lint-fix

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

.bumpversion.cfg

@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2024.6.4
+current_version = 2024.10.5
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?:-(?P<rc_t>[a-zA-Z-]+)(?P<rc_n>[1-9]\\d*))?
@@ -30,3 +30,5 @@ optional_value = final
 [bumpversion:file:internal/constants/constants.go]
 
 [bumpversion:file:web/src/common/constants.ts]
+
+[bumpversion:file:website/docs/install-config/install/aws/template.yaml]

.github/actions/docker-push-variables/action.yml

@@ -11,9 +11,9 @@ inputs:
     description: "Docker image arch"
 
 outputs:
-  shouldBuild:
-    description: "Whether to build image or not"
-    value: ${{ steps.ev.outputs.shouldBuild }}
+  shouldPush:
+    description: "Whether to push the image or not"
+    value: ${{ steps.ev.outputs.shouldPush }}
 
   sha:
     description: "sha"
@@ -29,9 +29,9 @@ outputs:
   imageTags:
     description: "Docker image tags"
     value: ${{ steps.ev.outputs.imageTags }}
-  imageNames:
-    description: "Docker image names"
-    value: ${{ steps.ev.outputs.imageNames }}
+  attestImageNames:
+    description: "Docker image names used for attestation"
+    value: ${{ steps.ev.outputs.attestImageNames }}
   imageMainTag:
     description: "Docker image main tag"
     value: ${{ steps.ev.outputs.imageMainTag }}

.github/actions/docker-push-variables/push_vars.py

@@ -7,7 +7,14 @@ from time import time
 parser = configparser.ConfigParser()
 parser.read(".bumpversion.cfg")
 
-should_build = str(len(os.environ.get("DOCKER_USERNAME", "")) > 0).lower()
+# Decide if we should push the image or not
+should_push = True
+if len(os.environ.get("DOCKER_USERNAME", "")) < 1:
+    # Don't push if we don't have DOCKER_USERNAME, i.e. no secrets are available
+    should_push = False
+if os.environ.get("GITHUB_REPOSITORY").lower() == "goauthentik/authentik-internal":
+    # Don't push on the internal repo
+    should_push = False
 
 branch_name = os.environ["GITHUB_REF"]
 if os.environ.get("GITHUB_HEAD_REF", "") != "":
@@ -51,15 +58,24 @@ else:
         ]
 
 image_main_tag = image_tags[0].split(":")[-1]
-image_tags_rendered = ",".join(image_tags)
-image_names_rendered = ",".join(set(name.split(":")[0] for name in image_tags))
+
+
+def get_attest_image_names(image_with_tags: list[str]):
+    """Attestation only for GHCR"""
+    image_tags = []
+    for image_name in set(name.split(":")[0] for name in image_with_tags):
+        if not image_name.startswith("ghcr.io"):
+            continue
+        image_tags.append(image_name)
+    return ",".join(set(image_tags))
+
 
 with open(os.environ["GITHUB_OUTPUT"], "a+", encoding="utf-8") as _output:
-    print(f"shouldBuild={should_build}", file=_output)
+    print(f"shouldPush={str(should_push).lower()}", file=_output)
     print(f"sha={sha}", file=_output)
     print(f"version={version}", file=_output)
     print(f"prerelease={prerelease}", file=_output)
-    print(f"imageTags={image_tags_rendered}", file=_output)
-    print(f"imageNames={image_names_rendered}", file=_output)
+    print(f"imageTags={','.join(image_tags)}", file=_output)
+    print(f"attestImageNames={get_attest_image_names(image_tags)}", file=_output)
     print(f"imageMainTag={image_main_tag}", file=_output)
     print(f"imageMainName={image_tags[0]}", file=_output)

.github/actions/setup/action.yml

@@ -14,7 +14,7 @@ runs:
       run: |
         pipx install poetry || true
         sudo apt-get update
-        sudo apt-get install --no-install-recommends -y libpq-dev openssl libxmlsec1-dev pkg-config gettext
+        sudo apt-get install --no-install-recommends -y libpq-dev openssl libxmlsec1-dev pkg-config gettext libkrb5-dev krb5-kdc krb5-user krb5-admin-server
     - name: Setup python and restore poetry
       uses: actions/setup-python@v5
       with:
@@ -35,7 +35,7 @@ runs:
       run: |
         export PSQL_TAG=${{ inputs.postgresql_version }}
         docker compose -f .github/actions/setup/docker-compose.yml up -d
-        poetry install
+        poetry install --sync
         cd web && npm ci
     - name: Generate config
       shell: poetry run python {0}

.github/dependabot.yml

@@ -23,7 +23,6 @@ updates:
   - package-ecosystem: npm
     directories:
       - "/web"
-      - "/tests/wdio"
       - "/web/sfe"
     schedule:
       interval: daily
@@ -44,9 +43,11 @@ updates:
           - "babel-*"
       eslint:
         patterns:
+          - "@eslint/*"
           - "@typescript-eslint/*"
-          - "eslint"
           - "eslint-*"
+          - "eslint"
+          - "typescript-eslint"
       storybook:
         patterns:
           - "@storybook/*"
@@ -54,10 +55,12 @@ updates:
       esbuild:
         patterns:
           - "@esbuild/*"
+          - "esbuild*"
       rollup:
         patterns:
           - "@rollup/*"
           - "rollup-*"
+          - "rollup*"
       swc:
         patterns:
           - "@swc/*"

.github/pull_request_template.md

@@ -1,7 +1,7 @@
 <!--
 👋 Hi there! Welcome.
 
-Please check the Contributing guidelines: https://goauthentik.io/developer-docs/#how-can-i-contribute
+Please check the Contributing guidelines: https://docs.goauthentik.io/docs/developer-docs/#how-can-i-contribute
 -->
 
 ## Details

.github/workflows/api-py-publish.yml

@@ -7,6 +7,7 @@ on:
   workflow_dispatch:
 jobs:
   build:
+    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
     runs-on: ubuntu-latest
     permissions:
       id-token: write

.github/workflows/api-ts-publish.yml

@@ -7,6 +7,7 @@ on:
   workflow_dispatch:
 jobs:
   build:
+    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
     runs-on: ubuntu-latest
     steps:
       - id: generate_token
@@ -40,7 +41,7 @@ jobs:
         run: |
           export VERSION=`node -e 'console.log(require("../gen-ts-api/package.json").version)'`
           npm i @goauthentik/api@$VERSION
-      - uses: peter-evans/create-pull-request@v6
+      - uses: peter-evans/create-pull-request@v7
         id: cpr
         with:
           token: ${{ steps.generate_token.outputs.token }}

.github/workflows/ci-aws-cfn.yml

@@ -0,0 +1,46 @@
+name: authentik-ci-aws-cfn
+
+on:
+  push:
+    branches:
+      - main
+      - next
+      - version-*
+  pull_request:
+    branches:
+      - main
+      - version-*
+
+env:
+  POSTGRES_DB: authentik
+  POSTGRES_USER: authentik
+  POSTGRES_PASSWORD: "EK-5jnKfjrGRm<77"
+
+jobs:
+  check-changes-applied:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Setup authentik env
+        uses: ./.github/actions/setup
+      - uses: actions/setup-node@v4
+        with:
+          node-version-file: website/package.json
+          cache: "npm"
+          cache-dependency-path: website/package-lock.json
+      - working-directory: website/
+        run: |
+          npm ci
+      - name: Check changes have been applied
+        run: |
+          poetry run make aws-cfn
+          git diff --exit-code
+  ci-aws-cfn-mark:
+    if: always()
+    needs:
+      - check-changes-applied
+    runs-on: ubuntu-latest
+    steps:
+      - uses: re-actors/alls-green@release/v1
+        with:
+          jobs: ${{ toJSON(needs) }}

.github/workflows/ci-main.yml

@@ -116,10 +116,16 @@ jobs:
           poetry run make test
           poetry run coverage xml
       - if: ${{ always() }}
-        uses: codecov/codecov-action@v4
+        uses: codecov/codecov-action@v5
         with:
           flags: unit
           token: ${{ secrets.CODECOV_TOKEN }}
+      - if: ${{ !cancelled() }}
+        uses: codecov/test-results-action@v1
+        with:
+          flags: unit
+          file: unittest.xml
+          token: ${{ secrets.CODECOV_TOKEN }}
   test-integration:
     runs-on: ubuntu-latest
     timeout-minutes: 30
@@ -128,16 +134,22 @@ jobs:
       - name: Setup authentik env
         uses: ./.github/actions/setup
       - name: Create k8s Kind Cluster
-        uses: helm/kind-action@v1.10.0
+        uses: helm/kind-action@v1.11.0
       - name: run integration
         run: |
           poetry run coverage run manage.py test tests/integration
           poetry run coverage xml
       - if: ${{ always() }}
-        uses: codecov/codecov-action@v4
+        uses: codecov/codecov-action@v5
         with:
           flags: integration
           token: ${{ secrets.CODECOV_TOKEN }}
+      - if: ${{ !cancelled() }}
+        uses: codecov/test-results-action@v1
+        with:
+          flags: integration
+          file: unittest.xml
+          token: ${{ secrets.CODECOV_TOKEN }}
   test-e2e:
     name: test-e2e (${{ matrix.job.name }})
     runs-on: ubuntu-latest
@@ -168,7 +180,7 @@ jobs:
         uses: ./.github/actions/setup
       - name: Setup e2e env (chrome, etc)
         run: |
-          docker compose -f tests/e2e/docker-compose.yml up -d
+          docker compose -f tests/e2e/docker-compose.yml up -d --quiet-pull
       - id: cache-web
         uses: actions/cache@v4
         with:
@@ -186,11 +198,18 @@ jobs:
           poetry run coverage run manage.py test ${{ matrix.job.glob }}
           poetry run coverage xml
       - if: ${{ always() }}
-        uses: codecov/codecov-action@v4
+        uses: codecov/codecov-action@v5
         with:
           flags: e2e
           token: ${{ secrets.CODECOV_TOKEN }}
+      - if: ${{ !cancelled() }}
+        uses: codecov/test-results-action@v1
+        with:
+          flags: e2e
+          file: unittest.xml
+          token: ${{ secrets.CODECOV_TOKEN }}
   ci-core-mark:
+    if: always()
     needs:
       - lint
       - test-migrations
@@ -200,7 +219,9 @@ jobs:
       - test-e2e
     runs-on: ubuntu-latest
     steps:
-      - run: echo mark
+      - uses: re-actors/alls-green@release/v1
+        with:
+          jobs: ${{ toJSON(needs) }}
   build:
     strategy:
       fail-fast: false
@@ -234,7 +255,7 @@ jobs:
           image-name: ghcr.io/goauthentik/dev-server
           image-arch: ${{ matrix.arch }}
       - name: Login to Container Registry
-        if: ${{ steps.ev.outputs.shouldBuild == 'true' }}
+        if: ${{ steps.ev.outputs.shouldPush == 'true' }}
         uses: docker/login-action@v3
         with:
           registry: ghcr.io
@@ -251,17 +272,17 @@ jobs:
             GEOIPUPDATE_ACCOUNT_ID=${{ secrets.GEOIPUPDATE_ACCOUNT_ID }}
             GEOIPUPDATE_LICENSE_KEY=${{ secrets.GEOIPUPDATE_LICENSE_KEY }}
           tags: ${{ steps.ev.outputs.imageTags }}
-          push: ${{ steps.ev.outputs.shouldBuild == 'true' }}
+          push: ${{ steps.ev.outputs.shouldPush == 'true' }}
           build-args: |
             GIT_BUILD_HASH=${{ steps.ev.outputs.sha }}
           cache-from: type=registry,ref=ghcr.io/goauthentik/dev-server:buildcache
-          cache-to: ${{ steps.ev.outputs.shouldBuild == 'true' && 'type=registry,ref=ghcr.io/goauthentik/dev-server:buildcache,mode=max' || '' }}
+          cache-to: ${{ steps.ev.outputs.shouldPush == 'true' && 'type=registry,ref=ghcr.io/goauthentik/dev-server:buildcache,mode=max' || '' }}
           platforms: linux/${{ matrix.arch }}
-      - uses: actions/attest-build-provenance@v1
+      - uses: actions/attest-build-provenance@v2
         id: attest
-        if: ${{ steps.ev.outputs.shouldBuild == 'true' }}
+        if: ${{ steps.ev.outputs.shouldPush == 'true' }}
         with:
-          subject-name: ${{ steps.ev.outputs.imageNames }}
+          subject-name: ${{ steps.ev.outputs.attestImageNames }}
           subject-digest: ${{ steps.push.outputs.digest }}
           push-to-registry: true
   pr-comment:
@@ -285,7 +306,7 @@ jobs:
         with:
           image-name: ghcr.io/goauthentik/dev-server
       - name: Comment on PR
-        if: ${{ steps.ev.outputs.shouldBuild == 'true' }}
+        if: ${{ steps.ev.outputs.shouldPush == 'true' }}
         uses: ./.github/actions/comment-pr-instructions
         with:
           tag: ${{ steps.ev.outputs.imageMainTag }}

.github/workflows/ci-outpost.yml

@@ -49,12 +49,15 @@ jobs:
         run: |
           go test -timeout 0 -v -race -coverprofile=coverage.out -covermode=atomic -cover ./...
   ci-outpost-mark:
+    if: always()
     needs:
       - lint-golint
       - test-unittest
     runs-on: ubuntu-latest
     steps:
-      - run: echo mark
+      - uses: re-actors/alls-green@release/v1
+        with:
+          jobs: ${{ toJSON(needs) }}
   build-container:
     timeout-minutes: 120
     needs:
@@ -90,7 +93,7 @@ jobs:
         with:
           image-name: ghcr.io/goauthentik/dev-${{ matrix.type }}
       - name: Login to Container Registry
-        if: ${{ steps.ev.outputs.shouldBuild == 'true' }}
+        if: ${{ steps.ev.outputs.shouldPush == 'true' }}
         uses: docker/login-action@v3
         with:
           registry: ghcr.io
@@ -104,18 +107,18 @@ jobs:
         with:
           tags: ${{ steps.ev.outputs.imageTags }}
           file: ${{ matrix.type }}.Dockerfile
-          push: ${{ steps.ev.outputs.shouldBuild == 'true' }}
+          push: ${{ steps.ev.outputs.shouldPush == 'true' }}
           build-args: |
             GIT_BUILD_HASH=${{ steps.ev.outputs.sha }}
           platforms: linux/amd64,linux/arm64
           context: .
           cache-from: type=registry,ref=ghcr.io/goauthentik/dev-${{ matrix.type }}:buildcache
-          cache-to: ${{ steps.ev.outputs.shouldBuild == 'true' && format('type=registry,ref=ghcr.io/goauthentik/dev-{0}:buildcache,mode=max', matrix.type) || '' }}
-      - uses: actions/attest-build-provenance@v1
+          cache-to: ${{ steps.ev.outputs.shouldPush == 'true' && format('type=registry,ref=ghcr.io/goauthentik/dev-{0}:buildcache,mode=max', matrix.type) || '' }}
+      - uses: actions/attest-build-provenance@v2
         id: attest
-        if: ${{ steps.ev.outputs.shouldBuild == 'true' }}
+        if: ${{ steps.ev.outputs.shouldPush == 'true' }}
         with:
-          subject-name: ${{ steps.ev.outputs.imageNames }}
+          subject-name: ${{ steps.ev.outputs.attestImageNames }}
           subject-digest: ${{ steps.push.outputs.digest }}
           push-to-registry: true
   build-binary:

.github/workflows/ci-web.yml

@@ -24,17 +24,11 @@ jobs:
           - prettier-check
         project:
           - web
-          - tests/wdio
         include:
           - command: tsc
             project: web
           - command: lit-analyse
             project: web
-        exclude:
-          - command: lint:lockfile
-            project: tests/wdio
-          - command: tsc
-            project: tests/wdio
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4
@@ -45,21 +39,12 @@ jobs:
       - working-directory: ${{ matrix.project }}/
         run: |
           npm ci
-          ${{ matrix.extra_setup }}
       - name: Generate API
         run: make gen-client-ts
       - name: Lint
         working-directory: ${{ matrix.project }}/
         run: npm run ${{ matrix.command }}
-  ci-web-mark:
-    needs:
-      - lint
-    runs-on: ubuntu-latest
-    steps:
-      - run: echo mark
   build:
-    needs:
-      - ci-web-mark
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -75,6 +60,16 @@ jobs:
       - name: build
         working-directory: web/
         run: npm run build
+  ci-web-mark:
+    if: always()
+    needs:
+      - build
+      - lint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: re-actors/alls-green@release/v1
+        with:
+          jobs: ${{ toJSON(needs) }}
   test:
     needs:
       - ci-web-mark

.github/workflows/ci-website.yml

@@ -62,10 +62,13 @@ jobs:
         working-directory: website/
         run: npm run ${{ matrix.job }}
   ci-website-mark:
+    if: always()
     needs:
       - lint
       - test
       - build
     runs-on: ubuntu-latest
     steps:
-      - run: echo mark
+      - uses: re-actors/alls-green@release/v1
+        with:
+          jobs: ${{ toJSON(needs) }}

.github/workflows/gen-update-webauthn-mds.yml

@@ -11,6 +11,7 @@ env:
 
 jobs:
   build:
+    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
     runs-on: ubuntu-latest
     steps:
       - id: generate_token
@@ -24,7 +25,7 @@ jobs:
       - name: Setup authentik env
         uses: ./.github/actions/setup
       - run: poetry run ak update_webauthn_mds
-      - uses: peter-evans/create-pull-request@v6
+      - uses: peter-evans/create-pull-request@v7
         id: cpr
         with:
           token: ${{ steps.generate_token.outputs.token }}

.github/workflows/ghcr-retention.yml

@@ -7,6 +7,7 @@ on:
 
 jobs:
   clean-ghcr:
+    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
     name: Delete old unused container images
     runs-on: ubuntu-latest
     steps:

