release: 2024.6.5

security: fix CVE-2024-47070 (cherry-pick #11536 ) (#11540 )
security: fix CVE-2024-47070 (#11536) * security: fix CVE-2024-47070 * Update website/docs/security/CVE-2024-47070.md --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io> Signed-off-by: Jens L. <jens@beryju.org> Co-authored-by: Jens L. <jens@goauthentik.io> Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>
2024-09-27 16:21:30 +02:00 · 2024-09-27 16:20:38 +02:00 · 2024-09-27 16:19:15 +02:00 · 2024-08-22 17:19:24 +02:00 · 2024-08-22 17:18:58 +02:00 · 2024-08-08 14:23:44 +02:00
131 changed files with 8214 additions and 4692 deletions
--- a/.bumpversion.cfg
+++ b/.bumpversion.cfg
@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2024.6.0
+current_version = 2024.6.5
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?:-(?P<rc_t>[a-zA-Z-]+)(?P<rc_n>[1-9]\\d*))?
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -21,7 +21,10 @@ updates:
    labels:
      - dependencies
  - package-ecosystem: npm
-    directory: "/web"
+    directories:
      - "/web"
      - "/tests/wdio"
      - "/web/sfe"
    schedule:
      interval: daily
      time: "04:00"
@ -30,7 +33,6 @@ updates:
    open-pull-requests-limit: 10
    commit-message:
      prefix: "web:"
    # TODO: deduplicate these groups
    groups:
      sentry:
        patterns:
@ -56,38 +58,6 @@ updates:
        patterns:
          - "@rollup/*"
          - "rollup-*"
  - package-ecosystem: npm
    directory: "/tests/wdio"
    schedule:
      interval: daily
      time: "04:00"
    labels:
      - dependencies
    open-pull-requests-limit: 10
    commit-message:
      prefix: "web:"
    # TODO: deduplicate these groups
    groups:
      sentry:
        patterns:
          - "@sentry/*"
          - "@spotlightjs/*"
      babel:
        patterns:
          - "@babel/*"
          - "babel-*"
      eslint:
        patterns:
          - "@typescript-eslint/*"
          - "eslint"
          - "eslint-*"
      storybook:
        patterns:
          - "@storybook/*"
          - "*storybook*"
      esbuild:
        patterns:
          - "@esbuild/*"
      wdio:
        patterns:
          - "@wdio/*"
--- a/.github/workflows/api-ts-publish.yml
+++ b/.github/workflows/api-ts-publish.yml
@ -31,7 +31,12 @@ jobs:
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}
      - name: Upgrade /web
-        working-directory: web/
+        working-directory: web
        run: |
          export VERSION=`node -e 'console.log(require("../gen-ts-api/package.json").version)'`
          npm i @goauthentik/api@$VERSION
      - name: Upgrade /web/sfe
        working-directory: web/sfe
        run: |
          export VERSION=`node -e 'console.log(require("../gen-ts-api/package.json").version)'`
          npm i @goauthentik/api@$VERSION
--- a/.github/workflows/ci-web.yml
+++ b/.github/workflows/ci-web.yml
@ -20,6 +20,16 @@ jobs:
        project:
          - web
          - tests/wdio
        include:
          - command: tsc
            project: web
            extra_setup: |
              cd sfe/ && npm ci
        exclude:
          - command: lint:lockfile
            project: tests/wdio
          - command: tsc
            project: tests/wdio
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
--- a/9
+++ b/9
@ -30,7 +30,12 @@ WORKDIR /work/web
 RUN --mount=type=bind,target=/work/web/package.json,src=./web/package.json \
    --mount=type=bind,target=/work/web/package-lock.json,src=./web/package-lock.json \
    --mount=type=bind,target=/work/web/sfe/package.json,src=./web/sfe/package.json \
    --mount=type=bind,target=/work/web/sfe/package-lock.json,src=./web/sfe/package-lock.json \
    --mount=type=bind,target=/work/web/scripts,src=./web/scripts \
    --mount=type=cache,id=npm-web,sharing=shared,target=/root/.npm \
    npm ci --include=dev && \
    cd sfe && \
    npm ci --include=dev
 COPY ./package.json /work
@ -38,7 +43,9 @@ COPY ./web /work/web/
 COPY ./website /work/website/
 COPY ./gen-ts-api /work/web/node_modules/@goauthentik/api
-RUN npm run build
+RUN npm run build && \
    cd sfe && \
    npm run build
 # Stage 3: Build go proxy
 FROM --platform=${BUILDPLATFORM} mcr.microsoft.com/oss/go/microsoft/golang:1.22-fips-bookworm AS go-builder
--- a/authentik/init.py
+++ b/authentik/init.py
@ -2,7 +2,7 @@
 from os import environ
-__version__ = "2024.6.0"
+__version__ = "2024.6.5"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
--- a/authentik/brands/api.py
+++ b/authentik/brands/api.py
@ -24,7 +24,7 @@ from authentik.tenants.utils import get_current_tenant
 class FooterLinkSerializer(PassiveSerializer):
    """Links returned in Config API"""
-    href = CharField(read_only=True)
+    href = CharField(read_only=True, allow_null=True)
    name = CharField(read_only=True)
--- a/authentik/core/api/used_by.py
+++ b/authentik/core/api/used_by.py
@ -14,6 +14,7 @@ from rest_framework.request import Request
 from rest_framework.response import Response
 from authentik.core.api.utils import PassiveSerializer
 from authentik.rbac.filters import ObjectFilter
 class DeleteAction(Enum):
@ -53,7 +54,7 @@ class UsedByMixin:
    @extend_schema(
        responses={200: UsedBySerializer(many=True)},
    )
-    @action(detail=True, pagination_class=None, filter_backends=[])
+    @action(detail=True, pagination_class=None, filter_backends=[ObjectFilter])
    def used_by(self, request: Request, *args, **kwargs) -> Response:
        """Get a list of all objects that use this object"""
        model: Model = self.get_object()
--- a/authentik/core/migrations/0029_provider_backchannel_applications_and_more.py
+++ b/authentik/core/migrations/0029_provider_backchannel_applications_and_more.py
@ -7,12 +7,13 @@ from django.db.backends.base.schema import BaseDatabaseSchemaEditor
 def backport_is_backchannel(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
    db_alias = schema_editor.connection.alias
    from authentik.providers.ldap.models import LDAPProvider
    from authentik.providers.scim.models import SCIMProvider
    for model in [LDAPProvider, SCIMProvider]:
        try:
-            for obj in model.objects.only("is_backchannel"):
+            for obj in model.objects.using(db_alias).only("is_backchannel"):
                obj.is_backchannel = True
                obj.save()
        except (DatabaseError, InternalError, ProgrammingError):
--- a/authentik/core/sources/flow_manager.py
+++ b/authentik/core/sources/flow_manager.py
@ -212,7 +212,7 @@ class SourceFlowManager:
    def _prepare_flow(
        self,
-        flow: Flow,
+        flow: Flow | None,
        connection: UserSourceConnection,
        stages: list[StageView] | None = None,
        **kwargs,
@ -309,7 +309,9 @@ class SourceFlowManager:
        # When request isn't authenticated we jump straight to auth
        if not self.request.user.is_authenticated:
            return self.handle_auth(connection)
-        # Connection has already been saved
+        if SESSION_KEY_OVERRIDE_FLOW_TOKEN in self.request.session:
            return self._prepare_flow(None, connection)
        connection.save()
        Event.new(
            EventAction.SOURCE_LINKED,
            message="Linked Source",
--- a/authentik/core/templates/base/header_js.html
+++ b/authentik/core/templates/base/header_js.html
@ -10,7 +10,7 @@
        versionSubdomain: "{{ version_subdomain }}",
        build: "{{ build }}",
    };
-    window.addEventListener("DOMContentLoaded", () => {
+    window.addEventListener("DOMContentLoaded", function () {
        {% for message in messages %}
        window.dispatchEvent(
            new CustomEvent("ak-message", {
--- a/authentik/core/templates/base/skeleton.html
+++ b/authentik/core/templates/base/skeleton.html
@ -4,7 +4,7 @@
 <!DOCTYPE html>
-<html lang="en">
+<html>
    <head>
        <meta charset="UTF-8">
        <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
--- a/authentik/core/templates/login/base_full.html
+++ b/authentik/core/templates/login/base_full.html
@ -71,9 +71,9 @@
                </li>
                {% endfor %}
                <li>
-                    <a href="https://goauthentik.io?utm_source=authentik">
+                    <span>
                        {% trans 'Powered by authentik' %}
-                    </a>
+                    </span>
                </li>
            </ul>
        </footer>
--- a/authentik/core/templatetags/authentik_core.py
+++ b/authentik/core/templatetags/authentik_core.py
@ -17,11 +17,5 @@ def versioned_script(path: str) -> str:
            f'<script src="{static_loader(path.replace("%v", get_full_version()))}'
            '" type="module"></script>'
        ),
        # Legacy method of loading scripts used as a fallback, without the version in the filename
        # TODO: Remove after 2024.6 or later
        (
            f'<script src="{static_loader(path.replace("-%v", ""))}?'
            f'version={get_full_version()}" type="module"></script>'
        ),
    ]
    return mark_safe("".join(returned_lines))  # nosec
--- a/authentik/core/urls.py
+++ b/authentik/core/urls.py
@ -20,8 +20,9 @@ from authentik.core.api.transactional_applications import TransactionalApplicati
 from authentik.core.api.users import UserViewSet
 from authentik.core.views import apps
 from authentik.core.views.debug import AccessDeniedView
-from authentik.core.views.interface import FlowInterfaceView, InterfaceView
+from authentik.core.views.interface import InterfaceView
 from authentik.core.views.session import EndSessionView
 from authentik.flows.views.interface import FlowInterfaceView
 from authentik.root.asgi_middleware import SessionMiddleware
 from authentik.root.messages.consumer import MessageConsumer
 from authentik.root.middleware import ChannelsLoggingMiddleware
@ -53,6 +54,8 @@ urlpatterns = [
    ),
    path(
        "if/flow/<slug:flow_slug>/",
        # FIXME: move this url to the flows app...also will cause all
        # of the reverse calls to be adjusted
        ensure_csrf_cookie(FlowInterfaceView.as_view()),
        name="if-flow",
    ),
--- a/authentik/core/views/interface.py
+++ b/authentik/core/views/interface.py
@ -3,7 +3,6 @@
 from json import dumps
 from typing import Any
 from django.shortcuts import get_object_or_404
 from django.views.generic.base import TemplateView
 from rest_framework.request import Request
@ -11,7 +10,6 @@ from authentik import get_build_hash
 from authentik.admin.tasks import LOCAL_VERSION
 from authentik.api.v3.config import ConfigView
 from authentik.brands.api import CurrentBrandSerializer
 from authentik.flows.models import Flow
 class InterfaceView(TemplateView):
@ -25,14 +23,3 @@ class InterfaceView(TemplateView):
        kwargs["build"] = get_build_hash()
        kwargs["url_kwargs"] = self.kwargs
        return super().get_context_data(**kwargs)
 class FlowInterfaceView(InterfaceView):
    """Flow interface"""
    template_name = "if/flow.html"
    def get_context_data(self, **kwargs: Any) -> dict[str, Any]:
        kwargs["flow"] = get_object_or_404(Flow, slug=self.kwargs.get("flow_slug"))
        kwargs["inspector"] = "inspector" in self.request.GET
        return super().get_context_data(**kwargs)
--- a/authentik/crypto/api.py
+++ b/authentik/crypto/api.py
@ -35,6 +35,7 @@ from authentik.crypto.builder import CertificateBuilder, PrivateKeyAlg
 from authentik.crypto.models import CertificateKeyPair
 from authentik.events.models import Event, EventAction
 from authentik.rbac.decorators import permission_required
 from authentik.rbac.filters import ObjectFilter
 LOGGER = get_logger()
@ -265,7 +266,7 @@ class CertificateKeyPairViewSet(UsedByMixin, ModelViewSet):
        ],
        responses={200: CertificateDataSerializer(many=False)},
    )
-    @action(detail=True, pagination_class=None, filter_backends=[])
+    @action(detail=True, pagination_class=None, filter_backends=[ObjectFilter])
    def view_certificate(self, request: Request, pk: str) -> Response:
        """Return certificate-key pairs certificate and log access"""
        certificate: CertificateKeyPair = self.get_object()
@ -295,7 +296,7 @@ class CertificateKeyPairViewSet(UsedByMixin, ModelViewSet):
        ],
        responses={200: CertificateDataSerializer(many=False)},
    )
-    @action(detail=True, pagination_class=None, filter_backends=[])
+    @action(detail=True, pagination_class=None, filter_backends=[ObjectFilter])
    def view_private_key(self, request: Request, pk: str) -> Response:
        """Return certificate-key pairs private key and log access"""
        certificate: CertificateKeyPair = self.get_object()
--- a/authentik/crypto/tests.py
+++ b/authentik/crypto/tests.py
@ -214,6 +214,46 @@ class TestCrypto(APITestCase):
        self.assertEqual(200, response.status_code)
        self.assertIn("Content-Disposition", response)
    def test_certificate_download_denied(self):
        """Test certificate export (download)"""
        self.client.logout()
        keypair = create_test_cert()
        response = self.client.get(
            reverse(
                "authentik_api:certificatekeypair-view-certificate",
                kwargs={"pk": keypair.pk},
            )
        )
        self.assertEqual(403, response.status_code)
        response = self.client.get(
            reverse(
                "authentik_api:certificatekeypair-view-certificate",
                kwargs={"pk": keypair.pk},
            ),
            data={"download": True},
        )
        self.assertEqual(403, response.status_code)
    def test_private_key_download_denied(self):
        """Test private_key export (download)"""
        self.client.logout()
        keypair = create_test_cert()
        response = self.client.get(
            reverse(
                "authentik_api:certificatekeypair-view-private-key",
                kwargs={"pk": keypair.pk},
            )
        )
        self.assertEqual(403, response.status_code)
        response = self.client.get(
            reverse(
                "authentik_api:certificatekeypair-view-private-key",
                kwargs={"pk": keypair.pk},
            ),
            data={"download": True},
        )
        self.assertEqual(403, response.status_code)
    def test_used_by(self):
        """Test used_by endpoint"""
        self.client.force_login(create_test_admin_user())
@ -246,6 +286,26 @@ class TestCrypto(APITestCase):
            ],
        )
    def test_used_by_denied(self):
        """Test used_by endpoint"""
        self.client.logout()
        keypair = create_test_cert()
        OAuth2Provider.objects.create(
            name=generate_id(),
            client_id="test",
            client_secret=generate_key(),
            authorization_flow=create_test_flow(),
            redirect_uris="http://localhost",
            signing_key=keypair,
        )
        response = self.client.get(
            reverse(
                "authentik_api:certificatekeypair-used-by",
                kwargs={"pk": keypair.pk},
            )
        )
        self.assertEqual(403, response.status_code)
    def test_discovery(self):
        """Test certificate discovery"""
        name = generate_id()
--- a/authentik/enterprise/providers/rac/api/connection_tokens.py
+++ b/authentik/enterprise/providers/rac/api/connection_tokens.py
@ -34,6 +34,12 @@ class ConnectionTokenSerializer(EnterpriseRequiredMixin, ModelSerializer):
        ]
 class ConnectionTokenOwnerFilter(OwnerFilter):
    """Owner filter for connection tokens (checks session's user)"""
    owner_key = "session__user"
 class ConnectionTokenViewSet(
    mixins.RetrieveModelMixin,
    mixins.UpdateModelMixin,
@ -50,4 +56,9 @@ class ConnectionTokenViewSet(
    search_fields = ["endpoint__name", "provider__name"]
    ordering = ["endpoint__name", "provider__name"]
    permission_classes = [OwnerSuperuserPermissions]
-    filter_backends = [OwnerFilter, DjangoFilterBackend, OrderingFilter, SearchFilter]
+    filter_backends = [
        ConnectionTokenOwnerFilter,
        DjangoFilterBackend,
        OrderingFilter,
        SearchFilter,
    ]
--- a/authentik/enterprise/providers/rac/urls.py
+++ b/authentik/enterprise/providers/rac/urls.py
@ -5,7 +5,6 @@ from channels.sessions import CookieMiddleware
 from django.urls import path
 from django.views.decorators.csrf import ensure_csrf_cookie
