fix other issues

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

.bumpversion.cfg

@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2024.8.4
+current_version = 2024.8.3
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?:-(?P<rc_t>[a-zA-Z-]+)(?P<rc_n>[1-9]\\d*))?

.github/dependabot.yml

@@ -23,7 +23,6 @@ updates:
   - package-ecosystem: npm
     directories:
       - "/web"
-      - "/tests/wdio"
       - "/web/sfe"
     schedule:
       interval: daily
@@ -44,9 +43,11 @@ updates:
           - "babel-*"
       eslint:
         patterns:
+          - "@eslint/*"
           - "@typescript-eslint/*"
-          - "eslint"
           - "eslint-*"
+          - "eslint"
+          - "typescript-eslint"
       storybook:
         patterns:
           - "@storybook/*"
@@ -54,10 +55,12 @@ updates:
       esbuild:
         patterns:
           - "@esbuild/*"
+          - "esbuild*"
       rollup:
         patterns:
           - "@rollup/*"
           - "rollup-*"
+          - "rollup*"
       swc:
         patterns:
           - "@swc/*"

.github/pull_request_template.md

@@ -1,7 +1,7 @@
 <!--
 👋 Hi there! Welcome.
 
-Please check the Contributing guidelines: https://goauthentik.io/developer-docs/#how-can-i-contribute
+Please check the Contributing guidelines: https://docs.goauthentik.io/docs/developer-docs/#how-can-i-contribute
 -->
 
 ## Details

.github/workflows/api-ts-publish.yml

@@ -40,7 +40,7 @@ jobs:
         run: |
           export VERSION=`node -e 'console.log(require("../gen-ts-api/package.json").version)'`
           npm i @goauthentik/api@$VERSION
-      - uses: peter-evans/create-pull-request@v6
+      - uses: peter-evans/create-pull-request@v7
         id: cpr
         with:
           token: ${{ steps.generate_token.outputs.token }}

.github/workflows/ci-main.yml

@@ -120,6 +120,12 @@ jobs:
         with:
           flags: unit
           token: ${{ secrets.CODECOV_TOKEN }}
+      - if: ${{ !cancelled() }}
+        uses: codecov/test-results-action@v1
+        with:
+          flags: unit
+          file: unittest.xml
+          token: ${{ secrets.CODECOV_TOKEN }}
   test-integration:
     runs-on: ubuntu-latest
     timeout-minutes: 30
@@ -138,6 +144,12 @@ jobs:
         with:
           flags: integration
           token: ${{ secrets.CODECOV_TOKEN }}
+      - if: ${{ !cancelled() }}
+        uses: codecov/test-results-action@v1
+        with:
+          flags: integration
+          file: unittest.xml
+          token: ${{ secrets.CODECOV_TOKEN }}
   test-e2e:
     name: test-e2e (${{ matrix.job.name }})
     runs-on: ubuntu-latest
@@ -190,6 +202,12 @@ jobs:
         with:
           flags: e2e
           token: ${{ secrets.CODECOV_TOKEN }}
+      - if: ${{ !cancelled() }}
+        uses: codecov/test-results-action@v1
+        with:
+          flags: e2e
+          file: unittest.xml
+          token: ${{ secrets.CODECOV_TOKEN }}
   ci-core-mark:
     needs:
       - lint

.github/workflows/ci-web.yml

@@ -24,17 +24,11 @@ jobs:
           - prettier-check
         project:
           - web
-          - tests/wdio
         include:
           - command: tsc
             project: web
           - command: lit-analyse
             project: web
-        exclude:
-          - command: lint:lockfile
-            project: tests/wdio
-          - command: tsc
-            project: tests/wdio
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4
@@ -45,21 +39,12 @@ jobs:
       - working-directory: ${{ matrix.project }}/
         run: |
           npm ci
-          ${{ matrix.extra_setup }}
       - name: Generate API
         run: make gen-client-ts
       - name: Lint
         working-directory: ${{ matrix.project }}/
         run: npm run ${{ matrix.command }}
-  ci-web-mark:
-    needs:
-      - lint
-    runs-on: ubuntu-latest
-    steps:
-      - run: echo mark
   build:
-    needs:
-      - ci-web-mark
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -75,6 +60,13 @@ jobs:
       - name: build
         working-directory: web/
         run: npm run build
+  ci-web-mark:
+    needs:
+      - build
+      - lint
+    runs-on: ubuntu-latest
+    steps:
+      - run: echo mark
   test:
     needs:
       - ci-web-mark

.github/workflows/gen-update-webauthn-mds.yml

@@ -24,7 +24,7 @@ jobs:
       - name: Setup authentik env
         uses: ./.github/actions/setup
       - run: poetry run ak update_webauthn_mds
-      - uses: peter-evans/create-pull-request@v6
+      - uses: peter-evans/create-pull-request@v7
         id: cpr
         with:
           token: ${{ steps.generate_token.outputs.token }}

.github/workflows/image-compress.yml

@@ -42,7 +42,7 @@ jobs:
         with:
           githubToken: ${{ steps.generate_token.outputs.token }}
           compressOnly: ${{ github.event_name != 'pull_request' }}
-      - uses: peter-evans/create-pull-request@v6
+      - uses: peter-evans/create-pull-request@v7
         if: "${{ github.event_name != 'pull_request' && steps.compress.outputs.markdown != '' }}"
         id: cpr
         with:

.github/workflows/translation-extract-compile.yml

@@ -32,7 +32,7 @@ jobs:
           poetry run ak compilemessages
           make web-check-compile
       - name: Create Pull Request
-        uses: peter-evans/create-pull-request@v6
+        uses: peter-evans/create-pull-request@v7
         with:
           token: ${{ steps.generate_token.outputs.token }}
           branch: extract-compile-backend-translation

Dockerfile

@@ -94,7 +94,7 @@ RUN --mount=type=secret,id=GEOIPUPDATE_ACCOUNT_ID \
     /bin/sh -c "/usr/bin/entry.sh || echo 'Failed to get GeoIP database, disabling'; exit 0"
 
 # Stage 5: Python dependencies
-FROM ghcr.io/goauthentik/fips-python:3.12.5-slim-bookworm-fips-full AS python-deps
+FROM ghcr.io/goauthentik/fips-python:3.12.7-slim-bookworm-fips-full AS python-deps
 
 ARG TARGETARCH
 ARG TARGETVARIANT
@@ -124,7 +124,7 @@ RUN --mount=type=bind,target=./pyproject.toml,src=./pyproject.toml \
     pip install --force-reinstall /wheels/*"
 
 # Stage 6: Run
-FROM ghcr.io/goauthentik/fips-python:3.12.5-slim-bookworm-fips-full AS final-image
+FROM ghcr.io/goauthentik/fips-python:3.12.7-slim-bookworm-fips-full AS final-image
 
 ARG VERSION
 ARG GIT_BUILD_HASH

Makefile

@@ -19,14 +19,13 @@ pg_name := $(shell python -m authentik.lib.config postgresql.name 2>/dev/null)
 CODESPELL_ARGS = -D - -D .github/codespell-dictionary.txt \
 		-I .github/codespell-words.txt \
 		-S 'web/src/locales/**' \
-		-S 'website/developer-docs/api/reference/**' \
+		-S 'website/docs/developer-docs/api/reference/**' \
 		authentik \
 		internal \
 		cmd \
 		web/src \
 		website/src \
 		website/blog \
-		website/developer-docs \
 		website/docs \
 		website/integrations \
 		website/src

README.md

@@ -34,7 +34,7 @@ For bigger setups, there is a Helm Chart [here](https://github.com/goauthentik/h
 
 ## Development
 
-See [Developer Documentation](https://goauthentik.io/developer-docs/?utm_source=github)
+See [Developer Documentation](https://docs.goauthentik.io/docs/developer-docs/?utm_source=github)
 
 ## Security
 

SECURITY.md

@@ -20,8 +20,8 @@ Even if the issue is not a CVE, we still greatly appreciate your help in hardeni
 
 | Version  | Supported |
 | -------- | --------- |
-| 2024.4.x | ✅        |
 | 2024.6.x | ✅        |
+| 2024.8.x | ✅        |
 
 ## Reporting a Vulnerability
 

authentik/__init__.py

@@ -2,7 +2,7 @@
 
 from os import environ
 
-__version__ = "2024.8.4"
+__version__ = "2024.8.3"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
 
 

authentik/admin/tasks.py

@@ -1,10 +1,8 @@
 """authentik admin tasks"""
 
-import re
-
 from django.core.cache import cache
-from django.core.validators import URLValidator
 from django.db import DatabaseError, InternalError, ProgrammingError
+from django.utils.translation import gettext_lazy as _
 from packaging.version import parse
 from requests import RequestException
 from structlog.stdlib import get_logger
@@ -21,8 +19,6 @@ LOGGER = get_logger()
 VERSION_NULL = "0.0.0"
 VERSION_CACHE_KEY = "authentik_latest_version"
 VERSION_CACHE_TIMEOUT = 8 * 60 * 60  # 8 hours
-# Chop of the first ^ because we want to search the entire string
-URL_FINDER = URLValidator.regex.pattern[1:]
 LOCAL_VERSION = parse(__version__)
 
 
@@ -78,10 +74,16 @@ def update_latest_version(self: SystemTask):
                 context__new_version=upstream_version,
             ).exists():
                 return
-            event_dict = {"new_version": upstream_version}
-            if match := re.search(URL_FINDER, data.get("stable", {}).get("changelog", "")):
-                event_dict["message"] = f"Changelog: {match.group()}"
-            Event.new(EventAction.UPDATE_AVAILABLE, **event_dict).save()
+            Event.new(
+                EventAction.UPDATE_AVAILABLE,
+                message=_(
+                    "New version {version} available!".format(
+                        version=upstream_version,
+                    )
+                ),
+                new_version=upstream_version,
+                changelog=data.get("stable", {}).get("changelog_url"),
+            ).save()
     except (RequestException, IndexError) as exc:
         cache.set(VERSION_CACHE_KEY, VERSION_NULL, VERSION_CACHE_TIMEOUT)
         self.set_error(exc)

authentik/admin/tests/test_tasks.py

@@ -17,6 +17,7 @@ RESPONSE_VALID = {
     "stable": {
         "version": "99999999.9999999",
         "changelog": "See https://goauthentik.io/test",
+        "changelog_url": "https://goauthentik.io/test",
         "reason": "bugfix",
     },
 }
@@ -35,7 +36,7 @@ class TestAdminTasks(TestCase):
                 Event.objects.filter(
                     action=EventAction.UPDATE_AVAILABLE,
                     context__new_version="99999999.9999999",
-                    context__message="Changelog: https://goauthentik.io/test",
+                    context__message="New version 99999999.9999999 available!",
                 ).exists()
             )
             # test that a consecutive check doesn't create a duplicate event
@@ -45,7 +46,7 @@ class TestAdminTasks(TestCase):
                     Event.objects.filter(
                         action=EventAction.UPDATE_AVAILABLE,
                         context__new_version="99999999.9999999",
-                        context__message="Changelog: https://goauthentik.io/test",
+                        context__message="New version 99999999.9999999 available!",
                     )
                 ),
                 1,

authentik/blueprints/migrations/0001_initial.py

@@ -29,9 +29,7 @@ def check_blueprint_v1_file(BlueprintInstance: type, db_alias, path: Path):
         if version != 1:
             return
         blueprint_file.seek(0)
-    instance: BlueprintInstance = (
-        BlueprintInstance.objects.using(db_alias).filter(path=path).first()
-    )
+    instance = BlueprintInstance.objects.using(db_alias).filter(path=path).first()
     rel_path = path.relative_to(Path(CONFIG.get("blueprints_dir")))
     meta = None
     if metadata:

authentik/blueprints/v1/importer.py

@@ -69,7 +69,7 @@ from authentik.stages.authenticator_webauthn.models import WebAuthnDeviceType
 from authentik.tenants.models import Tenant
 
 # Context set when the serializer is created in a blueprint context
-# Update website/developer-docs/blueprints/v1/models.md when used
+# Update website/docs/customize/blueprints/v1/models.md when used
 SERIALIZER_CONTEXT_BLUEPRINT = "blueprint_entry"
 
 

authentik/core/api/providers.py

@@ -38,6 +38,7 @@ class ProviderSerializer(ModelSerializer, MetaNameSerializer):
             "name",
             "authentication_flow",
             "authorization_flow",
+            "invalidation_flow",
             "property_mappings",
             "component",
             "assigned_application_slug",
@@ -50,6 +51,7 @@ class ProviderSerializer(ModelSerializer, MetaNameSerializer):
         ]
         extra_kwargs = {
             "authorization_flow": {"required": True, "allow_null": False},
+            "invalidation_flow": {"required": True, "allow_null": False},
         }
 
 

authentik/core/migrations/0040_provider_invalidation_flow.py

@@ -0,0 +1,55 @@
+# Generated by Django 5.0.9 on 2024-10-02 11:35
+
+import django.db.models.deletion
+from django.db import migrations, models
+
+from django.apps.registry import Apps
+from django.db import migrations, models
+from django.db.backends.base.schema import BaseDatabaseSchemaEditor
+
+
+def migrate_invalidation_flow_default(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
+    from authentik.flows.models import FlowDesignation, FlowAuthenticationRequirement
+
+    db_alias = schema_editor.connection.alias
+
+    Flow = apps.get_model("authentik_flows", "Flow")
+    Provider = apps.get_model("authentik_core", "Provider")
+
+    # So this flow is managed via a blueprint, bue we're in a migration so we don't want to rely on that
+    # since the blueprint is just an empty flow we can just create it here
+    # and let it be managed by the blueprint later
+    flow, _ = Flow.objects.using(db_alias).update_or_create(
+        slug="default-provider-invalidation-flow",
+        defaults={
+            "name": "Logged out of application",
+            "title": "You've logged out of %(app)s.",
+            "authentication": FlowAuthenticationRequirement.NONE,
+            "designation": FlowDesignation.INVALIDATION,
+        },
+    )
+    Provider.objects.using(db_alias).filter(invalidation_flow=None).update(invalidation_flow=flow)
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_core", "0039_source_group_matching_mode_alter_group_name_and_more"),
+        ("authentik_flows", "0027_auto_20231028_1424"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="provider",
+            name="invalidation_flow",
+            field=models.ForeignKey(
+                default=None,
+                help_text="Flow used ending the session from a provider.",
+                null=True,
+                on_delete=django.db.models.deletion.SET_DEFAULT,
+                related_name="provider_invalidation",
+                to="authentik_flows.flow",
+            ),
+        ),
+        migrations.RunPython(migrate_invalidation_flow_default),
+    ]

authentik/core/models.py

@@ -391,14 +391,23 @@ class Provider(SerializerModel):
         ),
         related_name="provider_authentication",
     )
-
     authorization_flow = models.ForeignKey(
         "authentik_flows.Flow",
+        # Set to cascade even though null is allowed, since most providers
+        # still require an authorization flow set
         on_delete=models.CASCADE,
         null=True,
         help_text=_("Flow used when authorizing this provider."),
         related_name="provider_authorization",
     )
+    invalidation_flow = models.ForeignKey(
+        "authentik_flows.Flow",
+        on_delete=models.SET_DEFAULT,
+        default=None,
+        null=True,
+        help_text=_("Flow used ending the session from a provider."),
+        related_name="provider_invalidation",
+    )
 
     property_mappings = models.ManyToManyField("PropertyMapping", default=None, blank=True)
 
@@ -793,12 +802,25 @@ class ExpiringModel(models.Model):
         return self.delete(*args, **kwargs)
 
