ci: setup action: remove unused dependencies on poetry install (cherry-pick #12365 ) (#12371 )

ci: setup action: remove unused dependencies on poetry install (#12365) Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> Co-authored-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
root: fix ssl settings for read replicas not being applied (cherry-pick #12341 ) (#12345 )
2024-12-18 00:53:16 +01:00 · 2024-12-12 18:58:14 +01:00 · 2024-12-10 17:48:12 +01:00 · 2024-12-10 17:47:19 +01:00 · 2024-12-10 17:45:48 +01:00 · 2024-12-10 17:12:52 +01:00
185 changed files with 6544 additions and 899 deletions
--- a/.bumpversion.cfg
+++ b/.bumpversion.cfg
@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2024.8.3
+current_version = 2024.10.5
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?:-(?P<rc_t>[a-zA-Z-]+)(?P<rc_n>[1-9]\\d*))?
--- a/.github/actions/setup/action.yml
+++ b/.github/actions/setup/action.yml
@ -35,7 +35,7 @@ runs:
      run: |
        export PSQL_TAG=${{ inputs.postgresql_version }}
        docker compose -f .github/actions/setup/docker-compose.yml up -d
-        poetry install
+        poetry install --sync
        cd web && npm ci
    - name: Generate config
      shell: poetry run python {0}
--- a/.github/workflows/release-tag.yml
+++ b/.github/workflows/release-tag.yml
@ -18,7 +18,7 @@ jobs:
          echo "AUTHENTIK_SECRET_KEY=$(openssl rand 32 | base64 -w 0)" >> .env
          docker buildx install
          mkdir -p ./gen-ts-api
-          docker build -t testing:latest .
+          docker build --no-cache -t testing:latest .
          echo "AUTHENTIK_IMAGE=testing" >> .env
          echo "AUTHENTIK_TAG=latest" >> .env
          docker compose up --no-start
--- a/SECURITY.md
+++ b/SECURITY.md
@ -18,10 +18,10 @@ Even if the issue is not a CVE, we still greatly appreciate your help in hardeni
 (.x being the latest patch release for each version)
-| Version  | Supported |
+| Version   | Supported |
-| -------- | --------- |
+| --------- | --------- |
-| 2024.6.x | ✅        |
+| 2024.8.x  | ✅        |
-| 2024.8.x | ✅        |
+| 2024.10.x | ✅        |
 ## Reporting a Vulnerability
--- a/authentik/init.py
+++ b/authentik/init.py
@ -2,7 +2,7 @@
 from os import environ
-__version__ = "2024.8.3"
+__version__ = "2024.10.5"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
--- a/authentik/api/templates/api/browser.html
+++ b/authentik/api/templates/api/browser.html
@ -7,7 +7,7 @@ API Browser - {{ brand.branding_title }}
 {% endblock %}
 {% block head %}
-{% versioned_script "dist/standalone/api-browser/index-%v.js" %}
+<script src="{% versioned_script 'dist/standalone/api-browser/index-%v.js' %}" type="module"></script>
 <meta name="theme-color" content="#151515" media="(prefers-color-scheme: light)">
 <meta name="theme-color" content="#151515" media="(prefers-color-scheme: dark)">
 {% endblock %}
--- a/authentik/blueprints/tests/test_packaged.py
+++ b/authentik/blueprints/tests/test_packaged.py
@ -27,7 +27,8 @@ def blueprint_tester(file_name: Path) -> Callable:
        base = Path("blueprints/")
        rel_path = Path(file_name).relative_to(base)
        importer = Importer.from_string(BlueprintInstance(path=str(rel_path)).retrieve())
-        self.assertTrue(importer.validate()[0])
+        validation, logs = importer.validate()
        self.assertTrue(validation, logs)
        self.assertTrue(importer.apply())
    return tester
--- a/authentik/brands/middleware.py
+++ b/authentik/brands/middleware.py
@ -4,7 +4,7 @@ from collections.abc import Callable
 from django.http.request import HttpRequest
 from django.http.response import HttpResponse
-from django.utils.translation import activate
+from django.utils.translation import override
 from authentik.brands.utils import get_brand_for_request
@ -18,10 +18,12 @@ class BrandMiddleware:
        self.get_response = get_response
    def __call__(self, request: HttpRequest) -> HttpResponse:
        locale_to_set = None
        if not hasattr(request, "brand"):
            brand = get_brand_for_request(request)
            request.brand = brand
            locale = brand.default_locale
            if locale != "":
-                activate(locale)
+                locale_to_set = locale
-        return self.get_response(request)
+        with override(locale_to_set):
            return self.get_response(request)
--- a/authentik/core/api/devices.py
+++ b/authentik/core/api/devices.py
@ -1,5 +1,6 @@
 """Authenticator Devices API Views"""
 from django.utils.translation import gettext_lazy as _
 from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import OpenApiParameter, extend_schema
 from rest_framework.fields import (
@ -40,7 +41,11 @@ class DeviceSerializer(MetaNameSerializer):
    def get_extra_description(self, instance: Device) -> str:
        """Get extra description"""
        if isinstance(instance, WebAuthnDevice):
-            return instance.device_type.description
+            return (
                instance.device_type.description
                if instance.device_type
                else _("Extra description not available")
            )
        if isinstance(instance, EndpointDevice):
            return instance.data.get("deviceSignals", {}).get("deviceModel")
        return ""
--- a/authentik/core/middleware.py
+++ b/authentik/core/middleware.py
@ -5,7 +5,7 @@ from contextvars import ContextVar
 from uuid import uuid4
 from django.http import HttpRequest, HttpResponse
-from django.utils.translation import activate
+from django.utils.translation import override
 from sentry_sdk.api import set_tag
 from structlog.contextvars import STRUCTLOG_KEY_PREFIX
@ -31,17 +31,19 @@ class ImpersonateMiddleware:
    def __call__(self, request: HttpRequest) -> HttpResponse:
        # No permission checks are done here, they need to be checked before
        # SESSION_KEY_IMPERSONATE_USER is set.
        locale_to_set = None
        if request.user.is_authenticated:
            locale = request.user.locale(request)
            if locale != "":
-                activate(locale)
+                locale_to_set = locale
        if SESSION_KEY_IMPERSONATE_USER in request.session:
            request.user = request.session[SESSION_KEY_IMPERSONATE_USER]
            # Ensure that the user is active, otherwise nothing will work
            request.user.is_active = True
-        return self.get_response(request)
+        with override(locale_to_set):
            return self.get_response(request)
 class RequestIDMiddleware:
--- a/authentik/core/sources/flow_manager.py
+++ b/authentik/core/sources/flow_manager.py
@ -129,6 +129,11 @@ class SourceFlowManager:
            )
            new_connection.user = self.request.user
            new_connection = self.update_user_connection(new_connection, **kwargs)
            if existing := self.user_connection_type.objects.filter(
                source=self.source, identifier=self.identifier
            ).first():
                existing = self.update_user_connection(existing)
                return Action.AUTH, existing
            return Action.LINK, new_connection
        action, connection = self.matcher.get_user_action(self.identifier, self.user_properties)
--- a/authentik/core/templates/base/skeleton.html
+++ b/authentik/core/templates/base/skeleton.html
@ -15,8 +15,8 @@
        {% endblock %}
        <link rel="stylesheet" type="text/css" href="{% static 'dist/authentik.css' %}">
        <link rel="stylesheet" type="text/css" href="{% static 'dist/custom.css' %}" data-inject>
-        {% versioned_script "dist/poly-%v.js" %}
+        <script src="{% versioned_script 'dist/poly-%v.js' %}" type="module"></script>
-        {% versioned_script "dist/standalone/loading/index-%v.js" %}
+        <script src="{% versioned_script 'dist/standalone/loading/index-%v.js' %}" type="module"></script>
        {% block head %}
        {% endblock %}
        <meta name="sentry-trace" content="{{ sentry_trace }}" />
--- a/authentik/core/templates/if/admin.html
+++ b/authentik/core/templates/if/admin.html
@ -3,7 +3,7 @@
 {% load authentik_core %}
 {% block head %}
-{% versioned_script "dist/admin/AdminInterface-%v.js" %}
+<script src="{% versioned_script 'dist/admin/AdminInterface-%v.js' %}" type="module"></script>
 <meta name="theme-color" content="#18191a" media="(prefers-color-scheme: dark)">
 <meta name="theme-color" content="#ffffff" media="(prefers-color-scheme: light)">
 {% include "base/header_js.html" %}
--- a/authentik/core/templates/if/user.html
+++ b/authentik/core/templates/if/user.html
@ -3,7 +3,7 @@
 {% load authentik_core %}
 {% block head %}
-{% versioned_script "dist/user/UserInterface-%v.js" %}
+<script src="{% versioned_script 'dist/user/UserInterface-%v.js' %}" type="module"></script>
 <meta name="theme-color" content="#1c1e21" media="(prefers-color-scheme: light)">
 <meta name="theme-color" content="#1c1e21" media="(prefers-color-scheme: dark)">
 {% include "base/header_js.html" %}
--- a/authentik/core/templatetags/authentik_core.py
+++ b/authentik/core/templatetags/authentik_core.py
@ -2,7 +2,6 @@
 from django import template
 from django.templatetags.static import static as static_loader
 from django.utils.safestring import mark_safe
 from authentik import get_full_version
@ -12,10 +11,4 @@ register = template.Library()
@register.simple_tag()
 def versioned_script(path: str) -> str:
    """Wrapper around {% static %} tag that supports setting the version"""
-    returned_lines = [
+    return static_loader(path.replace("%v", get_full_version()))
        (
            f'<script src="{static_loader(path.replace("%v", get_full_version()))}'
            '" type="module"></script>'
        ),
    ]
    return mark_safe("".join(returned_lines))  # nosec
--- a/authentik/core/tests/test_applications_api.py
+++ b/authentik/core/tests/test_applications_api.py
@ -12,7 +12,7 @@ from authentik.core.tests.utils import create_test_admin_user, create_test_flow
 from authentik.lib.generators import generate_id
 from authentik.policies.dummy.models import DummyPolicy
 from authentik.policies.models import PolicyBinding
-from authentik.providers.oauth2.models import OAuth2Provider
+from authentik.providers.oauth2.models import OAuth2Provider, RedirectURI, RedirectURIMatchingMode
 from authentik.providers.proxy.models import ProxyProvider
 from authentik.providers.saml.models import SAMLProvider
@ -24,7 +24,7 @@ class TestApplicationsAPI(APITestCase):
        self.user = create_test_admin_user()
        self.provider = OAuth2Provider.objects.create(
            name="test",
-            redirect_uris="http://some-other-domain",
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://some-other-domain")],
            authorization_flow=create_test_flow(),
        )
        self.allowed: Application = Application.objects.create(
--- a/authentik/core/tests/test_source_flow_manager.py
+++ b/authentik/core/tests/test_source_flow_manager.py
@ -81,6 +81,22 @@ class TestSourceFlowManager(TestCase):
            reverse("authentik_core:if-user") + "#/settings;page-sources",
        )
    def test_authenticated_auth(self):
        """Test authenticated user linking"""
        user = User.objects.create(username="foo", email="foo@bar.baz")
        UserOAuthSourceConnection.objects.create(
            user=user, source=self.source, identifier=self.identifier
        )
        request = get_request("/", user=user)
        flow_manager = OAuthSourceFlowManager(
            self.source, request, self.identifier, {"info": {}}, {}
        )
        action, connection = flow_manager.get_action()
        self.assertEqual(action, Action.AUTH)
        self.assertIsNotNone(connection.pk)
        response = flow_manager.get_flow()
        self.assertEqual(response.status_code, 302)
    def test_unauthenticated_link(self):
        """Test un-authenticated user linking"""
        flow_manager = OAuthSourceFlowManager(
--- a/authentik/core/tests/test_transactional_applications_api.py
+++ b/authentik/core/tests/test_transactional_applications_api.py
@ -31,6 +31,7 @@ class TestTransactionalApplicationsAPI(APITestCase):
                    "name": uid,
                    "authorization_flow": str(create_test_flow().pk),
                    "invalidation_flow": str(create_test_flow().pk),
                    "redirect_uris": [],
                },
            },
        )
@ -57,6 +58,7 @@ class TestTransactionalApplicationsAPI(APITestCase):
                    "name": uid,
                    "authorization_flow": "",
                    "invalidation_flow": "",
                    "redirect_uris": [],
                },
            },
        )
--- a/authentik/crypto/api.py
+++ b/authentik/crypto/api.py
@ -24,6 +24,7 @@ from rest_framework.fields import (
 from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.validators import UniqueValidator
 from rest_framework.viewsets import ModelViewSet
 from structlog.stdlib import get_logger
@ -181,7 +182,10 @@ class CertificateDataSerializer(PassiveSerializer):
 class CertificateGenerationSerializer(PassiveSerializer):
    """Certificate generation parameters"""
-    common_name = CharField()
+    common_name = CharField(
        validators=[UniqueValidator(queryset=CertificateKeyPair.objects.all())],
        source="name",
    )
    subject_alt_name = CharField(required=False, allow_blank=True, label=_("Subject-alt name"))
    validity_days = IntegerField(initial=365)
    alg = ChoiceField(default=PrivateKeyAlg.RSA, choices=PrivateKeyAlg.choices)
@ -242,11 +246,10 @@ class CertificateKeyPairViewSet(UsedByMixin, ModelViewSet):
    def generate(self, request: Request) -> Response:
        """Generate a new, self-signed certificate-key pair"""
        data = CertificateGenerationSerializer(data=request.data)
-        if not data.is_valid():
+        data.is_valid(raise_exception=True)
            return Response(data.errors, status=400)
        raw_san = data.validated_data.get("subject_alt_name", "")
        sans = raw_san.split(",") if raw_san != "" else []
-        builder = CertificateBuilder(data.validated_data["common_name"])
+        builder = CertificateBuilder(data.validated_data["name"])
        builder.alg = data.validated_data["alg"]
        builder.build(
            subject_alt_names=sans,
--- a/authentik/crypto/tests.py
+++ b/authentik/crypto/tests.py
@ -18,7 +18,7 @@ from authentik.crypto.models import CertificateKeyPair
 from authentik.crypto.tasks import MANAGED_DISCOVERED, certificate_discovery
 from authentik.lib.config import CONFIG
 from authentik.lib.generators import generate_id, generate_key
-from authentik.providers.oauth2.models import OAuth2Provider
+from authentik.providers.oauth2.models import OAuth2Provider, RedirectURI, RedirectURIMatchingMode
 class TestCrypto(APITestCase):
@ -89,6 +89,17 @@ class TestCrypto(APITestCase):
        self.assertIsInstance(ext[1], DNSName)
        self.assertEqual(ext[1].value, "baz")
    def test_builder_api_duplicate(self):
        """Test Builder (via API)"""
        cert = create_test_cert()
        self.client.force_login(create_test_admin_user())
        res = self.client.post(
            reverse("authentik_api:certificatekeypair-generate"),
            data={"common_name": cert.name, "subject_alt_name": "bar,baz", "validity_days": 3},
        )
        self.assertEqual(res.status_code, 400)
        self.assertJSONEqual(res.content, {"common_name": ["This field must be unique."]})
    def test_builder_api_empty_san(self):
        """Test Builder (via API)"""
        self.client.force_login(create_test_admin_user())
@ -263,7 +274,7 @@ class TestCrypto(APITestCase):
            client_id="test",
            client_secret=generate_key(),
            authorization_flow=create_test_flow(),
-            redirect_uris="http://localhost",
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost")],
            signing_key=keypair,
        )
        response = self.client.get(
@ -295,7 +306,7 @@ class TestCrypto(APITestCase):
            client_id="test",
            client_secret=generate_key(),
            authorization_flow=create_test_flow(),
-            redirect_uris="http://localhost",
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost")],
            signing_key=keypair,
        )
        response = self.client.get(
--- a/authentik/enterprise/middleware.py
+++ b/authentik/enterprise/middleware.py
@ -6,6 +6,7 @@ from django.http import HttpRequest, HttpResponse, JsonResponse
 from django.urls import resolve
 from structlog.stdlib import BoundLogger, get_logger
 from authentik.core.api.users import UserViewSet
 from authentik.enterprise.api import LicenseViewSet
 from authentik.enterprise.license import LicenseKey
 from authentik.enterprise.models import LicenseUsageStatus
@ -59,6 +60,9 @@ class EnterpriseMiddleware:
        # Flow executor is mounted as an API path but explicitly allowed
        if request.resolver_match._func_path == class_to_path(FlowExecutorView):
            return True
        # Always allow making changes to users, even in case the license has ben exceeded
        if request.resolver_match._func_path == class_to_path(UserViewSet):
            return True
        # Only apply these restrictions to the API
        if "authentik_api" not in request.resolver_match.app_names:
            return True
--- a/authentik/enterprise/providers/rac/api/providers.py
+++ b/authentik/enterprise/providers/rac/api/providers.py
@ -16,13 +16,28 @@ class RACProviderSerializer(EnterpriseRequiredMixin, ProviderSerializer):
    class Meta:
        model = RACProvider
-        fields = ProviderSerializer.Meta.fields + [
+        fields = [
            "pk",
            "name",
            "authentication_flow",
            "authorization_flow",
            "property_mappings",
            "component",
            "assigned_application_slug",
            "assigned_application_name",
            "assigned_backchannel_application_slug",
            "assigned_backchannel_application_name",
            "verbose_name",
            "verbose_name_plural",
            "meta_model_name",
            "settings",
            "outpost_set",
            "connection_expiry",
            "delete_token_on_disconnect",
        ]
-        extra_kwargs = ProviderSerializer.Meta.extra_kwargs
+        extra_kwargs = {
            "authorization_flow": {"required": True, "allow_null": False},
        }
 class RACProviderViewSet(UsedByMixin, ModelViewSet):
--- a/authentik/enterprise/providers/rac/templates/if/rac.html
+++ b/authentik/enterprise/providers/rac/templates/if/rac.html
@ -3,7 +3,7 @@
 {% load authentik_core %}
 {% block head %}