 from authentik.core.channels import TokenOutpostMiddleware
 from authentik.enterprise.providers.rac.api.connection_tokens import ConnectionTokenViewSet
 from authentik.enterprise.providers.rac.api.endpoints import EndpointViewSet
 from authentik.enterprise.providers.rac.api.property_mappings import RACPropertyMappingViewSet
@ -13,6 +12,7 @@ from authentik.enterprise.providers.rac.api.providers import RACProviderViewSet
 from authentik.enterprise.providers.rac.consumer_client import RACClientConsumer
 from authentik.enterprise.providers.rac.consumer_outpost import RACOutpostConsumer
 from authentik.enterprise.providers.rac.views import RACInterface, RACStartView
 from authentik.outposts.channels import TokenOutpostMiddleware
 from authentik.root.asgi_middleware import SessionMiddleware
 from authentik.root.middleware import ChannelsLoggingMiddleware
--- a/authentik/events/middleware.py
+++ b/authentik/events/middleware.py
@ -35,6 +35,7 @@ IGNORED_MODELS = tuple(
 _CTX_OVERWRITE_USER = ContextVar[User | None]("authentik_events_log_overwrite_user", default=None)
 _CTX_IGNORE = ContextVar[bool]("authentik_events_log_ignore", default=False)
 _CTX_REQUEST = ContextVar[HttpRequest | None]("authentik_events_log_request", default=None)
 def should_log_model(model: Model) -> bool:
@ -149,11 +150,13 @@ class AuditMiddleware:
        m2m_changed.disconnect(dispatch_uid=request.request_id)
    def __call__(self, request: HttpRequest) -> HttpResponse:
        _CTX_REQUEST.set(request)
        self.connect(request)
        response = self.get_response(request)
        self.disconnect(request)
        _CTX_REQUEST.set(None)
        return response
    def process_exception(self, request: HttpRequest, exception: Exception):
@ -167,7 +170,7 @@ class AuditMiddleware:
            thread = EventNewThread(
                EventAction.SUSPICIOUS_REQUEST,
                request,
-                message=str(exception),
+                message=exception_to_string(exception),
            )
            thread.run()
        elif before_send({}, {"exc_info": (None, exception, None)}) is not None:
@ -192,6 +195,8 @@ class AuditMiddleware:
            return
        if _CTX_IGNORE.get():
            return
        if request.request_id != _CTX_REQUEST.get().request_id:
            return
        user = self.get_user(request)
        action = EventAction.MODEL_CREATED if created else EventAction.MODEL_UPDATED
@ -205,6 +210,8 @@ class AuditMiddleware:
            return
        if _CTX_IGNORE.get():
            return
        if request.request_id != _CTX_REQUEST.get().request_id:
            return
        user = self.get_user(request)
        EventNewThread(
@ -230,6 +237,8 @@ class AuditMiddleware:
            return
        if _CTX_IGNORE.get():
            return
        if request.request_id != _CTX_REQUEST.get().request_id:
            return
        user = self.get_user(request)
        EventNewThread(
--- a/authentik/events/models.py
+++ b/authentik/events/models.py
@ -238,6 +238,8 @@ class Event(SerializerModel, ExpiringModel):
                "args": cleanse_dict(QueryDict(request.META.get("QUERY_STRING", ""))),
                "user_agent": request.META.get("HTTP_USER_AGENT", ""),
            }
            if hasattr(request, "request_id"):
                self.context["http_request"]["request_id"] = request.request_id
            # Special case for events created during flow execution
            # since they keep the http query within a wrapped query
            if QS_QUERY in self.context["http_request"]["args"]:
--- a/authentik/events/signals.py
+++ b/authentik/events/signals.py
@ -75,7 +75,10 @@ def on_login_failed(
    **kwargs,
 ):
    """Failed Login, authentik custom event"""
-    Event.new(EventAction.LOGIN_FAILED, **credentials, stage=stage, **kwargs).from_http(request)
+    user = User.objects.filter(username=credentials.get("username")).first()
    Event.new(EventAction.LOGIN_FAILED, **credentials, stage=stage, **kwargs).from_http(
        request, user
    )
@receiver(invitation_used)
--- a/authentik/flows/api/flows.py
+++ b/authentik/flows/api/flows.py
@ -37,6 +37,7 @@ from authentik.lib.utils.file import (
 )
 from authentik.lib.views import bad_request_message
 from authentik.rbac.decorators import permission_required
 from authentik.rbac.filters import ObjectFilter
 LOGGER = get_logger()
@ -281,7 +282,7 @@ class FlowViewSet(UsedByMixin, ModelViewSet):
            400: OpenApiResponse(description="Flow not applicable"),
        },
    )
-    @action(detail=True, pagination_class=None, filter_backends=[])
+    @action(detail=True, pagination_class=None, filter_backends=[ObjectFilter])
    def execute(self, request: Request, slug: str):
        """Execute flow for current user"""
        # Because we pre-plan the flow here, and not in the planner, we need to manually clear
--- a/authentik/flows/migrations/0027_auto_20231028_1424.py
+++ b/authentik/flows/migrations/0027_auto_20231028_1424.py
@ -21,7 +21,9 @@ def set_oobe_flow_authentication(apps: Apps, schema_editor: BaseDatabaseSchemaEd
        pass
    if users.exists():
-        Flow.objects.filter(slug="initial-setup").update(authentication="require_superuser")
+        Flow.objects.using(db_alias).filter(slug="initial-setup").update(
            authentication="require_superuser"
        )
 class Migration(migrations.Migration):
--- a/authentik/flows/templates/if/flow-sfe.html
+++ b/authentik/flows/templates/if/flow-sfe.html
@ -0,0 +1,54 @@
 {% load static %}
 {% load i18n %}
 {% load authentik_core %}
 <!DOCTYPE html>
 <html lang="en">
    <head>
        <meta charset="UTF-8">
        <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
        <title>{% block title %}{% trans title|default:brand.branding_title %}{% endblock %}</title>
        <link rel="icon" href="{{ brand.branding_favicon }}">
        <link rel="shortcut icon" href="{{ brand.branding_favicon }}">
        {% block head_before %}
        {% endblock %}
        <link rel="stylesheet" type="text/css" href="{% static 'dist/sfe/bootstrap.min.css' %}">
        <meta name="sentry-trace" content="{{ sentry_trace }}" />
        {% include "base/header_js.html" %}
        <style>
          html,
          body {
            height: 100%;
          }
          body {
            background-image: url("{{ flow.background_url }}");
            background-repeat: no-repeat;
            background-size: cover;
          }
          .card {
            padding: 3rem;
          }
          .form-signin {
            max-width: 330px;
            padding: 1rem;
          }
          .form-signin .form-floating:focus-within {
            z-index: 2;
          }
          .brand-icon {
            max-width: 100%;
          }
        </style>
    </head>
    <body class="d-flex align-items-center py-4 bg-body-tertiary">
      <div class="card m-auto">
        <main class="form-signin w-100 m-auto" id="flow-sfe-container">
        </main>
        <span class="mt-3 mb-0 text-muted text-center">{% trans 'Powered by authentik' %}</span>
      </div>
      <script src="{% static 'dist/sfe/index.js' %}"></script>
    </body>
 </html>
--- a/authentik/flows/templates/if/flow.html
+++ b/authentik/flows/templates/if/flow.html
--- a/authentik/flows/views/interface.py
+++ b/authentik/flows/views/interface.py
@ -0,0 +1,41 @@
 """Interface views"""
 from typing import Any
 from django.shortcuts import get_object_or_404
 from ua_parser.user_agent_parser import Parse
 from authentik.core.views.interface import InterfaceView
 from authentik.flows.models import Flow
 class FlowInterfaceView(InterfaceView):
    """Flow interface"""
    def get_context_data(self, **kwargs: Any) -> dict[str, Any]:
        kwargs["flow"] = get_object_or_404(Flow, slug=self.kwargs.get("flow_slug"))
        kwargs["inspector"] = "inspector" in self.request.GET
        return super().get_context_data(**kwargs)
    def compat_needs_sfe(self) -> bool:
        """Check if we need to use the simplified flow executor for compatibility"""
        ua = Parse(self.request.META.get("HTTP_USER_AGENT", ""))
        if ua["user_agent"]["family"] == "IE":
            return True
        # Only use SFE for Edge 18 and older, after Edge 18 MS switched to chromium which supports
        # the default flow executor
        if (
            ua["user_agent"]["family"] == "Edge"
            and int(ua["user_agent"]["major"]) <= 18  # noqa: PLR2004
        ):  # noqa: PLR2004
            return True
        # https://github.com/AzureAD/microsoft-authentication-library-for-objc
        # Used by Microsoft Teams/Office on macOS, and also uses a very outdated browser engine
        if "PKeyAuth" in ua["string"]:
            return True
        return False
    def get_template_names(self) -> list[str]:
        if self.compat_needs_sfe() or "sfe" in self.request.GET:
            return ["if/flow-sfe.html"]
        return ["if/flow.html"]
--- a/authentik/lib/sync/outgoing/signals.py
+++ b/authentik/lib/sync/outgoing/signals.py
@ -2,6 +2,7 @@ from collections.abc import Callable
 from django.core.paginator import Paginator
 from django.db.models import Model
 from django.db.models.query import Q
 from django.db.models.signals import m2m_changed, post_save, pre_delete
 from authentik.core.models import Group, User
@ -34,7 +35,9 @@ def register_signals(
    def model_post_save(sender: type[Model], instance: User | Group, created: bool, **_):
        """Post save handler"""
-        if not provider_type.objects.filter(backchannel_application__isnull=False).exists():
+        if not provider_type.objects.filter(
            Q(backchannel_application__isnull=False) | Q(application__isnull=False)
        ).exists():
            return
        task_sync_direct.delay(class_to_path(instance.__class__), instance.pk, Direction.add.value)
@ -43,7 +46,9 @@ def register_signals(
    def model_pre_delete(sender: type[Model], instance: User | Group, **_):
        """Pre-delete handler"""
-        if not provider_type.objects.filter(backchannel_application__isnull=False).exists():
+        if not provider_type.objects.filter(
            Q(backchannel_application__isnull=False) | Q(application__isnull=False)
        ).exists():
            return
        task_sync_direct.delay(
            class_to_path(instance.__class__), instance.pk, Direction.remove.value
@ -58,7 +63,9 @@ def register_signals(
        """Sync group membership"""
        if action not in ["post_add", "post_remove"]:
            return
-        if not provider_type.objects.filter(backchannel_application__isnull=False).exists():
+        if not provider_type.objects.filter(
            Q(backchannel_application__isnull=False) | Q(application__isnull=False)
        ).exists():
            return
        # reverse: instance is a Group, pk_set is a list of user pks
        # non-reverse: instance is a User, pk_set is a list of groups
--- a/authentik/lib/sync/outgoing/tasks.py
+++ b/authentik/lib/sync/outgoing/tasks.py
@ -5,6 +5,7 @@ from celery.exceptions import Retry
 from celery.result import allow_join_result
 from django.core.paginator import Paginator
 from django.db.models import Model, QuerySet
 from django.db.models.query import Q
 from django.utils.text import slugify
 from django.utils.translation import gettext_lazy as _
 from structlog.stdlib import BoundLogger, get_logger
@ -37,7 +38,9 @@ class SyncTasks:
        self._provider_model = provider_model
    def sync_all(self, single_sync: Callable[[int], None]):
-        for provider in self._provider_model.objects.filter(backchannel_application__isnull=False):
+        for provider in self._provider_model.objects.filter(
            Q(backchannel_application__isnull=False) | Q(application__isnull=False)
        ):
            self.trigger_single_task(provider, single_sync)
    def trigger_single_task(self, provider: OutgoingSyncProvider, sync_task: Callable[[int], None]):
@ -62,7 +65,8 @@ class SyncTasks:
            provider_pk=provider_pk,
        )
        provider = self._provider_model.objects.filter(
-            pk=provider_pk, backchannel_application__isnull=False
+            Q(backchannel_application__isnull=False) | Q(application__isnull=False),
            pk=provider_pk,
        ).first()
        if not provider:
            return
@ -204,7 +208,9 @@ class SyncTasks:
        if not instance:
            return
        operation = Direction(raw_op)
-        for provider in self._provider_model.objects.filter(backchannel_application__isnull=False):
+        for provider in self._provider_model.objects.filter(
            Q(backchannel_application__isnull=False) | Q(application__isnull=False)
        ):
            client = provider.client_for_model(instance.__class__)
            # Check if the object is allowed within the provider's restrictions
            queryset = provider.get_object_qs(instance.__class__)
@ -223,6 +229,8 @@ class SyncTasks:
                    client.delete(instance)
            except TransientSyncException as exc:
                raise Retry() from exc
            except SkipObjectException:
                continue
            except StopSync as exc:
                self.logger.warning(exc, provider_pk=provider.pk)
@ -233,7 +241,9 @@ class SyncTasks:
        group = Group.objects.filter(pk=group_pk).first()
        if not group:
            return
-        for provider in self._provider_model.objects.filter(backchannel_application__isnull=False):
+        for provider in self._provider_model.objects.filter(
            Q(backchannel_application__isnull=False) | Q(application__isnull=False)
        ):
            # Check if the object is allowed within the provider's restrictions
            queryset: QuerySet = provider.get_object_qs(Group)
            # The queryset we get from the provider must include the instance we've got given
@ -251,5 +261,7 @@ class SyncTasks:
                client.update_group(group, operation, pk_set)
            except TransientSyncException as exc:
                raise Retry() from exc
            except SkipObjectException:
                continue
            except StopSync as exc:
                self.logger.warning(exc, provider_pk=provider.pk)
--- a/authentik/lib/tests/test_http.py
+++ b/authentik/lib/tests/test_http.py
@ -30,6 +30,11 @@ class TestHTTP(TestCase):
        request = self.factory.get("/", HTTP_X_FORWARDED_FOR="127.0.0.2")
        self.assertEqual(ClientIPMiddleware.get_client_ip(request), "127.0.0.2")
    def test_forward_for_invalid(self):
        """Test invalid forward for"""
        request = self.factory.get("/", HTTP_X_FORWARDED_FOR="foobar")
        self.assertEqual(ClientIPMiddleware.get_client_ip(request), ClientIPMiddleware.default_ip)
    def test_fake_outpost(self):
        """Test faked IP which is overridden by an outpost"""
        token = Token.objects.create(
@ -53,6 +58,17 @@ class TestHTTP(TestCase):
            },
        )
        self.assertEqual(ClientIPMiddleware.get_client_ip(request), "127.0.0.1")
        # Invalid, not a real IP
        self.user.type = UserTypes.INTERNAL_SERVICE_ACCOUNT
        self.user.save()
        request = self.factory.get(
            "/",
            **{
                ClientIPMiddleware.outpost_remote_ip_header: "foobar",
                ClientIPMiddleware.outpost_token_header: token.key,
            },
        )
        self.assertEqual(ClientIPMiddleware.get_client_ip(request), "127.0.0.1")
        # Valid
        self.user.type = UserTypes.INTERNAL_SERVICE_ACCOUNT
        self.user.save()
--- a/authentik/outposts/api/outposts.py
+++ b/authentik/outposts/api/outposts.py
@ -20,6 +20,7 @@ from authentik.core.api.utils import JSONDictField, ModelSerializer, PassiveSeri
 from authentik.core.models import Provider
 from authentik.enterprise.license import LicenseKey
 from authentik.enterprise.providers.rac.models import RACProvider
 from authentik.lib.utils.time import timedelta_from_string, timedelta_string_validator
 from authentik.outposts.api.service_connections import ServiceConnectionSerializer
 from authentik.outposts.apps import MANAGED_OUTPOST, MANAGED_OUTPOST_NAME
 from authentik.outposts.models import (
@ -49,6 +50,10 @@ class OutpostSerializer(ModelSerializer):
