add tests

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
add version
2024-09-25 15:07:00 +02:00 · 2024-09-25 14:42:24 +02:00 · 2024-09-25 14:37:27 +02:00
882 changed files with 40224 additions and 55657 deletions
--- a/.bumpversion.cfg
+++ b/.bumpversion.cfg
@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2024.10.4
+current_version = 2024.8.2
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?:-(?P<rc_t>[a-zA-Z-]+)(?P<rc_n>[1-9]\\d*))?
--- a/.github/actions/setup/action.yml
+++ b/.github/actions/setup/action.yml
@ -14,7 +14,7 @@ runs:
      run: |
        pipx install poetry || true
        sudo apt-get update
-        sudo apt-get install --no-install-recommends -y libpq-dev openssl libxmlsec1-dev pkg-config gettext libkrb5-dev krb5-kdc krb5-user krb5-admin-server
+        sudo apt-get install --no-install-recommends -y libpq-dev openssl libxmlsec1-dev pkg-config gettext
    - name: Setup python and restore poetry
      uses: actions/setup-python@v5
      with:
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -23,6 +23,7 @@ updates:
  - package-ecosystem: npm
    directories:
      - "/web"
      - "/tests/wdio"
      - "/web/sfe"
    schedule:
      interval: daily
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@ -1,7 +1,7 @@
 <!--
 👋 Hi there! Welcome.
-Please check the Contributing guidelines: https://docs.goauthentik.io/docs/developer-docs/#how-can-i-contribute
+Please check the Contributing guidelines: https://goauthentik.io/developer-docs/#how-can-i-contribute
 -->
 ## Details
--- a/.github/workflows/ci-main.yml
+++ b/.github/workflows/ci-main.yml
@ -116,7 +116,7 @@ jobs:
          poetry run make test
          poetry run coverage xml
      - if: ${{ always() }}
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@v4
        with:
          flags: unit
          token: ${{ secrets.CODECOV_TOKEN }}
@ -140,7 +140,7 @@ jobs:
          poetry run coverage run manage.py test tests/integration
          poetry run coverage xml
      - if: ${{ always() }}
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@v4
        with:
          flags: integration
          token: ${{ secrets.CODECOV_TOKEN }}
@ -180,7 +180,7 @@ jobs:
        uses: ./.github/actions/setup
      - name: Setup e2e env (chrome, etc)
        run: |
-          docker compose -f tests/e2e/docker-compose.yml up -d --quiet-pull
+          docker compose -f tests/e2e/docker-compose.yml up -d
      - id: cache-web
        uses: actions/cache@v4
        with:
@ -198,7 +198,7 @@ jobs:
          poetry run coverage run manage.py test ${{ matrix.job.glob }}
          poetry run coverage xml
      - if: ${{ always() }}
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@v4
        with:
          flags: e2e
          token: ${{ secrets.CODECOV_TOKEN }}
--- a/.github/workflows/ci-web.yml
+++ b/.github/workflows/ci-web.yml
@ -24,11 +24,17 @@ jobs:
          - prettier-check
        project:
          - web
          - tests/wdio
        include:
          - command: tsc
            project: web
          - command: lit-analyse
            project: web
        exclude:
          - command: lint:lockfile
            project: tests/wdio
          - command: tsc
            project: tests/wdio
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
@ -44,7 +50,15 @@ jobs:
      - name: Lint
        working-directory: ${{ matrix.project }}/
        run: npm run ${{ matrix.command }}
  ci-web-mark:
    needs:
      - lint
    runs-on: ubuntu-latest
    steps:
      - run: echo mark
  build:
    needs:
      - ci-web-mark
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
@ -60,13 +74,6 @@ jobs:
      - name: build
        working-directory: web/
        run: npm run build
  ci-web-mark:
    needs:
      - build
      - lint
    runs-on: ubuntu-latest
    steps:
      - run: echo mark
  test:
    needs:
      - ci-web-mark
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@ -6,7 +6,6 @@
        "authn",
        "entra",
        "goauthentik",
        "jwe",
        "jwks",
        "kubernetes",
        "oidc",
--- a/11
+++ b/11
@ -80,7 +80,7 @@ RUN --mount=type=cache,sharing=locked,target=/go/pkg/mod \
    go build -o /go/authentik ./cmd/server
 # Stage 4: MaxMind GeoIP
-FROM --platform=${BUILDPLATFORM} ghcr.io/maxmind/geoipupdate:v7.1.0 AS geoip
+FROM --platform=${BUILDPLATFORM} ghcr.io/maxmind/geoipupdate:v7.0.1 AS geoip
 ENV GEOIPUPDATE_EDITION_IDS="GeoLite2-City GeoLite2-ASN"
 ENV GEOIPUPDATE_VERBOSE="1"
@ -94,7 +94,7 @@ RUN --mount=type=secret,id=GEOIPUPDATE_ACCOUNT_ID \
    /bin/sh -c "/usr/bin/entry.sh || echo 'Failed to get GeoIP database, disabling'; exit 0"
 # Stage 5: Python dependencies
-FROM ghcr.io/goauthentik/fips-python:3.12.7-slim-bookworm-fips-full AS python-deps
+FROM ghcr.io/goauthentik/fips-python:3.12.6-slim-bookworm-fips-full AS python-deps
 ARG TARGETARCH
 ARG TARGETVARIANT
@ -110,7 +110,7 @@ RUN rm -f /etc/apt/apt.conf.d/docker-clean; echo 'Binary::apt::APT::Keep-Downloa
 RUN --mount=type=cache,id=apt-$TARGETARCH$TARGETVARIANT,sharing=locked,target=/var/cache/apt \
    apt-get update && \
    # Required for installing pip packages
-    apt-get install -y --no-install-recommends build-essential pkg-config libpq-dev libkrb5-dev
