self.user_connection_type(source=self.source, identifier=self.identifier)
         # When request is authenticated, always link
         if self.request.user.is_authenticated:
+            new_connection = self.user_connection_type(
+                source=self.source, identifier=self.identifier
+            )
             new_connection.user = self.request.user
             new_connection = self.update_user_connection(new_connection, **kwargs)
+            if existing := self.user_connection_type.objects.filter(
+                source=self.source, identifier=self.identifier
+            ).first():
+                existing = self.update_user_connection(existing)
+                return Action.AUTH, existing
             return Action.LINK, new_connection
 
-        existing_connections = self.user_connection_type.objects.filter(
-            source=self.source, identifier=self.identifier
-        )
-        if existing_connections.exists():
-            connection = existing_connections.first()
-            return Action.AUTH, self.update_user_connection(connection, **kwargs)
-        # No connection exists, but we match on identifier, so enroll
-        if self.source.user_matching_mode == SourceUserMatchingModes.IDENTIFIER:
-            # We don't save the connection here cause it doesn't have a user assigned yet
-            return Action.ENROLL, self.update_user_connection(new_connection, **kwargs)
-
-        # Check for existing users with matching attributes
-        query = Q()
-        # Either query existing user based on email or username
-        if self.source.user_matching_mode in [
-            SourceUserMatchingModes.EMAIL_LINK,
-            SourceUserMatchingModes.EMAIL_DENY,
-        ]:
-            if not self.user_properties.get("email", None):
-                self._logger.warning("Refusing to use none email")
-                return Action.DENY, None
-            query = Q(email__exact=self.user_properties.get("email", None))
-        if self.source.user_matching_mode in [
-            SourceUserMatchingModes.USERNAME_LINK,
-            SourceUserMatchingModes.USERNAME_DENY,
-        ]:
-            if not self.user_properties.get("username", None):
-                self._logger.warning("Refusing to use none username")
-                return Action.DENY, None
-            query = Q(username__exact=self.user_properties.get("username", None))
-        self._logger.debug("trying to link with existing user", query=query)
-        matching_users = User.objects.filter(query)
-        # No matching users, always enroll
-        if not matching_users.exists():
-            self._logger.debug("no matching users found, enrolling")
-            return Action.ENROLL, self.update_user_connection(new_connection, **kwargs)
-
-        user = matching_users.first()
-        if self.source.user_matching_mode in [
-            SourceUserMatchingModes.EMAIL_LINK,
-            SourceUserMatchingModes.USERNAME_LINK,
-        ]:
-            new_connection.user = user
-            new_connection = self.update_user_connection(new_connection, **kwargs)
-            return Action.LINK, new_connection
-        if self.source.user_matching_mode in [
-            SourceUserMatchingModes.EMAIL_DENY,
-            SourceUserMatchingModes.USERNAME_DENY,
-        ]:
-            self._logger.info("denying source because user exists", user=user)
-            return Action.DENY, None
-        # Should never get here as default enroll case is returned above.
-        return Action.DENY, None  # pragma: no cover
+        action, connection = self.matcher.get_user_action(self.identifier, self.user_properties)
+        if connection:
+            connection = self.update_user_connection(connection, **kwargs)
+        return action, connection
 
     def update_user_connection(
         self, connection: UserSourceConnection, **kwargs
@@ -328,7 +277,6 @@ class SourceFlowManager:
         connection: UserSourceConnection,
     ) -> HttpResponse:
         """Login user and redirect."""
-        flow_kwargs = {PLAN_CONTEXT_PENDING_USER: connection.user}
         return self._prepare_flow(
             self.source.authentication_flow,
             connection,
@@ -342,7 +290,11 @@ class SourceFlowManager:
                     ),
                 )
             ],
-            **flow_kwargs,
+            **{
+                PLAN_CONTEXT_PENDING_USER: connection.user,
+                PLAN_CONTEXT_PROMPT: delete_none_values(self.user_properties),
+                PLAN_CONTEXT_USER_PATH: self.source.get_user_path(),
+            },
         )
 
     def handle_existing_link(
@@ -408,74 +360,16 @@ class SourceFlowManager:
 class GroupUpdateStage(StageView):
     """Dynamically injected stage which updates the user after enrollment/authentication."""
 
-    def get_action(
-        self, group_id: str, group_properties: dict[str, Any | dict[str, Any]]
-    ) -> tuple[Action, GroupSourceConnection | None]:
-        """decide which action should be taken"""
-        new_connection = self.group_connection_type(source=self.source, identifier=group_id)
-
-        existing_connections = self.group_connection_type.objects.filter(
-            source=self.source, identifier=group_id
-        )
-        if existing_connections.exists():
-            return Action.LINK, existing_connections.first()
-        # No connection exists, but we match on identifier, so enroll
-        if self.source.group_matching_mode == SourceGroupMatchingModes.IDENTIFIER:
-            # We don't save the connection here cause it doesn't have a user assigned yet
-            return Action.ENROLL, new_connection
-
-        # Check for existing groups with matching attributes
-        query = Q()
-        if self.source.group_matching_mode in [
-            SourceGroupMatchingModes.NAME_LINK,
-            SourceGroupMatchingModes.NAME_DENY,
-        ]:
-            if not group_properties.get("name", None):
-                LOGGER.warning(
-                    "Refusing to use none group name", source=self.source, group_id=group_id
-                )
-                return Action.DENY, None
-            query = Q(name__exact=group_properties.get("name"))
-        LOGGER.debug(
-            "trying to link with existing group", source=self.source, query=query, group_id=group_id
-        )
-        matching_groups = Group.objects.filter(query)
-        # No matching groups, always enroll
-        if not matching_groups.exists():
-            LOGGER.debug(
-                "no matching groups found, enrolling", source=self.source, group_id=group_id
-            )
-            return Action.ENROLL, new_connection
-
-        group = matching_groups.first()
-        if self.source.group_matching_mode in [
-            SourceGroupMatchingModes.NAME_LINK,
-        ]:
-            new_connection.group = group
-            return Action.LINK, new_connection
-        if self.source.group_matching_mode in [
-            SourceGroupMatchingModes.NAME_DENY,
-        ]:
-            LOGGER.info(
-                "denying source because group exists",
-                source=self.source,
-                group=group,
-                group_id=group_id,
-            )
-            return Action.DENY, None
-        # Should never get here as default enroll case is returned above.
-        return Action.DENY, None  # pragma: no cover
-
     def handle_group(
         self, group_id: str, group_properties: dict[str, Any | dict[str, Any]]
     ) -> Group | None:
-        action, connection = self.get_action(group_id, group_properties)
+        action, connection = self.matcher.get_group_action(group_id, group_properties)
         if action == Action.ENROLL:
             group = Group.objects.create(**group_properties)
             connection.group = group
             connection.save()
             return group
-        elif action == Action.LINK:
+        elif action in (Action.LINK, Action.AUTH):
             group = connection.group
             group.update_attributes(group_properties)
             connection.save()
@@ -489,6 +383,7 @@ class GroupUpdateStage(StageView):
         self.group_connection_type: GroupSourceConnection = (
             self.executor.current_stage.group_connection_type
         )
+        self.matcher = SourceMatcher(self.source, None, self.group_connection_type)
 
         raw_groups: dict[str, dict[str, Any | dict[str, Any]]] = self.executor.plan.context[
             PLAN_CONTEXT_SOURCE_GROUPS

authentik/core/sources/matcher.py

@@ -0,0 +1,152 @@
+"""Source user and group matching"""
+
+from dataclasses import dataclass
+from enum import Enum
+from typing import Any
+
+from django.db.models import Q
+from structlog import get_logger
+
+from authentik.core.models import (
+    Group,
+    GroupSourceConnection,
+    Source,
+    SourceGroupMatchingModes,
+    SourceUserMatchingModes,
+    User,
+    UserSourceConnection,
+)
+
+
+class Action(Enum):
+    """Actions that can be decided based on the request and source settings"""
+
+    LINK = "link"
+    AUTH = "auth"
+    ENROLL = "enroll"
+    DENY = "deny"
+
+
+@dataclass
+class MatchableProperty:
+    property: str
+    link_mode: SourceUserMatchingModes | SourceGroupMatchingModes
+    deny_mode: SourceUserMatchingModes | SourceGroupMatchingModes
+
+
+class SourceMatcher:
+    def __init__(
+        self,
+        source: Source,
+        user_connection_type: type[UserSourceConnection],
+        group_connection_type: type[GroupSourceConnection],
+    ):
+        self.source = source
+        self.user_connection_type = user_connection_type
+        self.group_connection_type = group_connection_type
+        self._logger = get_logger().bind(source=self.source)
+
+    def get_action(
+        self,
+        object_type: type[User | Group],
+        matchable_properties: list[MatchableProperty],
+        identifier: str,
+        properties: dict[str, Any | dict[str, Any]],
+    ) -> tuple[Action, UserSourceConnection | GroupSourceConnection | None]:
+        connection_type = None
+        matching_mode = None
+        identifier_matching_mode = None
+        if object_type == User:
+            connection_type = self.user_connection_type
+            matching_mode = self.source.user_matching_mode
+            identifier_matching_mode = SourceUserMatchingModes.IDENTIFIER
+        if object_type == Group:
+            connection_type = self.group_connection_type
+            matching_mode = self.source.group_matching_mode
+            identifier_matching_mode = SourceGroupMatchingModes.IDENTIFIER
+        if not connection_type or not matching_mode or not identifier_matching_mode:
+            return Action.DENY, None
+
+        new_connection = connection_type(source=self.source, identifier=identifier)
+
+        existing_connections = connection_type.objects.filter(
+            source=self.source, identifier=identifier
+        )
+        if existing_connections.exists():
+            return Action.AUTH, existing_connections.first()
+        # No connection exists, but we match on identifier, so enroll
+        if matching_mode == identifier_matching_mode:
+            # We don't save the connection here cause it doesn't have a user/group assigned yet
+            return Action.ENROLL, new_connection
+
+        # Check for existing users with matching attributes
+        query = Q()
+        for matchable_property in matchable_properties:
+            property = matchable_property.property
+            if matching_mode in [matchable_property.link_mode, matchable_property.deny_mode]:
+                if not properties.get(property, None):
+                    self._logger.warning(
+                        "Refusing to use none property", identifier=identifier, property=property
+                    )
+                    return Action.DENY, None
+                query_args = {
+                    f"{property}__exact": properties[property],
+                }
+                query = Q(**query_args)
+        self._logger.debug(
+            "Trying to link with existing object", query=query, identifier=identifier
+        )
+        matching_objects = object_type.objects.filter(query)
+        # Not matching objects, always enroll
+        if not matching_objects.exists():
+            self._logger.debug("No matching objects found, enrolling")
+            return Action.ENROLL, new_connection
+
+        obj = matching_objects.first()
+        if matching_mode in [mp.link_mode for mp in matchable_properties]:
+            attr = None
+            if object_type == User:
+                attr = "user"
+            if object_type == Group:
+                attr = "group"
+            setattr(new_connection, attr, obj)
+            return Action.LINK, new_connection
+        if matching_mode in [mp.deny_mode for mp in matchable_properties]:
+            self._logger.info("Denying source because object exists", obj=obj)
+            return Action.DENY, None
+
+        # Should never get here as default enroll case is returned above.
+        return Action.DENY, None  # pragma: no cover
+
+    def get_user_action(
+        self, identifier: str, properties: dict[str, Any | dict[str, Any]]
+    ) -> tuple[Action, UserSourceConnection | None]:
+        return self.get_action(
+            User,
+            [
+                MatchableProperty(
+                    "username",
+                    SourceUserMatchingModes.USERNAME_LINK,
+                    SourceUserMatchingModes.USERNAME_DENY,
+                ),
+                MatchableProperty(
+                    "email", SourceUserMatchingModes.EMAIL_LINK, SourceUserMatchingModes.EMAIL_DENY
+                ),
+            ],
+            identifier,
+            properties,
+        )
+
+    def get_group_action(
+        self, identifier: str, properties: dict[str, Any | dict[str, Any]]
+    ) -> tuple[Action, GroupSourceConnection | None]:
+        return self.get_action(
+            Group,
+            [
+                MatchableProperty(
+                    "name", SourceGroupMatchingModes.NAME_LINK, SourceGroupMatchingModes.NAME_DENY
+                ),
+            ],
+            identifier,
+            properties,
+        )