    service_connection_obj = ServiceConnectionSerializer(
        source="service_connection", read_only=True
    )
    refresh_interval_s = SerializerMethodField()
    def get_refresh_interval_s(self, obj: Outpost) -> int:
        return int(timedelta_from_string(obj.config.refresh_interval).total_seconds())
    def validate_name(self, name: str) -> str:
        """Validate name (especially for embedded outpost)"""
@ -84,7 +89,8 @@ class OutpostSerializer(ModelSerializer):
    def validate_config(self, config) -> dict:
        """Check that the config has all required fields"""
        try:
-            from_dict(OutpostConfig, config)
+            parsed = from_dict(OutpostConfig, config)
            timedelta_string_validator(parsed.refresh_interval)
        except DaciteError as exc:
            raise ValidationError(f"Failed to validate config: {str(exc)}") from exc
        return config
@ -99,6 +105,7 @@ class OutpostSerializer(ModelSerializer):
            "providers_obj",
            "service_connection",
            "service_connection_obj",
            "refresh_interval_s",
            "token_identifier",
            "config",
            "managed",
--- a/authentik/outposts/api/service_connections.py
+++ b/authentik/outposts/api/service_connections.py
@ -26,6 +26,7 @@ from authentik.outposts.models import (
    KubernetesServiceConnection,
    OutpostServiceConnection,
 )
 from authentik.rbac.filters import ObjectFilter
 class ServiceConnectionSerializer(ModelSerializer, MetaNameSerializer):
@ -75,7 +76,7 @@ class ServiceConnectionViewSet(
    filterset_fields = ["name"]
    @extend_schema(responses={200: ServiceConnectionStateSerializer(many=False)})
-    @action(detail=True, pagination_class=None, filter_backends=[])
+    @action(detail=True, pagination_class=None, filter_backends=[ObjectFilter])
    def state(self, request: Request, pk: str) -> Response:
        """Get the service connection's state"""
        connection = self.get_object()
--- a/authentik/outposts/channels.py
+++ b/authentik/outposts/channels.py
--- a/authentik/outposts/migrations/0001_squashed_0017_outpost_managed.py
+++ b/authentik/outposts/migrations/0001_squashed_0017_outpost_managed.py
@ -13,16 +13,17 @@ import authentik.outposts.models
 def fix_missing_token_identifier(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
    db_alias = schema_editor.connection.alias
    User = apps.get_model("authentik_core", "User")
    Token = apps.get_model("authentik_core", "Token")
    from authentik.outposts.models import Outpost
-    for outpost in Outpost.objects.using(schema_editor.connection.alias).all().only("pk"):
+    for outpost in Outpost.objects.using(db_alias).all().only("pk"):
        user_identifier = outpost.user_identifier
-        users = User.objects.filter(username=user_identifier)
+        users = User.objects.using(db_alias).filter(username=user_identifier)
        if not users.exists():
            continue
-        tokens = Token.objects.filter(user=users.first())
+        tokens = Token.objects.using(db_alias).filter(user=users.first())
        for token in tokens:
            if token.identifier != outpost.token_identifier:
                token.identifier = outpost.token_identifier
@ -37,8 +38,8 @@ def migrate_to_service_connection(apps: Apps, schema_editor: BaseDatabaseSchemaE
        "authentik_outposts", "KubernetesServiceConnection"
    )
-    docker = DockerServiceConnection.objects.filter(local=True).first()
+    docker = DockerServiceConnection.objects.using(db_alias).filter(local=True).first()
-    k8s = KubernetesServiceConnection.objects.filter(local=True).first()
+    k8s = KubernetesServiceConnection.objects.using(db_alias).filter(local=True).first()
    try:
        for outpost in Outpost.objects.using(db_alias).all().exclude(deployment_type="custom"):
@ -54,21 +55,21 @@ def migrate_to_service_connection(apps: Apps, schema_editor: BaseDatabaseSchemaE
 def remove_pb_prefix_users(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
-    alias = schema_editor.connection.alias
+    db_alias = schema_editor.connection.alias
    User = apps.get_model("authentik_core", "User")
    Outpost = apps.get_model("authentik_outposts", "Outpost")
-    for outpost in Outpost.objects.using(alias).all():
+    for outpost in Outpost.objects.using(db_alias).all():
-        matching = User.objects.using(alias).filter(username=f"pb-outpost-{outpost.uuid.hex}")
+        matching = User.objects.using(db_alias).filter(username=f"pb-outpost-{outpost.uuid.hex}")
        if matching.exists():
            matching.delete()
 def update_config_prefix(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
-    alias = schema_editor.connection.alias
+    db_alias = schema_editor.connection.alias
    Outpost = apps.get_model("authentik_outposts", "Outpost")
-    for outpost in Outpost.objects.using(alias).all():
+    for outpost in Outpost.objects.using(db_alias).all():
        config = outpost._config
        for key in list(config):
            if "passbook" in key:
--- a/authentik/outposts/models.py
+++ b/authentik/outposts/models.py
@ -61,6 +61,7 @@ class OutpostConfig:
    log_level: str = CONFIG.get("log_level")
    object_naming_template: str = field(default="ak-outpost-%(name)s")
    refresh_interval: str = "minutes=5"
    container_image: str | None = field(default=None)
--- a/authentik/outposts/tests/test_ws.py
+++ b/authentik/outposts/tests/test_ws.py
@ -2,7 +2,6 @@
 from dataclasses import asdict
 from channels.exceptions import DenyConnection
 from channels.routing import URLRouter
 from channels.testing import WebsocketCommunicator
 from django.test import TransactionTestCase
@ -37,9 +36,8 @@ class TestOutpostWS(TransactionTestCase):
        communicator = WebsocketCommunicator(
            URLRouter(websocket.websocket_urlpatterns), f"/ws/outpost/{self.outpost.pk}/"
        )
-        with self.assertRaises(DenyConnection):
+        connected, _ = await communicator.connect()
-            connected, _ = await communicator.connect()
+        self.assertFalse(connected)
            self.assertFalse(connected)
    async def test_auth_valid(self):
        """Test auth with token"""
--- a/authentik/outposts/urls.py
+++ b/authentik/outposts/urls.py
@ -2,13 +2,13 @@
 from django.urls import path
 from authentik.core.channels import TokenOutpostMiddleware
 from authentik.outposts.api.outposts import OutpostViewSet
 from authentik.outposts.api.service_connections import (
    DockerServiceConnectionViewSet,
    KubernetesServiceConnectionViewSet,
    ServiceConnectionViewSet,
 )
 from authentik.outposts.channels import TokenOutpostMiddleware
 from authentik.outposts.consumer import OutpostConsumer
 from authentik.root.middleware import ChannelsLoggingMiddleware
--- a/authentik/policies/reputation/api.py
+++ b/authentik/policies/reputation/api.py
@ -1,6 +1,8 @@
 """Reputation policy API Views"""
 from django.utils.translation import gettext_lazy as _
 from django_filters.filters import BaseInFilter, CharFilter
 from django_filters.filterset import FilterSet
 from rest_framework import mixins
 from rest_framework.exceptions import ValidationError
 from rest_framework.viewsets import GenericViewSet, ModelViewSet
@ -11,6 +13,10 @@ from authentik.policies.api.policies import PolicySerializer
 from authentik.policies.reputation.models import Reputation, ReputationPolicy
 class CharInFilter(BaseInFilter, CharFilter):
    pass
 class ReputationPolicySerializer(PolicySerializer):
    """Reputation Policy Serializer"""
@ -38,6 +44,16 @@ class ReputationPolicyViewSet(UsedByMixin, ModelViewSet):
    ordering = ["name"]
 class ReputationFilter(FilterSet):
    """Filter for reputation"""
    identifier_in = CharInFilter(field_name="identifier", lookup_expr="in")
    class Meta:
        model = Reputation
        fields = ["identifier", "ip", "score"]
 class ReputationSerializer(ModelSerializer):
    """Reputation Serializer"""
@ -66,5 +82,5 @@ class ReputationViewSet(
    queryset = Reputation.objects.all()
    serializer_class = ReputationSerializer
    search_fields = ["identifier", "ip", "score"]
-    filterset_fields = ["identifier", "ip", "score"]
+    filterset_class = ReputationFilter
    ordering = ["ip"]
--- a/authentik/providers/oauth2/tests/test_introspect.py
+++ b/authentik/providers/oauth2/tests/test_introspect.py
@ -29,7 +29,6 @@ class TesOAuth2Introspection(OAuthTestCase):
        self.app = Application.objects.create(
            name=generate_id(), slug=generate_id(), provider=self.provider
        )
        self.app.save()
        self.user = create_test_admin_user()
        self.auth = b64encode(
            f"{self.provider.client_id}:{self.provider.client_secret}".encode()
@ -114,6 +113,41 @@ class TesOAuth2Introspection(OAuthTestCase):
            },
        )
    def test_introspect_invalid_provider(self):
        """Test introspection (mismatched provider and token)"""
        provider: OAuth2Provider = OAuth2Provider.objects.create(
            name=generate_id(),
            authorization_flow=create_test_flow(),
            redirect_uris="",
            signing_key=create_test_cert(),
        )
        auth = b64encode(f"{provider.client_id}:{provider.client_secret}".encode()).decode()
        token: AccessToken = AccessToken.objects.create(
            provider=self.provider,
            user=self.user,
            token=generate_id(),
            auth_time=timezone.now(),
            _scope="openid user profile",
            _id_token=json.dumps(
                asdict(
                    IDToken("foo", "bar"),
                )
            ),
        )
        res = self.client.post(
            reverse("authentik_providers_oauth2:token-introspection"),
            HTTP_AUTHORIZATION=f"Basic {auth}",
            data={"token": token.token},
        )
        self.assertEqual(res.status_code, 200)
        self.assertJSONEqual(
            res.content.decode(),
            {
                "active": False,
            },
        )
    def test_introspect_invalid_auth(self):
        """Test introspect (invalid auth)"""
        res = self.client.post(
--- a/authentik/providers/oauth2/views/introspection.py
+++ b/authentik/providers/oauth2/views/introspection.py
@ -46,10 +46,10 @@ class TokenIntrospectionParams:
        if not provider:
            raise TokenIntrospectionError
-        access_token = AccessToken.objects.filter(token=raw_token).first()
+        access_token = AccessToken.objects.filter(token=raw_token, provider=provider).first()
        if access_token:
            return TokenIntrospectionParams(access_token, provider)
-        refresh_token = RefreshToken.objects.filter(token=raw_token).first()
+        refresh_token = RefreshToken.objects.filter(token=raw_token, provider=provider).first()
        if refresh_token:
            return TokenIntrospectionParams(refresh_token, provider)
        LOGGER.debug("Token does not exist", token=raw_token)
--- a/authentik/providers/saml/api/providers.py
+++ b/authentik/providers/saml/api/providers.py
@ -268,7 +268,7 @@ class SAMLProviderViewSet(UsedByMixin, ModelViewSet):
        except ValueError as exc:  # pragma: no cover
            LOGGER.warning(str(exc))
            raise ValidationError(
-                _("Failed to import Metadata: {messages}".format_map({"message": str(exc)})),
+                _("Failed to import Metadata: {messages}".format_map({"messages": str(exc)})),
            ) from None
        return Response(status=204)
--- a/authentik/providers/scim/clients/base.py
+++ b/authentik/providers/scim/clients/base.py
@ -89,6 +89,6 @@ class SCIMClient[TModel: "Model", TConnection: "Model", TSchema: "BaseModel"](
            return ServiceProviderConfiguration.model_validate(
                self._request("GET", "/ServiceProviderConfig")
            )
-        except (ValidationError, SCIMRequestException) as exc:
+        except (ValidationError, SCIMRequestException, NotFoundSyncException) as exc:
            self.logger.warning("failed to get ServiceProviderConfig", exc=exc)
            return default_config
--- a/authentik/root/middleware.py
+++ b/authentik/root/middleware.py
@ -2,6 +2,7 @@
 from collections.abc import Callable
 from hashlib import sha512
 from ipaddress import ip_address
 from time import perf_counter, time
 from typing import Any
@ -174,6 +175,7 @@ class ClientIPMiddleware:
    def __init__(self, get_response: Callable[[HttpRequest], HttpResponse]):
        self.get_response = get_response
        self.logger = get_logger().bind()
    def _get_client_ip_from_meta(self, meta: dict[str, Any]) -> str:
        """Attempt to get the client's IP by checking common HTTP Headers.
@ -185,11 +187,16 @@ class ClientIPMiddleware:
            "HTTP_X_FORWARDED_FOR",
            "REMOTE_ADDR",
        )
-        for _header in headers:
+        try:
-            if _header in meta:
+            for _header in headers:
-                ips: list[str] = meta.get(_header).split(",")
+                if _header in meta:
-                return ips[0].strip()
+                    ips: list[str] = meta.get(_header).split(",")
-        return self.default_ip
+                    # Ensure the IP parses as a valid IP
                    return str(ip_address(ips[0].strip()))
            return self.default_ip
        except ValueError as exc:
            self.logger.debug("Invalid remote IP", exc=exc)
            return self.default_ip
    # FIXME: this should probably not be in `root` but rather in a middleware in `outposts`
    # but for now it's fine
@ -228,7 +235,11 @@ class ClientIPMiddleware:
        Hub.current.scope.set_user(user)
        # Set the outpost service account on the request
        setattr(request, self.request_attr_outpost_user, user)
-        return delegated_ip
+        try:
            return str(ip_address(delegated_ip))
        except ValueError as exc:
            self.logger.debug("Invalid remote IP from Outpost", exc=exc)
            return None
    def _get_client_ip(self, request: HttpRequest | None) -> str:
        """Attempt to get the client's IP by checking common HTTP Headers.
@ -274,9 +285,13 @@ class ChannelsLoggingMiddleware:
        self.log(scope)
        try:
            return await self.inner(scope, receive, send)
        except DenyConnection:
            return await send({"type": "websocket.close"})
        except Exception as exc:
            if settings.DEBUG:
                raise exc
            LOGGER.warning("Exception in ASGI application", exc=exc)
-            raise DenyConnection() from None
+            return await send({"type": "websocket.close"})
    def log(self, scope: dict, **kwargs):
        """Log request"""
--- a/authentik/sources/ldap/migrations/0001_squashed_0012_auto_20210812_1703.py
+++ b/authentik/sources/ldap/migrations/0001_squashed_0012_auto_20210812_1703.py
@ -31,9 +31,9 @@ def set_default_group_mappings(apps: Apps, schema_editor):
    db_alias = schema_editor.connection.alias
    for source in LDAPSource.objects.using(db_alias).all():
-        if source.property_mappings_group.exists():
+        if source.property_mappings_group.using(db_alias).exists():
            continue
-        source.property_mappings_group.set(
+        source.property_mappings_group.using(db_alias).set(
            LDAPPropertyMapping.objects.using(db_alias).filter(
                managed="goauthentik.io/sources/ldap/default-name"
            )
--- a/authentik/sources/ldap/signals.py
+++ b/authentik/sources/ldap/signals.py
@ -39,7 +39,7 @@ def sync_ldap_source_on_save(sender, instance: LDAPSource, **_):
@receiver(password_validate)
 def ldap_password_validate(sender, password: str, plan_context: dict[str, Any], **__):
    """if there's an LDAP Source with enabled password sync, check the password"""
-    sources = LDAPSource.objects.filter(sync_users_password=True)
+    sources = LDAPSource.objects.filter(sync_users_password=True, enabled=True)
    if not sources.exists():
        return
    source = sources.first()
@ -56,7 +56,7 @@ def ldap_password_validate(sender, password: str, plan_context: dict[str, Any],
@receiver(password_changed)
 def ldap_sync_password(sender, user: User, password: str, **_):
    """Connect to ldap and update password."""
