wip

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

.bumpversion.cfg

@@ -1,16 +1,16 @@
 [bumpversion]
-current_version = 2024.12.3
+current_version = 2025.2.1
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?:-(?P<rc_t>[a-zA-Z-]+)(?P<rc_n>[1-9]\\d*))?
-serialize =
+serialize = 
 	{major}.{minor}.{patch}-{rc_t}{rc_n}
 	{major}.{minor}.{patch}
 message = release: {new_version}
 tag_name = version/{new_version}
 
 [bumpversion:part:rc_t]
-values =
+values = 
 	rc
 	final
 optional_value = final

.github/ISSUE_TEMPLATE/bug_report.md

@@ -28,7 +28,11 @@ Output of docker-compose logs or kubectl logs respectively
 
 **Version and Deployment (please complete the following information):**
 
--   authentik version: [e.g. 2021.8.5]
+<!--
+Notice: authentik supports installation via Docker, Kubernetes, and AWS CloudFormation only. Support is not available for other methods. For detailed installation and configuration instructions, please refer to the official documentation at https://docs.goauthentik.io/docs/install-config/.
+-->
+
+-   authentik version: [e.g. 2025.2.0]
 -   Deployment: [e.g. docker-compose, helm]
 
 **Additional context**

.github/ISSUE_TEMPLATE/question.md

@@ -20,7 +20,12 @@ Output of docker-compose logs or kubectl logs respectively
 
 **Version and Deployment (please complete the following information):**
 
--   authentik version: [e.g. 2021.8.5]
+<!--
+Notice: authentik supports installation via Docker, Kubernetes, and AWS CloudFormation only. Support is not available for other methods. For detailed installation and configuration instructions, please refer to the official documentation at https://docs.goauthentik.io/docs/install-config/.
+-->
+
+
+-   authentik version: [e.g. 2025.2.0]
 -   Deployment: [e.g. docker-compose, helm]
 
 **Additional context**

.github/actions/setup/action.yml

@@ -30,12 +30,16 @@ runs:
       uses: actions/setup-go@v5
       with:
         go-version-file: "go.mod"
+    - name: Setup docker cache
+      uses: ScribeMD/docker-cache@0.5.0
+      with:
+        key: docker-images-${{ runner.os }}-${{ hashFiles('.github/actions/setup/docker-compose.yml', 'Makefile') }}-${{ inputs.postgresql_version }}
     - name: Setup dependencies
       shell: bash
       run: |
         export PSQL_TAG=${{ inputs.postgresql_version }}
         docker compose -f .github/actions/setup/docker-compose.yml up -d
-        poetry install --sync
+        poetry sync
         cd web && npm ci
     - name: Generate config
       shell: poetry run python {0}

.github/actions/setup/docker-compose.yml

@@ -11,7 +11,7 @@ services:
       - 5432:5432
     restart: always
   redis:
-    image: docker.io/library/redis
+    image: docker.io/library/redis:7
     ports:
       - 6379:6379
     restart: always

.github/codespell-words.txt

@@ -1,7 +1,32 @@
+akadmin
+asgi
+assertIn
+authentik
+authn
+crate
+docstrings
+entra
+goauthentik
+gunicorn
+hass
+jwe
+jwks
 keypair
 keypairs
-hass
-warmup
+kubernetes
+oidc
 ontext
+openid
+passwordless
+plex
+saml
+scim
 singed
-assertIn
+slo
+sso
+totp
+traefik
+# https://github.com/codespell-project/codespell/issues/1224
+upToDate
+warmup
+webauthn

.github/dependabot.yml

@@ -82,6 +82,12 @@ updates:
       docusaurus:
         patterns:
           - "@docusaurus/*"
+      build:
+        patterns:
+          - "@swc/*"
+          - "swc-*"
+          - "lightningcss*"
+          - "@rspack/binding*"
   - package-ecosystem: npm
     directory: "/lifecycle/aws"
     schedule:

.github/workflows/_reusable-docker-build-single.yaml

@@ -40,7 +40,7 @@ jobs:
       attestations: write
     steps:
       - uses: actions/checkout@v4
-      - uses: docker/setup-qemu-action@v3.4.0
+      - uses: docker/setup-qemu-action@v3.6.0
       - uses: docker/setup-buildx-action@v3
       - name: prepare variables
         uses: ./.github/actions/docker-push-variables

.github/workflows/ci-main-daily.yml

@@ -15,8 +15,8 @@ jobs:
       matrix:
         version:
           - docs
+          - version-2025-2
           - version-2024-12
-          - version-2024-10
     steps:
       - uses: actions/checkout@v4
       - run: |

.github/workflows/ci-outpost.yml

@@ -82,7 +82,7 @@ jobs:
         with:
           ref: ${{ github.event.pull_request.head.sha }}
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.4.0
+        uses: docker/setup-qemu-action@v3.6.0
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
       - name: prepare variables

.github/workflows/release-publish.yml

@@ -42,7 +42,7 @@ jobs:
         with:
           go-version-file: "go.mod"
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.4.0
+        uses: docker/setup-qemu-action@v3.6.0
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
       - name: prepare variables
@@ -186,7 +186,7 @@ jobs:
           container=$(docker container create ${{ steps.ev.outputs.imageMainName }})
           docker cp ${container}:web/ .
       - name: Create a Sentry.io release
-        uses: getsentry/action-release@v1
+        uses: getsentry/action-release@v3
         continue-on-error: true
         env:
           SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}

.github/workflows/translation-extract-compile.yml

@@ -1,9 +1,13 @@
 ---
-name: authentik-backend-translate-extract-compile
+name: authentik-translate-extract-compile
 on:
   schedule:
     - cron: "0 0 * * *" # every day at midnight
   workflow_dispatch:
+  pull_request:
+    branches:
+      - main
+      - version-*
 
 env:
   POSTGRES_DB: authentik
@@ -15,15 +19,21 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - id: generate_token
+        if: ${{ github.event_name != 'pull_request' }}
         uses: tibdex/github-app-token@v2
         with:
           app_id: ${{ secrets.GH_APP_ID }}
           private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
       - uses: actions/checkout@v4
+        if: ${{ github.event_name != 'pull_request' }}
         with:
           token: ${{ steps.generate_token.outputs.token }}
+      - uses: actions/checkout@v4
+        if: ${{ github.event_name == 'pull_request' }}
       - name: Setup authentik env
         uses: ./.github/actions/setup
+      - name: Generate API
+        run: make gen-client-ts
       - name: run extract
         run: |
           poetry run make i18n-extract
@@ -32,6 +42,7 @@ jobs:
           poetry run ak compilemessages
           make web-check-compile
       - name: Create Pull Request
+        if: ${{ github.event_name != 'pull_request' }}
         uses: peter-evans/create-pull-request@v7
         with:
           token: ${{ steps.generate_token.outputs.token }}

.vscode/settings.json

@@ -1,26 +1,4 @@
 {
-    "cSpell.words": [
-        "akadmin",
-        "asgi",
-        "authentik",
-        "authn",
-        "entra",
-        "goauthentik",
-        "jwe",
-        "jwks",
-        "kubernetes",
-        "oidc",
-        "openid",
-        "passwordless",
-        "plex",
-        "saml",
-        "scim",
-        "slo",
-        "sso",
-        "totp",
-        "traefik",
-        "webauthn"
-    ],
     "todo-tree.tree.showCountsInTree": true,
     "todo-tree.tree.showBadges": true,
     "yaml.customTags": [

Makefile

@@ -4,34 +4,17 @@
 PWD = $(shell pwd)
 UID = $(shell id -u)
 GID = $(shell id -g)
-NPM_VERSION = $(shell python -m scripts.npm_version)
+NPM_VERSION = $(shell poetry run python -m scripts.generate_semver)
 PY_SOURCES = authentik tests scripts lifecycle .github
-GO_SOURCES = cmd internal
-WEB_SOURCES = web/src web/packages
 DOCKER_IMAGE ?= "authentik:test"
 
 GEN_API_TS = "gen-ts-api"
 GEN_API_PY = "gen-py-api"
 GEN_API_GO = "gen-go-api"
 
-pg_user := $(shell python -m authentik.lib.config postgresql.user 2>/dev/null)
-pg_host := $(shell python -m authentik.lib.config postgresql.host 2>/dev/null)
-pg_name := $(shell python -m authentik.lib.config postgresql.name 2>/dev/null)
-
-CODESPELL_ARGS = -D - -D .github/codespell-dictionary.txt \
-		-I .github/codespell-words.txt \
-		-S 'web/src/locales/**' \
-		-S 'website/docs/developer-docs/api/reference/**' \
-		-S '**/node_modules/**' \
-		-S '**/dist/**' \
-		$(PY_SOURCES) \
-		$(GO_SOURCES) \
-		$(WEB_SOURCES) \
-		website/src \
-		website/blog \
-		website/docs \
-		website/integrations \
-		website/src
+pg_user := $(shell poetry run python -m authentik.lib.config postgresql.user 2>/dev/null)
+pg_host := $(shell poetry run python -m authentik.lib.config postgresql.host 2>/dev/null)
+pg_name := $(shell poetry run python -m authentik.lib.config postgresql.name 2>/dev/null)
 
 all: lint-fix lint test gen web  ## Lint, build, and test everything
 
@@ -49,26 +32,26 @@ go-test:
 	go test -timeout 0 -v -race -cover ./...
 
 test: ## Run the server tests and produce a coverage report (locally)
-	coverage run manage.py test --keepdb authentik
-	coverage html
-	coverage report
+	poetry run coverage run manage.py test --keepdb authentik
+	poetry run coverage html
+	poetry run coverage report
 
 lint-fix: lint-codespell  ## Lint and automatically fix errors in the python source code. Reports spelling errors.
-	black $(PY_SOURCES)
-	ruff check --fix $(PY_SOURCES)
+	poetry run black $(PY_SOURCES)
+	poetry run ruff check --fix $(PY_SOURCES)
 
 lint-codespell:  ## Reports spelling errors.
-	codespell -w $(CODESPELL_ARGS)
+	poetry run codespell -w
 
 lint: ## Lint the python and golang sources
-	bandit -r $(PY_SOURCES) -x web/node_modules -x tests/wdio/node_modules -x website/node_modules
+	poetry run bandit -c pyproject.toml -r $(PY_SOURCES)
 	golangci-lint run -v
 
 core-install:
 	poetry install
 
 migrate: ## Run the Authentik Django server's migrations
-	python -m lifecycle.migrate
+	poetry run python -m lifecycle.migrate
 
 i18n-extract: core-i18n-extract web-i18n-extract  ## Extract strings that require translation into files to send to a translation service
 
@@ -76,7 +59,7 @@ aws-cfn:
 	cd lifecycle/aws && npm run aws-cfn
 
 core-i18n-extract:
-	ak makemessages \
+	poetry run ak makemessages \
 		--add-location file \
 		--no-obsolete \
 		--ignore web \
@@ -107,11 +90,11 @@ gen-build:  ## Extract the schema from the database
 	AUTHENTIK_DEBUG=true \
 		AUTHENTIK_TENANTS__ENABLED=true \
 		AUTHENTIK_OUTPOSTS__DISABLE_EMBEDDED_OUTPOST=true \
-		ak make_blueprint_schema > blueprints/schema.json
+		poetry run ak make_blueprint_schema > blueprints/schema.json
 	AUTHENTIK_DEBUG=true \
 		AUTHENTIK_TENANTS__ENABLED=true \
 		AUTHENTIK_OUTPOSTS__DISABLE_EMBEDDED_OUTPOST=true \
-		ak spectacular --file schema.yml
+		poetry run ak spectacular --file schema.yml
 
 gen-changelog:  ## (Release) generate the changelog based from the commits since the last tag
 	git log --pretty=format:" - %s" $(shell git describe --tags $(shell git rev-list --tags --max-count=1))...$(shell git branch --show-current) | sort > changelog.md
@@ -190,7 +173,7 @@ gen-client-go: gen-clean-go  ## Build and install the authentik API for Golang
 	rm -rf ./${GEN_API_GO}/config.yaml ./${GEN_API_GO}/templates/
 
 gen-dev-config:  ## Generate a local development config file
-	python -m scripts.generate_config
+	poetry run scripts/generate_config.py
 
 gen: gen-build gen-client-ts
 
@@ -271,21 +254,21 @@ ci--meta-debug:
 	node --version
 
 ci-black: ci--meta-debug
-	black --check $(PY_SOURCES)
+	poetry run black --check $(PY_SOURCES)
 
 ci-ruff: ci--meta-debug
-	ruff check $(PY_SOURCES)
+	poetry run ruff check $(PY_SOURCES)
 
 ci-codespell: ci--meta-debug
-	codespell $(CODESPELL_ARGS) -s
+	poetry run codespell -s
 
 ci-bandit: ci--meta-debug
-	bandit -r $(PY_SOURCES)
+	poetry run bandit -r $(PY_SOURCES)
 
 ci-pending-migrations: ci--meta-debug
-	ak makemigrations --check
+	poetry run ak makemigrations --check
 
 ci-test: ci--meta-debug
-	coverage run manage.py test --keepdb --randomly-seed ${CI_TEST_SEED} authentik
-	coverage report
-	coverage xml
+	poetry run coverage run manage.py test --keepdb --randomly-seed ${CI_TEST_SEED} authentik
+	poetry run coverage report
+	poetry run coverage xml

SECURITY.md

@@ -2,7 +2,7 @@ authentik takes security very seriously. We follow the rules of [responsible di
 
 ## Independent audits and pentests
 
-We are committed to engaging in regular pentesting and security audits of authentik. Defining and adhering to a cadence of external testing ensures a stronger probability that our code base, our features, and our architecture is as secure and non-exploitable as possible. For more details about specfic audits and pentests, refer to "Audits and Certificates" in our [Security documentation](https://docs.goauthentik.io/docs/security).
+We are committed to engaging in regular pentesting and security audits of authentik. Defining and adhering to a cadence of external testing ensures a stronger probability that our code base, our features, and our architecture is as secure and non-exploitable as possible. For more details about specific audits and pentests, refer to "Audits and Certificates" in our [Security documentation](https://docs.goauthentik.io/docs/security).
 
 ## What authentik classifies as a CVE
 
@@ -20,8 +20,8 @@ Even if the issue is not a CVE, we still greatly appreciate your help in hardeni
 
 | Version   | Supported |
 | --------- | --------- |
-| 2024.10.x | ✅        |
 | 2024.12.x | ✅        |
+| 2025.2.x  | ✅        |
 
 ## Reporting a Vulnerability
 

authentik/__init__.py

@@ -2,7 +2,7 @@
 
 from os import environ
 
-__version__ = "2024.12.3"
+__version__ = "2025.2.1"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
 
 

authentik/blueprints/v1/importer.py

@@ -50,7 +50,6 @@ from authentik.enterprise.providers.microsoft_entra.models import (
     MicrosoftEntraProviderGroup,
     MicrosoftEntraProviderUser,
 )
-from authentik.enterprise.providers.rac.models import ConnectionToken
 from authentik.enterprise.providers.ssf.models import StreamEvent
 from authentik.enterprise.stages.authenticator_endpoint_gdtc.models import (
     EndpointDevice,
@@ -72,6 +71,7 @@ from authentik.providers.oauth2.models import (
     DeviceToken,
     RefreshToken,
 )
+from authentik.providers.rac.models import ConnectionToken
 from authentik.providers.scim.models import SCIMProviderGroup, SCIMProviderUser
 from authentik.rbac.models import Role
 from authentik.sources.scim.models import SCIMSourceGroup, SCIMSourceUser

authentik/core/sources/flow_manager.py

@@ -35,8 +35,7 @@ from authentik.flows.planner import (
     FlowPlanner,
 )
 from authentik.flows.stage import StageView
-from authentik.flows.views.executor import NEXT_ARG_NAME, SESSION_KEY_GET, SESSION_KEY_PLAN
-from authentik.lib.utils.urls import redirect_with_qs
+from authentik.flows.views.executor import NEXT_ARG_NAME, SESSION_KEY_GET
 from authentik.lib.views import bad_request_message
 from authentik.policies.denied import AccessDeniedResponse
 from authentik.policies.utils import delete_none_values
@@ -47,8 +46,9 @@ from authentik.stages.user_write.stage import PLAN_CONTEXT_USER_PATH
 
 LOGGER = get_logger()
 
-SESSION_KEY_OVERRIDE_FLOW_TOKEN = "authentik/flows/source_override_flow_token"  # nosec
 PLAN_CONTEXT_SOURCE_GROUPS = "source_groups"
+SESSION_KEY_SOURCE_FLOW_STAGES = "authentik/flows/source_flow_stages"
+SESSION_KEY_OVERRIDE_FLOW_TOKEN = "authentik/flows/source_override_flow_token"  # nosec
 
 
 class MessageStage(StageView):
@@ -219,28 +219,28 @@ class SourceFlowManager:
             }
         )
         flow_context.update(self.policy_context)
-        if SESSION_KEY_OVERRIDE_FLOW_TOKEN in self.request.session:
-            token: FlowToken = self.request.session.get(SESSION_KEY_OVERRIDE_FLOW_TOKEN)
-            self._logger.info("Replacing source flow with overridden flow", flow=token.flow.slug)
-            plan = token.plan
-            plan.context[PLAN_CONTEXT_IS_RESTORED] = token
-            plan.context.update(flow_context)
-            for stage in self.get_stages_to_append(flow):
-                plan.append_stage(stage)
-            if stages:
-                for stage in stages:
-                    plan.append_stage(stage)
-            self.request.session[SESSION_KEY_PLAN] = plan
-            flow_slug = token.flow.slug
-            token.delete()
-            return redirect_with_qs(
-                "authentik_core:if-flow",
-                self.request.GET,
-                flow_slug=flow_slug,
-            )
         flow_context.setdefault(PLAN_CONTEXT_REDIRECT, final_redirect)
 
         if not flow:
+            # We only check for the flow token here if we don't have a flow, otherwise we rely on
+            # SESSION_KEY_SOURCE_FLOW_STAGES to delegate the usage of this token and dynamically add
+            # stages that deal with this token to return to another flow
+            if SESSION_KEY_OVERRIDE_FLOW_TOKEN in self.request.session:
+                token: FlowToken = self.request.session.get(SESSION_KEY_OVERRIDE_FLOW_TOKEN)
+                self._logger.info(
+                    "Replacing source flow with overridden flow", flow=token.flow.slug
+                )
+                plan = token.plan
+                plan.context[PLAN_CONTEXT_IS_RESTORED] = token
+                plan.context.update(flow_context)
+                for stage in self.get_stages_to_append(flow):
+                    plan.append_stage(stage)
+                if stages:
+                    for stage in stages:
+                        plan.append_stage(stage)
+                redirect = plan.to_redirect(self.request, token.flow)
+                token.delete()
+                return redirect
             return bad_request_message(
                 self.request,
                 _("Configured flow does not exist."),
@@ -259,6 +259,8 @@ class SourceFlowManager:
         if stages:
             for stage in stages:
                 plan.append_stage(stage)
+        for stage in self.request.session.get(SESSION_KEY_SOURCE_FLOW_STAGES, []):
+            plan.append_stage(stage)
         return plan.to_redirect(self.request, flow)
 
     def handle_auth(
@@ -295,6 +297,8 @@ class SourceFlowManager:
         # When request isn't authenticated we jump straight to auth
         if not self.request.user.is_authenticated:
             return self.handle_auth(connection)
+        # When an override flow token exists we actually still use a flow for link
+        # to continue the existing flow we came from
         if SESSION_KEY_OVERRIDE_FLOW_TOKEN in self.request.session:
             return self._prepare_flow(None, connection)
         connection.save()

authentik/core/tasks.py

@@ -67,6 +67,8 @@ def clean_expired_models(self: SystemTask):
                 raise ImproperlyConfigured(
                     "Invalid session_storage setting, allowed values are db and cache"
                 )
+    if CONFIG.get("session_storage", "cache") == "db":
+        DBSessionStore.clear_expired()
     LOGGER.debug("Expired sessions", model=AuthenticatedSession, amount=amount)
 
     messages.append(f"Expired {amount} {AuthenticatedSession._meta.verbose_name_plural}")

authentik/core/templates/base/header_js.html

@@ -11,6 +11,7 @@
         build: "{{ build }}",
         api: {
             base: "{{ base_url }}",
+            relBase: "{{ base_url_rel }}",
         },
     };
     window.addEventListener("DOMContentLoaded", function () {

authentik/core/templates/base/skeleton.html

@@ -8,6 +8,8 @@
     <head>
         <meta charset="UTF-8">
         <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
+        {# Darkreader breaks the site regardless of theme as its not compatible with webcomponents, and we default to a dark theme based on preferred colour-scheme #}
+        <meta name="darkreader-lock">
         <title>{% block title %}{% trans title|default:brand.branding_title %}{% endblock %}</title>
         <link rel="icon" href="{{ brand.branding_favicon_url }}">
         <link rel="shortcut icon" href="{{ brand.branding_favicon_url }}">

authentik/core/views/apps.py

@@ -55,7 +55,7 @@ class RedirectToAppLaunch(View):
             )
         except FlowNonApplicableException:
             raise Http404 from None
-        plan.insert_stage(in_memory_stage(RedirectToAppStage))
+        plan.append_stage(in_memory_stage(RedirectToAppStage))
         return plan.to_redirect(request, flow)
 