+    apt-get install -y --no-install-recommends build-essential pkg-config libpq-dev
 RUN --mount=type=bind,target=./pyproject.toml,src=./pyproject.toml \
    --mount=type=bind,target=./poetry.lock,src=./poetry.lock \
@ -124,7 +124,7 @@ RUN --mount=type=bind,target=./pyproject.toml,src=./pyproject.toml \
    pip install --force-reinstall /wheels/*"
 # Stage 6: Run
-FROM ghcr.io/goauthentik/fips-python:3.12.7-slim-bookworm-fips-full AS final-image
+FROM ghcr.io/goauthentik/fips-python:3.12.6-slim-bookworm-fips-full AS final-image
 ARG VERSION
 ARG GIT_BUILD_HASH
@ -141,7 +141,7 @@ WORKDIR /
 # We cannot cache this layer otherwise we'll end up with a bigger image
 RUN apt-get update && \
    # Required for runtime
-    apt-get install -y --no-install-recommends libpq5 libmaxminddb0 ca-certificates libkrb5-3 libkadm5clnt-mit12 libkdb5-10 && \
+    apt-get install -y --no-install-recommends libpq5 libmaxminddb0 ca-certificates && \
    # Required for bootstrap & healtcheck
    apt-get install -y --no-install-recommends runit && \
    apt-get clean && \
@ -161,7 +161,6 @@ COPY ./tests /tests
 COPY ./manage.py /
 COPY ./blueprints /blueprints
 COPY ./lifecycle/ /lifecycle
 COPY ./authentik/sources/kerberos/krb5.conf /etc/krb5.conf
 COPY --from=go-builder /go/authentik /bin/authentik
 COPY --from=python-deps /ak-root/venv /ak-root/venv
 COPY --from=web-builder /work/web/dist/ /web/dist/
--- a/3
+++ b/3
@ -19,13 +19,14 @@ pg_name := $(shell python -m authentik.lib.config postgresql.name 2>/dev/null)
 CODESPELL_ARGS = -D - -D .github/codespell-dictionary.txt \
 		-I .github/codespell-words.txt \
 		-S 'web/src/locales/**' \
-		-S 'website/docs/developer-docs/api/reference/**' \
+		-S 'website/developer-docs/api/reference/**' \
 		authentik \
 		internal \
 		cmd \
 		web/src \
 		website/src \
 		website/blog \
 		website/developer-docs \
 		website/docs \
 		website/integrations \
 		website/src
--- a/README.md
+++ b/README.md
@ -34,7 +34,7 @@ For bigger setups, there is a Helm Chart [here](https://github.com/goauthentik/h
 ## Development
-See [Developer Documentation](https://docs.goauthentik.io/docs/developer-docs/?utm_source=github)
+See [Developer Documentation](https://goauthentik.io/developer-docs/?utm_source=github)
 ## Security
--- a/SECURITY.md
+++ b/SECURITY.md
@ -18,10 +18,10 @@ Even if the issue is not a CVE, we still greatly appreciate your help in hardeni
 (.x being the latest patch release for each version)
-| Version   | Supported |
+| Version  | Supported |
-| --------- | --------- |
+| -------- | --------- |
-| 2024.8.x  | ✅        |
+| 2024.6.x | ✅        |
-| 2024.10.x | ✅        |
+| 2024.8.x | ✅        |
 ## Reporting a Vulnerability
--- a/authentik/init.py
+++ b/authentik/init.py
@ -2,7 +2,7 @@
 from os import environ
-__version__ = "2024.10.4"
+__version__ = "2024.8.2"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
--- a/authentik/admin/analytics.py
+++ b/authentik/admin/analytics.py
@ -0,0 +1,20 @@
 """authentik admin analytics"""
 from typing import Any
 from django.utils.translation import gettext_lazy as _
 from authentik.root.celery import CELERY_APP
 def get_analytics_description() -> dict[str, str]:
    return {
        "worker_count": _("Number of running workers"),
    }
 def get_analytics_data() -> dict[str, Any]:
    worker_count = len(CELERY_APP.control.ping(timeout=0.5))
    return {
        "worker_count": worker_count,
    }
--- a/authentik/admin/api/version_history.py
+++ b/authentik/admin/api/version_history.py
@ -1,33 +0,0 @@
 from rest_framework.permissions import IsAdminUser
 from rest_framework.viewsets import ReadOnlyModelViewSet
 from authentik.admin.models import VersionHistory
 from authentik.core.api.utils import ModelSerializer
 class VersionHistorySerializer(ModelSerializer):
    """VersionHistory Serializer"""
    class Meta:
        model = VersionHistory
        fields = [
            "id",
            "timestamp",
            "version",
            "build",
        ]
 class VersionHistoryViewSet(ReadOnlyModelViewSet):
    """VersionHistory Viewset"""
    queryset = VersionHistory.objects.all()
    serializer_class = VersionHistorySerializer
    permission_classes = [IsAdminUser]
    filterset_fields = [
        "version",
        "build",
    ]
    search_fields = ["version", "build"]
    ordering = ["-timestamp"]
    pagination_class = None
--- a/authentik/admin/models.py
+++ b/authentik/admin/models.py
@ -1,22 +0,0 @@
 """authentik admin models"""
 from django.db import models
 from django.utils.translation import gettext_lazy as _
 class VersionHistory(models.Model):
    id = models.BigAutoField(primary_key=True)
    timestamp = models.DateTimeField()
    version = models.TextField()
    build = models.TextField()
    class Meta:
        managed = False
        db_table = "authentik_version_history"
        ordering = ("-timestamp",)
        verbose_name = _("Version history")
        verbose_name_plural = _("Version history")
        default_permissions = []
    def __str__(self):
        return f"{self.version}.{self.build} ({self.timestamp})"
--- a/authentik/admin/urls.py
+++ b/authentik/admin/urls.py
@ -6,7 +6,6 @@ from authentik.admin.api.meta import AppsViewSet, ModelViewSet