.github/workflows/image-compress.yml

@@ -42,7 +42,7 @@ jobs:
         with:
           githubToken: ${{ steps.generate_token.outputs.token }}
           compressOnly: ${{ github.event_name != 'pull_request' }}
-      - uses: peter-evans/create-pull-request@v6
+      - uses: peter-evans/create-pull-request@v7
         if: "${{ github.event_name != 'pull_request' && steps.compress.outputs.markdown != '' }}"
         id: cpr
         with:

.github/workflows/publish-source-docs.yml

@@ -12,6 +12,7 @@ env:
 
 jobs:
   publish-source-docs:
+    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
     runs-on: ubuntu-latest
     timeout-minutes: 120
     steps:

.github/workflows/release-next-branch.yml

@@ -11,6 +11,7 @@ permissions:
 
 jobs:
   update-next:
+    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
     runs-on: ubuntu-latest
     environment: internal-production
     steps:

.github/workflows/release-publish.yml

@@ -55,10 +55,10 @@ jobs:
             VERSION=${{ github.ref }}
           tags: ${{ steps.ev.outputs.imageTags }}
           platforms: linux/amd64,linux/arm64
-      - uses: actions/attest-build-provenance@v1
+      - uses: actions/attest-build-provenance@v2
         id: attest
         with:
-          subject-name: ${{ steps.ev.outputs.imageNames }}
+          subject-name: ${{ steps.ev.outputs.attestImageNames }}
           subject-digest: ${{ steps.push.outputs.digest }}
           push-to-registry: true
   build-outpost:
@@ -119,10 +119,10 @@ jobs:
           file: ${{ matrix.type }}.Dockerfile
           platforms: linux/amd64,linux/arm64
           context: .
-      - uses: actions/attest-build-provenance@v1
+      - uses: actions/attest-build-provenance@v2
         id: attest
         with:
-          subject-name: ${{ steps.ev.outputs.imageNames }}
+          subject-name: ${{ steps.ev.outputs.attestImageNames }}
           subject-digest: ${{ steps.push.outputs.digest }}
           push-to-registry: true
   build-outpost-binary:
@@ -169,6 +169,27 @@ jobs:
           file: ./authentik-outpost-${{ matrix.type }}_${{ matrix.goos }}_${{ matrix.goarch }}
           asset_name: authentik-outpost-${{ matrix.type }}_${{ matrix.goos }}_${{ matrix.goarch }}
           tag: ${{ github.ref }}
+  upload-aws-cfn-template:
+    permissions:
+      # Needed for AWS login
+      id-token: write
+      contents: read
+    needs:
+      - build-server
+      - build-outpost
+    env:
+      AWS_REGION: eu-central-1
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: "arn:aws:iam::016170277896:role/github_goauthentik_authentik"
+          aws-region: ${{ env.AWS_REGION }}
+      - name: Upload template
+        run: |
+          aws s3 cp website/docs/install-config/install/aws/template.yaml s3://authentik-cloudformation-templates/authentik.ecs.${{ github.ref }}.yaml
+          aws s3 cp website/docs/install-config/install/aws/template.yaml s3://authentik-cloudformation-templates/authentik.ecs.latest.yaml
   test-release:
     needs:
       - build-server

.github/workflows/repo-mirror.yml

@@ -0,0 +1,21 @@
+name: "authentik-repo-mirror"
+
+on: [push, delete]
+
+jobs:
+  to_internal:
+    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - if: ${{ env.MIRROR_KEY != '' }}
+        uses: pixta-dev/repository-mirroring-action@v1
+        with:
+          target_repo_url:
+            git@github.com:goauthentik/authentik-internal.git
+          ssh_private_key:
+            ${{ secrets.GH_MIRROR_KEY }}
+        env:
+          MIRROR_KEY: ${{ secrets.GH_MIRROR_KEY }}

.github/workflows/repo-stale.yml

@@ -11,6 +11,7 @@ permissions:
 
 jobs:
   stale:
+    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
     runs-on: ubuntu-latest
     steps:
       - id: generate_token

.github/workflows/translation-extract-compile.yml

@@ -32,7 +32,7 @@ jobs:
           poetry run ak compilemessages
           make web-check-compile
       - name: Create Pull Request
-        uses: peter-evans/create-pull-request@v6
+        uses: peter-evans/create-pull-request@v7
         with:
           token: ${{ steps.generate_token.outputs.token }}
           branch: extract-compile-backend-translation

.vscode/settings.json

@@ -6,6 +6,7 @@
         "authn",
         "entra",
         "goauthentik",
+        "jwe",
         "jwks",
         "kubernetes",
         "oidc",

CODEOWNERS

@@ -19,10 +19,15 @@ Dockerfile                      @goauthentik/infrastructure
 *Dockerfile                     @goauthentik/infrastructure
 .dockerignore                   @goauthentik/infrastructure
 docker-compose.yml              @goauthentik/infrastructure
+Makefile                        @goauthentik/infrastructure
+.editorconfig                   @goauthentik/infrastructure
+CODEOWNERS                      @goauthentik/infrastructure
 # Web
 web/                            @goauthentik/frontend
 tests/wdio/                     @goauthentik/frontend
 # Docs & Website
 website/                        @goauthentik/docs
+CODE_OF_CONDUCT.md              @goauthentik/docs
 # Security
-website/docs/security/          @goauthentik/security
+SECURITY.md                     @goauthentik/security @goauthentik/docs
+website/docs/security/          @goauthentik/security @goauthentik/docs

CONTRIBUTING.md

@@ -1 +1 @@
-website/developer-docs/index.md
+website/docs/developer-docs/index.md

Dockerfile

@@ -80,7 +80,7 @@ RUN --mount=type=cache,sharing=locked,target=/go/pkg/mod \
     go build -o /go/authentik ./cmd/server
 
 # Stage 4: MaxMind GeoIP
-FROM --platform=${BUILDPLATFORM} ghcr.io/maxmind/geoipupdate:v7.0.1 AS geoip
+FROM --platform=${BUILDPLATFORM} ghcr.io/maxmind/geoipupdate:v7.1.0 AS geoip
 
 ENV GEOIPUPDATE_EDITION_IDS="GeoLite2-City GeoLite2-ASN"
 ENV GEOIPUPDATE_VERBOSE="1"
@@ -94,7 +94,7 @@ RUN --mount=type=secret,id=GEOIPUPDATE_ACCOUNT_ID \
     /bin/sh -c "/usr/bin/entry.sh || echo 'Failed to get GeoIP database, disabling'; exit 0"
 
 # Stage 5: Python dependencies
-FROM ghcr.io/goauthentik/fips-python:3.12.5-slim-bookworm-fips-full AS python-deps
+FROM ghcr.io/goauthentik/fips-python:3.12.7-slim-bookworm-fips-full AS python-deps
 
 ARG TARGETARCH
 ARG TARGETVARIANT
@@ -110,7 +110,7 @@ RUN rm -f /etc/apt/apt.conf.d/docker-clean; echo 'Binary::apt::APT::Keep-Downloa
 RUN --mount=type=cache,id=apt-$TARGETARCH$TARGETVARIANT,sharing=locked,target=/var/cache/apt \
     apt-get update && \
     # Required for installing pip packages
-    apt-get install -y --no-install-recommends build-essential pkg-config libpq-dev
+    apt-get install -y --no-install-recommends build-essential pkg-config libpq-dev libkrb5-dev
 
 RUN --mount=type=bind,target=./pyproject.toml,src=./pyproject.toml \
     --mount=type=bind,target=./poetry.lock,src=./poetry.lock \
@@ -124,7 +124,7 @@ RUN --mount=type=bind,target=./pyproject.toml,src=./pyproject.toml \
     pip install --force-reinstall /wheels/*"
 
 # Stage 6: Run
-FROM ghcr.io/goauthentik/fips-python:3.12.5-slim-bookworm-fips-full AS final-image
+FROM ghcr.io/goauthentik/fips-python:3.12.7-slim-bookworm-fips-full AS final-image
 
 ARG VERSION
 ARG GIT_BUILD_HASH
@@ -141,7 +141,7 @@ WORKDIR /
 # We cannot cache this layer otherwise we'll end up with a bigger image
 RUN apt-get update && \
     # Required for runtime
-    apt-get install -y --no-install-recommends libpq5 libmaxminddb0 ca-certificates && \
+    apt-get install -y --no-install-recommends libpq5 libmaxminddb0 ca-certificates libkrb5-3 libkadm5clnt-mit12 libkdb5-10 && \
     # Required for bootstrap & healtcheck
     apt-get install -y --no-install-recommends runit && \
     apt-get clean && \
@@ -161,6 +161,7 @@ COPY ./tests /tests
 COPY ./manage.py /
 COPY ./blueprints /blueprints
 COPY ./lifecycle/ /lifecycle
+COPY ./authentik/sources/kerberos/krb5.conf /etc/krb5.conf
 COPY --from=go-builder /go/authentik /bin/authentik
 COPY --from=python-deps /ak-root/venv /ak-root/venv
 COPY --from=web-builder /work/web/dist/ /web/dist/

Makefile

@@ -5,7 +5,7 @@ PWD = $(shell pwd)
 UID = $(shell id -u)
 GID = $(shell id -g)
 NPM_VERSION = $(shell python -m scripts.npm_version)
-PY_SOURCES = authentik tests scripts lifecycle .github
+PY_SOURCES = authentik tests scripts lifecycle .github website/docs/install-config/install/aws
 DOCKER_IMAGE ?= "authentik:test"
 
 GEN_API_TS = "gen-ts-api"
@@ -19,14 +19,13 @@ pg_name := $(shell python -m authentik.lib.config postgresql.name 2>/dev/null)
 CODESPELL_ARGS = -D - -D .github/codespell-dictionary.txt \
 		-I .github/codespell-words.txt \
 		-S 'web/src/locales/**' \
-		-S 'website/developer-docs/api/reference/**' \
+		-S 'website/docs/developer-docs/api/reference/**' \
 		authentik \
 		internal \
 		cmd \
 		web/src \
 		website/src \
 		website/blog \
-		website/developer-docs \
 		website/docs \
 		website/integrations \
 		website/src
@@ -205,7 +204,7 @@ gen: gen-build gen-client-ts
 web-build: web-install  ## Build the Authentik UI
 	cd web && npm run build
 
-web: web-lint-fix web-lint web-check-compile web-test  ## Automatically fix formatting issues in the Authentik UI source code, lint the code, and compile it
+web: web-lint-fix web-lint web-check-compile  ## Automatically fix formatting issues in the Authentik UI source code, lint the code, and compile it
 
 web-install:  ## Install the necessary libraries to build the Authentik UI
 	cd web && npm ci
@@ -253,6 +252,9 @@ website-build:
 website-watch:  ## Build and watch the documentation website, updating automatically
 	cd website && npm run watch
 
+aws-cfn:
+	cd website && npm run aws-cfn
+
 #########################
 ## Docker
 #########################

README.md

@@ -34,7 +34,7 @@ For bigger setups, there is a Helm Chart [here](https://github.com/goauthentik/h
 
 ## Development
 
-See [Developer Documentation](https://goauthentik.io/developer-docs/?utm_source=github)
+See [Developer Documentation](https://docs.goauthentik.io/docs/developer-docs/?utm_source=github)
 
 ## Security
 

SECURITY.md

@@ -2,7 +2,7 @@ authentik takes security very seriously. We follow the rules of [responsible di
 
 ## Independent audits and pentests
 
-In May/June of 2023 [Cure53](https://cure53.de) conducted an audit and pentest. The [results](https://cure53.de/pentest-report_authentik.pdf) are published on the [Cure53 website](https://cure53.de/#publications-2023). For more details about authentik's response to the findings of the audit refer to [2023-06 Cure53 Code audit](https://goauthentik.io/docs/security/2023-06-cure53).
+We are committed to engaging in regular pentesting and security audits of authentik. Defining and adhering to a cadence of external testing ensures a stronger probability that our code base, our features, and our architecture is as secure and non-exploitable as possible. For more details about specfic audits and pentests, refer to "Audits and Certificates" in our [Security documentation](https://docs.goauthentik.io/docs/security).
 
 ## What authentik classifies as a CVE
 
@@ -18,10 +18,10 @@ Even if the issue is not a CVE, we still greatly appreciate your help in hardeni
 
 (.x being the latest patch release for each version)
 
-| Version  | Supported |
-| -------- | --------- |
-| 2024.4.x | ✅        |
-| 2024.6.x | ✅        |
+| Version   | Supported |
+| --------- | --------- |
+| 2024.8.x  | ✅        |
+| 2024.10.x | ✅        |
 
 ## Reporting a Vulnerability
 

authentik/__init__.py

@@ -2,7 +2,7 @@
 
 from os import environ
 
-__version__ = "2024.6.4"
+__version__ = "2024.10.5"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
 
 

authentik/admin/api/version_history.py

@@ -0,0 +1,33 @@
+from rest_framework.permissions import IsAdminUser
+from rest_framework.viewsets import ReadOnlyModelViewSet
+
+from authentik.admin.models import VersionHistory
+from authentik.core.api.utils import ModelSerializer
+
+
+class VersionHistorySerializer(ModelSerializer):
+    """VersionHistory Serializer"""
+
+    class Meta:
+        model = VersionHistory
+        fields = [
+            "id",
+            "timestamp",
+            "version",
+            "build",
+        ]
+
+
+class VersionHistoryViewSet(ReadOnlyModelViewSet):
+    """VersionHistory Viewset"""
+
+    queryset = VersionHistory.objects.all()
+    serializer_class = VersionHistorySerializer
+    permission_classes = [IsAdminUser]
+    filterset_fields = [
+        "version",
+        "build",
+    ]
+    search_fields = ["version", "build"]
+    ordering = ["-timestamp"]
+    pagination_class = None

authentik/admin/models.py

@@ -0,0 +1,22 @@
+"""authentik admin models"""
+
+from django.db import models
+from django.utils.translation import gettext_lazy as _
+
+
+class VersionHistory(models.Model):
+    id = models.BigAutoField(primary_key=True)
+    timestamp = models.DateTimeField()
+    version = models.TextField()
+    build = models.TextField()
+
+    class Meta:
+        managed = False
+        db_table = "authentik_version_history"
+        ordering = ("-timestamp",)
+        verbose_name = _("Version history")
+        verbose_name_plural = _("Version history")
+        default_permissions = []
+
+    def __str__(self):
+        return f"{self.version}.{self.build} ({self.timestamp})"

authentik/admin/tasks.py

@@ -1,10 +1,8 @@
 """authentik admin tasks"""
 
-import re
-
 from django.core.cache import cache
-from django.core.validators import URLValidator
 from django.db import DatabaseError, InternalError, ProgrammingError
+from django.utils.translation import gettext_lazy as _
 from packaging.version import parse
 from requests import RequestException
 from structlog.stdlib import get_logger
@@ -21,8 +19,6 @@ LOGGER = get_logger()
 VERSION_NULL = "0.0.0"
 VERSION_CACHE_KEY = "authentik_latest_version"
 VERSION_CACHE_TIMEOUT = 8 * 60 * 60  # 8 hours
-# Chop of the first ^ because we want to search the entire string
-URL_FINDER = URLValidator.regex.pattern[1:]
 LOCAL_VERSION = parse(__version__)
 
 
@@ -78,10 +74,16 @@ def update_latest_version(self: SystemTask):
                 context__new_version=upstream_version,
             ).exists():
                 return
-            event_dict = {"new_version": upstream_version}
-            if match := re.search(URL_FINDER, data.get("stable", {}).get("changelog", "")):
-                event_dict["message"] = f"Changelog: {match.group()}"
-            Event.new(EventAction.UPDATE_AVAILABLE, **event_dict).save()
+            Event.new(
+                EventAction.UPDATE_AVAILABLE,
+                message=_(
+                    "New version {version} available!".format(
+                        version=upstream_version,
+                    )
+                ),
+                new_version=upstream_version,
+                changelog=data.get("stable", {}).get("changelog_url"),
+            ).save()
     except (RequestException, IndexError) as exc:
         cache.set(VERSION_CACHE_KEY, VERSION_NULL, VERSION_CACHE_TIMEOUT)
         self.set_error(exc)

authentik/admin/tests/test_tasks.py

@@ -17,6 +17,7 @@ RESPONSE_VALID = {
     "stable": {
         "version": "99999999.9999999",
         "changelog": "See https://goauthentik.io/test",
+        "changelog_url": "https://goauthentik.io/test",
         "reason": "bugfix",
     },
 }
@@ -35,7 +36,7 @@ class TestAdminTasks(TestCase):
                 Event.objects.filter(
                     action=EventAction.UPDATE_AVAILABLE,
                     context__new_version="99999999.9999999",
-                    context__message="Changelog: https://goauthentik.io/test",
+                    context__message="New version 99999999.9999999 available!",
                 ).exists()
             )
             # test that a consecutive check doesn't create a duplicate event
@@ -45,7 +46,7 @@ class TestAdminTasks(TestCase):
                     Event.objects.filter(
                         action=EventAction.UPDATE_AVAILABLE,
                         context__new_version="99999999.9999999",
-                        context__message="Changelog: https://goauthentik.io/test",
+                        context__message="New version 99999999.9999999 available!",
                     )
                 ),
                 1,

authentik/admin/urls.py

@@ -6,6 +6,7 @@ from authentik.admin.api.meta import AppsViewSet, ModelViewSet
 from authentik.admin.api.metrics import AdministrationMetricsViewSet
 from authentik.admin.api.system import SystemView
 from authentik.admin.api.version import VersionView
+from authentik.admin.api.version_history import VersionHistoryViewSet
 from authentik.admin.api.workers import WorkerView
 
 api_urlpatterns = [
@@ -17,6 +18,7 @@ api_urlpatterns = [
         name="admin_metrics",
     ),
     path("admin/version/", VersionView.as_view(), name="admin_version"),
+    ("admin/version/history", VersionHistoryViewSet, "version_history"),
     path("admin/workers/", WorkerView.as_view(), name="admin_workers"),
     path("admin/system/", SystemView.as_view(), name="admin_system"),
 ]