-{% versioned_script "dist/enterprise/rac/index-%v.js" %}
+<script src="{% versioned_script 'dist/enterprise/rac/index-%v.js' %}" type="module"></script>
 <meta name="theme-color" content="#18191a" media="(prefers-color-scheme: dark)">
 <meta name="theme-color" content="#ffffff" media="(prefers-color-scheme: light)">
 <link rel="icon" href="{{ tenant.branding_favicon }}">
--- a/authentik/enterprise/providers/rac/tests/test_api.py
+++ b/authentik/enterprise/providers/rac/tests/test_api.py
@ -0,0 +1,46 @@
 """Test RAC Provider"""
 from datetime import timedelta
 from time import mktime
 from unittest.mock import MagicMock, patch
 from django.urls import reverse
 from django.utils.timezone import now
 from rest_framework.test import APITestCase
 from authentik.core.tests.utils import create_test_admin_user, create_test_flow
 from authentik.enterprise.license import LicenseKey
 from authentik.enterprise.models import License
 from authentik.lib.generators import generate_id
 class TestAPI(APITestCase):
    """Test Provider API"""
    def setUp(self) -> None:
        self.user = create_test_admin_user()
    @patch(
        "authentik.enterprise.license.LicenseKey.validate",
        MagicMock(
            return_value=LicenseKey(
                aud="",
                exp=int(mktime((now() + timedelta(days=3000)).timetuple())),
                name=generate_id(),
                internal_users=100,
                external_users=100,
            )
        ),
    )
    def test_create(self):
        """Test creation of RAC Provider"""
        License.objects.create(key=generate_id())
        self.client.force_login(self.user)
        response = self.client.post(
            reverse("authentik_api:racprovider-list"),
            data={
                "name": generate_id(),
                "authorization_flow": create_test_flow().pk,
            },
        )
        self.assertEqual(response.status_code, 201)
--- a/authentik/enterprise/providers/rac/tests/test_endpoints_api.py
+++ b/authentik/enterprise/providers/rac/tests/test_endpoints_api.py
@ -68,7 +68,6 @@ class TestEndpointsAPI(APITestCase):
                            "name": self.provider.name,
                            "authentication_flow": None,
                            "authorization_flow": None,
                            "invalidation_flow": None,
                            "property_mappings": [],
                            "connection_expiry": "hours=8",
                            "delete_token_on_disconnect": False,
@ -121,7 +120,6 @@ class TestEndpointsAPI(APITestCase):
                            "name": self.provider.name,
                            "authentication_flow": None,
                            "authorization_flow": None,
                            "invalidation_flow": None,
                            "property_mappings": [],
                            "component": "ak-provider-rac-form",
                            "assigned_application_slug": self.app.slug,
@ -151,7 +149,6 @@ class TestEndpointsAPI(APITestCase):
                            "name": self.provider.name,
                            "authentication_flow": None,
                            "authorization_flow": None,
                            "invalidation_flow": None,
                            "property_mappings": [],
                            "component": "ak-provider-rac-form",
                            "assigned_application_slug": self.app.slug,
--- a/authentik/enterprise/stages/authenticator_endpoint_gdtc/views/dtc.py
+++ b/authentik/enterprise/stages/authenticator_endpoint_gdtc/views/dtc.py
@ -4,7 +4,9 @@ from typing import Any
 from django.http import HttpRequest, HttpResponse, HttpResponseRedirect
 from django.template.response import TemplateResponse
 from django.urls import reverse
 from django.utils.decorators import method_decorator
 from django.views import View
 from django.views.decorators.clickjacking import xframe_options_sameorigin
 from googleapiclient.discovery import build
 from authentik.enterprise.stages.authenticator_endpoint_gdtc.models import (
@ -26,6 +28,7 @@ HEADER_ACCESS_CHALLENGE_RESPONSE = "X-Verified-Access-Challenge-Response"
 DEVICE_TRUST_VERIFIED_ACCESS = "VerifiedAccess"
@method_decorator(xframe_options_sameorigin, name="dispatch")
 class GoogleChromeDeviceTrustConnector(View):
    """Google Chrome Device-trust connector based endpoint authenticator"""
--- a/authentik/enterprise/tests/test_read_only.py
+++ b/authentik/enterprise/tests/test_read_only.py
@ -215,3 +215,49 @@ class TestReadOnly(FlowTestCase):
            {"detail": "Request denied due to expired/invalid license.", "code": "denied_license"},
        )
        self.assertEqual(response.status_code, 400)
    @patch(
        "authentik.enterprise.license.LicenseKey.validate",
        MagicMock(
            return_value=LicenseKey(
                aud="",
                exp=expiry_valid,
                name=generate_id(),
                internal_users=100,
                external_users=100,
            )
        ),
    )
    @patch(
        "authentik.enterprise.license.LicenseKey.get_internal_user_count",
        MagicMock(return_value=1000),
    )
    @patch(
        "authentik.enterprise.license.LicenseKey.get_external_user_count",
        MagicMock(return_value=1000),
    )
    @patch(
        "authentik.enterprise.license.LicenseKey.record_usage",
        MagicMock(),
    )
    def test_manage_users(self):
        """Test that managing users is still possible"""
        License.objects.create(key=generate_id())
        usage = LicenseUsage.objects.create(
            internal_user_count=100,
            external_user_count=100,
            status=LicenseUsageStatus.VALID,
        )
        usage.record_date = now() - timedelta(weeks=THRESHOLD_READ_ONLY_WEEKS + 1)
        usage.save(update_fields=["record_date"])
        admin = create_test_admin_user()
        self.client.force_login(admin)
        # Reading is always allowed
        response = self.client.get(reverse("authentik_api:user-list"))
        self.assertEqual(response.status_code, 200)
        # Writing should also be allowed
        response = self.client.patch(reverse("authentik_api:user-detail", kwargs={"pk": admin.pk}))
        self.assertEqual(response.status_code, 200)
--- a/authentik/flows/stage.py
+++ b/authentik/flows/stage.py
@ -2,6 +2,7 @@
 from typing import TYPE_CHECKING
 from django.conf import settings
 from django.contrib.auth.models import AnonymousUser
 from django.http import HttpRequest
 from django.http.request import QueryDict
@ -224,6 +225,14 @@ class ChallengeStageView(StageView):
                full_errors[field].append(field_error)
        challenge_response.initial_data["response_errors"] = full_errors
        if not challenge_response.is_valid():
            if settings.TEST:
                raise StageInvalidException(
                    (
                        f"Invalid challenge response: \n\t{challenge_response.errors}"
                        f"\n\nValidated data:\n\t {challenge_response.data}"
                        f"\n\nInitial data:\n\t {challenge_response.initial_data}"
                    ),
                )
            self.logger.error(
                "f(ch): invalid challenge response",
                errors=challenge_response.errors,
--- a/authentik/flows/templates/if/flow.html
+++ b/authentik/flows/templates/if/flow.html
@ -18,7 +18,7 @@ window.authentik.flow = {
 {% endblock %}
 {% block head %}
-{% versioned_script "dist/flow/FlowInterface-%v.js" %}
+<script src="{% versioned_script 'dist/flow/FlowInterface-%v.js' %}" type="module"></script>
 <style>
 :root {
    --ak-flow-background: url("{{ flow.background_url }}");
--- a/authentik/lib/config.py
+++ b/authentik/lib/config.py
@ -5,6 +5,7 @@ import json
 import os
 from collections.abc import Mapping
 from contextlib import contextmanager
 from copy import deepcopy
 from dataclasses import dataclass, field
 from enum import Enum
 from glob import glob
@ -336,6 +337,58 @@ def redis_url(db: int) -> str:
    return _redis_url
 def django_db_config(config: ConfigLoader | None = None) -> dict:
    if not config:
        config = CONFIG
    db = {
        "default": {
            "ENGINE": "authentik.root.db",
            "HOST": config.get("postgresql.host"),
            "NAME": config.get("postgresql.name"),
            "USER": config.get("postgresql.user"),
            "PASSWORD": config.get("postgresql.password"),
            "PORT": config.get("postgresql.port"),
            "OPTIONS": {
                "sslmode": config.get("postgresql.sslmode"),
                "sslrootcert": config.get("postgresql.sslrootcert"),
                "sslcert": config.get("postgresql.sslcert"),
                "sslkey": config.get("postgresql.sslkey"),
            },
            "TEST": {
                "NAME": config.get("postgresql.test.name"),
            },
        }
    }
    if config.get_bool("postgresql.use_pgpool", False):
        db["default"]["DISABLE_SERVER_SIDE_CURSORS"] = True
    if config.get_bool("postgresql.use_pgbouncer", False):
        # https://docs.djangoproject.com/en/4.0/ref/databases/#transaction-pooling-server-side-cursors
        db["default"]["DISABLE_SERVER_SIDE_CURSORS"] = True
        # https://docs.djangoproject.com/en/4.0/ref/databases/#persistent-connections
        db["default"]["CONN_MAX_AGE"] = None  # persistent
    for replica in config.get_keys("postgresql.read_replicas"):
        _database = deepcopy(db["default"])
        for setting, current_value in db["default"].items():
            if isinstance(current_value, dict):
                continue
            override = config.get(
                f"postgresql.read_replicas.{replica}.{setting.lower()}", default=UNSET
            )
            if override is not UNSET:
                _database[setting] = override
        for setting in db["default"]["OPTIONS"].keys():
            override = config.get(
                f"postgresql.read_replicas.{replica}.{setting.lower()}", default=UNSET
            )
            if override is not UNSET:
                _database["OPTIONS"][setting] = override
        db[f"replica_{replica}"] = _database
    return db
 if __name__ == "__main__":
    if len(argv) < 2:  # noqa: PLR2004
        print(dumps(CONFIG.raw, indent=4, cls=AttrEncoder))
--- a/authentik/lib/tests/test_config.py
+++ b/authentik/lib/tests/test_config.py
@ -9,7 +9,14 @@ from unittest import mock
 from django.conf import ImproperlyConfigured
 from django.test import TestCase
-from authentik.lib.config import ENV_PREFIX, UNSET, Attr, AttrEncoder, ConfigLoader
+from authentik.lib.config import (
    ENV_PREFIX,
    UNSET,
    Attr,
    AttrEncoder,
    ConfigLoader,
    django_db_config,
 )
 class TestConfig(TestCase):
@ -175,3 +182,201 @@ class TestConfig(TestCase):
        config = ConfigLoader()
        config.set("foo.bar", "baz")
        self.assertEqual(list(config.get_keys("foo")), ["bar"])
    def test_db_default(self):
        """Test default DB Config"""
        config = ConfigLoader()
        config.set("postgresql.host", "foo")
        config.set("postgresql.name", "foo")
        config.set("postgresql.user", "foo")
        config.set("postgresql.password", "foo")
        config.set("postgresql.port", "foo")
        config.set("postgresql.sslmode", "foo")
        config.set("postgresql.sslrootcert", "foo")
        config.set("postgresql.sslcert", "foo")
        config.set("postgresql.sslkey", "foo")
        config.set("postgresql.test.name", "foo")
        conf = django_db_config(config)
        self.assertEqual(
            conf,
            {
                "default": {
                    "ENGINE": "authentik.root.db",
                    "HOST": "foo",
                    "NAME": "foo",
                    "OPTIONS": {
                        "sslcert": "foo",
                        "sslkey": "foo",
                        "sslmode": "foo",
                        "sslrootcert": "foo",
                    },
                    "PASSWORD": "foo",
                    "PORT": "foo",
                    "TEST": {"NAME": "foo"},
                    "USER": "foo",
                }
            },
        )
    def test_db_read_replicas(self):
        """Test read replicas"""
        config = ConfigLoader()
        config.set("postgresql.host", "foo")
        config.set("postgresql.name", "foo")
        config.set("postgresql.user", "foo")
        config.set("postgresql.password", "foo")
        config.set("postgresql.port", "foo")
        config.set("postgresql.sslmode", "foo")
        config.set("postgresql.sslrootcert", "foo")
        config.set("postgresql.sslcert", "foo")
        config.set("postgresql.sslkey", "foo")
        config.set("postgresql.test.name", "foo")
        # Read replica
        config.set("postgresql.read_replicas.0.host", "bar")
        conf = django_db_config(config)
        self.assertEqual(
            conf,
            {
                "default": {
                    "ENGINE": "authentik.root.db",
                    "HOST": "foo",
                    "NAME": "foo",
                    "OPTIONS": {
                        "sslcert": "foo",
                        "sslkey": "foo",
                        "sslmode": "foo",
                        "sslrootcert": "foo",
                    },
                    "PASSWORD": "foo",
                    "PORT": "foo",
                    "TEST": {"NAME": "foo"},
                    "USER": "foo",
                },
                "replica_0": {
                    "ENGINE": "authentik.root.db",
                    "HOST": "bar",
                    "NAME": "foo",
                    "OPTIONS": {
                        "sslcert": "foo",
                        "sslkey": "foo",
                        "sslmode": "foo",
                        "sslrootcert": "foo",
                    },
                    "PASSWORD": "foo",
                    "PORT": "foo",
                    "TEST": {"NAME": "foo"},
                    "USER": "foo",
                },
            },
        )
    def test_db_read_replicas_pgpool(self):
        """Test read replicas"""
        config = ConfigLoader()
        config.set("postgresql.host", "foo")
        config.set("postgresql.name", "foo")
        config.set("postgresql.user", "foo")
        config.set("postgresql.password", "foo")
        config.set("postgresql.port", "foo")
        config.set("postgresql.sslmode", "foo")
        config.set("postgresql.sslrootcert", "foo")
        config.set("postgresql.sslcert", "foo")
        config.set("postgresql.sslkey", "foo")
        config.set("postgresql.test.name", "foo")
        config.set("postgresql.use_pgpool", True)
        # Read replica
        config.set("postgresql.read_replicas.0.host", "bar")
        # This isn't supported
        config.set("postgresql.read_replicas.0.use_pgpool", False)
        conf = django_db_config(config)
        self.assertEqual(
            conf,
            {
                "default": {
                    "DISABLE_SERVER_SIDE_CURSORS": True,
                    "ENGINE": "authentik.root.db",
                    "HOST": "foo",
                    "NAME": "foo",
                    "OPTIONS": {
                        "sslcert": "foo",
                        "sslkey": "foo",
                        "sslmode": "foo",
                        "sslrootcert": "foo",
                    },
                    "PASSWORD": "foo",
                    "PORT": "foo",
                    "TEST": {"NAME": "foo"},
                    "USER": "foo",
                },
                "replica_0": {
                    "DISABLE_SERVER_SIDE_CURSORS": True,
                    "ENGINE": "authentik.root.db",
                    "HOST": "bar",
                    "NAME": "foo",
                    "OPTIONS": {
                        "sslcert": "foo",
                        "sslkey": "foo",
                        "sslmode": "foo",
                        "sslrootcert": "foo",
                    },
                    "PASSWORD": "foo",
                    "PORT": "foo",
                    "TEST": {"NAME": "foo"},
                    "USER": "foo",
                },
            },
        )
    def test_db_read_replicas_diff_ssl(self):
        """Test read replicas (with different SSL Settings)"""
        """Test read replicas"""
        config = ConfigLoader()
        config.set("postgresql.host", "foo")
        config.set("postgresql.name", "foo")
        config.set("postgresql.user", "foo")
        config.set("postgresql.password", "foo")
        config.set("postgresql.port", "foo")
        config.set("postgresql.sslmode", "foo")
        config.set("postgresql.sslrootcert", "foo")
        config.set("postgresql.sslcert", "foo")
        config.set("postgresql.sslkey", "foo")
        config.set("postgresql.test.name", "foo")
        # Read replica
        config.set("postgresql.read_replicas.0.host", "bar")
        config.set("postgresql.read_replicas.0.sslcert", "bar")
        conf = django_db_config(config)
        self.assertEqual(
            conf,
            {
                "default": {
                    "ENGINE": "authentik.root.db",
                    "HOST": "foo",
                    "NAME": "foo",
                    "OPTIONS": {
                        "sslcert": "foo",
                        "sslkey": "foo",
                        "sslmode": "foo",
                        "sslrootcert": "foo",
                    },
                    "PASSWORD": "foo",
                    "PORT": "foo",
                    "TEST": {"NAME": "foo"},
                    "USER": "foo",
                },
                "replica_0": {
                    "ENGINE": "authentik.root.db",
                    "HOST": "bar",
                    "NAME": "foo",
                    "OPTIONS": {
                        "sslcert": "bar",
                        "sslkey": "foo",
                        "sslmode": "foo",
                        "sslrootcert": "foo",
                    },
                    "PASSWORD": "foo",
                    "PORT": "foo",
                    "TEST": {"NAME": "foo"},
                    "USER": "foo",
                },
            },
        )
--- a/authentik/policies/password/models.py
+++ b/authentik/policies/password/models.py
@ -89,6 +89,10 @@ class PasswordPolicy(Policy):
    def passes_static(self, password: str, request: PolicyRequest) -> PolicyResult:
        """Check static rules"""
        error_message = self.error_message
        if error_message == "":
            error_message = _("Invalid password.")