     @classmethod
-    def filter_not_expired(cls, **kwargs) -> QuerySet["Token"]:
+    def _not_expired_filter(cls):
+        return Q(expires__gt=now(), expiring=True) | Q(expiring=False)
+
+    @classmethod
+    def filter_not_expired(cls, delete_expired=False, **kwargs) -> QuerySet["ExpiringModel"]:
         """Filer for tokens which are not expired yet or are not expiring,
         and match filters in `kwargs`"""
-        for obj in cls.objects.filter(**kwargs).filter(Q(expires__lt=now(), expiring=True)):
-            obj.delete()
-        return cls.objects.filter(**kwargs)
+        if delete_expired:
+            cls.delete_expired(**kwargs)
+        return cls.objects.filter(cls._not_expired_filter()).filter(**kwargs)
+
+    @classmethod
+    def delete_expired(cls, **kwargs) -> int:
+        objects = cls.objects.all().exclude(cls._not_expired_filter()).filter(**kwargs)
+        amount = 0
+        for obj in objects:
+            obj.expire_action()
+            amount += 1
+        return amount
 
     @property
     def is_expired(self) -> bool:

authentik/core/tasks.py

@@ -30,12 +30,7 @@ def clean_expired_models(self: SystemTask):
     messages = []
     for cls in ExpiringModel.__subclasses__():
         cls: ExpiringModel
-        objects = (
-            cls.objects.all().exclude(expiring=False).exclude(expiring=True, expires__gt=now())
-        )
-        amount = objects.count()
-        for obj in objects:
-            obj.expire_action()
+        amount = cls.delete_expired()
         LOGGER.debug("Expired models", model=cls, amount=amount)
         messages.append(f"Expired {amount} {cls._meta.verbose_name_plural}")
     # Special case

authentik/core/templates/if/end_session.html

@@ -1,43 +0,0 @@
-{% extends 'login/base_full.html' %}
-
-{% load static %}
-{% load i18n %}
-
-{% block title %}
-{% trans 'End session' %} - {{ brand.branding_title }}
-{% endblock %}
-
-{% block card_title %}
-{% blocktrans with application=application.name %}
-You've logged out of {{ application }}.
-{% endblocktrans %}
-{% endblock %}
-
-{% block card %}
-<form method="POST" class="pf-c-form">
-    <p>
-        {% blocktrans with application=application.name branding_title=brand.branding_title %}
-            You've logged out of {{ application }}. You can go back to the overview to launch another application, or log out of your {{ branding_title }} account.
-        {% endblocktrans %}
-    </p>
-
-    <a id="ak-back-home" href="{% url 'authentik_core:root-redirect' %}" class="pf-c-button pf-m-primary">
-        {% trans 'Go back to overview' %}
-    </a>
-
-    <a id="logout" href="{% url 'authentik_flows:default-invalidation' %}" class="pf-c-button pf-m-secondary">
-        {% blocktrans with branding_title=brand.branding_title %}
-            Log out of {{ branding_title }}
-        {% endblocktrans %}
-    </a>
-
-    {% if application.get_launch_url %}
-    <a href="{{ application.get_launch_url }}" class="pf-c-button pf-m-secondary">
-        {% blocktrans with application=application.name %}
-            Log back into {{ application }}
-        {% endblocktrans %}
-    </a>
-    {% endif %}
-
-</form>
-{% endblock %}

authentik/core/tests/test_applications_api.py

@@ -134,6 +134,7 @@ class TestApplicationsAPI(APITestCase):
                             "assigned_application_name": "allowed",
                             "assigned_application_slug": "allowed",
                             "authentication_flow": None,
+                            "invalidation_flow": None,
                             "authorization_flow": str(self.provider.authorization_flow.pk),
                             "component": "ak-provider-oauth2-form",
                             "meta_model_name": "authentik_providers_oauth2.oauth2provider",
@@ -186,6 +187,7 @@ class TestApplicationsAPI(APITestCase):
                             "assigned_application_name": "allowed",
                             "assigned_application_slug": "allowed",
                             "authentication_flow": None,
+                            "invalidation_flow": None,
                             "authorization_flow": str(self.provider.authorization_flow.pk),
                             "component": "ak-provider-oauth2-form",
                             "meta_model_name": "authentik_providers_oauth2.oauth2provider",

authentik/core/tests/test_transactional_applications_api.py

@@ -19,7 +19,6 @@ class TestTransactionalApplicationsAPI(APITestCase):
         """Test transactional Application + provider creation"""
         self.client.force_login(self.user)
         uid = generate_id()
-        authorization_flow = create_test_flow()
         response = self.client.put(
             reverse("authentik_api:core-transactional-application"),
             data={
@@ -30,7 +29,8 @@ class TestTransactionalApplicationsAPI(APITestCase):
                 "provider_model": "authentik_providers_oauth2.oauth2provider",
                 "provider": {
                     "name": uid,
-                    "authorization_flow": str(authorization_flow.pk),
+                    "authorization_flow": str(create_test_flow().pk),
+                    "invalidation_flow": str(create_test_flow().pk),
                 },
             },
         )
@@ -56,10 +56,16 @@ class TestTransactionalApplicationsAPI(APITestCase):
                 "provider": {
                     "name": uid,
                     "authorization_flow": "",
+                    "invalidation_flow": "",
                 },
             },
         )
         self.assertJSONEqual(
             response.content.decode(),
-            {"provider": {"authorization_flow": ["This field may not be null."]}},
+            {
+                "provider": {
+                    "authorization_flow": ["This field may not be null."],
+                    "invalidation_flow": ["This field may not be null."],
+                }
+            },
         )

authentik/core/urls.py

@@ -24,7 +24,6 @@ from authentik.core.views.interface import (
     InterfaceView,
     RootRedirectView,
 )
-from authentik.core.views.session import EndSessionView
 from authentik.flows.views.interface import FlowInterfaceView
 from authentik.root.asgi_middleware import SessionMiddleware
 from authentik.root.messages.consumer import MessageConsumer
@@ -60,11 +59,6 @@ urlpatterns = [
         ensure_csrf_cookie(FlowInterfaceView.as_view()),
         name="if-flow",
     ),
-    path(
-        "if/session-end/<slug:application_slug>/",
-        ensure_csrf_cookie(EndSessionView.as_view()),
-        name="if-session-end",
-    ),
     # Fallback for WS
     path("ws/outpost/<uuid:pk>/", InterfaceView.as_view(template_name="if/admin.html")),
     path(

authentik/core/views/session.py

@@ -1,23 +0,0 @@
-"""authentik Session Views"""
-
-from typing import Any
-
-from django.shortcuts import get_object_or_404
-from django.views.generic.base import TemplateView
-
-from authentik.core.models import Application
-from authentik.policies.views import PolicyAccessView
-
-
-class EndSessionView(TemplateView, PolicyAccessView):
-    """Allow the client to end the Session"""
-
-    template_name = "if/end_session.html"
-
-    def resolve_provider_application(self):
-        self.application = get_object_or_404(Application, slug=self.kwargs["application_slug"])
-
-    def get_context_data(self, **kwargs: Any) -> dict[str, Any]:
-        context = super().get_context_data(**kwargs)
-        context["application"] = self.application
-        return context

authentik/enterprise/providers/rac/tests/test_endpoints_api.py

@@ -68,6 +68,7 @@ class TestEndpointsAPI(APITestCase):
                             "name": self.provider.name,
                             "authentication_flow": None,
                             "authorization_flow": None,
+                            "invalidation_flow": None,
                             "property_mappings": [],
                             "connection_expiry": "hours=8",
                             "delete_token_on_disconnect": False,
@@ -120,6 +121,7 @@ class TestEndpointsAPI(APITestCase):
                             "name": self.provider.name,
                             "authentication_flow": None,
                             "authorization_flow": None,
+                            "invalidation_flow": None,
                             "property_mappings": [],
                             "component": "ak-provider-rac-form",
                             "assigned_application_slug": self.app.slug,
@@ -149,6 +151,7 @@ class TestEndpointsAPI(APITestCase):
                             "name": self.provider.name,
                             "authentication_flow": None,
                             "authorization_flow": None,
+                            "invalidation_flow": None,
                             "property_mappings": [],
                             "component": "ak-provider-rac-form",
                             "assigned_application_slug": self.app.slug,

authentik/events/context_processors/asn.py

@@ -50,7 +50,7 @@ class ASNContextProcessor(MMDBContextProcessor):
         """Wrapper for Reader.asn"""
         with start_span(
             op="authentik.events.asn.asn",
-            description=ip_address,
+            name=ip_address,
         ):
             if not self.configured():
                 return None

authentik/events/context_processors/geoip.py

@@ -51,7 +51,7 @@ class GeoIPContextProcessor(MMDBContextProcessor):
         """Wrapper for Reader.city"""
         with start_span(
             op="authentik.events.geo.city",
-            description=ip_address,
+            name=ip_address,
         ):
             if not self.configured():
                 return None

authentik/events/signals.py

@@ -13,7 +13,7 @@ from authentik.events.apps import SYSTEM_TASK_STATUS
 from authentik.events.models import Event, EventAction, SystemTask
 from authentik.events.tasks import event_notification_handler, gdpr_cleanup
 from authentik.flows.models import Stage
-from authentik.flows.planner import PLAN_CONTEXT_SOURCE, FlowPlan
+from authentik.flows.planner import PLAN_CONTEXT_OUTPOST, PLAN_CONTEXT_SOURCE, FlowPlan
 from authentik.flows.views.executor import SESSION_KEY_PLAN
 from authentik.root.monitoring import monitoring_set
 from authentik.stages.invitation.models import Invitation
@@ -38,6 +38,9 @@ def on_user_logged_in(sender, request: HttpRequest, user: User, **_):
             # Save the login method used
             kwargs[PLAN_CONTEXT_METHOD] = flow_plan.context[PLAN_CONTEXT_METHOD]
             kwargs[PLAN_CONTEXT_METHOD_ARGS] = flow_plan.context.get(PLAN_CONTEXT_METHOD_ARGS, {})
+        if PLAN_CONTEXT_OUTPOST in flow_plan.context:
+            # Save outpost context
+            kwargs[PLAN_CONTEXT_OUTPOST] = flow_plan.context[PLAN_CONTEXT_OUTPOST]
     event = Event.new(EventAction.LOGIN, **kwargs).from_http(request, user=user)
     request.session[SESSION_LOGIN_EVENT] = event
 

authentik/flows/challenge.py

@@ -110,9 +110,22 @@ class FlowErrorChallenge(Challenge):
 class AccessDeniedChallenge(WithUserInfoChallenge):
     """Challenge when a flow's active stage calls `stage_invalid()`."""
 
-    error_message = CharField(required=False)
     component = CharField(default="ak-stage-access-denied")
 
+    error_message = CharField(required=False)
+
+
+class SessionEndChallenge(WithUserInfoChallenge):
+    """Challenge for ending a session"""
+
+    component = CharField(default="ak-stage-session-end")
+
+    application_name = CharField(required=False)
+    application_launch_url = CharField(required=False)
+
+    invalidation_flow_url = CharField(required=False)
+    brand_name = CharField(required=True)
+
 
 class PermissionDict(TypedDict):
     """Consent Permission"""

authentik/flows/migrations/0027_auto_20231028_1424.py

@@ -6,20 +6,18 @@ from django.db.backends.base.schema import BaseDatabaseSchemaEditor
 
 
 def set_oobe_flow_authentication(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
-    from guardian.shortcuts import get_anonymous_user
+    from guardian.conf import settings as guardian_settings
 
     Flow = apps.get_model("authentik_flows", "Flow")
     User = apps.get_model("authentik_core", "User")
 
     db_alias = schema_editor.connection.alias
 
-    users = User.objects.using(db_alias).exclude(username="akadmin")
-    try:
-        users = users.exclude(pk=get_anonymous_user().pk)
-
-    except Exception:  # nosec
-        pass
-
+    users = (
+        User.objects.using(db_alias)
+        .exclude(username="akadmin")
+        .exclude(username=guardian_settings.ANONYMOUS_USER_NAME)
+    )
     if users.exists():
         Flow.objects.using(db_alias).filter(slug="initial-setup").update(
             authentication="require_superuser"

authentik/flows/models.py

@@ -107,7 +107,9 @@ class Stage(SerializerModel):
 
 
 def in_memory_stage(view: type["StageView"], **kwargs) -> Stage:
-    """Creates an in-memory stage instance, based on a `view` as view."""
+    """Creates an in-memory stage instance, based on a `view` as view.
+    Any key-word arguments are set as attributes on the stage object,
+    accessible via `self.executor.current_stage`."""
     stage = Stage()
     # Because we can't pickle a locally generated function,
     # we set the view as a separate property and reference a generic function

authentik/flows/planner.py

@@ -23,6 +23,7 @@ from authentik.flows.models import (
     in_memory_stage,
 )
 from authentik.lib.config import CONFIG
+from authentik.outposts.models import Outpost
 from authentik.policies.engine import PolicyEngine
 from authentik.root.middleware import ClientIPMiddleware
 
@@ -32,6 +33,7 @@ PLAN_CONTEXT_SSO = "is_sso"
 PLAN_CONTEXT_REDIRECT = "redirect"
 PLAN_CONTEXT_APPLICATION = "application"
 PLAN_CONTEXT_SOURCE = "source"
+PLAN_CONTEXT_OUTPOST = "outpost"
 # Is set by the Flow Planner when a FlowToken was used, and the currently active flow plan
 # was restored.
 PLAN_CONTEXT_IS_RESTORED = "is_restored"
@@ -143,15 +145,28 @@ class FlowPlanner:
             and not request.user.is_superuser
         ):
             raise FlowNonApplicableException()
+        outpost_user = ClientIPMiddleware.get_outpost_user(request)
         if self.flow.authentication == FlowAuthenticationRequirement.REQUIRE_OUTPOST:
-            outpost_user = ClientIPMiddleware.get_outpost_user(request)
             if not outpost_user:
                 raise FlowNonApplicableException()
+        if outpost_user:
+            outpost = Outpost.objects.filter(
+                # TODO: Since Outpost and user are not directly connected, we have to look up a user
+                # like this. This should ideally by in authentik/outposts/models.py
+                pk=outpost_user.username.replace("ak-outpost-", "")
+            ).first()
+            if outpost:
+                return {
+                    PLAN_CONTEXT_OUTPOST: {
+                        "instance": outpost,
+                    }
+                }
+        return {}
 
     def plan(self, request: HttpRequest, default_context: dict[str, Any] | None = None) -> FlowPlan:
         """Check each of the flows' policies, check policies for each stage with PolicyBinding
         and return ordered list"""
-        with start_span(op="authentik.flow.planner.plan", description=self.flow.slug) as span:
+        with start_span(op="authentik.flow.planner.plan", name=self.flow.slug) as span:
             span: Span
             span.set_data("flow", self.flow)
             span.set_data("request", request)
@@ -159,11 +174,12 @@ class FlowPlanner:
             self._logger.debug(
                 "f(plan): starting planning process",
             )
+            context = default_context or {}
             # Bit of a workaround here, if there is a pending user set in the default context
             # we use that user for our cache key
             # to make sure they don't get the generic response
-            if default_context and PLAN_CONTEXT_PENDING_USER in default_context:
-                user = default_context[PLAN_CONTEXT_PENDING_USER]
+            if context and PLAN_CONTEXT_PENDING_USER in context:
+                user = context[PLAN_CONTEXT_PENDING_USER]
             else:
                 user = request.user
                 # We only need to check the flow authentication if it's planned without a user
@@ -171,14 +187,13 @@ class FlowPlanner:
                 # or if a flow is restarted due to `invalid_response_action` being set to
                 # `restart_with_context`, which can only happen if the user was already authorized
                 # to use the flow
-                self._check_authentication(request)
+                context.update(self._check_authentication(request))
             # First off, check the flow's direct policy bindings
             # to make sure the user even has access to the flow
             engine = PolicyEngine(self.flow, user, request)
             engine.use_cache = self.use_cache
-            if default_context:
-                span.set_data("default_context", cleanse_dict(default_context))
-                engine.request.context.update(default_context)
+            span.set_data("context", cleanse_dict(context))
+            engine.request.context.update(context)
             engine.build()
             result = engine.result
             if not result.passing:
@@ -195,12 +210,12 @@ class FlowPlanner:
                         key=cached_plan_key,
                     )
                     # Reset the context as this isn't factored into caching
-                    cached_plan.context = default_context or {}
+                    cached_plan.context = context
                     return cached_plan
             self._logger.debug(
                 "f(plan): building plan",
             )
-            plan = self._build_plan(user, request, default_context)
+            plan = self._build_plan(user, request, context)
             if self.use_cache:
                 cache.set(cache_key(self.flow, user), plan, CACHE_TIMEOUT)
             if not plan.bindings and not self.allow_empty_flows:
@@ -218,7 +233,7 @@ class FlowPlanner:
         with (
             start_span(
                 op="authentik.flow.planner.build_plan",
-                description=self.flow.slug,
+                name=self.flow.slug,
             ) as span,
             HIST_FLOWS_PLAN_TIME.labels(flow_slug=self.flow.slug).time(),
         ):

authentik/flows/stage.py

@@ -13,7 +13,7 @@ from rest_framework.request import Request
 from sentry_sdk import start_span
 from structlog.stdlib import BoundLogger, get_logger
 