 from authentik.admin.api.metrics import AdministrationMetricsViewSet
 from authentik.admin.api.system import SystemView
 from authentik.admin.api.version import VersionView
 from authentik.admin.api.version_history import VersionHistoryViewSet
 from authentik.admin.api.workers import WorkerView
 api_urlpatterns = [
@ -18,7 +17,6 @@ api_urlpatterns = [
        name="admin_metrics",
    ),
    path("admin/version/", VersionView.as_view(), name="admin_version"),
    ("admin/version/history", VersionHistoryViewSet, "version_history"),
    path("admin/workers/", WorkerView.as_view(), name="admin_workers"),
    path("admin/system/", SystemView.as_view(), name="admin_system"),
 ]
--- a/authentik/enterprise/stages/authenticator_endpoint_gdtc/migrations/init.py
+++ b/authentik/enterprise/stages/authenticator_endpoint_gdtc/migrations/init.py
--- a/authentik/analytics/api.py
+++ b/authentik/analytics/api.py
@ -0,0 +1,54 @@
 """authentik analytics api"""
 from drf_spectacular.utils import extend_schema, inline_serializer
 from rest_framework.fields import CharField, DictField
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.viewsets import ViewSet
 from authentik.analytics.utils import get_analytics_data, get_analytics_description
 from authentik.core.api.utils import PassiveSerializer
 from authentik.rbac.permissions import HasPermission
 class AnalyticsDescriptionSerializer(PassiveSerializer):
    label = CharField()
    desc = CharField()
 class AnalyticsDescriptionViewSet(ViewSet):
    """Read-only view of analytics descriptions"""
    permission_classes = [HasPermission("authentik_rbac.view_system_settings")]
    @extend_schema(responses={200: AnalyticsDescriptionSerializer})
    def list(self, request: Request) -> Response:
        """Read-only view of analytics descriptions"""
        data = []
        for label, desc in get_analytics_description().items():
            data.append({"label": label, "desc": desc})
        return Response(AnalyticsDescriptionSerializer(data, many=True).data)
 class AnalyticsDataViewSet(ViewSet):
    """Read-only view of analytics descriptions"""
    permission_classes = [HasPermission("authentik_rbac.edit_system_settings")]
    @extend_schema(
        responses={
            200: inline_serializer(
                name="AnalyticsData",
                fields={
                    "data": DictField(),
                },
            )
        }
    )
    def list(self, request: Request) -> Response:
        """Read-only view of analytics descriptions"""
        return Response(
            {
                "data": get_analytics_data(force=True),
            }
        )
--- a/authentik/analytics/apps.py
+++ b/authentik/analytics/apps.py
@ -0,0 +1,12 @@
 """authentik analytics app config"""
 from authentik.blueprints.apps import ManagedAppConfig
 class AuthentikAdminConfig(ManagedAppConfig):
    """authentik analytics app config"""
    name = "authentik.analytics"
    label = "authentik_analytics"
    verbose_name = "authentik Analytics"
    default = True
--- a/authentik/analytics/models.py
+++ b/authentik/analytics/models.py
@ -0,0 +1,19 @@
 """authentik analytics mixins"""
 from typing import Any
 from django.utils.translation import gettext_lazy as _
 class AnalyticsMixin:
    @classmethod
    def get_analytics_description(cls) -> dict[str, str]:
        object_name = _(cls._meta.verbose_name)
        count_desc = _("Number of {object_name} objects".format_map({"object_name": object_name}))
        return {
            "count": count_desc,
        }
    @classmethod
    def get_analytics_data(cls) -> dict[str, Any]:
        return {"count": cls.objects.all().count()}
--- a/authentik/analytics/settings.py
+++ b/authentik/analytics/settings.py
@ -0,0 +1,17 @@
 """authentik admin settings"""
 from celery.schedules import crontab
 from authentik.lib.utils.time import fqdn_rand
 CELERY_BEAT_SCHEDULE = {
    "analytics_send": {
        "task": "authentik.analytics.tasks.send_analytics",
        "schedule": crontab(
            minute=fqdn_rand("analytics_send"),
            hour=fqdn_rand("analytics_send", stop=24),
            day_of_week=fqdn_rand("analytics_send", 7),
        ),
        "options": {"queue": "authentik_scheduled"},
    }
 }
--- a/authentik/analytics/tasks.py
+++ b/authentik/analytics/tasks.py
@ -0,0 +1,45 @@
 """authentik admin tasks"""
 import orjson
 from django.utils.translation import gettext_lazy as _
 from requests import RequestException
 from structlog.stdlib import get_logger
 from authentik.analytics.utils import get_analytics_data
 from authentik.events.models import Event, EventAction
 from authentik.events.system_tasks import SystemTask, TaskStatus, prefill_task
 from authentik.lib.utils.http import get_http_session
 from authentik.root.celery import CELERY_APP
 from authentik.tenants.models import Tenant
 LOGGER = get_logger()
@CELERY_APP.task(bind=True, base=SystemTask)
@prefill_task
 def send_analytics(self: SystemTask):
    """Send analytics"""
    for tenant in Tenant.objects.filter(ready=True):
        data = get_analytics_data(current_tenant=tenant)
        if not tenant.analytics_enabled or not data:
            self.set_status(TaskStatus.WARNING, "Analytics disabled. Nothing was sent.")