        if len(password) < self.length_min:
            LOGGER.debug("password failed", check="static", reason="length")
            return PolicyResult(False, self.error_message)
--- a/authentik/providers/ldap/api.py
+++ b/authentik/providers/ldap/api.py
@ -159,7 +159,10 @@ class LDAPOutpostConfigViewSet(ListModelMixin, GenericViewSet):
        access_response = PolicyResult(result.passing)
        response = self.LDAPCheckAccessSerializer(
            instance={
-                "has_search_permission": request.user.has_perm("search_full_directory", provider),
+                "has_search_permission": (
                    request.user.has_perm("search_full_directory", provider)
                    or request.user.has_perm("authentik_providers_ldap.search_full_directory")
                ),
                "access": access_response,
            }
        )
--- a/authentik/providers/oauth2/api/providers.py
+++ b/authentik/providers/oauth2/api/providers.py
@ -1,15 +1,18 @@
 """OAuth2Provider API Views"""
 from copy import copy
 from re import compile
 from re import error as RegexError
 from django.urls import reverse
 from django.utils import timezone
 from django.utils.translation import gettext_lazy as _
 from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import OpenApiParameter, OpenApiResponse, extend_schema
 from guardian.shortcuts import get_objects_for_user
 from rest_framework.decorators import action
 from rest_framework.exceptions import ValidationError
-from rest_framework.fields import CharField
+from rest_framework.fields import CharField, ChoiceField
 from rest_framework.generics import get_object_or_404
 from rest_framework.request import Request
 from rest_framework.response import Response
@ -20,13 +23,39 @@ from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import PassiveSerializer, PropertyMappingPreviewSerializer
 from authentik.core.models import Provider
 from authentik.providers.oauth2.id_token import IDToken
-from authentik.providers.oauth2.models import AccessToken, OAuth2Provider, ScopeMapping
+from authentik.providers.oauth2.models import (
    AccessToken,
    OAuth2Provider,
    RedirectURIMatchingMode,
    ScopeMapping,
 )
 from authentik.rbac.decorators import permission_required
 class RedirectURISerializer(PassiveSerializer):
    """A single allowed redirect URI entry"""
    matching_mode = ChoiceField(choices=RedirectURIMatchingMode.choices)
    url = CharField()
 class OAuth2ProviderSerializer(ProviderSerializer):
    """OAuth2Provider Serializer"""
    redirect_uris = RedirectURISerializer(many=True, source="_redirect_uris")
    def validate_redirect_uris(self, data: list) -> list:
        for entry in data:
            if entry.get("matching_mode") == RedirectURIMatchingMode.REGEX:
                url = entry.get("url")
                try:
                    compile(url)
                except RegexError:
                    raise ValidationError(
                        _("Invalid Regex Pattern: {url}".format(url=url))
                    ) from None
        return data
    class Meta:
        model = OAuth2Provider
        fields = ProviderSerializer.Meta.fields + [
@ -79,7 +108,6 @@ class OAuth2ProviderViewSet(UsedByMixin, ModelViewSet):
        "refresh_token_validity",
        "include_claims_in_id_token",
        "signing_key",
        "redirect_uris",
        "sub_mode",
        "property_mappings",
        "issuer_mode",
--- a/authentik/providers/oauth2/errors.py
+++ b/authentik/providers/oauth2/errors.py
@ -7,7 +7,7 @@ from django.http import HttpRequest, HttpResponse, HttpResponseRedirect
 from authentik.events.models import Event, EventAction
 from authentik.lib.sentry import SentryIgnoredException
 from authentik.lib.views import bad_request_message
-from authentik.providers.oauth2.models import GrantTypes
+from authentik.providers.oauth2.models import GrantTypes, RedirectURI
 class OAuth2Error(SentryIgnoredException):
@ -46,9 +46,9 @@ class RedirectUriError(OAuth2Error):
    )
    provided_uri: str
-    allowed_uris: list[str]
+    allowed_uris: list[RedirectURI]
-    def __init__(self, provided_uri: str, allowed_uris: list[str]) -> None:
+    def __init__(self, provided_uri: str, allowed_uris: list[RedirectURI]) -> None:
        super().__init__()
        self.provided_uri = provided_uri
        self.allowed_uris = allowed_uris
--- a/authentik/providers/oauth2/migrations/0019_accesstoken_authentik_p_token_4bc870_idx_and_more.py
+++ b/authentik/providers/oauth2/migrations/0019_accesstoken_authentik_p_token_4bc870_idx_and_more.py
@ -11,13 +11,16 @@ class Migration(migrations.Migration):
        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
    ]
-    operations = [
+    # Original preserved
-        migrations.AddIndex(
+    # See https://github.com/goauthentik/authentik/issues/11874
-            model_name="accesstoken",
+    # operations = [
-            index=models.Index(fields=["token"], name="authentik_p_token_4bc870_idx"),
+    #     migrations.AddIndex(
-        ),
+    #         model_name="accesstoken",
-        migrations.AddIndex(
+    #         index=models.Index(fields=["token"], name="authentik_p_token_4bc870_idx"),
-            model_name="refreshtoken",
+    #     ),
-            index=models.Index(fields=["token"], name="authentik_p_token_1a841f_idx"),
+    #     migrations.AddIndex(
-        ),
+    #         model_name="refreshtoken",
-    ]
+    #         index=models.Index(fields=["token"], name="authentik_p_token_1a841f_idx"),
    #     ),
    # ]
    operations = []
--- a/authentik/providers/oauth2/migrations/0020_remove_accesstoken_authentik_p_token_4bc870_idx_and_more.py
+++ b/authentik/providers/oauth2/migrations/0020_remove_accesstoken_authentik_p_token_4bc870_idx_and_more.py
@ -11,21 +11,24 @@ class Migration(migrations.Migration):
        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
    ]
-    operations = [
+    # Original preserved
-        migrations.RemoveIndex(
+    # See https://github.com/goauthentik/authentik/issues/11874
-            model_name="accesstoken",
+    # operations = [
-            name="authentik_p_token_4bc870_idx",
+    #     migrations.RemoveIndex(
-        ),
+    #         model_name="accesstoken",
-        migrations.RemoveIndex(
+    #         name="authentik_p_token_4bc870_idx",
-            model_name="refreshtoken",
+    #     ),
-            name="authentik_p_token_1a841f_idx",
+    #     migrations.RemoveIndex(
-        ),
+    #         model_name="refreshtoken",
-        migrations.AddIndex(
+    #         name="authentik_p_token_1a841f_idx",
-            model_name="accesstoken",
+    #     ),
-            index=models.Index(fields=["token", "provider"], name="authentik_p_token_f99422_idx"),
+    #     migrations.AddIndex(
-        ),
+    #         model_name="accesstoken",
-        migrations.AddIndex(
+    #         index=models.Index(fields=["token", "provider"], name="authentik_p_token_f99422_idx"),
-            model_name="refreshtoken",
+    #     ),
-            index=models.Index(fields=["token", "provider"], name="authentik_p_token_a1d921_idx"),
+    #     migrations.AddIndex(
-        ),
+    #         model_name="refreshtoken",
-    ]
+    #         index=models.Index(fields=["token", "provider"], name="authentik_p_token_a1d921_idx"),
    #     ),
    # ]
    operations = []
--- a/authentik/providers/oauth2/migrations/0022_remove_accesstoken_session_id_and_more.py
+++ b/authentik/providers/oauth2/migrations/0022_remove_accesstoken_session_id_and_more.py
@ -37,7 +37,7 @@ def migrate_session(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
 class Migration(migrations.Migration):
    dependencies = [
-        ("authentik_core", "0040_provider_invalidation_flow"),
+        ("authentik_core", "0039_source_group_matching_mode_alter_group_name_and_more"),
        ("authentik_providers_oauth2", "0021_oauth2provider_encryption_key_and_more"),
    ]
--- a/authentik/providers/oauth2/migrations/0023_alter_accesstoken_refreshtoken_use_hash_index.py
+++ b/authentik/providers/oauth2/migrations/0023_alter_accesstoken_refreshtoken_use_hash_index.py
@ -0,0 +1,31 @@
 # Generated by Django 5.0.9 on 2024-10-31 14:28
 import django.contrib.postgres.indexes
 from django.conf import settings
 from django.db import migrations
 class Migration(migrations.Migration):
    dependencies = [
        ("authentik_core", "0039_source_group_matching_mode_alter_group_name_and_more"),
        ("authentik_providers_oauth2", "0022_remove_accesstoken_session_id_and_more"),
        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
    ]
    operations = [
        migrations.RunSQL("DROP INDEX IF EXISTS authentik_p_token_f99422_idx;"),
        migrations.RunSQL("DROP INDEX IF EXISTS authentik_p_token_a1d921_idx;"),
        migrations.AddIndex(
            model_name="accesstoken",
            index=django.contrib.postgres.indexes.HashIndex(
                fields=["token"], name="authentik_p_token_e00883_hash"
            ),
        ),
        migrations.AddIndex(
            model_name="refreshtoken",
            index=django.contrib.postgres.indexes.HashIndex(
                fields=["token"], name="authentik_p_token_32e2b7_hash"
            ),
        ),
    ]
--- a/authentik/providers/oauth2/migrations/0024_remove_oauth2provider_redirect_uris_and_more.py
+++ b/authentik/providers/oauth2/migrations/0024_remove_oauth2provider_redirect_uris_and_more.py
@ -0,0 +1,49 @@
 # Generated by Django 5.0.9 on 2024-11-04 12:56
 from dataclasses import asdict
 from django.apps.registry import Apps
 from django.db.backends.base.schema import BaseDatabaseSchemaEditor
 from django.db import migrations, models
 def migrate_redirect_uris(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
    from authentik.providers.oauth2.models import RedirectURI, RedirectURIMatchingMode
    OAuth2Provider = apps.get_model("authentik_providers_oauth2", "oauth2provider")
    db_alias = schema_editor.connection.alias
    for provider in OAuth2Provider.objects.using(db_alias).all():
        uris = []
        for old in provider.old_redirect_uris.split("\n"):
            mode = RedirectURIMatchingMode.STRICT
            if old == "*" or old == ".*":
                mode = RedirectURIMatchingMode.REGEX
            uris.append(asdict(RedirectURI(mode, url=old)))
        provider._redirect_uris = uris
        provider.save()
 class Migration(migrations.Migration):
    dependencies = [
        ("authentik_providers_oauth2", "0023_alter_accesstoken_refreshtoken_use_hash_index"),
    ]
    operations = [
        migrations.RenameField(
            model_name="oauth2provider",
            old_name="redirect_uris",
            new_name="old_redirect_uris",
        ),
        migrations.AddField(
            model_name="oauth2provider",
            name="_redirect_uris",
            field=models.JSONField(default=dict, verbose_name="Redirect URIs"),
        ),
        migrations.RunPython(migrate_redirect_uris, lambda *args: ...),
        migrations.RemoveField(
            model_name="oauth2provider",
            name="old_redirect_uris",
        ),
    ]
--- a/authentik/providers/oauth2/models.py
+++ b/authentik/providers/oauth2/models.py
@ -3,7 +3,7 @@
 import base64
 import binascii
 import json
-from dataclasses import asdict
+from dataclasses import asdict, dataclass
 from functools import cached_property
 from hashlib import sha256
 from typing import Any
@ -12,7 +12,9 @@ from urllib.parse import urlparse, urlunparse
 from cryptography.hazmat.primitives.asymmetric.ec import EllipticCurvePrivateKey
 from cryptography.hazmat.primitives.asymmetric.rsa import RSAPrivateKey
 from cryptography.hazmat.primitives.asymmetric.types import PrivateKeyTypes
 from dacite import Config
 from dacite.core import from_dict
 from django.contrib.postgres.indexes import HashIndex
 from django.db import models
 from django.http import HttpRequest
 from django.templatetags.static import static
@ -76,11 +78,25 @@ class IssuerMode(models.TextChoices):
    """Configure how the `iss` field is created."""
    GLOBAL = "global", _("Same identifier is used for all providers")
-    PER_PROVIDER = "per_provider", _(
+    PER_PROVIDER = (
-        "Each provider has a different issuer, based on the application slug."
+        "per_provider",
        _("Each provider has a different issuer, based on the application slug."),
    )
 class RedirectURIMatchingMode(models.TextChoices):
    STRICT = "strict", _("Strict URL comparison")
    REGEX = "regex", _("Regular Expression URL matching")
@dataclass
 class RedirectURI:
    """A single redirect URI entry"""
    matching_mode: RedirectURIMatchingMode
    url: str
 class ResponseTypes(models.TextChoices):
    """Response Type required by the client."""
@ -155,11 +171,9 @@ class OAuth2Provider(WebfingerProvider, Provider):
        verbose_name=_("Client Secret"),
        default=generate_client_secret,
    )
-    redirect_uris = models.TextField(
+    _redirect_uris = models.JSONField(
-        default="",
+        default=dict,
        blank=True,
        verbose_name=_("Redirect URIs"),
        help_text=_("Enter each URI on a new line."),
    )
    include_claims_in_id_token = models.BooleanField(
@ -270,12 +284,33 @@ class OAuth2Provider(WebfingerProvider, Provider):
        except Provider.application.RelatedObjectDoesNotExist:
            return None
    @property
    def redirect_uris(self) -> list[RedirectURI]:
        uris = []
        for entry in self._redirect_uris:
            uris.append(
                from_dict(
                    RedirectURI,
                    entry,
                    config=Config(type_hooks={RedirectURIMatchingMode: RedirectURIMatchingMode}),
                )
            )
        return uris
    @redirect_uris.setter
    def redirect_uris(self, value: list[RedirectURI]):
        cleansed = []
        for entry in value:
            cleansed.append(asdict(entry))
        self._redirect_uris = cleansed
    @property
    def launch_url(self) -> str | None:
        """Guess launch_url based on first redirect_uri"""
-        if self.redirect_uris == "":
+        redirects = self.redirect_uris
        if len(redirects) < 1:
            return None
-        main_url = self.redirect_uris.split("\n", maxsplit=1)[0]
+        main_url = redirects[0].url
        try:
            launch_url = urlparse(main_url)._replace(path="")
            return urlunparse(launch_url)
@ -418,7 +453,7 @@ class AccessToken(SerializerModel, ExpiringModel, BaseGrantModel):
    class Meta:
        indexes = [
-            models.Index(fields=["token", "provider"]),
+            HashIndex(fields=["token"]),
        ]
        verbose_name = _("OAuth2 Access Token")
        verbose_name_plural = _("OAuth2 Access Tokens")
@ -464,7 +499,7 @@ class RefreshToken(SerializerModel, ExpiringModel, BaseGrantModel):
    class Meta:
        indexes = [
-            models.Index(fields=["token", "provider"]),
+            HashIndex(fields=["token"]),
        ]
        verbose_name = _("OAuth2 Refresh Token")
        verbose_name_plural = _("OAuth2 Refresh Tokens")
--- a/authentik/providers/oauth2/tests/test_api.py
+++ b/authentik/providers/oauth2/tests/test_api.py
@ -10,7 +10,13 @@ from rest_framework.test import APITestCase
 from authentik.blueprints.tests import apply_blueprint
 from authentik.core.models import Application
 from authentik.core.tests.utils import create_test_admin_user, create_test_flow
-from authentik.providers.oauth2.models import OAuth2Provider, ScopeMapping
+from authentik.lib.generators import generate_id
 from authentik.providers.oauth2.models import (
    OAuth2Provider,
    RedirectURI,
    RedirectURIMatchingMode,
    ScopeMapping,
 )
 class TestAPI(APITestCase):
@ -21,7 +27,7 @@ class TestAPI(APITestCase):
        self.provider: OAuth2Provider = OAuth2Provider.objects.create(
            name="test",
            authorization_flow=create_test_flow(),
-            redirect_uris="http://testserver",
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://testserver")],
        )
        self.provider.property_mappings.set(ScopeMapping.objects.all())
        self.app = Application.objects.create(name="test", slug="test", provider=self.provider)
@ -50,9 +56,29 @@ class TestAPI(APITestCase):
    @skipUnless(version_info >= (3, 11, 4), "This behaviour is only Python 3.11.4 and up")
    def test_launch_url(self):
        """Test launch_url"""
-        self.provider.redirect_uris = (
+        self.provider.redirect_uris = [
-            "https://[\\d\\w]+.pr.test.goauthentik.io/source/oauth/callback/authentik/\n"
+            RedirectURI(
-        )
+                RedirectURIMatchingMode.REGEX,
                "https://[\\d\\w]+.pr.test.goauthentik.io/source/oauth/callback/authentik/",
            ),
        ]
        self.provider.save()
        self.provider.refresh_from_db()
        self.assertIsNone(self.provider.launch_url)
    def test_validate_redirect_uris(self):
        """Test redirect_uris API"""
        response = self.client.post(
            reverse("authentik_api:oauth2provider-list"),
            data={
                "name": generate_id(),
                "authorization_flow": create_test_flow().pk,
                "invalidation_flow": create_test_flow().pk,
                "redirect_uris": [
                    {"matching_mode": "strict", "url": "http://goauthentik.io"},
                    {"matching_mode": "regex", "url": "**"},
                ],
            },
        )
        self.assertJSONEqual(response.content, {"redirect_uris": ["Invalid Regex Pattern: **"]})
        self.assertEqual(response.status_code, 400)
--- a/authentik/providers/oauth2/tests/test_authorize.py
+++ b/authentik/providers/oauth2/tests/test_authorize.py
@ -19,6 +19,8 @@ from authentik.providers.oauth2.models import (
    AuthorizationCode,
    GrantTypes,
    OAuth2Provider,
    RedirectURI,
    RedirectURIMatchingMode,
    ScopeMapping,
 )
 from authentik.providers.oauth2.tests.utils import OAuthTestCase