authentik/core/templates/base/skeleton.html

@@ -15,8 +15,8 @@
         {% endblock %}
         <link rel="stylesheet" type="text/css" href="{% static 'dist/authentik.css' %}">
         <link rel="stylesheet" type="text/css" href="{% static 'dist/custom.css' %}" data-inject>
-        {% versioned_script "dist/poly-%v.js" %}
-        {% versioned_script "dist/standalone/loading/index-%v.js" %}
+        <script src="{% versioned_script 'dist/poly-%v.js' %}" type="module"></script>
+        <script src="{% versioned_script 'dist/standalone/loading/index-%v.js' %}" type="module"></script>
         {% block head %}
         {% endblock %}
         <meta name="sentry-trace" content="{{ sentry_trace }}" />

authentik/core/templates/if/admin.html

@@ -3,7 +3,7 @@
 {% load authentik_core %}
 
 {% block head %}
-{% versioned_script "dist/admin/AdminInterface-%v.js" %}
+<script src="{% versioned_script 'dist/admin/AdminInterface-%v.js' %}" type="module"></script>
 <meta name="theme-color" content="#18191a" media="(prefers-color-scheme: dark)">
 <meta name="theme-color" content="#ffffff" media="(prefers-color-scheme: light)">
 {% include "base/header_js.html" %}

authentik/core/templates/if/end_session.html

@@ -1,43 +0,0 @@
-{% extends 'login/base_full.html' %}
-
-{% load static %}
-{% load i18n %}
-
-{% block title %}
-{% trans 'End session' %} - {{ brand.branding_title }}
-{% endblock %}
-
-{% block card_title %}
-{% blocktrans with application=application.name %}
-You've logged out of {{ application }}.
-{% endblocktrans %}
-{% endblock %}
-
-{% block card %}
-<form method="POST" class="pf-c-form">
-    <p>
-        {% blocktrans with application=application.name branding_title=brand.branding_title %}
-            You've logged out of {{ application }}. You can go back to the overview to launch another application, or log out of your {{ branding_title }} account.
-        {% endblocktrans %}
-    </p>
-
-    <a id="ak-back-home" href="{% url 'authentik_core:root-redirect' %}" class="pf-c-button pf-m-primary">
-        {% trans 'Go back to overview' %}
-    </a>
-
-    <a id="logout" href="{% url 'authentik_flows:default-invalidation' %}" class="pf-c-button pf-m-secondary">
-        {% blocktrans with branding_title=brand.branding_title %}
-            Log out of {{ branding_title }}
-        {% endblocktrans %}
-    </a>
-
-    {% if application.get_launch_url %}
-    <a href="{{ application.get_launch_url }}" class="pf-c-button pf-m-secondary">
-        {% blocktrans with application=application.name %}
-            Log back into {{ application }}
-        {% endblocktrans %}
-    </a>
-    {% endif %}
-
-</form>
-{% endblock %}

authentik/core/templates/if/user.html

@@ -3,7 +3,7 @@
 {% load authentik_core %}
 
 {% block head %}
-{% versioned_script "dist/user/UserInterface-%v.js" %}
+<script src="{% versioned_script 'dist/user/UserInterface-%v.js' %}" type="module"></script>
 <meta name="theme-color" content="#1c1e21" media="(prefers-color-scheme: light)">
 <meta name="theme-color" content="#1c1e21" media="(prefers-color-scheme: dark)">
 {% include "base/header_js.html" %}

authentik/core/templatetags/authentik_core.py

@@ -2,7 +2,6 @@
 
 from django import template
 from django.templatetags.static import static as static_loader
-from django.utils.safestring import mark_safe
 
 from authentik import get_full_version
 
@@ -12,10 +11,4 @@ register = template.Library()
 @register.simple_tag()
 def versioned_script(path: str) -> str:
     """Wrapper around {% static %} tag that supports setting the version"""
-    returned_lines = [
-        (
-            f'<script src="{static_loader(path.replace("%v", get_full_version()))}'
-            '" type="module"></script>'
-        ),
-    ]
-    return mark_safe("".join(returned_lines))  # nosec
+    return static_loader(path.replace("%v", get_full_version()))

authentik/core/tests/test_applications_api.py

@@ -9,9 +9,12 @@ from rest_framework.test import APITestCase
 
 from authentik.core.models import Application
 from authentik.core.tests.utils import create_test_admin_user, create_test_flow
+from authentik.lib.generators import generate_id
 from authentik.policies.dummy.models import DummyPolicy
 from authentik.policies.models import PolicyBinding
-from authentik.providers.oauth2.models import OAuth2Provider
+from authentik.providers.oauth2.models import OAuth2Provider, RedirectURI, RedirectURIMatchingMode
+from authentik.providers.proxy.models import ProxyProvider
+from authentik.providers.saml.models import SAMLProvider
 
 
 class TestApplicationsAPI(APITestCase):
@@ -21,7 +24,7 @@ class TestApplicationsAPI(APITestCase):
         self.user = create_test_admin_user()
         self.provider = OAuth2Provider.objects.create(
             name="test",
-            redirect_uris="http://some-other-domain",
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://some-other-domain")],
             authorization_flow=create_test_flow(),
         )
         self.allowed: Application = Application.objects.create(
@@ -131,6 +134,7 @@ class TestApplicationsAPI(APITestCase):
                             "assigned_application_name": "allowed",
                             "assigned_application_slug": "allowed",
                             "authentication_flow": None,
+                            "invalidation_flow": None,
                             "authorization_flow": str(self.provider.authorization_flow.pk),
                             "component": "ak-provider-oauth2-form",
                             "meta_model_name": "authentik_providers_oauth2.oauth2provider",
@@ -183,6 +187,7 @@ class TestApplicationsAPI(APITestCase):
                             "assigned_application_name": "allowed",
                             "assigned_application_slug": "allowed",
                             "authentication_flow": None,
+                            "invalidation_flow": None,
                             "authorization_flow": str(self.provider.authorization_flow.pk),
                             "component": "ak-provider-oauth2-form",
                             "meta_model_name": "authentik_providers_oauth2.oauth2provider",
@@ -222,3 +227,31 @@ class TestApplicationsAPI(APITestCase):
                 ],
             },
         )
+
+    def test_get_provider(self):
+        """Ensure that proxy providers (at the time of writing that is the only provider
+        that inherits from another proxy type (OAuth) instead of inheriting from the root
+        provider class) is correctly looked up and selected from the database"""
+        slug = generate_id()
+        provider = ProxyProvider.objects.create(name=generate_id())
+        Application.objects.create(
+            name=generate_id(),
+            slug=slug,
+            provider=provider,
+        )
+        self.assertEqual(Application.objects.get(slug=slug).get_provider(), provider)
+        self.assertEqual(
+            Application.objects.with_provider().get(slug=slug).get_provider(), provider
+        )
+
+        slug = generate_id()
+        provider = SAMLProvider.objects.create(name=generate_id())
+        Application.objects.create(
+            name=generate_id(),
+            slug=slug,
+            provider=provider,
+        )
+        self.assertEqual(Application.objects.get(slug=slug).get_provider(), provider)
+        self.assertEqual(
+            Application.objects.with_provider().get(slug=slug).get_provider(), provider
+        )

authentik/core/tests/test_devices_api.py

@@ -0,0 +1,59 @@
+"""Test Devices API"""
+
+from json import loads
+
+from django.urls import reverse
+from rest_framework.test import APITestCase
+
+from authentik.core.tests.utils import create_test_admin_user, create_test_user
+
+
+class TestDevicesAPI(APITestCase):
+    """Test applications API"""
+
+    def setUp(self) -> None:
+        self.admin = create_test_admin_user()
+        self.user1 = create_test_user()
+        self.device1 = self.user1.staticdevice_set.create()
+        self.user2 = create_test_user()
+        self.device2 = self.user2.staticdevice_set.create()
+
+    def test_user_api(self):
+        """Test user API"""
+        self.client.force_login(self.user1)
+        response = self.client.get(
+            reverse(
+                "authentik_api:device-list",
+            )
+        )
+        self.assertEqual(response.status_code, 200)
+        body = loads(response.content.decode())
+        self.assertEqual(len(body), 1)
+        self.assertEqual(body[0]["pk"], str(self.device1.pk))
+
+    def test_user_api_as_admin(self):
+        """Test user API"""
+        self.client.force_login(self.admin)
+        response = self.client.get(
+            reverse(
+                "authentik_api:device-list",
+            )
+        )
+        self.assertEqual(response.status_code, 200)
+        body = loads(response.content.decode())
+        self.assertEqual(len(body), 0)
+
+    def test_admin_api(self):
+        """Test admin API"""
+        self.client.force_login(self.admin)
+        response = self.client.get(
+            reverse(
+                "authentik_api:admin-device-list",
+            )
+        )
+        self.assertEqual(response.status_code, 200)
+        body = loads(response.content.decode())
+        self.assertEqual(len(body), 2)
+        self.assertEqual(
+            {body[0]["pk"], body[1]["pk"]}, {str(self.device1.pk), str(self.device2.pk)}
+        )

authentik/core/tests/test_impersonation.py

@@ -3,10 +3,10 @@
 from json import loads
 
 from django.urls import reverse
+from guardian.shortcuts import assign_perm
 from rest_framework.test import APITestCase
 
-from authentik.core.models import User
-from authentik.core.tests.utils import create_test_admin_user
+from authentik.core.tests.utils import create_test_admin_user, create_test_user
 from authentik.tenants.utils import get_current_tenant
 