authentik/api/templates/api/browser.html

@@ -7,7 +7,7 @@ API Browser - {{ brand.branding_title }}
 {% endblock %}
 
 {% block head %}
-{% versioned_script "dist/standalone/api-browser/index-%v.js" %}
+<script src="{% versioned_script 'dist/standalone/api-browser/index-%v.js' %}" type="module"></script>
 <meta name="theme-color" content="#151515" media="(prefers-color-scheme: light)">
 <meta name="theme-color" content="#151515" media="(prefers-color-scheme: dark)">
 {% endblock %}

authentik/blueprints/api.py

@@ -51,9 +51,11 @@ class BlueprintInstanceSerializer(ModelSerializer):
         context = self.instance.context if self.instance else {}
         valid, logs = Importer.from_string(content, context).validate()
         if not valid:
-            text_logs = "\n".join([x["event"] for x in logs])
             raise ValidationError(
-                _("Failed to validate blueprint: {logs}".format_map({"logs": text_logs}))
+                [
+                    _("Failed to validate blueprint"),
+                    *[f"- {x.event}" for x in logs],
+                ]
             )
         return content
 

authentik/blueprints/migrations/0001_initial.py

@@ -29,9 +29,7 @@ def check_blueprint_v1_file(BlueprintInstance: type, db_alias, path: Path):
         if version != 1:
             return
         blueprint_file.seek(0)
-    instance: BlueprintInstance = (
-        BlueprintInstance.objects.using(db_alias).filter(path=path).first()
-    )
+    instance = BlueprintInstance.objects.using(db_alias).filter(path=path).first()
     rel_path = path.relative_to(Path(CONFIG.get("blueprints_dir")))
     meta = None
     if metadata:

authentik/blueprints/tests/test_packaged.py

@@ -27,7 +27,8 @@ def blueprint_tester(file_name: Path) -> Callable:
         base = Path("blueprints/")
         rel_path = Path(file_name).relative_to(base)
         importer = Importer.from_string(BlueprintInstance(path=str(rel_path)).retrieve())
-        self.assertTrue(importer.validate()[0])
+        validation, logs = importer.validate()
+        self.assertTrue(validation, logs)
         self.assertTrue(importer.apply())
 
     return tester

authentik/blueprints/tests/test_v1_api.py

@@ -78,5 +78,5 @@ class TestBlueprintsV1API(APITestCase):
         self.assertEqual(res.status_code, 400)
         self.assertJSONEqual(
             res.content.decode(),
-            {"content": ["Failed to validate blueprint: Invalid blueprint version"]},
+            {"content": ["Failed to validate blueprint", "- Invalid blueprint version"]},
         )

authentik/blueprints/v1/importer.py

@@ -51,6 +51,10 @@ from authentik.enterprise.providers.microsoft_entra.models import (
     MicrosoftEntraProviderUser,
 )
 from authentik.enterprise.providers.rac.models import ConnectionToken
+from authentik.enterprise.stages.authenticator_endpoint_gdtc.models import (
+    EndpointDevice,
+    EndpointDeviceConnection,
+)
 from authentik.events.logs import LogEvent, capture_logs
 from authentik.events.models import SystemTask
 from authentik.events.utils import cleanse_dict
@@ -61,7 +65,12 @@ from authentik.lib.utils.reflection import get_apps
 from authentik.outposts.models import OutpostServiceConnection
 from authentik.policies.models import Policy, PolicyBindingModel
 from authentik.policies.reputation.models import Reputation
-from authentik.providers.oauth2.models import AccessToken, AuthorizationCode, RefreshToken
+from authentik.providers.oauth2.models import (
+    AccessToken,
+    AuthorizationCode,
+    DeviceToken,
+    RefreshToken,
+)
 from authentik.providers.scim.models import SCIMProviderGroup, SCIMProviderUser
 from authentik.rbac.models import Role
 from authentik.sources.scim.models import SCIMSourceGroup, SCIMSourceUser
@@ -69,7 +78,7 @@ from authentik.stages.authenticator_webauthn.models import WebAuthnDeviceType
 from authentik.tenants.models import Tenant
 
 # Context set when the serializer is created in a blueprint context
-# Update website/developer-docs/blueprints/v1/models.md when used
+# Update website/docs/customize/blueprints/v1/models.md when used
 SERIALIZER_CONTEXT_BLUEPRINT = "blueprint_entry"
 
 
@@ -119,6 +128,9 @@ def excluded_models() -> list[type[Model]]:
         GoogleWorkspaceProviderGroup,
         MicrosoftEntraProviderUser,
         MicrosoftEntraProviderGroup,
+        EndpointDevice,
+        EndpointDeviceConnection,
+        DeviceToken,
     )
 
 
@@ -287,7 +299,11 @@ class Importer:
 
         serializer_kwargs = {}
         model_instance = existing_models.first()
-        if not isinstance(model(), BaseMetaModel) and model_instance:
+        if (
+            not isinstance(model(), BaseMetaModel)
+            and model_instance
+            and entry.state != BlueprintEntryDesiredState.MUST_CREATED
+        ):
             self.logger.debug(
                 "Initialise serializer with instance",
                 model=model,
@@ -297,11 +313,12 @@ class Importer:
             serializer_kwargs["instance"] = model_instance
             serializer_kwargs["partial"] = True
         elif model_instance and entry.state == BlueprintEntryDesiredState.MUST_CREATED:
+            msg = (
+                f"State is set to {BlueprintEntryDesiredState.MUST_CREATED.value} "
+                "and object exists already",
+            )
             raise EntryInvalidError.from_entry(
-                (
-                    f"State is set to {BlueprintEntryDesiredState.MUST_CREATED} "
-                    "and object exists already",
-                ),
+                ValidationError({k: msg for k in entry.identifiers.keys()}, "unique"),
                 entry,
             )
         else:
@@ -429,7 +446,7 @@ class Importer:
         orig_import = deepcopy(self._import)
         if self._import.version != 1:
             self.logger.warning("Invalid blueprint version")
-            return False, [{"event": "Invalid blueprint version"}]
+            return False, [LogEvent("Invalid blueprint version", log_level="warning", logger=None)]
         with (
             transaction_rollback(),
             capture_logs() as logs,

authentik/blueprints/v1/tasks.py

@@ -5,8 +5,9 @@ from hashlib import sha512
 from pathlib import Path
 from sys import platform
 
+import pglock
 from dacite.core import from_dict
-from django.db import DatabaseError, InternalError, ProgrammingError
+from django.db import DatabaseError, InternalError, ProgrammingError, connection
 from django.utils.text import slugify
 from django.utils.timezone import now
 from django.utils.translation import gettext_lazy as _
@@ -152,15 +153,27 @@ def blueprints_find() -> list[BlueprintFile]:
 @prefill_task
 def blueprints_discovery(self: SystemTask, path: str | None = None):
     """Find blueprints and check if they need to be created in the database"""
-    count = 0
-    for blueprint in blueprints_find():
-        if path and blueprint.path != path:
-            continue
-        check_blueprint_v1_file(blueprint)
-        count += 1
-    self.set_status(
-        TaskStatus.SUCCESSFUL, _("Successfully imported %(count)d files." % {"count": count})
-    )
+    with pglock.advisory(
+        lock_id=f"goauthentik.io/{connection.schema_name}/blueprints/discovery",
+        timeout=0,
+        side_effect=pglock.Return,
+    ) as lock_acquired:
+        if not lock_acquired:
+            LOGGER.debug("Not running blueprint discovery, lock was not acquired")
+            self.set_status(
+                TaskStatus.SUCCESSFUL,
+                _("Blueprint discovery lock could not be acquired. Skipping discovery."),
+            )
+            return
+        count = 0
+        for blueprint in blueprints_find():
+            if path and blueprint.path != path:
+                continue
+            check_blueprint_v1_file(blueprint)
+            count += 1
+        self.set_status(
+            TaskStatus.SUCCESSFUL, _("Successfully imported {count} files.".format(count=count))
+        )
 
 
 def check_blueprint_v1_file(blueprint: BlueprintFile):
@@ -197,48 +210,60 @@ def check_blueprint_v1_file(blueprint: BlueprintFile):
 def apply_blueprint(self: SystemTask, instance_pk: str):
     """Apply single blueprint"""
     self.save_on_success = False
-    instance: BlueprintInstance | None = None
-    try:
-        instance: BlueprintInstance = BlueprintInstance.objects.filter(pk=instance_pk).first()
-        if not instance or not instance.enabled:
+    with pglock.advisory(
+        lock_id=f"goauthentik.io/{connection.schema_name}/blueprints/apply/{instance_pk}",
+        timeout=0,
+        side_effect=pglock.Return,
+    ) as lock_acquired:
+        if not lock_acquired:
+            LOGGER.debug("Not running blueprint discovery, lock was not acquired")
+            self.set_status(
+                TaskStatus.SUCCESSFUL,
+                _("Blueprint apply lock could not be acquired. Skipping apply."),
+            )
             return
-        self.set_uid(slugify(instance.name))
-        blueprint_content = instance.retrieve()
-        file_hash = sha512(blueprint_content.encode()).hexdigest()
-        importer = Importer.from_string(blueprint_content, instance.context)
-        if importer.blueprint.metadata:
-            instance.metadata = asdict(importer.blueprint.metadata)
-        valid, logs = importer.validate()
-        if not valid:
-            instance.status = BlueprintInstanceStatus.ERROR
-            instance.save()
-            self.set_status(TaskStatus.ERROR, *logs)
-            return
-        with capture_logs() as logs:
-            applied = importer.apply()
-            if not applied:
+        instance: BlueprintInstance | None = None
+        try:
+            instance: BlueprintInstance = BlueprintInstance.objects.filter(pk=instance_pk).first()
+            if not instance or not instance.enabled:
+                return
+            self.set_uid(slugify(instance.name))
+            blueprint_content = instance.retrieve()
+            file_hash = sha512(blueprint_content.encode()).hexdigest()
+            importer = Importer.from_string(blueprint_content, instance.context)
+            if importer.blueprint.metadata:
+                instance.metadata = asdict(importer.blueprint.metadata)
+            valid, logs = importer.validate()
+            if not valid:
                 instance.status = BlueprintInstanceStatus.ERROR
                 instance.save()
                 self.set_status(TaskStatus.ERROR, *logs)
                 return
-        instance.status = BlueprintInstanceStatus.SUCCESSFUL
-        instance.last_applied_hash = file_hash
-        instance.last_applied = now()
-        self.set_status(TaskStatus.SUCCESSFUL)
-    except (
-        OSError,
-        DatabaseError,
-        ProgrammingError,
-        InternalError,
-        BlueprintRetrievalFailed,
-        EntryInvalidError,
-    ) as exc:
-        if instance:
-            instance.status = BlueprintInstanceStatus.ERROR
-        self.set_error(exc)
-    finally:
-        if instance:
-            instance.save()
+            with capture_logs() as logs:
+                applied = importer.apply()
+                if not applied:
+                    instance.status = BlueprintInstanceStatus.ERROR
+                    instance.save()
+                    self.set_status(TaskStatus.ERROR, *logs)
+                    return
+            instance.status = BlueprintInstanceStatus.SUCCESSFUL
+            instance.last_applied_hash = file_hash
+            instance.last_applied = now()
+            self.set_status(TaskStatus.SUCCESSFUL)
+        except (
+            OSError,
+            DatabaseError,
+            ProgrammingError,
+            InternalError,
+            BlueprintRetrievalFailed,
+            EntryInvalidError,
+        ) as exc:
+            if instance:
+                instance.status = BlueprintInstanceStatus.ERROR
+            self.set_error(exc)
+        finally:
+            if instance:
+                instance.save()
 
 
 @CELERY_APP.task()

authentik/brands/api.py

@@ -84,8 +84,8 @@ class CurrentBrandSerializer(PassiveSerializer):
 
     matched_domain = CharField(source="domain")
     branding_title = CharField()
-    branding_logo = CharField()
-    branding_favicon = CharField()
+    branding_logo = CharField(source="branding_logo_url")
+    branding_favicon = CharField(source="branding_favicon_url")
     ui_footer_links = ListField(
         child=FooterLinkSerializer(),
         read_only=True,

authentik/brands/middleware.py

@@ -4,7 +4,7 @@ from collections.abc import Callable
 
 from django.http.request import HttpRequest
 from django.http.response import HttpResponse
-from django.utils.translation import activate
+from django.utils.translation import override
 
 from authentik.brands.utils import get_brand_for_request
 
@@ -18,10 +18,14 @@ class BrandMiddleware:
         self.get_response = get_response
 
     def __call__(self, request: HttpRequest) -> HttpResponse:
+        locale_to_set = None
         if not hasattr(request, "brand"):
             brand = get_brand_for_request(request)
             request.brand = brand
             locale = brand.default_locale
             if locale != "":
-                activate(locale)
+                locale_to_set = locale
+        if locale_to_set:
+            with override(locale_to_set):
+                return self.get_response(request)
         return self.get_response(request)

authentik/brands/models.py

@@ -10,6 +10,7 @@ from structlog.stdlib import get_logger
 
 from authentik.crypto.models import CertificateKeyPair
 from authentik.flows.models import Flow
+from authentik.lib.config import CONFIG
 from authentik.lib.models import SerializerModel
 
 LOGGER = get_logger()
@@ -71,6 +72,18 @@ class Brand(SerializerModel):
     )
     attributes = models.JSONField(default=dict, blank=True)
 
+    def branding_logo_url(self) -> str:
+        """Get branding_logo with the correct prefix"""
+        if self.branding_logo.startswith("/static"):
+            return CONFIG.get("web.path", "/")[:-1] + self.branding_logo
+        return self.branding_logo
+
+    def branding_favicon_url(self) -> str:
+        """Get branding_favicon with the correct prefix"""
+        if self.branding_favicon.startswith("/static"):
+            return CONFIG.get("web.path", "/")[:-1] + self.branding_favicon
+        return self.branding_favicon
+
     @property
     def serializer(self) -> Serializer:
         from authentik.brands.api import BrandSerializer

authentik/core/api/devices.py

@@ -1,39 +1,55 @@
 """Authenticator Devices API Views"""
 
+from django.utils.translation import gettext_lazy as _
 from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import OpenApiParameter, extend_schema
 from rest_framework.fields import (
     BooleanField,
     CharField,
     DateTimeField,
-    IntegerField,
     SerializerMethodField,
 )
-from rest_framework.permissions import IsAdminUser, IsAuthenticated
+from rest_framework.permissions import IsAuthenticated
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.viewsets import ViewSet
 
 from authentik.core.api.utils import MetaNameSerializer
+from authentik.enterprise.stages.authenticator_endpoint_gdtc.models import EndpointDevice
+from authentik.rbac.decorators import permission_required
 from authentik.stages.authenticator import device_classes, devices_for_user
 from authentik.stages.authenticator.models import Device
+from authentik.stages.authenticator_webauthn.models import WebAuthnDevice
 
 
 class DeviceSerializer(MetaNameSerializer):
     """Serializer for Duo authenticator devices"""
 
-    pk = IntegerField()
+    pk = CharField()
     name = CharField()
     type = SerializerMethodField()
     confirmed = BooleanField()
     created = DateTimeField(read_only=True)
     last_updated = DateTimeField(read_only=True)
     last_used = DateTimeField(read_only=True, allow_null=True)
+    extra_description = SerializerMethodField()
 
     def get_type(self, instance: Device) -> str:
         """Get type of device"""
         return instance._meta.label
 
+    def get_extra_description(self, instance: Device) -> str:
+        """Get extra description"""
+        if isinstance(instance, WebAuthnDevice):
+            return (
+                instance.device_type.description
+                if instance.device_type
+                else _("Extra description not available")
+            )
+        if isinstance(instance, EndpointDevice):
+            return instance.data.get("deviceSignals", {}).get("deviceModel")
+        return ""
+
 
 class DeviceViewSet(ViewSet):
     """Viewset for authenticator devices"""
@@ -52,7 +68,7 @@ class AdminDeviceViewSet(ViewSet):
     """Viewset for authenticator devices"""
 
     serializer_class = DeviceSerializer
-    permission_classes = [IsAdminUser]
+    permission_classes = []
 
     def get_devices(self, **kwargs):
         """Get all devices in all child classes"""
@@ -70,6 +86,10 @@ class AdminDeviceViewSet(ViewSet):
         ],
         responses={200: DeviceSerializer(many=True)},
     )
+    @permission_required(
+        None,
+        [f"{model._meta.app_label}.view_{model._meta.model_name}" for model in device_classes()],
+    )
     def list(self, request: Request) -> Response:
         """Get all devices for current user"""
         kwargs = {}

authentik/core/api/property_mappings.py

@@ -30,8 +30,10 @@ from authentik.core.api.utils import (
     PassiveSerializer,
 )
 from authentik.core.expression.evaluator import PropertyMappingEvaluator
+from authentik.core.expression.exceptions import PropertyMappingExpressionException
 from authentik.core.models import Group, PropertyMapping, User
 from authentik.events.utils import sanitize_item
+from authentik.lib.utils.errors import exception_to_string
 from authentik.policies.api.exec import PolicyTestSerializer
 from authentik.rbac.decorators import permission_required
 
@@ -162,12 +164,15 @@ class PropertyMappingViewSet(
 
         response_data = {"successful": True, "result": ""}
         try:
-            result = mapping.evaluate(**context)
+            result = mapping.evaluate(dry_run=True, **context)
             response_data["result"] = dumps(
                 sanitize_item(result), indent=(4 if format_result else None)
             )
+        except PropertyMappingExpressionException as exc:
+            response_data["result"] = exception_to_string(exc.exc)
+            response_data["successful"] = False
         except Exception as exc:
-            response_data["result"] = str(exc)
+            response_data["result"] = exception_to_string(exc)
             response_data["successful"] = False
         response = PropertyMappingTestResultSerializer(response_data)
         return Response(response.data)

authentik/core/api/providers.py

@@ -38,6 +38,7 @@ class ProviderSerializer(ModelSerializer, MetaNameSerializer):
             "name",
             "authentication_flow",
             "authorization_flow",
+            "invalidation_flow",
             "property_mappings",
             "component",
             "assigned_application_slug",
@@ -50,6 +51,7 @@ class ProviderSerializer(ModelSerializer, MetaNameSerializer):
         ]
         extra_kwargs = {
             "authorization_flow": {"required": True, "allow_null": False},
+            "invalidation_flow": {"required": True, "allow_null": False},
         }
 