@ -39,7 +41,7 @@ class TestAuthorize(OAuthTestCase):
            name=generate_id(),
            client_id="test",
            authorization_flow=create_test_flow(),
-            redirect_uris="http://local.invalid/Foo",
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid/Foo")],
        )
        with self.assertRaises(AuthorizeError):
            request = self.factory.get(
@ -64,7 +66,7 @@ class TestAuthorize(OAuthTestCase):
            name=generate_id(),
            client_id="test",
            authorization_flow=create_test_flow(),
-            redirect_uris="http://local.invalid/Foo",
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid/Foo")],
        )
        with self.assertRaises(AuthorizeError):
            request = self.factory.get(
@ -84,7 +86,7 @@ class TestAuthorize(OAuthTestCase):
            name=generate_id(),
            client_id="test",
            authorization_flow=create_test_flow(),
-            redirect_uris="http://local.invalid",
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")],
        )
        with self.assertRaises(RedirectUriError):
            request = self.factory.get("/", data={"response_type": "code", "client_id": "test"})
@ -106,7 +108,7 @@ class TestAuthorize(OAuthTestCase):
            name=generate_id(),
            client_id="test",
            authorization_flow=create_test_flow(),
-            redirect_uris="data:local.invalid",
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "data:local.invalid")],
        )
        with self.assertRaises(RedirectUriError):
            request = self.factory.get(
@ -125,7 +127,7 @@ class TestAuthorize(OAuthTestCase):
            name=generate_id(),
            client_id="test",
            authorization_flow=create_test_flow(),
-            redirect_uris="",
+            redirect_uris=[],
        )
        with self.assertRaises(RedirectUriError):
            request = self.factory.get("/", data={"response_type": "code", "client_id": "test"})
@ -140,7 +142,7 @@ class TestAuthorize(OAuthTestCase):
        )
        OAuthAuthorizationParams.from_request(request)
        provider.refresh_from_db()
-        self.assertEqual(provider.redirect_uris, "+")
+        self.assertEqual(provider.redirect_uris, [RedirectURI(RedirectURIMatchingMode.STRICT, "+")])
    def test_invalid_redirect_uri_regex(self):
        """test missing/invalid redirect URI"""
@ -148,7 +150,7 @@ class TestAuthorize(OAuthTestCase):
            name=generate_id(),
            client_id="test",
            authorization_flow=create_test_flow(),
-            redirect_uris="http://local.invalid?",
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid?")],
        )
        with self.assertRaises(RedirectUriError):
            request = self.factory.get("/", data={"response_type": "code", "client_id": "test"})
@ -170,7 +172,7 @@ class TestAuthorize(OAuthTestCase):
            name=generate_id(),
            client_id="test",
            authorization_flow=create_test_flow(),
-            redirect_uris="+",
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "+")],
        )
        with self.assertRaises(RedirectUriError):
            request = self.factory.get("/", data={"response_type": "code", "client_id": "test"})
@ -213,7 +215,7 @@ class TestAuthorize(OAuthTestCase):
            name=generate_id(),
            client_id="test",
            authorization_flow=create_test_flow(),
-            redirect_uris="http://local.invalid/Foo",
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid/Foo")],
        )
        provider.property_mappings.set(
            ScopeMapping.objects.filter(
@ -301,7 +303,7 @@ class TestAuthorize(OAuthTestCase):
            name=generate_id(),
            client_id="test",
            authorization_flow=flow,
-            redirect_uris="foo://localhost",
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "foo://localhost")],
            access_code_validity="seconds=100",
        )
        Application.objects.create(name="app", slug="app", provider=provider)
@ -343,7 +345,7 @@ class TestAuthorize(OAuthTestCase):
            name=generate_id(),
            client_id="test",
            authorization_flow=flow,
-            redirect_uris="http://localhost",
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost")],
            signing_key=self.keypair,
        )
        provider.property_mappings.set(
@ -420,7 +422,7 @@ class TestAuthorize(OAuthTestCase):
            name=generate_id(),
            client_id="test",
            authorization_flow=flow,
-            redirect_uris="http://localhost",
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost")],
            signing_key=self.keypair,
            encryption_key=self.keypair,
        )
@ -486,7 +488,7 @@ class TestAuthorize(OAuthTestCase):
            name=generate_id(),
            client_id="test",
            authorization_flow=flow,
-            redirect_uris="http://localhost",
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost")],
            signing_key=self.keypair,
        )
        Application.objects.create(name="app", slug="app", provider=provider)
@ -541,7 +543,7 @@ class TestAuthorize(OAuthTestCase):
            name=generate_id(),
            client_id=generate_id(),
            authorization_flow=flow,
-            redirect_uris="http://localhost",
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost")],
            signing_key=self.keypair,
        )
        provider.property_mappings.set(
@ -599,7 +601,7 @@ class TestAuthorize(OAuthTestCase):
            name=generate_id(),
            client_id=generate_id(),
            authorization_flow=flow,
-            redirect_uris="http://localhost",
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost")],
            signing_key=self.keypair,
        )
        app = Application.objects.create(name=generate_id(), slug=generate_id(), provider=provider)
--- a/authentik/providers/oauth2/tests/test_device_init.py
+++ b/authentik/providers/oauth2/tests/test_device_init.py
@ -3,6 +3,7 @@
 from urllib.parse import urlencode
 from django.urls import reverse
 from rest_framework.test import APIClient
 from authentik.core.models import Application, Group
 from authentik.core.tests.utils import create_test_admin_user, create_test_brand, create_test_flow
@ -34,7 +35,10 @@ class TesOAuth2DeviceInit(OAuthTestCase):
        self.brand.flow_device_code = self.device_flow
        self.brand.save()
-    def test_device_init(self):
+        self.api_client = APIClient()
        self.api_client.force_login(self.user)
    def test_device_init_get(self):
        """Test device init"""
        res = self.client.get(reverse("authentik_providers_oauth2_root:device-login"))
        self.assertEqual(res.status_code, 302)
@ -48,6 +52,76 @@ class TesOAuth2DeviceInit(OAuthTestCase):
            ),
        )
    def test_device_init_post(self):
        """Test device init"""
        res = self.api_client.get(reverse("authentik_providers_oauth2_root:device-login"))
        self.assertEqual(res.status_code, 302)
        self.assertEqual(
            res.url,
            reverse(
                "authentik_core:if-flow",
                kwargs={
                    "flow_slug": self.device_flow.slug,
                },
            ),
        )
        res = self.api_client.get(
            reverse(
                "authentik_api:flow-executor",
                kwargs={
                    "flow_slug": self.device_flow.slug,
                },
            ),
        )
        self.assertEqual(res.status_code, 200)
        self.assertJSONEqual(
            res.content,
            {
                "component": "ak-provider-oauth2-device-code",
                "flow_info": {
                    "background": "/static/dist/assets/images/flow_background.jpg",
                    "cancel_url": "/flows/-/cancel/",
                    "layout": "stacked",
                    "title": self.device_flow.title,
                },
            },
        )
        provider = OAuth2Provider.objects.create(
            name=generate_id(),
            authorization_flow=create_test_flow(),
        )
        Application.objects.create(name=generate_id(), slug=generate_id(), provider=provider)
        token = DeviceToken.objects.create(
            provider=provider,
        )
        res = self.api_client.post(
            reverse(
                "authentik_api:flow-executor",
                kwargs={
                    "flow_slug": self.device_flow.slug,
                },
            ),
            data={
                "component": "ak-provider-oauth2-device-code",
                "code": token.user_code,
            },
        )
        self.assertEqual(res.status_code, 200)
        self.assertJSONEqual(
            res.content,
            {
                "component": "xak-flow-redirect",
                "to": reverse(
                    "authentik_core:if-flow",
                    kwargs={
                        "flow_slug": provider.authorization_flow.slug,
                    },
                ),
            },
        )
    def test_no_flow(self):
        """Test no flow"""
        self.brand.flow_device_code = None
--- a/authentik/providers/oauth2/tests/test_introspect.py
+++ b/authentik/providers/oauth2/tests/test_introspect.py
@ -11,7 +11,14 @@ from authentik.core.models import Application
 from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow
 from authentik.lib.generators import generate_id
 from authentik.providers.oauth2.constants import ACR_AUTHENTIK_DEFAULT
-from authentik.providers.oauth2.models import AccessToken, IDToken, OAuth2Provider, RefreshToken
+from authentik.providers.oauth2.models import (
    AccessToken,
    IDToken,
    OAuth2Provider,
    RedirectURI,
    RedirectURIMatchingMode,
    RefreshToken,
 )
 from authentik.providers.oauth2.tests.utils import OAuthTestCase
@ -23,7 +30,7 @@ class TesOAuth2Introspection(OAuthTestCase):
        self.provider: OAuth2Provider = OAuth2Provider.objects.create(
            name=generate_id(),
            authorization_flow=create_test_flow(),
-            redirect_uris="",
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "")],
            signing_key=create_test_cert(),
        )
        self.app = Application.objects.create(
@ -118,7 +125,7 @@ class TesOAuth2Introspection(OAuthTestCase):
        provider: OAuth2Provider = OAuth2Provider.objects.create(
            name=generate_id(),
            authorization_flow=create_test_flow(),
-            redirect_uris="",
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "")],
            signing_key=create_test_cert(),
        )
        auth = b64encode(f"{provider.client_id}:{provider.client_secret}".encode()).decode()
--- a/authentik/providers/oauth2/tests/test_jwks.py
+++ b/authentik/providers/oauth2/tests/test_jwks.py
@ -13,7 +13,7 @@ from authentik.core.tests.utils import create_test_cert, create_test_flow
 from authentik.crypto.builder import PrivateKeyAlg
 from authentik.crypto.models import CertificateKeyPair
 from authentik.lib.generators import generate_id
-from authentik.providers.oauth2.models import OAuth2Provider
+from authentik.providers.oauth2.models import OAuth2Provider, RedirectURI, RedirectURIMatchingMode
 from authentik.providers.oauth2.tests.utils import OAuthTestCase
 TEST_CORDS_CERT = """
@ -49,7 +49,7 @@ class TestJWKS(OAuthTestCase):
            name="test",
            client_id="test",
            authorization_flow=create_test_flow(),
-            redirect_uris="http://local.invalid",
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")],
            signing_key=create_test_cert(),
        )
        app = Application.objects.create(name="test", slug="test", provider=provider)
@ -68,7 +68,7 @@ class TestJWKS(OAuthTestCase):
            name="test",
            client_id="test",
            authorization_flow=create_test_flow(),
-            redirect_uris="http://local.invalid",
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")],
        )
        app = Application.objects.create(name="test", slug="test", provider=provider)
        response = self.client.get(
@ -82,7 +82,7 @@ class TestJWKS(OAuthTestCase):
            name="test",
            client_id="test",
            authorization_flow=create_test_flow(),
-            redirect_uris="http://local.invalid",
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")],
            signing_key=create_test_cert(PrivateKeyAlg.ECDSA),
        )
        app = Application.objects.create(name="test", slug="test", provider=provider)
@ -99,7 +99,7 @@ class TestJWKS(OAuthTestCase):
            name="test",
            client_id="test",
            authorization_flow=create_test_flow(),
-            redirect_uris="http://local.invalid",
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")],
            signing_key=create_test_cert(PrivateKeyAlg.ECDSA),
            encryption_key=create_test_cert(PrivateKeyAlg.ECDSA),
        )
@ -122,7 +122,7 @@ class TestJWKS(OAuthTestCase):
            name="test",
            client_id="test",
            authorization_flow=create_test_flow(),
-            redirect_uris="http://local.invalid",
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")],
            signing_key=cert,
        )
        app = Application.objects.create(name="test", slug="test", provider=provider)
--- a/authentik/providers/oauth2/tests/test_revoke.py
+++ b/authentik/providers/oauth2/tests/test_revoke.py
@ -10,7 +10,14 @@ from django.utils import timezone
 from authentik.core.models import Application
 from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow
 from authentik.lib.generators import generate_id
-from authentik.providers.oauth2.models import AccessToken, IDToken, OAuth2Provider, RefreshToken
+from authentik.providers.oauth2.models import (
    AccessToken,
    IDToken,
    OAuth2Provider,
    RedirectURI,
    RedirectURIMatchingMode,
    RefreshToken,
 )
 from authentik.providers.oauth2.tests.utils import OAuthTestCase
@ -22,7 +29,7 @@ class TesOAuth2Revoke(OAuthTestCase):
        self.provider: OAuth2Provider = OAuth2Provider.objects.create(
            name=generate_id(),
            authorization_flow=create_test_flow(),
-            redirect_uris="",
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "")],
            signing_key=create_test_cert(),
        )
        self.app = Application.objects.create(
--- a/authentik/providers/oauth2/tests/test_token.py
+++ b/authentik/providers/oauth2/tests/test_token.py
@ -22,6 +22,8 @@ from authentik.providers.oauth2.models import (
    AccessToken,
    AuthorizationCode,
    OAuth2Provider,
    RedirectURI,
    RedirectURIMatchingMode,
    RefreshToken,
    ScopeMapping,
 )
@ -42,7 +44,7 @@ class TestToken(OAuthTestCase):
        provider = OAuth2Provider.objects.create(
            name=generate_id(),
            authorization_flow=create_test_flow(),
-            redirect_uris="http://TestServer",
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://TestServer")],
            signing_key=self.keypair,
        )
        header = b64encode(f"{provider.client_id}:{provider.client_secret}".encode()).decode()
@ -69,7 +71,7 @@ class TestToken(OAuthTestCase):
        provider = OAuth2Provider.objects.create(
            name=generate_id(),
            authorization_flow=create_test_flow(),
-            redirect_uris="http://testserver",
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://testserver")],
            signing_key=self.keypair,
        )
        header = b64encode(f"{provider.client_id}:{provider.client_secret}".encode()).decode()
@ -90,7 +92,7 @@ class TestToken(OAuthTestCase):
        provider = OAuth2Provider.objects.create(
            name=generate_id(),
            authorization_flow=create_test_flow(),
-            redirect_uris="http://local.invalid",
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")],
            signing_key=self.keypair,
        )
        header = b64encode(f"{provider.client_id}:{provider.client_secret}".encode()).decode()
@ -118,7 +120,7 @@ class TestToken(OAuthTestCase):
        provider = OAuth2Provider.objects.create(
            name=generate_id(),
            authorization_flow=create_test_flow(),
-            redirect_uris="http://local.invalid",
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")],
            signing_key=self.keypair,
        )
        # Needs to be assigned to an application for iss to be set
@ -157,7 +159,7 @@ class TestToken(OAuthTestCase):
        provider = OAuth2Provider.objects.create(
            name=generate_id(),
            authorization_flow=create_test_flow(),
-            redirect_uris="http://local.invalid",
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")],
            signing_key=self.keypair,
            encryption_key=self.keypair,
        )
@ -188,7 +190,7 @@ class TestToken(OAuthTestCase):
        provider = OAuth2Provider.objects.create(
            name=generate_id(),
            authorization_flow=create_test_flow(),
-            redirect_uris="http://local.invalid",
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")],
            signing_key=self.keypair,
        )
        provider.property_mappings.set(
@ -250,7 +252,7 @@ class TestToken(OAuthTestCase):
        provider = OAuth2Provider.objects.create(
            name=generate_id(),
            authorization_flow=create_test_flow(),
-            redirect_uris="http://local.invalid",
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")],
            signing_key=self.keypair,
        )
        provider.property_mappings.set(
@ -308,7 +310,7 @@ class TestToken(OAuthTestCase):
        provider = OAuth2Provider.objects.create(
            name=generate_id(),
            authorization_flow=create_test_flow(),
-            redirect_uris="http://testserver",
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://testserver")],
            signing_key=self.keypair,
        )
        provider.property_mappings.set(
--- a/authentik/providers/oauth2/tests/test_token_cc_jwt_source.py
+++ b/authentik/providers/oauth2/tests/test_token_cc_jwt_source.py