-from authentik.core.models import User
+from authentik.core.models import Application, User
 from authentik.flows.challenge import (
     AccessDeniedChallenge,
     Challenge,
@@ -21,6 +21,7 @@ from authentik.flows.challenge import (
     ContextualFlowInfo,
     HttpChallengeResponse,
     RedirectChallenge,
+    SessionEndChallenge,
     WithUserInfoChallenge,
 )
 from authentik.flows.exceptions import StageInvalidException
@@ -125,7 +126,7 @@ class ChallengeStageView(StageView):
             with (
                 start_span(
                     op="authentik.flow.stage.challenge_invalid",
-                    description=self.__class__.__name__,
+                    name=self.__class__.__name__,
                 ),
                 HIST_FLOWS_STAGE_TIME.labels(
                     stage_type=self.__class__.__name__, method="challenge_invalid"
@@ -135,7 +136,7 @@ class ChallengeStageView(StageView):
         with (
             start_span(
                 op="authentik.flow.stage.challenge_valid",
-                description=self.__class__.__name__,
+                name=self.__class__.__name__,
             ),
             HIST_FLOWS_STAGE_TIME.labels(
                 stage_type=self.__class__.__name__, method="challenge_valid"
@@ -161,7 +162,7 @@ class ChallengeStageView(StageView):
         with (
             start_span(
                 op="authentik.flow.stage.get_challenge",
-                description=self.__class__.__name__,
+                name=self.__class__.__name__,
             ),
             HIST_FLOWS_STAGE_TIME.labels(
                 stage_type=self.__class__.__name__, method="get_challenge"
@@ -174,7 +175,7 @@ class ChallengeStageView(StageView):
                 return self.executor.stage_invalid()
         with start_span(
             op="authentik.flow.stage._get_challenge",
-            description=self.__class__.__name__,
+            name=self.__class__.__name__,
         ):
             if not hasattr(challenge, "initial_data"):
                 challenge.initial_data = {}
@@ -230,7 +231,7 @@ class ChallengeStageView(StageView):
         return HttpChallengeResponse(challenge_response)
 
 
-class AccessDeniedChallengeView(ChallengeStageView):
+class AccessDeniedStage(ChallengeStageView):
     """Used internally by FlowExecutor's stage_invalid()"""
 
     error_message: str | None
@@ -268,3 +269,31 @@ class RedirectStage(ChallengeStageView):
 
     def challenge_valid(self, response: ChallengeResponse) -> HttpResponse:
         return HttpChallengeResponse(self.get_challenge())
+
+
+class SessionEndStage(ChallengeStageView):
+    """Stage inserted when a flow is used as invalidation flow. By default shows actions
+    that the user is likely to take after signing out of a provider."""
+
+    def get_challenge(self, *args, **kwargs) -> Challenge:
+        application: Application | None = self.executor.plan.context.get(PLAN_CONTEXT_APPLICATION)
+        data = {
+            "component": "ak-stage-session-end",
+            "brand_name": self.request.brand.branding_title,
+        }
+        if application:
+            data["application_name"] = application.name
+            data["application_launch_url"] = application.get_launch_url(self.get_pending_user())
+        if self.request.brand.flow_invalidation:
+            data["invalidation_flow_url"] = reverse(
+                "authentik_core:if-flow",
+                kwargs={
+                    "flow_slug": self.request.brand.flow_invalidation.slug,
+                },
+            )
+        return SessionEndChallenge(data=data)
+
+    # This can never be reached since this challenge is created on demand and only the
+    # .get() method is called
+    def challenge_valid(self, response: ChallengeResponse) -> HttpResponse:  # pragma: no cover
+        return self.executor.cancel()

authentik/flows/views/executor.py

@@ -54,7 +54,7 @@ from authentik.flows.planner import (
     FlowPlan,
     FlowPlanner,
 )
-from authentik.flows.stage import AccessDeniedChallengeView, StageView
+from authentik.flows.stage import AccessDeniedStage, StageView
 from authentik.lib.sentry import SentryIgnoredException
 from authentik.lib.utils.errors import exception_to_string
 from authentik.lib.utils.reflection import all_subclasses, class_to_path
@@ -153,7 +153,7 @@ class FlowExecutorView(APIView):
         return plan
 
     def dispatch(self, request: HttpRequest, flow_slug: str) -> HttpResponse:
-        with start_span(op="authentik.flow.executor.dispatch", description=self.flow.slug) as span:
+        with start_span(op="authentik.flow.executor.dispatch", name=self.flow.slug) as span:
             span.set_data("authentik Flow", self.flow.slug)
             get_params = QueryDict(request.GET.get(QS_QUERY, ""))
             if QS_KEY_TOKEN in get_params:
@@ -273,7 +273,7 @@ class FlowExecutorView(APIView):
             with (
                 start_span(
                     op="authentik.flow.executor.stage",
-                    description=class_path,
+                    name=class_path,
                 ) as span,
                 HIST_FLOW_EXECUTION_STAGE_TIME.labels(
                     method=request.method.upper(),
@@ -324,7 +324,7 @@ class FlowExecutorView(APIView):
             with (
                 start_span(
                     op="authentik.flow.executor.stage",
-                    description=class_path,
+                    name=class_path,
                 ) as span,
                 HIST_FLOW_EXECUTION_STAGE_TIME.labels(
                     method=request.method.upper(),
@@ -441,7 +441,7 @@ class FlowExecutorView(APIView):
             )
             return self.restart_flow(keep_context)
         self.cancel()
-        challenge_view = AccessDeniedChallengeView(self, error_message)
+        challenge_view = AccessDeniedStage(self, error_message)
         challenge_view.request = self.request
         return to_stage_response(self.request, challenge_view.get(self.request))
 

authentik/lib/default.yml

@@ -1,4 +1,4 @@
-# update website/docs/installation/configuration.mdx
+# update website/docs/install-config/configuration/configuration.mdx
 # This is the default configuration file
 postgresql:
   host: localhost

authentik/lib/utils/http.py

@@ -21,14 +21,7 @@ class DebugSession(Session):
 
     def send(self, req: PreparedRequest, *args, **kwargs):
         request_id = str(uuid4())
-        LOGGER.debug(
-            "HTTP request sent",
-            uid=request_id,
-            url=req.url,
-            method=req.method,
-            headers=req.headers,
-            body=req.body,
-        )
+        LOGGER.debug("HTTP request sent", uid=request_id, path=req.path_url, headers=req.headers)
         resp = super().send(req, *args, **kwargs)
         LOGGER.debug(
             "HTTP response received",

authentik/outposts/models.py

@@ -9,7 +9,7 @@ from uuid import uuid4
 from dacite.core import from_dict
 from django.contrib.auth.models import Permission
 from django.core.cache import cache
-from django.db import IntegrityError, models, transaction
+from django.db import models, transaction
 from django.db.models.base import Model
 from django.utils.translation import gettext_lazy as _
 from guardian.models import UserObjectPermission
@@ -53,7 +53,7 @@ class ServiceConnectionInvalid(SentryIgnoredException):
 class OutpostConfig:
     """Configuration an outpost uses to configure it self"""
 
-    # update website/docs/outposts/_config.md
+    # update website/docs/add-secure-apps/outposts/_config.md
 
     authentik_host: str = ""
     authentik_host_insecure: bool = False
@@ -380,26 +380,22 @@ class Outpost(SerializerModel, ManagedModel):
         """Get/create token for auto-generated user"""
         managed = f"goauthentik.io/outpost/{self.token_identifier}"
         tokens = Token.filter_not_expired(
+            delete_expired=True,
             identifier=self.token_identifier,
             intent=TokenIntents.INTENT_API,
             managed=managed,
         )
-        if tokens.exists():
-            return tokens.first()
-        try:
-            return Token.objects.create(
-                user=self.user,
-                identifier=self.token_identifier,
-                intent=TokenIntents.INTENT_API,
-                description=f"Autogenerated by authentik for Outpost {self.name}",
-                expiring=False,
-                managed=managed,
-            )
-        except IntegrityError:
-            # Integrity error happens mostly when managed is reused
-            Token.objects.filter(managed=managed).delete()
-            Token.objects.filter(identifier=self.token_identifier).delete()
-            return self.token
+        token: Token | None = tokens.first()
+        if token:
+            return token
+        return Token.objects.create(
+            user=self.user,
+            identifier=self.token_identifier,
+            intent=TokenIntents.INTENT_API,
+            description=f"Autogenerated by authentik for Outpost {self.name}",
+            expiring=False,
+            managed=managed,
+        )
 
     def get_required_objects(self) -> Iterable[models.Model | str]:
         """Get an iterator of all objects the user needs read access to"""

authentik/policies/engine.py

@@ -113,7 +113,7 @@ class PolicyEngine:
         with (
             start_span(
                 op="authentik.policy.engine.build",
-                description=self.__pbm,
+                name=self.__pbm,
             ) as span,
             HIST_POLICIES_ENGINE_TOTAL_TIME.labels(
                 obj_type=class_to_path(self.__pbm.__class__),

authentik/policies/event_matcher/models.py

@@ -108,7 +108,7 @@ class EventMatcherPolicy(Policy):
                 result=result,
             )
             matches.append(result)
-        passing = all(x.passing for x in matches)
+        passing = any(x.passing for x in matches)
         messages = chain(*[x.messages for x in matches])
         result = PolicyResult(passing, *messages)
         result.source_results = matches

authentik/policies/event_matcher/tests.py

@@ -77,24 +77,11 @@ class TestEventMatcherPolicy(TestCase):
         request = PolicyRequest(get_anonymous_user())
         request.context["event"] = event
         policy: EventMatcherPolicy = EventMatcherPolicy.objects.create(
-            client_ip="1.2.3.5", app="foo"
+            client_ip="1.2.3.5", app="bar"
         )
         response = policy.passes(request)
         self.assertFalse(response.passing)
 
-    def test_multiple(self):
-        """Test multiple"""
-        event = Event.new(EventAction.LOGIN)
-        event.app = "foo"
-        event.client_ip = "1.2.3.4"
-        request = PolicyRequest(get_anonymous_user())
-        request.context["event"] = event
-        policy: EventMatcherPolicy = EventMatcherPolicy.objects.create(
-            client_ip="1.2.3.4", app="foo"
-        )
-        response = policy.passes(request)
-        self.assertTrue(response.passing)
-
     def test_invalid(self):
         """Test passing event"""
         request = PolicyRequest(get_anonymous_user())

authentik/providers/ldap/api.py

@@ -87,6 +87,7 @@ class LDAPOutpostConfigSerializer(ModelSerializer):
 
     application_slug = SerializerMethodField()
     bind_flow_slug = CharField(source="authorization_flow.slug")
+    unbind_flow_slug = SerializerMethodField()
 
     def get_application_slug(self, instance: LDAPProvider) -> str:
         """Prioritise backchannel slug over direct application slug"""
@@ -94,6 +95,16 @@ class LDAPOutpostConfigSerializer(ModelSerializer):
             return instance.backchannel_application.slug
         return instance.application.slug
 
+    def get_unbind_flow_slug(self, instance: LDAPProvider) -> str | None:
+        """Get slug for unbind flow, defaulting to brand's default flow."""
+        flow = instance.invalidation_flow
+        if not flow and "request" in self.context:
+            request = self.context.get("request")
+            flow = request.brand.flow_invalidation
+        if not flow:
+            return None
+        return flow.slug
+
     class Meta:
         model = LDAPProvider
         fields = [
@@ -101,6 +112,7 @@ class LDAPOutpostConfigSerializer(ModelSerializer):
             "name",
             "base_dn",
             "bind_flow_slug",
+            "unbind_flow_slug",
             "application_slug",
             "certificate",
             "tls_server_name",

authentik/providers/oauth2/migrations/0019_accesstoken_authentik_p_token_4bc870_idx_and_more.py

@@ -0,0 +1,23 @@
+# Generated by Django 5.0.9 on 2024-09-26 16:25
+
+from django.conf import settings
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_providers_oauth2", "0018_alter_accesstoken_expires_and_more"),
+        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
+    ]
+
+    operations = [
+        migrations.AddIndex(
+            model_name="accesstoken",
+            index=models.Index(fields=["token"], name="authentik_p_token_4bc870_idx"),
+        ),
+        migrations.AddIndex(
+            model_name="refreshtoken",
+            index=models.Index(fields=["token"], name="authentik_p_token_1a841f_idx"),
+        ),
+    ]

authentik/providers/oauth2/migrations/0020_remove_accesstoken_authentik_p_token_4bc870_idx_and_more.py

@@ -0,0 +1,31 @@
+# Generated by Django 5.0.9 on 2024-09-27 14:50
+
+from django.conf import settings
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_providers_oauth2", "0019_accesstoken_authentik_p_token_4bc870_idx_and_more"),
+        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
+    ]
+
+    operations = [
+        migrations.RemoveIndex(
+            model_name="accesstoken",
+            name="authentik_p_token_4bc870_idx",
+        ),
+        migrations.RemoveIndex(
+            model_name="refreshtoken",
+            name="authentik_p_token_1a841f_idx",
+        ),
+        migrations.AddIndex(
+            model_name="accesstoken",
+            index=models.Index(fields=["token", "provider"], name="authentik_p_token_f99422_idx"),
+        ),
+        migrations.AddIndex(
+            model_name="refreshtoken",
+            index=models.Index(fields=["token", "provider"], name="authentik_p_token_a1d921_idx"),
+        ),
+    ]

authentik/providers/oauth2/models.py

@@ -376,6 +376,9 @@ class AccessToken(SerializerModel, ExpiringModel, BaseGrantModel):
     _id_token = models.TextField()
 
     class Meta:
+        indexes = [
+            models.Index(fields=["token", "provider"]),
+        ]
         verbose_name = _("OAuth2 Access Token")
         verbose_name_plural = _("OAuth2 Access Tokens")
 