 

authentik/core/api/transactional_applications.py

@@ -1,10 +1,12 @@
 """transactional application and provider creation"""
 
 from django.apps import apps
+from django.db.models import Model
+from django.utils.translation import gettext as _
 from drf_spectacular.utils import PolymorphicProxySerializer, extend_schema, extend_schema_field
-from rest_framework.exceptions import ValidationError
+from rest_framework.exceptions import PermissionDenied, ValidationError
 from rest_framework.fields import BooleanField, CharField, ChoiceField, DictField, ListField
-from rest_framework.permissions import IsAdminUser
+from rest_framework.permissions import IsAuthenticated
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.views import APIView
@@ -22,6 +24,7 @@ from authentik.core.api.applications import ApplicationSerializer
 from authentik.core.api.utils import PassiveSerializer
 from authentik.core.models import Provider
 from authentik.lib.utils.reflection import all_subclasses
+from authentik.policies.api.bindings import PolicyBindingSerializer
 
 
 def get_provider_serializer_mapping():
@@ -45,6 +48,13 @@ class TransactionProviderField(DictField):
     """Dictionary field which can hold provider creation data"""
 
 
+class TransactionPolicyBindingSerializer(PolicyBindingSerializer):
+    """PolicyBindingSerializer which does not require target as target is set implicitly"""
+
+    class Meta(PolicyBindingSerializer.Meta):
+        fields = [x for x in PolicyBindingSerializer.Meta.fields if x != "target"]
+
+
 class TransactionApplicationSerializer(PassiveSerializer):
     """Serializer for creating a provider and an application in one transaction"""
 
@@ -52,6 +62,8 @@ class TransactionApplicationSerializer(PassiveSerializer):
     provider_model = ChoiceField(choices=list(get_provider_serializer_mapping().keys()))
     provider = TransactionProviderField()
 
+    policy_bindings = TransactionPolicyBindingSerializer(many=True, required=False)
+
     _provider_model: type[Provider] = None
 
     def validate_provider_model(self, fq_model_name: str) -> str:
@@ -96,6 +108,19 @@ class TransactionApplicationSerializer(PassiveSerializer):
                 id="app",
             )
         )
+        for binding in attrs.get("policy_bindings", []):
+            binding["target"] = KeyOf(None, ScalarNode(tag="", value="app"))
+            for key, value in binding.items():
+                if not isinstance(value, Model):
+                    continue
+                binding[key] = value.pk
+            blueprint.entries.append(
+                BlueprintEntry(
+                    model="authentik_policies.policybinding",
+                    state=BlueprintEntryDesiredState.MUST_CREATED,
+                    identifiers=binding,
+                )
+            )
         importer = Importer(blueprint, {})
         try:
             valid, _ = importer.validate(raise_validation_errors=True)
@@ -120,8 +145,7 @@ class TransactionApplicationResponseSerializer(PassiveSerializer):
 class TransactionalApplicationView(APIView):
     """Create provider and application and attach them in a single transaction"""
 
-    # TODO: Migrate to a more specific permission
-    permission_classes = [IsAdminUser]
+    permission_classes = [IsAuthenticated]
 
     @extend_schema(
         request=TransactionApplicationSerializer(),
@@ -133,8 +157,23 @@ class TransactionalApplicationView(APIView):
         """Convert data into a blueprint, validate it and apply it"""
         data = TransactionApplicationSerializer(data=request.data)
         data.is_valid(raise_exception=True)
-
-        importer = Importer(data.validated_data, {})
+        blueprint: Blueprint = data.validated_data
+        for entry in blueprint.entries:
+            full_model = entry.get_model(blueprint)
+            app, __, model = full_model.partition(".")
+            if not request.user.has_perm(f"{app}.add_{model}"):
+                raise PermissionDenied(
+                    {
+                        entry.id: _(
+                            "User lacks permission to create {model}".format_map(
+                                {
+                                    "model": full_model,
+                                }
+                            )
+                        )
+                    }
+                )
+        importer = Importer(blueprint, {})
         applied = importer.apply()
         response = {"applied": False, "logs": []}
         response["applied"] = applied

authentik/core/api/users.py

@@ -666,7 +666,12 @@ class UserViewSet(UsedByMixin, ModelViewSet):
 
     @permission_required("authentik_core.impersonate")
     @extend_schema(
-        request=OpenApiTypes.NONE,
+        request=inline_serializer(
+            "ImpersonationSerializer",
+            {
+                "reason": CharField(required=True),
+            },
+        ),
         responses={
             "204": OpenApiResponse(description="Successfully started impersonation"),
             "401": OpenApiResponse(description="Access denied"),
@@ -678,18 +683,27 @@ class UserViewSet(UsedByMixin, ModelViewSet):
         if not request.tenant.impersonation:
             LOGGER.debug("User attempted to impersonate", user=request.user)
             return Response(status=401)
-        if not request.user.has_perm("impersonate"):
+        user_to_be = self.get_object()
+        reason = request.data.get("reason", "")
+        # Check both object-level perms and global perms
+        if not request.user.has_perm(
+            "authentik_core.impersonate", user_to_be
+        ) and not request.user.has_perm("authentik_core.impersonate"):
             LOGGER.debug("User attempted to impersonate without permissions", user=request.user)
             return Response(status=401)
-        user_to_be = self.get_object()
         if user_to_be.pk == self.request.user.pk:
             LOGGER.debug("User attempted to impersonate themselves", user=request.user)
             return Response(status=401)
+        if not reason and request.tenant.impersonation_require_reason:
+            LOGGER.debug(
+                "User attempted to impersonate without providing a reason", user=request.user
+            )
+            return Response(status=401)
 
         request.session[SESSION_KEY_IMPERSONATE_ORIGINAL_USER] = request.user
         request.session[SESSION_KEY_IMPERSONATE_USER] = user_to_be
 
-        Event.new(EventAction.IMPERSONATION_STARTED).from_http(request, user_to_be)
+        Event.new(EventAction.IMPERSONATION_STARTED, reason=reason).from_http(request, user_to_be)
 
         return Response(status=201)
 

authentik/core/management/commands/change_user_type.py

@@ -9,10 +9,11 @@ class Command(TenantCommand):
 
     def add_arguments(self, parser):
         parser.add_argument("--type", type=str, required=True)
-        parser.add_argument("--all", action="store_true")
-        parser.add_argument("usernames", nargs="+", type=str)
+        parser.add_argument("--all", action="store_true", default=False)
+        parser.add_argument("usernames", nargs="*", type=str)
 
     def handle_per_tenant(self, **options):
+        print(options)
         new_type = UserTypes(options["type"])
         qs = (
             User.objects.exclude_anonymous()
@@ -22,6 +23,9 @@ class Command(TenantCommand):
         if options["usernames"] and options["all"]:
             self.stderr.write("--all and usernames specified, only one can be specified")
             return
+        if not options["usernames"] and not options["all"]:
+            self.stderr.write("--all or usernames must be specified")
+            return
         if options["usernames"] and not options["all"]:
             qs = qs.filter(username__in=options["usernames"])
         updated = qs.update(type=new_type)

authentik/core/management/commands/shell.py

@@ -4,6 +4,7 @@ import code
 import platform
 import sys
 import traceback
+from pprint import pprint
 
 from django.apps import apps
 from django.core.management.base import BaseCommand
@@ -34,7 +35,9 @@ class Command(BaseCommand):
 
     def get_namespace(self):
         """Prepare namespace with all models"""
-        namespace = {}
+        namespace = {
+            "pprint": pprint,
+        }
 
         # Gather Django models and constants from each app
         for app in apps.get_app_configs():

authentik/core/middleware.py

@@ -5,7 +5,7 @@ from contextvars import ContextVar
 from uuid import uuid4
 
 from django.http import HttpRequest, HttpResponse
-from django.utils.translation import activate
+from django.utils.translation import override
 from sentry_sdk.api import set_tag
 from structlog.contextvars import STRUCTLOG_KEY_PREFIX
 
@@ -31,16 +31,20 @@ class ImpersonateMiddleware:
     def __call__(self, request: HttpRequest) -> HttpResponse:
         # No permission checks are done here, they need to be checked before
         # SESSION_KEY_IMPERSONATE_USER is set.
+        locale_to_set = None
         if request.user.is_authenticated:
             locale = request.user.locale(request)
             if locale != "":
-                activate(locale)
+                locale_to_set = locale
 
         if SESSION_KEY_IMPERSONATE_USER in request.session:
             request.user = request.session[SESSION_KEY_IMPERSONATE_USER]
             # Ensure that the user is active, otherwise nothing will work
             request.user.is_active = True
 
+        if locale_to_set:
+            with override(locale_to_set):
+                return self.get_response(request)
         return self.get_response(request)
 
 

authentik/core/migrations/0040_provider_invalidation_flow.py

@@ -0,0 +1,55 @@
+# Generated by Django 5.0.9 on 2024-10-02 11:35
+
+import django.db.models.deletion
+from django.db import migrations, models
+
+from django.apps.registry import Apps
+from django.db import migrations, models
+from django.db.backends.base.schema import BaseDatabaseSchemaEditor
+
+
+def migrate_invalidation_flow_default(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
+    from authentik.flows.models import FlowDesignation, FlowAuthenticationRequirement
+
+    db_alias = schema_editor.connection.alias
+
+    Flow = apps.get_model("authentik_flows", "Flow")
+    Provider = apps.get_model("authentik_core", "Provider")
+
+    # So this flow is managed via a blueprint, bue we're in a migration so we don't want to rely on that
+    # since the blueprint is just an empty flow we can just create it here
+    # and let it be managed by the blueprint later
+    flow, _ = Flow.objects.using(db_alias).update_or_create(
+        slug="default-provider-invalidation-flow",
+        defaults={
+            "name": "Logged out of application",
+            "title": "You've logged out of %(app)s.",
+            "authentication": FlowAuthenticationRequirement.NONE,
+            "designation": FlowDesignation.INVALIDATION,
+        },
+    )
+    Provider.objects.using(db_alias).filter(invalidation_flow=None).update(invalidation_flow=flow)
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_core", "0039_source_group_matching_mode_alter_group_name_and_more"),
+        ("authentik_flows", "0027_auto_20231028_1424"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="provider",
+            name="invalidation_flow",
+            field=models.ForeignKey(
+                default=None,
+                help_text="Flow used ending the session from a provider.",
+                null=True,
+                on_delete=django.db.models.deletion.SET_DEFAULT,
+                related_name="provider_invalidation",
+                to="authentik_flows.flow",
+            ),
+        ),
+        migrations.RunPython(migrate_invalidation_flow_default),
+    ]

authentik/core/models.py

@@ -330,11 +330,13 @@ class User(SerializerModel, GuardianUserMixin, AttributesMixin, AbstractUser):
         """superuser == staff user"""
         return self.is_superuser  # type: ignore
 
-    def set_password(self, raw_password, signal=True):
+    def set_password(self, raw_password, signal=True, sender=None):
         if self.pk and signal:
             from authentik.core.signals import password_changed
 
-            password_changed.send(sender=self, user=self, password=raw_password)
+            if not sender:
+                sender = self
+            password_changed.send(sender=sender, user=self, password=raw_password)
         self.password_change_date = now()
         return super().set_password(raw_password)
 
@@ -391,14 +393,23 @@ class Provider(SerializerModel):
         ),
         related_name="provider_authentication",
     )
-
     authorization_flow = models.ForeignKey(
         "authentik_flows.Flow",
+        # Set to cascade even though null is allowed, since most providers
+        # still require an authorization flow set
         on_delete=models.CASCADE,
         null=True,
         help_text=_("Flow used when authorizing this provider."),
         related_name="provider_authorization",
     )
+    invalidation_flow = models.ForeignKey(
+        "authentik_flows.Flow",
+        on_delete=models.SET_DEFAULT,
+        default=None,
+        null=True,
+        help_text=_("Flow used ending the session from a provider."),
+        related_name="provider_invalidation",
+    )
 
     property_mappings = models.ManyToManyField("PropertyMapping", default=None, blank=True)
 
@@ -466,8 +477,6 @@ class ApplicationQuerySet(QuerySet):
     def with_provider(self) -> "QuerySet[Application]":
         qs = self.select_related("provider")
         for subclass in Provider.objects.get_queryset()._get_subclasses_recurse(Provider):
-            if LOOKUP_SEP in subclass:
-                continue
             qs = qs.select_related(f"provider__{subclass}")
         return qs
 
@@ -545,15 +554,24 @@ class Application(SerializerModel, PolicyBindingModel):
         if not self.provider:
             return None
 
-        for subclass in Provider.objects.get_queryset()._get_subclasses_recurse(Provider):
-            # We don't care about recursion, skip nested models
-            if LOOKUP_SEP in subclass:
+        candidates = []
+        base_class = Provider
+        for subclass in base_class.objects.get_queryset()._get_subclasses_recurse(base_class):
+            parent = self.provider
+            for level in subclass.split(LOOKUP_SEP):
+                try:
+                    parent = getattr(parent, level)
+                except AttributeError:
+                    break
+            if parent in candidates:
                 continue
-            try:
-                return getattr(self.provider, subclass)
-            except AttributeError:
-                pass
-        return None
+            idx = subclass.count(LOOKUP_SEP)
+            if type(parent) is not base_class:
+                idx += 1
+            candidates.insert(idx, parent)
+        if not candidates:
+            return None
+        return candidates[-1]
 
     def __str__(self):
         return str(self.name)
@@ -901,7 +919,7 @@ class PropertyMapping(SerializerModel, ManagedModel):
         except ControlFlowException as exc:
             raise exc
         except Exception as exc:
-            raise PropertyMappingExpressionException(self, exc) from exc
+            raise PropertyMappingExpressionException(exc, self) from exc
 
     def __str__(self):
         return f"Property Mapping {self.name}"

authentik/core/sources/flow_manager.py

@@ -1,11 +1,9 @@
 """Source decision helper"""
 
-from enum import Enum
 from typing import Any
 
 from django.contrib import messages
 from django.db import IntegrityError, transaction
-from django.db.models.query_utils import Q
 from django.http import HttpRequest, HttpResponse
 from django.shortcuts import redirect
 from django.urls import reverse
@@ -16,12 +14,11 @@ from authentik.core.models import (
     Group,
     GroupSourceConnection,
     Source,
-    SourceGroupMatchingModes,
-    SourceUserMatchingModes,
     User,
     UserSourceConnection,
 )
 from authentik.core.sources.mapper import SourceMapper
+from authentik.core.sources.matcher import Action, SourceMatcher
 from authentik.core.sources.stage import (
     PLAN_CONTEXT_SOURCES_CONNECTION,
     PostSourceStage,
@@ -54,16 +51,6 @@ SESSION_KEY_OVERRIDE_FLOW_TOKEN = "authentik/flows/source_override_flow_token"
 PLAN_CONTEXT_SOURCE_GROUPS = "source_groups"
 
 
-class Action(Enum):
-    """Actions that can be decided based on the request
-    and source settings"""
-
-    LINK = "link"
-    AUTH = "auth"
-    ENROLL = "enroll"
-    DENY = "deny"
-
-
 class MessageStage(StageView):
     """Show a pre-configured message after the flow is done"""
 
@@ -86,6 +73,7 @@ class SourceFlowManager:
 
     source: Source
     mapper: SourceMapper
+    matcher: SourceMatcher
     request: HttpRequest
 
     identifier: str
@@ -108,6 +96,9 @@ class SourceFlowManager:
     ) -> None:
         self.source = source
         self.mapper = SourceMapper(self.source)
+        self.matcher = SourceMatcher(
+            self.source, self.user_connection_type, self.group_connection_type
+        )
         self.request = request
         self.identifier = identifier
         self.user_info = user_info
@@ -131,66 +122,24 @@ class SourceFlowManager:
 
     def get_action(self, **kwargs) -> tuple[Action, UserSourceConnection | None]:  # noqa: PLR0911
         """decide which action should be taken"""
-        new_connection = self.user_connection_type(source=self.source, identifier=self.identifier)
         # When request is authenticated, always link
         if self.request.user.is_authenticated:
+            new_connection = self.user_connection_type(
+                source=self.source, identifier=self.identifier
+            )
             new_connection.user = self.request.user
             new_connection = self.update_user_connection(new_connection, **kwargs)
+            if existing := self.user_connection_type.objects.filter(
+                source=self.source, identifier=self.identifier
+            ).first():
+                existing = self.update_user_connection(existing)
+                return Action.AUTH, existing
             return Action.LINK, new_connection
 