@ -19,7 +19,12 @@ from authentik.providers.oauth2.constants import (
    SCOPE_OPENID_PROFILE,
    TOKEN_TYPE,
 )
-from authentik.providers.oauth2.models import OAuth2Provider, ScopeMapping
+from authentik.providers.oauth2.models import (
    OAuth2Provider,
    RedirectURI,
    RedirectURIMatchingMode,
    ScopeMapping,
 )
 from authentik.providers.oauth2.tests.utils import OAuthTestCase
 from authentik.providers.oauth2.views.jwks import JWKSView
 from authentik.sources.oauth.models import OAuthSource
@ -54,7 +59,7 @@ class TestTokenClientCredentialsJWTSource(OAuthTestCase):
        self.provider: OAuth2Provider = OAuth2Provider.objects.create(
            name="test",
            authorization_flow=create_test_flow(),
-            redirect_uris="http://testserver",
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://testserver")],
            signing_key=self.cert,
        )
        self.provider.jwks_sources.add(self.source)
--- a/authentik/providers/oauth2/tests/test_token_cc_standard.py
+++ b/authentik/providers/oauth2/tests/test_token_cc_standard.py
@ -19,7 +19,13 @@ from authentik.providers.oauth2.constants import (
    TOKEN_TYPE,
 )
 from authentik.providers.oauth2.errors import TokenError
-from authentik.providers.oauth2.models import OAuth2Provider, ScopeMapping
+from authentik.providers.oauth2.models import (
    AccessToken,
    OAuth2Provider,
    RedirectURI,
    RedirectURIMatchingMode,
    ScopeMapping,
 )
 from authentik.providers.oauth2.tests.utils import OAuthTestCase
@ -33,7 +39,7 @@ class TestTokenClientCredentialsStandard(OAuthTestCase):
        self.provider = OAuth2Provider.objects.create(
            name="test",
            authorization_flow=create_test_flow(),
-            redirect_uris="http://testserver",
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://testserver")],
            signing_key=create_test_cert(),
        )
        self.provider.property_mappings.set(ScopeMapping.objects.all())
@ -107,6 +113,48 @@ class TestTokenClientCredentialsStandard(OAuthTestCase):
            {"error": "invalid_grant", "error_description": TokenError.errors["invalid_grant"]},
        )
    def test_incorrect_scopes(self):
        """test scope that isn't configured"""
        response = self.client.post(
            reverse("authentik_providers_oauth2:token"),
            {
                "grant_type": GRANT_TYPE_CLIENT_CREDENTIALS,
                "scope": f"{SCOPE_OPENID} {SCOPE_OPENID_EMAIL} {SCOPE_OPENID_PROFILE} extra_scope",
                "client_id": self.provider.client_id,
                "client_secret": self.provider.client_secret,
            },
        )
        self.assertEqual(response.status_code, 200)
        body = loads(response.content.decode())
        self.assertEqual(body["token_type"], TOKEN_TYPE)
        token = AccessToken.objects.filter(
            provider=self.provider, token=body["access_token"]
        ).first()
        self.assertSetEqual(
            set(token.scope), {SCOPE_OPENID, SCOPE_OPENID_EMAIL, SCOPE_OPENID_PROFILE}
        )
        _, alg = self.provider.jwt_key
        jwt = decode(
            body["access_token"],
            key=self.provider.signing_key.public_key,
            algorithms=[alg],
            audience=self.provider.client_id,
        )
        self.assertEqual(
            jwt["given_name"], "Autogenerated user from application test (client credentials)"
        )
        self.assertEqual(jwt["preferred_username"], "ak-test-client_credentials")
        jwt = decode(
            body["id_token"],
            key=self.provider.signing_key.public_key,
            algorithms=[alg],
            audience=self.provider.client_id,
        )
        self.assertEqual(
            jwt["given_name"], "Autogenerated user from application test (client credentials)"
        )
        self.assertEqual(jwt["preferred_username"], "ak-test-client_credentials")
    def test_successful(self):
        """test successful"""
        response = self.client.post(
--- a/authentik/providers/oauth2/tests/test_token_cc_standard_compat.py
+++ b/authentik/providers/oauth2/tests/test_token_cc_standard_compat.py
@ -20,7 +20,12 @@ from authentik.providers.oauth2.constants import (
    TOKEN_TYPE,
 )
 from authentik.providers.oauth2.errors import TokenError
-from authentik.providers.oauth2.models import OAuth2Provider, ScopeMapping
+from authentik.providers.oauth2.models import (
    OAuth2Provider,
    RedirectURI,
    RedirectURIMatchingMode,
    ScopeMapping,
 )
 from authentik.providers.oauth2.tests.utils import OAuthTestCase
@ -34,7 +39,7 @@ class TestTokenClientCredentialsStandardCompat(OAuthTestCase):
        self.provider = OAuth2Provider.objects.create(
            name="test",
            authorization_flow=create_test_flow(),
-            redirect_uris="http://testserver",
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://testserver")],
            signing_key=create_test_cert(),
        )
        self.provider.property_mappings.set(ScopeMapping.objects.all())
--- a/authentik/providers/oauth2/tests/test_token_cc_user_pw.py
+++ b/authentik/providers/oauth2/tests/test_token_cc_user_pw.py
@ -19,7 +19,12 @@ from authentik.providers.oauth2.constants import (
    TOKEN_TYPE,
 )
 from authentik.providers.oauth2.errors import TokenError
-from authentik.providers.oauth2.models import OAuth2Provider, ScopeMapping
+from authentik.providers.oauth2.models import (
    OAuth2Provider,
    RedirectURI,
    RedirectURIMatchingMode,
    ScopeMapping,
 )
 from authentik.providers.oauth2.tests.utils import OAuthTestCase
@ -33,7 +38,7 @@ class TestTokenClientCredentialsUserNamePassword(OAuthTestCase):
        self.provider = OAuth2Provider.objects.create(
            name="test",
            authorization_flow=create_test_flow(),
-            redirect_uris="http://testserver",
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://testserver")],
            signing_key=create_test_cert(),
        )
        self.provider.property_mappings.set(ScopeMapping.objects.all())
--- a/authentik/providers/oauth2/tests/test_token_device.py
+++ b/authentik/providers/oauth2/tests/test_token_device.py
@ -9,8 +9,19 @@ from authentik.blueprints.tests import apply_blueprint
 from authentik.core.models import Application
 from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow
 from authentik.lib.generators import generate_code_fixed_length, generate_id
-from authentik.providers.oauth2.constants import GRANT_TYPE_DEVICE_CODE
+from authentik.providers.oauth2.constants import (
-from authentik.providers.oauth2.models import DeviceToken, OAuth2Provider, ScopeMapping
+    GRANT_TYPE_DEVICE_CODE,
    SCOPE_OPENID,
    SCOPE_OPENID_EMAIL,
 )
 from authentik.providers.oauth2.models import (
    AccessToken,
    DeviceToken,
    OAuth2Provider,
    RedirectURI,
    RedirectURIMatchingMode,
    ScopeMapping,
 )
 from authentik.providers.oauth2.tests.utils import OAuthTestCase
@ -24,7 +35,7 @@ class TestTokenDeviceCode(OAuthTestCase):
        self.provider = OAuth2Provider.objects.create(
            name="test",
            authorization_flow=create_test_flow(),
-            redirect_uris="http://testserver",
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://testserver")],
            signing_key=create_test_cert(),
        )
        self.provider.property_mappings.set(ScopeMapping.objects.all())
@ -80,3 +91,28 @@ class TestTokenDeviceCode(OAuthTestCase):
            },
        )
        self.assertEqual(res.status_code, 200)
    def test_code_mismatched_scope(self):
        """Test code with user (mismatched scopes)"""
        device_token = DeviceToken.objects.create(
            provider=self.provider,
            user_code=generate_code_fixed_length(),
            device_code=generate_id(),
            user=self.user,
            scope=[SCOPE_OPENID, SCOPE_OPENID_EMAIL],
        )
        res = self.client.post(
            reverse("authentik_providers_oauth2:token"),
            data={
                "client_id": self.provider.client_id,
                "grant_type": GRANT_TYPE_DEVICE_CODE,
                "device_code": device_token.device_code,
                "scope": f"{SCOPE_OPENID} {SCOPE_OPENID_EMAIL} invalid",
            },
        )
        self.assertEqual(res.status_code, 200)
        body = loads(res.content)
        token = AccessToken.objects.filter(
            provider=self.provider, token=body["access_token"]
        ).first()
        self.assertSetEqual(set(token.scope), {SCOPE_OPENID, SCOPE_OPENID_EMAIL})
--- a/authentik/providers/oauth2/tests/test_token_pkce.py
+++ b/authentik/providers/oauth2/tests/test_token_pkce.py
@ -10,7 +10,12 @@ from authentik.core.models import Application
 from authentik.core.tests.utils import create_test_admin_user, create_test_flow
 from authentik.lib.generators import generate_id
 from authentik.providers.oauth2.constants import GRANT_TYPE_AUTHORIZATION_CODE
-from authentik.providers.oauth2.models import AuthorizationCode, OAuth2Provider
+from authentik.providers.oauth2.models import (
    AuthorizationCode,
    OAuth2Provider,
    RedirectURI,
    RedirectURIMatchingMode,
 )
 from authentik.providers.oauth2.tests.utils import OAuthTestCase
@ -30,7 +35,7 @@ class TestTokenPKCE(OAuthTestCase):
            name=generate_id(),
            client_id="test",
            authorization_flow=flow,
-            redirect_uris="foo://localhost",
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "foo://localhost")],
            access_code_validity="seconds=100",
        )
        Application.objects.create(name="app", slug="app", provider=provider)
@ -93,7 +98,7 @@ class TestTokenPKCE(OAuthTestCase):
            name=generate_id(),
            client_id="test",
            authorization_flow=flow,
-            redirect_uris="foo://localhost",
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "foo://localhost")],
            access_code_validity="seconds=100",
        )
        Application.objects.create(name="app", slug="app", provider=provider)
@ -154,7 +159,7 @@ class TestTokenPKCE(OAuthTestCase):
            name=generate_id(),
            client_id="test",
            authorization_flow=flow,
-            redirect_uris="foo://localhost",
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "foo://localhost")],
            access_code_validity="seconds=100",
        )
        Application.objects.create(name="app", slug="app", provider=provider)
@ -210,7 +215,7 @@ class TestTokenPKCE(OAuthTestCase):
            name=generate_id(),
            client_id="test",
            authorization_flow=flow,
-            redirect_uris="foo://localhost",
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "foo://localhost")],
            access_code_validity="seconds=100",
        )
        Application.objects.create(name="app", slug="app", provider=provider)
--- a/authentik/providers/oauth2/tests/test_userinfo.py
+++ b/authentik/providers/oauth2/tests/test_userinfo.py
@ -11,7 +11,14 @@ from authentik.core.models import Application
 from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow
 from authentik.events.models import Event, EventAction
 from authentik.lib.generators import generate_id
-from authentik.providers.oauth2.models import AccessToken, IDToken, OAuth2Provider, ScopeMapping
+from authentik.providers.oauth2.models import (
    AccessToken,
    IDToken,
    OAuth2Provider,
    RedirectURI,
    RedirectURIMatchingMode,
    ScopeMapping,
 )
 from authentik.providers.oauth2.tests.utils import OAuthTestCase
@ -25,7 +32,7 @@ class TestUserinfo(OAuthTestCase):
        self.provider: OAuth2Provider = OAuth2Provider.objects.create(
            name=generate_id(),
            authorization_flow=create_test_flow(),
-            redirect_uris="",
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "")],
            signing_key=create_test_cert(),
        )
        self.provider.property_mappings.set(ScopeMapping.objects.all())
--- a/authentik/providers/oauth2/views/authorize.py
+++ b/authentik/providers/oauth2/views/authorize.py
@ -56,6 +56,8 @@ from authentik.providers.oauth2.models import (
    AuthorizationCode,
    GrantTypes,
    OAuth2Provider,
    RedirectURI,
    RedirectURIMatchingMode,
    ResponseMode,
    ResponseTypes,
    ScopeMapping,
@ -187,40 +189,39 @@ class OAuthAuthorizationParams:
    def check_redirect_uri(self):
        """Redirect URI validation."""
-        allowed_redirect_urls = self.provider.redirect_uris.split()
+        allowed_redirect_urls = self.provider.redirect_uris
        if not self.redirect_uri:
            LOGGER.warning("Missing redirect uri.")
            raise RedirectUriError("", allowed_redirect_urls)
-        if self.provider.redirect_uris == "":
+        if len(allowed_redirect_urls) < 1:
            LOGGER.info("Setting redirect for blank redirect_uris", redirect=self.redirect_uri)
-            self.provider.redirect_uris = self.redirect_uri
+            self.provider.redirect_uris = [
                RedirectURI(RedirectURIMatchingMode.STRICT, self.redirect_uri)
            ]
            self.provider.save()
-            allowed_redirect_urls = self.provider.redirect_uris.split()
+            allowed_redirect_urls = self.provider.redirect_uris
-        if self.provider.redirect_uris == "*":
+        match_found = False
-            LOGGER.info("Converting redirect_uris to regex", redirect=self.redirect_uri)
+        for allowed in allowed_redirect_urls:
-            self.provider.redirect_uris = ".*"
+            if allowed.matching_mode == RedirectURIMatchingMode.STRICT:
-            self.provider.save()
+                if self.redirect_uri == allowed.url:
-            allowed_redirect_urls = self.provider.redirect_uris.split()
+                    match_found = True
-
+                    break
-        try:
+            if allowed.matching_mode == RedirectURIMatchingMode.REGEX:
-            if not any(fullmatch(x, self.redirect_uri) for x in allowed_redirect_urls):
+                try:
-                LOGGER.warning(
+                    if fullmatch(allowed.url, self.redirect_uri):
-                    "Invalid redirect uri (regex comparison)",
+                        match_found = True
-                    redirect_uri_given=self.redirect_uri,
+                        break
-                    redirect_uri_expected=allowed_redirect_urls,
+                except RegexError as exc:
-                )
+                    LOGGER.warning(
-                raise RedirectUriError(self.redirect_uri, allowed_redirect_urls)
+                        "Failed to parse regular expression",
-        except RegexError as exc:
+                        exc=exc,
-            LOGGER.info("Failed to parse regular expression, checking directly", exc=exc)
+                        url=allowed.url,
-            if not any(x == self.redirect_uri for x in allowed_redirect_urls):
+                        provider=self.provider,
-                LOGGER.warning(
+                    )
-                    "Invalid redirect uri (strict comparison)",
+        if not match_found:
-                    redirect_uri_given=self.redirect_uri,
+            raise RedirectUriError(self.redirect_uri, allowed_redirect_urls)
                    redirect_uri_expected=allowed_redirect_urls,
                )
                raise RedirectUriError(self.redirect_uri, allowed_redirect_urls) from None
        # Check against forbidden schemes
        if urlparse(self.redirect_uri).scheme in FORBIDDEN_URI_SCHEMES:
            raise RedirectUriError(self.redirect_uri, allowed_redirect_urls)
--- a/authentik/providers/oauth2/views/device_init.py
+++ b/authentik/providers/oauth2/views/device_init.py
@ -5,7 +5,7 @@ from typing import Any
 from django.http import HttpRequest, HttpResponse
 from django.utils.translation import gettext as _
 from rest_framework.exceptions import ValidationError
-from rest_framework.fields import CharField, IntegerField
+from rest_framework.fields import CharField
 from structlog.stdlib import get_logger
 from authentik.brands.models import Brand
@ -47,6 +47,9 @@ class CodeValidatorView(PolicyAccessView):
        self.provider = self.token.provider
        self.application = self.token.provider.application
    def post(self, request: HttpRequest, *args, **kwargs):
        return self.get(request, *args, **kwargs)
    def get(self, request: HttpRequest, *args, **kwargs):
        scope_descriptions = UserInfoView().get_scope_descriptions(self.token.scope, self.provider)
        planner = FlowPlanner(self.provider.authorization_flow)
@ -122,7 +125,7 @@ class OAuthDeviceCodeChallenge(Challenge):
 class OAuthDeviceCodeChallengeResponse(ChallengeResponse):
    """Response that includes the user-entered device code"""
-    code = IntegerField()
+    code = CharField()
    component = CharField(default="ak-provider-oauth2-device-code")
    def validate_code(self, code: int) -> HttpResponse | None:
--- a/authentik/providers/oauth2/views/provider.py
+++ b/authentik/providers/oauth2/views/provider.py
@ -162,5 +162,5 @@ class ProviderInfoView(View):
            OAuth2Provider, pk=application.provider_id
        )
        response = super().dispatch(request, *args, **kwargs)
-        cors_allow(request, response, *self.provider.redirect_uris.split("\n"))
+        cors_allow(request, response, *[x.url for x in self.provider.redirect_uris])
        return response
--- a/authentik/providers/oauth2/views/token.py
+++ b/authentik/providers/oauth2/views/token.py
@ -58,7 +58,9 @@ from authentik.providers.oauth2.models import (
    ClientTypes,
    DeviceToken,
    OAuth2Provider,
    RedirectURIMatchingMode,
    RefreshToken,
    ScopeMapping,
 )
 from authentik.providers.oauth2.utils import TokenResponse, cors_allow, extract_client_auth
 from authentik.providers.oauth2.views.authorize import FORBIDDEN_URI_SCHEMES
@ -77,7 +79,7 @@ class TokenParams:
    redirect_uri: str
    grant_type: str
    state: str
-    scope: list[str]
+    scope: set[str]
    provider: OAuth2Provider
@ -112,11 +114,26 @@ class TokenParams:
            redirect_uri=request.POST.get("redirect_uri", ""),
            grant_type=request.POST.get("grant_type", ""),
            state=request.POST.get("state", ""),
-            scope=request.POST.get("scope", "").split(),
+            scope=set(request.POST.get("scope", "").split()),
            # PKCE parameter.
            code_verifier=request.POST.get("code_verifier"),
        )
    def __check_scopes(self):
        allowed_scope_names = set(
            ScopeMapping.objects.filter(provider__in=[self.provider]).values_list(
                "scope_name", flat=True
            )
        )
        scopes_to_check = self.scope
        if not scopes_to_check.issubset(allowed_scope_names):
            LOGGER.info(
                "Application requested scopes not configured, setting to overlap",
                scope_allowed=allowed_scope_names,
                scope_given=self.scope,
            )
            self.scope = self.scope.intersection(allowed_scope_names)
    def __check_policy_access(self, app: Application, request: HttpRequest, **kwargs):
        with start_span(
            op="authentik.providers.oauth2.token.policy",
@ -149,7 +166,7 @@ class TokenParams:
                    client_id=self.provider.client_id,
                )
                raise TokenError("invalid_client")
-
+        self.__check_scopes()
        if self.grant_type == GRANT_TYPE_AUTHORIZATION_CODE:
            with start_span(
                op="authentik.providers.oauth2.post.parse.code",
@ -179,42 +196,7 @@ class TokenParams:
            LOGGER.warning("Missing authorization code")
            raise TokenError("invalid_grant")
-        allowed_redirect_urls = self.provider.redirect_uris.split()
+        self.__check_redirect_uri(request)
        # At this point, no provider should have a blank redirect_uri, in case they do
        # this will check an empty array and raise an error
        try:
            if not any(fullmatch(x, self.redirect_uri) for x in allowed_redirect_urls):
                LOGGER.warning(
                    "Invalid redirect uri (regex comparison)",
                    redirect_uri=self.redirect_uri,
                    expected=allowed_redirect_urls,
                )
                Event.new(
                    EventAction.CONFIGURATION_ERROR,
                    message="Invalid redirect URI used by provider",
                    provider=self.provider,
                    redirect_uri=self.redirect_uri,
                    expected=allowed_redirect_urls,
                ).from_http(request)
                raise TokenError("invalid_client")
        except RegexError as exc:
            LOGGER.info("Failed to parse regular expression, checking directly", exc=exc)
            if not any(x == self.redirect_uri for x in allowed_redirect_urls):
                LOGGER.warning(
                    "Invalid redirect uri (strict comparison)",
                    redirect_uri=self.redirect_uri,
                    expected=allowed_redirect_urls,
                )
                Event.new(
                    EventAction.CONFIGURATION_ERROR,
                    message="Invalid redirect_uri configured",
                    provider=self.provider,
                ).from_http(request)
                raise TokenError("invalid_client") from None
        # Check against forbidden schemes
        if urlparse(self.redirect_uri).scheme in FORBIDDEN_URI_SCHEMES:
            raise TokenError("invalid_request")
        self.authorization_code = AuthorizationCode.objects.filter(code=raw_code).first()
        if not self.authorization_code:
@ -254,6 +236,48 @@ class TokenParams:
        if not self.authorization_code.code_challenge and self.code_verifier:
            raise TokenError("invalid_grant")
    def __check_redirect_uri(self, request: HttpRequest):
        allowed_redirect_urls = self.provider.redirect_uris
        # At this point, no provider should have a blank redirect_uri, in case they do
        # this will check an empty array and raise an error
        match_found = False
        for allowed in allowed_redirect_urls:
            if allowed.matching_mode == RedirectURIMatchingMode.STRICT:
                if self.redirect_uri == allowed.url:
                    match_found = True
                    break
            if allowed.matching_mode == RedirectURIMatchingMode.REGEX:
                try:
                    if fullmatch(allowed.url, self.redirect_uri):
                        match_found = True
                        break
                except RegexError as exc:
                    LOGGER.warning(
                        "Failed to parse regular expression",
                        exc=exc,
                        url=allowed.url,
                        provider=self.provider,
                    )
                    Event.new(
                        EventAction.CONFIGURATION_ERROR,
                        message="Invalid redirect_uri configured",
                        provider=self.provider,
                    ).from_http(request)
        if not match_found:
            Event.new(
                EventAction.CONFIGURATION_ERROR,
                message="Invalid redirect URI used by provider",
                provider=self.provider,
                redirect_uri=self.redirect_uri,
                expected=allowed_redirect_urls,
            ).from_http(request)
            raise TokenError("invalid_client")
        # Check against forbidden schemes
        if urlparse(self.redirect_uri).scheme in FORBIDDEN_URI_SCHEMES:
            raise TokenError("invalid_request")
    def __post_init_refresh(self, raw_token: str, request: HttpRequest):
        if not raw_token:
            LOGGER.warning("Missing refresh token")
@ -497,7 +521,7 @@ class TokenView(View):
        response = super().dispatch(request, *args, **kwargs)
        allowed_origins = []
        if self.provider:
-            allowed_origins = self.provider.redirect_uris.split("\n")
+            allowed_origins = [x.url for x in self.provider.redirect_uris]
        cors_allow(self.request, response, *allowed_origins)
        return response
@ -710,7 +734,7 @@ class TokenView(View):
            "id_token": access_token.id_token.to_jwt(self.provider),
        }
-        if SCOPE_OFFLINE_ACCESS in self.params.scope:
+        if SCOPE_OFFLINE_ACCESS in self.params.device_code.scope:
            refresh_token_expiry = now + timedelta_from_string(self.provider.refresh_token_validity)
            refresh_token = RefreshToken(
                user=self.params.device_code.user,
--- a/authentik/providers/oauth2/views/userinfo.py
+++ b/authentik/providers/oauth2/views/userinfo.py
@ -108,7 +108,7 @@ class UserInfoView(View):
        response = super().dispatch(request, *args, **kwargs)
        allowed_origins = []
        if self.token:
-            allowed_origins = self.token.provider.redirect_uris.split("\n")
+            allowed_origins = [x.url for x in self.token.provider.redirect_uris]
        cors_allow(self.request, response, *allowed_origins)
        return response
--- a/authentik/providers/proxy/api.py
+++ b/authentik/providers/proxy/api.py
@ -13,6 +13,7 @@ from authentik.core.api.providers import ProviderSerializer
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import ModelSerializer, PassiveSerializer
 from authentik.lib.utils.time import timedelta_from_string
 from authentik.providers.oauth2.api.providers import RedirectURISerializer
 from authentik.providers.oauth2.models import ScopeMapping
 from authentik.providers.oauth2.views.provider import ProviderInfoView
 from authentik.providers.proxy.models import ProxyMode, ProxyProvider
@ -39,7 +40,7 @@ class ProxyProviderSerializer(ProviderSerializer):
    """ProxyProvider Serializer"""
    client_id = CharField(read_only=True)
-    redirect_uris = CharField(read_only=True)
+    redirect_uris = RedirectURISerializer(many=True, read_only=True, source="_redirect_uris")
    outpost_set = ListField(child=CharField(), read_only=True, source="outpost_set.all")
    def validate_basic_auth_enabled(self, value: bool) -> bool:
@ -121,7 +122,6 @@ class ProxyProviderViewSet(UsedByMixin, ModelViewSet):
        "basic_auth_password_attribute": ["iexact"],
        "basic_auth_user_attribute": ["iexact"],
        "mode": ["iexact"],
        "redirect_uris": ["iexact"],
        "cookie_domain": ["iexact"],
    }
    search_fields = ["name"]
--- a/authentik/providers/proxy/models.py
+++ b/authentik/providers/proxy/models.py
@ -13,7 +13,13 @@ from rest_framework.serializers import Serializer
 from authentik.crypto.models import CertificateKeyPair
 from authentik.lib.models import DomainlessURLValidator
 from authentik.outposts.models import OutpostModel
-from authentik.providers.oauth2.models import ClientTypes, OAuth2Provider, ScopeMapping
+from authentik.providers.oauth2.models import (
    ClientTypes,
    OAuth2Provider,
    RedirectURI,
    RedirectURIMatchingMode,
    ScopeMapping,
 )
 SCOPE_AK_PROXY = "ak_proxy"
 OUTPOST_CALLBACK_SIGNATURE = "X-authentik-auth-callback"
@ -24,14 +30,14 @@ def get_cookie_secret():
    return "".join(SystemRandom().choice(string.ascii_uppercase + string.digits) for _ in range(32))
-def _get_callback_url(uri: str) -> str:
+def _get_callback_url(uri: str) -> list[RedirectURI]:
-    return "\n".join(
+    return [
-        [
+        RedirectURI(
-            urljoin(uri, "outpost.goauthentik.io/callback")
+            RedirectURIMatchingMode.STRICT,
-            + f"\\?{OUTPOST_CALLBACK_SIGNATURE}=true",
+            urljoin(uri, "outpost.goauthentik.io/callback") + f"?{OUTPOST_CALLBACK_SIGNATURE}=true",
-            uri + f"\\?{OUTPOST_CALLBACK_SIGNATURE}=true",
+        ),
-        ]
+        RedirectURI(RedirectURIMatchingMode.STRICT, uri + f"?{OUTPOST_CALLBACK_SIGNATURE}=true"),
-    )
+    ]
 class ProxyMode(models.TextChoices):
--- a/authentik/providers/scim/clients/schema.py
+++ b/authentik/providers/scim/clients/schema.py
@ -19,6 +19,7 @@ SCIM_GROUP_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:Group"
 class User(BaseUser):
    """Modified User schema with added externalId field"""
    id: str | int | None = None
    schemas: list[str] = [SCIM_USER_SCHEMA]
    externalId: str | None = None
    meta: dict | None = None
@ -27,6 +28,7 @@ class User(BaseUser):
 class Group(BaseGroup):
    """Modified Group schema with added externalId field"""
    id: str | int | None = None
    schemas: list[str] = [SCIM_GROUP_SCHEMA]
    externalId: str | None = None
    meta: dict | None = None
--- a/authentik/rbac/api/rbac_roles.py
+++ b/authentik/rbac/api/rbac_roles.py
@ -53,7 +53,7 @@ class ExtraRoleObjectPermissionSerializer(RoleObjectPermissionSerializer):
        except LookupError:
            return None
        objects = get_objects_for_group(instance.group, f"{app_label}.view_{model}", model_class)
-        obj = objects.first()
+        obj = objects.filter(pk=instance.object_pk).first()
        if not obj:
            return None
        return str(obj)
--- a/authentik/rbac/api/rbac_users.py
+++ b/authentik/rbac/api/rbac_users.py
@ -53,7 +53,7 @@ class ExtraUserObjectPermissionSerializer(UserObjectPermissionSerializer):
        except LookupError:
            return None
        objects = get_objects_for_user(instance.user, f"{app_label}.view_{model}", model_class)
-        obj = objects.first()
+        obj = objects.filter(pk=instance.object_pk).first()
        if not obj:
            return None
        return str(obj)
--- a/authentik/root/monitoring.py
+++ b/authentik/root/monitoring.py
@ -1,6 +1,8 @@
 """Metrics view"""
-from base64 import b64encode
+from hmac import compare_digest
 from pathlib import Path
 from tempfile import gettempdir
 from django.conf import settings
 from django.db import connections
@ -16,22 +18,21 @@ monitoring_set = Signal()
 class MetricsView(View):
-    """Wrapper around ExportToDjangoView, using http-basic auth"""
+    """Wrapper around ExportToDjangoView with authentication, accessed by the authentik router"""
    def __init__(self, **kwargs):
        _tmp = Path(gettempdir())
        with open(_tmp / "authentik-core-metrics.key") as _f:
            self.monitoring_key = _f.read()
    def get(self, request: HttpRequest) -> HttpResponse:
        """Check for HTTP-Basic auth"""
        auth_header = request.META.get("HTTP_AUTHORIZATION", "")
        auth_type, _, given_credentials = auth_header.partition(" ")
-        credentials = f"monitor:{settings.SECRET_KEY}"
+        authed = auth_type == "Bearer" and compare_digest(given_credentials, self.monitoring_key)
        expected = b64encode(str.encode(credentials)).decode()
        authed = auth_type == "Basic" and given_credentials == expected
        if not authed and not settings.DEBUG:
-            response = HttpResponse(status=401)
+            return HttpResponse(status=401)
            response["WWW-Authenticate"] = 'Basic realm="authentik-monitoring"'
            return response
        monitoring_set.send_robust(self)
        return ExportToDjangoView(request)
--- a/authentik/root/settings.py
+++ b/authentik/root/settings.py
@ -12,7 +12,7 @@ from sentry_sdk import set_tag
 from xmlsec import enable_debug_trace
 from authentik import __version__
-from authentik.lib.config import CONFIG, redis_url
+from authentik.lib.config import CONFIG, django_db_config, redis_url
 from authentik.lib.logging import get_logger_config, structlog_configure
 from authentik.lib.sentry import sentry_init
 from authentik.lib.utils.reflection import get_env
@ -38,7 +38,6 @@ LANGUAGE_COOKIE_NAME = "authentik_language"
 SESSION_COOKIE_NAME = "authentik_session"
 SESSION_COOKIE_DOMAIN = CONFIG.get("cookie_domain", None)
 APPEND_SLASH = False
 X_FRAME_OPTIONS = "SAMEORIGIN"
 AUTHENTICATION_BACKENDS = [
    "django.contrib.auth.backends.ModelBackend",
@ -296,45 +295,7 @@ CHANNEL_LAYERS = {
 # https://docs.djangoproject.com/en/2.1/ref/settings/#databases
 ORIGINAL_BACKEND = "django_prometheus.db.backends.postgresql"
-DATABASES = {
+DATABASES = django_db_config()
    "default": {
        "ENGINE": "authentik.root.db",
        "HOST": CONFIG.get("postgresql.host"),
        "NAME": CONFIG.get("postgresql.name"),
        "USER": CONFIG.get("postgresql.user"),
        "PASSWORD": CONFIG.get("postgresql.password"),
        "PORT": CONFIG.get("postgresql.port"),
        "SSLMODE": CONFIG.get("postgresql.sslmode"),
        "SSLROOTCERT": CONFIG.get("postgresql.sslrootcert"),
        "SSLCERT": CONFIG.get("postgresql.sslcert"),
        "SSLKEY": CONFIG.get("postgresql.sslkey"),
        "TEST": {
            "NAME": CONFIG.get("postgresql.test.name"),
        },
    }
 }
 if CONFIG.get_bool("postgresql.use_pgpool", False):
    DATABASES["default"]["DISABLE_SERVER_SIDE_CURSORS"] = True
 if CONFIG.get_bool("postgresql.use_pgbouncer", False):
    # https://docs.djangoproject.com/en/4.0/ref/databases/#transaction-pooling-server-side-cursors
    DATABASES["default"]["DISABLE_SERVER_SIDE_CURSORS"] = True
    # https://docs.djangoproject.com/en/4.0/ref/databases/#persistent-connections
    DATABASES["default"]["CONN_MAX_AGE"] = None  # persistent
 for replica in CONFIG.get_keys("postgresql.read_replicas"):
    _database = DATABASES["default"].copy()
    for setting in DATABASES["default"].keys():
        default = object()
        if setting in ("TEST",):
            continue
        override = CONFIG.get(
            f"postgresql.read_replicas.{replica}.{setting.lower()}", default=default
        )
        if override is not default:
            _database[setting] = override
    DATABASES[f"replica_{replica}"] = _database
 DATABASE_ROUTERS = (
    "authentik.tenants.db.FailoverRouter",
--- a/authentik/root/tests.py
+++ b/authentik/root/tests.py
@ -1,8 +1,9 @@
 """root tests"""
-from base64 import b64encode
+from pathlib import Path
 from secrets import token_urlsafe
 from tempfile import gettempdir
 from django.conf import settings
 from django.test import TestCase
 from django.urls import reverse
@ -10,6 +11,16 @@ from django.urls import reverse
 class TestRoot(TestCase):
    """Test root application"""
    def setUp(self):
        _tmp = Path(gettempdir())
        self.token = token_urlsafe(32)
        with open(_tmp / "authentik-core-metrics.key", "w") as _f:
            _f.write(self.token)
    def tearDown(self):
        _tmp = Path(gettempdir())
        (_tmp / "authentik-core-metrics.key").unlink()
    def test_monitoring_error(self):
        """Test monitoring without any credentials"""
        response = self.client.get(reverse("metrics"))
@ -17,8 +28,7 @@ class TestRoot(TestCase):
    def test_monitoring_ok(self):
        """Test monitoring with credentials"""
-        creds = "Basic " + b64encode(f"monitor:{settings.SECRET_KEY}".encode()).decode("utf-8")
+        auth_headers = {"HTTP_AUTHORIZATION": f"Bearer {self.token}"}
        auth_headers = {"HTTP_AUTHORIZATION": creds}
        response = self.client.get(reverse("metrics"), **auth_headers)
        self.assertEqual(response.status_code, 200)
--- a/authentik/stages/authenticator_validate/stage.py
+++ b/authentik/stages/authenticator_validate/stage.py
@ -332,7 +332,7 @@ class AuthenticatorValidateStageView(ChallengeStageView):
            serializer = SelectableStageSerializer(
                data={
                    "pk": stage.pk,
-                    "name": getattr(stage, "friendly_name", stage.name),
+                    "name": getattr(stage, "friendly_name", stage.name) or stage.name,
                    "verbose_name": str(stage._meta.verbose_name)
                    .replace("Setup Stage", "")
                    .strip(),
--- a/authentik/stages/authenticator_validate/tests/test_stage.py
+++ b/authentik/stages/authenticator_validate/tests/test_stage.py
@ -4,6 +4,7 @@ from unittest.mock import MagicMock, patch
 from django.test.client import RequestFactory
 from django.urls.base import reverse
 from django.utils.timezone import now
 from authentik.core.tests.utils import create_test_admin_user, create_test_flow
 from authentik.flows.models import FlowDesignation, FlowStageBinding, NotConfiguredAction
@ -13,6 +14,7 @@ from authentik.flows.views.executor import SESSION_KEY_PLAN
 from authentik.lib.generators import generate_id, generate_key
 from authentik.stages.authenticator_duo.models import AuthenticatorDuoStage, DuoDevice
 from authentik.stages.authenticator_static.models import AuthenticatorStaticStage
 from authentik.stages.authenticator_totp.models import AuthenticatorTOTPStage, TOTPDigits
 from authentik.stages.authenticator_validate.api import AuthenticatorValidateStageSerializer
 from authentik.stages.authenticator_validate.models import AuthenticatorValidateStage, DeviceClasses
 from authentik.stages.authenticator_validate.stage import PLAN_CONTEXT_DEVICE_CHALLENGES
@ -76,8 +78,8 @@ class AuthenticatorValidateStageTests(FlowTestCase):
        conf_stage = AuthenticatorStaticStage.objects.create(
            name=generate_id(),
        )
-        conf_stage2 = AuthenticatorStaticStage.objects.create(
+        conf_stage2 = AuthenticatorTOTPStage.objects.create(
-            name=generate_id(),
+            name=generate_id(), digits=TOTPDigits.SIX
        )
        stage = AuthenticatorValidateStage.objects.create(
            name=generate_id(),
@ -153,10 +155,14 @@ class AuthenticatorValidateStageTests(FlowTestCase):
            {
                "device_class": "static",
                "device_uid": "1",
                "challenge": {},
                "last_used": now(),
            },
            {
                "device_class": "totp",
                "device_uid": "2",
                "challenge": {},
                "last_used": now(),
            },
        ]
        session[SESSION_KEY_PLAN] = plan
--- a/authentik/stages/captcha/api.py
+++ b/authentik/stages/captcha/api.py
@ -17,6 +17,7 @@ class CaptchaStageSerializer(StageSerializer):
            "private_key",
            "js_url",
            "api_url",
            "interactive",
            "score_min_threshold",
            "score_max_threshold",
            "error_on_invalid_score",
--- a/authentik/stages/captcha/migrations/0004_captchastage_interactive.py
+++ b/authentik/stages/captcha/migrations/0004_captchastage_interactive.py
@ -0,0 +1,18 @@
 # Generated by Django 5.0.9 on 2024-10-30 14:28
 from django.db import migrations, models
 class Migration(migrations.Migration):
    dependencies = [
        ("authentik_stages_captcha", "0003_captchastage_error_on_invalid_score_and_more"),
    ]
    operations = [
        migrations.AddField(
            model_name="captchastage",
            name="interactive",
            field=models.BooleanField(default=False),
        ),
    ]
--- a/authentik/stages/captcha/models.py
+++ b/authentik/stages/captcha/models.py
@ -9,11 +9,13 @@ from authentik.flows.models import Stage
 class CaptchaStage(Stage):
-    """Verify the user is human using Google's reCaptcha."""
+    """Verify the user is human using Google's reCaptcha/other compatible CAPTCHA solutions."""
    public_key = models.TextField(help_text=_("Public key, acquired your captcha Provider."))
    private_key = models.TextField(help_text=_("Private key, acquired your captcha Provider."))
    interactive = models.BooleanField(default=False)
    score_min_threshold = models.FloatField(default=0.5)  # Default values for reCaptcha
    score_max_threshold = models.FloatField(default=1.0)  # Default values for reCaptcha
--- a/authentik/stages/captcha/stage.py
+++ b/authentik/stages/captcha/stage.py
@ -3,7 +3,7 @@
 from django.http.response import HttpResponse
 from django.utils.translation import gettext as _
 from requests import RequestException
-from rest_framework.fields import CharField
+from rest_framework.fields import BooleanField, CharField
 from rest_framework.serializers import ValidationError
 from structlog.stdlib import get_logger
@ -24,10 +24,12 @@ PLAN_CONTEXT_CAPTCHA = "captcha"
 class CaptchaChallenge(WithUserInfoChallenge):
    """Site public key"""
    site_key = CharField()
    js_url = CharField()
    component = CharField(default="ak-stage-captcha")
    site_key = CharField(required=True)
    js_url = CharField(required=True)
    interactive = BooleanField(required=True)
 def verify_captcha_token(stage: CaptchaStage, token: str, remote_ip: str):
    """Validate captcha token"""
@ -103,6 +105,7 @@ class CaptchaStageView(ChallengeStageView):
            data={
                "js_url": self.executor.current_stage.js_url,
                "site_key": self.executor.current_stage.public_key,
                "interactive": self.executor.current_stage.interactive,
            }
        )
--- a/authentik/stages/identification/stage.py
+++ b/authentik/stages/identification/stage.py
@ -26,6 +26,7 @@ from authentik.flows.models import FlowDesignation
 from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER
 from authentik.flows.stage import PLAN_CONTEXT_PENDING_USER_IDENTIFIER, ChallengeStageView
 from authentik.flows.views.executor import SESSION_KEY_APPLICATION_PRE, SESSION_KEY_GET
 from authentik.lib.avatars import DEFAULT_AVATAR
 from authentik.lib.utils.reflection import all_subclasses
 from authentik.lib.utils.urls import reverse_with_qs
 from authentik.root.middleware import ClientIPMiddleware
@ -76,7 +77,7 @@ class IdentificationChallenge(Challenge):
    allow_show_password = BooleanField(default=False)
    application_pre = CharField(required=False)
    flow_designation = ChoiceField(FlowDesignation.choices)
-    captcha_stage = CaptchaChallenge(required=False)
+    captcha_stage = CaptchaChallenge(required=False, allow_null=True)
    enroll_url = CharField(required=False)
    recovery_url = CharField(required=False)
@ -223,6 +224,9 @@ class IdentificationStageView(ChallengeStageView):
                    {
                        "js_url": current_stage.captcha_stage.js_url,
                        "site_key": current_stage.captcha_stage.public_key,
                        "interactive": current_stage.captcha_stage.interactive,
                        "pending_user": "",
                        "pending_user_avatar": DEFAULT_AVATAR,
                    }
                    if current_stage.captcha_stage
                    else None
--- a/authentik/stages/password/stage.py
+++ b/authentik/stages/password/stage.py
@ -21,7 +21,7 @@ from authentik.flows.challenge import (
    WithUserInfoChallenge,
 )
 from authentik.flows.exceptions import StageInvalidException
-from authentik.flows.models import Flow, FlowDesignation, Stage
+from authentik.flows.models import Flow, Stage
 from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER
 from authentik.flows.stage import ChallengeStageView
 from authentik.lib.utils.reflection import path_to_class
@ -141,11 +141,11 @@ class PasswordStageView(ChallengeStageView):
                "allow_show_password": self.executor.current_stage.allow_show_password,
            }
        )
-        recovery_flow = Flow.objects.filter(designation=FlowDesignation.RECOVERY)
+        recovery_flow: Flow | None = self.request.brand.flow_recovery
-        if recovery_flow.exists():
+        if recovery_flow:
            recover_url = reverse(
                "authentik_core:if-flow",
-                kwargs={"flow_slug": recovery_flow.first().slug},
+                kwargs={"flow_slug": recovery_flow.slug},
            )
            challenge.initial_data["recovery_url"] = self.request.build_absolute_uri(recover_url)
        return challenge
--- a/authentik/stages/password/tests.py
+++ b/authentik/stages/password/tests.py
@ -5,7 +5,7 @@ from unittest.mock import MagicMock, patch
 from django.core.exceptions import PermissionDenied
 from django.urls import reverse
-from authentik.core.tests.utils import create_test_admin_user, create_test_flow
+from authentik.core.tests.utils import create_test_admin_user, create_test_brand, create_test_flow
 from authentik.flows.markers import StageMarker
 from authentik.flows.models import FlowDesignation, FlowStageBinding
 from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlan
@ -57,6 +57,9 @@ class TestPasswordStage(FlowTestCase):
    def test_recovery_flow_link(self):
        """Test link to the default recovery flow"""
        flow = create_test_flow(designation=FlowDesignation.RECOVERY)
        brand = create_test_brand()
        brand.flow_recovery = flow
        brand.save()
        plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
        session = self.client.session
--- a/blueprints/default/flow-oobe.yaml
+++ b/blueprints/default/flow-oobe.yaml
@ -101,7 +101,6 @@ entries:
    - !KeyOf prompt-field-email
    - !KeyOf prompt-field-password
    - !KeyOf prompt-field-password-repeat
    validation_policies: []
  id: stage-default-oobe-password
  identifiers:
    name: stage-default-oobe-password
--- a/blueprints/default/flow-password-change.yaml
+++ b/blueprints/default/flow-password-change.yaml
@ -2,6 +2,17 @@ version: 1
 metadata:
  name: Default - Password change flow
 entries:
 - attrs:
    check_static_rules: true
    check_zxcvbn: true
    length_min: 8
    password_field: password
    zxcvbn_score_threshold: 2
    error_message: Password needs to be 8 characters or longer.