 

authentik/core/views/interface.py

@@ -53,6 +53,7 @@ class InterfaceView(TemplateView):
         kwargs["build"] = get_build_hash()
         kwargs["url_kwargs"] = self.kwargs
         kwargs["base_url"] = self.request.build_absolute_uri(CONFIG.get("web.path", "/"))
+        kwargs["base_url_rel"] = CONFIG.get("web.path", "/")
         return super().get_context_data(**kwargs)
 
 

authentik/enterprise/audit/apps.py

@@ -9,7 +9,7 @@ class AuthentikEnterpriseAuditConfig(EnterpriseConfig):
     """Enterprise app config"""
 
     name = "authentik.enterprise.audit"
-    label = "authentik_enterprise_audit"
+    label = "authentik_audit"
     verbose_name = "authentik Enterprise.Audit"
     default = True
 

authentik/enterprise/audit/models.py

@@ -0,0 +1,107 @@
+from django.contrib.contenttypes.models import ContentType
+from django.contrib.contenttypes.fields import GenericForeignKey
+from authentik.lib.models import SerializerModel
+from django.db import models
+from uuid import uuid4
+from authentik.core.models import Group, User
+
+
+# # Names
+# Lifecycle
+# Access reviews
+# Access lifecycle
+# Governance
+# Audit
+# Compliance
+
+# Lifecycle
+# Lifecycle review
+# Review
+# Access review
+# Compliance review
+# X Scheduled review
+
+
+# Only some objects supported?
+#
+# For disabling support:
+# Application
+# Provider
+# Outpost (simply setting the list of providers to empty in the outpost itself)
+# Flow
+# Users
+# Groups <- will get tricky
+# Roles
+# Sources
+# Tokens (api, app_pass)
+# Brands
+# Outpost integrations
+#
+# w/o disabling support
+# System Settings
+# everything else
+#   would need to show in an audit dashboard cause not all have pages to get details
+
+# "default" policy for objects, by default, everlasting
+
+
+class AuditPolicyFailAction(models.TextChoices):
+    # For preview
+    NOTHING = "nothing"
+    # Disable the thing failing, HOW
+    DISABLE = "disable"
+    # Emit events
+    WARN = "warn"
+
+
+class LifecycleRule(SerializerModel):
+    pass
+
+
+class ReviewRule(SerializerModel):
+    id = models.UUIDField(primary_key=True, editable=False, default=uuid4)
+
+    # Check every 6 months, allow for daily/weekly/first of month, etc.
+    interval = models.TextField()  # timedelta
+    # Preventive notification
+    reminder_interval = models.TextField()  # timedelta
+
+    # Must be checked by these
+    groups = models.ManyToManyField(Group)
+    users = models.ManyToManyField(User)
+
+    # How many of the above must approve
+    required_approvals = models.IntegerField(default=1)
+
+    # How long to wait before executing fail action
+    grace_period = models.TextField()  # timedelta
+
+    # What to do if not reviewed in time
+    fail_action = models.CharField(choices=AuditPolicyFailAction)
+
+
+class AuditPolicyBinding(SerializerModel):
+    id = models.UUIDField(primary_key=True, editable=False, default=uuid4)
+
+    # Many to many ? Bind users/groups here instead of on the policy ?
+    policy = models.ForeignKey(AuditPolicy, on_delete=models.PROTECT)
+
+    content_type = models.ForeignKey(ContentType, on_delete=models.CASCADE)
+    object_id = models.TextField(blank=True)  # optional to apply on all objects of specific type
+    content_object = GenericForeignKey("content_type", "object_id")
+
+    # valid -> waiting review -> valid
+    # valid -> waiting review -> review overdue -> valid
+    # valid -> waiting review -> review overdue -> failed -> valid
+    # look at django-fsm or django-viewflow
+    status = models.TextField()
+
+    class Meta:
+        indexes = (
+            models.Index(fields=["content_type"]),
+            models.Index(fields=["content_type", "object_id"]),
+        )
+
+
+class AuditHistory:
+    pass

authentik/enterprise/providers/google_workspace/api/providers.py

@@ -37,6 +37,7 @@ class GoogleWorkspaceProviderSerializer(EnterpriseRequiredMixin, ProviderSeriali
             "user_delete_action",
             "group_delete_action",
             "default_group_email_domain",
+            "dry_run",
         ]
         extra_kwargs = {}
 

authentik/enterprise/providers/google_workspace/clients/base.py

@@ -8,9 +8,10 @@ from httplib2 import HttpLib2Error, HttpLib2ErrorWithResponse
 
 from authentik.enterprise.providers.google_workspace.models import GoogleWorkspaceProvider
 from authentik.lib.sync.outgoing import HTTP_CONFLICT
-from authentik.lib.sync.outgoing.base import BaseOutgoingSyncClient
+from authentik.lib.sync.outgoing.base import SAFE_METHODS, BaseOutgoingSyncClient
 from authentik.lib.sync.outgoing.exceptions import (
     BadRequestSyncException,
+    DryRunRejected,
     NotFoundSyncException,
     ObjectExistsSyncException,
     StopSync,
@@ -43,6 +44,8 @@ class GoogleWorkspaceSyncClient[TModel: Model, TConnection: Model, TSchema: dict
             self.domains.append(domain_name)
 
     def _request(self, request: HttpRequest):
+        if self.provider.dry_run and request.method.upper() not in SAFE_METHODS:
+            raise DryRunRejected(request.uri, request.method, request.body)
         try:
             response = request.execute()
         except GoogleAuthError as exc:

authentik/enterprise/providers/google_workspace/migrations/0004_googleworkspaceprovider_dry_run.py

@@ -0,0 +1,24 @@
+# Generated by Django 5.0.12 on 2025-02-24 19:43
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        (
+            "authentik_providers_google_workspace",
+            "0003_googleworkspaceprovidergroup_attributes_and_more",
+        ),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="googleworkspaceprovider",
+            name="dry_run",
+            field=models.BooleanField(
+                default=False,
+                help_text="When enabled, provider will not modify or create objects in the remote system.",
+            ),
+        ),
+    ]

authentik/enterprise/providers/microsoft_entra/api/providers.py

@@ -36,6 +36,7 @@ class MicrosoftEntraProviderSerializer(EnterpriseRequiredMixin, ProviderSerializ
             "filter_group",
             "user_delete_action",
             "group_delete_action",
+            "dry_run",
         ]
         extra_kwargs = {}
 

authentik/enterprise/providers/microsoft_entra/clients/base.py

@@ -3,6 +3,7 @@ from collections.abc import Coroutine
 from dataclasses import asdict
 from typing import Any
 
+import httpx
 from azure.core.exceptions import (
     ClientAuthenticationError,
     ServiceRequestError,
@@ -12,6 +13,7 @@ from azure.identity.aio import ClientSecretCredential
 from django.db.models import Model
 from django.http import HttpResponseBadRequest, HttpResponseNotFound
 from kiota_abstractions.api_error import APIError
+from kiota_abstractions.request_information import RequestInformation
 from kiota_authentication_azure.azure_identity_authentication_provider import (
     AzureIdentityAuthenticationProvider,
 )
@@ -21,13 +23,15 @@ from msgraph.generated.models.o_data_errors.o_data_error import ODataError
 from msgraph.graph_request_adapter import GraphRequestAdapter, options
 from msgraph.graph_service_client import GraphServiceClient
 from msgraph_core import GraphClientFactory
+from opentelemetry import trace
 
 from authentik.enterprise.providers.microsoft_entra.models import MicrosoftEntraProvider
 from authentik.events.utils import sanitize_item
 from authentik.lib.sync.outgoing import HTTP_CONFLICT
-from authentik.lib.sync.outgoing.base import BaseOutgoingSyncClient
+from authentik.lib.sync.outgoing.base import SAFE_METHODS, BaseOutgoingSyncClient
 from authentik.lib.sync.outgoing.exceptions import (
     BadRequestSyncException,
+    DryRunRejected,
     NotFoundSyncException,
     ObjectExistsSyncException,
     StopSync,
@@ -35,20 +39,24 @@ from authentik.lib.sync.outgoing.exceptions import (
 )
 
 
-def get_request_adapter(
-    credentials: ClientSecretCredential, scopes: list[str] | None = None
-) -> GraphRequestAdapter:
-    if scopes:
-        auth_provider = AzureIdentityAuthenticationProvider(credentials=credentials, scopes=scopes)
-    else:
-        auth_provider = AzureIdentityAuthenticationProvider(credentials=credentials)
+class AuthentikRequestAdapter(GraphRequestAdapter):
+    def __init__(self, auth_provider, provider: MicrosoftEntraProvider, client=None):
+        super().__init__(auth_provider, client)
+        self._provider = provider
 
-    return GraphRequestAdapter(
-        auth_provider=auth_provider,
-        client=GraphClientFactory.create_with_default_middleware(
-            options=options, client=KiotaClientFactory.get_default_client()
-        ),
-    )
+    async def get_http_response_message(
+        self,
+        request_info: RequestInformation,
+        parent_span: trace.Span,
+        claims: str = "",
+    ) -> httpx.Response:
+        if self._provider.dry_run and request_info.http_method.value.upper() not in SAFE_METHODS:
+            raise DryRunRejected(
+                url=request_info.url,
+                method=request_info.http_method.value,
+                body=request_info.content.decode("utf-8"),
+            )
+        return await super().get_http_response_message(request_info, parent_span, claims=claims)
 
 
 class MicrosoftEntraSyncClient[TModel: Model, TConnection: Model, TSchema: dict](
@@ -63,9 +71,27 @@ class MicrosoftEntraSyncClient[TModel: Model, TConnection: Model, TSchema: dict]
         self.credentials = provider.microsoft_credentials()
         self.__prefetch_domains()
 
+    def get_request_adapter(
+        self, credentials: ClientSecretCredential, scopes: list[str] | None = None
+    ) -> AuthentikRequestAdapter:
+        if scopes:
+            auth_provider = AzureIdentityAuthenticationProvider(
+                credentials=credentials, scopes=scopes
+            )
+        else:
+            auth_provider = AzureIdentityAuthenticationProvider(credentials=credentials)
+
+        return AuthentikRequestAdapter(
+            auth_provider=auth_provider,
+            provider=self.provider,
+            client=GraphClientFactory.create_with_default_middleware(
+                options=options, client=KiotaClientFactory.get_default_client()
+            ),
+        )
+
     @property
     def client(self):
-        return GraphServiceClient(request_adapter=get_request_adapter(**self.credentials))
+        return GraphServiceClient(request_adapter=self.get_request_adapter(**self.credentials))
 
     def _request[T](self, request: Coroutine[Any, Any, T]) -> T:
         try:

authentik/enterprise/providers/microsoft_entra/migrations/0003_microsoftentraprovider_dry_run.py

@@ -0,0 +1,24 @@
+# Generated by Django 5.0.12 on 2025-02-24 19:43
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        (
+            "authentik_providers_microsoft_entra",
+            "0002_microsoftentraprovidergroup_attributes_and_more",
+        ),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="microsoftentraprovider",
+            name="dry_run",
+            field=models.BooleanField(
+                default=False,
+                help_text="When enabled, provider will not modify or create objects in the remote system.",
+            ),
+        ),
+    ]

authentik/enterprise/providers/microsoft_entra/tests/test_users.py

@@ -32,7 +32,6 @@ class MicrosoftEntraUserTests(APITestCase):
 
     @apply_blueprint("system/providers-microsoft-entra.yaml")
     def setUp(self) -> None:
-
         # Delete all users and groups as the mocked HTTP responses only return one ID
         # which will cause errors with multiple users
         Tenant.objects.update(avatars="none")
@@ -97,6 +96,38 @@ class MicrosoftEntraUserTests(APITestCase):
             self.assertFalse(Event.objects.filter(action=EventAction.SYSTEM_EXCEPTION).exists())
             user_create.assert_called_once()
 
+    def test_user_create_dry_run(self):
+        """Test user creation (dry run)"""
+        self.provider.dry_run = True
+        self.provider.save()
+        uid = generate_id()
+        with (
+            patch(
+                "authentik.enterprise.providers.microsoft_entra.models.MicrosoftEntraProvider.microsoft_credentials",
+                MagicMock(return_value={"credentials": self.creds}),
+            ),
+            patch(
+                "msgraph.generated.organization.organization_request_builder.OrganizationRequestBuilder.get",
+                AsyncMock(
+                    return_value=OrganizationCollectionResponse(
+                        value=[
+                            Organization(verified_domains=[VerifiedDomain(name="goauthentik.io")])
+                        ]
+                    )
+                ),
+            ),
+        ):
+            user = User.objects.create(
+                username=uid,
+                name=f"{uid} {uid}",
+                email=f"{uid}@goauthentik.io",
+            )
+            microsoft_user = MicrosoftEntraProviderUser.objects.filter(
+                provider=self.provider, user=user
+            ).first()
+            self.assertIsNone(microsoft_user)
+            self.assertFalse(Event.objects.filter(action=EventAction.SYSTEM_EXCEPTION).exists())
+
     def test_user_not_created(self):
         """Test without property mappings, no group is created"""
         self.provider.property_mappings.clear()

authentik/enterprise/providers/rac/apps.py

@@ -1,14 +0,0 @@
-"""RAC app config"""
-
-from authentik.enterprise.apps import EnterpriseConfig
-
-
-class AuthentikEnterpriseProviderRAC(EnterpriseConfig):
-    """authentik enterprise rac app config"""
-
-    name = "authentik.enterprise.providers.rac"
-    label = "authentik_providers_rac"
-    verbose_name = "authentik Enterprise.Providers.RAC"
-    default = True
-    mountpoint = ""
-    ws_mountpoint = "authentik.enterprise.providers.rac.urls"

authentik/enterprise/settings.py

@@ -16,7 +16,6 @@ TENANT_APPS = [
     "authentik.enterprise.audit",
     "authentik.enterprise.providers.google_workspace",
     "authentik.enterprise.providers.microsoft_entra",
-    "authentik.enterprise.providers.rac",
     "authentik.enterprise.providers.ssf",
     "authentik.enterprise.stages.authenticator_endpoint_gdtc",
     "authentik.enterprise.stages.source",

authentik/enterprise/stages/source/stage.py

@@ -9,13 +9,16 @@ from django.utils.timezone import now
 from guardian.shortcuts import get_anonymous_user
 
 from authentik.core.models import Source, User
-from authentik.core.sources.flow_manager import SESSION_KEY_OVERRIDE_FLOW_TOKEN
+from authentik.core.sources.flow_manager import (
+    SESSION_KEY_OVERRIDE_FLOW_TOKEN,
+    SESSION_KEY_SOURCE_FLOW_STAGES,
+)
 from authentik.core.types import UILoginButton
 from authentik.enterprise.stages.source.models import SourceStage
 from authentik.flows.challenge import Challenge, ChallengeResponse
-from authentik.flows.models import FlowToken
+from authentik.flows.models import FlowToken, in_memory_stage
 from authentik.flows.planner import PLAN_CONTEXT_IS_RESTORED
-from authentik.flows.stage import ChallengeStageView
+from authentik.flows.stage import ChallengeStageView, StageView
 from authentik.lib.utils.time import timedelta_from_string
 