            return
        try:
            response = get_http_session().post(
                "https://customers.goauthentik.io/api/analytics/post/", json=data
            )
            response.raise_for_status()
            self.set_status(
                TaskStatus.SUCCESSFUL,
                "Successfully sent analytics",
                orjson.dumps(
                    data, option=orjson.OPT_INDENT_2 | orjson.OPT_NON_STR_KEYS | orjson.OPT_UTC_Z
                ).decode(),
            )
            Event.new(
                EventAction.ANALYTICS_SENT,
                message=_("Analytics sent"),
                analytics_data=data,
            ).save()
        except (RequestException, IndexError) as exc:
            self.set_error(exc)
--- a/authentik/analytics/tests.py
+++ b/authentik/analytics/tests.py
@ -0,0 +1,76 @@
 """authentik analytics tests"""
 from json import loads
 from requests_mock import Mocker
 from django.test import TestCase
 from django.urls import reverse
 from authentik import __version__
 from authentik.analytics.tasks import send_analytics
 from authentik.analytics.utils import get_analytics_apps_data, get_analytics_apps_description, get_analytics_data, get_analytics_description, get_analytics_models_data, get_analytics_models_description
 from authentik.core.models import Group, User
 from authentik.events.models import Event, EventAction
 from authentik.lib.generators import generate_id
 from authentik.tenants.utils import get_current_tenant
 class TestAnalytics(TestCase):
    """test analytics api"""
    def setUp(self) -> None:
        super().setUp()
        self.user = User.objects.create(username=generate_id())
        self.group = Group.objects.create(name=generate_id(), is_superuser=True)
        self.group.users.add(self.user)
        self.client.force_login(self.user)
        self.tenant = get_current_tenant()
    def test_description_api(self):
        """Test Version API"""
        response = self.client.get(reverse("authentik_api:analytics-description-list"))
        self.assertEqual(response.status_code, 200)
        loads(response.content)
    def test_data_api(self):
        """Test Version API"""
        response = self.client.get(reverse("authentik_api:analytics-data-list"))
        self.assertEqual(response.status_code, 200)
        body = loads(response.content)
        self.assertEqual(body["data"]["version"], __version__)
    def test_sending_enabled(self):
        """Test analytics sending"""
        self.tenant.analytics_enabled = True
        self.tenant.save()
        with Mocker() as mocker:
            mocker.post("https://customers.goauthentik.io/api/analytics/post/", status_code=200)
            send_analytics.delay().get()
            self.assertTrue(
                Event.objects.filter(
                    action=EventAction.ANALYTICS_SENT
                ).exists()
            )
    def test_sending_disabled(self):
        """Test analytics sending"""
        self.tenant.analytics_enabled = False
        self.tenant.save()
        send_analytics.delay().get()
        self.assertFalse(
            Event.objects.filter(
                action=EventAction.ANALYTICS_SENT
            ).exists()
        )
    def test_description_data_match_apps(self):
        """Test description and data keys match"""
        description = get_analytics_apps_description()
        data = get_analytics_apps_data()
        self.assertEqual(data.keys(), description.keys())
    def test_description_data_match_models(self):
        """Test description and data keys match"""
        description = get_analytics_models_description()
        data = get_analytics_models_data()
        self.assertEqual(data.keys(), description.keys())
--- a/authentik/analytics/urls.py
+++ b/authentik/analytics/urls.py
@ -0,0 +1,8 @@
 """API URLs"""
 from authentik.analytics.api import AnalyticsDataViewSet, AnalyticsDescriptionViewSet
 api_urlpatterns = [
    ("analytics/description", AnalyticsDescriptionViewSet, "analytics-description"),
    ("analytics/data", AnalyticsDataViewSet, "analytics-data"),
 ]
--- a/authentik/analytics/utils.py
+++ b/authentik/analytics/utils.py
@ -0,0 +1,112 @@
 """authentik analytics utils"""
 from hashlib import sha256
 from importlib import import_module
 from typing import Any
 from structlog import get_logger
 from authentik import get_full_version
 from authentik.analytics.models import AnalyticsMixin
 from authentik.lib.utils.reflection import get_apps
 from authentik.root.install_id import get_install_id
 from authentik.tenants.models import Tenant
 from authentik.tenants.utils import get_current_tenant
 LOGGER = get_logger()
 def get_analytics_apps() -> dict:
    modules = {}
    for _authentik_app in get_apps():
        try:
            module = import_module(f"{_authentik_app.name}.analytics")
        except ModuleNotFoundError:
            continue
        except ImportError as exc:
            LOGGER.warning(
                "Could not import app's analytics", app_name=_authentik_app.name, exc=exc
            )
            continue
        if not hasattr(module, "get_analytics_description") or not hasattr(
            module, "get_analytics_data"
        ):
            LOGGER.debug(
                "App does not define API URLs",
                app_name=_authentik_app.name,
            )
            continue
        modules[_authentik_app.label] = module