-        existing_connections = self.user_connection_type.objects.filter(
-            source=self.source, identifier=self.identifier
-        )
-        if existing_connections.exists():
-            connection = existing_connections.first()
-            return Action.AUTH, self.update_user_connection(connection, **kwargs)
-        # No connection exists, but we match on identifier, so enroll
-        if self.source.user_matching_mode == SourceUserMatchingModes.IDENTIFIER:
-            # We don't save the connection here cause it doesn't have a user assigned yet
-            return Action.ENROLL, self.update_user_connection(new_connection, **kwargs)
-
-        # Check for existing users with matching attributes
-        query = Q()
-        # Either query existing user based on email or username
-        if self.source.user_matching_mode in [
-            SourceUserMatchingModes.EMAIL_LINK,
-            SourceUserMatchingModes.EMAIL_DENY,
-        ]:
-            if not self.user_properties.get("email", None):
-                self._logger.warning("Refusing to use none email")
-                return Action.DENY, None
-            query = Q(email__exact=self.user_properties.get("email", None))
-        if self.source.user_matching_mode in [
-            SourceUserMatchingModes.USERNAME_LINK,
-            SourceUserMatchingModes.USERNAME_DENY,
-        ]:
-            if not self.user_properties.get("username", None):
-                self._logger.warning("Refusing to use none username")
-                return Action.DENY, None
-            query = Q(username__exact=self.user_properties.get("username", None))
-        self._logger.debug("trying to link with existing user", query=query)
-        matching_users = User.objects.filter(query)
-        # No matching users, always enroll
-        if not matching_users.exists():
-            self._logger.debug("no matching users found, enrolling")
-            return Action.ENROLL, self.update_user_connection(new_connection, **kwargs)
-
-        user = matching_users.first()
-        if self.source.user_matching_mode in [
-            SourceUserMatchingModes.EMAIL_LINK,
-            SourceUserMatchingModes.USERNAME_LINK,
-        ]:
-            new_connection.user = user
-            new_connection = self.update_user_connection(new_connection, **kwargs)
-            return Action.LINK, new_connection
-        if self.source.user_matching_mode in [
-            SourceUserMatchingModes.EMAIL_DENY,
-            SourceUserMatchingModes.USERNAME_DENY,
-        ]:
-            self._logger.info("denying source because user exists", user=user)
-            return Action.DENY, None
-        # Should never get here as default enroll case is returned above.
-        return Action.DENY, None  # pragma: no cover
+        action, connection = self.matcher.get_user_action(self.identifier, self.user_properties)
+        if connection:
+            connection = self.update_user_connection(connection, **kwargs)
+        return action, connection
 
     def update_user_connection(
         self, connection: UserSourceConnection, **kwargs
@@ -316,19 +265,13 @@ class SourceFlowManager:
         if stages:
             for stage in stages:
                 plan.append_stage(stage)
-        self.request.session[SESSION_KEY_PLAN] = plan
-        return redirect_with_qs(
-            "authentik_core:if-flow",
-            self.request.GET,
-            flow_slug=flow.slug,
-        )
+        return plan.to_redirect(self.request, flow)
 
     def handle_auth(
         self,
         connection: UserSourceConnection,
     ) -> HttpResponse:
         """Login user and redirect."""
-        flow_kwargs = {PLAN_CONTEXT_PENDING_USER: connection.user}
         return self._prepare_flow(
             self.source.authentication_flow,
             connection,
@@ -342,7 +285,11 @@ class SourceFlowManager:
                     ),
                 )
             ],
-            **flow_kwargs,
+            **{
+                PLAN_CONTEXT_PENDING_USER: connection.user,
+                PLAN_CONTEXT_PROMPT: delete_none_values(self.user_properties),
+                PLAN_CONTEXT_USER_PATH: self.source.get_user_path(),
+            },
         )
 
     def handle_existing_link(
@@ -408,74 +355,16 @@ class SourceFlowManager:
 class GroupUpdateStage(StageView):
     """Dynamically injected stage which updates the user after enrollment/authentication."""
 
-    def get_action(
-        self, group_id: str, group_properties: dict[str, Any | dict[str, Any]]
-    ) -> tuple[Action, GroupSourceConnection | None]:
-        """decide which action should be taken"""
-        new_connection = self.group_connection_type(source=self.source, identifier=group_id)
-
-        existing_connections = self.group_connection_type.objects.filter(
-            source=self.source, identifier=group_id
-        )
-        if existing_connections.exists():
-            return Action.LINK, existing_connections.first()
-        # No connection exists, but we match on identifier, so enroll
-        if self.source.group_matching_mode == SourceGroupMatchingModes.IDENTIFIER:
-            # We don't save the connection here cause it doesn't have a user assigned yet
-            return Action.ENROLL, new_connection
-
-        # Check for existing groups with matching attributes
-        query = Q()
-        if self.source.group_matching_mode in [
-            SourceGroupMatchingModes.NAME_LINK,
-            SourceGroupMatchingModes.NAME_DENY,
-        ]:
-            if not group_properties.get("name", None):
-                LOGGER.warning(
-                    "Refusing to use none group name", source=self.source, group_id=group_id
-                )
-                return Action.DENY, None
-            query = Q(name__exact=group_properties.get("name"))
-        LOGGER.debug(
-            "trying to link with existing group", source=self.source, query=query, group_id=group_id
-        )
-        matching_groups = Group.objects.filter(query)
-        # No matching groups, always enroll
-        if not matching_groups.exists():
-            LOGGER.debug(
-                "no matching groups found, enrolling", source=self.source, group_id=group_id
-            )
-            return Action.ENROLL, new_connection
-
-        group = matching_groups.first()
-        if self.source.group_matching_mode in [
-            SourceGroupMatchingModes.NAME_LINK,
-        ]:
-            new_connection.group = group
-            return Action.LINK, new_connection
-        if self.source.group_matching_mode in [
-            SourceGroupMatchingModes.NAME_DENY,
-        ]:
-            LOGGER.info(
-                "denying source because group exists",
-                source=self.source,
-                group=group,
-                group_id=group_id,
-            )
-            return Action.DENY, None
-        # Should never get here as default enroll case is returned above.
-        return Action.DENY, None  # pragma: no cover
-
     def handle_group(
         self, group_id: str, group_properties: dict[str, Any | dict[str, Any]]
     ) -> Group | None:
-        action, connection = self.get_action(group_id, group_properties)
+        action, connection = self.matcher.get_group_action(group_id, group_properties)
         if action == Action.ENROLL:
             group = Group.objects.create(**group_properties)
             connection.group = group
             connection.save()
             return group
-        elif action == Action.LINK:
+        elif action in (Action.LINK, Action.AUTH):
             group = connection.group
             group.update_attributes(group_properties)
             connection.save()
@@ -489,6 +378,7 @@ class GroupUpdateStage(StageView):
         self.group_connection_type: GroupSourceConnection = (
             self.executor.current_stage.group_connection_type
         )
+        self.matcher = SourceMatcher(self.source, None, self.group_connection_type)
 
         raw_groups: dict[str, dict[str, Any | dict[str, Any]]] = self.executor.plan.context[
             PLAN_CONTEXT_SOURCE_GROUPS

authentik/core/sources/matcher.py

@@ -0,0 +1,152 @@
+"""Source user and group matching"""
+
+from dataclasses import dataclass
+from enum import Enum
+from typing import Any
+
+from django.db.models import Q
+from structlog import get_logger
+
+from authentik.core.models import (
+    Group,
+    GroupSourceConnection,
+    Source,
+    SourceGroupMatchingModes,
+    SourceUserMatchingModes,
+    User,
+    UserSourceConnection,
+)
+
+
+class Action(Enum):
+    """Actions that can be decided based on the request and source settings"""
+
+    LINK = "link"
+    AUTH = "auth"
+    ENROLL = "enroll"
+    DENY = "deny"
+
+
+@dataclass
+class MatchableProperty:
+    property: str
+    link_mode: SourceUserMatchingModes | SourceGroupMatchingModes
+    deny_mode: SourceUserMatchingModes | SourceGroupMatchingModes
+
+
+class SourceMatcher:
+    def __init__(
+        self,
+        source: Source,
+        user_connection_type: type[UserSourceConnection],
+        group_connection_type: type[GroupSourceConnection],
+    ):
+        self.source = source
+        self.user_connection_type = user_connection_type
+        self.group_connection_type = group_connection_type
+        self._logger = get_logger().bind(source=self.source)
+
+    def get_action(
+        self,
+        object_type: type[User | Group],
+        matchable_properties: list[MatchableProperty],
+        identifier: str,
+        properties: dict[str, Any | dict[str, Any]],
+    ) -> tuple[Action, UserSourceConnection | GroupSourceConnection | None]:
+        connection_type = None
+        matching_mode = None
+        identifier_matching_mode = None
+        if object_type == User:
+            connection_type = self.user_connection_type
+            matching_mode = self.source.user_matching_mode
+            identifier_matching_mode = SourceUserMatchingModes.IDENTIFIER
+        if object_type == Group:
+            connection_type = self.group_connection_type
+            matching_mode = self.source.group_matching_mode
+            identifier_matching_mode = SourceGroupMatchingModes.IDENTIFIER
+        if not connection_type or not matching_mode or not identifier_matching_mode:
+            return Action.DENY, None
+
+        new_connection = connection_type(source=self.source, identifier=identifier)
+
+        existing_connections = connection_type.objects.filter(
+            source=self.source, identifier=identifier
+        )
+        if existing_connections.exists():
+            return Action.AUTH, existing_connections.first()
+        # No connection exists, but we match on identifier, so enroll
+        if matching_mode == identifier_matching_mode:
+            # We don't save the connection here cause it doesn't have a user/group assigned yet
+            return Action.ENROLL, new_connection
+
+        # Check for existing users with matching attributes
+        query = Q()
+        for matchable_property in matchable_properties:
+            property = matchable_property.property
+            if matching_mode in [matchable_property.link_mode, matchable_property.deny_mode]:
+                if not properties.get(property, None):
+                    self._logger.warning(
+                        "Refusing to use none property", identifier=identifier, property=property
+                    )
+                    return Action.DENY, None
+                query_args = {
+                    f"{property}__exact": properties[property],
+                }
+                query = Q(**query_args)
+        self._logger.debug(
+            "Trying to link with existing object", query=query, identifier=identifier
+        )
+        matching_objects = object_type.objects.filter(query)
+        # Not matching objects, always enroll
+        if not matching_objects.exists():
+            self._logger.debug("No matching objects found, enrolling")
+            return Action.ENROLL, new_connection
+
+        obj = matching_objects.first()
+        if matching_mode in [mp.link_mode for mp in matchable_properties]:
+            attr = None
+            if object_type == User:
+                attr = "user"
+            if object_type == Group:
+                attr = "group"
+            setattr(new_connection, attr, obj)
+            return Action.LINK, new_connection
+        if matching_mode in [mp.deny_mode for mp in matchable_properties]:
+            self._logger.info("Denying source because object exists", obj=obj)
+            return Action.DENY, None
+
+        # Should never get here as default enroll case is returned above.
+        return Action.DENY, None  # pragma: no cover
+
+    def get_user_action(
+        self, identifier: str, properties: dict[str, Any | dict[str, Any]]
+    ) -> tuple[Action, UserSourceConnection | None]:
+        return self.get_action(
+            User,
+            [
+                MatchableProperty(
+                    "username",
+                    SourceUserMatchingModes.USERNAME_LINK,
+                    SourceUserMatchingModes.USERNAME_DENY,
+                ),
+                MatchableProperty(
+                    "email", SourceUserMatchingModes.EMAIL_LINK, SourceUserMatchingModes.EMAIL_DENY
+                ),
+            ],
+            identifier,
+            properties,
+        )
+
+    def get_group_action(
+        self, identifier: str, properties: dict[str, Any | dict[str, Any]]
+    ) -> tuple[Action, GroupSourceConnection | None]:
+        return self.get_action(
+            Group,
+            [
+                MatchableProperty(
+                    "name", SourceGroupMatchingModes.NAME_LINK, SourceGroupMatchingModes.NAME_DENY
+                ),
+            ],
+            identifier,
+            properties,
+        )

authentik/core/templates/base/header_js.html

@@ -9,6 +9,9 @@
         versionFamily: "{{ version_family }}",
         versionSubdomain: "{{ version_subdomain }}",
         build: "{{ build }}",
+        api: {
+            base: "{{ base_url }}",
+        },
     };
     window.addEventListener("DOMContentLoaded", function () {
         {% for message in messages %}

authentik/core/templates/base/skeleton.html

@@ -9,14 +9,14 @@
         <meta charset="UTF-8">
         <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
         <title>{% block title %}{% trans title|default:brand.branding_title %}{% endblock %}</title>
-        <link rel="icon" href="{{ brand.branding_favicon }}">
-        <link rel="shortcut icon" href="{{ brand.branding_favicon }}">
+        <link rel="icon" href="{{ brand.branding_favicon_url }}">
+        <link rel="shortcut icon" href="{{ brand.branding_favicon_url }}">
         {% block head_before %}
         {% endblock %}
         <link rel="stylesheet" type="text/css" href="{% static 'dist/authentik.css' %}">
         <link rel="stylesheet" type="text/css" href="{% static 'dist/custom.css' %}" data-inject>
-        {% versioned_script "dist/poly-%v.js" %}
-        {% versioned_script "dist/standalone/loading/index-%v.js" %}
+        <script src="{% versioned_script 'dist/poly-%v.js' %}" type="module"></script>
+        <script src="{% versioned_script 'dist/standalone/loading/index-%v.js' %}" type="module"></script>
         {% block head %}
         {% endblock %}
         <meta name="sentry-trace" content="{{ sentry_trace }}" />

authentik/core/templates/if/admin.html

@@ -3,7 +3,7 @@
 {% load authentik_core %}
 
 {% block head %}
-{% versioned_script "dist/admin/AdminInterface-%v.js" %}
+<script src="{% versioned_script 'dist/admin/AdminInterface-%v.js' %}" type="module"></script>
 <meta name="theme-color" content="#18191a" media="(prefers-color-scheme: dark)">
 <meta name="theme-color" content="#ffffff" media="(prefers-color-scheme: light)">
 {% include "base/header_js.html" %}

authentik/core/templates/if/end_session.html

@@ -1,43 +0,0 @@
-{% extends 'login/base_full.html' %}
-
-{% load static %}
-{% load i18n %}
-
-{% block title %}
-{% trans 'End session' %} - {{ brand.branding_title }}
-{% endblock %}
-
-{% block card_title %}
-{% blocktrans with application=application.name %}
-You've logged out of {{ application }}.
-{% endblocktrans %}
-{% endblock %}
-
-{% block card %}
-<form method="POST" class="pf-c-form">
-    <p>
-        {% blocktrans with application=application.name branding_title=brand.branding_title %}
-            You've logged out of {{ application }}. You can go back to the overview to launch another application, or log out of your {{ branding_title }} account.
-        {% endblocktrans %}
-    </p>
-
-    <a id="ak-back-home" href="{% url 'authentik_core:root-redirect' %}" class="pf-c-button pf-m-primary">
-        {% trans 'Go back to overview' %}
-    </a>
-
-    <a id="logout" href="{% url 'authentik_flows:default-invalidation' %}" class="pf-c-button pf-m-secondary">
-        {% blocktrans with branding_title=brand.branding_title %}
-            Log out of {{ branding_title }}
-        {% endblocktrans %}
-    </a>
-
-    {% if application.get_launch_url %}
-    <a href="{{ application.get_launch_url }}" class="pf-c-button pf-m-secondary">
-        {% blocktrans with application=application.name %}
-            Log back into {{ application }}
-        {% endblocktrans %}
-    </a>
-    {% endif %}
-
-</form>
-{% endblock %}

authentik/core/templates/if/user.html

@@ -3,7 +3,7 @@
 {% load authentik_core %}
 
 {% block head %}
-{% versioned_script "dist/user/UserInterface-%v.js" %}
+<script src="{% versioned_script 'dist/user/UserInterface-%v.js' %}" type="module"></script>
 <meta name="theme-color" content="#1c1e21" media="(prefers-color-scheme: light)">
 <meta name="theme-color" content="#1c1e21" media="(prefers-color-scheme: dark)">
 {% include "base/header_js.html" %}

authentik/core/templates/login/base_full.html

@@ -4,7 +4,7 @@
 {% load i18n %}
 
 {% block head_before %}
-<link rel="prefetch" href="/static/dist/assets/images/flow_background.jpg" />
+<link rel="prefetch" href="{% static 'dist/assets/images/flow_background.jpg' %}" />
 <link rel="stylesheet" type="text/css" href="{% static 'dist/patternfly.min.css' %}">
 <link rel="stylesheet" type="text/css" href="{% static 'dist/theme-dark.css' %}" media="(prefers-color-scheme: dark)">
 {% include "base/header_js.html" %}
@@ -13,7 +13,7 @@
 {% block head %}
 <style>
 :root {
-    --ak-flow-background: url("/static/dist/assets/images/flow_background.jpg");
+    --ak-flow-background: url("{% static 'dist/assets/images/flow_background.jpg' %}");
     --pf-c-background-image--BackgroundImage: var(--ak-flow-background);
     --pf-c-background-image--BackgroundImage-2x: var(--ak-flow-background);
     --pf-c-background-image--BackgroundImage--sm: var(--ak-flow-background);
@@ -50,7 +50,7 @@
     <div class="ak-login-container">
         <main class="pf-c-login__main">
             <div class="pf-c-login__main-header pf-c-brand ak-brand">
-                <img src="{{ brand.branding_logo }}" alt="authentik Logo" />
+                <img src="{{ brand.branding_logo_url }}" alt="authentik Logo" />
             </div>
             <header class="pf-c-login__main-header">
                 <h1 class="pf-c-title pf-m-3xl">

authentik/core/templatetags/authentik_core.py

@@ -2,7 +2,6 @@
 
 from django import template
 from django.templatetags.static import static as static_loader
-from django.utils.safestring import mark_safe
 
 from authentik import get_full_version
 
@@ -12,10 +11,4 @@ register = template.Library()
 @register.simple_tag()
 def versioned_script(path: str) -> str:
     """Wrapper around {% static %} tag that supports setting the version"""
-    returned_lines = [
-        (
-            f'<script src="{static_loader(path.replace("%v", get_full_version()))}'
-            '" type="module"></script>'
-        ),
-    ]
-    return mark_safe("".join(returned_lines))  # nosec
+    return static_loader(path.replace("%v", get_full_version()))

authentik/core/tests/test_applications_api.py

@@ -9,9 +9,12 @@ from rest_framework.test import APITestCase
 
 from authentik.core.models import Application
 from authentik.core.tests.utils import create_test_admin_user, create_test_flow
+from authentik.lib.generators import generate_id
 from authentik.policies.dummy.models import DummyPolicy
 from authentik.policies.models import PolicyBinding
-from authentik.providers.oauth2.models import OAuth2Provider
+from authentik.providers.oauth2.models import OAuth2Provider, RedirectURI, RedirectURIMatchingMode
+from authentik.providers.proxy.models import ProxyProvider
+from authentik.providers.saml.models import SAMLProvider
 