 PLAN_CONTEXT_RESUME_TOKEN = "resume_token"  # nosec
@@ -49,6 +52,7 @@ class SourceStageView(ChallengeStageView):
     def get_challenge(self, *args, **kwargs) -> Challenge:
         resume_token = self.create_flow_token()
         self.request.session[SESSION_KEY_OVERRIDE_FLOW_TOKEN] = resume_token
+        self.request.session[SESSION_KEY_SOURCE_FLOW_STAGES] = [in_memory_stage(SourceStageFinal)]
         return self.login_button.challenge
 
     def create_flow_token(self) -> FlowToken:
@@ -77,3 +81,19 @@ class SourceStageView(ChallengeStageView):
 
     def challenge_valid(self, response: ChallengeResponse) -> HttpResponse:
         return self.executor.stage_ok()
+
+
+class SourceStageFinal(StageView):
+    """Dynamic stage injected in the source flow manager. This is injected in the
+    flow the source flow manager picks (authentication or enrollment), and will run at the end.
+    This stage uses the override flow token to resume execution of the initial flow the
+    source stage is bound to."""
+
+    def dispatch(self, *args, **kwargs):
+        token: FlowToken = self.request.session.get(SESSION_KEY_OVERRIDE_FLOW_TOKEN)
+        self.logger.info("Replacing source flow with overridden flow", flow=token.flow.slug)
+        plan = token.plan
+        plan.context[PLAN_CONTEXT_IS_RESTORED] = token
+        response = plan.to_redirect(self.request, token.flow)
+        token.delete()
+        return response

authentik/enterprise/stages/source/tests.py

@@ -4,7 +4,8 @@ from django.urls import reverse
 
 from authentik.core.tests.utils import create_test_flow, create_test_user
 from authentik.enterprise.stages.source.models import SourceStage
-from authentik.flows.models import FlowDesignation, FlowStageBinding, FlowToken
+from authentik.enterprise.stages.source.stage import SourceStageFinal
+from authentik.flows.models import FlowDesignation, FlowStageBinding, FlowToken, in_memory_stage
 from authentik.flows.planner import PLAN_CONTEXT_IS_RESTORED, FlowPlan
 from authentik.flows.tests import FlowTestCase
 from authentik.flows.views.executor import SESSION_KEY_PLAN
@@ -87,6 +88,7 @@ class TestSourceStage(FlowTestCase):
         self.assertIsNotNone(flow_token)
         session = self.client.session
         plan: FlowPlan = session[SESSION_KEY_PLAN]
+        plan.insert_stage(in_memory_stage(SourceStageFinal), index=0)
         plan.context[PLAN_CONTEXT_IS_RESTORED] = flow_token
         session[SESSION_KEY_PLAN] = plan
         session.save()
@@ -96,4 +98,6 @@ class TestSourceStage(FlowTestCase):
             reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}), follow=True
         )
         self.assertEqual(response.status_code, 200)
-        self.assertStageRedirects(response, reverse("authentik_core:root-redirect"))
+        self.assertStageRedirects(
+            response, reverse("authentik_core:if-flow", kwargs={"flow_slug": flow.slug})
+        )

authentik/flows/planner.py

@@ -76,10 +76,10 @@ class FlowPlan:
         self.bindings.append(binding)
         self.markers.append(marker or StageMarker())
 
-    def insert_stage(self, stage: Stage, marker: StageMarker | None = None):
+    def insert_stage(self, stage: Stage, marker: StageMarker | None = None, index=1):
         """Insert stage into plan, as immediate next stage"""
-        self.bindings.insert(1, FlowStageBinding(stage=stage, order=0))
-        self.markers.insert(1, marker or StageMarker())
+        self.bindings.insert(index, FlowStageBinding(stage=stage, order=0))
+        self.markers.insert(index, marker or StageMarker())
 
     def redirect(self, destination: str):
         """Insert a redirect stage as next stage"""

authentik/lib/config.py

@@ -282,16 +282,14 @@ class ConfigLoader:
 
     def get_optional_int(self, path: str, default=None) -> int | None:
         """Wrapper for get that converts value into int or None if set"""
-        value = self.get(path, default)
+        value = self.get(path, UNSET)
         if value is UNSET:
             return default
         try:
             return int(value)
         except (ValueError, TypeError) as exc:
             if value is None or (isinstance(value, str) and value.lower() == "null"):
-                return default
-            if value is UNSET:
-                return default
+                return None
             self.log("warning", "Failed to parse config as int", path=path, exc=str(exc))
             return default
 
@@ -372,9 +370,9 @@ def django_db_config(config: ConfigLoader | None = None) -> dict:
                 "sslcert": config.get("postgresql.sslcert"),
                 "sslkey": config.get("postgresql.sslkey"),
             },
-            "CONN_MAX_AGE": CONFIG.get_optional_int("postgresql.conn_max_age", 0),
-            "CONN_HEALTH_CHECKS": CONFIG.get_bool("postgresql.conn_health_checks", False),
-            "DISABLE_SERVER_SIDE_CURSORS": CONFIG.get_bool(
+            "CONN_MAX_AGE": config.get_optional_int("postgresql.conn_max_age", 0),
+            "CONN_HEALTH_CHECKS": config.get_bool("postgresql.conn_health_checks", False),
+            "DISABLE_SERVER_SIDE_CURSORS": config.get_bool(
                 "postgresql.disable_server_side_cursors", False
             ),
             "TEST": {
@@ -383,8 +381,8 @@ def django_db_config(config: ConfigLoader | None = None) -> dict:
         }
     }
 
-    conn_max_age = CONFIG.get_optional_int("postgresql.conn_max_age", UNSET)
-    disable_server_side_cursors = CONFIG.get_bool("postgresql.disable_server_side_cursors", UNSET)
+    conn_max_age = config.get_optional_int("postgresql.conn_max_age", UNSET)
+    disable_server_side_cursors = config.get_bool("postgresql.disable_server_side_cursors", UNSET)
     if config.get_bool("postgresql.use_pgpool", False):
         db["default"]["DISABLE_SERVER_SIDE_CURSORS"] = True
         if disable_server_side_cursors is not UNSET:

authentik/lib/default.yml

@@ -64,6 +64,8 @@ debugger: false
 log_level: info
 
 session_storage: cache
+sessions:
+  unauthenticated_age: days=1
 
 error_reporting:
   enabled: false

authentik/lib/sync/outgoing/api.py

@@ -33,6 +33,7 @@ class SyncObjectSerializer(PassiveSerializer):
         )
     )
     sync_object_id = CharField()
+    override_dry_run = BooleanField(default=False)
 
 
 class SyncObjectResultSerializer(PassiveSerializer):
@@ -98,6 +99,7 @@ class OutgoingSyncProviderStatusMixin:
             page=1,
             provider_pk=provider.pk,
             pk=params.validated_data["sync_object_id"],
+            override_dry_run=params.validated_data["override_dry_run"],
         ).get()
         return Response(SyncObjectResultSerializer(instance={"messages": res}).data)
 

authentik/lib/sync/outgoing/base.py

@@ -28,6 +28,14 @@ class Direction(StrEnum):
     remove = "remove"
 
 
+SAFE_METHODS = [
+    "GET",
+    "HEAD",
+    "OPTIONS",
+    "TRACE",
+]
+
+
 class BaseOutgoingSyncClient[
     TModel: "Model", TConnection: "Model", TSchema: dict, TProvider: "OutgoingSyncProvider"
 ]:

authentik/lib/sync/outgoing/exceptions.py

@@ -21,6 +21,22 @@ class BadRequestSyncException(BaseSyncException):
     """Exception when invalid data was sent to the remote system"""
 
 
+class DryRunRejected(BaseSyncException):
+    """When dry_run is enabled and a provider dropped a mutating request"""
+
+    def __init__(self, url: str, method: str, body: dict):
+        super().__init__()
+        self.url = url
+        self.method = method
+        self.body = body
+
+    def __repr__(self):
+        return self.__str__()
+
+    def __str__(self):
+        return f"Dry-run rejected request: {self.method} {self.url}"
+
+
 class StopSync(BaseSyncException):
     """Exception raised when a configuration error should stop the sync process"""
 

authentik/lib/sync/outgoing/models.py

@@ -1,8 +1,9 @@
 from typing import Any, Self
 
 import pglock
-from django.db import connection
+from django.db import connection, models
 from django.db.models import Model, QuerySet, TextChoices
+from django.utils.translation import gettext_lazy as _
 
 from authentik.core.models import Group, User
 from authentik.lib.sync.outgoing.base import BaseOutgoingSyncClient
@@ -18,6 +19,14 @@ class OutgoingSyncDeleteAction(TextChoices):
 
 
 class OutgoingSyncProvider(Model):
+    """Base abstract models for providers implementing outgoing sync"""
+
+    dry_run = models.BooleanField(
+        default=False,
+        help_text=_(
+            "When enabled, provider will not modify or create objects in the remote system."
+        ),
+    )
 
     class Meta:
         abstract = True
@@ -32,7 +41,7 @@ class OutgoingSyncProvider(Model):
 
     @property
     def sync_lock(self) -> pglock.advisory:
-        """Postgres lock for syncing SCIM to prevent multiple parallel syncs happening"""
+        """Postgres lock for syncing to prevent multiple parallel syncs happening"""
         return pglock.advisory(
             lock_id=f"goauthentik.io/{connection.schema_name}/providers/outgoing-sync/{str(self.pk)}",
             timeout=0,

authentik/lib/sync/outgoing/tasks.py

@@ -20,6 +20,7 @@ from authentik.lib.sync.outgoing import PAGE_SIZE, PAGE_TIMEOUT
 from authentik.lib.sync.outgoing.base import Direction
 from authentik.lib.sync.outgoing.exceptions import (
     BadRequestSyncException,
+    DryRunRejected,
     StopSync,
     TransientSyncException,
 )
@@ -105,7 +106,9 @@ class SyncTasks:
                 return
         task.set_status(TaskStatus.SUCCESSFUL, *messages)
 
-    def sync_objects(self, object_type: str, page: int, provider_pk: int, **filter):
+    def sync_objects(
+        self, object_type: str, page: int, provider_pk: int, override_dry_run=False, **filter
+    ):
         _object_type = path_to_class(object_type)
         self.logger = get_logger().bind(
             provider_type=class_to_path(self._provider_model),
@@ -116,6 +119,10 @@ class SyncTasks:
         provider = self._provider_model.objects.filter(pk=provider_pk).first()
         if not provider:
             return messages
+        # Override dry run mode if requested, however don't save the provider
+        # so that scheduled sync tasks still run in dry_run mode
+        if override_dry_run:
+            provider.dry_run = False
         try:
             client = provider.client_for_model(_object_type)
         except TransientSyncException:
@@ -132,6 +139,22 @@ class SyncTasks:
             except SkipObjectException:
                 self.logger.debug("skipping object due to SkipObject", obj=obj)
                 continue
+            except DryRunRejected as exc:
+                messages.append(
+                    asdict(
+                        LogEvent(
+                            _("Dropping mutating request due to dry run"),
+                            log_level="info",
+                            logger=f"{provider._meta.verbose_name}@{object_type}",
+                            attributes={
+                                "obj": sanitize_item(obj),
+                                "method": exc.method,
+                                "url": exc.url,
+                                "body": exc.body,
+                            },
+                        )
+                    )
+                )
             except BadRequestSyncException as exc:
                 self.logger.warning("failed to sync object", exc=exc, obj=obj)
                 messages.append(
@@ -231,8 +254,10 @@ class SyncTasks:
                 raise Retry() from exc
             except SkipObjectException:
                 continue
+            except DryRunRejected as exc:
+                self.logger.info("Rejected dry-run event", exc=exc)
             except StopSync as exc:
-                self.logger.warning(exc, provider_pk=provider.pk)
+                self.logger.warning("Stopping sync", exc=exc, provider_pk=provider.pk)
 
     def sync_signal_m2m(self, group_pk: str, action: str, pk_set: list[int]):
         self.logger = get_logger().bind(
@@ -263,5 +288,7 @@ class SyncTasks:
                 raise Retry() from exc
             except SkipObjectException:
                 continue
+            except DryRunRejected as exc:
+                self.logger.info("Rejected dry-run event", exc=exc)
             except StopSync as exc:
-                self.logger.warning(exc, provider_pk=provider.pk)
+                self.logger.warning("Stopping sync", exc=exc, provider_pk=provider.pk)

authentik/lib/tests/test_config.py

@@ -158,6 +158,18 @@ class TestConfig(TestCase):
             test_obj = Test()
             dumps(test_obj, indent=4, cls=AttrEncoder)
 
+    def test_get_optional_int(self):
+        config = ConfigLoader()
+        self.assertEqual(config.get_optional_int("foo", 21), 21)
+        self.assertEqual(config.get_optional_int("foo"), None)
+        config.set("foo", "21")
+        self.assertEqual(config.get_optional_int("foo"), 21)
+        self.assertEqual(config.get_optional_int("foo", 0), 21)
+        self.assertEqual(config.get_optional_int("foo", "null"), 21)
+        config.set("foo", "null")
+        self.assertEqual(config.get_optional_int("foo"), None)
+        self.assertEqual(config.get_optional_int("foo", 21), None)
+
     @mock.patch.dict(environ, check_deprecations_env_vars)
     def test_check_deprecations(self):
         """Test config key re-write for deprecated env vars"""
@@ -221,6 +233,16 @@ class TestConfig(TestCase):
             },
         )
 
+    def test_db_conn_max_age(self):
+        """Test DB conn_max_age Config"""
+        config = ConfigLoader()
+        config.set("postgresql.conn_max_age", "null")
+        conf = django_db_config(config)
+        self.assertEqual(
+            conf["default"]["CONN_MAX_AGE"],
+            None,
+        )
+
     def test_db_read_replicas(self):
         """Test read replicas"""
         config = ConfigLoader()

authentik/outposts/api/outposts.py

@@ -19,7 +19,6 @@ from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import JSONDictField, ModelSerializer, PassiveSerializer
 from authentik.core.models import Provider
 from authentik.enterprise.license import LicenseKey
-from authentik.enterprise.providers.rac.models import RACProvider
 from authentik.lib.utils.time import timedelta_from_string, timedelta_string_validator
 from authentik.outposts.api.service_connections import ServiceConnectionSerializer
 from authentik.outposts.apps import MANAGED_OUTPOST, MANAGED_OUTPOST_NAME
@@ -31,6 +30,7 @@ from authentik.outposts.models import (
 )
 from authentik.providers.ldap.models import LDAPProvider
 from authentik.providers.proxy.models import ProxyProvider
+from authentik.providers.rac.models import RACProvider
 from authentik.providers.radius.models import RadiusProvider
 
 

authentik/outposts/tasks.py

@@ -18,8 +18,6 @@ from kubernetes.config.kube_config import KUBE_CONFIG_DEFAULT_LOCATION
 from structlog.stdlib import get_logger
 from yaml import safe_load
 
-from authentik.enterprise.providers.rac.controllers.docker import RACDockerController
-from authentik.enterprise.providers.rac.controllers.kubernetes import RACKubernetesController
 from authentik.events.models import TaskStatus
 from authentik.events.system_tasks import SystemTask, prefill_task
 from authentik.lib.config import CONFIG
@@ -41,6 +39,8 @@ from authentik.providers.ldap.controllers.docker import LDAPDockerController
 from authentik.providers.ldap.controllers.kubernetes import LDAPKubernetesController
 from authentik.providers.proxy.controllers.docker import ProxyDockerController
 from authentik.providers.proxy.controllers.kubernetes import ProxyKubernetesController
+from authentik.providers.rac.controllers.docker import RACDockerController
+from authentik.providers.rac.controllers.kubernetes import RACKubernetesController
 from authentik.providers.radius.controllers.docker import RadiusDockerController
 from authentik.providers.radius.controllers.kubernetes import RadiusKubernetesController
 from authentik.root.celery import CELERY_APP

authentik/policies/geoip/models.py

@@ -128,7 +128,7 @@ class GeoIPPolicy(Policy):
                 (geoip_data["lat"], geoip_data["long"]),
             )
             if self.check_history_distance and dist.km >= (
-                self.history_max_distance_km - self.distance_tolerance_km
+                self.history_max_distance_km + self.distance_tolerance_km
             ):
                 return PolicyResult(
                     False, _("Distance from previous authentication is larger than threshold.")
@@ -139,7 +139,7 @@ class GeoIPPolicy(Policy):
             # clamped to be at least 1 hour
             rel_time_hours = max(int((_now - previous_login.created).total_seconds() / 3600), 1)
             if self.check_impossible_travel and dist.km >= (
-                (MAX_DISTANCE_HOUR_KM * rel_time_hours) - self.distance_tolerance_km
+                (MAX_DISTANCE_HOUR_KM * rel_time_hours) + self.distance_tolerance_km
             ):
                 return PolicyResult(False, _("Distance is further than possible."))
         return PolicyResult(True)

authentik/policies/password/models.py

@@ -148,10 +148,10 @@ class PasswordPolicy(Policy):
             user_inputs.append(request.user.email)
         if request.http_request:
             user_inputs.append(request.http_request.brand.branding_title)
-        # Only calculate result for the first 100 characters, as with over 100 char
+        # Only calculate result for the first 72 characters, as with over 100 char
         # long passwords we can be reasonably sure that they'll surpass the score anyways
         # See https://github.com/dropbox/zxcvbn#runtime-latency
-        results = zxcvbn(password[:100], user_inputs)
+        results = zxcvbn(password[:72], user_inputs)
         LOGGER.debug("password failed", check="zxcvbn", score=results["score"])
         result = PolicyResult(results["score"] > self.zxcvbn_score_threshold)
         if not result.passing:

authentik/providers/oauth2/models.py

@@ -9,7 +9,12 @@ from hashlib import sha256
 from typing import Any
 from urllib.parse import urlparse, urlunparse
 
-from cryptography.hazmat.primitives.asymmetric.ec import EllipticCurvePrivateKey
+from cryptography.hazmat.primitives.asymmetric.ec import (
+    SECP256R1,
+    SECP384R1,
+    SECP521R1,
+    EllipticCurvePrivateKey,
+)
 from cryptography.hazmat.primitives.asymmetric.rsa import RSAPrivateKey
 from cryptography.hazmat.primitives.asymmetric.types import PrivateKeyTypes
 from dacite import Config
@@ -114,6 +119,22 @@ class JWTAlgorithms(models.TextChoices):
     HS256 = "HS256", _("HS256 (Symmetric Encryption)")
     RS256 = "RS256", _("RS256 (Asymmetric Encryption)")
     ES256 = "ES256", _("ES256 (Asymmetric Encryption)")
+    ES384 = "ES384", _("ES384 (Asymmetric Encryption)")
+    ES512 = "ES512", _("ES512 (Asymmetric Encryption)")
+
+    @classmethod
+    def from_private_key(cls, private_key: PrivateKeyTypes | None) -> str:
+        if isinstance(private_key, RSAPrivateKey):
+            return cls.RS256
+        if isinstance(private_key, EllipticCurvePrivateKey):
+            curve = private_key.curve
+            if isinstance(curve, SECP256R1):
+                return cls.ES256
+            if isinstance(curve, SECP384R1):
+                return cls.ES384
+            if isinstance(curve, SECP521R1):
+                return cls.ES512
+        raise ValueError(f"Invalid private key type: {type(private_key)}")
 
 
 class ScopeMapping(PropertyMapping):
@@ -263,11 +284,7 @@ class OAuth2Provider(WebfingerProvider, Provider):
             return self.client_secret, JWTAlgorithms.HS256
         key: CertificateKeyPair = self.signing_key
         private_key = key.private_key
-        if isinstance(private_key, RSAPrivateKey):
-            return private_key, JWTAlgorithms.RS256
-        if isinstance(private_key, EllipticCurvePrivateKey):
-            return private_key, JWTAlgorithms.ES256
-        raise ValueError(f"Invalid private key type: {type(private_key)}")
+        return private_key, JWTAlgorithms.from_private_key(private_key)
 
     def get_issuer(self, request: HttpRequest) -> str | None:
         """Get issuer, based on request"""

authentik/providers/oauth2/views/device_init.py

@@ -71,7 +71,7 @@ class CodeValidatorView(PolicyAccessView):
         except FlowNonApplicableException:
             LOGGER.warning("Flow not applicable to user")
             return None
-        plan.insert_stage(in_memory_stage(OAuthDeviceCodeFinishStage))
+        plan.append_stage(in_memory_stage(OAuthDeviceCodeFinishStage))
         return plan.to_redirect(self.request, self.token.provider.authorization_flow)
 