    return modules
 def get_analytics_apps_description() -> dict[str, str]:
    result = {}
    for app_label, module in get_analytics_apps().items():
        for k, v in module.get_analytics_description().items():
            result[f"{app_label}/app/{k}"] = v
    return result
 def get_analytics_apps_data() -> dict[str, Any]:
    result = {}
    for app_label, module in get_analytics_apps().items():
        for k, v in module.get_analytics_data().items():
            result[f"{app_label}/app/{k}"] = v
    return result
 def get_analytics_models() -> list[AnalyticsMixin]:
    def get_subclasses(cls):
        for subclass in cls.__subclasses__():
            if subclass.__subclasses__():
                yield from get_subclasses(subclass)
            elif not subclass._meta.abstract:
                yield subclass
    return list(get_subclasses(AnalyticsMixin))
 def get_analytics_models_description() -> dict[str, str]:
    result = {}
    for model in get_analytics_models():
        for k, v in model.get_analytics_description().items():
            result[f"{model._meta.app_label}/models/{model._meta.object_name}/{k}"] = v
    return result
 def get_analytics_models_data() -> dict[str, Any]:
    result = {}
    for model in get_analytics_models():
        for k, v in model.get_analytics_data().items():
            result[f"{model._meta.app_label}/models/{model._meta.object_name}/{k}"] = v
    return result
 def get_analytics_description() -> dict[str, str]:
    return {
        **get_analytics_apps_description(),
        **get_analytics_models_description(),
    }
 def get_analytics_data(current_tenant: Tenant | None = None, force: bool = False) -> dict[str, Any]:
    current_tenant = current_tenant or get_current_tenant()
    if not current_tenant.analytics_enabled and not force:
        return {}
    data = {
        **get_analytics_apps_data(),
        **get_analytics_models_data(),
    }
    to_remove = []
    for key in data.keys():
        if key not in current_tenant.analytics_sources:
            to_remove.append(key)
    for key in to_remove:
        del data[key]
    return {
        **data,
        "install_id_hash": sha256(get_install_id().encode()).hexdigest(),
        "tenant_hash": sha256(current_tenant.tenant_uuid.bytes).hexdigest(),
        "version": get_full_version(),
    }
--- a/authentik/api/templates/api/browser.html
+++ b/authentik/api/templates/api/browser.html
@ -7,7 +7,7 @@ API Browser - {{ brand.branding_title }}
 {% endblock %}
 {% block head %}
-<script src="{% versioned_script 'dist/standalone/api-browser/index-%v.js' %}" type="module"></script>
+{% versioned_script "dist/standalone/api-browser/index-%v.js" %}
 <meta name="theme-color" content="#151515" media="(prefers-color-scheme: light)">
 <meta name="theme-color" content="#151515" media="(prefers-color-scheme: dark)">
 {% endblock %}
--- a/authentik/blueprints/api.py
+++ b/authentik/blueprints/api.py
@ -51,11 +51,9 @@ class BlueprintInstanceSerializer(ModelSerializer):
        context = self.instance.context if self.instance else {}
        valid, logs = Importer.from_string(content, context).validate()
        if not valid:
            text_logs = "\n".join([x["event"] for x in logs])
            raise ValidationError(
-                [
+                _("Failed to validate blueprint: {logs}".format_map({"logs": text_logs}))
                    _("Failed to validate blueprint"),
                    *[f"- {x.event}" for x in logs],
                ]
            )
        return content
--- a/authentik/blueprints/migrations/0001_initial.py
+++ b/authentik/blueprints/migrations/0001_initial.py
@ -29,7 +29,9 @@ def check_blueprint_v1_file(BlueprintInstance: type, db_alias, path: Path):
        if version != 1:
            return
        blueprint_file.seek(0)
-    instance = BlueprintInstance.objects.using(db_alias).filter(path=path).first()
+    instance: BlueprintInstance = (
        BlueprintInstance.objects.using(db_alias).filter(path=path).first()
    )
    rel_path = path.relative_to(Path(CONFIG.get("blueprints_dir")))
    meta = None
    if metadata:
--- a/authentik/blueprints/tests/test_packaged.py
+++ b/authentik/blueprints/tests/test_packaged.py
@ -27,8 +27,7 @@ def blueprint_tester(file_name: Path) -> Callable:
        base = Path("blueprints/")
        rel_path = Path(file_name).relative_to(base)
        importer = Importer.from_string(BlueprintInstance(path=str(rel_path)).retrieve())
-        validation, logs = importer.validate()
+        self.assertTrue(importer.validate()[0])
        self.assertTrue(validation, logs)
        self.assertTrue(importer.apply())
    return tester
--- a/authentik/blueprints/tests/test_v1_api.py
+++ b/authentik/blueprints/tests/test_v1_api.py
@ -78,5 +78,5 @@ class TestBlueprintsV1API(APITestCase):
        self.assertEqual(res.status_code, 400)
        self.assertJSONEqual(
            res.content.decode(),
-            {"content": ["Failed to validate blueprint", "- Invalid blueprint version"]},
+            {"content": ["Failed to validate blueprint: Invalid blueprint version"]},
        )
--- a/authentik/blueprints/v1/importer.py
+++ b/authentik/blueprints/v1/importer.py
@ -51,10 +51,6 @@ from authentik.enterprise.providers.microsoft_entra.models import (
    MicrosoftEntraProviderUser,
 )
 from authentik.enterprise.providers.rac.models import ConnectionToken