 
@@ -15,7 +15,7 @@ class TestImpersonation(APITestCase):
 
     def setUp(self) -> None:
         super().setUp()
-        self.other_user = User.objects.create(username="to-impersonate")
+        self.other_user = create_test_user()
         self.user = create_test_admin_user()
 
     def test_impersonate_simple(self):
@@ -44,6 +44,46 @@ class TestImpersonation(APITestCase):
         self.assertEqual(response_body["user"]["username"], self.user.username)
         self.assertNotIn("original", response_body)
 
+    def test_impersonate_global(self):
+        """Test impersonation with global permissions"""
+        new_user = create_test_user()
+        assign_perm("authentik_core.impersonate", new_user)
+        assign_perm("authentik_core.view_user", new_user)
+        self.client.force_login(new_user)
+
+        response = self.client.post(
+            reverse(
+                "authentik_api:user-impersonate",
+                kwargs={"pk": self.other_user.pk},
+            )
+        )
+        self.assertEqual(response.status_code, 201)
+
+        response = self.client.get(reverse("authentik_api:user-me"))
+        response_body = loads(response.content.decode())
+        self.assertEqual(response_body["user"]["username"], self.other_user.username)
+        self.assertEqual(response_body["original"]["username"], new_user.username)
+
+    def test_impersonate_scoped(self):
+        """Test impersonation with scoped permissions"""
+        new_user = create_test_user()
+        assign_perm("authentik_core.impersonate", new_user, self.other_user)
+        assign_perm("authentik_core.view_user", new_user, self.other_user)
+        self.client.force_login(new_user)
+
+        response = self.client.post(
+            reverse(
+                "authentik_api:user-impersonate",
+                kwargs={"pk": self.other_user.pk},
+            )
+        )
+        self.assertEqual(response.status_code, 201)
+
+        response = self.client.get(reverse("authentik_api:user-me"))
+        response_body = loads(response.content.decode())
+        self.assertEqual(response_body["user"]["username"], self.other_user.username)
+        self.assertEqual(response_body["original"]["username"], new_user.username)
+
     def test_impersonate_denied(self):
         """test impersonation without permissions"""
         self.client.force_login(self.other_user)

authentik/core/tests/test_source_flow_manager.py

@@ -81,6 +81,22 @@ class TestSourceFlowManager(TestCase):
             reverse("authentik_core:if-user") + "#/settings;page-sources",
         )
 
+    def test_authenticated_auth(self):
+        """Test authenticated user linking"""
+        user = User.objects.create(username="foo", email="foo@bar.baz")
+        UserOAuthSourceConnection.objects.create(
+            user=user, source=self.source, identifier=self.identifier
+        )
+        request = get_request("/", user=user)
+        flow_manager = OAuthSourceFlowManager(
+            self.source, request, self.identifier, {"info": {}}, {}
+        )
+        action, connection = flow_manager.get_action()
+        self.assertEqual(action, Action.AUTH)
+        self.assertIsNotNone(connection.pk)
+        response = flow_manager.get_flow()
+        self.assertEqual(response.status_code, 302)
+
     def test_unauthenticated_link(self):
         """Test un-authenticated user linking"""
         flow_manager = OAuthSourceFlowManager(

authentik/core/tests/test_transactional_applications_api.py

@@ -19,7 +19,6 @@ class TestTransactionalApplicationsAPI(APITestCase):
         """Test transactional Application + provider creation"""
         self.client.force_login(self.user)
         uid = generate_id()
-        authorization_flow = create_test_flow()
         response = self.client.put(
             reverse("authentik_api:core-transactional-application"),
             data={
@@ -30,7 +29,9 @@ class TestTransactionalApplicationsAPI(APITestCase):
                 "provider_model": "authentik_providers_oauth2.oauth2provider",
                 "provider": {
                     "name": uid,
-                    "authorization_flow": str(authorization_flow.pk),
+                    "authorization_flow": str(create_test_flow().pk),
+                    "invalidation_flow": str(create_test_flow().pk),
+                    "redirect_uris": [],
                 },
             },
         )
@@ -56,10 +57,17 @@ class TestTransactionalApplicationsAPI(APITestCase):
                 "provider": {
                     "name": uid,
                     "authorization_flow": "",
+                    "invalidation_flow": "",
+                    "redirect_uris": [],
                 },
             },
         )
         self.assertJSONEqual(
             response.content.decode(),
-            {"provider": {"authorization_flow": ["This field may not be null."]}},
+            {
+                "provider": {
+                    "authorization_flow": ["This field may not be null."],
+                    "invalidation_flow": ["This field may not be null."],
+                }
+            },
         )

authentik/core/urls.py

@@ -5,7 +5,6 @@ from channels.sessions import CookieMiddleware
 from django.conf import settings
 from django.contrib.auth.decorators import login_required
 from django.urls import path
-from django.views.decorators.csrf import ensure_csrf_cookie
 
 from authentik.core.api.applications import ApplicationViewSet
 from authentik.core.api.authenticated_sessions import AuthenticatedSessionViewSet
@@ -24,7 +23,6 @@ from authentik.core.views.interface import (
     InterfaceView,
     RootRedirectView,
 )
-from authentik.core.views.session import EndSessionView
 from authentik.flows.views.interface import FlowInterfaceView
 from authentik.root.asgi_middleware import SessionMiddleware
 from authentik.root.messages.consumer import MessageConsumer
@@ -45,26 +43,21 @@ urlpatterns = [
     # Interfaces
     path(
         "if/admin/",
-        ensure_csrf_cookie(BrandDefaultRedirectView.as_view(template_name="if/admin.html")),
+        BrandDefaultRedirectView.as_view(template_name="if/admin.html"),
         name="if-admin",
     ),
     path(
         "if/user/",
-        ensure_csrf_cookie(BrandDefaultRedirectView.as_view(template_name="if/user.html")),
+        BrandDefaultRedirectView.as_view(template_name="if/user.html"),
         name="if-user",
     ),
     path(
         "if/flow/<slug:flow_slug>/",
         # FIXME: move this url to the flows app...also will cause all
         # of the reverse calls to be adjusted
-        ensure_csrf_cookie(FlowInterfaceView.as_view()),
+        FlowInterfaceView.as_view(),
         name="if-flow",
     ),
-    path(
-        "if/session-end/<slug:application_slug>/",
-        ensure_csrf_cookie(EndSessionView.as_view()),
-        name="if-session-end",
-    ),
     # Fallback for WS
     path("ws/outpost/<uuid:pk>/", InterfaceView.as_view(template_name="if/admin.html")),
     path(

authentik/core/views/session.py

@@ -1,23 +0,0 @@
-"""authentik Session Views"""
-
-from typing import Any
-
-from django.shortcuts import get_object_or_404
-from django.views.generic.base import TemplateView
-
-from authentik.core.models import Application
-from authentik.policies.views import PolicyAccessView
-
-
-class EndSessionView(TemplateView, PolicyAccessView):
-    """Allow the client to end the Session"""
-
-    template_name = "if/end_session.html"
-
-    def resolve_provider_application(self):
-        self.application = get_object_or_404(Application, slug=self.kwargs["application_slug"])
-
-    def get_context_data(self, **kwargs: Any) -> dict[str, Any]:
-        context = super().get_context_data(**kwargs)
-        context["application"] = self.application
-        return context

authentik/crypto/api.py

@@ -24,6 +24,7 @@ from rest_framework.fields import (
 from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.request import Request
 from rest_framework.response import Response
+from rest_framework.validators import UniqueValidator
 from rest_framework.viewsets import ModelViewSet
 from structlog.stdlib import get_logger
 
@@ -181,7 +182,10 @@ class CertificateDataSerializer(PassiveSerializer):
 class CertificateGenerationSerializer(PassiveSerializer):
     """Certificate generation parameters"""
 
-    common_name = CharField()
+    common_name = CharField(
+        validators=[UniqueValidator(queryset=CertificateKeyPair.objects.all())],
+        source="name",
+    )
     subject_alt_name = CharField(required=False, allow_blank=True, label=_("Subject-alt name"))
     validity_days = IntegerField(initial=365)
     alg = ChoiceField(default=PrivateKeyAlg.RSA, choices=PrivateKeyAlg.choices)
@@ -242,11 +246,10 @@ class CertificateKeyPairViewSet(UsedByMixin, ModelViewSet):
     def generate(self, request: Request) -> Response:
         """Generate a new, self-signed certificate-key pair"""
         data = CertificateGenerationSerializer(data=request.data)
-        if not data.is_valid():
-            return Response(data.errors, status=400)
+        data.is_valid(raise_exception=True)
         raw_san = data.validated_data.get("subject_alt_name", "")
         sans = raw_san.split(",") if raw_san != "" else []
-        builder = CertificateBuilder(data.validated_data["common_name"])
+        builder = CertificateBuilder(data.validated_data["name"])
         builder.alg = data.validated_data["alg"]
         builder.build(
             subject_alt_names=sans,

authentik/crypto/tests.py

@@ -18,7 +18,7 @@ from authentik.crypto.models import CertificateKeyPair
 from authentik.crypto.tasks import MANAGED_DISCOVERED, certificate_discovery
 from authentik.lib.config import CONFIG
 from authentik.lib.generators import generate_id, generate_key
-from authentik.providers.oauth2.models import OAuth2Provider
+from authentik.providers.oauth2.models import OAuth2Provider, RedirectURI, RedirectURIMatchingMode
 
 
 class TestCrypto(APITestCase):
@@ -89,6 +89,17 @@ class TestCrypto(APITestCase):
         self.assertIsInstance(ext[1], DNSName)
         self.assertEqual(ext[1].value, "baz")
 
+    def test_builder_api_duplicate(self):
+        """Test Builder (via API)"""
+        cert = create_test_cert()
+        self.client.force_login(create_test_admin_user())
+        res = self.client.post(
+            reverse("authentik_api:certificatekeypair-generate"),
+            data={"common_name": cert.name, "subject_alt_name": "bar,baz", "validity_days": 3},
+        )
+        self.assertEqual(res.status_code, 400)
+        self.assertJSONEqual(res.content, {"common_name": ["This field must be unique."]})
+
     def test_builder_api_empty_san(self):
         """Test Builder (via API)"""
         self.client.force_login(create_test_admin_user())
@@ -263,7 +274,7 @@ class TestCrypto(APITestCase):
             client_id="test",
             client_secret=generate_key(),
             authorization_flow=create_test_flow(),
-            redirect_uris="http://localhost",
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost")],
             signing_key=keypair,
         )
         response = self.client.get(
@@ -295,7 +306,7 @@ class TestCrypto(APITestCase):
             client_id="test",
             client_secret=generate_key(),
             authorization_flow=create_test_flow(),
-            redirect_uris="http://localhost",
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost")],
             signing_key=keypair,
         )
         response = self.client.get(

authentik/enterprise/api.py

@@ -18,7 +18,7 @@ from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import ModelSerializer, PassiveSerializer
 from authentik.core.models import User, UserTypes
 from authentik.enterprise.license import LicenseKey, LicenseSummarySerializer
-from authentik.enterprise.models import License, LicenseUsageStatus
+from authentik.enterprise.models import License
 from authentik.rbac.decorators import permission_required
 from authentik.tenants.utils import get_unique_identifier
 