 

authentik/providers/oauth2/views/end_session.py

@@ -34,5 +34,5 @@ class EndSessionView(PolicyAccessView):
                 PLAN_CONTEXT_APPLICATION: self.application,
             },
         )
-        plan.insert_stage(in_memory_stage(SessionEndStage))
+        plan.append_stage(in_memory_stage(SessionEndStage))
         return plan.to_redirect(self.request, self.flow)

authentik/providers/oauth2/views/jwks.py

@@ -75,10 +75,7 @@ class JWKSView(View):
         key_data = {}
 
         if use == "sig":
-            if isinstance(private_key, RSAPrivateKey):
-                key_data["alg"] = JWTAlgorithms.RS256
-            elif isinstance(private_key, EllipticCurvePrivateKey):
-                key_data["alg"] = JWTAlgorithms.ES256
+            key_data["alg"] = JWTAlgorithms.from_private_key(private_key)
         elif use == "enc":
             key_data["alg"] = "RSA-OAEP-256"
             key_data["enc"] = "A256CBC-HS512"

authentik/providers/proxy/controllers/k8s/ingress.py

@@ -36,17 +36,17 @@ class IngressReconciler(KubernetesObjectReconciler[V1Ingress]):
     def reconciler_name() -> str:
         return "ingress"
 
-    def _check_annotations(self, reference: V1Ingress):
+    def _check_annotations(self, current: V1Ingress, reference: V1Ingress):
         """Check that all annotations *we* set are correct"""
-        for key, value in self.get_ingress_annotations().items():
-            if key not in reference.metadata.annotations:
+        for key, value in reference.metadata.annotations.items():
+            if key not in current.metadata.annotations:
                 raise NeedsUpdate()
-            if reference.metadata.annotations[key] != value:
+            if current.metadata.annotations[key] != value:
                 raise NeedsUpdate()
 
     def reconcile(self, current: V1Ingress, reference: V1Ingress):
         super().reconcile(current, reference)
-        self._check_annotations(reference)
+        self._check_annotations(current, reference)
         # Create a list of all expected host and tls hosts
         expected_hosts = []
         expected_hosts_tls = []

authentik/providers/rac/api/connection_tokens.py

@@ -6,13 +6,12 @@ from rest_framework.viewsets import GenericViewSet
 from authentik.core.api.groups import GroupMemberSerializer
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import ModelSerializer
-from authentik.enterprise.api import EnterpriseRequiredMixin
-from authentik.enterprise.providers.rac.api.endpoints import EndpointSerializer
-from authentik.enterprise.providers.rac.api.providers import RACProviderSerializer
-from authentik.enterprise.providers.rac.models import ConnectionToken
+from authentik.providers.rac.api.endpoints import EndpointSerializer
+from authentik.providers.rac.api.providers import RACProviderSerializer
+from authentik.providers.rac.models import ConnectionToken
 
 
-class ConnectionTokenSerializer(EnterpriseRequiredMixin, ModelSerializer):
+class ConnectionTokenSerializer(ModelSerializer):
     """ConnectionToken Serializer"""
 
     provider_obj = RACProviderSerializer(source="provider", read_only=True)

authentik/providers/rac/api/endpoints.py

@@ -14,10 +14,9 @@ from structlog.stdlib import get_logger
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import ModelSerializer
 from authentik.core.models import Provider
-from authentik.enterprise.api import EnterpriseRequiredMixin
-from authentik.enterprise.providers.rac.api.providers import RACProviderSerializer
-from authentik.enterprise.providers.rac.models import Endpoint
 from authentik.policies.engine import PolicyEngine
+from authentik.providers.rac.api.providers import RACProviderSerializer
+from authentik.providers.rac.models import Endpoint
 from authentik.rbac.filters import ObjectFilter
 
 LOGGER = get_logger()
@@ -28,7 +27,7 @@ def user_endpoint_cache_key(user_pk: str) -> str:
     return f"goauthentik.io/providers/rac/endpoint_access/{user_pk}"
 
 
-class EndpointSerializer(EnterpriseRequiredMixin, ModelSerializer):
+class EndpointSerializer(ModelSerializer):
     """Endpoint Serializer"""
 
     provider_obj = RACProviderSerializer(source="provider", read_only=True)

authentik/providers/rac/api/property_mappings.py

@@ -10,7 +10,7 @@ from rest_framework.viewsets import ModelViewSet
 from authentik.core.api.property_mappings import PropertyMappingSerializer
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import JSONDictField
-from authentik.enterprise.providers.rac.models import RACPropertyMapping
+from authentik.providers.rac.models import RACPropertyMapping
 
 
 class RACPropertyMappingSerializer(PropertyMappingSerializer):

authentik/providers/rac/api/providers.py

@@ -5,11 +5,10 @@ from rest_framework.viewsets import ModelViewSet
 
 from authentik.core.api.providers import ProviderSerializer
 from authentik.core.api.used_by import UsedByMixin
-from authentik.enterprise.api import EnterpriseRequiredMixin
-from authentik.enterprise.providers.rac.models import RACProvider
+from authentik.providers.rac.models import RACProvider
 
 
-class RACProviderSerializer(EnterpriseRequiredMixin, ProviderSerializer):
+class RACProviderSerializer(ProviderSerializer):
     """RACProvider Serializer"""
 
     outpost_set = ListField(child=CharField(), read_only=True, source="outpost_set.all")

authentik/providers/rac/apps.py

@@ -0,0 +1,14 @@
+"""RAC app config"""
+
+from django.apps import AppConfig
+
+
+class AuthentikProviderRAC(AppConfig):
+    """authentik rac app config"""
+
+    name = "authentik.providers.rac"
+    label = "authentik_providers_rac"
+    verbose_name = "authentik Providers.RAC"
+    default = True
+    mountpoint = ""
+    ws_mountpoint = "authentik.providers.rac.urls"

authentik/providers/rac/consumer_client.py

@@ -7,22 +7,22 @@ from channels.generic.websocket import AsyncWebsocketConsumer
 from django.http.request import QueryDict
 from structlog.stdlib import BoundLogger, get_logger
 
-from authentik.enterprise.providers.rac.models import ConnectionToken, RACProvider
 from authentik.outposts.consumer import OUTPOST_GROUP_INSTANCE
 from authentik.outposts.models import Outpost, OutpostState, OutpostType
+from authentik.providers.rac.models import ConnectionToken, RACProvider
 
 # Global broadcast group, which messages are sent to when the outpost connects back
 # to authentik for a specific connection
 # The `RACClientConsumer` consumer adds itself to this group on connection,
 # and removes itself once it has been assigned a specific outpost channel
-RAC_CLIENT_GROUP = "group_enterprise_rac_client"
+RAC_CLIENT_GROUP = "group_rac_client"
 # A group for all connections in a given authentik session ID
 # A disconnect message is sent to this group when the session expires/is deleted
-RAC_CLIENT_GROUP_SESSION = "group_enterprise_rac_client_%(session)s"
+RAC_CLIENT_GROUP_SESSION = "group_rac_client_%(session)s"
 # A group for all connections with a specific token, which in almost all cases
 # is just one connection, however this is used to disconnect the connection
 # when the token is deleted
-RAC_CLIENT_GROUP_TOKEN = "group_enterprise_rac_token_%(token)s"  # nosec
+RAC_CLIENT_GROUP_TOKEN = "group_rac_token_%(token)s"  # nosec
 
 # Step 1: Client connects to this websocket endpoint
 # Step 2: We prepare all the connection args for Guac

authentik/providers/rac/consumer_outpost.py

@@ -3,7 +3,7 @@
 from channels.exceptions import ChannelFull
 from channels.generic.websocket import AsyncWebsocketConsumer
 
-from authentik.enterprise.providers.rac.consumer_client import RAC_CLIENT_GROUP
+from authentik.providers.rac.consumer_client import RAC_CLIENT_GROUP
 
 
 class RACOutpostConsumer(AsyncWebsocketConsumer):

authentik/providers/rac/models.py

@@ -74,7 +74,7 @@ class RACProvider(Provider):
 
     @property
     def serializer(self) -> type[Serializer]:
-        from authentik.enterprise.providers.rac.api.providers import RACProviderSerializer
+        from authentik.providers.rac.api.providers import RACProviderSerializer
 
         return RACProviderSerializer
 
@@ -100,7 +100,7 @@ class Endpoint(SerializerModel, PolicyBindingModel):
 
     @property
     def serializer(self) -> type[Serializer]:
-        from authentik.enterprise.providers.rac.api.endpoints import EndpointSerializer
+        from authentik.providers.rac.api.endpoints import EndpointSerializer
 
         return EndpointSerializer
 
@@ -129,7 +129,7 @@ class RACPropertyMapping(PropertyMapping):
 
     @property
     def serializer(self) -> type[Serializer]:
-        from authentik.enterprise.providers.rac.api.property_mappings import (
+        from authentik.providers.rac.api.property_mappings import (
             RACPropertyMappingSerializer,
         )
 

authentik/providers/rac/signals.py

@@ -10,12 +10,12 @@ from django.dispatch import receiver
 from django.http import HttpRequest
 
 from authentik.core.models import User
-from authentik.enterprise.providers.rac.api.endpoints import user_endpoint_cache_key
-from authentik.enterprise.providers.rac.consumer_client import (
+from authentik.providers.rac.api.endpoints import user_endpoint_cache_key
+from authentik.providers.rac.consumer_client import (
     RAC_CLIENT_GROUP_SESSION,
     RAC_CLIENT_GROUP_TOKEN,
 )
-from authentik.enterprise.providers.rac.models import ConnectionToken, Endpoint
+from authentik.providers.rac.models import ConnectionToken, Endpoint
 
 
 @receiver(user_logged_out)

authentik/providers/rac/templates/if/rac.html

@@ -3,7 +3,7 @@
 {% load authentik_core %}
 
 {% block head %}
-<script src="{% versioned_script 'dist/enterprise/rac/index-%v.js' %}" type="module"></script>
+<script src="{% versioned_script 'dist/rac/index-%v.js' %}" type="module"></script>
 <meta name="theme-color" content="#18191a" media="(prefers-color-scheme: dark)">
 <meta name="theme-color" content="#ffffff" media="(prefers-color-scheme: light)">
 <link rel="icon" href="{{ tenant.branding_favicon_url }}">

authentik/providers/rac/tests/test_api.py

@@ -1,16 +1,9 @@
 """Test RAC Provider"""
 
-from datetime import timedelta
-from time import mktime
-from unittest.mock import MagicMock, patch
-
 from django.urls import reverse
-from django.utils.timezone import now
 from rest_framework.test import APITestCase
 
 from authentik.core.tests.utils import create_test_admin_user, create_test_flow
-from authentik.enterprise.license import LicenseKey
-from authentik.enterprise.models import License
 from authentik.lib.generators import generate_id
 
 
@@ -20,21 +13,8 @@ class TestAPI(APITestCase):
     def setUp(self) -> None:
         self.user = create_test_admin_user()
 
-    @patch(
-        "authentik.enterprise.license.LicenseKey.validate",
-        MagicMock(
-            return_value=LicenseKey(
-                aud="",
-                exp=int(mktime((now() + timedelta(days=3000)).timetuple())),
-                name=generate_id(),
-                internal_users=100,
-                external_users=100,
-            )
-        ),
-    )
     def test_create(self):
         """Test creation of RAC Provider"""
-        License.objects.create(key=generate_id())
         self.client.force_login(self.user)
         response = self.client.post(
             reverse("authentik_api:racprovider-list"),

authentik/providers/rac/tests/test_endpoints_api.py

@@ -5,10 +5,10 @@ from rest_framework.test import APITestCase
 
 from authentik.core.models import Application
 from authentik.core.tests.utils import create_test_admin_user
-from authentik.enterprise.providers.rac.models import Endpoint, Protocols, RACProvider
 from authentik.lib.generators import generate_id
 from authentik.policies.dummy.models import DummyPolicy
 from authentik.policies.models import PolicyBinding
+from authentik.providers.rac.models import Endpoint, Protocols, RACProvider
 
 
 class TestEndpointsAPI(APITestCase):

authentik/providers/rac/tests/test_models.py

@@ -4,14 +4,14 @@ from django.test import TransactionTestCase
 
 from authentik.core.models import Application, AuthenticatedSession
 from authentik.core.tests.utils import create_test_admin_user
-from authentik.enterprise.providers.rac.models import (
+from authentik.lib.generators import generate_id
+from authentik.providers.rac.models import (
     ConnectionToken,
     Endpoint,
     Protocols,
     RACPropertyMapping,
     RACProvider,
 )
-from authentik.lib.generators import generate_id
 
 
 class TestModels(TransactionTestCase):

authentik/providers/rac/tests/test_views.py

@@ -1,23 +1,17 @@
 """RAC Views tests"""
 
-from datetime import timedelta
 from json import loads
-from time import mktime
-from unittest.mock import MagicMock, patch
 
 from django.urls import reverse
-from django.utils.timezone import now
 from rest_framework.test import APITestCase
 
 from authentik.core.models import Application
 from authentik.core.tests.utils import create_test_admin_user, create_test_flow
-from authentik.enterprise.license import LicenseKey
-from authentik.enterprise.models import License
-from authentik.enterprise.providers.rac.models import Endpoint, Protocols, RACProvider
 from authentik.lib.generators import generate_id
 from authentik.policies.denied import AccessDeniedResponse
 from authentik.policies.dummy.models import DummyPolicy
 from authentik.policies.models import PolicyBinding
+from authentik.providers.rac.models import Endpoint, Protocols, RACProvider
 
 
 class TestRACViews(APITestCase):
@@ -39,21 +33,8 @@ class TestRACViews(APITestCase):
             provider=self.provider,
         )
 
-    @patch(
-        "authentik.enterprise.license.LicenseKey.validate",
-        MagicMock(
-            return_value=LicenseKey(
-                aud="",
-                exp=int(mktime((now() + timedelta(days=3000)).timetuple())),
-                name=generate_id(),
-                internal_users=100,
-                external_users=100,
-            )
-        ),
-    )
     def test_no_policy(self):
         """Test request"""
-        License.objects.create(key=generate_id())
         self.client.force_login(self.user)
         response = self.client.get(
             reverse(
@@ -70,18 +51,6 @@ class TestRACViews(APITestCase):
         final_response = self.client.get(next_url)
         self.assertEqual(final_response.status_code, 200)
 
-    @patch(
-        "authentik.enterprise.license.LicenseKey.validate",
-        MagicMock(
-            return_value=LicenseKey(
-                aud="",
-                exp=int(mktime((now() + timedelta(days=3000)).timetuple())),
-                name=generate_id(),
-                internal_users=100,
-                external_users=100,
-            )
-        ),
-    )
     def test_app_deny(self):
         """Test request (deny on app level)"""
         PolicyBinding.objects.create(
@@ -89,7 +58,6 @@ class TestRACViews(APITestCase):
             policy=DummyPolicy.objects.create(name="deny", result=False, wait_min=1, wait_max=2),
             order=0,
         )
-        License.objects.create(key=generate_id())
         self.client.force_login(self.user)
         response = self.client.get(
             reverse(
@@ -99,18 +67,6 @@ class TestRACViews(APITestCase):
         )
         self.assertIsInstance(response, AccessDeniedResponse)
 
-    @patch(
-        "authentik.enterprise.license.LicenseKey.validate",
-        MagicMock(
-            return_value=LicenseKey(
-                aud="",
-                exp=int(mktime((now() + timedelta(days=3000)).timetuple())),
-                name=generate_id(),
-                internal_users=100,
-                external_users=100,
-            )
-        ),
-    )
     def test_endpoint_deny(self):
         """Test request (deny on endpoint level)"""
         PolicyBinding.objects.create(
@@ -118,7 +74,6 @@ class TestRACViews(APITestCase):
             policy=DummyPolicy.objects.create(name="deny", result=False, wait_min=1, wait_max=2),
             order=0,
         )
-        License.objects.create(key=generate_id())
         self.client.force_login(self.user)
         response = self.client.get(
             reverse(

authentik/providers/rac/urls.py

@@ -4,14 +4,14 @@ from channels.auth import AuthMiddleware
 from channels.sessions import CookieMiddleware
 from django.urls import path
 
-from authentik.enterprise.providers.rac.api.connection_tokens import ConnectionTokenViewSet
-from authentik.enterprise.providers.rac.api.endpoints import EndpointViewSet
-from authentik.enterprise.providers.rac.api.property_mappings import RACPropertyMappingViewSet
-from authentik.enterprise.providers.rac.api.providers import RACProviderViewSet
-from authentik.enterprise.providers.rac.consumer_client import RACClientConsumer
-from authentik.enterprise.providers.rac.consumer_outpost import RACOutpostConsumer
-from authentik.enterprise.providers.rac.views import RACInterface, RACStartView
 from authentik.outposts.channels import TokenOutpostMiddleware
+from authentik.providers.rac.api.connection_tokens import ConnectionTokenViewSet
+from authentik.providers.rac.api.endpoints import EndpointViewSet
+from authentik.providers.rac.api.property_mappings import RACPropertyMappingViewSet
+from authentik.providers.rac.api.providers import RACProviderViewSet
+from authentik.providers.rac.consumer_client import RACClientConsumer
+from authentik.providers.rac.consumer_outpost import RACOutpostConsumer
+from authentik.providers.rac.views import RACInterface, RACStartView
 from authentik.root.asgi_middleware import SessionMiddleware
 from authentik.root.middleware import ChannelsLoggingMiddleware
 

authentik/providers/rac/views.py

@@ -10,8 +10,6 @@ from django.utils.translation import gettext as _
 
 from authentik.core.models import Application, AuthenticatedSession
 from authentik.core.views.interface import InterfaceView
-from authentik.enterprise.policy import EnterprisePolicyAccessView
-from authentik.enterprise.providers.rac.models import ConnectionToken, Endpoint, RACProvider
 from authentik.events.models import Event, EventAction
 from authentik.flows.challenge import RedirectChallenge
 from authentik.flows.exceptions import FlowNonApplicableException
@@ -20,9 +18,11 @@ from authentik.flows.planner import PLAN_CONTEXT_APPLICATION, FlowPlanner
 from authentik.flows.stage import RedirectStage
 from authentik.lib.utils.time import timedelta_from_string
 from authentik.policies.engine import PolicyEngine
+from authentik.policies.views import PolicyAccessView
+from authentik.providers.rac.models import ConnectionToken, Endpoint, RACProvider
 