-    sources = LDAPSource.objects.filter(sync_users_password=True)
+    sources = LDAPSource.objects.filter(sync_users_password=True, enabled=True)
    if not sources.exists():
        return
    source = sources.first()
--- a/authentik/sources/oauth/types/facebook.py
+++ b/authentik/sources/oauth/types/facebook.py
@ -2,9 +2,6 @@
 from typing import Any
 from facebook import GraphAPI
 from authentik.sources.oauth.clients.oauth2 import OAuth2Client
 from authentik.sources.oauth.types.registry import SourceType, registry
 from authentik.sources.oauth.views.callback import OAuthCallback
 from authentik.sources.oauth.views.redirect import OAuthRedirect
@ -19,19 +16,9 @@ class FacebookOAuthRedirect(OAuthRedirect):
        }
 class FacebookOAuth2Client(OAuth2Client):
    """Facebook OAuth2 Client"""
    def get_profile_info(self, token: dict[str, str]) -> dict[str, Any] | None:
        api = GraphAPI(access_token=token["access_token"])
        return api.get_object("me", fields="id,name,email")
 class FacebookOAuth2Callback(OAuthCallback):
    """Facebook OAuth2 Callback"""
    client_class = FacebookOAuth2Client
    def get_user_enroll_context(
        self,
        info: dict[str, Any],
--- a/authentik/sources/saml/migrations/0001_squashed_0009_auto_20210301_0949.py
+++ b/authentik/sources/saml/migrations/0001_squashed_0009_auto_20210301_0949.py
@ -10,6 +10,8 @@ from authentik.sources.saml.processors import constants
 def update_algorithms(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
    db_alias = schema_editor.connection.alias
    SAMLSource = apps.get_model("authentik_sources_saml", "SAMLSource")
    signature_translation_map = {
        "rsa-sha1": constants.RSA_SHA1,
@ -22,7 +24,7 @@ def update_algorithms(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
        "sha256": constants.SHA256,
    }
-    for source in SAMLSource.objects.all():
+    for source in SAMLSource.objects.using(db_alias).all():
        source.signature_algorithm = signature_translation_map.get(
            source.signature_algorithm, constants.RSA_SHA256
        )
--- a/authentik/sources/saml/processors/response.py
+++ b/authentik/sources/saml/processors/response.py
@ -10,6 +10,7 @@ from django.core.cache import cache
 from django.core.exceptions import SuspiciousOperation
 from django.http import HttpRequest
 from django.utils.timezone import now
 from lxml import etree  # nosec
 from structlog.stdlib import get_logger
 from authentik.core.models import (
@ -240,7 +241,7 @@ class ResponseProcessor:
            name_id.text,
            delete_none_values(self.get_attributes()),
        )
-        flow_manager.policy_context["saml_response"] = self._root
+        flow_manager.policy_context["saml_response"] = etree.tostring(self._root)
        return flow_manager
--- a/authentik/sources/scim/models.py
+++ b/authentik/sources/scim/models.py
@ -1,7 +1,5 @@
 """SCIM Source"""
 from uuid import uuid4
 from django.db import models
 from django.templatetags.static import static
 from django.utils.translation import gettext_lazy as _
@ -19,8 +17,6 @@ class SCIMSource(Source):
    @property
    def service_account_identifier(self) -> str:
        if not self.pk:
            self.pk = uuid4()
        return f"ak-source-scim-{self.pk}"
    @property
--- a/authentik/sources/scim/signals.py
+++ b/authentik/sources/scim/signals.py
@ -1,41 +1,44 @@
 from django.db.models import Model
-from django.db.models.signals import pre_delete, pre_save
+from django.db.models.signals import post_delete, post_save
 from django.dispatch import receiver
 from authentik.core.models import USER_PATH_SYSTEM_PREFIX, Token, TokenIntents, User, UserTypes
 from authentik.events.middleware import audit_ignore
 from authentik.sources.scim.models import SCIMSource
 USER_PATH_SOURCE_SCIM = USER_PATH_SYSTEM_PREFIX + "/sources/scim"
-@receiver(pre_save, sender=SCIMSource)
+@receiver(post_save, sender=SCIMSource)
-def scim_source_pre_save(sender: type[Model], instance: SCIMSource, **_):
+def scim_source_post_save(sender: type[Model], instance: SCIMSource, created: bool, **_):
    """Create service account before source is saved"""
    # .service_account_identifier will auto-assign a primary key uuid to the source
    # if none is set yet, just so we can get the identifier before we save
    identifier = instance.service_account_identifier
-    user = User.objects.create(
+    user, _ = User.objects.update_or_create(
        username=identifier,
-        name=f"SCIM Source {instance.name} Service-Account",
+        defaults={
-        type=UserTypes.INTERNAL_SERVICE_ACCOUNT,
+            "name": f"SCIM Source {instance.name} Service-Account",
-        path=USER_PATH_SOURCE_SCIM,
+            "type": UserTypes.INTERNAL_SERVICE_ACCOUNT,
            "path": USER_PATH_SOURCE_SCIM,
        },
    )
-    token = Token.objects.create(
+    token, token_created = Token.objects.update_or_create(
        user=user,
        identifier=identifier,
-        intent=TokenIntents.INTENT_API,
+        defaults={
-        expiring=False,
+            "user": user,
-        managed=f"goauthentik.io/sources/scim/{instance.pk}",
+            "intent": TokenIntents.INTENT_API,
            "expiring": False,
            "managed": f"goauthentik.io/sources/scim/{instance.pk}",
        },
    )
-    instance.token = token
+    if created or token_created:
        with audit_ignore():
            instance.token = token
            instance.save()
-@receiver(pre_delete, sender=SCIMSource)
+@receiver(post_delete, sender=SCIMSource)
-def scim_source_pre_delete(sender: type[Model], instance: SCIMSource, **_):
+def scim_source_post_delete(sender: type[Model], instance: SCIMSource, **_):
-    """Delete SCIM Source service account before deleting source"""
+    """Delete SCIM Source service account after deleting source"""
    Token.objects.filter(
        identifier=instance.service_account_identifier, intent=TokenIntents.INTENT_API
    ).delete()
    User.objects.filter(
        username=instance.service_account_identifier, type=UserTypes.INTERNAL_SERVICE_ACCOUNT
    ).delete()
--- a/authentik/stages/authenticator_validate/migrations/0010_remove_authenticatorvalidatestage_configuration_stage_and_more.py
+++ b/authentik/stages/authenticator_validate/migrations/0010_remove_authenticatorvalidatestage_configuration_stage_and_more.py
@ -13,7 +13,7 @@ def migrate_configuration_stage(apps: Apps, schema_editor: BaseDatabaseSchemaEdi
    for stage in AuthenticatorValidateStage.objects.using(db_alias).all():
        if stage.configuration_stage:
-            stage.configuration_stages.set([stage.configuration_stage])
+            stage.configuration_stages.using(db_alias).set([stage.configuration_stage])
            stage.save()
--- a/authentik/stages/authenticator_validate/stage.py
+++ b/authentik/stages/authenticator_validate/stage.py
@ -325,7 +325,7 @@ class AuthenticatorValidateStageView(ChallengeStageView):
            serializer = SelectableStageSerializer(
                data={
                    "pk": stage.pk,
-                    "name": stage.friendly_name or stage.name,
+                    "name": getattr(stage, "friendly_name", stage.name),
                    "verbose_name": str(stage._meta.verbose_name)
                    .replace("Setup Stage", "")
                    .strip(),
--- a/authentik/stages/authenticator_validate/tests/test_duo.py
+++ b/authentik/stages/authenticator_validate/tests/test_duo.py
@ -8,6 +8,7 @@ from django.urls import reverse
 from rest_framework.exceptions import ValidationError
 from authentik.brands.utils import get_brand_for_request
 from authentik.core.middleware import RESPONSE_HEADER_ID
 from authentik.core.tests.utils import create_test_admin_user, create_test_flow
 from authentik.events.models import Event, EventAction
 from authentik.flows.models import FlowDesignation, FlowStageBinding
@ -186,6 +187,7 @@ class AuthenticatorValidateStageDuoTests(FlowTestCase):
                    "method": "GET",
                    "path": f"/api/v3/flows/executor/{flow.slug}/",
                    "user_agent": "",
                    "request_id": response[RESPONSE_HEADER_ID],
                },
            },
        )
--- a/authentik/stages/email/templates/email/base.html
+++ b/authentik/stages/email/templates/email/base.html
@ -120,7 +120,7 @@
            </tr>
            <tr>
              <td align="center">
-                Powered by <a href="https://goauthentik.io?utm_source=authentik&utm_medium=email">authentik</a>.
+                Powered by <a rel="noopener noreferrer" target="_blank" href="https://goauthentik.io?utm_source=authentik&utm_medium=email">authentik</a>.
              </td>
            </tr>
          </table>
--- a/authentik/stages/identification/migrations/0002_auto_20200530_2204_squashed_0013_identificationstage_passwordless_flow.py
+++ b/authentik/stages/identification/migrations/0002_auto_20200530_2204_squashed_0013_identificationstage_passwordless_flow.py
@ -13,9 +13,9 @@ def assign_sources(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
    IdentificationStage = apps.get_model("authentik_stages_identification", "identificationstage")
    Source = apps.get_model("authentik_core", "source")
-    sources = Source.objects.all()
+    sources = Source.objects.using(db_alias).all()
-    for stage in IdentificationStage.objects.all().using(db_alias):
+    for stage in IdentificationStage.objects.using(db_alias).all():
-        stage.sources.set(sources)
+        stage.sources.using(db_alias).set(sources)
        stage.save()
@ -144,7 +144,7 @@ class Migration(migrations.Migration):
                default=None,
                help_text=(
                    "When set, shows a password field, instead of showing the password field as"
-                    " seaprate step."
+                    " separate step."
                ),
                null=True,
                on_delete=django.db.models.deletion.SET_NULL,
--- a/authentik/stages/prompt/api.py
+++ b/authentik/stages/prompt/api.py
@ -108,7 +108,7 @@ class PromptViewSet(UsedByMixin, ModelViewSet):
            return Response(
                {
                    "non_field_errors": [
-                        exception_to_string(exc),
+                        exception_to_string(exc.exc),
                    ]
                },
                status=400,
--- a/authentik/stages/prompt/migrations/0009_prompt_name.py
+++ b/authentik/stages/prompt/migrations/0009_prompt_name.py
@ -12,7 +12,7 @@ def set_generated_name(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
    for prompt in Prompt.objects.using(db_alias).all():
        name = prompt.field_key
-        stage = prompt.promptstage_set.order_by("name").first()
+        stage = prompt.promptstage_set.using(db_alias).order_by("name").first()
        if stage:
            name += "_" + stage.name
        else:
--- a/authentik/stages/prompt/models.py
+++ b/authentik/stages/prompt/models.py
@ -170,7 +170,7 @@ class Prompt(SerializerModel):
            try:
                raw_choices = evaluator.evaluate(self.placeholder)
            except Exception as exc:  # pylint:disable=broad-except
-                wrapped = PropertyMappingExpressionException(str(exc))
+                wrapped = PropertyMappingExpressionException(exc, None)
                LOGGER.warning(
                    "failed to evaluate prompt choices",
                    exc=wrapped,
@ -208,7 +208,7 @@ class Prompt(SerializerModel):
            try:
                return evaluator.evaluate(self.placeholder)
            except Exception as exc:  # pylint:disable=broad-except
-                wrapped = PropertyMappingExpressionException(str(exc), None)
+                wrapped = PropertyMappingExpressionException(exc, None)
                LOGGER.warning(
                    "failed to evaluate prompt placeholder",
                    exc=wrapped,
@ -237,7 +237,7 @@ class Prompt(SerializerModel):
            try:
                value = evaluator.evaluate(self.initial_value)
            except Exception as exc:  # pylint:disable=broad-except
-                wrapped = PropertyMappingExpressionException(str(exc))
+                wrapped = PropertyMappingExpressionException(exc, None)
                LOGGER.warning(
                    "failed to evaluate prompt initial value",
                    exc=wrapped,
--- a/authentik/stages/user_login/middleware.py
+++ b/authentik/stages/user_login/middleware.py
@ -1,10 +1,9 @@
 """Sessions bound to ASN/Network and GeoIP/Continent/etc"""
 from django.conf import settings
 from django.contrib.auth.middleware import AuthenticationMiddleware
 from django.contrib.auth.signals import user_logged_out
 from django.contrib.auth.views import redirect_to_login
 from django.http.request import HttpRequest
 from django.shortcuts import redirect
 from structlog.stdlib import get_logger
 from authentik.core.models import AuthenticatedSession
@ -87,7 +86,7 @@ class BoundSessionMiddleware(SessionMiddleware):
            AuthenticationMiddleware(lambda request: request).process_request(request)
            logout_extra(request, exc)
            request.session.clear()
-            return redirect(settings.LOGIN_URL)
+            return redirect_to_login(request.get_full_path())
        return None
    def recheck_session(self, request: HttpRequest):
--- a/authentik/stages/user_write/stage.py
+++ b/authentik/stages/user_write/stage.py
@ -6,6 +6,7 @@ from django.contrib.auth import update_session_auth_hash
 from django.db import transaction
 from django.db.utils import IntegrityError, InternalError
 from django.http import HttpRequest, HttpResponse
 from django.utils.functional import SimpleLazyObject
 from django.utils.translation import gettext as _
 from rest_framework.exceptions import ValidationError
@ -118,6 +119,14 @@ class UserWriteStageView(StageView):
                UserWriteStageView.write_attribute(user, key, value)
            # User has this key already
            elif hasattr(user, key):
                if isinstance(user, SimpleLazyObject):
                    user._setup()
                    user = user._wrapped
                attr = getattr(type(user), key)
                if isinstance(attr, property):
                    if not attr.fset:
                        self.logger.info("discarding key", key=key)
                        continue
                setattr(user, key, value)
            # If none of the cases above matched, we have an attribute that the user doesn't have,
            # has no setter for, is not a nested attributes value and as such is invalid
--- a/blueprints/default/flow-default-authentication-flow.yaml
+++ b/blueprints/default/flow-default-authentication-flow.yaml
@ -82,3 +82,5 @@ entries:
    order: 10
    target: !KeyOf default-authentication-flow-password-binding
    policy: !KeyOf default-authentication-flow-password-optional
  attrs:
    failure_result: true
--- a/blueprints/schema.json
+++ b/blueprints/schema.json
@ -2,7 +2,7 @@
    "$schema": "http://json-schema.org/draft-07/schema",
    "$id": "https://goauthentik.io/blueprints/schema.json",
    "type": "object",
-    "title": "authentik 2024.6.0 Blueprint schema",
+    "title": "authentik 2024.6.5 Blueprint schema",
    "required": [
        "version",
        "entries"
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -31,7 +31,7 @@ services:
    volumes:
      - redis:/data
  server:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.6.0}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.6.5}
    restart: unless-stopped
    command: server
    environment:
@ -52,7 +52,7 @@ services:
      - postgresql
      - redis
  worker:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.6.0}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.6.5}
    restart: unless-stopped
    command: worker
    environment:
--- a/go.mod
+++ b/go.mod
@ -28,7 +28,7 @@ require (
 	github.com/spf13/cobra v1.8.0
 	github.com/stretchr/testify v1.9.0
 	github.com/wwt/guac v1.3.2
-	goauthentik.io/api/v3 v3.2024042.11
+	goauthentik.io/api/v3 v3.2024060.5
 	golang.org/x/exp v0.0.0-20230210204819-062eb4c674ab
 	golang.org/x/oauth2 v0.21.0
 	golang.org/x/sync v0.7.0
--- a/go.sum
+++ b/go.sum
@ -294,8 +294,8 @@ go.opentelemetry.io/otel/trace v1.24.0 h1:CsKnnL4dUAr/0llH9FKuc698G04IrpWV0MQA/Y
 go.opentelemetry.io/otel/trace v1.24.0/go.mod h1:HPc3Xr/cOApsBI154IU0OI0HJexz+aw5uPdbs3UCjNU=
 go.uber.org/goleak v1.2.1 h1:NBol2c7O1ZokfZ0LEU9K6Whx/KnwvepVetCUhtKja4A=
 go.uber.org/goleak v1.2.1/go.mod h1:qlT2yGI9QafXHhZZLxlSuNsMw3FFLxBr+tBRlmO1xH4=
-goauthentik.io/api/v3 v3.2024042.11 h1:cGgUz1E8rlMphGvv04VI7i+MgT8eidZbxTpza5zd96I=
+goauthentik.io/api/v3 v3.2024060.5 h1:AjvPUZoObk7a86ZZaz2tmruteY+1vAEfVzIOzQpWSXM=
-goauthentik.io/api/v3 v3.2024042.11/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
+goauthentik.io/api/v3 v3.2024060.5/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
--- a/internal/constants/constants.go
+++ b/internal/constants/constants.go
@ -29,4 +29,4 @@ func UserAgent() string {
 	return fmt.Sprintf("authentik@%s", FullVersion())
 }
-const VERSION = "2024.6.0"
+const VERSION = "2024.6.5"
--- a/internal/outpost/ak/api_ws.go
+++ b/internal/outpost/ak/api_ws.go
@ -183,7 +183,19 @@ func (ac *APIController) startWSHealth() {
 func (ac *APIController) startIntervalUpdater() {
 	logger := ac.logger.WithField("loop", "interval-updater")
-	ticker := time.NewTicker(5 * time.Minute)
+	getInterval := func() time.Duration {
 		// Ensure timer interval is not negative or 0
 		// for 0 we assume migration or unconfigured, so default to 5 minutes
 		if ac.Outpost.RefreshIntervalS <= 0 {
 			return 5 * time.Minute
 		}
 		// Clamp interval to be at least 30 seconds
 		if ac.Outpost.RefreshIntervalS < 30 {
 			return 30 * time.Second
 		}
 		return time.Duration(ac.Outpost.RefreshIntervalS) * time.Second
 	}
 	ticker := time.NewTicker(getInterval())
 	for ; true; <-ticker.C {
 		logger.Debug("Running interval update")
 		err := ac.OnRefresh()
@ -198,6 +210,7 @@ func (ac *APIController) startIntervalUpdater() {
 				"build":        constants.BUILD("tagged"),
 			}).SetToCurrentTime()
 		}
 		ticker.Reset(getInterval())
 	}
 }
--- a/internal/outpost/proxyv2/templates/error.html
+++ b/internal/outpost/proxyv2/templates/error.html
@ -48,9 +48,9 @@
                <footer class="pf-c-login__footer">
                    <ul class="pf-c-list pf-m-inline">
                        <li>
-                            <a href="https://goauthentik.io?utm_source=authentik_outpost&utm_campaign=proxy_error">
+                            <span>
                                Powered by authentik
-                            </a>
+                            </span>
                        </li>
                    </ul>
                </footer>
--- a/lifecycle/system_migrations/tenant_files.py
+++ b/lifecycle/system_migrations/tenant_files.py
@ -1,6 +1,7 @@
 # flake8: noqa
 from pathlib import Path
 from authentik.lib.config import CONFIG
 from lifecycle.migrate import BaseMigration
 MEDIA_ROOT = Path(__file__).parent.parent.parent / "media"
@ -9,7 +10,9 @@ TENANT_MEDIA_ROOT = MEDIA_ROOT / "public"
 class Migration(BaseMigration):
    def needs_migration(self) -> bool:
-        return not TENANT_MEDIA_ROOT.exists()
+        return (
            not TENANT_MEDIA_ROOT.exists() and CONFIG.get("storage.media.backend", "file") != "s3"
        )
    def run(self):
        TENANT_MEDIA_ROOT.mkdir(parents=True)
--- a/package.json
+++ b/package.json
@ -1,5 +1,5 @@
 {
    "name": "@goauthentik/authentik",
-    "version": "2024.6.0",
+    "version": "2024.6.5",
    "private": true
 }
--- a/poetry.lock
+++ b/poetry.lock
@ -1,4 +1,4 @@
-# This file is automatically @generated by Poetry 1.8.2 and should not be changed by hand.