@@ -29,7 +29,7 @@ class EnterpriseRequiredMixin:
 
     def validate(self, attrs: dict) -> dict:
         """Check that a valid license exists"""
-        if LicenseKey.cached_summary().status != LicenseUsageStatus.UNLICENSED:
+        if not LicenseKey.cached_summary().status.is_valid:
             raise ValidationError(_("Enterprise is required to create/update this object."))
         return super().validate(attrs)
 

authentik/enterprise/apps.py

@@ -25,4 +25,4 @@ class AuthentikEnterpriseConfig(EnterpriseConfig):
         """Actual enterprise check, cached"""
         from authentik.enterprise.license import LicenseKey
 
-        return LicenseKey.cached_summary().status
+        return LicenseKey.cached_summary().status.is_valid

authentik/enterprise/license.py

@@ -117,10 +117,13 @@ class LicenseKey:
                     our_cert.public_key(),
                     algorithms=["ES512"],
                     audience=get_license_aud(),
-                    options={"verify_exp": check_expiry},
+                    options={"verify_exp": check_expiry, "verify_signature": check_expiry},
                 ),
             )
         except PyJWTError:
+            unverified = decode(jwt, options={"verify_signature": False})
+            if unverified["aud"] != get_license_aud():
+                raise ValidationError("Invalid Install ID in license") from None
             raise ValidationError("Unable to verify license") from None
         return body
 
@@ -134,7 +137,7 @@ class LicenseKey:
             exp_ts = int(mktime(lic.expiry.timetuple()))
             if total.exp == 0:
                 total.exp = exp_ts
-            total.exp = min(total.exp, exp_ts)
+            total.exp = max(total.exp, exp_ts)
             total.license_flags.extend(lic.status.license_flags)
         return total
 

authentik/enterprise/providers/rac/api/providers.py

@@ -16,13 +16,28 @@ class RACProviderSerializer(EnterpriseRequiredMixin, ProviderSerializer):
 
     class Meta:
         model = RACProvider
-        fields = ProviderSerializer.Meta.fields + [
+        fields = [
+            "pk",
+            "name",
+            "authentication_flow",
+            "authorization_flow",
+            "property_mappings",
+            "component",
+            "assigned_application_slug",
+            "assigned_application_name",
+            "assigned_backchannel_application_slug",
+            "assigned_backchannel_application_name",
+            "verbose_name",
+            "verbose_name_plural",
+            "meta_model_name",
             "settings",
             "outpost_set",
             "connection_expiry",
             "delete_token_on_disconnect",
         ]
-        extra_kwargs = ProviderSerializer.Meta.extra_kwargs
+        extra_kwargs = {
+            "authorization_flow": {"required": True, "allow_null": False},
+        }
 
 
 class RACProviderViewSet(UsedByMixin, ModelViewSet):

authentik/enterprise/providers/rac/templates/if/rac.html

@@ -3,7 +3,7 @@
 {% load authentik_core %}
 
 {% block head %}
-{% versioned_script "dist/enterprise/rac/index-%v.js" %}
+<script src="{% versioned_script 'dist/enterprise/rac/index-%v.js' %}" type="module"></script>
 <meta name="theme-color" content="#18191a" media="(prefers-color-scheme: dark)">
 <meta name="theme-color" content="#ffffff" media="(prefers-color-scheme: light)">
 <link rel="icon" href="{{ tenant.branding_favicon }}">

authentik/enterprise/providers/rac/tests/test_api.py

@@ -0,0 +1,46 @@
+"""Test RAC Provider"""
+
+from datetime import timedelta
+from time import mktime
+from unittest.mock import MagicMock, patch
+
+from django.urls import reverse
+from django.utils.timezone import now
+from rest_framework.test import APITestCase
+
+from authentik.core.tests.utils import create_test_admin_user, create_test_flow
+from authentik.enterprise.license import LicenseKey
+from authentik.enterprise.models import License
+from authentik.lib.generators import generate_id
+
+
+class TestAPI(APITestCase):
+    """Test Provider API"""
+
+    def setUp(self) -> None:
+        self.user = create_test_admin_user()
+
+    @patch(
+        "authentik.enterprise.license.LicenseKey.validate",
+        MagicMock(
+            return_value=LicenseKey(
+                aud="",
+                exp=int(mktime((now() + timedelta(days=3000)).timetuple())),
+                name=generate_id(),
+                internal_users=100,
+                external_users=100,
+            )
+        ),
+    )
+    def test_create(self):
+        """Test creation of RAC Provider"""
+        License.objects.create(key=generate_id())
+        self.client.force_login(self.user)
+        response = self.client.post(
+            reverse("authentik_api:racprovider-list"),
+            data={
+                "name": generate_id(),
+                "authorization_flow": create_test_flow().pk,
+            },
+        )
+        self.assertEqual(response.status_code, 201)

authentik/enterprise/providers/rac/urls.py

@@ -3,7 +3,6 @@
 from channels.auth import AuthMiddleware
 from channels.sessions import CookieMiddleware
 from django.urls import path
-from django.views.decorators.csrf import ensure_csrf_cookie
 
 from authentik.enterprise.providers.rac.api.connection_tokens import ConnectionTokenViewSet
 from authentik.enterprise.providers.rac.api.endpoints import EndpointViewSet
@@ -19,12 +18,12 @@ from authentik.root.middleware import ChannelsLoggingMiddleware
 urlpatterns = [
     path(
         "application/rac/<slug:app>/<uuid:endpoint>/",
-        ensure_csrf_cookie(RACStartView.as_view()),
+        RACStartView.as_view(),
         name="start",
     ),
     path(
         "if/rac/<str:token>/",
-        ensure_csrf_cookie(RACInterface.as_view()),
+        RACInterface.as_view(),
         name="if-rac",
     ),
 ]

authentik/enterprise/settings.py

@@ -17,6 +17,7 @@ TENANT_APPS = [
     "authentik.enterprise.providers.google_workspace",
     "authentik.enterprise.providers.microsoft_entra",
     "authentik.enterprise.providers.rac",
+    "authentik.enterprise.stages.authenticator_endpoint_gdtc",
     "authentik.enterprise.stages.source",
 ]
 

authentik/enterprise/signals.py

@@ -3,7 +3,7 @@
 from datetime import datetime
 
 from django.core.cache import cache
-from django.db.models.signals import post_save, pre_save
+from django.db.models.signals import post_delete, post_save, pre_save
 from django.dispatch import receiver
 from django.utils.timezone import get_current_timezone
 
@@ -27,3 +27,9 @@ def post_save_license(sender: type[License], instance: License, **_):
     """Trigger license usage calculation when license is saved"""
     cache.delete(CACHE_KEY_ENTERPRISE_LICENSE)
     enterprise_update_usage.delay()
+
+
+@receiver(post_delete, sender=License)
+def post_delete_license(sender: type[License], instance: License, **_):
+    """Clear license cache when license is deleted"""
+    cache.delete(CACHE_KEY_ENTERPRISE_LICENSE)

authentik/enterprise/stages/authenticator_endpoint_gdtc/api.py

@@ -0,0 +1,82 @@
+"""AuthenticatorEndpointGDTCStage API Views"""
+
+from django_filters.rest_framework.backends import DjangoFilterBackend
+from rest_framework import mixins
+from rest_framework.filters import OrderingFilter, SearchFilter
+from rest_framework.permissions import IsAdminUser
+from rest_framework.serializers import ModelSerializer
+from rest_framework.viewsets import GenericViewSet, ModelViewSet
+from structlog.stdlib import get_logger
+
+from authentik.api.authorization import OwnerFilter, OwnerPermissions
+from authentik.core.api.used_by import UsedByMixin
+from authentik.enterprise.api import EnterpriseRequiredMixin
+from authentik.enterprise.stages.authenticator_endpoint_gdtc.models import (
+    AuthenticatorEndpointGDTCStage,
+    EndpointDevice,
+)
+from authentik.flows.api.stages import StageSerializer
+
+LOGGER = get_logger()
+
+
+class AuthenticatorEndpointGDTCStageSerializer(EnterpriseRequiredMixin, StageSerializer):
+    """AuthenticatorEndpointGDTCStage Serializer"""
+
+    class Meta:
+        model = AuthenticatorEndpointGDTCStage
+        fields = StageSerializer.Meta.fields + [
+            "configure_flow",
+            "friendly_name",
+            "credentials",
+        ]
+
+
+class AuthenticatorEndpointGDTCStageViewSet(UsedByMixin, ModelViewSet):
+    """AuthenticatorEndpointGDTCStage Viewset"""
+
+    queryset = AuthenticatorEndpointGDTCStage.objects.all()
+    serializer_class = AuthenticatorEndpointGDTCStageSerializer
+    filterset_fields = [
+        "name",
+        "configure_flow",
+    ]
+    search_fields = ["name"]
+    ordering = ["name"]
+
+
+class EndpointDeviceSerializer(ModelSerializer):
+    """Serializer for Endpoint authenticator devices"""
+
+    class Meta:
+        model = EndpointDevice
+        fields = ["pk", "name"]
+        depth = 2
+
+
+class EndpointDeviceViewSet(
+    mixins.RetrieveModelMixin,
+    mixins.ListModelMixin,
+    UsedByMixin,
+    GenericViewSet,
+):
+    """Viewset for Endpoint authenticator devices"""
+
+    queryset = EndpointDevice.objects.all()
+    serializer_class = EndpointDeviceSerializer
+    search_fields = ["name"]
+    filterset_fields = ["name"]
+    ordering = ["name"]
+    permission_classes = [OwnerPermissions]
+    filter_backends = [OwnerFilter, DjangoFilterBackend, OrderingFilter, SearchFilter]
+
+
+class EndpointAdminDeviceViewSet(ModelViewSet):
+    """Viewset for Endpoint authenticator devices (for admins)"""
+
+    permission_classes = [IsAdminUser]
+    queryset = EndpointDevice.objects.all()
+    serializer_class = EndpointDeviceSerializer
+    search_fields = ["name"]
+    filterset_fields = ["name"]
+    ordering = ["name"]

authentik/enterprise/stages/authenticator_endpoint_gdtc/apps.py

@@ -0,0 +1,13 @@
+"""authentik Endpoint app config"""
+
+from authentik.enterprise.apps import EnterpriseConfig
+
+
+class AuthentikStageAuthenticatorEndpointConfig(EnterpriseConfig):
+    """authentik endpoint config"""
+
+    name = "authentik.enterprise.stages.authenticator_endpoint_gdtc"
+    label = "authentik_stages_authenticator_endpoint_gdtc"
+    verbose_name = "authentik Enterprise.Stages.Authenticator.Endpoint GDTC"
+    default = True
+    mountpoint = "endpoint/gdtc/"

authentik/enterprise/stages/authenticator_endpoint_gdtc/migrations/0001_initial.py