 
-class RACStartView(EnterprisePolicyAccessView):
+class RACStartView(PolicyAccessView):
     """Start a RAC connection by checking access and creating a connection token"""
 
     endpoint: Endpoint
@@ -46,7 +46,7 @@ class RACStartView(EnterprisePolicyAccessView):
             )
         except FlowNonApplicableException:
             raise Http404 from None
-        plan.insert_stage(
+        plan.append_stage(
             in_memory_stage(
                 RACFinalStage,
                 application=self.application,

authentik/providers/saml/views/slo.py

@@ -61,7 +61,7 @@ class SAMLSLOView(PolicyAccessView):
                 PLAN_CONTEXT_APPLICATION: self.application,
             },
         )
-        plan.insert_stage(in_memory_stage(SessionEndStage))
+        plan.append_stage(in_memory_stage(SessionEndStage))
         return plan.to_redirect(self.request, self.flow)
 
     def post(self, request: HttpRequest, application_slug: str) -> HttpResponse:

authentik/providers/scim/api/providers.py

@@ -30,6 +30,7 @@ class SCIMProviderSerializer(ProviderSerializer):
             "token",
             "exclude_users_service_account",
             "filter_group",
+            "dry_run",
         ]
         extra_kwargs = {}
 

authentik/providers/scim/clients/base.py

@@ -12,8 +12,9 @@ from authentik.lib.sync.outgoing import (
     HTTP_SERVICE_UNAVAILABLE,
     HTTP_TOO_MANY_REQUESTS,
 )
-from authentik.lib.sync.outgoing.base import BaseOutgoingSyncClient
+from authentik.lib.sync.outgoing.base import SAFE_METHODS, BaseOutgoingSyncClient
 from authentik.lib.sync.outgoing.exceptions import (
+    DryRunRejected,
     NotFoundSyncException,
     ObjectExistsSyncException,
     TransientSyncException,
@@ -54,6 +55,8 @@ class SCIMClient[TModel: "Model", TConnection: "Model", TSchema: "BaseModel"](
 
     def _request(self, method: str, path: str, **kwargs) -> dict:
         """Wrapper to send a request to the full URL"""
+        if self.provider.dry_run and method.upper() not in SAFE_METHODS:
+            raise DryRunRejected(f"{self.base_url}{path}", method, body=kwargs.get("json"))
         try:
             response = self._session.request(
                 method,

authentik/providers/scim/migrations/0011_scimprovider_dry_run.py

@@ -0,0 +1,21 @@
+# Generated by Django 5.0.12 on 2025-02-24 19:43
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_providers_scim", "0010_scimprovider_verify_certificates"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="scimprovider",
+            name="dry_run",
+            field=models.BooleanField(
+                default=False,
+                help_text="When enabled, provider will not modify or create objects in the remote system.",
+            ),
+        ),
+    ]

authentik/providers/scim/tests/test_user.py

@@ -3,12 +3,15 @@
 from json import loads
 
 from django.test import TestCase
+from django.utils.text import slugify
 from jsonschema import validate
 from requests_mock import Mocker
 
 from authentik.blueprints.tests import apply_blueprint
 from authentik.core.models import Application, Group, User
+from authentik.events.models import SystemTask
 from authentik.lib.generators import generate_id
+from authentik.lib.sync.outgoing.base import SAFE_METHODS
 from authentik.providers.scim.models import SCIMMapping, SCIMProvider
 from authentik.providers.scim.tasks import scim_sync, sync_tasks
 from authentik.tenants.models import Tenant
@@ -330,3 +333,59 @@ class SCIMUserTests(TestCase):
                 "userName": uid,
             },
         )
+
+    def test_user_create_dry_run(self):
+        """Test user creation (dry_run)"""
+        # Update the provider before we start mocking as saving the provider triggers a full sync
+        self.provider.dry_run = True
+        self.provider.save()
+        with Mocker() as mock:
+            scim_id = generate_id()
+            mock.get(
+                "https://localhost/ServiceProviderConfig",
+                json={},
+            )
+            mock.post(
+                "https://localhost/Users",
+                json={
+                    "id": scim_id,
+                },
+            )
+            uid = generate_id()
+            User.objects.create(
+                username=uid,
+                name=f"{uid} {uid}",
+                email=f"{uid}@goauthentik.io",
+            )
+            self.assertEqual(mock.call_count, 1, mock.request_history)
+            self.assertEqual(mock.request_history[0].method, "GET")
+
+    def test_sync_task_dry_run(self):
+        """Test sync tasks"""
+        # Update the provider before we start mocking as saving the provider triggers a full sync
+        self.provider.dry_run = True
+        self.provider.save()
+        with Mocker() as mock:
+            uid = generate_id()
+            mock.get(
+                "https://localhost/ServiceProviderConfig",
+                json={},
+            )
+            User.objects.create(
+                username=uid,
+                name=f"{uid} {uid}",
+                email=f"{uid}@goauthentik.io",
+            )
+
+            sync_tasks.trigger_single_task(self.provider, scim_sync).get()
+
+            self.assertEqual(mock.call_count, 3)
+            for request in mock.request_history:
+                self.assertIn(request.method, SAFE_METHODS)
+        task = SystemTask.objects.filter(uid=slugify(self.provider.name)).first()
+        self.assertIsNotNone(task)
+        drop_msg = task.messages[2]
+        self.assertEqual(drop_msg["event"], "Dropping mutating request due to dry run")
+        self.assertIsNotNone(drop_msg["attributes"]["url"])
+        self.assertIsNotNone(drop_msg["attributes"]["body"])
+        self.assertIsNotNone(drop_msg["attributes"]["method"])

authentik/rbac/api/rbac.py

@@ -2,7 +2,7 @@
 
 from django.apps import apps
 from django.contrib.auth.models import Permission
-from django.db.models import Q, QuerySet
+from django.db.models import QuerySet
 from django_filters.filters import ModelChoiceFilter
 from django_filters.filterset import FilterSet
 from django_filters.rest_framework import DjangoFilterBackend
@@ -18,7 +18,6 @@ from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.permissions import IsAuthenticated
 from rest_framework.viewsets import ReadOnlyModelViewSet
 
-from authentik.blueprints.v1.importer import excluded_models
 from authentik.core.api.utils import ModelSerializer, PassiveSerializer
 from authentik.core.models import User
 from authentik.lib.validators import RequiredTogetherValidator
@@ -106,13 +105,13 @@ class RBACPermissionViewSet(ReadOnlyModelViewSet):
     ]
 
     def get_queryset(self) -> QuerySet:
-        query = Q()
-        for model in excluded_models():
-            query |= Q(
-                content_type__app_label=model._meta.app_label,
-                content_type__model=model._meta.model_name,
+        return (
+            Permission.objects.all()
+            .select_related("content_type")
+            .filter(
+                content_type__app_label__startswith="authentik",
             )
-        return Permission.objects.all().select_related("content_type").exclude(query)
+        )
 
 
 class PermissionAssignSerializer(PassiveSerializer):

authentik/root/settings.py

@@ -16,6 +16,7 @@ from authentik.lib.config import CONFIG, django_db_config, redis_url
 from authentik.lib.logging import get_logger_config, structlog_configure
 from authentik.lib.sentry import sentry_init
 from authentik.lib.utils.reflection import get_env
+from authentik.lib.utils.time import timedelta_from_string
 from authentik.stages.password import BACKEND_APP_PASSWORD, BACKEND_INBUILT, BACKEND_LDAP
 
 BASE_DIR = Path(__file__).absolute().parent.parent.parent
@@ -87,6 +88,7 @@ TENANT_APPS = [
     "authentik.providers.ldap",
     "authentik.providers.oauth2",
     "authentik.providers.proxy",
+    "authentik.providers.rac",
     "authentik.providers.radius",
     "authentik.providers.saml",
     "authentik.providers.scim",
@@ -241,6 +243,9 @@ SESSION_CACHE_ALIAS = "default"
 # Configured via custom SessionMiddleware
 # SESSION_COOKIE_SAMESITE = "None"
 # SESSION_COOKIE_SECURE = True
+SESSION_COOKIE_AGE = timedelta_from_string(
+    CONFIG.get("sessions.unauthenticated_age", "days=1")
+).total_seconds()
 SESSION_EXPIRE_AT_BROWSER_CLOSE = True
 
 MESSAGE_STORAGE = "authentik.root.messages.storage.ChannelsStorage"

authentik/sources/oauth/types/azure_ad.py

@@ -2,6 +2,7 @@
 
 from typing import Any
 
+from requests import RequestException
 from structlog.stdlib import get_logger
 
 from authentik.sources.oauth.clients.oauth2 import UserprofileHeaderAuthClient
@@ -21,10 +22,35 @@ class AzureADOAuthRedirect(OAuthRedirect):
         }
 
 
+class AzureADClient(UserprofileHeaderAuthClient):
+    """Fetch AzureAD group information"""
+
+    def get_profile_info(self, token):
+        profile_data = super().get_profile_info(token)
+        if "https://graph.microsoft.com/GroupMember.Read.All" not in self.source.additional_scopes:
+            return profile_data
+        group_response = self.session.request(
+            "get",
+            "https://graph.microsoft.com/v1.0/me/memberOf",
+            headers={"Authorization": f"{token['token_type']} {token['access_token']}"},
+        )
+        try:
+            group_response.raise_for_status()
+        except RequestException as exc:
+            LOGGER.warning(
+                "Unable to fetch user profile",
+                exc=exc,
+                response=exc.response.text if exc.response else str(exc),
+            )
+            return None
+        profile_data["raw_groups"] = group_response.json()
+        return profile_data
+
+
 class AzureADOAuthCallback(OpenIDConnectOAuth2Callback):
     """AzureAD OAuth2 Callback"""
 
-    client_class = UserprofileHeaderAuthClient
+    client_class = AzureADClient
 
     def get_user_id(self, info: dict[str, str]) -> str:
         # Default try to get `id` for the Graph API endpoint
@@ -53,8 +79,24 @@ class AzureADType(SourceType):
 
     def get_base_user_properties(self, info: dict[str, Any], **kwargs) -> dict[str, Any]:
         mail = info.get("mail", None) or info.get("otherMails", [None])[0]
+        # Format group info
+        groups = []
+        group_id_dict = {}
+        for group in info.get("raw_groups", {}).get("value", []):
+            if group["@odata.type"] != "#microsoft.graph.group":
+                continue
+            groups.append(group["id"])
+            group_id_dict[group["id"]] = group
+        info["raw_groups"] = group_id_dict
         return {
             "username": info.get("userPrincipalName"),
             "email": mail,
             "name": info.get("displayName"),
+            "groups": groups,
+        }
+
+    def get_base_group_properties(self, source, group_id, **kwargs):
+        raw_group = kwargs["info"]["raw_groups"][group_id]
+        return {
+            "name": raw_group["displayName"],
         }

authentik/stages/authenticator_email/models.py

@@ -7,6 +7,7 @@ from django.utils.translation import gettext_lazy as _
 from django.views import View
 from rest_framework.serializers import BaseSerializer
 
+from authentik.core.types import UserSettingSerializer
 from authentik.events.models import Event, EventAction
 from authentik.flows.exceptions import StageInvalidException
 from authentik.flows.models import ConfigurableStage, FriendlyNamedStage, Stage
@@ -71,6 +72,14 @@ class AuthenticatorEmailStage(ConfigurableStage, FriendlyNamedStage, Stage):
     def component(self) -> str:
         return "ak-stage-authenticator-email-form"
 
+    def ui_user_settings(self) -> UserSettingSerializer | None:
+        return UserSettingSerializer(
+            data={
+                "title": self.friendly_name or str(self._meta.verbose_name),
+                "component": "ak-user-settings-authenticator-email",
+            }
+        )
+
     @property
     def backend_class(self) -> type[BaseEmailBackend]:
         """Get the email backend class to use"""

authentik/stages/authenticator_email/tests.py

@@ -299,10 +299,6 @@ class TestAuthenticatorEmailStage(FlowTestCase):
                 data={"component": "ak-stage-authenticator-email", "code": device.token},
             )
             self.assertEqual(response.status_code, 200)
-            self.assertTrue(device.confirmed)
-            # Session key should be removed after device is saved
-            device.save()
-            self.assertNotIn(SESSION_KEY_EMAIL_DEVICE, self.client.session)
 
     def test_model_properties_and_methods(self):
         """Test model properties"""
@@ -329,7 +325,6 @@ class TestAuthenticatorEmailStage(FlowTestCase):
             self.stage.send(device)
 
     def test_email_tasks(self):
-
         email_send_mock = MagicMock()
         with patch(
             "authentik.stages.email.tasks.send_mails",