@@ -419,6 +422,9 @@ class RefreshToken(SerializerModel, ExpiringModel, BaseGrantModel):
     _id_token = models.TextField(verbose_name=_("ID Token"))
 
     class Meta:
+        indexes = [
+            models.Index(fields=["token", "provider"]),
+        ]
         verbose_name = _("OAuth2 Refresh Token")
         verbose_name_plural = _("OAuth2 Refresh Tokens")
 

authentik/providers/oauth2/urls.py

@@ -12,6 +12,7 @@ from authentik.providers.oauth2.api.tokens import (
 )
 from authentik.providers.oauth2.views.authorize import AuthorizationFlowInitView
 from authentik.providers.oauth2.views.device_backchannel import DeviceView
+from authentik.providers.oauth2.views.end_session import EndSessionView
 from authentik.providers.oauth2.views.introspection import TokenIntrospectionView
 from authentik.providers.oauth2.views.jwks import JWKSView
 from authentik.providers.oauth2.views.provider import ProviderInfoView
@@ -44,7 +45,7 @@ urlpatterns = [
     ),
     path(
         "<slug:application_slug>/end-session/",
-        RedirectView.as_view(pattern_name="authentik_core:if-session-end", query_string=True),
+        EndSessionView.as_view(),
         name="end-session",
     ),
     path("<slug:application_slug>/jwks/", JWKSView.as_view(), name="jwks"),

authentik/providers/oauth2/views/end_session.py

@@ -0,0 +1,45 @@
+"""oauth2 provider end_session Views"""
+
+from django.http import Http404, HttpRequest, HttpResponse
+from django.shortcuts import get_object_or_404
+
+from authentik.core.models import Application
+from authentik.flows.models import Flow, in_memory_stage
+from authentik.flows.planner import PLAN_CONTEXT_APPLICATION, FlowPlanner
+from authentik.flows.stage import SessionEndStage
+from authentik.flows.views.executor import SESSION_KEY_PLAN
+from authentik.lib.utils.urls import redirect_with_qs
+from authentik.policies.views import PolicyAccessView
+
+
+class EndSessionView(PolicyAccessView):
+    """Redirect to application's provider's invalidation flow"""
+
+    flow: Flow
+
+    def resolve_provider_application(self):
+        self.application = get_object_or_404(Application, slug=self.kwargs["application_slug"])
+        self.provider = self.application.get_provider()
+        if not self.provider:
+            raise Http404
+        self.flow = self.provider.invalidation_flow or self.request.brand.flow_invalidation
+        if not self.flow:
+            raise Http404
+
+    def get(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
+        """Dispatch the flow planner for the invalidation flow"""
+        planner = FlowPlanner(self.flow)
+        planner.allow_empty_flows = True
+        plan = planner.plan(
+            request,
+            {
+                PLAN_CONTEXT_APPLICATION: self.application,
+            },
+        )
+        plan.insert_stage(in_memory_stage(SessionEndStage))
+        request.session[SESSION_KEY_PLAN] = plan
+        return redirect_with_qs(
+            "authentik_core:if-flow",
+            self.request.GET,
+            flow_slug=self.flow.slug,
+        )

authentik/providers/oauth2/views/token.py

@@ -439,14 +439,15 @@ class TokenParams:
                 # (22 chars being the length of the "template")
                 username=f"ak-{self.provider.name[:150-22]}-client_credentials",
                 defaults={
+                    "attributes": {
+                        USER_ATTRIBUTE_GENERATED: True,
+                    },
                     "last_login": timezone.now(),
                     "name": f"Autogenerated user from application {app.name} (client credentials)",
                     "path": f"{USER_PATH_SYSTEM_PREFIX}/apps/{app.slug}",
                     "type": UserTypes.SERVICE_ACCOUNT,
                 },
             )
-            self.user.attributes[USER_ATTRIBUTE_GENERATED] = True
-            self.user.save()
         self.__check_policy_access(app, request)
 
         Event.new(
@@ -470,6 +471,9 @@ class TokenParams:
             self.user, created = User.objects.update_or_create(
                 username=f"{self.provider.name}-{token.get('sub')}",
                 defaults={
+                    "attributes": {
+                        USER_ATTRIBUTE_GENERATED: True,
+                    },
                     "last_login": timezone.now(),
                     "name": (
                         f"Autogenerated user from application {app.name} (client credentials JWT)"
@@ -478,8 +482,6 @@ class TokenParams:
                     "type": UserTypes.SERVICE_ACCOUNT,
                 },
             )
-            self.user.attributes[USER_ATTRIBUTE_GENERATED] = True
-            self.user.save()
             exp = token.get("exp")
             if created and exp:
                 self.user.attributes[USER_ATTRIBUTE_EXPIRES] = exp

authentik/providers/proxy/tests.py

@@ -24,6 +24,7 @@ class ProxyProviderTests(APITestCase):
                 "name": generate_id(),
                 "mode": ProxyMode.PROXY,
                 "authorization_flow": create_test_flow().pk.hex,
+                "invalidation_flow": create_test_flow().pk.hex,
                 "external_host": "http://localhost",
                 "internal_host": "http://localhost",
                 "basic_auth_enabled": True,
@@ -41,6 +42,7 @@ class ProxyProviderTests(APITestCase):
                 "name": generate_id(),
                 "mode": ProxyMode.PROXY,
                 "authorization_flow": create_test_flow().pk.hex,
+                "invalidation_flow": create_test_flow().pk.hex,
                 "external_host": "http://localhost",
                 "internal_host": "http://localhost",
                 "basic_auth_enabled": True,
@@ -64,6 +66,7 @@ class ProxyProviderTests(APITestCase):
                 "name": generate_id(),
                 "mode": ProxyMode.PROXY,
                 "authorization_flow": create_test_flow().pk.hex,
+                "invalidation_flow": create_test_flow().pk.hex,
                 "external_host": "http://localhost",
             },
         )
@@ -82,6 +85,7 @@ class ProxyProviderTests(APITestCase):
                 "name": name,
                 "mode": ProxyMode.PROXY,
                 "authorization_flow": create_test_flow().pk.hex,
+                "invalidation_flow": create_test_flow().pk.hex,
                 "external_host": "http://localhost",
                 "internal_host": "http://localhost",
             },
@@ -99,6 +103,7 @@ class ProxyProviderTests(APITestCase):
                 "name": name,
                 "mode": ProxyMode.PROXY,
                 "authorization_flow": create_test_flow().pk.hex,
+                "invalidation_flow": create_test_flow().pk.hex,
                 "external_host": "http://localhost",
                 "internal_host": "http://localhost",
             },
@@ -114,6 +119,7 @@ class ProxyProviderTests(APITestCase):
                 "name": name,
                 "mode": ProxyMode.PROXY,
                 "authorization_flow": create_test_flow().pk.hex,
+                "invalidation_flow": create_test_flow().pk.hex,
                 "external_host": "http://localhost",
                 "internal_host": "http://localhost",
             },

authentik/providers/saml/api/providers.py

@@ -188,6 +188,9 @@ class SAMLProviderImportSerializer(PassiveSerializer):
     authorization_flow = PrimaryKeyRelatedField(
         queryset=Flow.objects.filter(designation=FlowDesignation.AUTHORIZATION),
     )
+    invalidation_flow = PrimaryKeyRelatedField(
+        queryset=Flow.objects.filter(designation=FlowDesignation.INVALIDATION),
+    )
     file = FileField()
 
 
@@ -277,7 +280,9 @@ class SAMLProviderViewSet(UsedByMixin, ModelViewSet):
         try:
             metadata = ServiceProviderMetadataParser().parse(file.read().decode())
             metadata.to_provider(
-                data.validated_data["name"], data.validated_data["authorization_flow"]
+                data.validated_data["name"],
+                data.validated_data["authorization_flow"],
+                data.validated_data["invalidation_flow"],
             )
         except ValueError as exc:  # pragma: no cover
             LOGGER.warning(str(exc))

authentik/providers/saml/processors/assertion.py

@@ -50,7 +50,6 @@ class AssertionProcessor:
 
     _issue_instant: str
     _assertion_id: str
-    _response_id: str
 
     _valid_not_before: str
     _session_not_on_or_after: str
@@ -63,7 +62,6 @@ class AssertionProcessor:
 
         self._issue_instant = get_time_string()
         self._assertion_id = get_random_id()
-        self._response_id = get_random_id()
 
         self._valid_not_before = get_time_string(
             timedelta_from_string(self.provider.assertion_valid_not_before)
@@ -132,9 +130,7 @@ class AssertionProcessor:
         """Generate AuthnStatement with AuthnContext and ContextClassRef Elements."""
         auth_n_statement = Element(f"{{{NS_SAML_ASSERTION}}}AuthnStatement")
         auth_n_statement.attrib["AuthnInstant"] = self._valid_not_before
-        auth_n_statement.attrib["SessionIndex"] = sha256(
-            self.http_request.session.session_key.encode("ascii")
-        ).hexdigest()
+        auth_n_statement.attrib["SessionIndex"] = self._assertion_id
         auth_n_statement.attrib["SessionNotOnOrAfter"] = self._session_not_on_or_after
 
         auth_n_context = SubElement(auth_n_statement, f"{{{NS_SAML_ASSERTION}}}AuthnContext")
@@ -289,7 +285,7 @@ class AssertionProcessor:
         response.attrib["Version"] = "2.0"
         response.attrib["IssueInstant"] = self._issue_instant
         response.attrib["Destination"] = self.provider.acs_url
-        response.attrib["ID"] = self._response_id
+        response.attrib["ID"] = get_random_id()
         if self.auth_n_request.id:
             response.attrib["InResponseTo"] = self.auth_n_request.id
 
@@ -312,7 +308,7 @@ class AssertionProcessor:
         ref = xmlsec.template.add_reference(
             signature_node,
             digest_algorithm_transform,
-            uri="#" + element.attrib["ID"],
+            uri="#" + self._assertion_id,
         )
         xmlsec.template.add_transform(ref, xmlsec.constants.TransformEnveloped)
         xmlsec.template.add_transform(ref, xmlsec.constants.TransformExclC14N)

authentik/providers/saml/processors/metadata_parser.py

@@ -49,12 +49,13 @@ class ServiceProviderMetadata:
 
     signing_keypair: CertificateKeyPair | None = None
 
-    def to_provider(self, name: str, authorization_flow: Flow) -> SAMLProvider:
+    def to_provider(
+        self, name: str, authorization_flow: Flow, invalidation_flow: Flow
+    ) -> SAMLProvider:
         """Create a SAMLProvider instance from the details. `name` is required,
         as depending on the metadata CertificateKeypairs might have to be created."""
         provider = SAMLProvider.objects.create(
-            name=name,
-            authorization_flow=authorization_flow,
+            name=name, authorization_flow=authorization_flow, invalidation_flow=invalidation_flow
         )
         provider.issuer = self.entity_id
         provider.sp_binding = self.acs_binding

authentik/providers/saml/tests/test_api.py

@@ -47,11 +47,12 @@ class TestSAMLProviderAPI(APITestCase):
             data={
                 "name": generate_id(),
                 "authorization_flow": create_test_flow().pk,
+                "invalidation_flow": create_test_flow().pk,
                 "acs_url": "http://localhost",
                 "signing_kp": cert.pk,
             },
         )
-        self.assertEqual(400, response.status_code)
+        self.assertEqual(response.status_code, 400)
         self.assertJSONEqual(
             response.content,
             {
@@ -68,12 +69,13 @@ class TestSAMLProviderAPI(APITestCase):
             data={
                 "name": generate_id(),
                 "authorization_flow": create_test_flow().pk,
+                "invalidation_flow": create_test_flow().pk,
                 "acs_url": "http://localhost",
                 "signing_kp": cert.pk,
                 "sign_assertion": True,
             },
         )
-        self.assertEqual(201, response.status_code)
+        self.assertEqual(response.status_code, 201)
 
     def test_metadata(self):
         """Test metadata export (normal)"""
@@ -131,6 +133,7 @@ class TestSAMLProviderAPI(APITestCase):
                     "file": metadata,
                     "name": generate_id(),
                     "authorization_flow": create_test_flow(FlowDesignation.AUTHORIZATION).pk,
+                    "invalidation_flow": create_test_flow(FlowDesignation.INVALIDATION).pk,
                 },
                 format="multipart",
             )

authentik/providers/saml/tests/test_auth_n_request.py

@@ -180,10 +180,6 @@ class TestAuthNRequest(TestCase):
         # Now create a response and convert it to string (provider)
         response_proc = AssertionProcessor(self.provider, http_request, parsed_request)
         response = response_proc.build_response()
-        # Ensure both response and assertion ID are in the response twice (once as ID attribute,
-        # once as ds:Reference URI)
-        self.assertEqual(response.count(response_proc._assertion_id), 2)
-        self.assertEqual(response.count(response_proc._response_id), 2)
 
         # Now parse the response (source)
         http_request.POST = QueryDict(mutable=True)

authentik/providers/saml/tests/test_metadata.py

@@ -82,7 +82,7 @@ class TestServiceProviderMetadataParser(TestCase):
     def test_simple(self):
         """Test simple metadata without Signing"""
         metadata = ServiceProviderMetadataParser().parse(load_fixture("fixtures/simple.xml"))
-        provider = metadata.to_provider("test", self.flow)
+        provider = metadata.to_provider("test", self.flow, self.flow)
         self.assertEqual(provider.acs_url, "http://localhost:8080/saml/acs")
         self.assertEqual(provider.issuer, "http://localhost:8080/saml/metadata")
         self.assertEqual(provider.sp_binding, SAMLBindings.POST)
@@ -95,7 +95,7 @@ class TestServiceProviderMetadataParser(TestCase):
         """Test Metadata with signing cert"""
         create_test_cert()
         metadata = ServiceProviderMetadataParser().parse(load_fixture("fixtures/cert.xml"))
-        provider = metadata.to_provider("test", self.flow)
+        provider = metadata.to_provider("test", self.flow, self.flow)
         self.assertEqual(provider.acs_url, "http://localhost:8080/apps/user_saml/saml/acs")
         self.assertEqual(provider.issuer, "http://localhost:8080/apps/user_saml/saml/metadata")
         self.assertEqual(provider.sp_binding, SAMLBindings.POST)

authentik/providers/saml/views/slo.py

@@ -1,8 +1,8 @@
 """SLO Views"""
 
-from django.http import HttpRequest
+from django.http import Http404, HttpRequest
 from django.http.response import HttpResponse
-from django.shortcuts import get_object_or_404, redirect
+from django.shortcuts import get_object_or_404
 from django.utils.decorators import method_decorator
 from django.views.decorators.clickjacking import xframe_options_sameorigin
 from django.views.decorators.csrf import csrf_exempt
@@ -10,6 +10,11 @@ from structlog.stdlib import get_logger
 
 from authentik.core.models import Application
 from authentik.events.models import Event, EventAction
+from authentik.flows.models import Flow, in_memory_stage
+from authentik.flows.planner import PLAN_CONTEXT_APPLICATION, FlowPlanner
+from authentik.flows.stage import SessionEndStage
+from authentik.flows.views.executor import SESSION_KEY_PLAN
+from authentik.lib.utils.urls import redirect_with_qs
 from authentik.lib.views import bad_request_message
 from authentik.policies.views import PolicyAccessView
 from authentik.providers.saml.exceptions import CannotHandleAssertion
@@ -28,11 +33,16 @@ class SAMLSLOView(PolicyAccessView):
     """ "SAML SLO Base View, which plans a flow and injects our final stage.
     Calls get/post handler."""
 