@@ -0,0 +1,115 @@
+# Generated by Django 5.0.9 on 2024-10-22 11:40
+
+import django.db.models.deletion
+import uuid
+from django.conf import settings
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    initial = True
+
+    dependencies = [
+        ("authentik_flows", "0027_auto_20231028_1424"),
+        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name="AuthenticatorEndpointGDTCStage",
+            fields=[
+                (
+                    "stage_ptr",
+                    models.OneToOneField(
+                        auto_created=True,
+                        on_delete=django.db.models.deletion.CASCADE,
+                        parent_link=True,
+                        primary_key=True,
+                        serialize=False,
+                        to="authentik_flows.stage",
+                    ),
+                ),
+                ("friendly_name", models.TextField(null=True)),
+                ("credentials", models.JSONField()),
+                (
+                    "configure_flow",
+                    models.ForeignKey(
+                        blank=True,
+                        help_text="Flow used by an authenticated user to configure this Stage. If empty, user will not be able to configure this stage.",
+                        null=True,
+                        on_delete=django.db.models.deletion.SET_NULL,
+                        to="authentik_flows.flow",
+                    ),
+                ),
+            ],
+            options={
+                "verbose_name": "Endpoint Authenticator Google Device Trust Connector Stage",
+                "verbose_name_plural": "Endpoint Authenticator Google Device Trust Connector Stages",
+            },
+            bases=("authentik_flows.stage", models.Model),
+        ),
+        migrations.CreateModel(
+            name="EndpointDevice",
+            fields=[
+                ("created", models.DateTimeField(auto_now_add=True)),
+                ("last_updated", models.DateTimeField(auto_now=True)),
+                (
+                    "name",
+                    models.CharField(
+                        help_text="The human-readable name of this device.", max_length=64
+                    ),
+                ),
+                (
+                    "confirmed",
+                    models.BooleanField(default=True, help_text="Is this device ready for use?"),
+                ),
+                ("last_used", models.DateTimeField(null=True)),
+                ("uuid", models.UUIDField(default=uuid.uuid4, primary_key=True, serialize=False)),
+                (
+                    "host_identifier",
+                    models.TextField(
+                        help_text="A unique identifier for the endpoint device, usually the device serial number",
+                        unique=True,
+                    ),
+                ),
+                ("data", models.JSONField()),
+                (
+                    "user",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE, to=settings.AUTH_USER_MODEL
+                    ),
+                ),
+            ],
+            options={
+                "verbose_name": "Endpoint Device",
+                "verbose_name_plural": "Endpoint Devices",
+            },
+        ),
+        migrations.CreateModel(
+            name="EndpointDeviceConnection",
+            fields=[
+                (
+                    "id",
+                    models.AutoField(
+                        auto_created=True, primary_key=True, serialize=False, verbose_name="ID"
+                    ),
+                ),
+                ("attributes", models.JSONField()),
+                (
+                    "device",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE,
+                        to="authentik_stages_authenticator_endpoint_gdtc.endpointdevice",
+                    ),
+                ),
+                (
+                    "stage",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE,
+                        to="authentik_stages_authenticator_endpoint_gdtc.authenticatorendpointgdtcstage",
+                    ),
+                ),
+            ],
+        ),
+    ]

authentik/enterprise/stages/authenticator_endpoint_gdtc/models.py

@@ -0,0 +1,101 @@
+"""Endpoint stage"""
+
+from uuid import uuid4
+
+from django.contrib.auth import get_user_model
+from django.db import models
+from django.utils.translation import gettext_lazy as _
+from google.oauth2.service_account import Credentials
+from rest_framework.serializers import BaseSerializer, Serializer
+
+from authentik.core.types import UserSettingSerializer
+from authentik.flows.models import ConfigurableStage, FriendlyNamedStage, Stage
+from authentik.flows.stage import StageView
+from authentik.lib.models import SerializerModel
+from authentik.stages.authenticator.models import Device
+
+
+class AuthenticatorEndpointGDTCStage(ConfigurableStage, FriendlyNamedStage, Stage):
+    """Setup Google Chrome Device-trust connection"""
+
+    credentials = models.JSONField()
+
+    def google_credentials(self):
+        return {
+            "credentials": Credentials.from_service_account_info(
+                self.credentials, scopes=["https://www.googleapis.com/auth/verifiedaccess"]
+            ),
+        }
+
+    @property
+    def serializer(self) -> type[BaseSerializer]:
+        from authentik.enterprise.stages.authenticator_endpoint_gdtc.api import (
+            AuthenticatorEndpointGDTCStageSerializer,
+        )
+
+        return AuthenticatorEndpointGDTCStageSerializer
+
+    @property
+    def view(self) -> type[StageView]:
+        from authentik.enterprise.stages.authenticator_endpoint_gdtc.stage import (
+            AuthenticatorEndpointStageView,
+        )
+
+        return AuthenticatorEndpointStageView
+
+    @property
+    def component(self) -> str:
+        return "ak-stage-authenticator-endpoint-gdtc-form"
+
+    def ui_user_settings(self) -> UserSettingSerializer | None:
+        return UserSettingSerializer(
+            data={
+                "title": self.friendly_name or str(self._meta.verbose_name),
+                "component": "ak-user-settings-authenticator-endpoint",
+            }
+        )
+
+    def __str__(self) -> str:
+        return f"Endpoint Authenticator Google Device Trust Connector Stage {self.name}"
+
+    class Meta:
+        verbose_name = _("Endpoint Authenticator Google Device Trust Connector Stage")
+        verbose_name_plural = _("Endpoint Authenticator Google Device Trust Connector Stages")
+
+
+class EndpointDevice(SerializerModel, Device):
+    """Endpoint Device for a single user"""
+
+    uuid = models.UUIDField(primary_key=True, default=uuid4)
+    host_identifier = models.TextField(
+        unique=True,
+        help_text="A unique identifier for the endpoint device, usually the device serial number",
+    )
+
+    user = models.ForeignKey(get_user_model(), on_delete=models.CASCADE)
+    data = models.JSONField()
+
+    @property
+    def serializer(self) -> Serializer:
+        from authentik.enterprise.stages.authenticator_endpoint_gdtc.api import (
+            EndpointDeviceSerializer,
+        )
+
+        return EndpointDeviceSerializer
+
+    def __str__(self):
+        return str(self.name) or str(self.user_id)
+
+    class Meta:
+        verbose_name = _("Endpoint Device")
+        verbose_name_plural = _("Endpoint Devices")
+
+
+class EndpointDeviceConnection(models.Model):
+    device = models.ForeignKey(EndpointDevice, on_delete=models.CASCADE)
+    stage = models.ForeignKey(AuthenticatorEndpointGDTCStage, on_delete=models.CASCADE)
+
+    attributes = models.JSONField()
+
+    def __str__(self) -> str:
+        return f"Endpoint device connection {self.device_id} to {self.stage_id}"

authentik/enterprise/stages/authenticator_endpoint_gdtc/stage.py

@@ -0,0 +1,32 @@
+from django.http import HttpResponse
+from django.urls import reverse
+from django.utils.translation import gettext_lazy as _
+
+from authentik.flows.challenge import (
+    Challenge,
+    ChallengeResponse,
+    FrameChallenge,
+    FrameChallengeResponse,
+)
+from authentik.flows.stage import ChallengeStageView
+
+
+class AuthenticatorEndpointStageView(ChallengeStageView):
+    """Endpoint stage"""
+
+    response_class = FrameChallengeResponse
+
+    def get_challenge(self, *args, **kwargs) -> Challenge:
+        return FrameChallenge(
+            data={
+                "component": "xak-flow-frame",
+                "url": self.request.build_absolute_uri(
+                    reverse("authentik_stages_authenticator_endpoint_gdtc:chrome")
+                ),
+                "loading_overlay": True,
+                "loading_text": _("Verifying your browser..."),
+            }
+        )
+
+    def challenge_valid(self, response: ChallengeResponse) -> HttpResponse:
+        return self.executor.stage_ok()

authentik/enterprise/stages/authenticator_endpoint_gdtc/templates/stages/authenticator_endpoint/google_chrome_dtc.html

@@ -0,0 +1,9 @@
+<html>
+<script>
+  window.parent.postMessage({
+    message: "submit",
+    source: "goauthentik.io",
+    context: "flow-executor"
+  });
+</script>
+</html>

authentik/enterprise/stages/authenticator_endpoint_gdtc/urls.py

@@ -0,0 +1,26 @@
+"""API URLs"""
+
+from django.urls import path
+
+from authentik.enterprise.stages.authenticator_endpoint_gdtc.api import (
+    AuthenticatorEndpointGDTCStageViewSet,
+    EndpointAdminDeviceViewSet,
+    EndpointDeviceViewSet,
+)
+from authentik.enterprise.stages.authenticator_endpoint_gdtc.views.dtc import (
+    GoogleChromeDeviceTrustConnector,
+)
+
+urlpatterns = [
+    path("chrome/", GoogleChromeDeviceTrustConnector.as_view(), name="chrome"),
+]
+
+api_urlpatterns = [
+    ("authenticators/endpoint", EndpointDeviceViewSet),
+    (
+        "authenticators/admin/endpoint",
+        EndpointAdminDeviceViewSet,
+        "admin-endpointdevice",
+    ),
+    ("stages/authenticator/endpoint_gdtc", AuthenticatorEndpointGDTCStageViewSet),
+]