 
 class TestApplicationsAPI(APITestCase):
@@ -21,7 +24,7 @@ class TestApplicationsAPI(APITestCase):
         self.user = create_test_admin_user()
         self.provider = OAuth2Provider.objects.create(
             name="test",
-            redirect_uris="http://some-other-domain",
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://some-other-domain")],
             authorization_flow=create_test_flow(),
         )
         self.allowed: Application = Application.objects.create(
@@ -131,6 +134,7 @@ class TestApplicationsAPI(APITestCase):
                             "assigned_application_name": "allowed",
                             "assigned_application_slug": "allowed",
                             "authentication_flow": None,
+                            "invalidation_flow": None,
                             "authorization_flow": str(self.provider.authorization_flow.pk),
                             "component": "ak-provider-oauth2-form",
                             "meta_model_name": "authentik_providers_oauth2.oauth2provider",
@@ -183,6 +187,7 @@ class TestApplicationsAPI(APITestCase):
                             "assigned_application_name": "allowed",
                             "assigned_application_slug": "allowed",
                             "authentication_flow": None,
+                            "invalidation_flow": None,
                             "authorization_flow": str(self.provider.authorization_flow.pk),
                             "component": "ak-provider-oauth2-form",
                             "meta_model_name": "authentik_providers_oauth2.oauth2provider",
@@ -222,3 +227,31 @@ class TestApplicationsAPI(APITestCase):
                 ],
             },
         )
+
+    def test_get_provider(self):
+        """Ensure that proxy providers (at the time of writing that is the only provider
+        that inherits from another proxy type (OAuth) instead of inheriting from the root
+        provider class) is correctly looked up and selected from the database"""
+        slug = generate_id()
+        provider = ProxyProvider.objects.create(name=generate_id())
+        Application.objects.create(
+            name=generate_id(),
+            slug=slug,
+            provider=provider,
+        )
+        self.assertEqual(Application.objects.get(slug=slug).get_provider(), provider)
+        self.assertEqual(
+            Application.objects.with_provider().get(slug=slug).get_provider(), provider
+        )
+
+        slug = generate_id()
+        provider = SAMLProvider.objects.create(name=generate_id())
+        Application.objects.create(
+            name=generate_id(),
+            slug=slug,
+            provider=provider,
+        )
+        self.assertEqual(Application.objects.get(slug=slug).get_provider(), provider)
+        self.assertEqual(
+            Application.objects.with_provider().get(slug=slug).get_provider(), provider
+        )

authentik/core/tests/test_devices_api.py

@@ -0,0 +1,59 @@
+"""Test Devices API"""
+
+from json import loads
+
+from django.urls import reverse
+from rest_framework.test import APITestCase
+
+from authentik.core.tests.utils import create_test_admin_user, create_test_user
+
+
+class TestDevicesAPI(APITestCase):
+    """Test applications API"""
+
+    def setUp(self) -> None:
+        self.admin = create_test_admin_user()
+        self.user1 = create_test_user()
+        self.device1 = self.user1.staticdevice_set.create()
+        self.user2 = create_test_user()
+        self.device2 = self.user2.staticdevice_set.create()
+
+    def test_user_api(self):
+        """Test user API"""
+        self.client.force_login(self.user1)
+        response = self.client.get(
+            reverse(
+                "authentik_api:device-list",
+            )
+        )
+        self.assertEqual(response.status_code, 200)
+        body = loads(response.content.decode())
+        self.assertEqual(len(body), 1)
+        self.assertEqual(body[0]["pk"], str(self.device1.pk))
+
+    def test_user_api_as_admin(self):
+        """Test user API"""
+        self.client.force_login(self.admin)
+        response = self.client.get(
+            reverse(
+                "authentik_api:device-list",
+            )
+        )
+        self.assertEqual(response.status_code, 200)
+        body = loads(response.content.decode())
+        self.assertEqual(len(body), 0)
+
+    def test_admin_api(self):
+        """Test admin API"""
+        self.client.force_login(self.admin)
+        response = self.client.get(
+            reverse(
+                "authentik_api:admin-device-list",
+            )
+        )
+        self.assertEqual(response.status_code, 200)
+        body = loads(response.content.decode())
+        self.assertEqual(len(body), 2)
+        self.assertEqual(
+            {body[0]["pk"], body[1]["pk"]}, {str(self.device1.pk), str(self.device2.pk)}
+        )

authentik/core/tests/test_impersonation.py

@@ -3,10 +3,10 @@
 from json import loads
 
 from django.urls import reverse
+from guardian.shortcuts import assign_perm
 from rest_framework.test import APITestCase
 
-from authentik.core.models import User
-from authentik.core.tests.utils import create_test_admin_user
+from authentik.core.tests.utils import create_test_admin_user, create_test_user
 from authentik.tenants.utils import get_current_tenant
 
 
@@ -15,7 +15,7 @@ class TestImpersonation(APITestCase):
 
     def setUp(self) -> None:
         super().setUp()
-        self.other_user = User.objects.create(username="to-impersonate")
+        self.other_user = create_test_user()
         self.user = create_test_admin_user()
 
     def test_impersonate_simple(self):
@@ -29,7 +29,8 @@ class TestImpersonation(APITestCase):
             reverse(
                 "authentik_api:user-impersonate",
                 kwargs={"pk": self.other_user.pk},
-            )
+            ),
+            data={"reason": "some reason"},
         )
 
         response = self.client.get(reverse("authentik_api:user-me"))
@@ -44,12 +45,55 @@ class TestImpersonation(APITestCase):
         self.assertEqual(response_body["user"]["username"], self.user.username)
         self.assertNotIn("original", response_body)
 
+    def test_impersonate_global(self):
+        """Test impersonation with global permissions"""
+        new_user = create_test_user()
+        assign_perm("authentik_core.impersonate", new_user)
+        assign_perm("authentik_core.view_user", new_user)
+        self.client.force_login(new_user)
+
+        response = self.client.post(
+            reverse(
+                "authentik_api:user-impersonate",
+                kwargs={"pk": self.other_user.pk},
+            ),
+            data={"reason": "some reason"},
+        )
+        self.assertEqual(response.status_code, 201)
+
+        response = self.client.get(reverse("authentik_api:user-me"))
+        response_body = loads(response.content.decode())
+        self.assertEqual(response_body["user"]["username"], self.other_user.username)
+        self.assertEqual(response_body["original"]["username"], new_user.username)
+
+    def test_impersonate_scoped(self):
+        """Test impersonation with scoped permissions"""
+        new_user = create_test_user()
+        assign_perm("authentik_core.impersonate", new_user, self.other_user)
+        assign_perm("authentik_core.view_user", new_user, self.other_user)
+        self.client.force_login(new_user)
+
+        response = self.client.post(
+            reverse(
+                "authentik_api:user-impersonate",
+                kwargs={"pk": self.other_user.pk},
+            ),
+            data={"reason": "some reason"},
+        )
+        self.assertEqual(response.status_code, 201)
+
+        response = self.client.get(reverse("authentik_api:user-me"))
+        response_body = loads(response.content.decode())
+        self.assertEqual(response_body["user"]["username"], self.other_user.username)
+        self.assertEqual(response_body["original"]["username"], new_user.username)
+
     def test_impersonate_denied(self):
         """test impersonation without permissions"""
         self.client.force_login(self.other_user)
 
         response = self.client.post(
-            reverse("authentik_api:user-impersonate", kwargs={"pk": self.user.pk})
+            reverse("authentik_api:user-impersonate", kwargs={"pk": self.user.pk}),
+            data={"reason": "some reason"},
         )
         self.assertEqual(response.status_code, 403)
 
@@ -65,7 +109,8 @@ class TestImpersonation(APITestCase):
         self.client.force_login(self.user)
 
         response = self.client.post(
-            reverse("authentik_api:user-impersonate", kwargs={"pk": self.other_user.pk})
+            reverse("authentik_api:user-impersonate", kwargs={"pk": self.other_user.pk}),
+            data={"reason": "some reason"},
         )
         self.assertEqual(response.status_code, 401)
 
@@ -78,7 +123,22 @@ class TestImpersonation(APITestCase):
         self.client.force_login(self.user)
 
         response = self.client.post(
-            reverse("authentik_api:user-impersonate", kwargs={"pk": self.user.pk})
+            reverse("authentik_api:user-impersonate", kwargs={"pk": self.user.pk}),
+            data={"reason": "some reason"},
+        )
+        self.assertEqual(response.status_code, 401)
+
+        response = self.client.get(reverse("authentik_api:user-me"))
+        response_body = loads(response.content.decode())
+        self.assertEqual(response_body["user"]["username"], self.user.username)
+
+    def test_impersonate_reason_required(self):
+        """test impersonation that user must provide reason"""
+        self.client.force_login(self.user)
+
+        response = self.client.post(
+            reverse("authentik_api:user-impersonate", kwargs={"pk": self.user.pk}),
+            data={"reason": ""},
         )
         self.assertEqual(response.status_code, 401)
 

authentik/core/tests/test_source_flow_manager.py

@@ -81,6 +81,22 @@ class TestSourceFlowManager(TestCase):
             reverse("authentik_core:if-user") + "#/settings;page-sources",
         )
 
+    def test_authenticated_auth(self):
+        """Test authenticated user linking"""
+        user = User.objects.create(username="foo", email="foo@bar.baz")
+        UserOAuthSourceConnection.objects.create(
+            user=user, source=self.source, identifier=self.identifier
+        )
+        request = get_request("/", user=user)
+        flow_manager = OAuthSourceFlowManager(
+            self.source, request, self.identifier, {"info": {}}, {}
+        )
+        action, connection = flow_manager.get_action()
+        self.assertEqual(action, Action.AUTH)
+        self.assertIsNotNone(connection.pk)
+        response = flow_manager.get_flow()
+        self.assertEqual(response.status_code, 302)
+
     def test_unauthenticated_link(self):
         """Test un-authenticated user linking"""
         flow_manager = OAuthSourceFlowManager(

authentik/core/tests/test_transactional_applications_api.py

@@ -1,11 +1,13 @@
 """Test Transactional API"""
 
 from django.urls import reverse
+from guardian.shortcuts import assign_perm
 from rest_framework.test import APITestCase
 
-from authentik.core.models import Application
-from authentik.core.tests.utils import create_test_admin_user, create_test_flow
+from authentik.core.models import Application, Group
+from authentik.core.tests.utils import create_test_flow, create_test_user
 from authentik.lib.generators import generate_id
+from authentik.policies.models import PolicyBinding
 from authentik.providers.oauth2.models import OAuth2Provider
 
 
@@ -13,12 +15,68 @@ class TestTransactionalApplicationsAPI(APITestCase):
     """Test Transactional API"""
 
     def setUp(self) -> None:
-        self.user = create_test_admin_user()
+        self.user = create_test_user()
+        assign_perm("authentik_core.add_application", self.user)
+        assign_perm("authentik_providers_oauth2.add_oauth2provider", self.user)
 
     def test_create_transactional(self):
         """Test transactional Application + provider creation"""
         self.client.force_login(self.user)
         uid = generate_id()
+        response = self.client.put(
+            reverse("authentik_api:core-transactional-application"),
+            data={
+                "app": {
+                    "name": uid,
+                    "slug": uid,
+                },
+                "provider_model": "authentik_providers_oauth2.oauth2provider",
+                "provider": {
+                    "name": uid,
+                    "authorization_flow": str(create_test_flow().pk),
+                    "invalidation_flow": str(create_test_flow().pk),
+                    "redirect_uris": [],
+                },
+            },
+        )
+        self.assertJSONEqual(response.content.decode(), {"applied": True, "logs": []})
+        provider = OAuth2Provider.objects.filter(name=uid).first()
+        self.assertIsNotNone(provider)
+        app = Application.objects.filter(slug=uid).first()
+        self.assertIsNotNone(app)
+        self.assertEqual(app.provider.pk, provider.pk)
+
+    def test_create_transactional_permission_denied(self):
+        """Test transactional Application + provider creation (missing permissions)"""
+        self.client.force_login(self.user)
+        uid = generate_id()
+        response = self.client.put(
+            reverse("authentik_api:core-transactional-application"),
+            data={
+                "app": {
+                    "name": uid,
+                    "slug": uid,
+                },
+                "provider_model": "authentik_providers_saml.samlprovider",
+                "provider": {
+                    "name": uid,
+                    "authorization_flow": str(create_test_flow().pk),
+                    "invalidation_flow": str(create_test_flow().pk),
+                    "acs_url": "https://goauthentik.io",
+                },
+            },
+        )
+        self.assertJSONEqual(
+            response.content.decode(),
+            {"provider": "User lacks permission to create authentik_providers_saml.samlprovider"},
+        )
+
+    def test_create_transactional_bindings(self):
+        """Test transactional Application + provider creation"""
+        assign_perm("authentik_policies.add_policybinding", self.user)
+        self.client.force_login(self.user)
+        uid = generate_id()
+        group = Group.objects.create(name=generate_id())
         authorization_flow = create_test_flow()
         response = self.client.put(
             reverse("authentik_api:core-transactional-application"),
@@ -31,7 +89,10 @@ class TestTransactionalApplicationsAPI(APITestCase):
                 "provider": {
                     "name": uid,
                     "authorization_flow": str(authorization_flow.pk),
+                    "invalidation_flow": str(authorization_flow.pk),
+                    "redirect_uris": [],
                 },
+                "policy_bindings": [{"group": group.pk, "order": 0}],
             },
         )
         self.assertJSONEqual(response.content.decode(), {"applied": True, "logs": []})
@@ -40,6 +101,10 @@ class TestTransactionalApplicationsAPI(APITestCase):
         app = Application.objects.filter(slug=uid).first()
         self.assertIsNotNone(app)
         self.assertEqual(app.provider.pk, provider.pk)
+        binding = PolicyBinding.objects.filter(target=app).first()
+        self.assertIsNotNone(binding)
+        self.assertEqual(binding.target, app)
+        self.assertEqual(binding.group, group)
 
     def test_create_transactional_invalid(self):
         """Test transactional Application + provider creation"""
@@ -56,10 +121,46 @@ class TestTransactionalApplicationsAPI(APITestCase):
                 "provider": {
                     "name": uid,
                     "authorization_flow": "",
+                    "invalidation_flow": "",
+                    "redirect_uris": [],
                 },
             },
         )
         self.assertJSONEqual(
             response.content.decode(),
-            {"provider": {"authorization_flow": ["This field may not be null."]}},
+            {
+                "provider": {
+                    "authorization_flow": ["This field may not be null."],
+                    "invalidation_flow": ["This field may not be null."],
+                }
+            },
+        )
+
+    def test_create_transactional_duplicate_name_provider(self):
+        """Test transactional Application + provider creation"""
+        self.client.force_login(self.user)
+        uid = generate_id()
+        OAuth2Provider.objects.create(
+            name=uid,
+            authorization_flow=create_test_flow(),
+            invalidation_flow=create_test_flow(),
+        )
+        response = self.client.put(
+            reverse("authentik_api:core-transactional-application"),
+            data={
+                "app": {
+                    "name": uid,
+                    "slug": uid,
+                },
+                "provider_model": "authentik_providers_oauth2.oauth2provider",
+                "provider": {
+                    "name": uid,
+                    "authorization_flow": str(create_test_flow().pk),
+                    "invalidation_flow": str(create_test_flow().pk),
+                },
+            },
+        )
+        self.assertJSONEqual(
+            response.content.decode(),
+            {"provider": {"name": ["State is set to must_created and object exists already"]}},
         )

authentik/core/urls.py

@@ -5,7 +5,6 @@ from channels.sessions import CookieMiddleware
 from django.conf import settings
 from django.contrib.auth.decorators import login_required
 from django.urls import path
-from django.views.decorators.csrf import ensure_csrf_cookie
 
 from authentik.core.api.applications import ApplicationViewSet
 from authentik.core.api.authenticated_sessions import AuthenticatedSessionViewSet
@@ -24,7 +23,6 @@ from authentik.core.views.interface import (
     InterfaceView,
     RootRedirectView,
 )
-from authentik.core.views.session import EndSessionView
 from authentik.flows.views.interface import FlowInterfaceView
 from authentik.root.asgi_middleware import SessionMiddleware
 from authentik.root.messages.consumer import MessageConsumer
@@ -45,26 +43,21 @@ urlpatterns = [
     # Interfaces
     path(
         "if/admin/",
-        ensure_csrf_cookie(BrandDefaultRedirectView.as_view(template_name="if/admin.html")),
+        BrandDefaultRedirectView.as_view(template_name="if/admin.html"),
         name="if-admin",
     ),
     path(
         "if/user/",
-        ensure_csrf_cookie(BrandDefaultRedirectView.as_view(template_name="if/user.html")),
+        BrandDefaultRedirectView.as_view(template_name="if/user.html"),
         name="if-user",
     ),
     path(
         "if/flow/<slug:flow_slug>/",
         # FIXME: move this url to the flows app...also will cause all
         # of the reverse calls to be adjusted
-        ensure_csrf_cookie(FlowInterfaceView.as_view()),
+        FlowInterfaceView.as_view(),
         name="if-flow",
     ),
-    path(
-        "if/session-end/<slug:application_slug>/",
-        ensure_csrf_cookie(EndSessionView.as_view()),
-        name="if-session-end",
-    ),
     # Fallback for WS
     path("ws/outpost/<uuid:pk>/", InterfaceView.as_view(template_name="if/admin.html")),
     path(

authentik/core/views/apps.py

@@ -17,10 +17,8 @@ from authentik.flows.planner import PLAN_CONTEXT_APPLICATION, FlowPlanner
 from authentik.flows.stage import ChallengeStageView
 from authentik.flows.views.executor import (
     SESSION_KEY_APPLICATION_PRE,
-    SESSION_KEY_PLAN,
     ToDefaultFlow,
 )
-from authentik.lib.utils.urls import redirect_with_qs
 from authentik.stages.consent.stage import (
     PLAN_CONTEXT_CONSENT_HEADER,
     PLAN_CONTEXT_CONSENT_PERMISSIONS,
@@ -58,8 +56,7 @@ class RedirectToAppLaunch(View):
         except FlowNonApplicableException:
             raise Http404 from None
         plan.insert_stage(in_memory_stage(RedirectToAppStage))
-        request.session[SESSION_KEY_PLAN] = plan
-        return redirect_with_qs("authentik_core:if-flow", request.GET, flow_slug=flow.slug)
+        return plan.to_redirect(request, flow)
 
 
 class RedirectToAppStage(ChallengeStageView):

authentik/core/views/interface.py

@@ -16,6 +16,7 @@ from authentik.api.v3.config import ConfigView
 from authentik.brands.api import CurrentBrandSerializer
 from authentik.brands.models import Brand
 from authentik.core.models import UserTypes
+from authentik.lib.config import CONFIG
 from authentik.policies.denied import AccessDeniedResponse
 