+    flow: Flow
+
     def resolve_provider_application(self):
         self.application = get_object_or_404(Application, slug=self.kwargs["application_slug"])
         self.provider: SAMLProvider = get_object_or_404(
             SAMLProvider, pk=self.application.provider_id
         )
+        self.flow = self.provider.invalidation_flow or self.request.brand.flow_invalidation
+        if not self.flow:
+            raise Http404
 
     def check_saml_request(self) -> HttpRequest | None:
         """Handler to verify the SAML Request. Must be implemented by a subclass"""
@@ -45,9 +55,20 @@ class SAMLSLOView(PolicyAccessView):
         method_response = self.check_saml_request()
         if method_response:
             return method_response
-        return redirect(
-            "authentik_core:if-session-end",
-            application_slug=self.kwargs["application_slug"],
+        planner = FlowPlanner(self.flow)
+        planner.allow_empty_flows = True
+        plan = planner.plan(
+            request,
+            {
+                PLAN_CONTEXT_APPLICATION: self.application,
+            },
+        )
+        plan.insert_stage(in_memory_stage(SessionEndStage))
+        request.session[SESSION_KEY_PLAN] = plan
+        return redirect_with_qs(
+            "authentik_core:if-flow",
+            self.request.GET,
+            flow_slug=self.flow.slug,
         )
 
     def post(self, request: HttpRequest, application_slug: str) -> HttpResponse:

authentik/providers/scim/api/providers.py

@@ -26,6 +26,7 @@ class SCIMProviderSerializer(ProviderSerializer):
             "verbose_name_plural",
             "meta_model_name",
             "url",
+            "verify_certificates",
             "token",
             "exclude_users_service_account",
             "filter_group",

authentik/providers/scim/clients/base.py

@@ -42,6 +42,7 @@ class SCIMClient[TModel: "Model", TConnection: "Model", TSchema: "BaseModel"](
     def __init__(self, provider: SCIMProvider):
         super().__init__(provider)
         self._session = get_http_session()
+        self._session.verify = provider.verify_certificates
         self.provider = provider
         # Remove trailing slashes as we assume the URL doesn't have any
         base_url = provider.url

authentik/providers/scim/clients/groups.py

@@ -2,10 +2,9 @@
 
 from itertools import batched
 
-from django.db import transaction
 from pydantic import ValidationError
 from pydanticscim.group import GroupMember
-from pydanticscim.responses import PatchOp
+from pydanticscim.responses import PatchOp, PatchOperation
 
 from authentik.core.models import Group
 from authentik.lib.sync.mapper import PropertyMappingManager
@@ -20,7 +19,7 @@ from authentik.providers.scim.clients.base import SCIMClient
 from authentik.providers.scim.clients.exceptions import (
     SCIMRequestException,
 )
-from authentik.providers.scim.clients.schema import SCIM_GROUP_SCHEMA, PatchOperation, PatchRequest
+from authentik.providers.scim.clients.schema import SCIM_GROUP_SCHEMA, PatchRequest
 from authentik.providers.scim.clients.schema import Group as SCIMGroupSchema
 from authentik.providers.scim.models import (
     SCIMMapping,
@@ -105,47 +104,13 @@ class SCIMGroupClient(SCIMClient[Group, SCIMProviderGroup, SCIMGroupSchema]):
             provider=self.provider, group=group, scim_id=scim_id
         )
         users = list(group.users.order_by("id").values_list("id", flat=True))
-        self._patch_add_users(connection, users)
+        self._patch_add_users(group, users)
         return connection
 
     def update(self, group: Group, connection: SCIMProviderGroup):
         """Update existing group"""
         scim_group = self.to_schema(group, connection)
         scim_group.id = connection.scim_id
-        try:
-            if self._config.patch.supported:
-                return self._update_patch(group, scim_group, connection)
-            return self._update_put(group, scim_group, connection)
-        except NotFoundSyncException:
-            # Resource missing is handled by self.write, which will re-create the group
-            raise
-
-    def _update_patch(
-        self, group: Group, scim_group: SCIMGroupSchema, connection: SCIMProviderGroup
-    ):
-        """Update a group via PATCH request"""
-        # Patch group's attributes instead of replacing it and re-adding users if we can
-        self._request(
-            "PATCH",
-            f"/Groups/{connection.scim_id}",
-            json=PatchRequest(
-                Operations=[
-                    PatchOperation(
-                        op=PatchOp.replace,
-                        path=None,
-                        value=scim_group.model_dump(mode="json", exclude_unset=True),
-                    )
-                ]
-            ).model_dump(
-                mode="json",
-                exclude_unset=True,
-                exclude_none=True,
-            ),
-        )
-        return self.patch_compare_users(group)
-
-    def _update_put(self, group: Group, scim_group: SCIMGroupSchema, connection: SCIMProviderGroup):
-        """Update a group via PUT request"""
         try:
             self._request(
                 "PUT",
@@ -155,25 +120,33 @@ class SCIMGroupClient(SCIMClient[Group, SCIMProviderGroup, SCIMGroupSchema]):
                     exclude_unset=True,
                 ),
             )
-            return self.patch_compare_users(group)
+            users = list(group.users.order_by("id").values_list("id", flat=True))
+            return self._patch_add_users(group, users)
+        except NotFoundSyncException:
+            # Resource missing is handled by self.write, which will re-create the group
+            raise
         except (SCIMRequestException, ObjectExistsSyncException):
             # Some providers don't support PUT on groups, so this is mainly a fix for the initial
             # sync, send patch add requests for all the users the group currently has
-            return self._update_patch(group, scim_group, connection)
+            users = list(group.users.order_by("id").values_list("id", flat=True))
+            self._patch_add_users(group, users)
+            # Also update the group name
+            return self._patch(
+                scim_group.id,
+                PatchOperation(
+                    op=PatchOp.replace,
+                    path="displayName",
+                    value=scim_group.displayName,
+                ),
+            )
 
     def update_group(self, group: Group, action: Direction, users_set: set[int]):
         """Update a group, either using PUT to replace it or PATCH if supported"""
-        scim_group = SCIMProviderGroup.objects.filter(provider=self.provider, group=group).first()
-        if not scim_group:
-            self.logger.warning(
-                "could not sync group membership, group does not exist", group=group
-            )
-            return
         if self._config.patch.supported:
             if action == Direction.add:
-                return self._patch_add_users(scim_group, users_set)
+                return self._patch_add_users(group, users_set)
             if action == Direction.remove:
-                return self._patch_remove_users(scim_group, users_set)
+                return self._patch_remove_users(group, users_set)
         try:
             return self.write(group)
         except SCIMRequestException as exc:
@@ -181,24 +154,19 @@ class SCIMGroupClient(SCIMClient[Group, SCIMProviderGroup, SCIMGroupSchema]):
                 # Assume that provider does not support PUT and also doesn't support
                 # ServiceProviderConfig, so try PATCH as a fallback
                 if action == Direction.add:
-                    return self._patch_add_users(scim_group, users_set)
+                    return self._patch_add_users(group, users_set)
                 if action == Direction.remove:
-                    return self._patch_remove_users(scim_group, users_set)
+                    return self._patch_remove_users(group, users_set)
             raise exc
 
-    def _patch_chunked(
+    def _patch(
         self,
         group_id: str,
         *ops: PatchOperation,
     ):
-        """Helper function that chunks patch requests based on the maxOperations attribute.
-        This is not strictly according to specs but there's nothing in the schema that allows the
-        us to know what the maximum patch operations per request should be."""
         chunk_size = self._config.bulk.maxOperations
         if chunk_size < 1:
             chunk_size = len(ops)
-        if len(ops) < 1:
-            return
         for chunk in batched(ops, chunk_size):
             req = PatchRequest(Operations=list(chunk))
             self._request(
@@ -209,70 +177,16 @@ class SCIMGroupClient(SCIMClient[Group, SCIMProviderGroup, SCIMGroupSchema]):
                 ),
             )
 
-    @transaction.atomic
-    def patch_compare_users(self, group: Group):
-        """Compare users with a SCIM group and add/remove any differences"""
-        # Get scim group first
+    def _patch_add_users(self, group: Group, users_set: set[int]):
+        """Add users in users_set to group"""
+        if len(users_set) < 1:
+            return
         scim_group = SCIMProviderGroup.objects.filter(provider=self.provider, group=group).first()
         if not scim_group:
             self.logger.warning(
                 "could not sync group membership, group does not exist", group=group
             )
             return
-        # Get a list of all users in the authentik group
-        raw_users_should = list(group.users.order_by("id").values_list("id", flat=True))
-        # Lookup the SCIM IDs of the users
-        users_should: list[str] = list(
-            SCIMProviderUser.objects.filter(
-                user__pk__in=raw_users_should, provider=self.provider
-            ).values_list("scim_id", flat=True)
-        )
-        if len(raw_users_should) != len(users_should):
-            self.logger.warning(
-                "User count mismatch, not all users in the group are synced to SCIM yet.",
-                group=group,
-            )
-        # Get current group status
-        current_group = SCIMGroupSchema.model_validate(
-            self._request("GET", f"/Groups/{scim_group.scim_id}")
-        )
-        users_to_add = []
-        users_to_remove = []
-        # Check users currently in group and if they shouldn't be in the group and remove them
-        for user in current_group.members or []:
-            if user.value not in users_should:
-                users_to_remove.append(user.value)
-        # Check users that should be in the group and add them
-        for user in users_should:
-            if len([x for x in current_group.members if x.value == user]) < 1:
-                users_to_add.append(user)
-        # Only send request if we need to make changes
-        if len(users_to_add) < 1 and len(users_to_remove) < 1:
-            return
-        return self._patch_chunked(
-            scim_group.scim_id,
-            *[
-                PatchOperation(
-                    op=PatchOp.add,
-                    path="members",
-                    value=[{"value": x}],
-                )
-                for x in users_to_add
-            ],
-            *[
-                PatchOperation(
-                    op=PatchOp.remove,
-                    path="members",
-                    value=[{"value": x}],
-                )
-                for x in users_to_remove
-            ],
-        )
-
-    def _patch_add_users(self, scim_group: SCIMProviderGroup, users_set: set[int]):
-        """Add users in users_set to group"""
-        if len(users_set) < 1:
-            return
         user_ids = list(
             SCIMProviderUser.objects.filter(
                 user__pk__in=users_set, provider=self.provider
@@ -280,7 +194,7 @@ class SCIMGroupClient(SCIMClient[Group, SCIMProviderGroup, SCIMGroupSchema]):
         )
         if len(user_ids) < 1:
             return
-        self._patch_chunked(
+        self._patch(
             scim_group.scim_id,
             *[
                 PatchOperation(
@@ -292,10 +206,16 @@ class SCIMGroupClient(SCIMClient[Group, SCIMProviderGroup, SCIMGroupSchema]):
             ],
         )
 
-    def _patch_remove_users(self, scim_group: SCIMProviderGroup, users_set: set[int]):
+    def _patch_remove_users(self, group: Group, users_set: set[int]):
         """Remove users in users_set from group"""
         if len(users_set) < 1:
             return
+        scim_group = SCIMProviderGroup.objects.filter(provider=self.provider, group=group).first()
+        if not scim_group:
+            self.logger.warning(
+                "could not sync group membership, group does not exist", group=group
+            )
+            return
         user_ids = list(
             SCIMProviderUser.objects.filter(
                 user__pk__in=users_set, provider=self.provider
@@ -303,7 +223,7 @@ class SCIMGroupClient(SCIMClient[Group, SCIMProviderGroup, SCIMGroupSchema]):
         )
         if len(user_ids) < 1:
             return
-        self._patch_chunked(
+        self._patch(
             scim_group.scim_id,
             *[
                 PatchOperation(

authentik/providers/scim/clients/schema.py

@@ -2,7 +2,6 @@
 
 from pydantic import Field
 from pydanticscim.group import Group as BaseGroup
-from pydanticscim.responses import PatchOperation as BasePatchOperation
 from pydanticscim.responses import PatchRequest as BasePatchRequest
 from pydanticscim.responses import SCIMError as BaseSCIMError
 from pydanticscim.service_provider import Bulk as BaseBulk
@@ -69,12 +68,6 @@ class PatchRequest(BasePatchRequest):
     schemas: tuple[str] = ("urn:ietf:params:scim:api:messages:2.0:PatchOp",)
 
 
-class PatchOperation(BasePatchOperation):
-    """PatchOperation with optional path"""
-
-    path: str | None
-
-
 class SCIMError(BaseSCIMError):
     """SCIM error with optional status code"""
 

authentik/providers/scim/migrations/0010_scimprovider_verify_certificates.py

@@ -0,0 +1,18 @@
+# Generated by Django 5.0.9 on 2024-09-19 14:02
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_providers_scim", "0009_alter_scimmapping_options"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="scimprovider",
+            name="verify_certificates",
+            field=models.BooleanField(default=True),
+        ),
+    ]

authentik/providers/scim/models.py

@@ -68,6 +68,7 @@ class SCIMProvider(OutgoingSyncProvider, BackchannelProvider):
 
     url = models.TextField(help_text=_("Base URL to SCIM requests, usually ends in /v2"))
     token = models.TextField(help_text=_("Authentication token"))
+    verify_certificates = models.BooleanField(default=True)
 
     property_mappings_group = models.ManyToManyField(
         PropertyMapping,

authentik/providers/scim/tests/test_membership.py

@@ -252,118 +252,3 @@ class SCIMMembershipTests(TestCase):
                     ],
                 },
             )
-
-    def test_member_add_save(self):
-        """Test member add + save"""
-        config = ServiceProviderConfiguration.default()
-
-        config.patch.supported = True
-        user_scim_id = generate_id()
-        group_scim_id = generate_id()
-        uid = generate_id()
-        group = Group.objects.create(
-            name=uid,
-        )
-
-        user = User.objects.create(username=generate_id())
-
-        # Test initial sync of group creation
-        with Mocker() as mocker:
-            mocker.get(
-                "https://localhost/ServiceProviderConfig",
-                json=config.model_dump(),
-            )
-            mocker.post(
-                "https://localhost/Users",
-                json={
-                    "id": user_scim_id,
-                },
-            )
-            mocker.post(
-                "https://localhost/Groups",
-                json={
-                    "id": group_scim_id,
-                },
-            )
-
-            self.configure()
-            sync_tasks.trigger_single_task(self.provider, scim_sync).get()
-
-            self.assertEqual(mocker.call_count, 6)
-            self.assertEqual(mocker.request_history[0].method, "GET")
-            self.assertEqual(mocker.request_history[1].method, "GET")
-            self.assertEqual(mocker.request_history[2].method, "GET")
-            self.assertEqual(mocker.request_history[3].method, "POST")
-            self.assertEqual(mocker.request_history[4].method, "GET")
-            self.assertEqual(mocker.request_history[5].method, "POST")
-            self.assertJSONEqual(
-                mocker.request_history[3].body,
-                {
-                    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
-                    "emails": [],
-                    "active": True,
-                    "externalId": user.uid,
-                    "name": {"familyName": " ", "formatted": " ", "givenName": ""},
-                    "displayName": "",
-                    "userName": user.username,
-                },
-            )
-            self.assertJSONEqual(
-                mocker.request_history[5].body,
-                {
-                    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
-                    "externalId": str(group.pk),
-                    "displayName": group.name,
-                },
-            )
-
-        with Mocker() as mocker:
-            mocker.get(
-                "https://localhost/ServiceProviderConfig",
-                json=config.model_dump(),
-            )
-            mocker.get(
-                f"https://localhost/Groups/{group_scim_id}",
-                json={},
-            )
-            mocker.patch(
-                f"https://localhost/Groups/{group_scim_id}",
-                json={},
-            )
-            group.users.add(user)
-            group.save()
-            self.assertEqual(mocker.call_count, 5)
-            self.assertEqual(mocker.request_history[0].method, "GET")
-            self.assertEqual(mocker.request_history[1].method, "PATCH")
-            self.assertEqual(mocker.request_history[2].method, "GET")
-            self.assertEqual(mocker.request_history[3].method, "PATCH")
-            self.assertEqual(mocker.request_history[4].method, "GET")
-            self.assertJSONEqual(
-                mocker.request_history[1].body,
-                {
-                    "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
-                    "Operations": [
-                        {
-                            "op": "add",
-                            "path": "members",
-                            "value": [{"value": user_scim_id}],
-                        }
-                    ],
-                },
-            )
-            self.assertJSONEqual(
-                mocker.request_history[3].body,
-                {
-                    "Operations": [
-                        {
-                            "op": "replace",
-                            "value": {
-                                "id": group_scim_id,
-                                "displayName": group.name,
-                                "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
-                                "externalId": str(group.pk),
-                            },
-                        }
-                    ]
-                },
-            )