authentik/enterprise/stages/authenticator_endpoint_gdtc/views/dtc.py

@@ -0,0 +1,84 @@
+from json import dumps, loads
+from typing import Any
+
+from django.http import HttpRequest, HttpResponse, HttpResponseRedirect
+from django.template.response import TemplateResponse
+from django.urls import reverse
+from django.views import View
+from googleapiclient.discovery import build
+
+from authentik.enterprise.stages.authenticator_endpoint_gdtc.models import (
+    AuthenticatorEndpointGDTCStage,
+    EndpointDevice,
+    EndpointDeviceConnection,
+)
+from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlan
+from authentik.flows.views.executor import SESSION_KEY_PLAN
+from authentik.stages.password.stage import PLAN_CONTEXT_METHOD, PLAN_CONTEXT_METHOD_ARGS
+
+# Header we get from chrome that initiates verified access
+HEADER_DEVICE_TRUST = "X-Device-Trust"
+# Header we send to the client with the challenge
+HEADER_ACCESS_CHALLENGE = "X-Verified-Access-Challenge"
+# Header we get back from the client that we verify with google
+HEADER_ACCESS_CHALLENGE_RESPONSE = "X-Verified-Access-Challenge-Response"
+# Header value for x-device-trust that initiates the flow
+DEVICE_TRUST_VERIFIED_ACCESS = "VerifiedAccess"
+
+
+class GoogleChromeDeviceTrustConnector(View):
+    """Google Chrome Device-trust connector based endpoint authenticator"""
+
+    def get_flow_plan(self) -> FlowPlan:
+        flow_plan: FlowPlan = self.request.session[SESSION_KEY_PLAN]
+        return flow_plan
+
+    def setup(self, request: HttpRequest, *args: Any, **kwargs: Any) -> None:
+        super().setup(request, *args, **kwargs)
+        stage: AuthenticatorEndpointGDTCStage = self.get_flow_plan().bindings[0].stage
+        self.google_client = build(
+            "verifiedaccess",
+            "v2",
+            cache_discovery=False,
+            **stage.google_credentials(),
+        )
+
+    def get(self, request: HttpRequest) -> HttpResponse:
+        x_device_trust = request.headers.get(HEADER_DEVICE_TRUST)
+        x_access_challenge_response = request.headers.get(HEADER_ACCESS_CHALLENGE_RESPONSE)
+        if x_device_trust == "VerifiedAccess" and x_access_challenge_response is None:
+            challenge = self.google_client.challenge().generate().execute()
+            res = HttpResponseRedirect(
+                self.request.build_absolute_uri(
+                    reverse("authentik_stages_authenticator_endpoint_gdtc:chrome")
+                )
+            )
+            res[HEADER_ACCESS_CHALLENGE] = dumps(challenge)
+            return res
+        if x_access_challenge_response:
+            response = (
+                self.google_client.challenge()
+                .verify(body=loads(x_access_challenge_response))
+                .execute()
+            )
+            # Remove deprecated string representation of deviceSignals
+            response.pop("deviceSignal", None)
+            flow_plan: FlowPlan = self.get_flow_plan()
+            device, _ = EndpointDevice.objects.update_or_create(
+                host_identifier=response["deviceSignals"]["serialNumber"],
+                user=flow_plan.context.get(PLAN_CONTEXT_PENDING_USER),
+                defaults={"name": response["deviceSignals"]["hostname"], "data": response},
+            )
+            EndpointDeviceConnection.objects.update_or_create(
+                device=device,
+                stage=flow_plan.bindings[0].stage,
+                defaults={
+                    "attributes": response,
+                },
+            )
+            flow_plan.context.setdefault(PLAN_CONTEXT_METHOD, "trusted_endpoint")
+            flow_plan.context.setdefault(PLAN_CONTEXT_METHOD_ARGS, {})
+            flow_plan.context[PLAN_CONTEXT_METHOD_ARGS].setdefault("endpoints", [])
+            flow_plan.context[PLAN_CONTEXT_METHOD_ARGS]["endpoints"].append(response)
+            request.session[SESSION_KEY_PLAN] = flow_plan
+        return TemplateResponse(request, "stages/authenticator_endpoint/google_chrome_dtc.html")

authentik/events/api/notifications.py

@@ -69,8 +69,5 @@ class NotificationViewSet(
     @action(detail=False, methods=["post"])
     def mark_all_seen(self, request: Request) -> Response:
         """Mark all the user's notifications as seen"""
-        notifications = Notification.objects.filter(user=request.user)
-        for notification in notifications:
-            notification.seen = True
-        Notification.objects.bulk_update(notifications, ["seen"])
+        Notification.objects.filter(user=request.user, seen=False).update(seen=True)
         return Response({}, status=204)

authentik/events/context_processors/asn.py

@@ -50,7 +50,7 @@ class ASNContextProcessor(MMDBContextProcessor):
         """Wrapper for Reader.asn"""
         with start_span(
             op="authentik.events.asn.asn",
-            description=ip_address,
+            name=ip_address,
         ):
             if not self.configured():
                 return None

authentik/events/context_processors/geoip.py

@@ -51,7 +51,7 @@ class GeoIPContextProcessor(MMDBContextProcessor):
         """Wrapper for Reader.city"""
         with start_span(
             op="authentik.events.geo.city",
-            description=ip_address,
+            name=ip_address,
         ):
             if not self.configured():
                 return None

authentik/events/models.py

@@ -49,6 +49,7 @@ from authentik.policies.models import PolicyBindingModel
 from authentik.root.middleware import ClientIPMiddleware
 from authentik.stages.email.utils import TemplateEmailMessage
 from authentik.tenants.models import Tenant
+from authentik.tenants.utils import get_current_tenant
 
 LOGGER = get_logger()
 DISCORD_FIELD_LIMIT = 25
@@ -58,7 +59,11 @@ NOTIFICATION_SUMMARY_LENGTH = 75
 def default_event_duration():
     """Default duration an Event is saved.
     This is used as a fallback when no brand is available"""
-    return now() + timedelta(days=365)
+    try:
+        tenant = get_current_tenant()
+        return now() + timedelta_from_string(tenant.event_retention)
+    except Tenant.DoesNotExist:
+        return now() + timedelta(days=365)
 
 
 def default_brand():
@@ -245,12 +250,6 @@ class Event(SerializerModel, ExpiringModel):
             if QS_QUERY in self.context["http_request"]["args"]:
                 wrapped = self.context["http_request"]["args"][QS_QUERY]
                 self.context["http_request"]["args"] = cleanse_dict(QueryDict(wrapped))
-        if hasattr(request, "tenant"):
-            tenant: Tenant = request.tenant
-            # Because self.created only gets set on save, we can't use it's value here
-            # hence we set self.created to now and then use it
-            self.created = now()
-            self.expires = self.created + timedelta_from_string(tenant.event_retention)
         if hasattr(request, "brand"):
             brand: Brand = request.brand
             self.brand = sanitize_dict(model_to_dict(brand))

authentik/events/signals.py

@@ -1,19 +1,22 @@
 """authentik events signal listener"""
 
+from importlib import import_module
 from typing import Any
 
+from django.conf import settings
 from django.contrib.auth.signals import user_logged_in, user_logged_out
 from django.db.models.signals import post_save, pre_delete
 from django.dispatch import receiver
 from django.http import HttpRequest
+from rest_framework.request import Request
 
-from authentik.core.models import User
+from authentik.core.models import AuthenticatedSession, User
 from authentik.core.signals import login_failed, password_changed
 from authentik.events.apps import SYSTEM_TASK_STATUS
 from authentik.events.models import Event, EventAction, SystemTask
 from authentik.events.tasks import event_notification_handler, gdpr_cleanup
 from authentik.flows.models import Stage
-from authentik.flows.planner import PLAN_CONTEXT_SOURCE, FlowPlan
+from authentik.flows.planner import PLAN_CONTEXT_OUTPOST, PLAN_CONTEXT_SOURCE, FlowPlan
 from authentik.flows.views.executor import SESSION_KEY_PLAN
 from authentik.root.monitoring import monitoring_set
 from authentik.stages.invitation.models import Invitation
@@ -23,6 +26,7 @@ from authentik.stages.user_write.signals import user_write
 from authentik.tenants.utils import get_current_tenant
 
 SESSION_LOGIN_EVENT = "login_event"
+_session_engine = import_module(settings.SESSION_ENGINE)
 
 
 @receiver(user_logged_in)
@@ -38,13 +42,25 @@ def on_user_logged_in(sender, request: HttpRequest, user: User, **_):
             # Save the login method used
             kwargs[PLAN_CONTEXT_METHOD] = flow_plan.context[PLAN_CONTEXT_METHOD]
             kwargs[PLAN_CONTEXT_METHOD_ARGS] = flow_plan.context.get(PLAN_CONTEXT_METHOD_ARGS, {})
+        if PLAN_CONTEXT_OUTPOST in flow_plan.context:
+            # Save outpost context
+            kwargs[PLAN_CONTEXT_OUTPOST] = flow_plan.context[PLAN_CONTEXT_OUTPOST]
     event = Event.new(EventAction.LOGIN, **kwargs).from_http(request, user=user)
     request.session[SESSION_LOGIN_EVENT] = event
+    request.session.save()
 
 
-def get_login_event(request: HttpRequest) -> Event | None:
+def get_login_event(request_or_session: HttpRequest | AuthenticatedSession | None) -> Event | None:
     """Wrapper to get login event that can be mocked in tests"""
-    return request.session.get(SESSION_LOGIN_EVENT, None)
+    session = None
+    if not request_or_session:
+        return None
+    if isinstance(request_or_session, HttpRequest | Request):
+        session = request_or_session.session
+    if isinstance(request_or_session, AuthenticatedSession):
+        SessionStore = _session_engine.SessionStore
+        session = SessionStore(request_or_session.session_key)
+    return session.get(SESSION_LOGIN_EVENT, None)
 
 
 @receiver(user_logged_out)

authentik/events/tests/test_models.py

@@ -6,6 +6,7 @@ from django.db.models import Model
 from django.test import TestCase
 
 from authentik.core.models import default_token_key
+from authentik.events.models import default_event_duration
 from authentik.lib.utils.reflection import get_apps
 
 
@@ -20,7 +21,7 @@ def model_tester_factory(test_model: type[Model]) -> Callable:
         allowed = 0
         # Token-like objects need to lookup the current tenant to get the default token length
         for field in test_model._meta.fields:
-            if field.default == default_token_key:
+            if field.default in [default_token_key, default_event_duration]:
                 allowed += 1
         with self.assertNumQueries(allowed):
             str(test_model())

authentik/events/tests/test_notifications.py

@@ -2,7 +2,8 @@
 
 from unittest.mock import MagicMock, patch
 
-from django.test import TestCase
+from django.urls import reverse
+from rest_framework.test import APITestCase
 
 from authentik.core.models import Group, User
 from authentik.events.models import (
@@ -10,6 +11,7 @@ from authentik.events.models import (
     EventAction,
     Notification,
     NotificationRule,
+    NotificationSeverity,
     NotificationTransport,
     NotificationWebhookMapping,
     TransportMode,
@@ -20,7 +22,7 @@ from authentik.policies.exceptions import PolicyException
 from authentik.policies.models import PolicyBinding
 
 
-class TestEventsNotifications(TestCase):
+class TestEventsNotifications(APITestCase):
     """Test Event Notifications"""
 
     def setUp(self) -> None:
@@ -131,3 +133,15 @@ class TestEventsNotifications(TestCase):
         Notification.objects.all().delete()
         Event.new(EventAction.CUSTOM_PREFIX).save()
         self.assertEqual(Notification.objects.first().body, "foo")
+
+    def test_api_mark_all_seen(self):
+        """Test mark_all_seen"""
+        self.client.force_login(self.user)
+
+        Notification.objects.create(
+            severity=NotificationSeverity.NOTICE, body="foo", user=self.user, seen=False
+        )
+
+        response = self.client.post(reverse("authentik_api:notification-mark-all-seen"))
+        self.assertEqual(response.status_code, 204)
+        self.assertFalse(Notification.objects.filter(body="foo", seen=False).exists())

authentik/flows/challenge.py

@@ -8,7 +8,7 @@ from uuid import UUID
 from django.core.serializers.json import DjangoJSONEncoder
 from django.db import models
 from django.http import JsonResponse
-from rest_framework.fields import CharField, ChoiceField, DictField
+from rest_framework.fields import BooleanField, CharField, ChoiceField, DictField
 from rest_framework.request import Request
 
 from authentik.core.api.utils import PassiveSerializer
@@ -110,9 +110,22 @@ class FlowErrorChallenge(Challenge):
 class AccessDeniedChallenge(WithUserInfoChallenge):
     """Challenge when a flow's active stage calls `stage_invalid()`."""
 