 
@@ -51,6 +52,7 @@ class InterfaceView(TemplateView):
         kwargs["version_subdomain"] = f"version-{LOCAL_VERSION.major}-{LOCAL_VERSION.minor}"
         kwargs["build"] = get_build_hash()
         kwargs["url_kwargs"] = self.kwargs
+        kwargs["base_url"] = self.request.build_absolute_uri(CONFIG.get("web.path", "/"))
         return super().get_context_data(**kwargs)
 
 

authentik/core/views/session.py

@@ -1,23 +0,0 @@
-"""authentik Session Views"""
-
-from typing import Any
-
-from django.shortcuts import get_object_or_404
-from django.views.generic.base import TemplateView
-
-from authentik.core.models import Application
-from authentik.policies.views import PolicyAccessView
-
-
-class EndSessionView(TemplateView, PolicyAccessView):
-    """Allow the client to end the Session"""
-
-    template_name = "if/end_session.html"
-
-    def resolve_provider_application(self):
-        self.application = get_object_or_404(Application, slug=self.kwargs["application_slug"])
-
-    def get_context_data(self, **kwargs: Any) -> dict[str, Any]:
-        context = super().get_context_data(**kwargs)
-        context["application"] = self.application
-        return context

authentik/crypto/api.py

@@ -24,6 +24,7 @@ from rest_framework.fields import (
 from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.request import Request
 from rest_framework.response import Response
+from rest_framework.validators import UniqueValidator
 from rest_framework.viewsets import ModelViewSet
 from structlog.stdlib import get_logger
 
@@ -181,7 +182,10 @@ class CertificateDataSerializer(PassiveSerializer):
 class CertificateGenerationSerializer(PassiveSerializer):
     """Certificate generation parameters"""
 
-    common_name = CharField()
+    common_name = CharField(
+        validators=[UniqueValidator(queryset=CertificateKeyPair.objects.all())],
+        source="name",
+    )
     subject_alt_name = CharField(required=False, allow_blank=True, label=_("Subject-alt name"))
     validity_days = IntegerField(initial=365)
     alg = ChoiceField(default=PrivateKeyAlg.RSA, choices=PrivateKeyAlg.choices)
@@ -242,11 +246,10 @@ class CertificateKeyPairViewSet(UsedByMixin, ModelViewSet):
     def generate(self, request: Request) -> Response:
         """Generate a new, self-signed certificate-key pair"""
         data = CertificateGenerationSerializer(data=request.data)
-        if not data.is_valid():
-            return Response(data.errors, status=400)
+        data.is_valid(raise_exception=True)
         raw_san = data.validated_data.get("subject_alt_name", "")
         sans = raw_san.split(",") if raw_san != "" else []
-        builder = CertificateBuilder(data.validated_data["common_name"])
+        builder = CertificateBuilder(data.validated_data["name"])
         builder.alg = data.validated_data["alg"]
         builder.build(
             subject_alt_names=sans,

authentik/crypto/tasks.py

@@ -85,5 +85,5 @@ def certificate_discovery(self: SystemTask):
         if dirty:
             cert.save()
     self.set_status(
-        TaskStatus.SUCCESSFUL, _("Successfully imported %(count)d files." % {"count": discovered})
+        TaskStatus.SUCCESSFUL, _("Successfully imported {count} files.".format(count=discovered))
     )

authentik/crypto/tests.py

@@ -18,7 +18,7 @@ from authentik.crypto.models import CertificateKeyPair
 from authentik.crypto.tasks import MANAGED_DISCOVERED, certificate_discovery
 from authentik.lib.config import CONFIG
 from authentik.lib.generators import generate_id, generate_key
-from authentik.providers.oauth2.models import OAuth2Provider
+from authentik.providers.oauth2.models import OAuth2Provider, RedirectURI, RedirectURIMatchingMode
 
 
 class TestCrypto(APITestCase):
@@ -89,6 +89,17 @@ class TestCrypto(APITestCase):
         self.assertIsInstance(ext[1], DNSName)
         self.assertEqual(ext[1].value, "baz")
 
+    def test_builder_api_duplicate(self):
+        """Test Builder (via API)"""
+        cert = create_test_cert()
+        self.client.force_login(create_test_admin_user())
+        res = self.client.post(
+            reverse("authentik_api:certificatekeypair-generate"),
+            data={"common_name": cert.name, "subject_alt_name": "bar,baz", "validity_days": 3},
+        )
+        self.assertEqual(res.status_code, 400)
+        self.assertJSONEqual(res.content, {"common_name": ["This field must be unique."]})
+
     def test_builder_api_empty_san(self):
         """Test Builder (via API)"""
         self.client.force_login(create_test_admin_user())
@@ -263,7 +274,7 @@ class TestCrypto(APITestCase):
             client_id="test",
             client_secret=generate_key(),
             authorization_flow=create_test_flow(),
-            redirect_uris="http://localhost",
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost")],
             signing_key=keypair,
         )
         response = self.client.get(
@@ -295,7 +306,7 @@ class TestCrypto(APITestCase):
             client_id="test",
             client_secret=generate_key(),
             authorization_flow=create_test_flow(),
-            redirect_uris="http://localhost",
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost")],
             signing_key=keypair,
         )
         response = self.client.get(

authentik/enterprise/api.py

@@ -18,7 +18,7 @@ from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import ModelSerializer, PassiveSerializer
 from authentik.core.models import User, UserTypes
 from authentik.enterprise.license import LicenseKey, LicenseSummarySerializer
-from authentik.enterprise.models import License, LicenseUsageStatus
+from authentik.enterprise.models import License
 from authentik.rbac.decorators import permission_required
 from authentik.tenants.utils import get_unique_identifier
 
@@ -29,7 +29,7 @@ class EnterpriseRequiredMixin:
 
     def validate(self, attrs: dict) -> dict:
         """Check that a valid license exists"""
-        if LicenseKey.cached_summary().status != LicenseUsageStatus.UNLICENSED:
+        if not LicenseKey.cached_summary().status.is_valid:
             raise ValidationError(_("Enterprise is required to create/update this object."))
         return super().validate(attrs)
 

authentik/enterprise/apps.py

@@ -25,4 +25,4 @@ class AuthentikEnterpriseConfig(EnterpriseConfig):
         """Actual enterprise check, cached"""
         from authentik.enterprise.license import LicenseKey
 
-        return LicenseKey.cached_summary().status
+        return LicenseKey.cached_summary().status.is_valid

authentik/enterprise/license.py

@@ -117,10 +117,13 @@ class LicenseKey:
                     our_cert.public_key(),
                     algorithms=["ES512"],
                     audience=get_license_aud(),
-                    options={"verify_exp": check_expiry},
+                    options={"verify_exp": check_expiry, "verify_signature": check_expiry},
                 ),
             )
         except PyJWTError:
+            unverified = decode(jwt, options={"verify_signature": False})
+            if unverified["aud"] != get_license_aud():
+                raise ValidationError("Invalid Install ID in license") from None
             raise ValidationError("Unable to verify license") from None
         return body
 
@@ -134,7 +137,7 @@ class LicenseKey:
             exp_ts = int(mktime(lic.expiry.timetuple()))
             if total.exp == 0:
                 total.exp = exp_ts
-            total.exp = min(total.exp, exp_ts)
+            total.exp = max(total.exp, exp_ts)
             total.license_flags.extend(lic.status.license_flags)
         return total
 

authentik/enterprise/middleware.py

@@ -6,6 +6,7 @@ from django.http import HttpRequest, HttpResponse, JsonResponse
 from django.urls import resolve
 from structlog.stdlib import BoundLogger, get_logger
 
+from authentik.core.api.users import UserViewSet
 from authentik.enterprise.api import LicenseViewSet
 from authentik.enterprise.license import LicenseKey
 from authentik.enterprise.models import LicenseUsageStatus
@@ -59,6 +60,9 @@ class EnterpriseMiddleware:
         # Flow executor is mounted as an API path but explicitly allowed
         if request.resolver_match._func_path == class_to_path(FlowExecutorView):
             return True
+        # Always allow making changes to users, even in case the license has ben exceeded
+        if request.resolver_match._func_path == class_to_path(UserViewSet):
+            return True
         # Only apply these restrictions to the API
         if "authentik_api" not in request.resolver_match.app_names:
             return True

authentik/enterprise/providers/rac/api/providers.py

@@ -16,13 +16,28 @@ class RACProviderSerializer(EnterpriseRequiredMixin, ProviderSerializer):
 
     class Meta:
         model = RACProvider
-        fields = ProviderSerializer.Meta.fields + [
+        fields = [
+            "pk",
+            "name",
+            "authentication_flow",
+            "authorization_flow",
+            "property_mappings",
+            "component",
+            "assigned_application_slug",
+            "assigned_application_name",
+            "assigned_backchannel_application_slug",
+            "assigned_backchannel_application_name",
+            "verbose_name",
+            "verbose_name_plural",
+            "meta_model_name",
             "settings",
             "outpost_set",
             "connection_expiry",
             "delete_token_on_disconnect",
         ]
-        extra_kwargs = ProviderSerializer.Meta.extra_kwargs
+        extra_kwargs = {
+            "authorization_flow": {"required": True, "allow_null": False},
+        }
 
 
 class RACProviderViewSet(UsedByMixin, ModelViewSet):

authentik/enterprise/providers/rac/templates/if/rac.html

@@ -3,11 +3,11 @@
 {% load authentik_core %}
 
 {% block head %}
-{% versioned_script "dist/enterprise/rac/index-%v.js" %}
+<script src="{% versioned_script 'dist/enterprise/rac/index-%v.js' %}" type="module"></script>
 <meta name="theme-color" content="#18191a" media="(prefers-color-scheme: dark)">
 <meta name="theme-color" content="#ffffff" media="(prefers-color-scheme: light)">
-<link rel="icon" href="{{ tenant.branding_favicon }}">
-<link rel="shortcut icon" href="{{ tenant.branding_favicon }}">
+<link rel="icon" href="{{ tenant.branding_favicon_url }}">
+<link rel="shortcut icon" href="{{ tenant.branding_favicon_url }}">
 {% include "base/header_js.html" %}
 {% endblock %}
 

authentik/enterprise/providers/rac/tests/test_api.py

@@ -0,0 +1,46 @@
+"""Test RAC Provider"""
+
+from datetime import timedelta
+from time import mktime
+from unittest.mock import MagicMock, patch
+
+from django.urls import reverse
+from django.utils.timezone import now
+from rest_framework.test import APITestCase
+
+from authentik.core.tests.utils import create_test_admin_user, create_test_flow
+from authentik.enterprise.license import LicenseKey
+from authentik.enterprise.models import License
+from authentik.lib.generators import generate_id
+
+
+class TestAPI(APITestCase):
+    """Test Provider API"""
+
+    def setUp(self) -> None:
+        self.user = create_test_admin_user()
+
+    @patch(
+        "authentik.enterprise.license.LicenseKey.validate",
+        MagicMock(
+            return_value=LicenseKey(
+                aud="",
+                exp=int(mktime((now() + timedelta(days=3000)).timetuple())),
+                name=generate_id(),
+                internal_users=100,
+                external_users=100,
+            )
+        ),
+    )
+    def test_create(self):
+        """Test creation of RAC Provider"""
+        License.objects.create(key=generate_id())
+        self.client.force_login(self.user)
+        response = self.client.post(
+            reverse("authentik_api:racprovider-list"),
+            data={
+                "name": generate_id(),
+                "authorization_flow": create_test_flow().pk,
+            },
+        )
+        self.assertEqual(response.status_code, 201)

authentik/enterprise/providers/rac/urls.py

@@ -3,7 +3,6 @@
 from channels.auth import AuthMiddleware
 from channels.sessions import CookieMiddleware
 from django.urls import path
-from django.views.decorators.csrf import ensure_csrf_cookie
 
 from authentik.enterprise.providers.rac.api.connection_tokens import ConnectionTokenViewSet
 from authentik.enterprise.providers.rac.api.endpoints import EndpointViewSet
@@ -19,12 +18,12 @@ from authentik.root.middleware import ChannelsLoggingMiddleware
 urlpatterns = [
     path(
         "application/rac/<slug:app>/<uuid:endpoint>/",
-        ensure_csrf_cookie(RACStartView.as_view()),
+        RACStartView.as_view(),
         name="start",
     ),
     path(
         "if/rac/<str:token>/",
-        ensure_csrf_cookie(RACInterface.as_view()),
+        RACInterface.as_view(),
         name="if-rac",
     ),
 ]

authentik/enterprise/providers/rac/views.py

@@ -18,9 +18,7 @@ from authentik.flows.exceptions import FlowNonApplicableException
 from authentik.flows.models import in_memory_stage
 from authentik.flows.planner import PLAN_CONTEXT_APPLICATION, FlowPlanner
 from authentik.flows.stage import RedirectStage
-from authentik.flows.views.executor import SESSION_KEY_PLAN
 from authentik.lib.utils.time import timedelta_from_string
-from authentik.lib.utils.urls import redirect_with_qs
 from authentik.policies.engine import PolicyEngine
 
 
@@ -56,12 +54,7 @@ class RACStartView(EnterprisePolicyAccessView):
                 provider=self.provider,
             )
         )
-        request.session[SESSION_KEY_PLAN] = plan
-        return redirect_with_qs(
-            "authentik_core:if-flow",
-            request.GET,
-            flow_slug=self.provider.authorization_flow.slug,
-        )
+        return plan.to_redirect(request, self.provider.authorization_flow)
 
 
 class RACInterface(InterfaceView):

authentik/enterprise/settings.py

@@ -17,6 +17,7 @@ TENANT_APPS = [
     "authentik.enterprise.providers.google_workspace",
     "authentik.enterprise.providers.microsoft_entra",
     "authentik.enterprise.providers.rac",
+    "authentik.enterprise.stages.authenticator_endpoint_gdtc",
     "authentik.enterprise.stages.source",
 ]
 

authentik/enterprise/signals.py

@@ -3,7 +3,7 @@
 from datetime import datetime
 
 from django.core.cache import cache
-from django.db.models.signals import post_save, pre_save
+from django.db.models.signals import post_delete, post_save, pre_save
 from django.dispatch import receiver
 from django.utils.timezone import get_current_timezone
 
@@ -27,3 +27,9 @@ def post_save_license(sender: type[License], instance: License, **_):
     """Trigger license usage calculation when license is saved"""
     cache.delete(CACHE_KEY_ENTERPRISE_LICENSE)
     enterprise_update_usage.delay()
+
+
+@receiver(post_delete, sender=License)
+def post_delete_license(sender: type[License], instance: License, **_):
+    """Clear license cache when license is deleted"""
+    cache.delete(CACHE_KEY_ENTERPRISE_LICENSE)

authentik/enterprise/stages/authenticator_endpoint_gdtc/api.py

@@ -0,0 +1,82 @@
+"""AuthenticatorEndpointGDTCStage API Views"""
+
+from django_filters.rest_framework.backends import DjangoFilterBackend
+from rest_framework import mixins
+from rest_framework.filters import OrderingFilter, SearchFilter
+from rest_framework.permissions import IsAdminUser
+from rest_framework.serializers import ModelSerializer
+from rest_framework.viewsets import GenericViewSet, ModelViewSet
+from structlog.stdlib import get_logger
+
+from authentik.api.authorization import OwnerFilter, OwnerPermissions
+from authentik.core.api.used_by import UsedByMixin
+from authentik.enterprise.api import EnterpriseRequiredMixin
+from authentik.enterprise.stages.authenticator_endpoint_gdtc.models import (
+    AuthenticatorEndpointGDTCStage,
+    EndpointDevice,
+)
+from authentik.flows.api.stages import StageSerializer
+
+LOGGER = get_logger()
+
+
+class AuthenticatorEndpointGDTCStageSerializer(EnterpriseRequiredMixin, StageSerializer):
+    """AuthenticatorEndpointGDTCStage Serializer"""
+
+    class Meta:
+        model = AuthenticatorEndpointGDTCStage
+        fields = StageSerializer.Meta.fields + [
+            "configure_flow",
+            "friendly_name",
+            "credentials",
+        ]
+
+
+class AuthenticatorEndpointGDTCStageViewSet(UsedByMixin, ModelViewSet):
+    """AuthenticatorEndpointGDTCStage Viewset"""
+
+    queryset = AuthenticatorEndpointGDTCStage.objects.all()
+    serializer_class = AuthenticatorEndpointGDTCStageSerializer
+    filterset_fields = [
+        "name",
+        "configure_flow",
+    ]
+    search_fields = ["name"]
+    ordering = ["name"]
+
+
+class EndpointDeviceSerializer(ModelSerializer):
+    """Serializer for Endpoint authenticator devices"""
+
+    class Meta:
+        model = EndpointDevice
+        fields = ["pk", "name"]
+        depth = 2
+
+
+class EndpointDeviceViewSet(
+    mixins.RetrieveModelMixin,
+    mixins.ListModelMixin,
+    UsedByMixin,
+    GenericViewSet,
+):
+    """Viewset for Endpoint authenticator devices"""
+
+    queryset = EndpointDevice.objects.all()
+    serializer_class = EndpointDeviceSerializer
+    search_fields = ["name"]
+    filterset_fields = ["name"]
+    ordering = ["name"]
+    permission_classes = [OwnerPermissions]
+    filter_backends = [OwnerFilter, DjangoFilterBackend, OrderingFilter, SearchFilter]
+
+
+class EndpointAdminDeviceViewSet(ModelViewSet):
+    """Viewset for Endpoint authenticator devices (for admins)"""
+
+    permission_classes = [IsAdminUser]
+    queryset = EndpointDevice.objects.all()
+    serializer_class = EndpointDeviceSerializer
+    search_fields = ["name"]
+    filterset_fields = ["name"]
+    ordering = ["name"]

authentik/enterprise/stages/authenticator_endpoint_gdtc/apps.py

@@ -0,0 +1,13 @@
+"""authentik Endpoint app config"""
+
+from authentik.enterprise.apps import EnterpriseConfig
+
+
+class AuthentikStageAuthenticatorEndpointConfig(EnterpriseConfig):
+    """authentik endpoint config"""
+
+    name = "authentik.enterprise.stages.authenticator_endpoint_gdtc"
+    label = "authentik_stages_authenticator_endpoint_gdtc"
+    verbose_name = "authentik Enterprise.Stages.Authenticator.Endpoint GDTC"
+    default = True
+    mountpoint = "endpoint/gdtc/"

authentik/enterprise/stages/authenticator_endpoint_gdtc/migrations/0001_initial.py