+# This file is automatically @generated by Poetry 1.8.3 and should not be changed by hand.
 [[package]]
 name = "aiohttp"
@ -1513,20 +1513,6 @@ files = [
 dnspython = ">=2.0.0"
 idna = ">=2.0.0"
 [[package]]
 name = "facebook-sdk"
 version = "3.1.0"
 description = "This client library is designed to support the Facebook Graph API and the official Facebook JavaScript SDK, which is the canonical way to implement Facebook authentication."
 optional = false
 python-versions = "*"
 files = [
    {file = "facebook-sdk-3.1.0.tar.gz", hash = "sha256:cabcd2e69ea3d9f042919c99b353df7aa1e2be86d040121f6e9f5e63c1cf0f8d"},
    {file = "facebook_sdk-3.1.0-py2.py3-none-any.whl", hash = "sha256:2e987b3e0f466a6f4ee77b935eb023dba1384134f004a2af21f1cfff7fe0806e"},
 ]
 [package.dependencies]
 requests = "*"
 [[package]]
 name = "fido2"
 version = "1.1.3"
@ -2954,9 +2940,14 @@ version = "0.0.14"
 description = "Python module for oci specifications"
 optional = false
 python-versions = "*"
-files = [
+files = []
-    {file = "opencontainers-0.0.14.tar.gz", hash = "sha256:fde3b8099b56b5c956415df8933e2227e1914e805a277b844f2f9e52341738f2"},
+develop = false
-]
+
 [package.source]
 type = "git"
 url = "https://github.com/vsoch/oci-python"
 reference = "20d69d9cc50a0fef31605b46f06da0c94f1ec3cf"
 resolved_reference = "20d69d9cc50a0fef31605b46f06da0c94f1ec3cf"
 [[package]]
 name = "opentelemetry-api"
@ -5350,4 +5341,4 @@ files = [
 [metadata]
 lock-version = "2.0"
 python-versions = "~3.12"
-content-hash = "f960013b56683ab42d82f8b49b2822dffc76046e3d22695ebb737b405a98dbaf"
+content-hash = "055376879ff784080ab95c02eaa012fb1dad1213b1faa0dd1d61b0b812859b6d"
--- a/pyproject.toml
+++ b/pyproject.toml
@ -1,6 +1,6 @@
 [tool.poetry]
 name = "authentik"
-version = "2024.6.0"
+version = "2024.6.5"
 description = ""
 authors = ["authentik Team <hello@goauthentik.io>"]
@ -110,7 +110,6 @@ docker = "*"
 drf-spectacular = "*"
 dumb-init = "*"
 duo-client = "*"
 facebook-sdk = "*"
 fido2 = "*"
 flower = "*"
 geoip2 = "*"
@ -121,7 +120,7 @@ kubernetes = "*"
 ldap3 = "*"
 lxml = "*"
 msgraph-sdk = "*"
-opencontainers = { extras = ["reggie"], version = "*" }
+opencontainers = { git = "https://github.com/vsoch/oci-python", rev = "20d69d9cc50a0fef31605b46f06da0c94f1ec3cf", extras = ["reggie"] }
 packaging = "*"
 paramiko = "*"
 psycopg = { extras = ["c"], version = "*" }
--- a/schema.yml
+++ b/schema.yml
@ -1,7 +1,7 @@
 openapi: 3.0.3
 info:
  title: authentik
-  version: 2024.6.0
+  version: 2024.6.5
  description: Making authentication simple.
  contact:
    email: hello@goauthentik.io
@ -13080,6 +13080,15 @@ paths:
        name: identifier
        schema:
          type: string
      - in: query
        name: identifier_in
        schema:
          type: array
          items:
            type: string
        description: Multiple values may be separated by commas.
        explode: false
        style: form
      - in: query
        name: ip
        schema:
@ -36625,6 +36634,7 @@ components:
        href:
          type: string
          readOnly: true
          nullable: true
        name:
          type: string
          readOnly: true
@ -39488,6 +39498,9 @@ components:
          allOf:
          - $ref: '#/components/schemas/ServiceConnection'
          readOnly: true
        refresh_interval_s:
          type: integer
          readOnly: true
        token_identifier:
          type: string
          description: Get Token identifier
@ -39509,6 +39522,7 @@ components:
      - pk
      - providers
      - providers_obj
      - refresh_interval_s
      - service_connection_obj
      - token_identifier
      - type
--- a/tests/e2e/test-saml-idp/saml20-sp-remote.php
+++ b/tests/e2e/test-saml-idp/saml20-sp-remote.php
@ -0,0 +1,23 @@
 <?php
 /**
 * SAML 2.0 remote SP metadata for SimpleSAMLphp.
 *
 * See: https://simplesamlphp.org/docs/stable/simplesamlphp-reference-sp-remote
 */
 $metadata[getenv('SIMPLESAMLPHP_SP_ENTITY_ID')] = array(
    'AssertionConsumerService' => getenv('SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE'),
    'SingleLogoutService' => getenv('SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE'),
 );
 if (null != getenv('SIMPLESAMLPHP_SP_NAME_ID_FORMAT')) {
    $metadata[getenv('SIMPLESAMLPHP_SP_ENTITY_ID')] = array_merge($metadata[getenv('SIMPLESAMLPHP_SP_ENTITY_ID')], array('NameIDFormat' => getenv('SIMPLESAMLPHP_SP_NAME_ID_FORMAT')));
 }
 if (null != getenv('SIMPLESAMLPHP_SP_NAME_ID_ATTRIBUTE')) {
    $metadata[getenv('SIMPLESAMLPHP_SP_ENTITY_ID')] = array_merge($metadata[getenv('SIMPLESAMLPHP_SP_ENTITY_ID')], array('simplesaml.nameidattribute' => getenv('SIMPLESAMLPHP_SP_NAME_ID_ATTRIBUTE')));
 }
 if (null != getenv('SIMPLESAMLPHP_SP_SIGN_ASSERTION')) {
    $metadata[getenv('SIMPLESAMLPHP_SP_ENTITY_ID')] = array_merge($metadata[getenv('SIMPLESAMLPHP_SP_ENTITY_ID')], array('saml20.sign.assertion' => ('true' == getenv('SIMPLESAMLPHP_SP_SIGN_ASSERTION'))));
 }
--- a/tests/e2e/test_provider_ldap.py
+++ b/tests/e2e/test_provider_ldap.py
@ -5,7 +5,6 @@ from time import sleep
 from docker.client import DockerClient, from_env
 from docker.models.containers import Container
 from guardian.shortcuts import get_anonymous_user
 from ldap3 import ALL, ALL_ATTRIBUTES, ALL_OPERATIONAL_ATTRIBUTES, SUBTREE, Connection, Server
 from ldap3.core.exceptions import LDAPInvalidCredentialsResult
@ -180,15 +179,13 @@ class TestProviderLDAP(SeleniumTestCase):
        )
        with self.assertRaises(LDAPInvalidCredentialsResult):
            _connection.bind()
        anon = get_anonymous_user()
        self.assertTrue(
            Event.objects.filter(
                action=EventAction.LOGIN_FAILED,
                user={
-                    "pk": anon.pk,
+                    "pk": self.user.pk,
-                    "email": anon.email,
+                    "email": self.user.email,
-                    "username": anon.username,
+                    "username": self.user.username,
                    "is_anonymous": True,
                },
            ).exists(),
        )
--- a/tests/e2e/test_source_oauth_oauth2.py
+++ b/tests/e2e/test_source_oauth_oauth2.py
@ -1,5 +1,6 @@
 """test OAuth Source"""
 from json import loads
 from pathlib import Path
 from time import sleep
 from typing import Any
@ -194,3 +195,41 @@ class TestSourceOAuth2(SeleniumTestCase):
        self.driver.get(self.if_user_url("/settings"))
        self.assert_user(User(username="foo", name="admin", email="admin@example.com"))
    @retry()
    @apply_blueprint(
        "default/flow-default-authentication-flow.yaml",
        "default/flow-default-invalidation-flow.yaml",
    )
    @apply_blueprint(
        "default/flow-default-source-authentication.yaml",
        "default/flow-default-source-enrollment.yaml",
        "default/flow-default-source-pre-authentication.yaml",
    )
    def test_oauth_link(self):
        """test OAuth Source link OIDC"""
        self.create_objects()
        self.driver.get(self.live_server_url)
        self.login()
        self.driver.get(
            self.url("authentik_sources_oauth:oauth-client-login", source_slug=self.slug)
        )
        # Now we should be at the IDP, wait for the login field
        self.wait.until(ec.presence_of_element_located((By.ID, "login")))
        self.driver.find_element(By.ID, "login").send_keys("admin@example.com")
        self.driver.find_element(By.ID, "password").send_keys("password")
        self.driver.find_element(By.ID, "password").send_keys(Keys.ENTER)
        # Wait until we're logged in
        self.wait.until(ec.presence_of_element_located((By.CSS_SELECTOR, "button[type=submit]")))
        self.driver.find_element(By.CSS_SELECTOR, "button[type=submit]").click()
        self.driver.get(self.url("authentik_api:usersourceconnection-list") + "?format=json")
        body_json = loads(self.driver.find_element(By.CSS_SELECTOR, "pre").text)
        results = body_json["results"]
        self.assertEqual(len(results), 1)
        connection = results[0]
        self.assertEqual(connection["source"]["slug"], self.slug)
        self.assertEqual(connection["user"], self.user.pk)
--- a/tests/e2e/test_source_saml.py
+++ b/tests/e2e/test_source_saml.py
@ -1,5 +1,6 @@
 """test SAML Source"""
 from pathlib import Path
 from time import sleep
 from typing import Any
@ -88,8 +89,20 @@ class TestSourceSAML(SeleniumTestCase):
                interval=5 * 1_000 * 1_000_000,
                start_period=1 * 1_000 * 1_000_000,
            ),
            "volumes": {
                str(
                    (Path(__file__).parent / Path("test-saml-idp/saml20-sp-remote.php")).absolute()
                ): {
                    "bind": "/var/www/simplesamlphp/metadata/saml20-sp-remote.php",
                    "mode": "ro",
                }
            },
            "environment": {
                "SIMPLESAMLPHP_SP_ENTITY_ID": "entity-id",
                "SIMPLESAMLPHP_SP_NAME_ID_FORMAT": (
                    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
                ),
                "SIMPLESAMLPHP_SP_NAME_ID_ATTRIBUTE": "email",
                "SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE": (
                    self.url("authentik_sources_saml:acs", source_slug=self.slug)
                ),
@ -318,3 +331,109 @@ class TestSourceSAML(SeleniumTestCase):
            .exclude(pk=self.user.pk)
            .first()
        )
    @retry()
    @apply_blueprint(
        "default/flow-default-authentication-flow.yaml",
        "default/flow-default-invalidation-flow.yaml",
    )
    @apply_blueprint(
        "default/flow-default-source-authentication.yaml",
        "default/flow-default-source-enrollment.yaml",
        "default/flow-default-source-pre-authentication.yaml",
    )
    def test_idp_post_auto_enroll_auth(self):
        """test SAML Source With post binding (auto redirect)"""
        # Bootstrap all needed objects
        authentication_flow = Flow.objects.get(slug="default-source-authentication")
        enrollment_flow = Flow.objects.get(slug="default-source-enrollment")
        pre_authentication_flow = Flow.objects.get(slug="default-source-pre-authentication")
        keypair = CertificateKeyPair.objects.create(
            name=generate_id(),
            certificate_data=IDP_CERT,
            key_data=IDP_KEY,
        )
        source = SAMLSource.objects.create(
            name=generate_id(),
            slug=self.slug,
            authentication_flow=authentication_flow,
            enrollment_flow=enrollment_flow,
            pre_authentication_flow=pre_authentication_flow,
            issuer="entity-id",
            sso_url=f"http://{self.host}:8080/simplesaml/saml2/idp/SSOService.php",
            binding_type=SAMLBindingTypes.POST_AUTO,
            signing_kp=keypair,
        )
        ident_stage = IdentificationStage.objects.first()
        ident_stage.sources.set([source])
        ident_stage.save()
        self.driver.get(self.live_server_url)
        flow_executor = self.get_shadow_root("ak-flow-executor")
        identification_stage = self.get_shadow_root("ak-stage-identification", flow_executor)
        wait = WebDriverWait(identification_stage, self.wait_timeout)
        wait.until(
            ec.presence_of_element_located(
                (By.CSS_SELECTOR, ".pf-c-login__main-footer-links-item > button")
            )
        )
        identification_stage.find_element(
            By.CSS_SELECTOR, ".pf-c-login__main-footer-links-item > button"
        ).click()
        # Now we should be at the IDP, wait for the username field
        self.wait.until(ec.presence_of_element_located((By.ID, "username")))
        self.driver.find_element(By.ID, "username").send_keys("user1")
        self.driver.find_element(By.ID, "password").send_keys("user1pass")
        self.driver.find_element(By.ID, "password").send_keys(Keys.ENTER)
        # Wait until we're logged in
        self.wait_for_url(self.if_user_url("/library"))
        self.driver.get(self.if_user_url("/settings"))
        self.assert_user(
            User.objects.exclude(username="akadmin")
            .exclude(username__startswith="ak-outpost")
            .exclude_anonymous()
            .exclude(pk=self.user.pk)
            .first()
        )
        # Clear all cookies and log in again
        self.driver.delete_all_cookies()
        self.driver.get(self.live_server_url)
        flow_executor = self.get_shadow_root("ak-flow-executor")
        identification_stage = self.get_shadow_root("ak-stage-identification", flow_executor)
        wait = WebDriverWait(identification_stage, self.wait_timeout)
        wait.until(
            ec.presence_of_element_located(
                (By.CSS_SELECTOR, ".pf-c-login__main-footer-links-item > button")
            )
        )
        identification_stage.find_element(
            By.CSS_SELECTOR, ".pf-c-login__main-footer-links-item > button"
        ).click()
        # Now we should be at the IDP, wait for the username field
        self.wait.until(ec.presence_of_element_located((By.ID, "username")))
        self.driver.find_element(By.ID, "username").send_keys("user1")
        self.driver.find_element(By.ID, "password").send_keys("user1pass")
        self.driver.find_element(By.ID, "password").send_keys(Keys.ENTER)
        # Wait until we're logged in
        self.wait_for_url(self.if_user_url("/library"))
        self.driver.get(self.if_user_url("/settings"))