 from authentik.enterprise.stages.authenticator_endpoint_gdtc.models import (
    EndpointDevice,
    EndpointDeviceConnection,
 )
 from authentik.events.logs import LogEvent, capture_logs
 from authentik.events.models import SystemTask
 from authentik.events.utils import cleanse_dict
@ -73,7 +69,7 @@ from authentik.stages.authenticator_webauthn.models import WebAuthnDeviceType
 from authentik.tenants.models import Tenant
 # Context set when the serializer is created in a blueprint context
-# Update website/docs/customize/blueprints/v1/models.md when used
+# Update website/developer-docs/blueprints/v1/models.md when used
 SERIALIZER_CONTEXT_BLUEPRINT = "blueprint_entry"
@ -123,8 +119,6 @@ def excluded_models() -> list[type[Model]]:
        GoogleWorkspaceProviderGroup,
        MicrosoftEntraProviderUser,
        MicrosoftEntraProviderGroup,
        EndpointDevice,
        EndpointDeviceConnection,
    )
@ -293,11 +287,7 @@ class Importer:
        serializer_kwargs = {}
        model_instance = existing_models.first()
-        if (
+        if not isinstance(model(), BaseMetaModel) and model_instance:
            not isinstance(model(), BaseMetaModel)
            and model_instance
            and entry.state != BlueprintEntryDesiredState.MUST_CREATED
        ):
            self.logger.debug(
                "Initialise serializer with instance",
                model=model,
@ -307,12 +297,11 @@ class Importer:
            serializer_kwargs["instance"] = model_instance
            serializer_kwargs["partial"] = True
        elif model_instance and entry.state == BlueprintEntryDesiredState.MUST_CREATED:
            msg = (
                f"State is set to {BlueprintEntryDesiredState.MUST_CREATED.value} "
                "and object exists already",
            )
            raise EntryInvalidError.from_entry(
-                ValidationError({k: msg for k in entry.identifiers.keys()}, "unique"),
+                (
                    f"State is set to {BlueprintEntryDesiredState.MUST_CREATED} "
                    "and object exists already",
                ),
                entry,
            )
        else:
@ -440,7 +429,7 @@ class Importer:
        orig_import = deepcopy(self._import)
        if self._import.version != 1:
            self.logger.warning("Invalid blueprint version")
-            return False, [LogEvent("Invalid blueprint version", log_level="warning", logger=None)]
+            return False, [{"event": "Invalid blueprint version"}]
        with (
            transaction_rollback(),
            capture_logs() as logs,
--- a/authentik/brands/middleware.py
+++ b/authentik/brands/middleware.py
@ -4,7 +4,7 @@ from collections.abc import Callable
 from django.http.request import HttpRequest
 from django.http.response import HttpResponse
-from django.utils.translation import override
+from django.utils.translation import activate
 from authentik.brands.utils import get_brand_for_request
@ -18,12 +18,10 @@ class BrandMiddleware:
        self.get_response = get_response
    def __call__(self, request: HttpRequest) -> HttpResponse:
        locale_to_set = None
        if not hasattr(request, "brand"):
            brand = get_brand_for_request(request)
            request.brand = brand
            locale = brand.default_locale
            if locale != "":
-                locale_to_set = locale
+                activate(locale)
-        with override(locale_to_set):
+        return self.get_response(request)
            return self.get_response(request)
--- a/authentik/core/api/devices.py
+++ b/authentik/core/api/devices.py
@ -1,55 +1,39 @@
 """Authenticator Devices API Views"""
 from django.utils.translation import gettext_lazy as _
 from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import OpenApiParameter, extend_schema
 from rest_framework.fields import (
    BooleanField,
    CharField,
    DateTimeField,
    IntegerField,
    SerializerMethodField,
 )
-from rest_framework.permissions import IsAuthenticated
+from rest_framework.permissions import IsAdminUser, IsAuthenticated
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.viewsets import ViewSet
 from authentik.core.api.utils import MetaNameSerializer
 from authentik.enterprise.stages.authenticator_endpoint_gdtc.models import EndpointDevice
 from authentik.rbac.decorators import permission_required
 from authentik.stages.authenticator import device_classes, devices_for_user
 from authentik.stages.authenticator.models import Device
 from authentik.stages.authenticator_webauthn.models import WebAuthnDevice
 class DeviceSerializer(MetaNameSerializer):
    """Serializer for Duo authenticator devices"""
-    pk = CharField()
+    pk = IntegerField()
    name = CharField()
    type = SerializerMethodField()
    confirmed = BooleanField()
    created = DateTimeField(read_only=True)
    last_updated = DateTimeField(read_only=True)
    last_used = DateTimeField(read_only=True, allow_null=True)
    extra_description = SerializerMethodField()
    def get_type(self, instance: Device) -> str:
        """Get type of device"""
        return instance._meta.label
    def get_extra_description(self, instance: Device) -> str:
        """Get extra description"""
        if isinstance(instance, WebAuthnDevice):
            return (
                instance.device_type.description
                if instance.device_type
                else _("Extra description not available")