  identifiers:
    name: default-password-change-password-policy
  model: authentik_policies_password.passwordpolicy
  id: default-password-change-password-policy
 - attrs:
    designation: stage_configuration
    name: Change Password
@ -39,6 +50,8 @@ entries:
    fields:
    - !KeyOf prompt-field-password
    - !KeyOf prompt-field-password-repeat
    validation_policies:
    - !KeyOf default-password-change-password-policy
  identifiers:
    name: default-password-change-prompt
  id: default-password-change-prompt
--- a/blueprints/schema.json
+++ b/blueprints/schema.json
@ -2,7 +2,7 @@
    "$schema": "http://json-schema.org/draft-07/schema",
    "$id": "https://goauthentik.io/blueprints/schema.json",
    "type": "object",
-    "title": "authentik 2024.8.3 Blueprint schema",
+    "title": "authentik 2024.10.5 Blueprint schema",
    "required": [
        "version",
        "entries"
@ -5570,9 +5570,30 @@
                    "description": "Key used to encrypt the tokens. When set, tokens will be encrypted and returned as JWEs."
                },
                "redirect_uris": {
-                    "type": "string",
+                    "type": "array",
-                    "title": "Redirect URIs",
+                    "items": {
-                    "description": "Enter each URI on a new line."
+                        "type": "object",
                        "properties": {
                            "matching_mode": {
                                "type": "string",
                                "enum": [
                                    "strict",
                                    "regex"
                                ],
                                "title": "Matching mode"
                            },
                            "url": {
                                "type": "string",
                                "minLength": 1,
                                "title": "Url"
                            }
                        },
                        "required": [
                            "matching_mode",
                            "url"
                        ]
                    },
                    "title": "Redirect uris"
                },
                "sub_mode": {
                    "type": "string",
@ -6974,7 +6995,7 @@
                "spnego_server_name": {
                    "type": "string",
                    "title": "Spnego server name",
-                    "description": "Force the use of a specific server name for SPNEGO"
+                    "description": "Force the use of a specific server name for SPNEGO. Must be in the form HTTP@hostname"
                },
                "spnego_keytab": {
                    "type": "string",
@ -9781,6 +9802,10 @@
                    "minLength": 1,
                    "title": "Api url"
                },
                "interactive": {
                    "type": "boolean",
                    "title": "Interactive"
                },
                "score_min_threshold": {
                    "type": "number",
                    "title": "Score min threshold"
@ -13383,12 +13408,6 @@
                    "title": "Authorization flow",
                    "description": "Flow used when authorizing this provider."
                },
                "invalidation_flow": {
                    "type": "string",
                    "format": "uuid",
                    "title": "Invalidation flow",
                    "description": "Flow used ending the session from a provider."
                },
                "property_mappings": {
                    "type": "array",
                    "items": {
--- a/blueprints/system/sources-kerberos.yaml
+++ b/blueprints/system/sources-kerberos.yaml
@ -38,7 +38,7 @@ entries:
      name: "authentik default Kerberos User Mapping: Ignore system principals"
      expression: |
        localpart, realm = principal.rsplit("@", 1)
-        denied_prefixes = ["kadmin/", "krbtgt/", "K/M", "WELLKNOWN/"]
+        denied_prefixes = ["kadmin/", "krbtgt/", "K/M", "WELLKNOWN/", "kiprop/", "changepw/"]
        for prefix in denied_prefixes:
            if localpart.lower().startswith(prefix.lower()):
                raise SkipObject
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -31,7 +31,7 @@ services:
    volumes:
      - redis:/data
  server:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.8.3}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.10.5}
    restart: unless-stopped
    command: server
    environment:
@ -52,7 +52,7 @@ services:
      - postgresql
      - redis
  worker:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.8.3}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.10.5}
    restart: unless-stopped
    command: worker
    environment:
--- a/internal/constants/constants.go
+++ b/internal/constants/constants.go
@ -29,4 +29,4 @@ func UserAgent() string {
 	return fmt.Sprintf("authentik@%s", FullVersion())
 }
-const VERSION = "2024.8.3"
+const VERSION = "2024.10.5"
--- a/internal/outpost/ldap/ldap.go
+++ b/internal/outpost/ldap/ldap.go
@ -65,7 +65,7 @@ func (ls *LDAPServer) StartLDAPServer() error {
 		ls.log.WithField("listen", listen).WithError(err).Warning("Failed to listen (SSL)")
 		return err
 	}
-	proxyListener := &proxyproto.Listener{Listener: ln}
+	proxyListener := &proxyproto.Listener{Listener: ln, ConnPolicy: utils.GetProxyConnectionPolicy()}
 	defer proxyListener.Close()
 	ls.log.WithField("listen", listen).Info("Starting LDAP server")
--- a/internal/outpost/ldap/ldap_tls.go
+++ b/internal/outpost/ldap/ldap_tls.go
@ -48,7 +48,7 @@ func (ls *LDAPServer) StartLDAPTLSServer() error {
 		return err
 	}
-	proxyListener := &proxyproto.Listener{Listener: ln}
+	proxyListener := &proxyproto.Listener{Listener: ln, ConnPolicy: utils.GetProxyConnectionPolicy()}
 	defer proxyListener.Close()
 	tln := tls.NewListener(proxyListener, tlsConfig)
--- a/internal/outpost/proxyv2/application/application.go
+++ b/internal/outpost/proxyv2/application/application.go
@ -23,6 +23,7 @@ import (
 	"github.com/prometheus/client_golang/prometheus"
 	log "github.com/sirupsen/logrus"
 	"goauthentik.io/api/v3"
 	"goauthentik.io/internal/config"
 	"goauthentik.io/internal/outpost/ak"
 	"goauthentik.io/internal/outpost/proxyv2/constants"
 	"goauthentik.io/internal/outpost/proxyv2/hs256"
@ -121,6 +122,14 @@ func NewApplication(p api.ProxyOutpostConfig, c *http.Client, server Server, old
 	bs := string(h.Sum([]byte(*p.ClientId)))
 	sessionName := fmt.Sprintf("authentik_proxy_%s", bs[:8])
 	// When HOST_BROWSER is set, use that as Host header for token requests to make the issuer match
 	// otherwise we use the internally configured authentik_host
 	tokenEndpointHost := server.API().Outpost.Config["authentik_host"].(string)
 	if config.Get().AuthentikHostBrowser != "" {
 		tokenEndpointHost = config.Get().AuthentikHostBrowser
 	}
 	publicHTTPClient := web.NewHostInterceptor(c, tokenEndpointHost)
 	a := &Application{
 		Host:                 externalHost.Host,
 		log:                  muxLogger,
@ -131,7 +140,7 @@ func NewApplication(p api.ProxyOutpostConfig, c *http.Client, server Server, old
 		tokenVerifier:        verifier,
 		proxyConfig:          p,
 		httpClient:           c,
-		publicHostHTTPClient: web.NewHostInterceptor(c, server.API().Outpost.Config["authentik_host"].(string)),
+		publicHostHTTPClient: publicHTTPClient,
 		mux:                  mux,
 		errorTemplates:       templates.GetTemplates(),
 		ak:                   server.API(),
--- a/internal/outpost/proxyv2/proxyv2.go
+++ b/internal/outpost/proxyv2/proxyv2.go
@ -129,7 +129,7 @@ func (ps *ProxyServer) ServeHTTP() {
 		ps.log.WithField("listen", listenAddress).WithError(err).Warning("Failed to listen")
 		return
 	}
-	proxyListener := &proxyproto.Listener{Listener: listener}
+	proxyListener := &proxyproto.Listener{Listener: listener, ConnPolicy: utils.GetProxyConnectionPolicy()}
 	defer proxyListener.Close()
 	ps.log.WithField("listen", listenAddress).Info("Starting HTTP server")
@ -148,7 +148,7 @@ func (ps *ProxyServer) ServeHTTPS() {
 		ps.log.WithError(err).Warning("Failed to listen (TLS)")
 		return
 	}
-	proxyListener := &proxyproto.Listener{Listener: web.TCPKeepAliveListener{TCPListener: ln.(*net.TCPListener)}}
+	proxyListener := &proxyproto.Listener{Listener: web.TCPKeepAliveListener{TCPListener: ln.(*net.TCPListener)}, ConnPolicy: utils.GetProxyConnectionPolicy()}
 	defer proxyListener.Close()
 	tlsListener := tls.NewListener(proxyListener, tlsConfig)
--- a/internal/utils/proxy.go
+++ b/internal/utils/proxy.go
@ -0,0 +1,34 @@
 package utils
 import (
 	"net"
 	"github.com/pires/go-proxyproto"
 	log "github.com/sirupsen/logrus"
 	"goauthentik.io/internal/config"
 )
 func GetProxyConnectionPolicy() proxyproto.ConnPolicyFunc {
 	nets := []*net.IPNet{}
 	for _, rn := range config.Get().Listen.TrustedProxyCIDRs {
 		_, cidr, err := net.ParseCIDR(rn)
 		if err != nil {
 			continue
 		}
 		nets = append(nets, cidr)
 	}
 	return func(connPolicyOptions proxyproto.ConnPolicyOptions) (proxyproto.Policy, error) {
 		host, _, err := net.SplitHostPort(connPolicyOptions.Upstream.String())
 		if err == nil {
 			// remoteAddr will be nil if the IP cannot be parsed
 			remoteAddr := net.ParseIP(host)
 			for _, allowedCidr := range nets {
 				if remoteAddr != nil && allowedCidr.Contains(remoteAddr) {
 					log.WithField("remoteAddr", remoteAddr).WithField("cidr", allowedCidr.String()).Trace("Using remote IP from proxy protocol")
 					return proxyproto.USE, nil
 				}
 			}
 		}
 		return proxyproto.SKIP, nil
 	}
 }
--- a/internal/utils/web/http_host_interceptor.go
+++ b/internal/utils/web/http_host_interceptor.go
@ -14,8 +14,10 @@ type hostInterceptor struct {
 }
 func (t hostInterceptor) RoundTrip(r *http.Request) (*http.Response, error) {
-	r.Host = t.host
+	if r.Host != t.host {
-	r.Header.Set("X-Forwarded-Proto", t.scheme)
+		r.Host = t.host
 		r.Header.Set("X-Forwarded-Proto", t.scheme)
 	}
 	return t.inner.RoundTrip(r)
 }
--- a/internal/web/metrics.go
+++ b/internal/web/metrics.go
@ -1,11 +1,15 @@
 package web
 import (
 	"encoding/base64"
 	"fmt"
 	"io"
 	"net/http"
 	"os"
 	"path"
 	"github.com/gorilla/mux"
 	"github.com/gorilla/securecookie"
 	"github.com/prometheus/client_golang/prometheus"
 	"github.com/prometheus/client_golang/prometheus/promauto"
 	"github.com/prometheus/client_golang/prometheus/promhttp"
@ -14,14 +18,25 @@ import (
 	"goauthentik.io/internal/utils/sentry"
 )
 const MetricsKeyFile = "authentik-core-metrics.key"
 var Requests = promauto.NewHistogramVec(prometheus.HistogramOpts{
 	Name: "authentik_main_request_duration_seconds",
 	Help: "API request latencies in seconds",
 }, []string{"dest"})
 func (ws *WebServer) runMetricsServer() {
 	m := mux.NewRouter()
 	l := log.WithField("logger", "authentik.router.metrics")
 	tmp := os.TempDir()
 	key := base64.StdEncoding.EncodeToString(securecookie.GenerateRandomKey(64))
 	keyPath := path.Join(tmp, MetricsKeyFile)
 	err := os.WriteFile(keyPath, []byte(key), 0o600)
 	if err != nil {
 		l.WithError(err).Warning("failed to save metrics key")
 		return
 	}
 	m := mux.NewRouter()
 	m.Use(sentry.SentryNoSampleMiddleware)
 	m.Path("/metrics").HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
 		promhttp.InstrumentMetricHandler(
@ -36,7 +51,7 @@ func (ws *WebServer) runMetricsServer() {
 			l.WithError(err).Warning("failed to get upstream metrics")
 			return
 		}
-		re.SetBasicAuth("monitor", config.Get().SecretKey)
+		re.Header.Set("Authorization", fmt.Sprintf("Bearer %s", key))
 		res, err := ws.upstreamHttpClient().Do(re)
 		if err != nil {
 			l.WithError(err).Warning("failed to get upstream metrics")
@ -49,9 +64,13 @@ func (ws *WebServer) runMetricsServer() {
 		}
 	})
 	l.WithField("listen", config.Get().Listen.Metrics).Info("Starting Metrics server")
-	err := http.ListenAndServe(config.Get().Listen.Metrics, m)
+	err = http.ListenAndServe(config.Get().Listen.Metrics, m)
 	if err != nil {
 		l.WithError(err).Warning("Failed to start metrics server")
 	}
 	l.WithField("listen", config.Get().Listen.Metrics).Info("Stopping Metrics server")
 	err = os.Remove(keyPath)
 	if err != nil {
 		l.WithError(err).Warning("failed to remove metrics key file")
 	}
 }
--- a/internal/web/static.go
+++ b/internal/web/static.go
@ -42,8 +42,11 @@ func (ws *WebServer) configureStatic() {
 	// Media files, if backend is file
 	if config.Get().Storage.Media.Backend == "file" {
-		fsMedia := http.FileServer(http.Dir(config.Get().Storage.Media.File.Path))
+		fsMedia := http.StripPrefix("/media", http.FileServer(http.Dir(config.Get().Storage.Media.File.Path)))
-		staticRouter.PathPrefix("/media/").Handler(http.StripPrefix("/media", fsMedia))
+		staticRouter.PathPrefix("/media/").HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		    w.Header().Set("Content-Security-Policy", "default-src 'none'; style-src 'unsafe-inline'; sandbox")
 		    fsMedia.ServeHTTP(w, r)
 		})
 	}
 	staticRouter.PathPrefix("/if/help/").Handler(http.StripPrefix("/if/help/", http.FileServer(http.Dir("./website/help/"))))
--- a/internal/web/web.go
+++ b/internal/web/web.go
@ -19,6 +19,7 @@ import (
 	"goauthentik.io/internal/config"
 	"goauthentik.io/internal/gounicorn"
 	"goauthentik.io/internal/outpost/proxyv2"
 	"goauthentik.io/internal/utils"
 	"goauthentik.io/internal/utils/web"
 	"goauthentik.io/internal/web/brand_tls"
 )
@ -52,7 +53,7 @@ func NewWebServer() *WebServer {
 	loggingHandler.Use(web.NewLoggingHandler(l, nil))
 	tmp := os.TempDir()
-	socketPath := path.Join(tmp, "authentik-core.sock")
+	socketPath := path.Join(tmp, UnixSocketName)
 	// create http client to talk to backend, normal client if we're in debug more
 	// and a client that connects to our socket when in non debug mode
@ -149,7 +150,7 @@ func (ws *WebServer) listenPlain() {
 		ws.log.WithError(err).Warning("failed to listen")
 		return
 	}
-	proxyListener := &proxyproto.Listener{Listener: ln}
+	proxyListener := &proxyproto.Listener{Listener: ln, ConnPolicy: utils.GetProxyConnectionPolicy()}
 	defer proxyListener.Close()
 	ws.log.WithField("listen", config.Get().Listen.HTTP).Info("Starting HTTP server")
--- a/internal/web/web_tls.go
+++ b/internal/web/web_tls.go
@ -45,7 +45,7 @@ func (ws *WebServer) listenTLS() {
 		ws.log.WithError(err).Warning("failed to listen (TLS)")
 		return
 	}
-	proxyListener := &proxyproto.Listener{Listener: web.TCPKeepAliveListener{TCPListener: ln.(*net.TCPListener)}}
+	proxyListener := &proxyproto.Listener{Listener: web.TCPKeepAliveListener{TCPListener: ln.(*net.TCPListener)}, ConnPolicy: utils.GetProxyConnectionPolicy()}
 	defer proxyListener.Close()
 	tlsListener := tls.NewListener(proxyListener, tlsConfig)
--- a/lifecycle/ak
+++ b/lifecycle/ak
@ -54,7 +54,9 @@ function cleanup {
 }
 function prepare_debug {
-    apt-get install -y --no-install-recommends krb5-kdc krb5-user krb5-admin-server
+    export DEBIAN_FRONTEND=noninteractive
    apt-get update
    apt-get install -y --no-install-recommends krb5-kdc krb5-user krb5-admin-server libkrb5-dev gcc
    VIRTUAL_ENV=/ak-root/venv poetry install --no-ansi --no-interaction
    touch /unittest.xml
    chown authentik:authentik /unittest.xml
--- a/package.json
+++ b/package.json
@ -1,5 +1,5 @@
 {
    "name": "@goauthentik/authentik",
-    "version": "2024.8.3",
+    "version": "2024.10.5",
    "private": true
 }
--- a/poetry.lock
+++ b/poetry.lock
@ -1,4 +1,4 @@
-# This file is automatically @generated by Poetry 1.8.3 and should not be changed by hand.