-    error_message = CharField(required=False)
     component = CharField(default="ak-stage-access-denied")
 
+    error_message = CharField(required=False)
+
+
+class SessionEndChallenge(WithUserInfoChallenge):
+    """Challenge for ending a session"""
+
+    component = CharField(default="ak-stage-session-end")
+
+    application_name = CharField(required=False)
+    application_launch_url = CharField(required=False)
+
+    invalidation_flow_url = CharField(required=False)
+    brand_name = CharField(required=True)
+
 
 class PermissionDict(TypedDict):
     """Consent Permission"""
@@ -147,6 +160,20 @@ class AutoSubmitChallengeResponse(ChallengeResponse):
     component = CharField(default="ak-stage-autosubmit")
 
 
+class FrameChallenge(Challenge):
+    """Challenge type to render a frame"""
+
+    component = CharField(default="xak-flow-frame")
+    url = CharField()
+    loading_overlay = BooleanField(default=False)
+    loading_text = CharField()
+
+
+class FrameChallengeResponse(ChallengeResponse):
+
+    component = CharField(default="xak-flow-frame")
+
+
 class DataclassEncoder(DjangoJSONEncoder):
     """Convert any dataclass to json"""
 

authentik/flows/migrations/0027_auto_20231028_1424.py

@@ -6,20 +6,18 @@ from django.db.backends.base.schema import BaseDatabaseSchemaEditor
 
 
 def set_oobe_flow_authentication(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
-    from guardian.shortcuts import get_anonymous_user
+    from guardian.conf import settings as guardian_settings
 
     Flow = apps.get_model("authentik_flows", "Flow")
     User = apps.get_model("authentik_core", "User")
 
     db_alias = schema_editor.connection.alias
 
-    users = User.objects.using(db_alias).exclude(username="akadmin")
-    try:
-        users = users.exclude(pk=get_anonymous_user().pk)
-
-    except Exception:  # nosec
-        pass
-
+    users = (
+        User.objects.using(db_alias)
+        .exclude(username="akadmin")
+        .exclude(username=guardian_settings.ANONYMOUS_USER_NAME)
+    )
     if users.exists():
         Flow.objects.using(db_alias).filter(slug="initial-setup").update(
             authentication="require_superuser"

authentik/flows/models.py

@@ -107,7 +107,9 @@ class Stage(SerializerModel):
 
 
 def in_memory_stage(view: type["StageView"], **kwargs) -> Stage:
-    """Creates an in-memory stage instance, based on a `view` as view."""
+    """Creates an in-memory stage instance, based on a `view` as view.
+    Any key-word arguments are set as attributes on the stage object,
+    accessible via `self.executor.current_stage`."""
     stage = Stage()
     # Because we can't pickle a locally generated function,
     # we set the view as a separate property and reference a generic function

authentik/flows/planner.py

@@ -23,6 +23,7 @@ from authentik.flows.models import (
     in_memory_stage,
 )
 from authentik.lib.config import CONFIG
+from authentik.outposts.models import Outpost
 from authentik.policies.engine import PolicyEngine
 from authentik.root.middleware import ClientIPMiddleware
 
@@ -32,6 +33,7 @@ PLAN_CONTEXT_SSO = "is_sso"
 PLAN_CONTEXT_REDIRECT = "redirect"
 PLAN_CONTEXT_APPLICATION = "application"
 PLAN_CONTEXT_SOURCE = "source"
+PLAN_CONTEXT_OUTPOST = "outpost"
 # Is set by the Flow Planner when a FlowToken was used, and the currently active flow plan
 # was restored.
 PLAN_CONTEXT_IS_RESTORED = "is_restored"
@@ -143,15 +145,28 @@ class FlowPlanner:
             and not request.user.is_superuser
         ):
             raise FlowNonApplicableException()
+        outpost_user = ClientIPMiddleware.get_outpost_user(request)
         if self.flow.authentication == FlowAuthenticationRequirement.REQUIRE_OUTPOST:
-            outpost_user = ClientIPMiddleware.get_outpost_user(request)
             if not outpost_user:
                 raise FlowNonApplicableException()
+        if outpost_user:
+            outpost = Outpost.objects.filter(
+                # TODO: Since Outpost and user are not directly connected, we have to look up a user
+                # like this. This should ideally by in authentik/outposts/models.py
+                pk=outpost_user.username.replace("ak-outpost-", "")
+            ).first()
+            if outpost:
+                return {
+                    PLAN_CONTEXT_OUTPOST: {
+                        "instance": outpost,
+                    }
+                }
+        return {}
 
     def plan(self, request: HttpRequest, default_context: dict[str, Any] | None = None) -> FlowPlan:
         """Check each of the flows' policies, check policies for each stage with PolicyBinding
         and return ordered list"""
-        with start_span(op="authentik.flow.planner.plan", description=self.flow.slug) as span:
+        with start_span(op="authentik.flow.planner.plan", name=self.flow.slug) as span:
             span: Span
             span.set_data("flow", self.flow)
             span.set_data("request", request)
@@ -159,11 +174,12 @@ class FlowPlanner:
             self._logger.debug(
                 "f(plan): starting planning process",
             )
+            context = default_context or {}
             # Bit of a workaround here, if there is a pending user set in the default context
             # we use that user for our cache key
             # to make sure they don't get the generic response
-            if default_context and PLAN_CONTEXT_PENDING_USER in default_context:
-                user = default_context[PLAN_CONTEXT_PENDING_USER]
+            if context and PLAN_CONTEXT_PENDING_USER in context:
+                user = context[PLAN_CONTEXT_PENDING_USER]
             else:
                 user = request.user
                 # We only need to check the flow authentication if it's planned without a user
@@ -171,14 +187,13 @@ class FlowPlanner:
                 # or if a flow is restarted due to `invalid_response_action` being set to
                 # `restart_with_context`, which can only happen if the user was already authorized
                 # to use the flow
-                self._check_authentication(request)
+                context.update(self._check_authentication(request))
             # First off, check the flow's direct policy bindings
             # to make sure the user even has access to the flow
             engine = PolicyEngine(self.flow, user, request)
             engine.use_cache = self.use_cache
-            if default_context:
-                span.set_data("default_context", cleanse_dict(default_context))
-                engine.request.context.update(default_context)
+            span.set_data("context", cleanse_dict(context))
+            engine.request.context.update(context)
             engine.build()
             result = engine.result
             if not result.passing:
@@ -195,12 +210,12 @@ class FlowPlanner:
                         key=cached_plan_key,
                     )
                     # Reset the context as this isn't factored into caching
-                    cached_plan.context = default_context or {}
+                    cached_plan.context = context
                     return cached_plan
             self._logger.debug(
                 "f(plan): building plan",
             )
-            plan = self._build_plan(user, request, default_context)
+            plan = self._build_plan(user, request, context)
             if self.use_cache:
                 cache.set(cache_key(self.flow, user), plan, CACHE_TIMEOUT)
             if not plan.bindings and not self.allow_empty_flows:
@@ -218,7 +233,7 @@ class FlowPlanner:
         with (
             start_span(
                 op="authentik.flow.planner.build_plan",
-                description=self.flow.slug,
+                name=self.flow.slug,
             ) as span,
             HIST_FLOWS_PLAN_TIME.labels(flow_slug=self.flow.slug).time(),
         ):

authentik/flows/stage.py

@@ -13,7 +13,7 @@ from rest_framework.request import Request
 from sentry_sdk import start_span
 from structlog.stdlib import BoundLogger, get_logger
 
-from authentik.core.models import User
+from authentik.core.models import Application, User
 from authentik.flows.challenge import (
     AccessDeniedChallenge,
     Challenge,
@@ -21,6 +21,7 @@ from authentik.flows.challenge import (
     ContextualFlowInfo,
     HttpChallengeResponse,
     RedirectChallenge,
+    SessionEndChallenge,
     WithUserInfoChallenge,
 )
 from authentik.flows.exceptions import StageInvalidException
@@ -125,7 +126,7 @@ class ChallengeStageView(StageView):
             with (
                 start_span(
                     op="authentik.flow.stage.challenge_invalid",
-                    description=self.__class__.__name__,
+                    name=self.__class__.__name__,
                 ),
                 HIST_FLOWS_STAGE_TIME.labels(
                     stage_type=self.__class__.__name__, method="challenge_invalid"
@@ -135,7 +136,7 @@ class ChallengeStageView(StageView):
         with (
             start_span(
                 op="authentik.flow.stage.challenge_valid",
-                description=self.__class__.__name__,
+                name=self.__class__.__name__,
             ),
             HIST_FLOWS_STAGE_TIME.labels(
                 stage_type=self.__class__.__name__, method="challenge_valid"
@@ -161,7 +162,7 @@ class ChallengeStageView(StageView):
         with (
             start_span(
                 op="authentik.flow.stage.get_challenge",
-                description=self.__class__.__name__,
+                name=self.__class__.__name__,
             ),
             HIST_FLOWS_STAGE_TIME.labels(
                 stage_type=self.__class__.__name__, method="get_challenge"
@@ -174,7 +175,7 @@ class ChallengeStageView(StageView):
                 return self.executor.stage_invalid()
         with start_span(
             op="authentik.flow.stage._get_challenge",
-            description=self.__class__.__name__,
+            name=self.__class__.__name__,
         ):
             if not hasattr(challenge, "initial_data"):
                 challenge.initial_data = {}
@@ -230,7 +231,7 @@ class ChallengeStageView(StageView):
         return HttpChallengeResponse(challenge_response)
 