authentik/recovery/lib.py

@@ -22,7 +22,7 @@ def create_admin_group(user: User) -> Group:
     return group
 
 
-def create_recovery_token(user: User, expiry: datetime, generated_from: str) -> (Token, str):
+def create_recovery_token(user: User, expiry: datetime, generated_from: str) -> tuple[Token, str]:
     """Create recovery token and associated link"""
     _now = now()
     token = Token.objects.create(

authentik/root/middleware.py

@@ -228,9 +228,9 @@ class ClientIPMiddleware:
             )
             return None
         # Update sentry scope to include correct IP
-        user = Scope.get_isolation_scope()._user or {}
-        user["ip_address"] = delegated_ip
-        Scope.get_isolation_scope().set_user(user)
+        sentry_user = Scope.get_isolation_scope()._user or {}
+        sentry_user["ip_address"] = delegated_ip
+        Scope.get_isolation_scope().set_user(sentry_user)
         # Set the outpost service account on the request
         setattr(request, self.request_attr_outpost_user, user)
         try:

authentik/sources/oauth/types/apple.py

@@ -15,12 +15,13 @@ from authentik.sources.oauth.models import OAuthSource
 from authentik.sources.oauth.types.registry import SourceType, registry
 from authentik.sources.oauth.views.callback import OAuthCallback
 from authentik.sources.oauth.views.redirect import OAuthRedirect
+from authentik.stages.identification.stage import LoginChallengeMixin
 
 LOGGER = get_logger()
 APPLE_CLIENT_ID_PARTS = 3
 
 
-class AppleLoginChallenge(Challenge):
+class AppleLoginChallenge(LoginChallengeMixin, Challenge):
     """Special challenge for apple-native authentication flow, which happens on the client."""
 
     client_id = CharField()

authentik/sources/plex/models.py

@@ -19,9 +19,10 @@ from authentik.core.models import (
 from authentik.core.types import UILoginButton, UserSettingSerializer
 from authentik.flows.challenge import Challenge, ChallengeResponse
 from authentik.lib.generators import generate_id
+from authentik.stages.identification.stage import LoginChallengeMixin
 
 
-class PlexAuthenticationChallenge(Challenge):
+class PlexAuthenticationChallenge(LoginChallengeMixin, Challenge):
     """Challenge shown to the user in identification stage"""
 
     client_id = CharField()

authentik/sources/saml/migrations/0017_fix_x509subjectname.py

@@ -0,0 +1,26 @@
+# Generated by Django 5.0.9 on 2024-10-10 15:45
+
+from django.db import migrations
+from django.apps.registry import Apps
+
+from django.db.backends.base.schema import BaseDatabaseSchemaEditor
+
+
+def fix_X509SubjectName(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
+    db_alias = schema_editor.connection.alias
+
+    SAMLSource = apps.get_model("authentik_sources_saml", "SAMLSource")
+    SAMLSource.objects.using(db_alias).filter(
+        name_id_policy="urn:oasis:names:tc:SAML:2.0:nameid-format:X509SubjectName"
+    ).update(name_id_policy="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName")
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_sources_saml", "0016_samlsource_encryption_kp"),
+    ]
+
+    operations = [
+        migrations.RunPython(fix_X509SubjectName),
+    ]

authentik/sources/saml/processors/constants.py

@@ -19,7 +19,7 @@ NS_MAP = {
 SAML_NAME_ID_FORMAT_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
 SAML_NAME_ID_FORMAT_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
 SAML_NAME_ID_FORMAT_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
-SAML_NAME_ID_FORMAT_X509 = "urn:oasis:names:tc:SAML:2.0:nameid-format:X509SubjectName"
+SAML_NAME_ID_FORMAT_X509 = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
 SAML_NAME_ID_FORMAT_WINDOWS = "urn:oasis:names:tc:SAML:2.0:nameid-format:WindowsDomainQualifiedName"
 SAML_NAME_ID_FORMAT_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
 

authentik/sources/saml/processors/metadata.py

@@ -1,6 +1,5 @@
 """SAML Service Provider Metadata Processor"""
 
-from collections.abc import Iterator
 from typing import Optional
 
 from django.http import HttpRequest
@@ -13,11 +12,6 @@ from authentik.sources.saml.processors.constants import (
     NS_SAML_METADATA,
     NS_SIGNATURE,
     SAML_BINDING_POST,
-    SAML_NAME_ID_FORMAT_EMAIL,
-    SAML_NAME_ID_FORMAT_PERSISTENT,
-    SAML_NAME_ID_FORMAT_TRANSIENT,
-    SAML_NAME_ID_FORMAT_WINDOWS,
-    SAML_NAME_ID_FORMAT_X509,
 )
 
 
@@ -60,19 +54,10 @@ class MetadataProcessor:
             return key_descriptor
         return None
 
-    def get_name_id_formats(self) -> Iterator[Element]:
-        """Get compatible NameID Formats"""
-        formats = [
-            SAML_NAME_ID_FORMAT_EMAIL,
-            SAML_NAME_ID_FORMAT_PERSISTENT,
-            SAML_NAME_ID_FORMAT_X509,
-            SAML_NAME_ID_FORMAT_WINDOWS,
-            SAML_NAME_ID_FORMAT_TRANSIENT,
-        ]
-        for name_id_format in formats:
-            element = Element(f"{{{NS_SAML_METADATA}}}NameIDFormat")
-            element.text = name_id_format
-            yield element
+    def get_name_id_format(self) -> Element:
+        element = Element(f"{{{NS_SAML_METADATA}}}NameIDFormat")
+        element.text = self.source.name_id_policy
+        return element
 
     def build_entity_descriptor(self) -> str:
         """Build full EntityDescriptor"""
@@ -92,8 +77,7 @@ class MetadataProcessor:
         if encryption_descriptor is not None:
             sp_sso_descriptor.append(encryption_descriptor)
 
-        for name_id_format in self.get_name_id_formats():
-            sp_sso_descriptor.append(name_id_format)
+        sp_sso_descriptor.append(self.get_name_id_format())
 
         assertion_consumer_service = SubElement(
             sp_sso_descriptor, f"{{{NS_SAML_METADATA}}}AssertionConsumerService"

authentik/stages/consent/stage.py

@@ -96,8 +96,9 @@ class ConsentStageView(ChallengeStageView):
         if PLAN_CONTEXT_PENDING_USER in self.executor.plan.context:
             user = self.executor.plan.context[PLAN_CONTEXT_PENDING_USER]
 
+        # Remove expired consents to prevent database unique constraints errors
         consent: UserConsent | None = UserConsent.filter_not_expired(
-            user=user, application=application
+            delete_expired=True, user=user, application=application
         ).first()
         self.executor.plan.context[PLAN_CONTEXT_CONSENT] = consent
 

authentik/stages/identification/stage.py

@@ -26,23 +26,31 @@ from authentik.flows.models import FlowDesignation
 from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER
 from authentik.flows.stage import PLAN_CONTEXT_PENDING_USER_IDENTIFIER, ChallengeStageView
 from authentik.flows.views.executor import SESSION_KEY_APPLICATION_PRE, SESSION_KEY_GET
+from authentik.lib.utils.reflection import all_subclasses
 from authentik.lib.utils.urls import reverse_with_qs
 from authentik.root.middleware import ClientIPMiddleware
-from authentik.sources.oauth.types.apple import AppleLoginChallenge
-from authentik.sources.plex.models import PlexAuthenticationChallenge
 from authentik.stages.identification.models import IdentificationStage
 from authentik.stages.identification.signals import identification_failed
 from authentik.stages.password.stage import authenticate
 
 
+class LoginChallengeMixin:
+    """Base login challenge for Identification stage"""
+
+
+def get_login_serializers():
+    mapping = {
+        RedirectChallenge().fields["component"].default: RedirectChallenge,
+    }
+    for cls in all_subclasses(LoginChallengeMixin):
+        mapping[cls().fields["component"].default] = cls
+    return mapping
+
+
 @extend_schema_field(
     PolymorphicProxySerializer(
         component_name="LoginChallengeTypes",
-        serializers={
-            RedirectChallenge().fields["component"].default: RedirectChallenge,
-            PlexAuthenticationChallenge().fields["component"].default: PlexAuthenticationChallenge,
-            AppleLoginChallenge().fields["component"].default: AppleLoginChallenge,
-        },
+        serializers=get_login_serializers,
         resource_type_field_name="component",
     )
 )
@@ -96,7 +104,7 @@ class IdentificationChallengeResponse(ChallengeResponse):
         if not pre_user:
             with start_span(
                 op="authentik.stages.identification.validate_invalid_wait",
-                description="Sleep random time on invalid user identifier",
+                name="Sleep random time on invalid user identifier",
             ):
                 # Sleep a random time (between 90 and 210ms) to "prevent" user enumeration attacks
                 sleep(0.030 * SystemRandom().randint(3, 7))
@@ -138,7 +146,7 @@ class IdentificationChallengeResponse(ChallengeResponse):
         try:
             with start_span(
                 op="authentik.stages.identification.authenticate",
-                description="User authenticate call (combo stage)",
+                name="User authenticate call (combo stage)",
             ):
                 user = authenticate(
                     self.stage.request,

authentik/stages/password/stage.py

@@ -49,7 +49,7 @@ def authenticate(
         LOGGER.debug("Attempting authentication...", backend=backend_path)
         with start_span(
             op="authentik.stages.password.authenticate",
-            description=backend_path,
+            name=backend_path,
         ):
             user = backend.authenticate(request, **credentials)
         if user is None:

authentik/stages/prompt/models.py

@@ -38,7 +38,7 @@ LOGGER = get_logger()
 class FieldTypes(models.TextChoices):
     """Field types an Prompt can be"""
 
-    # update website/docs/flow/stages/prompt/index.md
+    # update website/docs/add-secure-apps/flows-stages/stages/prompt/index.md
 
     # Simple text field
     TEXT = "text", _("Text: Simple Text input")

blueprints/default/flow-default-provider-invalidation.yaml

@@ -0,0 +1,13 @@
+version: 1
+metadata:
+  name: Default - Provider invalidation flow
+entries:
+- attrs:
+    designation: invalidation
+    name: Logged out of application
+    title: You've logged out of %(app)s.
+    authentication: none
+  identifiers:
+    slug: default-provider-invalidation-flow
+  model: authentik_flows.flow
+  id: flow

blueprints/schema.json

@@ -2,7 +2,7 @@
     "$schema": "http://json-schema.org/draft-07/schema",
     "$id": "https://goauthentik.io/blueprints/schema.json",
     "type": "object",
-    "title": "authentik 2024.8.4 Blueprint schema",
+    "title": "authentik 2024.8.3 Blueprint schema",
     "required": [
         "version",
         "entries"
@@ -5117,6 +5117,12 @@
                     "title": "Authorization flow",
                     "description": "Flow used when authorizing this provider."
                 },
+                "invalidation_flow": {
+                    "type": "string",
+                    "format": "uuid",
+                    "title": "Invalidation flow",
+                    "description": "Flow used ending the session from a provider."
+                },
                 "property_mappings": {
                     "type": "array",
                     "items": {
@@ -5287,6 +5293,12 @@
                     "title": "Authorization flow",
                     "description": "Flow used when authorizing this provider."
                 },
+                "invalidation_flow": {
+                    "type": "string",
+                    "format": "uuid",
+                    "title": "Invalidation flow",
+                    "description": "Flow used ending the session from a provider."
+                },
                 "property_mappings": {
                     "type": "array",
                     "items": {
@@ -5428,6 +5440,12 @@
                     "title": "Authorization flow",
                     "description": "Flow used when authorizing this provider."
                 },
+                "invalidation_flow": {
+                    "type": "string",
+                    "format": "uuid",
+                    "title": "Invalidation flow",
+                    "description": "Flow used ending the session from a provider."
+                },
                 "property_mappings": {
                     "type": "array",
                     "items": {
@@ -5563,6 +5581,12 @@
                     "title": "Authorization flow",
                     "description": "Flow used when authorizing this provider."
                 },
+                "invalidation_flow": {
+                    "type": "string",
+                    "format": "uuid",
+                    "title": "Invalidation flow",
+                    "description": "Flow used ending the session from a provider."
+                },
                 "property_mappings": {
                     "type": "array",
                     "items": {
@@ -5688,6 +5712,12 @@
                     "title": "Authorization flow",
                     "description": "Flow used when authorizing this provider."
                 },
+                "invalidation_flow": {
+                    "type": "string",
+                    "format": "uuid",
+                    "title": "Invalidation flow",
+                    "description": "Flow used ending the session from a provider."
+                },
                 "property_mappings": {
                     "type": "array",
                     "items": {
@@ -5926,6 +5956,10 @@
                     "title": "Url",
                     "description": "Base URL to SCIM requests, usually ends in /v2"
                 },
+                "verify_certificates": {
+                    "type": "boolean",
+                    "title": "Verify certificates"
+                },
                 "token": {
                     "type": "string",
                     "minLength": 1,
@@ -7567,7 +7601,7 @@
                     "enum": [
                         "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
                         "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
-                        "urn:oasis:names:tc:SAML:2.0:nameid-format:X509SubjectName",
+                        "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName",
                         "urn:oasis:names:tc:SAML:2.0:nameid-format:WindowsDomainQualifiedName",
                         "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
                     ],
@@ -12761,6 +12795,12 @@
                     "title": "Authorization flow",
                     "description": "Flow used when authorizing this provider."
                 },
+                "invalidation_flow": {
+                    "type": "string",
+                    "format": "uuid",
+                    "title": "Invalidation flow",
+                    "description": "Flow used ending the session from a provider."
+                },
                 "property_mappings": {
                     "type": "array",
                     "items": {

docker-compose.yml

@@ -31,7 +31,7 @@ services:
     volumes:
       - redis:/data
   server:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.8.4}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.8.3}
     restart: unless-stopped
     command: server
     environment:
@@ -52,7 +52,7 @@ services:
       - postgresql
       - redis
   worker:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.8.4}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.8.3}
     restart: unless-stopped
     command: worker
     environment:

go.mod

@@ -7,7 +7,7 @@ toolchain go1.23.0
 require (
 	beryju.io/ldap v0.1.0
 	github.com/coreos/go-oidc/v3 v3.11.0
-	github.com/getsentry/sentry-go v0.28.1
+	github.com/getsentry/sentry-go v0.29.0
 	github.com/go-http-utils/etag v0.0.0-20161124023236-513ea8f21eb1
 	github.com/go-ldap/ldap/v3 v3.4.8
 	github.com/go-openapi/runtime v0.28.0
@@ -18,20 +18,20 @@ require (
 	github.com/gorilla/securecookie v1.1.2
 	github.com/gorilla/sessions v1.4.0
 	github.com/gorilla/websocket v1.5.3
-	github.com/jellydator/ttlcache/v3 v3.2.1
+	github.com/jellydator/ttlcache/v3 v3.3.0
 	github.com/mitchellh/mapstructure v1.5.0
 	github.com/nmcclain/asn1-ber v0.0.0-20170104154839-2661553a0484
-	github.com/pires/go-proxyproto v0.7.0
-	github.com/prometheus/client_golang v1.20.2
+	github.com/pires/go-proxyproto v0.8.0
+	github.com/prometheus/client_golang v1.20.4
 	github.com/redis/go-redis/v9 v9.6.1
 	github.com/sethvargo/go-envconfig v1.1.0
 	github.com/sirupsen/logrus v1.9.3
 	github.com/spf13/cobra v1.8.1
 	github.com/stretchr/testify v1.9.0
 	github.com/wwt/guac v1.3.2
-	goauthentik.io/api/v3 v3.2024064.1
+	goauthentik.io/api/v3 v3.2024083.5
 	golang.org/x/exp v0.0.0-20230210204819-062eb4c674ab
-	golang.org/x/oauth2 v0.22.0
+	golang.org/x/oauth2 v0.23.0
 	golang.org/x/sync v0.8.0
 	gopkg.in/yaml.v2 v2.4.0
 	layeh.com/radius v0.0.0-20210819152912-ad72663a72ab

go.sum

@@ -69,8 +69,8 @@ github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1m
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
 github.com/felixge/httpsnoop v1.0.3 h1:s/nj+GCswXYzN5v2DpNMuMQYe+0DDwt5WVCU6CWBdXk=
 github.com/felixge/httpsnoop v1.0.3/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
-github.com/getsentry/sentry-go v0.28.1 h1:zzaSm/vHmGllRM6Tpx1492r0YDzauArdBfkJRtY6P5k=
-github.com/getsentry/sentry-go v0.28.1/go.mod h1:1fQZ+7l7eeJ3wYi82q5Hg8GqAPgefRq+FP/QhafYVgg=
+github.com/getsentry/sentry-go v0.29.0 h1:YtWluuCFg9OfcqnaujpY918N/AhCCwarIDWOYSBAjCA=
+github.com/getsentry/sentry-go v0.29.0/go.mod h1:jhPesDAL0Q0W2+2YEuVOvdWmVtdsr1+jtBrlDEVWwLY=
 github.com/go-asn1-ber/asn1-ber v1.5.5 h1:MNHlNMBDgEKD4TcKr36vQN68BA00aDfjIt3/bD50WnA=
 github.com/go-asn1-ber/asn1-ber v1.5.5/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
 github.com/go-errors/errors v1.4.2 h1:J6MZopCL4uSllY1OfXM374weqZFFItUbrImctkmUxIA=
@@ -200,8 +200,8 @@ github.com/jcmturner/gokrb5/v8 v8.4.4 h1:x1Sv4HaTpepFkXbt2IkL29DXRf8sOfZXo8eRKh6
 github.com/jcmturner/gokrb5/v8 v8.4.4/go.mod h1:1btQEpgT6k+unzCwX1KdWMEwPPkkgBtP+F6aCACiMrs=
 github.com/jcmturner/rpc/v2 v2.0.3 h1:7FXXj8Ti1IaVFpSAziCZWNzbNuZmnvw/i6CqLNdWfZY=
 github.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc=
-github.com/jellydator/ttlcache/v3 v3.2.1 h1:eS8ljnYY7BllYGkXw/TfczWZrXUu/CH7SIkC6ugn9Js=
-github.com/jellydator/ttlcache/v3 v3.2.1/go.mod h1:bj2/e0l4jRnQdrnSTaGTsh4GSXvMjQcy41i7th0GVGw=
+github.com/jellydator/ttlcache/v3 v3.3.0 h1:BdoC9cE81qXfrxeb9eoJi9dWrdhSuwXMAnHTbnBm4Wc=
+github.com/jellydator/ttlcache/v3 v3.3.0/go.mod h1:bj2/e0l4jRnQdrnSTaGTsh4GSXvMjQcy41i7th0GVGw=
 github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
 github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
 github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
@@ -233,14 +233,14 @@ github.com/opentracing/opentracing-go v1.2.0 h1:uEJPy/1a5RIPAJ0Ov+OIO8OxWu77jEv+
 github.com/opentracing/opentracing-go v1.2.0/go.mod h1:GxEUsuufX4nBwe+T+Wl9TAgYrxe9dPLANfrWvHYVTgc=
 github.com/pingcap/errors v0.11.4 h1:lFuQV/oaUMGcD2tqt+01ROSmJs75VG1ToEOkZIZ4nE4=
 github.com/pingcap/errors v0.11.4/go.mod h1:Oi8TUi2kEtXXLMJk9l1cGmz20kV3TaQ0usTwv5KuLY8=
-github.com/pires/go-proxyproto v0.7.0 h1:IukmRewDQFWC7kfnb66CSomk2q/seBuilHBYFwyq0Hs=
-github.com/pires/go-proxyproto v0.7.0/go.mod h1:Vz/1JPY/OACxWGQNIRY2BeyDmpoaWmEP40O9LbuiFR4=
+github.com/pires/go-proxyproto v0.8.0 h1:5unRmEAPbHXHuLjDg01CxJWf91cw3lKHc/0xzKpXEe0=
+github.com/pires/go-proxyproto v0.8.0/go.mod h1:iknsfgnH8EkjrMeMyvfKByp9TiBZCKZM0jx2xmKqnVY=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/prometheus/client_golang v1.20.2 h1:5ctymQzZlyOON1666svgwn3s6IKWgfbjsejTMiXIyjg=
-github.com/prometheus/client_golang v1.20.2/go.mod h1:PIEt8X02hGcP8JWbeHyeZ53Y/jReSnHgO035n//V5WE=
+github.com/prometheus/client_golang v1.20.4 h1:Tgh3Yr67PaOv/uTqloMsCEdeuFTatm5zIq5+qNN23vI=
+github.com/prometheus/client_golang v1.20.4/go.mod h1:PIEt8X02hGcP8JWbeHyeZ53Y/jReSnHgO035n//V5WE=
 github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E=
 github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY=
@@ -299,8 +299,8 @@ go.opentelemetry.io/otel/trace v1.24.0 h1:CsKnnL4dUAr/0llH9FKuc698G04IrpWV0MQA/Y
 go.opentelemetry.io/otel/trace v1.24.0/go.mod h1:HPc3Xr/cOApsBI154IU0OI0HJexz+aw5uPdbs3UCjNU=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
-goauthentik.io/api/v3 v3.2024064.1 h1:vxquklgDGD+nGFhWRAsQ7ezQKg17MRq6bzEk25fbsb4=
-goauthentik.io/api/v3 v3.2024064.1/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
+goauthentik.io/api/v3 v3.2024083.5 h1:qXJ4VRPP8ZBvCFrOH252JhEbURbu4MK5b0KZBGq4z1w=
+goauthentik.io/api/v3 v3.2024083.5/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
@@ -388,8 +388,8 @@ golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4Iltr
 golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.22.0 h1:BzDx2FehcG7jJwgWLELCdmLuxk2i+x9UDpSiss2u0ZA=
-golang.org/x/oauth2 v0.22.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
+golang.org/x/oauth2 v0.23.0 h1:PbgcYx2W7i4LvjJWEbf0ngHV6qJYr86PkAV3bXdLEbs=
+golang.org/x/oauth2 v0.23.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=

internal/constants/constants.go

@@ -29,4 +29,4 @@ func UserAgent() string {
 	return fmt.Sprintf("authentik@%s", FullVersion())
 }
 
-const VERSION = "2024.8.4"
+const VERSION = "2024.8.3"

internal/outpost/ldap/bind/direct/unbind.go

@@ -8,11 +8,17 @@ import (
 )
 
 func (db *DirectBinder) Unbind(username string, req *bind.Request) (ldap.LDAPResultCode, error) {
+	flowSlug := db.si.GetInvalidationFlowSlug()
+	if flowSlug == nil {
+		req.Log().Debug("Provider does not have a logout flow configured")
+		db.si.SetFlags(req.BindDN, nil)
+		return ldap.LDAPResultSuccess, nil
+	}
 	flags := db.si.GetFlags(req.BindDN)
 	if flags == nil || flags.Session == nil {
 		return ldap.LDAPResultSuccess, nil
 	}
-	fe := flow.NewFlowExecutor(req.Context(), db.si.GetInvalidationFlowSlug(), db.si.GetAPIClient().GetConfig(), log.Fields{
+	fe := flow.NewFlowExecutor(req.Context(), *flowSlug, db.si.GetAPIClient().GetConfig(), log.Fields{
 		"boundDN":   req.BindDN,
 		"client":    req.RemoteAddr(),
 		"requestId": req.ID(),
@@ -22,7 +28,7 @@ func (db *DirectBinder) Unbind(username string, req *bind.Request) (ldap.LDAPRes
 	fe.Params.Add("goauthentik.io/outpost/ldap", "true")
 	_, err := fe.Execute()
 	if err != nil {
-		db.log.WithError(err).Warning("failed to logout user")
+		req.Log().WithError(err).Warning("failed to logout user")
 	}
 	db.si.SetFlags(req.BindDN, nil)
 	return ldap.LDAPResultSuccess, nil

internal/outpost/ldap/instance.go

@@ -26,7 +26,7 @@ type ProviderInstance struct {
 
 	appSlug                string
 	authenticationFlowSlug string
-	invalidationFlowSlug   string
+	invalidationFlowSlug   *string
 	s                      *LDAPServer
 	log                    *log.Entry
 
@@ -99,7 +99,7 @@ func (pi *ProviderInstance) GetAuthenticationFlowSlug() string {
 	return pi.authenticationFlowSlug
 }
 
-func (pi *ProviderInstance) GetInvalidationFlowSlug() string {
+func (pi *ProviderInstance) GetInvalidationFlowSlug() *string {
 	return pi.invalidationFlowSlug
 }
 

internal/outpost/ldap/refresh.go

@@ -29,16 +29,6 @@ func (ls *LDAPServer) getCurrentProvider(pk int32) *ProviderInstance {
 	return nil
 }
 
-func (ls *LDAPServer) getInvalidationFlow() string {
-	req, _, err := ls.ac.Client.CoreApi.CoreBrandsCurrentRetrieve(context.Background()).Execute()
-	if err != nil {
-		ls.log.WithError(err).Warning("failed to fetch brand config")
-		return ""
-	}
-	flow := req.GetFlowInvalidation()
-	return flow
-}
-
 func (ls *LDAPServer) Refresh() error {
 	apiProviders, err := ak.Paginator(ls.ac.Client.OutpostsApi.OutpostsLdapList(context.Background()), ak.PaginatorOptions{
 		PageSize: 100,
@@ -51,7 +41,6 @@ func (ls *LDAPServer) Refresh() error {
 		return errors.New("no ldap provider defined")
 	}
 	providers := make([]*ProviderInstance, len(apiProviders))
-	invalidationFlow := ls.getInvalidationFlow()
 	for idx, provider := range apiProviders {
 		userDN := strings.ToLower(fmt.Sprintf("ou=%s,%s", constants.OUUsers, *provider.BaseDn))
 		groupDN := strings.ToLower(fmt.Sprintf("ou=%s,%s", constants.OUGroups, *provider.BaseDn))
@@ -75,7 +64,7 @@ func (ls *LDAPServer) Refresh() error {
 			UserDN:                 userDN,
 			appSlug:                provider.ApplicationSlug,
 			authenticationFlowSlug: provider.BindFlowSlug,
-			invalidationFlowSlug:   invalidationFlow,
+			invalidationFlowSlug:   provider.UnbindFlowSlug.Get(),
 			boundUsersMutex:        usersMutex,
 			boundUsers:             users,
 			s:                      ls,

internal/outpost/ldap/server/base.go

@@ -12,7 +12,7 @@ type LDAPServerInstance interface {
 	GetOutpostName() string
 
 	GetAuthenticationFlowSlug() string
-	GetInvalidationFlowSlug() string
+	GetInvalidationFlowSlug() *string
 	GetAppSlug() string
 	GetProviderID() int32
 

internal/outpost/proxyv2/application/application.go

@@ -65,8 +65,11 @@ type Server interface {
 	CryptoStore() *ak.CryptoStore
 }
 
-func NewApplication(p api.ProxyOutpostConfig, c *http.Client, server Server) (*Application, error) {
+func init() {
 	gob.Register(Claims{})
+}
+
+func NewApplication(p api.ProxyOutpostConfig, c *http.Client, server Server, oldApp *Application) (*Application, error) {
 	muxLogger := log.WithField("logger", "authentik.outpost.proxyv2.application").WithField("name", p.Name)
 
 	externalHost, err := url.Parse(p.ExternalHost)
@@ -137,7 +140,15 @@ func NewApplication(p api.ProxyOutpostConfig, c *http.Client, server Server) (*A
 		isEmbedded:           isEmbedded,
 	}
 	go a.authHeaderCache.Start()
-	a.sessions = a.getStore(p, externalHost)
+	if oldApp != nil && oldApp.sessions != nil {
+		a.sessions = oldApp.sessions
+	} else {
+		sess, err := a.getStore(p, externalHost)
+		if err != nil {
+			return nil, err
+		}
+		a.sessions = sess
+	}
 	mux.Use(web.NewLoggingHandler(muxLogger, func(l *log.Entry, r *http.Request) *log.Entry {
 		c := a.getClaimsFromSession(r)
 		if c == nil {
@@ -235,9 +246,8 @@ func NewApplication(p api.ProxyOutpostConfig, c *http.Client, server Server) (*A
 				// TODO: maybe create event for this?
 				a.log.WithError(err).Warning("failed to compile SkipPathRegex")
 				continue
-			} else {
-				a.UnauthenticatedRegex = append(a.UnauthenticatedRegex, re)
 			}
+			a.UnauthenticatedRegex = append(a.UnauthenticatedRegex, re)
 		}
 	}
 	return a, nil

internal/outpost/proxyv2/application/session.go

@@ -26,7 +26,7 @@ import (
 
 const RedisKeyPrefix = "authentik_proxy_session_"
 