            )
        if isinstance(instance, EndpointDevice):
            return instance.data.get("deviceSignals", {}).get("deviceModel")
        return ""
 class DeviceViewSet(ViewSet):
    """Viewset for authenticator devices"""
@ -68,7 +52,7 @@ class AdminDeviceViewSet(ViewSet):
    """Viewset for authenticator devices"""
    serializer_class = DeviceSerializer
-    permission_classes = []
+    permission_classes = [IsAdminUser]
    def get_devices(self, **kwargs):
        """Get all devices in all child classes"""
@ -86,10 +70,6 @@ class AdminDeviceViewSet(ViewSet):
        ],
        responses={200: DeviceSerializer(many=True)},
    )
    @permission_required(
        None,
        [f"{model._meta.app_label}.view_{model._meta.model_name}" for model in device_classes()],
    )
    def list(self, request: Request) -> Response:
        """Get all devices for current user"""
        kwargs = {}
--- a/authentik/core/api/providers.py
+++ b/authentik/core/api/providers.py
@ -38,7 +38,6 @@ class ProviderSerializer(ModelSerializer, MetaNameSerializer):
            "name",
            "authentication_flow",
            "authorization_flow",
            "invalidation_flow",
            "property_mappings",
            "component",
            "assigned_application_slug",
@ -51,7 +50,6 @@ class ProviderSerializer(ModelSerializer, MetaNameSerializer):
        ]
        extra_kwargs = {
            "authorization_flow": {"required": True, "allow_null": False},
            "invalidation_flow": {"required": True, "allow_null": False},
        }
--- a/authentik/core/api/transactional_applications.py
+++ b/authentik/core/api/transactional_applications.py
@ -1,12 +1,10 @@
 """transactional application and provider creation"""
 from django.apps import apps
 from django.db.models import Model
 from django.utils.translation import gettext as _
 from drf_spectacular.utils import PolymorphicProxySerializer, extend_schema, extend_schema_field
-from rest_framework.exceptions import PermissionDenied, ValidationError
+from rest_framework.exceptions import ValidationError
 from rest_framework.fields import BooleanField, CharField, ChoiceField, DictField, ListField
-from rest_framework.permissions import IsAuthenticated
+from rest_framework.permissions import IsAdminUser
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.views import APIView
@ -24,7 +22,6 @@ from authentik.core.api.applications import ApplicationSerializer
 from authentik.core.api.utils import PassiveSerializer
 from authentik.core.models import Provider
 from authentik.lib.utils.reflection import all_subclasses
 from authentik.policies.api.bindings import PolicyBindingSerializer
 def get_provider_serializer_mapping():
@ -48,13 +45,6 @@ class TransactionProviderField(DictField):
    """Dictionary field which can hold provider creation data"""
 class TransactionPolicyBindingSerializer(PolicyBindingSerializer):
    """PolicyBindingSerializer which does not require target as target is set implicitly"""
    class Meta(PolicyBindingSerializer.Meta):
        fields = [x for x in PolicyBindingSerializer.Meta.fields if x != "target"]
 class TransactionApplicationSerializer(PassiveSerializer):
    """Serializer for creating a provider and an application in one transaction"""
@ -62,8 +52,6 @@ class TransactionApplicationSerializer(PassiveSerializer):
    provider_model = ChoiceField(choices=list(get_provider_serializer_mapping().keys()))
    provider = TransactionProviderField()
    policy_bindings = TransactionPolicyBindingSerializer(many=True, required=False)
    _provider_model: type[Provider] = None
    def validate_provider_model(self, fq_model_name: str) -> str:
@ -108,19 +96,6 @@ class TransactionApplicationSerializer(PassiveSerializer):
                id="app",
            )
        )
        for binding in attrs.get("policy_bindings", []):
            binding["target"] = KeyOf(None, ScalarNode(tag="", value="app"))
            for key, value in binding.items():
                if not isinstance(value, Model):
                    continue
                binding[key] = value.pk
            blueprint.entries.append(
                BlueprintEntry(
                    model="authentik_policies.policybinding",
                    state=BlueprintEntryDesiredState.MUST_CREATED,
                    identifiers=binding,
                )
            )
        importer = Importer(blueprint, {})
        try:
            valid, _ = importer.validate(raise_validation_errors=True)
@ -145,7 +120,8 @@ class TransactionApplicationResponseSerializer(PassiveSerializer):
 class TransactionalApplicationView(APIView):
    """Create provider and application and attach them in a single transaction"""
-    permission_classes = [IsAuthenticated]
+    # TODO: Migrate to a more specific permission
    permission_classes = [IsAdminUser]
    @extend_schema(
        request=TransactionApplicationSerializer(),
@ -157,23 +133,8 @@ class TransactionalApplicationView(APIView):
        """Convert data into a blueprint, validate it and apply it"""
        data = TransactionApplicationSerializer(data=request.data)
        data.is_valid(raise_exception=True)
-        blueprint: Blueprint = data.validated_data
+
-        for entry in blueprint.entries:
+        importer = Importer(data.validated_data, {})
            full_model = entry.get_model(blueprint)
            app, __, model = full_model.partition(".")