        # sleep(999999)
        self.assert_user(
            User.objects.exclude(username="akadmin")
            .exclude(username__startswith="ak-outpost")
            .exclude_anonymous()
            .exclude(pk=self.user.pk)
            .first()
        )
--- a/web/package-lock.json
+++ b/web/package-lock.json
--- a/web/package.json
+++ b/web/package.json
@ -38,7 +38,7 @@
        "@codemirror/theme-one-dark": "^6.1.2",
        "@formatjs/intl-listformat": "^7.5.7",
        "@fortawesome/fontawesome-free": "^6.5.2",
-        "@goauthentik/api": "^2024.4.2-1718378698",
+        "@goauthentik/api": "^2024.6.0-1719577139",
        "@lit/context": "^1.1.2",
        "@lit/localize": "^0.12.1",
        "@lit/reactive-element": "^2.0.4",
--- a/web/sfe/index.ts
+++ b/web/sfe/index.ts
@ -0,0 +1,529 @@
 import { fromByteArray } from "base64-js";
 import "formdata-polyfill";
 import $ from "jquery";
 import "weakmap-polyfill";
 import {
    type AuthenticatorValidationChallenge,
    type AutosubmitChallenge,
    type ChallengeTypes,
    ChallengeTypesFromJSON,
    type ContextualFlowInfo,
    type DeviceChallenge,
    type ErrorDetail,
    type IdentificationChallenge,
    type PasswordChallenge,
    type RedirectChallenge,
 } from "@goauthentik/api";
 interface GlobalAuthentik {
    brand: {
        branding_logo: string;
    };
 }
 function ak(): GlobalAuthentik {
    return (
        window as unknown as {
            authentik: GlobalAuthentik;
        }
    ).authentik;
 }
 class SimpleFlowExecutor {
    challenge?: ChallengeTypes;
    flowSlug: string;
    container: HTMLDivElement;
    constructor(container: HTMLDivElement) {
        this.flowSlug = window.location.pathname.split("/")[3];
        this.container = container;
    }
    get apiURL() {
        return `/api/v3/flows/executor/${this.flowSlug}/?query=${encodeURIComponent(window.location.search.substring(1))}`;
    }
    start() {
        $.ajax({
            type: "GET",
            url: this.apiURL,
            success: (data) => {
                this.challenge = ChallengeTypesFromJSON(data);
                this.renderChallenge();
            },
        });
    }
    submit(data: { [key: string]: unknown } | FormData) {
        $("button[type=submit]").addClass("disabled")
            .html(`<span class="spinner-border spinner-border-sm" aria-hidden="true"></span>
                <span role="status">Loading...</span>`);
        let finalData: { [key: string]: unknown } = {};
        if (data instanceof FormData) {
            finalData = {};
            data.forEach((value, key) => {
                finalData[key] = value;
            });
        } else {
            finalData = data;
        }
        $.ajax({
            type: "POST",
            url: this.apiURL,
            data: JSON.stringify(finalData),
            success: (data) => {
                this.challenge = ChallengeTypesFromJSON(data);
                this.renderChallenge();
            },
            contentType: "application/json",
            dataType: "json",
        });
    }
    renderChallenge() {
        switch (this.challenge?.component) {
            case "ak-stage-identification":
                new IdentificationStage(this, this.challenge).render();
                return;
            case "ak-stage-password":
                new PasswordStage(this, this.challenge).render();
                return;
            case "xak-flow-redirect":
                new RedirectStage(this, this.challenge).render();
                return;
            case "ak-stage-autosubmit":
                new AutosubmitStage(this, this.challenge).render();
                return;
            case "ak-stage-authenticator-validate":
                new AuthenticatorValidateStage(this, this.challenge).render();
                return;
            default:
                this.container.innerText = "Unsupported stage: " + this.challenge?.component;
                return;
        }
    }
 }
 export interface FlowInfoChallenge {
    flowInfo?: ContextualFlowInfo;
    responseErrors?: {
        [key: string]: Array<ErrorDetail>;
    };
 }
 class Stage<T extends FlowInfoChallenge> {
    constructor(
        public executor: SimpleFlowExecutor,
        public challenge: T,
    ) {}
    error(fieldName: string) {
        if (!this.challenge.responseErrors) {
            return [];
        }
        return this.challenge.responseErrors[fieldName] || [];
    }
    renderInputError(fieldName: string) {
        return `${this.error(fieldName)
            .map((error) => {
                return `<div class="invalid-feedback">
                    ${error.string}
                </div>`;
            })
            .join("")}`;
    }
    renderNonFieldErrors() {
        return `${this.error("non_field_errors")
            .map((error) => {
                return `<div class="alert alert-danger" role="alert">
                    ${error.string}
                </div>`;
            })
            .join("")}`;
    }
    html(html: string) {
        this.executor.container.innerHTML = html;
    }
    render() {
        throw new Error("Abstract method");
    }
 }
 class IdentificationStage extends Stage<IdentificationChallenge> {
    render() {
        this.html(`
            <form id="ident-form">
                <img class="mb-4 brand-icon" src="${ak().brand.branding_logo}" alt="">
                <h1 class="h3 mb-3 fw-normal text-center">${this.challenge?.flowInfo?.title}</h1>
                ${
                    this.challenge.applicationPre
                        ? `<p>
                              Login to continue to ${this.challenge.applicationPre}.
                          </p>`
                        : ""
                }
                <div class="form-label-group my-3 has-validation">
                    <input type="text" autofocus class="form-control" name="uid_field" placeholder="Email / Username">
                </div>
                ${
                    this.challenge.passwordFields
                        ? `<div class="form-label-group my-3 has-validation">
                                <input type="password" class="form-control ${this.error("password").length > 0 ? "is-invalid" : ""}" name="password" placeholder="Password">
                                ${this.renderInputError("password")}
                        </div>`
                        : ""
                }
                ${this.renderNonFieldErrors()}
                <button class="btn btn-primary w-100 py-2" type="submit">${this.challenge.primaryAction}</button>
            </form>`);
        $("#ident-form input[name=uid_field]").trigger("focus");
        $("#ident-form").on("submit", (ev) => {
            ev.preventDefault();
            const data = new FormData(ev.target as HTMLFormElement);
            this.executor.submit(data);
        });
    }
 }
 class PasswordStage extends Stage<PasswordChallenge> {
    render() {
        this.html(`
            <form id="password-form">
                <img class="mb-4 brand-icon" src="${ak().brand.branding_logo}" alt="">
                <h1 class="h3 mb-3 fw-normal text-center">${this.challenge?.flowInfo?.title}</h1>
                <div class="form-label-group my-3 has-validation">
                    <input type="password" autofocus class="form-control ${this.error("password").length > 0 ? "is-invalid" : ""}" name="password" placeholder="Password">
                    ${this.renderInputError("password")}
                </div>
                <button class="btn btn-primary w-100 py-2" type="submit">Continue</button>
            </form>`);
        $("#password-form input").trigger("focus");
        $("#password-form").on("submit", (ev) => {
            ev.preventDefault();
            const data = new FormData(ev.target as HTMLFormElement);
            this.executor.submit(data);
        });
    }
 }
 class RedirectStage extends Stage<RedirectChallenge> {
    render() {
        window.location.assign(this.challenge.to);
    }
 }
 class AutosubmitStage extends Stage<AutosubmitChallenge> {
    render() {
        this.html(`
            <form id="autosubmit-form" action="${this.challenge.url}" method="POST">
                <img class="mb-4 brand-icon" src="${ak().brand.branding_logo}" alt="">
                <h1 class="h3 mb-3 fw-normal text-center">${this.challenge?.flowInfo?.title}</h1>
                ${Object.entries(this.challenge.attrs).map(([key, value]) => {
                    return `<input
                            type="hidden"
                            name="${key}"
                            value="${value}"
                        />`;
                })}
                <div class="d-flex justify-content-center">
                    <div class="spinner-border" role="status">
                        <span class="sr-only">Loading...</span>
                    </div>
                </div>
            </form>`);
        $("#autosubmit-form").submit();
    }
 }
 export interface Assertion {
    id: string;
    rawId: string;
    type: string;
    registrationClientExtensions: string;
    response: {
        clientDataJSON: string;
        attestationObject: string;
    };
 }
 export interface AuthAssertion {
    id: string;
    rawId: string;
    type: string;
    assertionClientExtensions: string;
    response: {
        clientDataJSON: string;
        authenticatorData: string;
        signature: string;
        userHandle: string | null;
    };
 }
 class AuthenticatorValidateStage extends Stage<AuthenticatorValidationChallenge> {
    deviceChallenge?: DeviceChallenge;
    b64enc(buf: Uint8Array): string {
        return fromByteArray(buf).replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
    }
    b64RawEnc(buf: Uint8Array): string {
        return fromByteArray(buf).replace(/\+/g, "-").replace(/\//g, "_");
    }
    u8arr(input: string): Uint8Array {
        return Uint8Array.from(atob(input.replace(/_/g, "/").replace(/-/g, "+")), (c) =>
            c.charCodeAt(0),
        );
    }
    checkWebAuthnSupport(): boolean {
        if ("credentials" in navigator) {
            return true;
        }
        if (window.location.protocol === "http:" && window.location.hostname !== "localhost") {
            console.warn("WebAuthn requires this page to be accessed via HTTPS.");
            return false;
        }
        console.warn("WebAuthn not supported by browser.");
        return false;
    }
    /**
     * Transforms items in the credentialCreateOptions generated on the server
     * into byte arrays expected by the navigator.credentials.create() call
     */
    transformCredentialCreateOptions(
        credentialCreateOptions: PublicKeyCredentialCreationOptions,
        userId: string,
    ): PublicKeyCredentialCreationOptions {
        const user = credentialCreateOptions.user;
        // Because json can't contain raw bytes, the server base64-encodes the User ID
        // So to get the base64 encoded byte array, we first need to convert it to a regular
        // string, then a byte array, re-encode it and wrap that in an array.
        const stringId = decodeURIComponent(window.atob(userId));
        user.id = this.u8arr(this.b64enc(this.u8arr(stringId)));
        const challenge = this.u8arr(credentialCreateOptions.challenge.toString());
        const transformedCredentialCreateOptions = Object.assign({}, credentialCreateOptions, {
            challenge,
            user,
        });
        return transformedCredentialCreateOptions;
    }
    /**
     * Transforms the binary data in the credential into base64 strings
     * for posting to the server.
     * @param {PublicKeyCredential} newAssertion
     */
    transformNewAssertionForServer(newAssertion: PublicKeyCredential): Assertion {
        const attObj = new Uint8Array(
            (newAssertion.response as AuthenticatorAttestationResponse).attestationObject,
        );
        const clientDataJSON = new Uint8Array(newAssertion.response.clientDataJSON);
        const rawId = new Uint8Array(newAssertion.rawId);
        const registrationClientExtensions = newAssertion.getClientExtensionResults();
        return {
            id: newAssertion.id,
            rawId: this.b64enc(rawId),
            type: newAssertion.type,
            registrationClientExtensions: JSON.stringify(registrationClientExtensions),
            response: {
                clientDataJSON: this.b64enc(clientDataJSON),
                attestationObject: this.b64enc(attObj),
            },
        };
    }
    transformCredentialRequestOptions(
        credentialRequestOptions: PublicKeyCredentialRequestOptions,
    ): PublicKeyCredentialRequestOptions {
        const challenge = this.u8arr(credentialRequestOptions.challenge.toString());
        const allowCredentials = (credentialRequestOptions.allowCredentials || []).map(
            (credentialDescriptor) => {
                const id = this.u8arr(credentialDescriptor.id.toString());
                return Object.assign({}, credentialDescriptor, { id });
            },
        );
        const transformedCredentialRequestOptions = Object.assign({}, credentialRequestOptions, {
            challenge,
            allowCredentials,
        });
        return transformedCredentialRequestOptions;
    }
    /**
     * Encodes the binary data in the assertion into strings for posting to the server.