authentik/stages/authenticator_webauthn/mds/aaguid.json

@@ -146,5 +146,10 @@
 		"name": "LogMeOnce",
 		"icon_dark": "data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiIHN0YW5kYWxvbmU9Im5vIj8+CjxzdmcgdmVyc2lvbj0iMS4xIiB2aWV3Qm94PSIwIDAgMjA0OCAyMDQ4IiB3aWR0aD0iMTI4IiBoZWlnaHQ9IjEyOCIgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIj4KPHBhdGggZD0iTSAwIDAgTCAtNSAxIEwgLTE1IDQgTCAtMzggMTEgTCAtNTcgMTggTCAtNzYgMjkgTCAtOTAgMzggTCAtMTA5IDUyIEwgLTExNiA1OSBMIC0xMjcgNjggTCAtMTQwIDgxIEwgLTE0OCA4OCBMIC0xNDkgOTEgTCAtMTUxIDkxIEwgLTE2MSAxMDEgTCAtMTY5IDEwOCBMIC0xNjkgMTEwIEwgLTE3MSAxMTAgTCAtMTgwIDExOSBMIC0xODggMTI2IEwgLTIwMSAxMzcgTCAtMjEyIDE0NiBMIC0yMjYgMTU3IEwgLTIzOSAxNjcgTCAtMjUwIDE3NSBMIC0yNzAgMTg4IEwgLTI5MSAyMDIgTCAtMzA5IDIxMiBMIC0zMzAgMjI0IEwgLTM1MyAyMzUgTCAtMzg2IDI1MCBMIC00MDcgMjU5IEwgLTQ0OSAyNzMgTCAtNDcyIDI4MSBMIC01MDIgMjg5IEwgLTU1MSAyOTggTCAtNjE1IDMwOSBMIC02NDcgMzE2IEwgLTY4MSAzMjQgTCAtNjk4IDMzMCBMIC03MTQgMzM4IEwgLTczNSAzNTEgTCAtNzQ1IDM1OCBMIC03NTYgMzY3IEwgLTc2NCAzNzUgTCAtNzY2IDM3OSBMIC03NjggMzc5IEwgLTc3MyAzODUgTCAtNzgxIDM5NSBMIC03OTEgNDEwIEwgLTgwMSA0MjggTCAtODEwIDQ0NyBMIC04MTYgNDY1IEwgLTgyMiA1MDAgTCAtODI3IDU0NSBMIC04MzAgNTkyIEwgLTgzMiA2NTMgTCAtODMyIDcxMiBMIC04MzEgNzQyIEwgLTgyOCA3OTQgTCAtODIyIDg2NiBMIC04MTYgOTI4IEwgLTgxMiA5NTcgTCAtODAwIDEwMjAgTCAtNzg5IDEwNzIgTCAtNzgzIDEwOTggTCAtNzY1IDExNjIgTCAtNzUxIDEyMDcgTCAtNzQ0IDEyMjUgTCAtNzM0IDEyNTQgTCAtNzIwIDEyOTAgTCAtNzA0IDEzMjggTCAtNjg5IDEzNjEgTCAtNjY4IDE0MDMgTCAtNjUzIDE0MzEgTCAtNjM5IDE0NTYgTCAtNjIwIDE0ODggTCAtNjA3IDE1MDkgTCAtNTk0IDE1MjkgTCAtNTg0IDE1NDQgTCAtNTcxIDE1NjMgTCAtNTU4IDE1ODEgTCAtNTQ0IDE2MDAgTCAtNTMzIDE2MTUgTCAtNTIwIDE2MzIgTCAtNTA3IDE2NDggTCAtNDc5IDE2ODIgTCAtNDcwIDE2OTMgTCAtNDYwIDE3MDQgTCAtNDQ5IDE3MTYgTCAtNDQyIDE3MjQgTCAtNDMyIDE3MzQgTCAtNDI1IDE3NDIgTCAtMzY4IDE3OTkgTCAtMzUxIDE4MTUgTCAtMzM1IDE4MzAgTCAtMzI3IDE4MzcgTCAtMzE0IDE4NDkgTCAtMjg4IDE4NzEgTCAtMjcxIDE4ODUgTCAtMjYxIDE4OTMgTCAtMjQ0IDE5MDcgTCAtMjI4IDE5MTkgTCAtMjE1IDE5MjkgTCAtMTk2IDE5NDMgTCAtMTg0IDE5NTIgTCAtMTY4IDE5NjMgTCAtMTQ4IDE5NzcgTCAtMTMzIDE5ODcgTCAtMTEyIDIwMDAgTCAtODggMjAxMyBMIC03MiAyMDIxIEwgLTUyIDIwMzAgTCAtMzIgMjAzNyBMIDEyIDIwNDggTCA2MCAyMDQ4IEwgNjEgMjA0NyBMIDczIDIwNDQgTCAxMDAgMjAzNyBMIDEyMSAyMDI5IEwgMTQ5IDIwMTUgTCAxNjcgMjAwNSBMIDE4NiAxOTk0IEwgMjEwIDE5NzkgTCAyMzEgMTk2NSBMIDI2NiAxOTQxIEwgMjg0IDE5MjggTCAyOTUgMTkyMCBMIDMwNiAxOTExIEwgMzI0IDE4OTggTCAzMzggMTg4NyBMIDM0OSAxODc3IEwgMzU4IDE4NzAgTCAzNjkgMTg2MCBMIDM4MCAxODUxIEwgMzgwIDE4NDkgTCAzODIgMTg0OSBMIDM4NSAxODQ2IEwgMzk2IDE4MzcgTCA0MDMgMTgzMCBMIDQxMSAxODIzIEwgNDE4IDE4MTYgTCA0MjYgMTgwOSBMIDQ3NSAxNzYwIEwgNDc3IDE3NTYgTCA0NzkgMTc1NiBMIDQ4NyAxNzQ3IEwgNTAzIDE3MzAgTCA1MTAgMTcyMiBMIDUxOSAxNzEyIEwgNTI2IDE3MDQgTCA1MzggMTY5MSBMIDU0NyAxNjgwIEwgNTU4IDE2NjcgTCA1NjYgMTY1NiBMIDU3OSAxNjQwIEwgNTkwIDE2MjYgTCA2MDYgMTYwNSBMIDYyMSAxNTgzIEwgNjMxIDE1NjkgTCA2NDUgMTU0OSBMIDY1NSAxNTMzIEwgNjcwIDE1MTAgTCA2ODUgMTQ4NSBMIDY5NiAxNDY3IEwgNzA2IDE0NDkgTCA3MzAgMTQwNSBMIDc0NSAxMzc0IEwgNzYyIDEzMzggTCA3NzQgMTMxMCBMIDc5MiAxMjY3IEwgODExIDEyMTYgTCA4MjcgMTE2NiBMIDg0MiAxMTE3IEwgODU4IDEwNTEgTCA4NzAgOTk2IEwgODc1IDk2NyBMIDg4MSA5MTcgTCA4ODYgODgyIEwgODkxIDg0NiBMIDg5NCA4MTIgTCA4OTYgNzc0IEwgODk2IDY1NSBMIDg5NSA2MzAgTCA4OTIgNTkzIEwgODg4IDU1OSBMIDg3NyA0NzAgTCA4NzIgNDQ1IEwgODY1IDQyNiBMIDg1NyA0MTEgTCA4NDcgMzk1IEwgODM0IDM3OCBMIDgxNCAzNTggTCA4MDAgMzQ3IEwgNzg1IDMzNyBMIDc2NiAzMjcgTCA3NTAgMzIxIEwgNzI3IDMxNSBMIDY5MyAzMDggTCA2NTAgMzAxIEwgNTk3IDI5MiBMIDU3MCAyODYgTCA1NDggMjgwIEwgNTE1IDI3MCBMIDQ4NyAyNjEgTCA0NTkgMjUwIEwgNDM4IDI0MSBMIDQxNCAyMzAgTCAzODIgMjEzIEwgMzU4IDE5OSBMIDM0NyAxOTIgTCAzMzAgMTgwIEwgMzEyIDE2NyBMIDMwMCAxNTcgTCAyODYgMTQ2IEwgMjcxIDEzMyBMIDI2MyAxMjYgTCAyNTEgMTE1IEwgMjQwIDEwNiBMIDIyOCA5NSBMIDIwMCA3MSBMIDE4OSA2MiBMIDE3NCA1MCBMIDE1OCAzOCBMIDE0MiAyNyBMIDEyNyAxOSBMIDExNSAxNCBMIDk1IDggTCA3MSAwIEwgMCAwIHogTSAzMCA2MjIgTCA1MSA2MjMgTCA3OSA2MjcgTCAxMDAgNjMzIEwgMTIxIDY0MSBMIDE0MSA2NTIgTCAxNTcgNjYzIEwgMTcyIDY3NiBMIDE4NiA2OTAgTCAxODYgNjkyIEwgMTg4IDY5MiBMIDIwNiA3MTYgTCAyMTYgNzM0IEwgMjIxIDc0NSBMIDIyNiA3NTggTCAyMzMgNzg0IEwgMjM2IDc5OCBMIDIzNyA4MDggTCAyMzcgODQwIEwgMjMzIDg2NSBMIDIyNiA4OTEgTCAyMTkgOTA5IEwgMjA5IDkyOCBMIDE5NSA5NDkgTCAxODYgOTU5IEwgMTc5IDk2NyBMIDE2NiA5ODAgTCAxNTUgOTg5IEwgMTQyIDk5OCBMIDEyNiAxMDA3IEwgMTEzIDEwMTIgTCAxMTQgMTAyNCBMIDEyMiAxMDYwIEwgMTM3IDExMjMgTCAxNTYgMTIwOCBMIDE3MCAxMjcxIEwgMTc0IDEyOTYgTCAxNzYgMTMxMCBMIDE3NiAxMzM1IEwgMTczIDEzNDkgTCAxNjYgMTM1OSBMIDE1NyAxMzY3IEwgMTQ2IDEzNzIgTCAxNDAgMTM3NCBMIDExOSAxMzc2IEwgNTEgMTM3NiBMIC0zMiAxMzc3IEwgLTY0IDEzNzcgTCAtNzggMTM3NCBMIC04NSAxMzcwIEwgLTk4IDEzNTkgTCAtMTA2IDEzNDkgTCAtMTEwIDEzNDEgTCAtMTEyIDEzMzMgTCAtMTEyIDEzMTggTCAtMTA3IDEyODggTCAtMTAwIDEyNTYgTCAtODUgMTE5NiBMIC02OSAxMTI0IEwgLTU3IDEwNzIgTCAtNTAgMTAzNiBMIC00NyAxMDExIEwgLTUzIDEwMDkgTCAtNjkgMTAwMSBMIC04MSA5OTQgTCAtOTMgOTg1IEwgLTEwMyA5NzYgTCAtMTExIDk2OSBMIC0xMjAgOTYwIEwgLTEzMSA5NDYgTCAtMTQyIDkyOSBMIC0xNTIgOTEwIEwgLTE2MCA4OTAgTCAtMTY2IDg3MCBMIC0xNjkgODUzIEwgLTE3MCA4NDQgTCAtMTcwIDgxNCBMIC0xNjcgNzk0IEwgLTE2MSA3NjcgTCAtMTU0IDc0NiBMIC0xMzcgNzEzIEwgLTEyNiA2OTggTCAtMTE5IDY5MCBMIC0xMDggNjc4IEwgLTkzIDY2NSBMIC03NyA2NTMgTCAtNTYgNjQxIEwgLTM4IDYzMyBMIC0xNiA2MjcgTCAzIDYyNCBMIDMwIDYyMiB6ICIgdHJhbnNmb3JtPSJ0cmFuc2xhdGUoOTkxKSIgc3R5bGU9ImZpbGw6I2ZmZmZmZiIgLz4KPC9zdmc+Cg==",
 		"icon_light": "data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB2ZXJzaW9uPSIxLjEiIHZpZXdCb3g9IjAgMCAyMDQ4IDIwNDgiIHdpZHRoPSIxMjgiIGhlaWdodD0iMTI4IiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPgo8cGF0aCB0cmFuc2Zvcm09InRyYW5zbGF0ZSg5OTEpIiBkPSJtMCAwaDcxbDI0IDggMjAgNiAxMiA1IDE1IDggMTYgMTEgMTYgMTIgMTUgMTIgMTEgOSAyOCAyNCAxMiAxMSAxMSA5IDEyIDExIDggNyAxNSAxMyAxNCAxMSAxMiAxMCAxOCAxMyAxNyAxMiAxMSA3IDI0IDE0IDMyIDE3IDI0IDExIDIxIDkgMjggMTEgMjggOSAzMyAxMCAyMiA2IDI3IDYgNTMgOSA0MyA3IDM0IDcgMjMgNiAxNiA2IDE5IDEwIDE1IDEwIDE0IDExIDIwIDIwIDEzIDE3IDEwIDE2IDggMTUgNyAxOSA1IDI1IDExIDg5IDQgMzQgMyAzNyAxIDI1djExOWwtMiAzOC0zIDM0LTUgMzYtNSAzNS02IDUwLTUgMjktMTIgNTUtMTYgNjYtMTUgNDktMTYgNTAtMTkgNTEtMTggNDMtMTIgMjgtMTcgMzYtMTUgMzEtMjQgNDQtMTAgMTgtMTEgMTgtMTUgMjUtMTUgMjMtMTAgMTYtMTQgMjAtMTAgMTQtMTUgMjItMTYgMjEtMTEgMTQtMTMgMTYtOCAxMS0xMSAxMy05IDExLTEyIDEzLTcgOC05IDEwLTcgOC0xNiAxNy04IDloLTJsLTIgNC00OSA0OS04IDctNyA3LTggNy03IDctMTEgOS0zIDNoLTJ2MmwtMTEgOS0xMSAxMC05IDctMTEgMTAtMTQgMTEtMTggMTMtMTEgOS0xMSA4LTE4IDEzLTM1IDI0LTIxIDE0LTI0IDE1LTE5IDExLTE4IDEwLTI4IDE0LTIxIDgtMjcgNy0xMiAzLTEgMWgtNDhsLTQ0LTExLTIwLTctMjAtOS0xNi04LTI0LTEzLTIxLTEzLTE1LTEwLTIwLTE0LTE2LTExLTEyLTktMTktMTQtMTMtMTAtMTYtMTItMTctMTQtMTAtOC0xNy0xNC0yNi0yMi0xMy0xMi04LTctMTYtMTUtMTctMTYtNTctNTctNy04LTEwLTEwLTctOC0xMS0xMi0xMC0xMS05LTExLTI4LTM0LTEzLTE2LTEzLTE3LTExLTE1LTE0LTE5LTEzLTE4LTEzLTE5LTEwLTE1LTEzLTIwLTEzLTIxLTE5LTMyLTE0LTI1LTE1LTI4LTIxLTQyLTE1LTMzLTE2LTM4LTE0LTM2LTEwLTI5LTctMTgtMTQtNDUtMTgtNjQtNi0yNi0xMS01Mi0xMi02My00LTI5LTYtNjItNi03Mi0zLTUyLTEtMzB2LTU5bDItNjEgMy00NyA1LTQ1IDYtMzUgNi0xOCA5LTE5IDEwLTE4IDEwLTE1IDgtMTAgNS02aDJsMi00IDgtOCAxMS05IDEwLTcgMjEtMTMgMTYtOCAxNy02IDM0LTggMzItNyA2NC0xMSA0OS05IDMwLTggMjMtOCA0Mi0xNCAyMS05IDMzLTE1IDIzLTExIDIxLTEyIDE4LTEwIDIxLTE0IDIwLTEzIDExLTggMTMtMTAgMTQtMTEgMTEtOSAxMy0xMSA4LTcgOS05aDJ2LTJsOC03IDEwLTEwaDJsMS0zIDgtNyAxMy0xMyAxMS05IDctNyAxOS0xNCAxNC05IDE5LTExIDE5LTcgMjMtNyAxMC0zeiIgZmlsbD0iI0YxODQyOSIvPgo8cGF0aCB0cmFuc2Zvcm09InRyYW5zbGF0ZSgxMDIxLDYyMikiIGQ9Im0wIDAgMjEgMSAyOCA0IDIxIDYgMjEgOCAyMCAxMSAxNiAxMSAxNSAxMyAxNCAxNHYyaDJsMTggMjQgMTAgMTggNSAxMSA1IDEzIDcgMjYgMyAxNCAxIDEwdjMybC00IDI1LTcgMjYtNyAxOC0xMCAxOS0xNCAyMS05IDEwLTcgOC0xMyAxMy0xMSA5LTEzIDktMTYgOS0xMyA1IDEgMTIgOCAzNiAxNSA2MyAxOSA4NSAxNCA2MyA0IDI1IDIgMTR2MjVsLTMgMTQtNyAxMC05IDgtMTEgNS02IDItMjEgMmgtNjhsLTgzIDFoLTMybC0xNC0zLTctNC0xMy0xMS04LTEwLTQtOC0yLTh2LTE1bDUtMzAgNy0zMiAxNS02MCAxNi03MiAxMi01MiA3LTM2IDMtMjUtNi0yLTE2LTgtMTItNy0xMi05LTEwLTktOC03LTktOS0xMS0xNC0xMS0xNy0xMC0xOS04LTIwLTYtMjAtMy0xNy0xLTl2LTMwbDMtMjAgNi0yNyA3LTIxIDE3LTMzIDExLTE1IDctOCAxMS0xMiAxNS0xMyAxNi0xMiAyMS0xMiAxOC04IDIyLTYgMTktM3oiIGZpbGw9IiNGRUZGRkUiLz4KPC9zdmc+Cg=="
-	}
-}
+	},
+    "a10c6dd9-465e-4226-8198-c7c44b91c555": {
+        "name": "Kaspersky Password Manager",
+        "icon_dark": "data:image/svg+xml;base64,PHN2ZyB3aWR0aD0iNTEyIiBoZWlnaHQ9IjUxMiIgdmlld0JveD0iMCAwIDUxMiA1MTIiIGZpbGw9Im5vbmUiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyI+PGcgY2xpcC1wYXRoPSJ1cmwoI2NsaXAwXzc0ODRfODc0NSkiPjxnIGNsaXAtcGF0aD0idXJsKCNjbGlwMV83NDg0Xzg3NDUpIj48ZyBjbGlwLXBhdGg9InVybCgjY2xpcDJfNzQ4NF84NzQ1KSI+PHBhdGggZD0iTTI4MS45NjQgNi45NjE3MUMyNjUuODkzIC0yLjI5OTc0IDI0Ni4xMDcgLTIuMjk5NzQgMjMwLjAzNiA2Ljk2MTcxTDQ2LjAzNjUgMTEzLjAwMkMyOS45MjcxIDEyMi4yODYgMjAgMTM5LjQ2NiAyMCAxNTguMDZWMzUzLjk3MkMyMCAzNzIuNTY2IDI5LjkyNzEgMzg5Ljc0NSA0Ni4wMzY1IDM5OS4wMjlMMjMwLjAzNiA1MDUuMDdDMjQ2LjEwNyA1MTQuMzMxIDI2NS44OTMgNTE0LjMzMSAyODEuOTY0IDUwNS4wN0w0NjUuOTY0IDM5OS4wMjlDNDgyLjA3MyAzODkuNzQ1IDQ5MiAzNzIuNTY2IDQ5MiAzNTMuOTcyVjE1OC4wNkM0OTIgMTM5LjQ2NiA0ODIuMDczIDEyMi4yODYgNDY1Ljk2NCAxMTMuMDAyTDI4MS45NjQgNi45NjE3MVoiIGZpbGw9InVybCgjcGFpbnQwX2xpbmVhcl83NDg0Xzg3NDUpIi8+PHBhdGggZmlsbC1ydWxlPSJldmVub2RkIiBjbGlwLXJ1bGU9ImV2ZW5vZGQiIGQ9Ik00NTMuOTggMTMzLjc5OEwyNjkuOTggMjcuNzU3NEMyNjEuMzI3IDIyLjc3MDQgMjUwLjY3MyAyMi43NzA0IDI0Mi4wMiAyNy43NTc0TDU4LjAxOTYgMTMzLjc5OEM0OS4zNDUzIDEzOC43OTcgNDQgMTQ4LjA0NyA0NCAxNTguMDZWMzUzLjk3MkM0NCAzNjMuOTg0IDQ5LjM0NTMgMzczLjIzNCA1OC4wMTk2IDM3OC4yMzNMMjQyLjAyIDQ4NC4yNzRDMjUwLjY3MyA0ODkuMjYxIDI2MS4zMjcgNDg5LjI2MSAyNjkuOTggNDg0LjI3NEw0NTMuOTggMzc4LjIzM0M0NjIuNjU1IDM3My4yMzQgNDY4IDM2My45ODQgNDY4IDM1My45NzJWMTU4LjA2QzQ2OCAxNDguMDQ3IDQ2Mi42NTUgMTM4Ljc5NyA0NTMuOTggMTMzLjc5OFpNMjgxLjk2NCA2Ljk2MTcxQzI2NS44OTMgLTIuMjk5NzQgMjQ2LjEwNyAtMi4yOTk3NCAyMzAuMDM2IDYuOTYxNzFMNDYuMDM2NSAxMTMuMDAyQzI5LjkyNzEgMTIyLjI4NiAyMCAxMzkuNDY2IDIwIDE1OC4wNlYzNTMuOTcyQzIwIDM3Mi41NjYgMjkuOTI3MSAzODkuNzQ1IDQ2LjAzNjUgMzk5LjAyOUwyMzAuMDM2IDUwNS4wN0MyNDYuMTA3IDUxNC4zMzEgMjY1Ljg5MyA1MTQuMzMxIDI4MS45NjQgNTA1LjA3TDQ2NS45NjQgMzk5LjAyOUM0ODIuMDczIDM4OS43NDUgNDkyIDM3Mi41NjYgNDkyIDM1My45NzJWMTU4LjA2QzQ5MiAxMzkuNDY2IDQ4Mi4wNzMgMTIyLjI4NiA0NjUuOTY0IDExMy4wMDJMMjgxLjk2NCA2Ljk2MTcxWiIgZmlsbD0iYmxhY2siLz48L2c+PHBhdGggZmlsbC1ydWxlPSJldmVub2RkIiBjbGlwLXJ1bGU9ImV2ZW5vZGQiIGQ9Ik0yNTYgMTQwQzI0Mi43NDUgMTQwIDIzMiAxNTAuNzQ1IDIzMiAxNjRDMjMyIDE3Ny4yNTUgMjQyLjc0NSAxODggMjU2IDE4OEMyNjkuMjU1IDE4OCAyODAgMTc3LjI1NSAyODAgMTY0QzI4MCAxNTAuNzQ1IDI2OS4yNTUgMTQwIDI1NiAxNDBaTTI0OCAxNjRDMjQ4IDE1OS41ODIgMjUxLjU4MiAxNTYgMjU2IDE1NkMyNjAuNDE4IDE1NiAyNjQgMTU5LjU4MiAyNjQgMTY0QzI2NCAxNjguNDE4IDI2MC40MTggMTcyIDI1NiAxNzJDMjUxLjU4MiAxNzIgMjQ4IDE2OC40MTggMjQ4IDE2NFoiIGZpbGw9ImJsYWNrIi8+PHBhdGggZmlsbC1ydWxlPSJldmVub2RkIiBjbGlwLXJ1bGU9ImV2ZW5vZGQiIGQ9Ik0xNzIgMTkyQzE3MiAxNDUuNjA4IDIwOS42MDggMTA4IDI1NiAxMDhDMzAyLjM5MiAxMDggMzQwIDE0NS42MDggMzQwIDE5MkMzNDAgMjI3LjA2MSAzMTguNTE5IDI1Ny4xMDUgMjg4IDI2OS42OVYzODYuNjdDMjg4IDM5Mi4zOTEgMjg0Ljk0NiAzOTcuNjc2IDI3OS45ODkgNDAwLjUzM0wyNjMuOTg5IDQwOS43NTNDMjU5LjA0NCA0MTIuNjAzIDI1Mi45NTYgNDEyLjYwMyAyNDguMDExIDQwOS43NTNMMjMyLjAxMSA0MDAuNTMzQzIyNy4wNTQgMzk3LjY3NiAyMjQgMzkyLjM5MSAyMjQgMzg2LjY3VjM3MkMyMjQgMzY5Ljg3OCAyMjQuODQzIDM2Ny44NDQgMjI2LjM0MyAzNjYuMzQzTDIzNiAzNTYuNjg2VjM1NS4zMTRMMjI2LjM0MyAzNDUuNjU3QzIyNC44NDMgMzQ0LjE1NyAyMjQgMzQyLjEyMiAyMjQgMzQwVjMzMkMyMjQgMzI5Ljg3OCAyMjQuODQzIDMyNy44NDQgMjI2LjM0MyAzMjYuMzQzTDIzNiAzMTYuNjg2VjMxNS4zMTRMMjI2LjM0MyAzMDUuNjU3QzIyNC44NDMgMzA0LjE1NyAyMjQgMzAyLjEyMiAyMjQgMzAwVjI2OS42OUMxOTMuNDgxIDI1Ny4xMDUgMTcyIDIyNy4wNjEgMTcyIDE5MlpNMjU2IDEyNEMyMTguNDQ1IDEyNCAxODggMTU0LjQ0NSAxODggMTkyQzE4OCAyMjkuNTU1IDIxOC40NDUgMjYwIDI1NiAyNjBDMjkzLjU1NSAyNjAgMzI0IDIyOS41NTUgMzI0IDE5MkMzMjQgMTU0LjQ0NSAyOTMuNTU1IDEyNCAyNTYgMTI0Wk0yNTYgMjc2QzI2MS40NzEgMjc2IDI2Ni44MiAyNzUuNDc3IDI3MiAyNzQuNDc4VjM4Ni42N0wyNTYgMzk1Ljg5TDI0MCAzODYuNjdWMzc1LjMxNEwyNDkuNjU3IDM2NS42NTdDMjUxLjE1NyAzNjQuMTU3IDI1MiAzNjIuMTIyIDI1MiAzNjBWMzUyQzI1MiAzNDkuODc4IDI1MS4xNTcgMzQ3Ljg0NCAyNDkuNjU3IDM0Ni4zNDNMMjQwIDMzNi42ODZWMzM1LjMxNEwyNDkuNjU3IDMyNS42NTdDMjUxLjE1NyAzMjQuMTU3IDI1MiAzMjIuMTIyIDI1MiAzMjBWMzEyQzI1MiAzMDkuODc4IDI1MS4xNTcgMzA3Ljg0NCAyNDkuNjU3IDMwNi4zNDNMMjQwIDI5Ni42ODZWMjc0LjQ3OEMyNDUuMTggMjc1LjQ3NyAyNTAuNTI5IDI3NiAyNTYgMjc2WiIgZmlsbD0iYmxhY2siLz48L2c+PC9nPjxkZWZzPjxsaW5lYXJHcmFkaWVudCBpZD0icGFpbnQwX2xpbmVhcl83NDg0Xzg3NDUiIHgxPSIzOTMuODY1IiB5MT0iNjMuMjc5NiIgeDI9Ijk5LjIwNDMiIHkyPSI0MjkuOTk4IiBncmFkaWVudFVuaXRzPSJ1c2VyU3BhY2VPblVzZSI+PHN0b3Agc3RvcC1jb2xvcj0iIzRERkY4OCIvPjxzdG9wIG9mZnNldD0iMSIgc3RvcC1jb2xvcj0iIzNERThDQSIvPjwvbGluZWFyR3JhZGllbnQ+PGNsaXBQYXRoIGlkPSJjbGlwMF83NDg0Xzg3NDUiPjxyZWN0IHdpZHRoPSI1MTIiIGhlaWdodD0iNTEyIiBmaWxsPSJ3aGl0ZSIvPjwvY2xpcFBhdGg+PGNsaXBQYXRoIGlkPSJjbGlwMV83NDg0Xzg3NDUiPjxyZWN0IHdpZHRoPSI1MTIiIGhlaWdodD0iNTEyIiBmaWxsPSJ3aGl0ZSIvPjwvY2xpcFBhdGg+PGNsaXBQYXRoIGlkPSJjbGlwMl83NDg0Xzg3NDUiPjxyZWN0IHdpZHRoPSI1MTIiIGhlaWdodD0iNTEyIiBmaWxsPSJ3aGl0ZSIvPjwvY2xpcFBhdGg+PC9kZWZzPjwvc3ZnPg==",
+        "icon_light": "data:image/svg+xml;base64,PHN2ZyB3aWR0aD0iNTEyIiBoZWlnaHQ9IjUxMiIgdmlld0JveD0iMCAwIDUxMiA1MTIiIGZpbGw9Im5vbmUiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyI+PGcgY2xpcC1wYXRoPSJ1cmwoI2NsaXAwXzc0ODRfODc0NSkiPjxnIGNsaXAtcGF0aD0idXJsKCNjbGlwMV83NDg0Xzg3NDUpIj48ZyBjbGlwLXBhdGg9InVybCgjY2xpcDJfNzQ4NF84NzQ1KSI+PHBhdGggZD0iTTI4MS45NjQgNi45NjE3MUMyNjUuODkzIC0yLjI5OTc0IDI0Ni4xMDcgLTIuMjk5NzQgMjMwLjAzNiA2Ljk2MTcxTDQ2LjAzNjUgMTEzLjAwMkMyOS45MjcxIDEyMi4yODYgMjAgMTM5LjQ2NiAyMCAxNTguMDZWMzUzLjk3MkMyMCAzNzIuNTY2IDI5LjkyNzEgMzg5Ljc0NSA0Ni4wMzY1IDM5OS4wMjlMMjMwLjAzNiA1MDUuMDdDMjQ2LjEwNyA1MTQuMzMxIDI2NS44OTMgNTE0LjMzMSAyODEuOTY0IDUwNS4wN0w0NjUuOTY0IDM5OS4wMjlDNDgyLjA3MyAzODkuNzQ1IDQ5MiAzNzIuNTY2IDQ5MiAzNTMuOTcyVjE1OC4wNkM0OTIgMTM5LjQ2NiA0ODIuMDczIDEyMi4yODYgNDY1Ljk2NCAxMTMuMDAyTDI4MS45NjQgNi45NjE3MVoiIGZpbGw9InVybCgjcGFpbnQwX2xpbmVhcl83NDg0Xzg3NDUpIi8+PHBhdGggZmlsbC1ydWxlPSJldmVub2RkIiBjbGlwLXJ1bGU9ImV2ZW5vZGQiIGQ9Ik00NTMuOTggMTMzLjc5OEwyNjkuOTggMjcuNzU3NEMyNjEuMzI3IDIyLjc3MDQgMjUwLjY3MyAyMi43NzA0IDI0Mi4wMiAyNy43NTc0TDU4LjAxOTYgMTMzLjc5OEM0OS4zNDUzIDEzOC43OTcgNDQgMTQ4LjA0NyA0NCAxNTguMDZWMzUzLjk3MkM0NCAzNjMuOTg0IDQ5LjM0NTMgMzczLjIzNCA1OC4wMTk2IDM3OC4yMzNMMjQyLjAyIDQ4NC4yNzRDMjUwLjY3MyA0ODkuMjYxIDI2MS4zMjcgNDg5LjI2MSAyNjkuOTggNDg0LjI3NEw0NTMuOTggMzc4LjIzM0M0NjIuNjU1IDM3My4yMzQgNDY4IDM2My45ODQgNDY4IDM1My45NzJWMTU4LjA2QzQ2OCAxNDguMDQ3IDQ2Mi42NTUgMTM4Ljc5NyA0NTMuOTggMTMzLjc5OFpNMjgxLjk2NCA2Ljk2MTcxQzI2NS44OTMgLTIuMjk5NzQgMjQ2LjEwNyAtMi4yOTk3NCAyMzAuMDM2IDYuOTYxNzFMNDYuMDM2NSAxMTMuMDAyQzI5LjkyNzEgMTIyLjI4NiAyMCAxMzkuNDY2IDIwIDE1OC4wNlYzNTMuOTcyQzIwIDM3Mi41NjYgMjkuOTI3MSAzODkuNzQ1IDQ2LjAzNjUgMzk5LjAyOUwyMzAuMDM2IDUwNS4wN0MyNDYuMTA3IDUxNC4zMzEgMjY1Ljg5MyA1MTQuMzMxIDI4MS45NjQgNTA1LjA3TDQ2NS45NjQgMzk5LjAyOUM0ODIuMDczIDM4OS43NDUgNDkyIDM3Mi41NjYgNDkyIDM1My45NzJWMTU4LjA2QzQ5MiAxMzkuNDY2IDQ4Mi4wNzMgMTIyLjI4NiA0NjUuOTY0IDExMy4wMDJMMjgxLjk2NCA2Ljk2MTcxWiIgZmlsbD0iYmxhY2siLz48L2c+PHBhdGggZmlsbC1ydWxlPSJldmVub2RkIiBjbGlwLXJ1bGU9ImV2ZW5vZGQiIGQ9Ik0yNTYgMTQwQzI0Mi43NDUgMTQwIDIzMiAxNTAuNzQ1IDIzMiAxNjRDMjMyIDE3Ny4yNTUgMjQyLjc0NSAxODggMjU2IDE4OEMyNjkuMjU1IDE4OCAyODAgMTc3LjI1NSAyODAgMTY0QzI4MCAxNTAuNzQ1IDI2OS4yNTUgMTQwIDI1NiAxNDBaTTI0OCAxNjRDMjQ4IDE1OS41ODIgMjUxLjU4MiAxNTYgMjU2IDE1NkMyNjAuNDE4IDE1NiAyNjQgMTU5LjU4MiAyNjQgMTY0QzI2NCAxNjguNDE4IDI2MC40MTggMTcyIDI1NiAxNzJDMjUxLjU4MiAxNzIgMjQ4IDE2OC40MTggMjQ4IDE2NFoiIGZpbGw9ImJsYWNrIi8+PHBhdGggZmlsbC1ydWxlPSJldmVub2RkIiBjbGlwLXJ1bGU9ImV2ZW5vZGQiIGQ9Ik0xNzIgMTkyQzE3MiAxNDUuNjA4IDIwOS42MDggMTA4IDI1NiAxMDhDMzAyLjM5MiAxMDggMzQwIDE0NS42MDggMzQwIDE5MkMzNDAgMjI3LjA2MSAzMTguNTE5IDI1Ny4xMDUgMjg4IDI2OS42OVYzODYuNjdDMjg4IDM5Mi4zOTEgMjg0Ljk0NiAzOTcuNjc2IDI3OS45ODkgNDAwLjUzM0wyNjMuOTg5IDQwOS43NTNDMjU5LjA0NCA0MTIuNjAzIDI1Mi45NTYgNDEyLjYwMyAyNDguMDExIDQwOS43NTNMMjMyLjAxMSA0MDAuNTMzQzIyNy4wNTQgMzk3LjY3NiAyMjQgMzkyLjM5MSAyMjQgMzg2LjY3VjM3MkMyMjQgMzY5Ljg3OCAyMjQuODQzIDM2Ny44NDQgMjI2LjM0MyAzNjYuMzQzTDIzNiAzNTYuNjg2VjM1NS4zMTRMMjI2LjM0MyAzNDUuNjU3QzIyNC44NDMgMzQ0LjE1NyAyMjQgMzQyLjEyMiAyMjQgMzQwVjMzMkMyMjQgMzI5Ljg3OCAyMjQuODQzIDMyNy44NDQgMjI2LjM0MyAzMjYuMzQzTDIzNiAzMTYuNjg2VjMxNS4zMTRMMjI2LjM0MyAzMDUuNjU3QzIyNC44NDMgMzA0LjE1NyAyMjQgMzAyLjEyMiAyMjQgMzAwVjI2OS42OUMxOTMuNDgxIDI1Ny4xMDUgMTcyIDIyNy4wNjEgMTcyIDE5MlpNMjU2IDEyNEMyMTguNDQ1IDEyNCAxODggMTU0LjQ0NSAxODggMTkyQzE4OCAyMjkuNTU1IDIxOC40NDUgMjYwIDI1NiAyNjBDMjkzLjU1NSAyNjAgMzI0IDIyOS41NTUgMzI0IDE5MkMzMjQgMTU0LjQ0NSAyOTMuNTU1IDEyNCAyNTYgMTI0Wk0yNTYgMjc2QzI2MS40NzEgMjc2IDI2Ni44MiAyNzUuNDc3IDI3MiAyNzQuNDc4VjM4Ni42N0wyNTYgMzk1Ljg5TDI0MCAzODYuNjdWMzc1LjMxNEwyNDkuNjU3IDM2NS42NTdDMjUxLjE1NyAzNjQuMTU3IDI1MiAzNjIuMTIyIDI1MiAzNjBWMzUyQzI1MiAzNDkuODc4IDI1MS4xNTcgMzQ3Ljg0NCAyNDkuNjU3IDM0Ni4zNDNMMjQwIDMzNi42ODZWMzM1LjMxNEwyNDkuNjU3IDMyNS42NTdDMjUxLjE1NyAzMjQuMTU3IDI1MiAzMjIuMTIyIDI1MiAzMjBWMzEyQzI1MiAzMDkuODc4IDI1MS4xNTcgMzA3Ljg0NCAyNDkuNjU3IDMwNi4zNDNMMjQwIDI5Ni42ODZWMjc0LjQ3OEMyNDUuMTggMjc1LjQ3NyAyNTAuNTI5IDI3NiAyNTYgMjc2WiIgZmlsbD0iYmxhY2siLz48L2c+PC9nPjxkZWZzPjxsaW5lYXJHcmFkaWVudCBpZD0icGFpbnQwX2xpbmVhcl83NDg0Xzg3NDUiIHgxPSIzOTMuODY1IiB5MT0iNjMuMjc5NiIgeDI9Ijk5LjIwNDMiIHkyPSI0MjkuOTk4IiBncmFkaWVudFVuaXRzPSJ1c2VyU3BhY2VPblVzZSI+PHN0b3Agc3RvcC1jb2xvcj0iIzRERkY4OCIvPjxzdG9wIG9mZnNldD0iMSIgc3RvcC1jb2xvcj0iIzNERThDQSIvPjwvbGluZWFyR3JhZGllbnQ+PGNsaXBQYXRoIGlkPSJjbGlwMF83NDg0Xzg3NDUiPjxyZWN0IHdpZHRoPSI1MTIiIGhlaWdodD0iNTEyIiBmaWxsPSJ3aGl0ZSIvPjwvY2xpcFBhdGg+PGNsaXBQYXRoIGlkPSJjbGlwMV83NDg0Xzg3NDUiPjxyZWN0IHdpZHRoPSI1MTIiIGhlaWdodD0iNTEyIiBmaWxsPSJ3aGl0ZSIvPjwvY2xpcFBhdGg+PGNsaXBQYXRoIGlkPSJjbGlwMl83NDg0Xzg3NDUiPjxyZWN0IHdpZHRoPSI1MTIiIGhlaWdodD0iNTEyIiBmaWxsPSJ3aGl0ZSIvPjwvY2xpcFBhdGg+PC9kZWZzPjwvc3ZnPg=="
+    }
+}