+# This file is automatically @generated by Poetry 1.8.5 and should not be changed by hand.
 [[package]]
 name = "aiohappyeyeballs"
@ -4549,19 +4549,19 @@ test = ["pytest"]
 [[package]]
 name = "setuptools"
-version = "72.1.0"
+version = "69.1.1"
 description = "Easily download, build, install, upgrade, and uninstall Python packages"
 optional = false
 python-versions = ">=3.8"
 files = [
-    {file = "setuptools-72.1.0-py3-none-any.whl", hash = "sha256:5a03e1860cf56bb6ef48ce186b0e557fdba433237481a9a625176c2831be15d1"},
+    {file = "setuptools-69.1.1-py3-none-any.whl", hash = "sha256:02fa291a0471b3a18b2b2481ed902af520c69e8ae0919c13da936542754b4c56"},
-    {file = "setuptools-72.1.0.tar.gz", hash = "sha256:8d243eff56d095e5817f796ede6ae32941278f542e0f941867cc05ae52b162ec"},
+    {file = "setuptools-69.1.1.tar.gz", hash = "sha256:5c0806c7d9af348e6dd3777b4f4dbb42c7ad85b190104837488eab9a7c945cf8"},
 ]
 [package.extras]
-core = ["importlib-metadata (>=6)", "importlib-resources (>=5.10.2)", "jaraco.text (>=3.7)", "more-itertools (>=8.8)", "ordered-set (>=3.1.1)", "packaging (>=24)", "platformdirs (>=2.6.2)", "tomli (>=2.0.1)", "wheel (>=0.43.0)"]
+docs = ["furo", "jaraco.packaging (>=9.3)", "jaraco.tidelift (>=1.4)", "pygments-github-lexers (==0.0.5)", "rst.linker (>=1.9)", "sphinx (<7.2.5)", "sphinx (>=3.5)", "sphinx-favicon", "sphinx-inline-tabs", "sphinx-lint", "sphinx-notfound-page (>=1,<2)", "sphinx-reredirects", "sphinxcontrib-towncrier"]
-doc = ["furo", "jaraco.packaging (>=9.3)", "jaraco.tidelift (>=1.4)", "pygments-github-lexers (==0.0.5)", "pyproject-hooks (!=1.1)", "rst.linker (>=1.9)", "sphinx (>=3.5)", "sphinx-favicon", "sphinx-inline-tabs", "sphinx-lint", "sphinx-notfound-page (>=1,<2)", "sphinx-reredirects", "sphinxcontrib-towncrier"]
+testing = ["build[virtualenv]", "filelock (>=3.4.0)", "flake8-2020", "ini2toml[lite] (>=0.9)", "jaraco.develop (>=7.21)", "jaraco.envs (>=2.2)", "jaraco.path (>=3.2.0)", "packaging (>=23.2)", "pip (>=19.1)", "pytest (>=6)", "pytest-checkdocs (>=2.4)", "pytest-cov", "pytest-enabler (>=2.2)", "pytest-home (>=0.5)", "pytest-mypy (>=0.9.1)", "pytest-perf", "pytest-ruff (>=0.2.1)", "pytest-timeout", "pytest-xdist", "tomli-w (>=1.0.0)", "virtualenv (>=13.0.0)", "wheel"]
-test = ["build[virtualenv] (>=1.0.3)", "filelock (>=3.4.0)", "importlib-metadata", "ini2toml[lite] (>=0.14)", "jaraco.develop (>=7.21)", "jaraco.envs (>=2.2)", "jaraco.path (>=3.2.0)", "jaraco.test", "mypy (==1.11.*)", "packaging (>=23.2)", "pip (>=19.1)", "pyproject-hooks (!=1.1)", "pytest (>=6,!=8.1.*)", "pytest-checkdocs (>=2.4)", "pytest-cov", "pytest-enabler (>=2.2)", "pytest-home (>=0.5)", "pytest-mypy", "pytest-perf", "pytest-ruff (<0.4)", "pytest-ruff (>=0.2.1)", "pytest-ruff (>=0.3.2)", "pytest-subprocess", "pytest-timeout", "pytest-xdist (>=3)", "tomli", "tomli-w (>=1.0.0)", "virtualenv (>=13.0.0)", "wheel"]
+testing-integration = ["build[virtualenv] (>=1.0.3)", "filelock (>=3.4.0)", "jaraco.envs (>=2.2)", "jaraco.path (>=3.2.0)", "packaging (>=23.2)", "pytest", "pytest-enabler", "pytest-xdist", "tomli", "virtualenv (>=13.0.0)", "wheel"]
 [[package]]
 name = "six"
@ -5565,4 +5565,4 @@ files = [
 [metadata]
 lock-version = "2.0"
 python-versions = "~3.12"
-content-hash = "10aa88f2f0e56cddd91adba8c39c52de92763429fb615a27c3dc218952cff808"
+content-hash = "32f3901cb944de57ed5cb11dde3a2010de845b04adf557b7e3a701581e260613"
--- a/pyproject.toml
+++ b/pyproject.toml
@ -1,6 +1,6 @@
 [tool.poetry]
 name = "authentik"
-version = "2024.8.3"
+version = "2024.10.5"
 description = ""
 authors = ["authentik Team <hello@goauthentik.io>"]
@ -139,6 +139,7 @@ scim2-filter-parser = "*"
 sentry-sdk = "*"
 service_identity = "*"
 setproctitle = "*"
 setuptools = "~69.1"
 structlog = "*"
 swagger-spec-validator = "*"
 tenant-schemas-celery = "*"
--- a/schema.yml
+++ b/schema.yml
@ -1,7 +1,7 @@
 openapi: 3.0.3
 info:
  title: authentik
-  version: 2024.8.3
+  version: 2024.10.5
  description: Making authentication simple.
  contact:
    email: hello@goauthentik.io
@ -20218,10 +20218,6 @@ paths:
            format: uuid
        explode: true
        style: form
      - in: query
        name: redirect_uris
        schema:
          type: string
      - in: query
        name: refresh_token_validity
        schema:
@ -20637,10 +20633,6 @@ paths:
            format: uuid
        explode: true
        style: form
      - in: query
        name: redirect_uris__iexact
        schema:
          type: string
      - name: search
        required: false
        in: query
@ -39220,7 +39212,10 @@ components:
          type: string
        js_url:
          type: string
        interactive:
          type: boolean
      required:
      - interactive
      - js_url
      - pending_user
      - pending_user_avatar
@ -39276,6 +39271,8 @@ components:
          type: string
        api_url:
          type: string
        interactive:
          type: boolean
        score_min_threshold:
          type: number
          format: double
@ -39322,6 +39319,8 @@ components:
        api_url:
          type: string
          minLength: 1
        interactive:
          type: boolean
        score_min_threshold:
          type: number
          format: double
@ -42975,7 +42974,8 @@ components:
          readOnly: true
        spnego_server_name:
          type: string
-          description: Force the use of a specific server name for SPNEGO
+          description: Force the use of a specific server name for SPNEGO. Must be
            in the form HTTP@hostname
        spnego_ccache:
          type: string
          description: Credential cache to use for SPNEGO in form type:residual
@ -43144,7 +43144,8 @@ components:
            be in the form TYPE:residual
        spnego_server_name:
          type: string
-          description: Force the use of a specific server name for SPNEGO
+          description: Force the use of a specific server name for SPNEGO. Must be
            in the form HTTP@hostname
        spnego_keytab:
          type: string
          writeOnly: true
@ -44051,6 +44052,11 @@ components:
      required:
      - challenge
      - name
    MatchingModeEnum:
      enum:
      - strict
      - regex
      type: string
    Metadata:
      type: object
      description: Serializer for blueprint metadata
@ -44753,8 +44759,9 @@ components:
          description: Key used to encrypt the tokens. When set, tokens will be encrypted
            and returned as JWEs.
        redirect_uris:
-          type: string
+          type: array
-          description: Enter each URI on a new line.
+          items:
            $ref: '#/components/schemas/RedirectURI'
        sub_mode:
          allOf:
          - $ref: '#/components/schemas/SubModeEnum'
@ -44783,6 +44790,7 @@ components:
      - meta_model_name
      - name
      - pk
      - redirect_uris
      - verbose_name
      - verbose_name_plural
    OAuth2ProviderRequest:
@ -44854,8 +44862,9 @@ components:
          description: Key used to encrypt the tokens. When set, tokens will be encrypted
            and returned as JWEs.
        redirect_uris:
-          type: string
+          type: array
-          description: Enter each URI on a new line.
+          items:
            $ref: '#/components/schemas/RedirectURIRequest'
        sub_mode:
          allOf:
          - $ref: '#/components/schemas/SubModeEnum'
@ -44877,6 +44886,7 @@ components:
      - authorization_flow
      - invalidation_flow
      - name
      - redirect_uris
    OAuth2ProviderSetupURLs:
      type: object
      description: OAuth2 Provider Metadata serializer
@ -44934,7 +44944,8 @@ components:
          minLength: 1
          default: ak-provider-oauth2-device-code
        code:
-          type: integer
+          type: string
          minLength: 1
      required:
      - code
    OAuthDeviceCodeFinishChallenge:
@ -47730,6 +47741,8 @@ components:
        api_url:
          type: string
          minLength: 1
        interactive:
          type: boolean
        score_min_threshold:
          type: number
          format: double
@ -48448,7 +48461,8 @@ components:
            be in the form TYPE:residual
        spnego_server_name:
          type: string
-          description: Force the use of a specific server name for SPNEGO
+          description: Force the use of a specific server name for SPNEGO. Must be
            in the form HTTP@hostname
        spnego_keytab:
          type: string
          writeOnly: true
@ -48871,8 +48885,9 @@ components:
          description: Key used to encrypt the tokens. When set, tokens will be encrypted
            and returned as JWEs.
        redirect_uris:
-          type: string
+          type: array
-          description: Enter each URI on a new line.
+          items:
            $ref: '#/components/schemas/RedirectURIRequest'
        sub_mode:
          allOf:
          - $ref: '#/components/schemas/SubModeEnum'
@ -49461,10 +49476,6 @@ components:
          type: string
          format: uuid
          description: Flow used when authorizing this provider.
        invalidation_flow:
          type: string
          format: uuid
          description: Flow used ending the session from a provider.
        property_mappings:
          type: array
          items:
@ -51469,7 +51480,9 @@ components:
          description: When enabled, this provider will intercept the authorization
            header and authenticate requests based on its value.
        redirect_uris:
-          type: string
+          type: array
          items:
            $ref: '#/components/schemas/RedirectURI'
          readOnly: true
        cookie_domain:
          type: string
@ -51696,10 +51709,6 @@ components:
          type: string
          format: uuid
          description: Flow used when authorizing this provider.
        invalidation_flow:
          type: string
          format: uuid
          description: Flow used ending the session from a provider.
        property_mappings:
          type: array
          items:
@ -51757,7 +51766,6 @@ components:
      - assigned_backchannel_application_slug
      - authorization_flow
      - component
      - invalidation_flow
      - meta_model_name
      - name
      - outpost_set
@ -51781,10 +51789,6 @@ components:
          type: string
          format: uuid
          description: Flow used when authorizing this provider.
        invalidation_flow:
          type: string
          format: uuid
          description: Flow used ending the session from a provider.
        property_mappings:
          type: array
          items:
@ -51801,7 +51805,6 @@ components:
          description: When set to true, connection tokens will be deleted upon disconnect.
      required:
      - authorization_flow
      - invalidation_flow
      - name
    RadiusCheckAccess:
      type: object
@ -52075,6 +52078,29 @@ components:
          type: string
      required:
      - to
    RedirectURI:
      type: object
      description: A single allowed redirect URI entry
      properties:
        matching_mode:
          $ref: '#/components/schemas/MatchingModeEnum'
        url:
          type: string
      required:
      - matching_mode
      - url
    RedirectURIRequest:
      type: object
      description: A single allowed redirect URI entry
      properties:
        matching_mode:
          $ref: '#/components/schemas/MatchingModeEnum'
        url:
          type: string
          minLength: 1
      required:
      - matching_mode
      - url
    Reputation:
      type: object
      description: Reputation Serializer
--- a/tests/e2e/test_provider_oauth2_github.py
+++ b/tests/e2e/test_provider_oauth2_github.py
@ -12,7 +12,12 @@ from authentik.flows.models import Flow
 from authentik.lib.generators import generate_id, generate_key
 from authentik.policies.expression.models import ExpressionPolicy
 from authentik.policies.models import PolicyBinding
-from authentik.providers.oauth2.models import ClientTypes, OAuth2Provider
+from authentik.providers.oauth2.models import (
    ClientTypes,
    OAuth2Provider,
    RedirectURI,
    RedirectURIMatchingMode,
 )
 from tests.e2e.utils import SeleniumTestCase, retry
@ -73,7 +78,9 @@ class TestProviderOAuth2Github(SeleniumTestCase):
            client_id=self.client_id,
            client_secret=self.client_secret,
            client_type=ClientTypes.CONFIDENTIAL,
-            redirect_uris="http://localhost:3000/login/github",
+            redirect_uris=[
                RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost:3000/login/github")
            ],
            authorization_flow=authorization_flow,
        )
        Application.objects.create(
@ -128,7 +135,9 @@ class TestProviderOAuth2Github(SeleniumTestCase):
            client_id=self.client_id,
            client_secret=self.client_secret,
            client_type=ClientTypes.CONFIDENTIAL,
-            redirect_uris="http://localhost:3000/login/github",
+            redirect_uris=[
                RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost:3000/login/github")
            ],
            authorization_flow=authorization_flow,
        )
        app = Application.objects.create(
@ -199,7 +208,9 @@ class TestProviderOAuth2Github(SeleniumTestCase):
            client_id=self.client_id,
            client_secret=self.client_secret,
            client_type=ClientTypes.CONFIDENTIAL,
-            redirect_uris="http://localhost:3000/login/github",
+            redirect_uris=[
                RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost:3000/login/github")
            ],
            authorization_flow=authorization_flow,
        )
        app = Application.objects.create(
--- a/tests/e2e/test_provider_oauth2_grafana.py
+++ b/tests/e2e/test_provider_oauth2_grafana.py
@ -19,7 +19,13 @@ from authentik.providers.oauth2.constants import (
    SCOPE_OPENID_EMAIL,
    SCOPE_OPENID_PROFILE,
 )
-from authentik.providers.oauth2.models import ClientTypes, OAuth2Provider, ScopeMapping
+from authentik.providers.oauth2.models import (
    ClientTypes,
    OAuth2Provider,
    RedirectURI,
    RedirectURIMatchingMode,
    ScopeMapping,
 )
 from tests.e2e.utils import SeleniumTestCase, retry
@ -82,7 +88,7 @@ class TestProviderOAuth2OAuth(SeleniumTestCase):
            client_id=self.client_id,
            client_secret=self.client_secret,
            signing_key=create_test_cert(),
-            redirect_uris="http://localhost:3000/",
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost:3000/")],
            authorization_flow=authorization_flow,
        )
        provider.property_mappings.set(
@ -131,7 +137,11 @@ class TestProviderOAuth2OAuth(SeleniumTestCase):
            client_id=self.client_id,
            client_secret=self.client_secret,
            signing_key=create_test_cert(),
-            redirect_uris="http://localhost:3000/login/generic_oauth",
+            redirect_uris=[
                RedirectURI(
                    RedirectURIMatchingMode.STRICT, "http://localhost:3000/login/generic_oauth"
                )
            ],
            authorization_flow=authorization_flow,
        )
        provider.property_mappings.set(
@ -200,7 +210,11 @@ class TestProviderOAuth2OAuth(SeleniumTestCase):
            client_id=self.client_id,
            client_secret=self.client_secret,
            signing_key=create_test_cert(),
-            redirect_uris="http://localhost:3000/login/generic_oauth",
+            redirect_uris=[
                RedirectURI(
                    RedirectURIMatchingMode.STRICT, "http://localhost:3000/login/generic_oauth"
                )
            ],
            authorization_flow=authorization_flow,
            invalidation_flow=invalidation_flow,
        )
@ -275,7 +289,11 @@ class TestProviderOAuth2OAuth(SeleniumTestCase):
            client_id=self.client_id,
            client_secret=self.client_secret,
            signing_key=create_test_cert(),
-            redirect_uris="http://localhost:3000/login/generic_oauth",
+            redirect_uris=[
                RedirectURI(
                    RedirectURIMatchingMode.STRICT, "http://localhost:3000/login/generic_oauth"
                )
            ],
        )
        provider.property_mappings.set(
            ScopeMapping.objects.filter(
@ -355,7 +373,11 @@ class TestProviderOAuth2OAuth(SeleniumTestCase):
            client_id=self.client_id,
            client_secret=self.client_secret,
            signing_key=create_test_cert(),
-            redirect_uris="http://localhost:3000/login/generic_oauth",
+            redirect_uris=[
                RedirectURI(
                    RedirectURIMatchingMode.STRICT, "http://localhost:3000/login/generic_oauth"
                )
            ],
        )
        provider.property_mappings.set(
            ScopeMapping.objects.filter(
--- a/Show More
+++ b/Show More