     * @param {PublicKeyCredential} newAssertion
     */
    transformAssertionForServer(newAssertion: PublicKeyCredential): AuthAssertion {
        const response = newAssertion.response as AuthenticatorAssertionResponse;
        const authData = new Uint8Array(response.authenticatorData);
        const clientDataJSON = new Uint8Array(response.clientDataJSON);
        const rawId = new Uint8Array(newAssertion.rawId);
        const sig = new Uint8Array(response.signature);
        const assertionClientExtensions = newAssertion.getClientExtensionResults();
        return {
            id: newAssertion.id,
            rawId: this.b64enc(rawId),
            type: newAssertion.type,
            assertionClientExtensions: JSON.stringify(assertionClientExtensions),
            response: {
                clientDataJSON: this.b64RawEnc(clientDataJSON),
                signature: this.b64RawEnc(sig),
                authenticatorData: this.b64RawEnc(authData),
                userHandle: null,
            },
        };
    }
    render() {
        if (!this.deviceChallenge) {
            return this.renderChallengePicker();
        }
        switch (this.deviceChallenge.deviceClass) {
            case "static":
            case "totp":
                this.renderCodeInput();
                break;
            case "webauthn":
                this.renderWebauthn();
                break;
            default:
                break;
        }
    }
    renderChallengePicker() {
        const challenges = this.challenge.deviceChallenges.filter((challenge) => {
            if (challenge.deviceClass === "webauthn") {
                if (!this.checkWebAuthnSupport()) {
                    return undefined;
                }
            }
            return challenge;
        });
        this.html(`<form id="picker-form">
                <img class="mb-4 brand-icon" src="${ak().brand.branding_logo}" alt="">
                <h1 class="h3 mb-3 fw-normal text-center">${this.challenge?.flowInfo?.title}</h1>
                ${
                    challenges.length > 0
                        ? "<p>Select an authentication method.</p>"
                        : `
                    <p>No compatible authentication method available</p>
                    `
                }
                ${challenges
                    .map((challenge) => {
                        let label = undefined;
                        switch (challenge.deviceClass) {
                            case "static":
                                label = "Recovery keys";
                                break;
                            case "totp":
                                label = "Traditional authenticator";
                                break;
                            case "webauthn":
                                label = "Security key";
                                break;
                        }
                        if (!label) {
                            return "";
                        }
                        return `<div class="form-label-group my-3 has-validation">
                            <button id="${challenge.deviceClass}-${challenge.deviceUid}" class="btn btn-secondary w-100 py-2" type="button">
                                ${label}
                            </button>
                        </div>`;
                    })
                    .join("")}
            </form>`);
        this.challenge.deviceChallenges.forEach((challenge) => {
            $(`#picker-form button#${challenge.deviceClass}-${challenge.deviceUid}`).on(
                "click",
                () => {
                    this.deviceChallenge = challenge;
                    this.render();
                },
            );
        });
    }
    renderCodeInput() {
        this.html(`
            <form id="totp-form">
                <img class="mb-4 brand-icon" src="${ak().brand.branding_logo}" alt="">
                <h1 class="h3 mb-3 fw-normal text-center">${this.challenge?.flowInfo?.title}</h1>
                <div class="form-label-group my-3 has-validation">
                    <input type="text" autofocus class="form-control ${this.error("code").length > 0 ? "is-invalid" : ""}" name="code" placeholder="Please enter your code" autocomplete="one-time-code">
                    ${this.renderInputError("code")}
                </div>
                <button class="btn btn-primary w-100 py-2" type="submit">Continue</button>
            </form>`);
        $("#totp-form input").trigger("focus");
        $("#totp-form").on("submit", (ev) => {
            ev.preventDefault();
            const data = new FormData(ev.target as HTMLFormElement);
            this.executor.submit(data);
        });
    }
    renderWebauthn() {
        this.html(`
            <form id="totp-form">
                <img class="mb-4 brand-icon" src="${ak().brand.branding_logo}" alt="">
                <h1 class="h3 mb-3 fw-normal text-center">${this.challenge?.flowInfo?.title}</h1>
                <div class="d-flex justify-content-center">
                    <div class="spinner-border" role="status">
                        <span class="sr-only">Loading...</span>
                    </div>
                </div>
            </form>
            `);
        navigator.credentials
            .get({
                publicKey: this.transformCredentialRequestOptions(
                    this.deviceChallenge?.challenge as PublicKeyCredentialRequestOptions,
                ),
            })
            .then((assertion) => {
                if (!assertion) {
                    throw new Error("No assertion");
                }
                try {
                    // we now have an authentication assertion! encode the byte arrays contained
                    // in the assertion data as strings for posting to the server
                    const transformedAssertionForServer = this.transformAssertionForServer(
                        assertion as PublicKeyCredential,
                    );
                    // post the assertion to the server for verification.
                    this.executor.submit({
                        webauthn: transformedAssertionForServer,
                    });
                } catch (err) {
                    throw new Error(`Error when validating assertion on server: ${err}`);
                }
            })
            .catch((error) => {
                console.warn(error);
                this.deviceChallenge = undefined;
                this.render();
            });
    }
 }
 const sfe = new SimpleFlowExecutor($("#flow-sfe-container")[0] as HTMLDivElement);
 sfe.start();
--- a/web/sfe/package-lock.json
+++ b/web/sfe/package-lock.json
--- a/web/sfe/package.json
+++ b/web/sfe/package.json
@ -0,0 +1,28 @@
 {
    "name": "@goauthentik/web-sfe",
    "version": "0.0.0",
    "private": true,
    "license": "MIT",
    "dependencies": {
        "@goauthentik/api": "^2024.6.0-1719577139",
        "base64-js": "^1.5.1",
        "bootstrap": "^4.6.1",
        "formdata-polyfill": "^4.0.10",
        "jquery": "^3.7.1",
        "weakmap-polyfill": "^2.0.4"
    },
    "scripts": {
        "build": "rollup -c rollup.config.js --bundleConfigAsCjs",
        "watch": "rollup -w -c rollup.config.js --bundleConfigAsCjs"
    },
    "devDependencies": {
        "@rollup/plugin-commonjs": "^26.0.1",
        "@rollup/plugin-node-resolve": "^15.2.3",
        "@rollup/plugin-swc": "^0.3.1",
        "@swc/cli": "^0.3.14",
        "@swc/core": "^1.6.6",
        "@types/jquery": "^3.5.30",
        "rollup": "^4.18.0",
        "rollup-plugin-copy": "^3.5.0"
    }
 }
--- a/web/sfe/rollup.config.js
+++ b/web/sfe/rollup.config.js
@ -0,0 +1,40 @@
 import commonjs from "@rollup/plugin-commonjs";
 import resolve from "@rollup/plugin-node-resolve";
 import swc from "@rollup/plugin-swc";
 import copy from "rollup-plugin-copy";
 export default {
    input: "index.ts",
    output: {
        dir: "../dist/sfe",
        format: "cjs",
    },
    context: "window",
    plugins: [
        copy({
            targets: [
                { src: "node_modules/bootstrap/dist/css/bootstrap.min.css", dest: "../dist/sfe" },
            ],
        }),
        resolve({ browser: true }),
        commonjs(),
        swc({
            swc: {
                jsc: {
                    loose: false,
                    externalHelpers: false,
                    // Requires v1.2.50 or upper and requires target to be es2016 or upper.
                    keepClassNames: false,
                },
                minify: false,
                env: {
                    targets: {
                        edge: "17",
                        ie: "11",
                    },
                    mode: "entry",
                },
            },
        }),
    ],
 };
--- a/web/sfe/tsconfig.json
+++ b/web/sfe/tsconfig.json
@ -0,0 +1,7 @@
 {
    "compilerOptions": {
        "types": ["jquery"],
        "esModuleInterop": true,
        "lib": ["DOM", "ES2015", "ES2017"]
    },
 }
--- a/web/src/admin/admin-overview/AdminOverviewPage.ts
+++ b/web/src/admin/admin-overview/AdminOverviewPage.ts
@ -208,7 +208,14 @@ export class AdminOverviewPage extends AdminOverviewBase {
            return html`<li>
                ${ex(
-                    () => html`<a href="${url}" class="pf-u-mb-xl" target="_blank">${content}</a>`,
+                    () =>
                        html`<a
                            href="${url}"
                            class="pf-u-mb-xl"
                            rel="noopener noreferrer"
                            target="_blank"
                            >${content}</a
                        >`,
                    () => html`<a href="${url}" class="pf-u-mb-xl" )>${content}</a>`,
                )}
            </li>`;
--- a/web/src/admin/admin-overview/cards/VersionStatusCard.ts
+++ b/web/src/admin/admin-overview/cards/VersionStatusCard.ts
@ -56,6 +56,6 @@ export class VersionStatusCard extends AdminStatusCard<Version> {
            text = this.value.buildHash?.substring(0, 7);
            link = `https://github.com/goauthentik/authentik/commit/${this.value.buildHash}`;
        }
-        return html`<a href=${link} target="_blank">${text}</a>`;
+        return html`<a rel="noopener noreferrer" href=${link} target="_blank">${text}</a>`;
    }
 }
--- a/web/src/admin/admin-overview/charts/OutpostStatusChart.ts
+++ b/web/src/admin/admin-overview/charts/OutpostStatusChart.ts
@ -56,6 +56,7 @@ export class OutpostStatusChart extends AKChart<SummarizedSyncStatus[]> {
            }),
        );
        this.centerText = outposts.pagination.count.toString();
        outpostStats.sort((a, b) => a.label.localeCompare(b.label));
        return outpostStats;
    }
--- a/web/src/admin/applications/components/ak-provider-search-input.ts
+++ b/web/src/admin/applications/components/ak-provider-search-input.ts
@ -15,7 +15,6 @@ const doGroupBy = (items: Provider[]) => groupBy(items, (item) => item.verboseNa
 async function fetch(query?: string) {
    const args: ProvidersAllListRequest = {
        ordering: "name",
        backchannel: false,
    };
    if (query !== undefined) {
        args.search = query;
--- a/web/src/admin/blueprints/BlueprintForm.ts
+++ b/web/src/admin/blueprints/BlueprintForm.ts
@ -157,6 +157,7 @@ export class BlueprintForm extends ModelForm<BlueprintInstance, string> {
                                  ${msg("See more about OCI support here:")}&nbsp;
                                  <a
                                      target="_blank"
                                      rel="noopener noreferrer"
                                      href="${docLink(
                                          "/developer-docs/blueprints/?utm_source=authentik#storage---oci",
                                      )}"
--- a/web/src/admin/outposts/OutpostDeploymentModal.ts
+++ b/web/src/admin/outposts/OutpostDeploymentModal.ts
@ -23,6 +23,7 @@ export class OutpostDeploymentModal extends ModalButton {
                    <a
                        target="_blank"
                        href="${docLink("/docs/outposts?utm_source=authentik#deploy")}"
                        rel="noopener noreferrer"
                        >${msg("View deployment documentation")}</a
                    >
                </p>
--- a/web/src/admin/outposts/OutpostForm.ts
+++ b/web/src/admin/outposts/OutpostForm.ts
@ -210,9 +210,11 @@ export class OutpostForm extends ModelForm<Outpost, string> {
                    )}
                </p>
                <p class="pf-c-form__helper-text">
-                    See
+                    <a
-                    <a target="_blank" href="${docLink("/docs/outposts?utm_source=authentik")}"
+                        target="_blank"
-                        >documentation</a
+                        rel="noopener noreferrer"
                        href="${docLink("/docs/outposts?utm_source=authentik")}"
                        >${msg("See documentation")}</a
                    >.
                </p>
            </ak-form-element-horizontal>
@ -245,6 +247,7 @@ export class OutpostForm extends ModelForm<Outpost, string> {
                            ${msg("See more here:")}&nbsp;
                            <a
                                target="_blank"
                                rel="noopener noreferrer"
                                href="${docLink(
                                    "/docs/outposts?utm_source=authentik#configuration",
                                )}"
--- a/web/src/admin/policies/expression/ExpressionPolicyForm.ts
+++ b/web/src/admin/policies/expression/ExpressionPolicyForm.ts
@ -85,6 +85,7 @@ export class ExpressionPolicyForm extends BasePolicyForm<ExpressionPolicy> {
                        <p class="pf-c-form__helper-text">
                            ${msg("Expression using Python.")}
                            <a
                                rel="noopener noreferrer"
                                target="_blank"
                                href="${docLink("/docs/policies/expression?utm_source=authentik")}"
                            >
--- a/web/src/admin/property-mappings/PropertyMappingGoogleWorkspaceForm.ts
+++ b/web/src/admin/property-mappings/PropertyMappingGoogleWorkspaceForm.ts
@ -62,6 +62,7 @@ export class PropertyMappingGoogleWorkspaceForm extends BasePropertyMappingForm<
                    ${msg("Expression using Python.")}
                    <a
                        target="_blank"
                        rel="noopener noreferrer"
                        href="${docLink("/docs/property-mappings/expression?utm_source=authentik")}"
                    >
                        ${msg("See documentation for a list of all variables.")}
--- a/web/src/admin/property-mappings/PropertyMappingLDAPForm.ts
+++ b/web/src/admin/property-mappings/PropertyMappingLDAPForm.ts
@ -71,6 +71,7 @@ export class PropertyMappingLDAPForm extends BasePropertyMappingForm<LDAPPropert
                    ${msg("Expression using Python.")}
                    <a
                        target="_blank"
                        rel="noopener noreferrer"
                        href="${docLink("/docs/property-mappings/expression?utm_source=authentik")}"
                    >
                        ${msg("See documentation for a list of all variables.")}
--- a/web/src/admin/property-mappings/PropertyMappingMicrosoftEntraForm.ts
+++ b/web/src/admin/property-mappings/PropertyMappingMicrosoftEntraForm.ts
@ -62,6 +62,7 @@ export class PropertyMappingMicrosoftEntraForm extends BasePropertyMappingForm<M
                    ${msg("Expression using Python.")}
                    <a
                        target="_blank"
                        rel="noopener noreferrer"
                        href="${docLink("/docs/property-mappings/expression?utm_source=authentik")}"
                    >
                        ${msg("See documentation for a list of all variables.")}
--- a/web/src/admin/property-mappings/PropertyMappingNotification.ts
+++ b/web/src/admin/property-mappings/PropertyMappingNotification.ts
@ -62,6 +62,7 @@ export class PropertyMappingNotification extends ModelForm<NotificationWebhookMa
                    ${msg("Expression using Python.")}
                    <a
                        target="_blank"
                        rel="noopener noreferrer"
                        href="${docLink("/docs/property-mappings/expression?utm_source=authentik")}"
                    >
                        ${msg("See documentation for a list of all variables.")}
--- a/web/src/admin/property-mappings/PropertyMappingRACForm.ts
+++ b/web/src/admin/property-mappings/PropertyMappingRACForm.ts
@ -160,6 +160,7 @@ export class PropertyMappingLDAPForm extends ModelForm<RACPropertyMapping, strin
                            ${msg("Expression using Python.")}
                            <a
                                target="_blank"
                                rel="noopener noreferrer"
                                href="${docLink(
                                    "/docs/property-mappings/expression?utm_source=authentik",
                                )}"
--- a/web/src/admin/property-mappings/PropertyMappingSAMLForm.ts
+++ b/web/src/admin/property-mappings/PropertyMappingSAMLForm.ts
@ -83,6 +83,7 @@ export class PropertyMappingSAMLForm extends BasePropertyMappingForm<SAMLPropert
                    ${msg("Expression using Python.")}
                    <a
                        target="_blank"
                        rel="noopener noreferrer"