authentik/stages/email/tasks.py

@@ -12,6 +12,7 @@ from structlog.stdlib import get_logger
 
 from authentik.events.models import Event, EventAction, TaskStatus
 from authentik.events.system_tasks import SystemTask
+from authentik.lib.utils.reflection import class_to_path, path_to_class
 from authentik.root.celery import CELERY_APP
 from authentik.stages.authenticator_email.models import AuthenticatorEmailStage
 from authentik.stages.email.models import EmailStage
@@ -32,9 +33,10 @@ def send_mails(
         Celery group promise for the email sending tasks
     """
     tasks = []
-    stage_class = stage.__class__
+    # Use the class path instead of the class itself for serialization
+    stage_class_path = class_to_path(stage.__class__)
     for message in messages:
-        tasks.append(send_mail.s(message.__dict__, stage_class, str(stage.pk)))
+        tasks.append(send_mail.s(message.__dict__, stage_class_path, str(stage.pk)))
     lazy_group = group(*tasks)
     promise = lazy_group()
     return promise
@@ -61,7 +63,7 @@ def get_email_body(email: EmailMultiAlternatives) -> str:
 def send_mail(
     self: SystemTask,
     message: dict[Any, Any],
-    stage_class: EmailStage | AuthenticatorEmailStage = EmailStage,
+    stage_class_path: str | None = None,
     email_stage_pk: str | None = None,
 ):
     """Send Email for Email Stage. Retries are scheduled automatically."""
@@ -69,9 +71,10 @@ def send_mail(
     message_id = make_msgid(domain=DNS_NAME)
     self.set_uid(slugify(message_id.replace(".", "_").replace("@", "_")))
     try:
-        if not email_stage_pk:
-            stage: EmailStage | AuthenticatorEmailStage = stage_class(use_global_settings=True)
+        if not stage_class_path or not email_stage_pk:
+            stage = EmailStage(use_global_settings=True)
         else:
+            stage_class = path_to_class(stage_class_path)
             stages = stage_class.objects.filter(pk=email_stage_pk)
             if not stages.exists():
                 self.set_status(

authentik/stages/email/tests/test_tasks.py

@@ -0,0 +1,58 @@
+"""Test email stage tasks"""
+
+from unittest.mock import patch
+
+from django.core.mail import EmailMultiAlternatives
+from django.test import TestCase
+
+from authentik.core.tests.utils import create_test_admin_user
+from authentik.lib.utils.reflection import class_to_path
+from authentik.stages.authenticator_email.models import AuthenticatorEmailStage
+from authentik.stages.email.models import EmailStage
+from authentik.stages.email.tasks import get_email_body, send_mails
+
+
+class TestEmailTasks(TestCase):
+    """Test email stage tasks"""
+
+    def setUp(self):
+        self.user = create_test_admin_user()
+        self.stage = EmailStage.objects.create(
+            name="test-email",
+            use_global_settings=True,
+        )
+        self.auth_stage = AuthenticatorEmailStage.objects.create(
+            name="test-auth-email",
+            use_global_settings=True,
+        )
+
+    def test_get_email_body_html(self):
+        """Test get_email_body with HTML alternative"""
+        message = EmailMultiAlternatives()
+        message.body = "plain text"
+        message.attach_alternative("<p>html content</p>", "text/html")
+        self.assertEqual(get_email_body(message), "<p>html content</p>")
+
+    def test_get_email_body_plain(self):
+        """Test get_email_body with plain text only"""
+        message = EmailMultiAlternatives()
+        message.body = "plain text"
+        self.assertEqual(get_email_body(message), "plain text")
+
+    def test_send_mails_email_stage(self):
+        """Test send_mails with EmailStage"""
+        message = EmailMultiAlternatives()
+        with patch("authentik.stages.email.tasks.send_mail") as mock_send:
+            send_mails(self.stage, message)
+            mock_send.s.assert_called_once_with(
+                message.__dict__, class_to_path(EmailStage), str(self.stage.pk)
+            )
+
+    def test_send_mails_authenticator_stage(self):
+        """Test send_mails with AuthenticatorEmailStage"""
+        message = EmailMultiAlternatives()
+        with patch("authentik.stages.email.tasks.send_mail") as mock_send:
+            send_mails(self.auth_stage, message)
+            mock_send.s.assert_called_once_with(
+                message.__dict__, class_to_path(AuthenticatorEmailStage), str(self.auth_stage.pk)
+            )

blueprints/default/flow-default-authenticator-totp-setup.yaml

@@ -5,7 +5,7 @@ entries:
 - attrs:
     designation: stage_configuration
     name: default-authenticator-totp-setup
-    title: Setup Two-Factor authentication
+    title: Set up Two-Factor authentication
     authentication: require_authenticated
   identifiers:
     slug: default-authenticator-totp-setup