@@ -0,0 +1,115 @@
+# Generated by Django 5.0.9 on 2024-10-22 11:40
+
+import django.db.models.deletion
+import uuid
+from django.conf import settings
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    initial = True
+
+    dependencies = [
+        ("authentik_flows", "0027_auto_20231028_1424"),
+        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name="AuthenticatorEndpointGDTCStage",
+            fields=[
+                (
+                    "stage_ptr",
+                    models.OneToOneField(
+                        auto_created=True,
+                        on_delete=django.db.models.deletion.CASCADE,
+                        parent_link=True,
+                        primary_key=True,
+                        serialize=False,
+                        to="authentik_flows.stage",
+                    ),
+                ),
+                ("friendly_name", models.TextField(null=True)),
+                ("credentials", models.JSONField()),
+                (
+                    "configure_flow",
+                    models.ForeignKey(
+                        blank=True,
+                        help_text="Flow used by an authenticated user to configure this Stage. If empty, user will not be able to configure this stage.",
+                        null=True,
+                        on_delete=django.db.models.deletion.SET_NULL,
+                        to="authentik_flows.flow",
+                    ),
+                ),
+            ],
+            options={
+                "verbose_name": "Endpoint Authenticator Google Device Trust Connector Stage",
+                "verbose_name_plural": "Endpoint Authenticator Google Device Trust Connector Stages",
+            },
+            bases=("authentik_flows.stage", models.Model),
+        ),
+        migrations.CreateModel(
+            name="EndpointDevice",
+            fields=[
+                ("created", models.DateTimeField(auto_now_add=True)),
+                ("last_updated", models.DateTimeField(auto_now=True)),
+                (
+                    "name",
+                    models.CharField(
+                        help_text="The human-readable name of this device.", max_length=64
+                    ),
+                ),
+                (
+                    "confirmed",
+                    models.BooleanField(default=True, help_text="Is this device ready for use?"),
+                ),
+                ("last_used", models.DateTimeField(null=True)),
+                ("uuid", models.UUIDField(default=uuid.uuid4, primary_key=True, serialize=False)),
+                (
+                    "host_identifier",
+                    models.TextField(
+                        help_text="A unique identifier for the endpoint device, usually the device serial number",
+                        unique=True,
+                    ),
+                ),
+                ("data", models.JSONField()),
+                (
+                    "user",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE, to=settings.AUTH_USER_MODEL
+                    ),
+                ),
+            ],
+            options={
+                "verbose_name": "Endpoint Device",
+                "verbose_name_plural": "Endpoint Devices",
+            },
+        ),
+        migrations.CreateModel(
+            name="EndpointDeviceConnection",
+            fields=[
+                (
+                    "id",
+                    models.AutoField(
+                        auto_created=True, primary_key=True, serialize=False, verbose_name="ID"
+                    ),
+                ),
+                ("attributes", models.JSONField()),
+                (
+                    "device",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE,
+                        to="authentik_stages_authenticator_endpoint_gdtc.endpointdevice",
+                    ),
+                ),
+                (
+                    "stage",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE,
+                        to="authentik_stages_authenticator_endpoint_gdtc.authenticatorendpointgdtcstage",
+                    ),
+                ),
+            ],
+        ),
+    ]

authentik/enterprise/stages/authenticator_endpoint_gdtc/models.py

@@ -0,0 +1,101 @@
+"""Endpoint stage"""
+
+from uuid import uuid4
+
+from django.contrib.auth import get_user_model
+from django.db import models
+from django.utils.translation import gettext_lazy as _
+from google.oauth2.service_account import Credentials
+from rest_framework.serializers import BaseSerializer, Serializer
+
+from authentik.core.types import UserSettingSerializer
+from authentik.flows.models import ConfigurableStage, FriendlyNamedStage, Stage
+from authentik.flows.stage import StageView
+from authentik.lib.models import SerializerModel
+from authentik.stages.authenticator.models import Device
+
+
+class AuthenticatorEndpointGDTCStage(ConfigurableStage, FriendlyNamedStage, Stage):
+    """Setup Google Chrome Device-trust connection"""
+
+    credentials = models.JSONField()
+
+    def google_credentials(self):
+        return {
+            "credentials": Credentials.from_service_account_info(
+                self.credentials, scopes=["https://www.googleapis.com/auth/verifiedaccess"]
+            ),
+        }
+
+    @property
+    def serializer(self) -> type[BaseSerializer]:
+        from authentik.enterprise.stages.authenticator_endpoint_gdtc.api import (
+            AuthenticatorEndpointGDTCStageSerializer,
+        )
+
+        return AuthenticatorEndpointGDTCStageSerializer
+
+    @property
+    def view(self) -> type[StageView]:
+        from authentik.enterprise.stages.authenticator_endpoint_gdtc.stage import (
+            AuthenticatorEndpointStageView,
+        )
+
+        return AuthenticatorEndpointStageView
+
+    @property
+    def component(self) -> str:
+        return "ak-stage-authenticator-endpoint-gdtc-form"
+
+    def ui_user_settings(self) -> UserSettingSerializer | None:
+        return UserSettingSerializer(
+            data={
+                "title": self.friendly_name or str(self._meta.verbose_name),
+                "component": "ak-user-settings-authenticator-endpoint",
+            }
+        )
+
+    def __str__(self) -> str:
+        return f"Endpoint Authenticator Google Device Trust Connector Stage {self.name}"
+
+    class Meta:
+        verbose_name = _("Endpoint Authenticator Google Device Trust Connector Stage")
+        verbose_name_plural = _("Endpoint Authenticator Google Device Trust Connector Stages")
+
+
+class EndpointDevice(SerializerModel, Device):
+    """Endpoint Device for a single user"""
+
+    uuid = models.UUIDField(primary_key=True, default=uuid4)
+    host_identifier = models.TextField(
+        unique=True,
+        help_text="A unique identifier for the endpoint device, usually the device serial number",
+    )
+
+    user = models.ForeignKey(get_user_model(), on_delete=models.CASCADE)
+    data = models.JSONField()
+
+    @property
+    def serializer(self) -> Serializer:
+        from authentik.enterprise.stages.authenticator_endpoint_gdtc.api import (
+            EndpointDeviceSerializer,
+        )
+
+        return EndpointDeviceSerializer
+
+    def __str__(self):
+        return str(self.name) or str(self.user_id)
+
+    class Meta:
+        verbose_name = _("Endpoint Device")
+        verbose_name_plural = _("Endpoint Devices")
+
+
+class EndpointDeviceConnection(models.Model):
+    device = models.ForeignKey(EndpointDevice, on_delete=models.CASCADE)
+    stage = models.ForeignKey(AuthenticatorEndpointGDTCStage, on_delete=models.CASCADE)
+
+    attributes = models.JSONField()
+
+    def __str__(self) -> str:
+        return f"Endpoint device connection {self.device_id} to {self.stage_id}"

authentik/enterprise/stages/authenticator_endpoint_gdtc/stage.py

@@ -0,0 +1,32 @@
+from django.http import HttpResponse
+from django.urls import reverse
+from django.utils.translation import gettext_lazy as _
+
+from authentik.flows.challenge import (
+    Challenge,
+    ChallengeResponse,
+    FrameChallenge,
+    FrameChallengeResponse,
+)
+from authentik.flows.stage import ChallengeStageView
+
+
+class AuthenticatorEndpointStageView(ChallengeStageView):
+    """Endpoint stage"""
+
+    response_class = FrameChallengeResponse
+
+    def get_challenge(self, *args, **kwargs) -> Challenge:
+        return FrameChallenge(
+            data={
+                "component": "xak-flow-frame",
+                "url": self.request.build_absolute_uri(
+                    reverse("authentik_stages_authenticator_endpoint_gdtc:chrome")
+                ),
+                "loading_overlay": True,
+                "loading_text": _("Verifying your browser..."),
+            }
+        )
+
+    def challenge_valid(self, response: ChallengeResponse) -> HttpResponse:
+        return self.executor.stage_ok()

authentik/enterprise/stages/authenticator_endpoint_gdtc/templates/stages/authenticator_endpoint/google_chrome_dtc.html

@@ -0,0 +1,9 @@
+<html>
+<script>
+  window.parent.postMessage({
+    message: "submit",
+    source: "goauthentik.io",
+    context: "flow-executor"
+  });
+</script>
+</html>

authentik/enterprise/stages/authenticator_endpoint_gdtc/urls.py

@@ -0,0 +1,26 @@
+"""API URLs"""
+
+from django.urls import path
+
+from authentik.enterprise.stages.authenticator_endpoint_gdtc.api import (
+    AuthenticatorEndpointGDTCStageViewSet,
+    EndpointAdminDeviceViewSet,
+    EndpointDeviceViewSet,
+)
+from authentik.enterprise.stages.authenticator_endpoint_gdtc.views.dtc import (
+    GoogleChromeDeviceTrustConnector,
+)
+
+urlpatterns = [
+    path("chrome/", GoogleChromeDeviceTrustConnector.as_view(), name="chrome"),
+]
+
+api_urlpatterns = [
+    ("authenticators/endpoint", EndpointDeviceViewSet),
+    (
+        "authenticators/admin/endpoint",
+        EndpointAdminDeviceViewSet,
+        "admin-endpointdevice",
+    ),
+    ("stages/authenticator/endpoint_gdtc", AuthenticatorEndpointGDTCStageViewSet),
+]

authentik/enterprise/stages/authenticator_endpoint_gdtc/views/dtc.py

@@ -0,0 +1,87 @@
+from json import dumps, loads
+from typing import Any
+
+from django.http import HttpRequest, HttpResponse, HttpResponseRedirect
+from django.template.response import TemplateResponse
+from django.urls import reverse
+from django.utils.decorators import method_decorator
+from django.views import View
+from django.views.decorators.clickjacking import xframe_options_sameorigin
+from googleapiclient.discovery import build
+
+from authentik.enterprise.stages.authenticator_endpoint_gdtc.models import (
+    AuthenticatorEndpointGDTCStage,
+    EndpointDevice,
+    EndpointDeviceConnection,
+)
+from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlan
+from authentik.flows.views.executor import SESSION_KEY_PLAN
+from authentik.stages.password.stage import PLAN_CONTEXT_METHOD, PLAN_CONTEXT_METHOD_ARGS
+
+# Header we get from chrome that initiates verified access
+HEADER_DEVICE_TRUST = "X-Device-Trust"
+# Header we send to the client with the challenge
+HEADER_ACCESS_CHALLENGE = "X-Verified-Access-Challenge"
+# Header we get back from the client that we verify with google
+HEADER_ACCESS_CHALLENGE_RESPONSE = "X-Verified-Access-Challenge-Response"
+# Header value for x-device-trust that initiates the flow
+DEVICE_TRUST_VERIFIED_ACCESS = "VerifiedAccess"
+
+
+@method_decorator(xframe_options_sameorigin, name="dispatch")
+class GoogleChromeDeviceTrustConnector(View):
+    """Google Chrome Device-trust connector based endpoint authenticator"""
+
+    def get_flow_plan(self) -> FlowPlan:
+        flow_plan: FlowPlan = self.request.session[SESSION_KEY_PLAN]
+        return flow_plan
+
+    def setup(self, request: HttpRequest, *args: Any, **kwargs: Any) -> None:
+        super().setup(request, *args, **kwargs)
+        stage: AuthenticatorEndpointGDTCStage = self.get_flow_plan().bindings[0].stage
+        self.google_client = build(
+            "verifiedaccess",
+            "v2",
+            cache_discovery=False,
+            **stage.google_credentials(),
+        )
+
+    def get(self, request: HttpRequest) -> HttpResponse:
+        x_device_trust = request.headers.get(HEADER_DEVICE_TRUST)
+        x_access_challenge_response = request.headers.get(HEADER_ACCESS_CHALLENGE_RESPONSE)
+        if x_device_trust == "VerifiedAccess" and x_access_challenge_response is None:
+            challenge = self.google_client.challenge().generate().execute()
+            res = HttpResponseRedirect(
+                self.request.build_absolute_uri(
+                    reverse("authentik_stages_authenticator_endpoint_gdtc:chrome")
+                )
+            )
+            res[HEADER_ACCESS_CHALLENGE] = dumps(challenge)
+            return res
+        if x_access_challenge_response:
+            response = (
+                self.google_client.challenge()
+                .verify(body=loads(x_access_challenge_response))
+                .execute()
+            )
+            # Remove deprecated string representation of deviceSignals
+            response.pop("deviceSignal", None)
+            flow_plan: FlowPlan = self.get_flow_plan()
+            device, _ = EndpointDevice.objects.update_or_create(
+                host_identifier=response["deviceSignals"]["serialNumber"],
+                user=flow_plan.context.get(PLAN_CONTEXT_PENDING_USER),
+                defaults={"name": response["deviceSignals"]["hostname"], "data": response},
+            )
+            EndpointDeviceConnection.objects.update_or_create(
+                device=device,
+                stage=flow_plan.bindings[0].stage,
+                defaults={
+                    "attributes": response,
+                },
+            )
+            flow_plan.context.setdefault(PLAN_CONTEXT_METHOD, "trusted_endpoint")
+            flow_plan.context.setdefault(PLAN_CONTEXT_METHOD_ARGS, {})
+            flow_plan.context[PLAN_CONTEXT_METHOD_ARGS].setdefault("endpoints", [])
+            flow_plan.context[PLAN_CONTEXT_METHOD_ARGS]["endpoints"].append(response)
+            request.session[SESSION_KEY_PLAN] = flow_plan
+        return TemplateResponse(request, "stages/authenticator_endpoint/google_chrome_dtc.html")

authentik/enterprise/tests/test_read_only.py

@@ -215,3 +215,49 @@ class TestReadOnly(FlowTestCase):
             {"detail": "Request denied due to expired/invalid license.", "code": "denied_license"},
         )
         self.assertEqual(response.status_code, 400)
+
+    @patch(
+        "authentik.enterprise.license.LicenseKey.validate",
+        MagicMock(
+            return_value=LicenseKey(
+                aud="",
+                exp=expiry_valid,
+                name=generate_id(),
+                internal_users=100,
+                external_users=100,
+            )
+        ),
+    )
+    @patch(
+        "authentik.enterprise.license.LicenseKey.get_internal_user_count",
+        MagicMock(return_value=1000),
+    )
+    @patch(
+        "authentik.enterprise.license.LicenseKey.get_external_user_count",
+        MagicMock(return_value=1000),
+    )
+    @patch(
+        "authentik.enterprise.license.LicenseKey.record_usage",
+        MagicMock(),
+    )
+    def test_manage_users(self):
+        """Test that managing users is still possible"""
+        License.objects.create(key=generate_id())
+        usage = LicenseUsage.objects.create(
+            internal_user_count=100,
+            external_user_count=100,
+            status=LicenseUsageStatus.VALID,
+        )
+        usage.record_date = now() - timedelta(weeks=THRESHOLD_READ_ONLY_WEEKS + 1)
+        usage.save(update_fields=["record_date"])
+
+        admin = create_test_admin_user()
+        self.client.force_login(admin)
+
+        # Reading is always allowed
+        response = self.client.get(reverse("authentik_api:user-list"))
+        self.assertEqual(response.status_code, 200)
+
+        # Writing should also be allowed
+        response = self.client.patch(reverse("authentik_api:user-detail", kwargs={"pk": admin.pk}))
+        self.assertEqual(response.status_code, 200)

authentik/events/api/notifications.py

@@ -69,8 +69,5 @@ class NotificationViewSet(
     @action(detail=False, methods=["post"])
     def mark_all_seen(self, request: Request) -> Response:
         """Mark all the user's notifications as seen"""
-        notifications = Notification.objects.filter(user=request.user)
-        for notification in notifications:
-            notification.seen = True
-        Notification.objects.bulk_update(notifications, ["seen"])
+        Notification.objects.filter(user=request.user, seen=False).update(seen=True)
         return Response({}, status=204)

authentik/events/context_processors/asn.py

@@ -50,7 +50,7 @@ class ASNContextProcessor(MMDBContextProcessor):
         """Wrapper for Reader.asn"""
         with start_span(
             op="authentik.events.asn.asn",
-            description=ip_address,
+            name=ip_address,
         ):
             if not self.configured():
                 return None