                        href="${docLink("/docs/property-mappings/expression?utm_source=authentik")}"
                    >
                        ${msg("See documentation for a list of all variables.")}
--- a/web/src/admin/property-mappings/PropertyMappingSCIMForm.ts
+++ b/web/src/admin/property-mappings/PropertyMappingSCIMForm.ts
@ -56,6 +56,7 @@ export class PropertyMappingSCIMForm extends BasePropertyMappingForm<SCIMMapping
                    ${msg("Expression using Python.")}
                    <a
                        target="_blank"
                        rel="noopener noreferrer"
                        href="${docLink("/docs/property-mappings/expression?utm_source=authentik")}"
                    >
                        ${msg("See documentation for a list of all variables.")}
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Jens Langhammer	8469213d82	release: 2024.6.5	2024-09-27 16:21:30 +02:00
gcp-cherry-pick-bot[bot]	78f7b04d5a	security: fix CVE-2024-47070 (cherry-pick #11536 ) (#11540 ) security: fix CVE-2024-47070 (#11536) * security: fix CVE-2024-47070 * Update website/docs/security/CVE-2024-47070.md --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io> Signed-off-by: Jens L. <jens@beryju.org> Co-authored-by: Jens L. <jens@goauthentik.io> Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>	2024-09-27 16:20:38 +02:00
gcp-cherry-pick-bot[bot]	22e586bd8c	security: fix CVE-2024-47077 (cherry-pick #11535 ) (#11538 ) security: fix CVE-2024-47077 (#11535) Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Jens L. <jens@goauthentik.io>	2024-09-27 16:19:15 +02:00
Jens Langhammer	8a0b31b922	release: 2024.6.4	2024-08-22 17:19:24 +02:00
gcp-cherry-pick-bot[bot]	359b343f51	security: fix CVE-2024-42490 (cherry-pick #11022 ) (#11025 ) security: fix CVE-2024-42490 (#11022) CVE-2024-42490 Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Jens L. <jens@goauthentik.io>	2024-08-22 17:18:58 +02:00
gcp-cherry-pick-bot[bot]	b727656b05	sources/ldap: Add enabled filter for ldap_password_validate signal (cherry-pick #10823 ) (#10825 ) sources/ldap: Add enabled filter for ldap_password_validate signal (#10823) Co-authored-by: Allen <63997543+aaw3@users.noreply.github.com>	2024-08-08 14:23:44 +02:00
gcp-cherry-pick-bot[bot]	8f09c2c21c	web/admin: fix selectable card colour in dark theme (cherry-pick #10794 ) (#10795 ) web/admin: fix selectable card colour in dark theme (#10794) Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Jens L. <jens@goauthentik.io>	2024-08-06 13:46:43 +02:00
Jens Langhammer	8f207c7504	release: 2024.6.3	2024-08-05 18:35:33 +02:00
Marc 'risson' Schmitt	34d30bb549	root: fix opencontainers ref (#10776 ) Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> Signed-off-by: Jens Langhammer <jens@goauthentik.io> # Conflicts: # poetry.lock	2024-08-05 16:30:54 +02:00
Jens L	b4f04881e0	root: remove warnings (#10774 ) * remove facebook sdk Signed-off-by: Jens Langhammer <jens@goauthentik.io> * switch to newer opencontainers fork Signed-off-by: Jens Langhammer <jens@goauthentik.io> --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io> # Conflicts: # poetry.lock	2024-08-05 14:52:20 +02:00
gcp-cherry-pick-bot[bot]	5314485426	enterprise/rac: fix error when listing connection tokens as non-superuser (cherry-pick #10771 ) (#10773 ) enterprise/rac: fix error when listing connection tokens as non-superuser (#10771) Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Jens L. <jens@goauthentik.io>	2024-08-05 14:09:24 +02:00
gcp-cherry-pick-bot[bot]	ad6b6e4576	web: replace all occurences of the theme placeholder (cherry-pick #10749 ) (#10750 ) web: replace all occurences of the theme placeholder (#10749) Replace all occurences of the theme placeholder This allows the placeholder to occur multiple times in the theme url. Signed-off-by: Chasethechicken <neuringe1234@gmail.com> Co-authored-by: Chasethechicken <neuringe1234@gmail.com>	2024-08-05 11:57:32 +02:00
Marc 'risson' Schmitt	fb9aa9d7f7	sources/scim: fix duplicate service account users and changing token (cherry-pick #10735 ) (#10737 ) sources/scim: fix duplicate service account users and changing token (#10735) Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Jens L. <jens@goauthentik.io>	2024-08-02 14:12:23 +02:00
gcp-cherry-pick-bot[bot]	fe7662f80d	web: fix theme not applying to document correctly (cherry-pick #10721 ) (#10722 ) web: fix theme not applying to document correctly (#10721) Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Jens L. <jens@goauthentik.io>	2024-08-01 15:09:38 +02:00
Jens Langhammer	d6904b6aa1	release: 2024.6.2	2024-07-31 16:54:24 +02:00
gcp-cherry-pick-bot[bot]	cd581efacd	tests/e2e: fix ldap tests following #10270 (cherry-pick #10288 ) (#10703 ) tests/e2e: fix ldap tests following #10270 (#10288) Co-authored-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>	2024-07-31 16:01:32 +02:00
gcp-cherry-pick-bot[bot]	6c159d120b	outposts: ensure minimum refresh interval (cherry-pick #10701 ) (#10702 ) outposts: ensure minimum refresh interval (#10701) Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Jens L. <jens@goauthentik.io>	2024-07-31 14:59:14 +02:00
gcp-cherry-pick-bot[bot]	4ddd4e7f88	outposts: make refresh interval configurable (cherry-pick #10138 ) (#10700 ) * outposts: make refresh interval configurable (#10138) * outposts: make refresh interval configurable Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * frontend Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * black again Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * switch to using config attribute Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * lint Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> --------- Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * bump api Signed-off-by: Jens Langhammer <jens@goauthentik.io> --------- Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> Co-authored-by: Jens Langhammer <jens@goauthentik.io>	2024-07-31 14:38:09 +02:00
gcp-cherry-pick-bot[bot]	441912414f	web/admin: show matching user reputation scores in user details (cherry-pick #10276 ) (#10699 ) * web/admin: show matching user reputation scores in user details (#10276) Co-authored-by: Jens Langhammer <jens@goauthentik.io> * bump api Signed-off-by: Jens Langhammer <jens@goauthentik.io> --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> Co-authored-by: Jens Langhammer <jens@goauthentik.io>	2024-07-31 14:37:58 +02:00
Jens L	9e177ed5c0	web: fix dark theme and theme switch (#10667 ) * base locale off of ak-element Signed-off-by: Jens Langhammer <jens@goauthentik.io> * revert temp theme fixes Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix theme switching Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add basic support for theme-different images Signed-off-by: Jens Langhammer <jens@goauthentik.io> * sort outposts in card Signed-off-by: Jens Langhammer <jens@goauthentik.io> * set default theme based on pre-hydrated brand settings Signed-off-by: Jens Langhammer <jens@goauthentik.io> * activate global theme before root in shadow dom Signed-off-by: Jens Langhammer <jens@goauthentik.io> * logging Signed-off-by: Jens Langhammer <jens@goauthentik.io> * when using _applyTheme, check media matcher Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add docs Signed-off-by: Jens Langhammer <jens@goauthentik.io> --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io> # Conflicts: # web/src/elements/Base.ts # website/docs/core/brands.md	2024-07-29 20:26:44 +02:00
gcp-cherry-pick-bot[bot]	881548176f	events: associate login_failed events to a user if possible (cherry-pick #10270 ) (#10676 ) * events: associate login_failed events to a user if possible (#10270) Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * format Signed-off-by: Jens Langhammer <jens@goauthentik.io> --------- Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> Co-authored-by: Jens Langhammer <jens@goauthentik.io>	2024-07-29 20:00:13 +02:00
gcp-cherry-pick-bot[bot]	56739d0dc4	web/flows: remove continue button from AutoSubmit stage (cherry-pick #10253 ) (#10677 ) web/flows: remove continue button from AutoSubmit stage (#10253) Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Jens L <jens@goauthentik.io>	2024-07-29 19:32:29 +02:00
gcp-cherry-pick-bot[bot]	b23972e9c9	lifecycle: only create tenant media root if needed (cherry-pick #10616 ) (#10617 ) lifecycle: only create tenant media root if needed (#10616) Co-authored-by: Jens L. <jens@goauthentik.io>	2024-07-24 21:12:48 +02:00
gcp-cherry-pick-bot[bot]	0a9595089e	web/admin: fix missing SAML Provider ECDSA options (cherry-pick #10612 ) (#10618 ) web/admin: fix missing SAML Provider ECDSA options (#10612) * web/admin: fix missing SAML Provider ECDSA options * deduplicate --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Jens L. <jens@goauthentik.io>	2024-07-24 21:12:23 +02:00
gcp-cherry-pick-bot[bot]	72c22b5fab	core: remove html language tag for pages that are translated (cherry-pick #10611 ) (#10613 ) core: remove html language tag for pages that are translated (#10611) Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Jens L. <jens@goauthentik.io>	2024-07-24 19:42:48 +02:00
gcp-cherry-pick-bot[bot]	84cdbb0a03	events: fix race condition (cherry-pick #10602 ) (#10609 ) events: fix race condition (#10602) Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Jens L. <jens@goauthentik.io>	2024-07-24 16:53:03 +02:00
gcp-cherry-pick-bot[bot]	9fc659f121	stages/prompt: fix prompt not editable with invalid expression (cherry-pick #10603 ) (#10604 ) stages/prompt: fix prompt not editable with invalid expression (#10603) Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Jens L. <jens@goauthentik.io>	2024-07-24 14:36:33 +02:00
gcp-cherry-pick-bot[bot]	db6abf61b8	lib/sync: handle SkipObject in direct triggered tasks (cherry-pick #10590 ) (#10591 ) lib/sync: handle SkipObject in direct triggered tasks (#10590) Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Jens L. <jens@goauthentik.io>	2024-07-23 15:38:37 +02:00
gcp-cherry-pick-bot[bot]	6426a1d177	core: improve error handling on ASGI level (cherry-pick #10547 ) (#10552 ) core: improve error handling on ASGI level (#10547) Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Jens L. <jens@goauthentik.io>	2024-07-19 17:19:29 +02:00
Jens Langhammer	9075270b01	release: 2024.6.1	2024-07-11 21:45:54 +02:00
gcp-cherry-pick-bot[bot]	d17a39a431	website/docs: add 2024.6.1 release notes (cherry-pick #10456 ) (#10458 ) website/docs: add 2024.6.1 release notes (#10456) * website/docs: add 2024.6.1 release notes * update * fix version requirement for sfe --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Jens L <jens@goauthentik.io>	2024-07-11 19:11:28 +02:00
gcp-cherry-pick-bot[bot]	db1d091d2e	core: revert backchannel only filtering (cherry-pick #10455 ) (#10457 ) core: revert backchannel only filtering (#10455) Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Jens L <jens@goauthentik.io>	2024-07-11 16:58:29 +02:00
gcp-cherry-pick-bot[bot]	f98204e78e	core: fix source flow_manager not resuming flow when linking (cherry-pick #10436 ) (#10438 ) core: fix source flow_manager not resuming flow when linking (#10436) Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Jens L <jens@goauthentik.io>	2024-07-10 15:20:15 +02:00
gcp-cherry-pick-bot[bot]	3f663cab0f	web/admin: fix access token list calling wrong API (cherry-pick #10434 ) (#10435 ) web/admin: fix access token list calling wrong API (#10434) Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Jens L <jens@goauthentik.io>	2024-07-10 14:17:47 +02:00
gcp-cherry-pick-bot[bot]	3fe129e107	core: fix migrations missing using db_alias (cherry-pick #10409 ) (#10410 ) core: fix migrations missing using db_alias (#10409) Co-authored-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>	2024-07-09 10:48:29 +02:00
authentik-automation[bot]	f26d41aef9	web: bump API Client version (#10389 ) Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com> Signed-off-by: Jens Langhammer <jens@goauthentik.io> # Conflicts: # web/package-lock.json # web/package.json	2024-07-05 20:49:31 +02:00
Jens L	5d8b5998ae	web/flows: Simplified flow executor (#10296 ) * initial sfe Signed-off-by: Jens Langhammer <jens@goauthentik.io> * build sfe Signed-off-by: Jens Langhammer <jens@goauthentik.io> * downgrade bootstrap Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix path Signed-off-by: Jens Langhammer <jens@goauthentik.io> * make IE compatible Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix query string missing Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add autosubmit stage Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add background image Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add code support Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add support for combo ident/password Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix logo rendering Signed-off-by: Jens Langhammer <jens@goauthentik.io> * only use for edge 18 and before Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix lint Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add docs Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add webauthn support Signed-off-by: Jens Langhammer <jens@goauthentik.io> * migrate to TS for some creature comforts Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix ci Signed-off-by: Jens Langhammer <jens@goauthentik.io> * dedupe dependabot Signed-off-by: Jens Langhammer <jens@goauthentik.io> * use API client...kinda Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add more docs Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add more polyfills yay Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix Signed-off-by: Jens Langhammer <jens@goauthentik.io> * turn powered by into span prevent issues in restricted browsers where users might not be able to return Signed-off-by: Jens Langhammer <jens@goauthentik.io> * allow non-link footer entries Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix tsc errors Signed-off-by: Jens Langhammer <jens@goauthentik.io> * Apply suggestions from code review Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com> Signed-off-by: Jens L. <jens@beryju.org> * auto switch for macos Signed-off-by: Jens Langhammer <jens@goauthentik.io> * reword Signed-off-by: Jens Langhammer <jens@goauthentik.io> * Update website/docs/flow/executors/if-flow.md Signed-off-by: Jens L. <jens@beryju.org> * format Signed-off-by: Jens Langhammer <jens@goauthentik.io> --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io> Signed-off-by: Jens L. <jens@beryju.org> Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com> Signed-off-by: Jens Langhammer <jens@goauthentik.io> # Conflicts: # .github/workflows/ci-web.yml # Dockerfile # website/developer-docs/api/flow-executor.md	2024-07-05 20:43:14 +02:00
gcp-cherry-pick-bot[bot]	7a5e136346	stages/authenticator_validate: fix friendly_name being required (cherry-pick #10382 ) (#10385 ) stages/authenticator_validate: fix friendly_name being required (#10382) Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Jens L <jens@goauthentik.io>	2024-07-05 15:50:14 +02:00
gcp-cherry-pick-bot[bot]	bfbab6357a	sources/oauth: fix link not being saved (cherry-pick #10374 ) (#10376 ) sources/oauth: fix link not being saved (#10374) Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Jens L <jens@goauthentik.io>	2024-07-04 16:58:38 +02:00
gcp-cherry-pick-bot[bot]	5997b93f15	sources/saml: fix pickle error, add saml auth tests (cherry-pick #10348 ) (#10352 ) sources/saml: fix pickle error, add saml auth tests (#10348) * test with persistent nameid * fix pickle * user_write: dont attempt to write to read only property * add test for enroll + auth * unwrap lazy user --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Jens L <jens@goauthentik.io>	2024-07-03 18:34:22 +02:00
gcp-cherry-pick-bot[bot]	6cdae09dc0	providers/saml: fix metadata import error handling (cherry-pick #10349 ) (#10350 ) Co-authored-by: Jens L <jens@goauthentik.io> fix metadata import error handling (#10349)	2024-07-03 16:01:50 +00:00
Jens L	ff0ef7a2b3	web: set noopener and noreferrer on all external links (#10304 ) Signed-off-by: Jens Langhammer <jens@goauthentik.io>	2024-07-02 14:54:03 +02:00
gcp-cherry-pick-bot[bot]	3986104a20	provider/scim: Fix exception handling for missing ServiceProviderConfig (cherry-pick #10322 ) (#10335 ) provider/scim: Fix exception handling for missing ServiceProviderConfig (#10322) Co-authored-by: Michael Poutre <m1kep.my.mail@gmail.com>	2024-07-02 13:53:27 +02:00
gcp-cherry-pick-bot[bot]	1aa60e7864	core: remove transitionary old JS urls (cherry-pick #10317 ) (#10321 ) core: remove transitionary old JS urls (#10317) Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Jens L <jens@goauthentik.io>	2024-07-01 21:00:05 +02:00
gcp-cherry-pick-bot[bot]	045578dd07	web/flows: remove background image link (cherry-pick #10318 ) (#10320 ) web/flows: remove background image link (#10318) Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Jens L <jens@goauthentik.io>	2024-07-01 20:28:30 +02:00
gcp-cherry-pick-bot[bot]	f23d70dc75	stages/user_login: fix ?next parameter not carried through broken session binding (cherry-pick #10301 ) (#10302 ) stages/user_login: fix ?next parameter not carried through broken session binding (#10301) Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Jens L <jens@goauthentik.io>	2024-06-29 23:17:13 +02:00
gcp-cherry-pick-bot[bot]	496f3426d9	website/docs: update geoip and asn documentation following field changes (cherry-pick #10265 ) (#10266 ) Co-authored-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>	2024-06-27 13:26:31 +00:00