blueprints/schema.json

@@ -2,7 +2,7 @@
     "$schema": "http://json-schema.org/draft-07/schema",
     "$id": "https://goauthentik.io/blueprints/schema.json",
     "type": "object",
-    "title": "authentik 2024.12.3 Blueprint schema",
+    "title": "authentik 2025.2.1 Blueprint schema",
     "required": [
         "version",
         "entries"
@@ -801,6 +801,126 @@
                             }
                         }
                     },
+                    {
+                        "type": "object",
+                        "required": [
+                            "model",
+                            "identifiers"
+                        ],
+                        "properties": {
+                            "model": {
+                                "const": "authentik_providers_rac.racprovider"
+                            },
+                            "id": {
+                                "type": "string"
+                            },
+                            "state": {
+                                "type": "string",
+                                "enum": [
+                                    "absent",
+                                    "present",
+                                    "created",
+                                    "must_created"
+                                ],
+                                "default": "present"
+                            },
+                            "conditions": {
+                                "type": "array",
+                                "items": {
+                                    "type": "boolean"
+                                }
+                            },
+                            "permissions": {
+                                "$ref": "#/$defs/model_authentik_providers_rac.racprovider_permissions"
+                            },
+                            "attrs": {
+                                "$ref": "#/$defs/model_authentik_providers_rac.racprovider"
+                            },
+                            "identifiers": {
+                                "$ref": "#/$defs/model_authentik_providers_rac.racprovider"
+                            }
+                        }
+                    },
+                    {
+                        "type": "object",
+                        "required": [
+                            "model",
+                            "identifiers"
+                        ],
+                        "properties": {
+                            "model": {
+                                "const": "authentik_providers_rac.endpoint"
+                            },
+                            "id": {
+                                "type": "string"
+                            },
+                            "state": {
+                                "type": "string",
+                                "enum": [
+                                    "absent",
+                                    "present",
+                                    "created",
+                                    "must_created"
+                                ],
+                                "default": "present"
+                            },
+                            "conditions": {
+                                "type": "array",
+                                "items": {
+                                    "type": "boolean"
+                                }
+                            },
+                            "permissions": {
+                                "$ref": "#/$defs/model_authentik_providers_rac.endpoint_permissions"
+                            },
+                            "attrs": {
+                                "$ref": "#/$defs/model_authentik_providers_rac.endpoint"
+                            },
+                            "identifiers": {
+                                "$ref": "#/$defs/model_authentik_providers_rac.endpoint"
+                            }
+                        }
+                    },
+                    {
+                        "type": "object",
+                        "required": [
+                            "model",
+                            "identifiers"
+                        ],
+                        "properties": {
+                            "model": {
+                                "const": "authentik_providers_rac.racpropertymapping"
+                            },
+                            "id": {
+                                "type": "string"
+                            },
+                            "state": {
+                                "type": "string",
+                                "enum": [
+                                    "absent",
+                                    "present",
+                                    "created",
+                                    "must_created"
+                                ],
+                                "default": "present"
+                            },
+                            "conditions": {
+                                "type": "array",
+                                "items": {
+                                    "type": "boolean"
+                                }
+                            },
+                            "permissions": {
+                                "$ref": "#/$defs/model_authentik_providers_rac.racpropertymapping_permissions"
+                            },
+                            "attrs": {
+                                "$ref": "#/$defs/model_authentik_providers_rac.racpropertymapping"
+                            },
+                            "identifiers": {
+                                "$ref": "#/$defs/model_authentik_providers_rac.racpropertymapping"
+                            }
+                        }
+                    },
                     {
                         "type": "object",
                         "required": [
@@ -3561,126 +3681,6 @@
                             }
                         }
                     },
-                    {
-                        "type": "object",
-                        "required": [
-                            "model",
-                            "identifiers"
-                        ],
-                        "properties": {
-                            "model": {
-                                "const": "authentik_providers_rac.racprovider"
-                            },
-                            "id": {
-                                "type": "string"
-                            },
-                            "state": {
-                                "type": "string",
-                                "enum": [
-                                    "absent",
-                                    "present",
-                                    "created",
-                                    "must_created"
-                                ],
-                                "default": "present"
-                            },
-                            "conditions": {
-                                "type": "array",
-                                "items": {
-                                    "type": "boolean"
-                                }
-                            },
-                            "permissions": {
-                                "$ref": "#/$defs/model_authentik_providers_rac.racprovider_permissions"
-                            },
-                            "attrs": {
-                                "$ref": "#/$defs/model_authentik_providers_rac.racprovider"
-                            },
-                            "identifiers": {
-                                "$ref": "#/$defs/model_authentik_providers_rac.racprovider"
-                            }
-                        }
-                    },
-                    {
-                        "type": "object",
-                        "required": [
-                            "model",
-                            "identifiers"
-                        ],
-                        "properties": {
-                            "model": {
-                                "const": "authentik_providers_rac.endpoint"
-                            },
-                            "id": {
-                                "type": "string"
-                            },
-                            "state": {
-                                "type": "string",
-                                "enum": [
-                                    "absent",
-                                    "present",
-                                    "created",
-                                    "must_created"
-                                ],
-                                "default": "present"
-                            },
-                            "conditions": {
-                                "type": "array",
-                                "items": {
-                                    "type": "boolean"
-                                }
-                            },
-                            "permissions": {
-                                "$ref": "#/$defs/model_authentik_providers_rac.endpoint_permissions"
-                            },
-                            "attrs": {
-                                "$ref": "#/$defs/model_authentik_providers_rac.endpoint"
-                            },
-                            "identifiers": {
-                                "$ref": "#/$defs/model_authentik_providers_rac.endpoint"
-                            }
-                        }
-                    },
-                    {
-                        "type": "object",
-                        "required": [
-                            "model",
-                            "identifiers"
-                        ],
-                        "properties": {
-                            "model": {
-                                "const": "authentik_providers_rac.racpropertymapping"
-                            },
-                            "id": {
-                                "type": "string"
-                            },
-                            "state": {
-                                "type": "string",
-                                "enum": [
-                                    "absent",
-                                    "present",
-                                    "created",
-                                    "must_created"
-                                ],
-                                "default": "present"
-                            },
-                            "conditions": {
-                                "type": "array",
-                                "items": {
-                                    "type": "boolean"
-                                }
-                            },
-                            "permissions": {
-                                "$ref": "#/$defs/model_authentik_providers_rac.racpropertymapping_permissions"
-                            },
-                            "attrs": {
-                                "$ref": "#/$defs/model_authentik_providers_rac.racpropertymapping"
-                            },
-                            "identifiers": {
-                                "$ref": "#/$defs/model_authentik_providers_rac.racpropertymapping"
-                            }
-                        }
-                    },
                     {
                         "type": "object",
                         "required": [
@@ -4663,6 +4663,7 @@
                         "authentik.providers.ldap",
                         "authentik.providers.oauth2",
                         "authentik.providers.proxy",
+                        "authentik.providers.rac",
                         "authentik.providers.radius",
                         "authentik.providers.saml",
                         "authentik.providers.scim",
@@ -4703,7 +4704,6 @@
                         "authentik.enterprise.audit",
                         "authentik.enterprise.providers.google_workspace",
                         "authentik.enterprise.providers.microsoft_entra",
-                        "authentik.enterprise.providers.rac",
                         "authentik.enterprise.providers.ssf",
                         "authentik.enterprise.stages.authenticator_endpoint_gdtc",
                         "authentik.enterprise.stages.source",
@@ -4738,6 +4738,9 @@
                         "authentik_providers_oauth2.scopemapping",
                         "authentik_providers_oauth2.oauth2provider",
                         "authentik_providers_proxy.proxyprovider",
+                        "authentik_providers_rac.racprovider",
+                        "authentik_providers_rac.endpoint",
+                        "authentik_providers_rac.racpropertymapping",
                         "authentik_providers_radius.radiusprovider",
                         "authentik_providers_radius.radiusproviderpropertymapping",
                         "authentik_providers_saml.samlprovider",
@@ -4807,9 +4810,6 @@
                         "authentik_providers_google_workspace.googleworkspaceprovidermapping",
                         "authentik_providers_microsoft_entra.microsoftentraprovider",
                         "authentik_providers_microsoft_entra.microsoftentraprovidermapping",
-                        "authentik_providers_rac.racprovider",
-                        "authentik_providers_rac.endpoint",
-                        "authentik_providers_rac.racpropertymapping",
                         "authentik_providers_ssf.ssfprovider",
                         "authentik_stages_authenticator_endpoint_gdtc.authenticatorendpointgdtcstage",
                         "authentik_stages_source.sourcestage",
@@ -6046,6 +6046,216 @@
                 }
             }
         },
+        "model_authentik_providers_rac.racprovider": {
+            "type": "object",
+            "properties": {
+                "name": {
+                    "type": "string",
+                    "minLength": 1,
+                    "title": "Name"
+                },
+                "authentication_flow": {
+                    "type": "string",
+                    "format": "uuid",
+                    "title": "Authentication flow",
+                    "description": "Flow used for authentication when the associated application is accessed by an un-authenticated user."
+                },
+                "authorization_flow": {
+                    "type": "string",
+                    "format": "uuid",
+                    "title": "Authorization flow",
+                    "description": "Flow used when authorizing this provider."
+                },
+                "property_mappings": {
+                    "type": "array",
+                    "items": {
+                        "type": "string",
+                        "format": "uuid"
+                    },
+                    "title": "Property mappings"
+                },
+                "settings": {
+                    "type": "object",
+                    "additionalProperties": true,
+                    "title": "Settings"
+                },
+                "connection_expiry": {
+                    "type": "string",
+                    "minLength": 1,
+                    "title": "Connection expiry",
+                    "description": "Determines how long a session lasts. Default of 0 means that the sessions lasts until the browser is closed. (Format: hours=-1;minutes=-2;seconds=-3)"
+                },
+                "delete_token_on_disconnect": {
+                    "type": "boolean",
+                    "title": "Delete token on disconnect",
+                    "description": "When set to true, connection tokens will be deleted upon disconnect."
+                }
+            },
+            "required": []
+        },
+        "model_authentik_providers_rac.racprovider_permissions": {
+            "type": "array",
+            "items": {
+                "type": "object",
+                "required": [
+                    "permission"
+                ],
+                "properties": {
+                    "permission": {
+                        "type": "string",
+                        "enum": [
+                            "add_racprovider",
+                            "change_racprovider",
+                            "delete_racprovider",
+                            "view_racprovider"
+                        ]
+                    },
+                    "user": {
+                        "type": "integer"
+                    },
+                    "role": {
+                        "type": "string"
+                    }
+                }
+            }
+        },
+        "model_authentik_providers_rac.endpoint": {
+            "type": "object",
+            "properties": {
+                "name": {
+                    "type": "string",
+                    "minLength": 1,
+                    "title": "Name"
+                },
+                "provider": {
+                    "type": "integer",
+                    "title": "Provider"
+                },
+                "protocol": {
+                    "type": "string",
+                    "enum": [
+                        "rdp",
+                        "vnc",
+                        "ssh"
+                    ],
+                    "title": "Protocol"
+                },
+                "host": {
+                    "type": "string",
+                    "minLength": 1,
+                    "title": "Host"
+                },
+                "settings": {
+                    "type": "object",
+                    "additionalProperties": true,
+                    "title": "Settings"
+                },
+                "property_mappings": {
+                    "type": "array",
+                    "items": {
+                        "type": "string",
+                        "format": "uuid"
+                    },
+                    "title": "Property mappings"
+                },
+                "auth_mode": {
+                    "type": "string",
+                    "enum": [
+                        "static",
+                        "prompt"
+                    ],
+                    "title": "Auth mode"
+                },
+                "maximum_connections": {
+                    "type": "integer",
+                    "minimum": -2147483648,
+                    "maximum": 2147483647,
+                    "title": "Maximum connections"
+                }
+            },
+            "required": []
+        },
+        "model_authentik_providers_rac.endpoint_permissions": {
+            "type": "array",
+            "items": {
+                "type": "object",
+                "required": [
+                    "permission"
+                ],
+                "properties": {
+                    "permission": {
+                        "type": "string",
+                        "enum": [
+                            "add_endpoint",
+                            "change_endpoint",
+                            "delete_endpoint",
+                            "view_endpoint"
+                        ]
+                    },
+                    "user": {
+                        "type": "integer"
+                    },
+                    "role": {
+                        "type": "string"
+                    }
+                }
+            }
+        },
+        "model_authentik_providers_rac.racpropertymapping": {
+            "type": "object",
+            "properties": {
+                "managed": {
+                    "type": [
+                        "string",
+                        "null"
+                    ],
+                    "minLength": 1,
+                    "title": "Managed by authentik",
+                    "description": "Objects that are managed by authentik. These objects are created and updated automatically. This flag only indicates that an object can be overwritten by migrations. You can still modify the objects via the API, but expect changes to be overwritten in a later update."
+                },
+                "name": {
+                    "type": "string",
+                    "minLength": 1,
+                    "title": "Name"
+                },
+                "expression": {
+                    "type": "string",
+                    "title": "Expression"
+                },
+                "static_settings": {
+                    "type": "object",
+                    "additionalProperties": true,
+                    "title": "Static settings"
+                }
+            },
+            "required": []
+        },
+        "model_authentik_providers_rac.racpropertymapping_permissions": {
+            "type": "array",
+            "items": {
+                "type": "object",
+                "required": [
+                    "permission"
+                ],
+                "properties": {
+                    "permission": {
+                        "type": "string",
+                        "enum": [
+                            "add_racpropertymapping",
+                            "change_racpropertymapping",
+                            "delete_racpropertymapping",
+                            "view_racpropertymapping"
+                        ]
+                    },
+                    "user": {
+                        "type": "integer"
+                    },
+                    "role": {
+                        "type": "string"
+                    }
+                }
+            }
+        },
         "model_authentik_providers_radius.radiusprovider": {
             "type": "object",
             "properties": {
@@ -6459,6 +6669,11 @@
                     "type": "string",
                     "format": "uuid",
                     "title": "Filter group"
+                },
+                "dry_run": {
+                    "type": "boolean",
+                    "title": "Dry run",
+                    "description": "When enabled, provider will not modify or create objects in the remote system."
                 }
             },
             "required": []
@@ -13986,6 +14201,11 @@
                     "type": "string",
                     "minLength": 1,
                     "title": "Default group email domain"
+                },
+                "dry_run": {
+                    "type": "boolean",
+                    "title": "Dry run",
+                    "description": "When enabled, provider will not modify or create objects in the remote system."
                 }
             },
             "required": []
@@ -14134,6 +14354,11 @@
                         "suspend"
                     ],
                     "title": "Group delete action"
+                },
+                "dry_run": {
+                    "type": "boolean",
+                    "title": "Dry run",
+                    "description": "When enabled, provider will not modify or create objects in the remote system."
                 }
             },
             "required": []
@@ -14215,216 +14440,6 @@
                 }
             }
         },
-        "model_authentik_providers_rac.racprovider": {
-            "type": "object",
-            "properties": {
-                "name": {
-                    "type": "string",
-                    "minLength": 1,
-                    "title": "Name"
-                },
-                "authentication_flow": {
-                    "type": "string",
-                    "format": "uuid",
-                    "title": "Authentication flow",
-                    "description": "Flow used for authentication when the associated application is accessed by an un-authenticated user."
-                },
-                "authorization_flow": {
-                    "type": "string",
-                    "format": "uuid",
-                    "title": "Authorization flow",
-                    "description": "Flow used when authorizing this provider."
-                },
-                "property_mappings": {
-                    "type": "array",
-                    "items": {
-                        "type": "string",
-                        "format": "uuid"
-                    },
-                    "title": "Property mappings"
-                },
-                "settings": {
-                    "type": "object",
-                    "additionalProperties": true,
-                    "title": "Settings"
-                },
-                "connection_expiry": {
-                    "type": "string",
-                    "minLength": 1,
-                    "title": "Connection expiry",
-                    "description": "Determines how long a session lasts. Default of 0 means that the sessions lasts until the browser is closed. (Format: hours=-1;minutes=-2;seconds=-3)"
-                },
-                "delete_token_on_disconnect": {
-                    "type": "boolean",
-                    "title": "Delete token on disconnect",
-                    "description": "When set to true, connection tokens will be deleted upon disconnect."
-                }
-            },
-            "required": []
-        },
-        "model_authentik_providers_rac.racprovider_permissions": {
-            "type": "array",
-            "items": {
-                "type": "object",
-                "required": [
-                    "permission"
-                ],
-                "properties": {
-                    "permission": {
-                        "type": "string",
-                        "enum": [
-                            "add_racprovider",
-                            "change_racprovider",
-                            "delete_racprovider",
-                            "view_racprovider"
-                        ]
-                    },
-                    "user": {
-                        "type": "integer"
-                    },
-                    "role": {
-                        "type": "string"
-                    }
-                }
-            }
-        },
-        "model_authentik_providers_rac.endpoint": {
-            "type": "object",
-            "properties": {
-                "name": {
-                    "type": "string",
-                    "minLength": 1,
-                    "title": "Name"
-                },
-                "provider": {
-                    "type": "integer",
-                    "title": "Provider"
-                },
-                "protocol": {
-                    "type": "string",
-                    "enum": [
-                        "rdp",
-                        "vnc",
-                        "ssh"
-                    ],
-                    "title": "Protocol"
-                },
-                "host": {
-                    "type": "string",
-                    "minLength": 1,
-                    "title": "Host"
-                },
-                "settings": {
-                    "type": "object",
-                    "additionalProperties": true,
-                    "title": "Settings"
-                },
-                "property_mappings": {
-                    "type": "array",
-                    "items": {
-                        "type": "string",
-                        "format": "uuid"
-                    },
-                    "title": "Property mappings"
-                },
-                "auth_mode": {
-                    "type": "string",
-                    "enum": [
-                        "static",
-                        "prompt"
-                    ],
-                    "title": "Auth mode"
-                },
-                "maximum_connections": {
-                    "type": "integer",
-                    "minimum": -2147483648,
-                    "maximum": 2147483647,
-                    "title": "Maximum connections"
-                }
-            },
-            "required": []
-        },
-        "model_authentik_providers_rac.endpoint_permissions": {
-            "type": "array",
-            "items": {
-                "type": "object",
-                "required": [
-                    "permission"
-                ],
-                "properties": {
-                    "permission": {
-                        "type": "string",
-                        "enum": [
-                            "add_endpoint",
-                            "change_endpoint",
-                            "delete_endpoint",
-                            "view_endpoint"
-                        ]
-                    },
-                    "user": {
-                        "type": "integer"
-                    },
-                    "role": {
-                        "type": "string"
-                    }
-                }
-            }
-        },
-        "model_authentik_providers_rac.racpropertymapping": {
-            "type": "object",
-            "properties": {
-                "managed": {
-                    "type": [
-                        "string",
-                        "null"
-                    ],
-                    "minLength": 1,
-                    "title": "Managed by authentik",
-                    "description": "Objects that are managed by authentik. These objects are created and updated automatically. This flag only indicates that an object can be overwritten by migrations. You can still modify the objects via the API, but expect changes to be overwritten in a later update."
-                },
-                "name": {
-                    "type": "string",
-                    "minLength": 1,
-                    "title": "Name"
-                },
-                "expression": {
-                    "type": "string",
-                    "title": "Expression"
-                },
-                "static_settings": {
-                    "type": "object",
-                    "additionalProperties": true,
-                    "title": "Static settings"
-                }
-            },
-            "required": []
-        },
-        "model_authentik_providers_rac.racpropertymapping_permissions": {
-            "type": "array",
-            "items": {
-                "type": "object",
-                "required": [
-                    "permission"
-                ],
-                "properties": {
-                    "permission": {
-                        "type": "string",
-                        "enum": [
-                            "add_racpropertymapping",
-                            "change_racpropertymapping",
-                            "delete_racpropertymapping",
-                            "view_racpropertymapping"
-                        ]
-                    },
-                    "user": {
-                        "type": "integer"
-                    },
-                    "role": {
-                        "type": "string"
-                    }
-                }
-            }
-        },
         "model_authentik_providers_ssf.ssfprovider": {
             "type": "object",
             "properties": {