 
-class AccessDeniedChallengeView(ChallengeStageView):
+class AccessDeniedStage(ChallengeStageView):
     """Used internally by FlowExecutor's stage_invalid()"""
 
     error_message: str | None
@@ -268,3 +269,31 @@ class RedirectStage(ChallengeStageView):
 
     def challenge_valid(self, response: ChallengeResponse) -> HttpResponse:
         return HttpChallengeResponse(self.get_challenge())
+
+
+class SessionEndStage(ChallengeStageView):
+    """Stage inserted when a flow is used as invalidation flow. By default shows actions
+    that the user is likely to take after signing out of a provider."""
+
+    def get_challenge(self, *args, **kwargs) -> Challenge:
+        application: Application | None = self.executor.plan.context.get(PLAN_CONTEXT_APPLICATION)
+        data = {
+            "component": "ak-stage-session-end",
+            "brand_name": self.request.brand.branding_title,
+        }
+        if application:
+            data["application_name"] = application.name
+            data["application_launch_url"] = application.get_launch_url(self.get_pending_user())
+        if self.request.brand.flow_invalidation:
+            data["invalidation_flow_url"] = reverse(
+                "authentik_core:if-flow",
+                kwargs={
+                    "flow_slug": self.request.brand.flow_invalidation.slug,
+                },
+            )
+        return SessionEndChallenge(data=data)
+
+    # This can never be reached since this challenge is created on demand and only the
+    # .get() method is called
+    def challenge_valid(self, response: ChallengeResponse) -> HttpResponse:  # pragma: no cover
+        return self.executor.cancel()

authentik/flows/templates/if/flow.html

@@ -18,7 +18,7 @@ window.authentik.flow = {
 {% endblock %}
 
 {% block head %}
-{% versioned_script "dist/flow/FlowInterface-%v.js" %}
+<script src="{% versioned_script 'dist/flow/FlowInterface-%v.js' %}" type="module"></script>
 <style>
 :root {
     --ak-flow-background: url("{{ flow.background_url }}");

authentik/flows/tests/test_inspector.py

@@ -46,6 +46,7 @@ class TestFlowInspector(APITestCase):
             res.content,
             {
                 "allow_show_password": False,
+                "captcha_stage": None,
                 "component": "ak-stage-identification",
                 "flow_info": {
                     "background": flow.background_url,

authentik/flows/views/executor.py

@@ -54,7 +54,7 @@ from authentik.flows.planner import (
     FlowPlan,
     FlowPlanner,
 )
-from authentik.flows.stage import AccessDeniedChallengeView, StageView
+from authentik.flows.stage import AccessDeniedStage, StageView
 from authentik.lib.sentry import SentryIgnoredException
 from authentik.lib.utils.errors import exception_to_string
 from authentik.lib.utils.reflection import all_subclasses, class_to_path
@@ -153,7 +153,7 @@ class FlowExecutorView(APIView):
         return plan
 
     def dispatch(self, request: HttpRequest, flow_slug: str) -> HttpResponse:
-        with start_span(op="authentik.flow.executor.dispatch", description=self.flow.slug) as span:
+        with start_span(op="authentik.flow.executor.dispatch", name=self.flow.slug) as span:
             span.set_data("authentik Flow", self.flow.slug)
             get_params = QueryDict(request.GET.get(QS_QUERY, ""))
             if QS_KEY_TOKEN in get_params:
@@ -273,7 +273,7 @@ class FlowExecutorView(APIView):
             with (
                 start_span(
                     op="authentik.flow.executor.stage",
-                    description=class_path,
+                    name=class_path,
                 ) as span,
                 HIST_FLOW_EXECUTION_STAGE_TIME.labels(
                     method=request.method.upper(),
@@ -324,7 +324,7 @@ class FlowExecutorView(APIView):
             with (
                 start_span(
                     op="authentik.flow.executor.stage",
-                    description=class_path,
+                    name=class_path,
                 ) as span,
                 HIST_FLOW_EXECUTION_STAGE_TIME.labels(
                     method=request.method.upper(),
@@ -441,7 +441,7 @@ class FlowExecutorView(APIView):
             )
             return self.restart_flow(keep_context)
         self.cancel()
-        challenge_view = AccessDeniedChallengeView(self, error_message)
+        challenge_view = AccessDeniedStage(self, error_message)
         challenge_view.request = self.request
         return to_stage_response(self.request, challenge_view.get(self.request))
 

authentik/lib/default.yml

@@ -1,4 +1,4 @@
-# update website/docs/installation/configuration.mdx
+# update website/docs/install-config/configuration/configuration.mdx
 # This is the default configuration file
 postgresql:
   host: localhost
@@ -105,6 +105,10 @@ ldap:
   tls:
     ciphers: null
 
+sources:
+  kerberos:
+    task_timeout_hours: 2
+
 reputation:
   expiry: 86400
 

authentik/lib/expression/evaluator.py

@@ -2,7 +2,6 @@
 
 import re
 import socket
-from collections.abc import Iterable
 from ipaddress import ip_address, ip_network
 from textwrap import indent
 from types import CodeType
@@ -28,6 +27,12 @@ from authentik.stages.authenticator import devices_for_user
 
 LOGGER = get_logger()
 
+ARG_SANITIZE = re.compile(r"[:.-]")
+
+
+def sanitize_arg(arg_name: str) -> str:
+    return re.sub(ARG_SANITIZE, "_", arg_name)
+
 
 class BaseEvaluator:
     """Validate and evaluate python-based expressions"""
@@ -177,9 +182,9 @@ class BaseEvaluator:
         proc = PolicyProcess(PolicyBinding(policy=policy), request=req, connection=None)
         return proc.profiling_wrapper()
 
-    def wrap_expression(self, expression: str, params: Iterable[str]) -> str:
+    def wrap_expression(self, expression: str) -> str:
         """Wrap expression in a function, call it, and save the result as `result`"""
-        handler_signature = ",".join(params)
+        handler_signature = ",".join(sanitize_arg(x) for x in self._context.keys())
         full_expression = ""
         full_expression += f"def handler({handler_signature}):\n"
         full_expression += indent(expression, "    ")
@@ -188,8 +193,8 @@ class BaseEvaluator:
 
     def compile(self, expression: str) -> CodeType:
         """Parse expression. Raises SyntaxError or ValueError if the syntax is incorrect."""
-        param_keys = self._context.keys()
-        return compile(self.wrap_expression(expression, param_keys), self._filename, "exec")
+        expression = self.wrap_expression(expression)
+        return compile(expression, self._filename, "exec")
 
     def evaluate(self, expression_source: str) -> Any:
         """Parse and evaluate expression. If the syntax is incorrect, a SyntaxError is raised.
@@ -205,7 +210,7 @@ class BaseEvaluator:
                 self.handle_error(exc, expression_source)
                 raise exc
             try:
-                _locals = self._context
+                _locals = {sanitize_arg(x): y for x, y in self._context.items()}
                 # Yes this is an exec, yes it is potentially bad. Since we limit what variables are
                 # available here, and these policies can only be edited by admins, this is a risk
                 # we're willing to take.

authentik/lib/tests/test_http.py

@@ -30,6 +30,11 @@ class TestHTTP(TestCase):
         request = self.factory.get("/", HTTP_X_FORWARDED_FOR="127.0.0.2")
         self.assertEqual(ClientIPMiddleware.get_client_ip(request), "127.0.0.2")
 
+    def test_forward_for_invalid(self):
+        """Test invalid forward for"""
+        request = self.factory.get("/", HTTP_X_FORWARDED_FOR="foobar")
+        self.assertEqual(ClientIPMiddleware.get_client_ip(request), ClientIPMiddleware.default_ip)
+
     def test_fake_outpost(self):
         """Test faked IP which is overridden by an outpost"""
         token = Token.objects.create(
@@ -53,6 +58,17 @@ class TestHTTP(TestCase):
             },
         )
         self.assertEqual(ClientIPMiddleware.get_client_ip(request), "127.0.0.1")
+        # Invalid, not a real IP
+        self.user.type = UserTypes.INTERNAL_SERVICE_ACCOUNT
+        self.user.save()
+        request = self.factory.get(
+            "/",
+            **{
+                ClientIPMiddleware.outpost_remote_ip_header: "foobar",
+                ClientIPMiddleware.outpost_token_header: token.key,
+            },
+        )
+        self.assertEqual(ClientIPMiddleware.get_client_ip(request), "127.0.0.1")
         # Valid
         self.user.type = UserTypes.INTERNAL_SERVICE_ACCOUNT
         self.user.save()

authentik/lib/utils/http.py

@@ -21,7 +21,14 @@ class DebugSession(Session):
 
     def send(self, req: PreparedRequest, *args, **kwargs):
         request_id = str(uuid4())
-        LOGGER.debug("HTTP request sent", uid=request_id, path=req.path_url, headers=req.headers)
+        LOGGER.debug(
+            "HTTP request sent",
+            uid=request_id,
+            url=req.url,
+            method=req.method,
+            headers=req.headers,
+            body=req.body,
+        )
         resp = super().send(req, *args, **kwargs)
         LOGGER.debug(
             "HTTP response received",

authentik/outposts/models.py

@@ -53,7 +53,7 @@ class ServiceConnectionInvalid(SentryIgnoredException):
 class OutpostConfig:
     """Configuration an outpost uses to configure it self"""
 
-    # update website/docs/outposts/_config.md
+    # update website/docs/add-secure-apps/outposts/_config.md
 
     authentik_host: str = ""
     authentik_host_insecure: bool = False

authentik/policies/engine.py

@@ -113,7 +113,7 @@ class PolicyEngine:
         with (
             start_span(
                 op="authentik.policy.engine.build",
-                description=self.__pbm,
+                name=self.__pbm,
             ) as span,
             HIST_POLICIES_ENGINE_TOTAL_TIME.labels(
                 obj_type=class_to_path(self.__pbm.__class__),

authentik/policies/event_matcher/models.py

@@ -108,7 +108,7 @@ class EventMatcherPolicy(Policy):
                 result=result,
             )
             matches.append(result)
-        passing = any(x.passing for x in matches)
+        passing = all(x.passing for x in matches)
         messages = chain(*[x.messages for x in matches])
         result = PolicyResult(passing, *messages)
         result.source_results = matches

authentik/policies/event_matcher/tests.py

@@ -77,11 +77,24 @@ class TestEventMatcherPolicy(TestCase):
         request = PolicyRequest(get_anonymous_user())
         request.context["event"] = event
         policy: EventMatcherPolicy = EventMatcherPolicy.objects.create(
-            client_ip="1.2.3.5", app="bar"
+            client_ip="1.2.3.5", app="foo"
         )
         response = policy.passes(request)
         self.assertFalse(response.passing)
 
+    def test_multiple(self):
+        """Test multiple"""
+        event = Event.new(EventAction.LOGIN)
+        event.app = "foo"
+        event.client_ip = "1.2.3.4"
+        request = PolicyRequest(get_anonymous_user())
+        request.context["event"] = event
+        policy: EventMatcherPolicy = EventMatcherPolicy.objects.create(
+            client_ip="1.2.3.4", app="foo"
+        )
+        response = policy.passes(request)
+        self.assertTrue(response.passing)
+
     def test_invalid(self):
         """Test passing event"""
         request = PolicyRequest(get_anonymous_user())

authentik/policies/password/models.py

@@ -89,6 +89,10 @@ class PasswordPolicy(Policy):
 
     def passes_static(self, password: str, request: PolicyRequest) -> PolicyResult:
         """Check static rules"""
+        error_message = self.error_message
+        if error_message == "":
+            error_message = _("Invalid password.")
+
         if len(password) < self.length_min:
             LOGGER.debug("password failed", check="static", reason="length")
             return PolicyResult(False, self.error_message)