-func (a *Application) getStore(p api.ProxyOutpostConfig, externalHost *url.URL) sessions.Store {
+func (a *Application) getStore(p api.ProxyOutpostConfig, externalHost *url.URL) (sessions.Store, error) {
 	maxAge := 0
 	if p.AccessTokenValidity.IsSet() {
 		t := p.AccessTokenValidity.Get()
@@ -73,7 +73,7 @@ func (a *Application) getStore(p api.ProxyOutpostConfig, externalHost *url.URL)
 		// New default RedisStore
 		rs, err := redisstore.NewRedisStore(context.Background(), client)
 		if err != nil {
-			a.log.WithError(err).Panic("failed to connect to redis")
+			return nil, err
 		}
 
 		rs.KeyPrefix(RedisKeyPrefix)
@@ -87,7 +87,7 @@ func (a *Application) getStore(p api.ProxyOutpostConfig, externalHost *url.URL)
 		})
 
 		a.log.Trace("using redis session backend")
-		return rs
+		return rs, nil
 	}
 	dir := os.TempDir()
 	cs := sessions.NewFilesystemStore(dir)
@@ -106,7 +106,7 @@ func (a *Application) getStore(p api.ProxyOutpostConfig, externalHost *url.URL)
 	cs.Options.MaxAge = maxAge
 	cs.Options.Path = "/"
 	a.log.WithField("dir", dir).Trace("using filesystem session backend")
-	return cs
+	return cs, nil
 }
 
 func (a *Application) SessionName() string {

internal/outpost/proxyv2/application/test.go

@@ -66,6 +66,7 @@ func newTestApplication() *Application {
 		},
 		http.DefaultClient,
 		ts,
+		nil,
 	)
 	ts.apps = append(ts.apps, a)
 	return a

internal/outpost/proxyv2/refresh.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 	"net/http"
+	"net/url"
 
 	"github.com/getsentry/sentry-go"
 	"goauthentik.io/internal/constants"
@@ -37,16 +38,21 @@ func (ps *ProxyServer) Refresh() error {
 				),
 			),
 		}
-		a, err := application.NewApplication(provider, hc, ps)
-		existing, ok := ps.apps[a.Host]
+		externalHost, err := url.Parse(provider.ExternalHost)
+		if err != nil {
+			ps.log.WithError(err).Warning("failed to parse URL, skipping provider")
+			continue
+		}
+		existing, ok := ps.apps[externalHost.Host]
+		a, err := application.NewApplication(provider, hc, ps, existing)
 		if ok {
 			existing.Stop()
 		}
 		if err != nil {
 			ps.log.WithError(err).Warning("failed to setup application")
-		} else {
-			apps[a.Host] = a
+			continue
 		}
+		apps[externalHost.Host] = a
 	}
 	ps.apps = apps
 	ps.log.Debug("Swapped maps")

locale/en/LC_MESSAGES/django.po

@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2024-08-18 00:08+0000\n"
+"POT-Creation-Date: 2024-10-12 00:08+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -18,6 +18,11 @@ msgstr ""
 "Content-Transfer-Encoding: 8bit\n"
 "Plural-Forms: nplurals=2; plural=(n != 1);\n"
 
+#: authentik/admin/tasks.py
+#, python-brace-format
+msgid "New version {version} available!"
+msgstr ""
+
 #: authentik/api/schema.py
 msgid "Generic API Error"
 msgstr ""
@@ -31,8 +36,7 @@ msgid "Blueprint file does not exist"
 msgstr ""
 
 #: authentik/blueprints/api.py
-#, python-brace-format
-msgid "Failed to validate blueprint: {logs}"
+msgid "Failed to validate blueprint"
 msgstr ""
 
 #: authentik/blueprints/api.py
@@ -1844,6 +1848,10 @@ msgstr ""
 msgid "Used recovery-link to authenticate."
 msgstr ""
 
+#: authentik/sources/ldap/api.py
+msgid "Only a single LDAP Source with password synchronization is allowed"
+msgstr ""
+
 #: authentik/sources/ldap/models.py
 msgid "Server URI"
 msgstr ""

locale/fr/LC_MESSAGES/django.po

@@ -19,7 +19,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2024-08-12 13:45+0000\n"
+"POT-Creation-Date: 2024-10-12 00:08+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
 "Last-Translator: Marc Schmitt, 2024\n"
 "Language-Team: French (https://app.transifex.com/authentik/teams/119923/fr/)\n"
@@ -29,6 +29,11 @@ msgstr ""
 "Language: fr\n"
 "Plural-Forms: nplurals=3; plural=(n == 0 || n == 1) ? 0 : n != 0 && n % 1000000 == 0 ? 1 : 2;\n"
 
+#: authentik/admin/tasks.py
+#, python-brace-format
+msgid "New version {version} available!"
+msgstr "Une nouvelle version {version} est disponible !"
+
 #: authentik/api/schema.py
 msgid "Generic API Error"
 msgstr "Erreur d'API Générique"
@@ -42,9 +47,8 @@ msgid "Blueprint file does not exist"
 msgstr "Le fichier de plan n'existe pas"
 
 #: authentik/blueprints/api.py
-#, python-brace-format
-msgid "Failed to validate blueprint: {logs}"
-msgstr "Échec de validation du plan : {logs}"
+msgid "Failed to validate blueprint"
+msgstr "Échec de validation du plan"
 
 #: authentik/blueprints/api.py
 msgid "Either path or content must be set."
@@ -1342,14 +1346,6 @@ msgstr "Impossible de résoudre l'application"
 msgid "DN under which objects are accessible."
 msgstr "DN sous lequel les objets sont accessibles."
 
-#: authentik/providers/ldap/models.py
-msgid ""
-"Users in this group can do search queries. If not set, every user can "
-"execute search queries."
-msgstr ""
-"Les utilisateurs dans ce groupe peuvent faire des requêtes de recherche. Si "
-"laissé vide, tous les utilisateurs peuvent faire des requêtes de recherche."
-
 #: authentik/providers/ldap/models.py
 msgid ""
 "The start for uidNumbers, this number is added to the user.pk to make sure "
@@ -1396,6 +1392,10 @@ msgstr "Fournisseur LDAP"
 msgid "LDAP Providers"
 msgstr "Fournisseurs LDAP"
 
+#: authentik/providers/ldap/models.py
+msgid "Search full LDAP directory"
+msgstr "Rechercher dans l'annuaire LDAP complet"
+
 #: authentik/providers/oauth2/id_token.py
 msgid "Based on the Hashed User ID"
 msgstr "Basé sur le hash de l'ID utilisateur"
@@ -1796,6 +1796,14 @@ msgstr "Mappage de propriété fournisseur Radius"
 msgid "Radius Provider Property Mappings"
 msgstr "Mappages de propriété fournisseur Radius"
 
+#: authentik/providers/saml/api/providers.py
+msgid ""
+"With a signing keypair selected, at least one of 'Sign assertion' and 'Sign "
+"Response' must be selected."
+msgstr ""
+"Quand une clé de signature est sélectionnée, au moins l'un de « Signer les "
+"assertions » et « Signer les réponses » doit être sélectionné."
+
 #: authentik/providers/saml/api/providers.py
 msgid "Invalid XML Syntax"
 msgstr "Syntaxe XML Invalide"
@@ -1944,6 +1952,20 @@ msgstr ""
 msgid "Signing Keypair"
 msgstr "Paire de clés de Signature"
 
+#: authentik/providers/saml/models.py authentik/sources/saml/models.py
+msgid ""
+"When selected, incoming assertions are encrypted by the IdP using the public"
+" key of the encryption keypair. The assertion is decrypted by the SP using "
+"the the private key."
+msgstr ""
+"Si activé, les assertions entrantes seront chiffrées par l'IdP avec la clé "
+"publique de la paire de clé de chiffrement. L'assertion est déchiffrée par "
+"le SP en utilisant la clé privée."
+
+#: authentik/providers/saml/models.py authentik/sources/saml/models.py
+msgid "Encryption Keypair"
+msgstr "Paire de clés de chiffrement"
+
 #: authentik/providers/saml/models.py
 msgid "Default relay_state value for IDP-initiated logins"
 msgstr "Valeur par défaut de relay_state des connexions initiées par l'IdP"
@@ -2041,6 +2063,11 @@ msgstr ""
 msgid "Used recovery-link to authenticate."
 msgstr "Utiliser un lien de récupération pour se connecter."
 
+#: authentik/sources/ldap/api.py
+msgid "Only a single LDAP Source with password synchronization is allowed"
+msgstr ""
+"Une seule source LDAP avec synchronisation de mot de passe est autorisée"
+
 #: authentik/sources/ldap/models.py
 msgid "Server URI"
 msgstr "URI du serveur"
@@ -2466,20 +2493,6 @@ msgstr ""
 "Paire de clés utilisées pour signer les réponses sortantes allant vers le "
 "fournisseur d'identité."
 
-#: authentik/sources/saml/models.py
-msgid ""
-"When selected, incoming assertions are encrypted by the IdP using the public"
-" key of the encryption keypair. The assertion is decrypted by the SP using "
-"the the private key."
-msgstr ""
-"Si activé, les assertions entrantes seront chiffrées par l'IdP avec la clé "
-"publique de la paire de clé de chiffrement. L'assertion est déchiffrée par "
-"le SP en utilisant la clé privée."
-
-#: authentik/sources/saml/models.py
-msgid "Encryption Keypair"
-msgstr "Paire de clés de chiffrement"
-
 #: authentik/sources/saml/models.py
 msgid "SAML Source"
 msgstr "Source SAML"

locale/ru/LC_MESSAGES/django.po

@@ -16,7 +16,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2024-08-15 00:09+0000\n"
+"POT-Creation-Date: 2024-08-18 00:08+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
 "Last-Translator: Anton Babenko, 2024\n"
 "Language-Team: Russian (https://app.transifex.com/authentik/teams/119923/ru/)\n"
@@ -739,7 +739,7 @@ msgstr "Правило Уведомления"
 
 #: authentik/events/models.py
 msgid "Notification Rules"
-msgstr "Правило Уведомлений"
+msgstr "Правила уведомлений"
 
 #: authentik/events/models.py
 msgid "Webhook Mapping"
@@ -1771,6 +1771,14 @@ msgstr "Сопоставление свойства Radius провайдера"
 msgid "Radius Provider Property Mappings"
 msgstr "Сопоставление свойств Radius провайдера"
 
+#: authentik/providers/saml/api/providers.py
+msgid ""
+"With a signing keypair selected, at least one of 'Sign assertion' and 'Sign "
+"Response' must be selected."
+msgstr ""
+"При выборе пары ключей для подписи необходимо выбрать как минимум один из "
+"вариантов: 'Подписывать утверждение' или 'Подписывать ответ'."
+
 #: authentik/providers/saml/api/providers.py
 msgid "Invalid XML Syntax"
 msgstr "Некорректный синтаксис XML"
@@ -1918,6 +1926,21 @@ msgstr ""
 msgid "Signing Keypair"
 msgstr "Пара ключей для подписи"
 
+#: authentik/providers/saml/models.py authentik/sources/saml/models.py
+msgid ""
+"When selected, incoming assertions are encrypted by the IdP using the public"
+" key of the encryption keypair. The assertion is decrypted by the SP using "
+"the the private key."
+msgstr ""
+"При выборе этого варианта, входящие утверждения шифруются поставщиком "
+"идентификации (IdP) с использованием открытого ключа из пары ключей "
+"шифрования. Утверждение расшифровывается поставщиком услуг (SP) с "
+"использованием закрытого ключа."
+
+#: authentik/providers/saml/models.py authentik/sources/saml/models.py
+msgid "Encryption Keypair"
+msgstr "Пара ключей шифрования"
+
 #: authentik/providers/saml/models.py
 msgid "Default relay_state value for IDP-initiated logins"
 msgstr "Значение relay_state по умолчанию для логинов, инициированных IDP"
@@ -2446,21 +2469,6 @@ msgstr ""
 "Пара ключей, используемая для подписи исходящих ответов, направляемых "
 "провайдеру идентификационных данных."
 
-#: authentik/sources/saml/models.py
-msgid ""
-"When selected, incoming assertions are encrypted by the IdP using the public"
-" key of the encryption keypair. The assertion is decrypted by the SP using "
-"the the private key."
-msgstr ""
-"При выборе этого варианта, входящие утверждения шифруются поставщиком "
-"идентификации (IdP) с использованием открытого ключа из пары ключей "
-"шифрования. Утверждение расшифровывается поставщиком услуг (SP) с "
-"использованием закрытого ключа."
-
-#: authentik/sources/saml/models.py
-msgid "Encryption Keypair"
-msgstr "Пара ключей шифрования"
-
 #: authentik/sources/saml/models.py
 msgid "SAML Source"
 msgstr "Источник SAML"

locale/zh-Hans/LC_MESSAGES/django.po

@@ -15,7 +15,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2024-08-18 00:08+0000\n"
+"POT-Creation-Date: 2024-10-12 00:08+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
 "Last-Translator: deluxghost, 2024\n"
 "Language-Team: Chinese Simplified (https://app.transifex.com/authentik/teams/119923/zh-Hans/)\n"
@@ -25,6 +25,11 @@ msgstr ""
 "Language: zh-Hans\n"
 "Plural-Forms: nplurals=1; plural=0;\n"
 
+#: authentik/admin/tasks.py
+#, python-brace-format
+msgid "New version {version} available!"
+msgstr "新版本 {version} 可用！"
+
 #: authentik/api/schema.py
 msgid "Generic API Error"
 msgstr "通用 API 错误"
@@ -38,9 +43,8 @@ msgid "Blueprint file does not exist"
 msgstr "蓝图文件不存在"
 
 #: authentik/blueprints/api.py
-#, python-brace-format
-msgid "Failed to validate blueprint: {logs}"
-msgstr "验证蓝图失败：{logs}"
+msgid "Failed to validate blueprint"
+msgstr "验证蓝图失败"
 
 #: authentik/blueprints/api.py
 msgid "Either path or content must be set."
@@ -1877,6 +1881,10 @@ msgstr "创建一个密钥，可用于恢复对 authentik 的访问权限。"
 msgid "Used recovery-link to authenticate."
 msgstr "已使用恢复链接进行身份验证。"
 
+#: authentik/sources/ldap/api.py
+msgid "Only a single LDAP Source with password synchronization is allowed"
+msgstr "仅允许使用密码同步的单个 LDAP 源"
+
 #: authentik/sources/ldap/models.py
 msgid "Server URI"
 msgstr "服务器 URI"

locale/zh_CN/LC_MESSAGES/django.po

@@ -14,7 +14,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2024-08-18 00:08+0000\n"
+"POT-Creation-Date: 2024-10-12 00:08+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
 "Last-Translator: deluxghost, 2024\n"
 "Language-Team: Chinese (China) (https://app.transifex.com/authentik/teams/119923/zh_CN/)\n"
@@ -24,6 +24,11 @@ msgstr ""
 "Language: zh_CN\n"
 "Plural-Forms: nplurals=1; plural=0;\n"
 
+#: authentik/admin/tasks.py
+#, python-brace-format
+msgid "New version {version} available!"
+msgstr "新版本 {version} 可用！"
+
 #: authentik/api/schema.py
 msgid "Generic API Error"
 msgstr "通用 API 错误"
@@ -37,9 +42,8 @@ msgid "Blueprint file does not exist"
 msgstr "蓝图文件不存在"
 
 #: authentik/blueprints/api.py
-#, python-brace-format
-msgid "Failed to validate blueprint: {logs}"
-msgstr "验证蓝图失败：{logs}"
+msgid "Failed to validate blueprint"
+msgstr "验证蓝图失败"
 
 #: authentik/blueprints/api.py
 msgid "Either path or content must be set."
@@ -1876,6 +1880,10 @@ msgstr "创建一个密钥，可用于恢复对 authentik 的访问权限。"
 msgid "Used recovery-link to authenticate."
 msgstr "已使用恢复链接进行身份验证。"
 
+#: authentik/sources/ldap/api.py
+msgid "Only a single LDAP Source with password synchronization is allowed"
+msgstr "仅允许使用密码同步的单个 LDAP 源"
+
 #: authentik/sources/ldap/models.py
 msgid "Server URI"
 msgstr "服务器 URI"