            if not request.user.has_perm(f"{app}.add_{model}"):
                raise PermissionDenied(
                    {
                        entry.id: _(
                            "User lacks permission to create {model}".format_map(
                                {
                                    "model": full_model,
                                }
                            )
                        )
                    }
                )
        importer = Importer(blueprint, {})
        applied = importer.apply()
        response = {"applied": False, "logs": []}
        response["applied"] = applied
--- a/authentik/core/api/users.py
+++ b/authentik/core/api/users.py
@ -666,12 +666,7 @@ class UserViewSet(UsedByMixin, ModelViewSet):
    @permission_required("authentik_core.impersonate")
    @extend_schema(
-        request=inline_serializer(
+        request=OpenApiTypes.NONE,
            "ImpersonationSerializer",
            {
                "reason": CharField(required=True),
            },
        ),
        responses={
            "204": OpenApiResponse(description="Successfully started impersonation"),
            "401": OpenApiResponse(description="Access denied"),
@ -684,26 +679,17 @@ class UserViewSet(UsedByMixin, ModelViewSet):
            LOGGER.debug("User attempted to impersonate", user=request.user)
            return Response(status=401)
        user_to_be = self.get_object()
-        reason = request.data.get("reason", "")
+        if not request.user.has_perm("impersonate", user_to_be):
        # Check both object-level perms and global perms
        if not request.user.has_perm(
            "authentik_core.impersonate", user_to_be
        ) and not request.user.has_perm("authentik_core.impersonate"):
            LOGGER.debug("User attempted to impersonate without permissions", user=request.user)
            return Response(status=401)
        if user_to_be.pk == self.request.user.pk:
            LOGGER.debug("User attempted to impersonate themselves", user=request.user)
            return Response(status=401)
        if not reason and request.tenant.impersonation_require_reason:
            LOGGER.debug(
                "User attempted to impersonate without providing a reason", user=request.user
            )
            return Response(status=401)
        request.session[SESSION_KEY_IMPERSONATE_ORIGINAL_USER] = request.user
        request.session[SESSION_KEY_IMPERSONATE_USER] = user_to_be
-        Event.new(EventAction.IMPERSONATION_STARTED, reason=reason).from_http(request, user_to_be)
+        Event.new(EventAction.IMPERSONATION_STARTED).from_http(request, user_to_be)
        return Response(status=201)
--- a/authentik/core/management/commands/shell.py
+++ b/authentik/core/management/commands/shell.py
@ -4,7 +4,6 @@ import code
 import platform
 import sys
 import traceback
 from pprint import pprint
 from django.apps import apps
 from django.core.management.base import BaseCommand
@ -35,9 +34,7 @@ class Command(BaseCommand):
    def get_namespace(self):
        """Prepare namespace with all models"""
-        namespace = {
+        namespace = {}
            "pprint": pprint,
        }
        # Gather Django models and constants from each app
        for app in apps.get_app_configs():
--- a/authentik/core/middleware.py
+++ b/authentik/core/middleware.py
@ -5,7 +5,7 @@ from contextvars import ContextVar
 from uuid import uuid4
 from django.http import HttpRequest, HttpResponse
-from django.utils.translation import override
+from django.utils.translation import activate
 from sentry_sdk.api import set_tag
 from structlog.contextvars import STRUCTLOG_KEY_PREFIX
@ -31,19 +31,17 @@ class ImpersonateMiddleware:
    def __call__(self, request: HttpRequest) -> HttpResponse:
        # No permission checks are done here, they need to be checked before
        # SESSION_KEY_IMPERSONATE_USER is set.
        locale_to_set = None
        if request.user.is_authenticated:
            locale = request.user.locale(request)
            if locale != "":
-                locale_to_set = locale
+                activate(locale)
        if SESSION_KEY_IMPERSONATE_USER in request.session:
            request.user = request.session[SESSION_KEY_IMPERSONATE_USER]
            # Ensure that the user is active, otherwise nothing will work
            request.user.is_active = True
-        with override(locale_to_set):
+        return self.get_response(request)
            return self.get_response(request)
 class RequestIDMiddleware:
--- a/authentik/core/migrations/0040_provider_invalidation_flow.py
+++ b/authentik/core/migrations/0040_provider_invalidation_flow.py
@ -1,55 +0,0 @@
 # Generated by Django 5.0.9 on 2024-10-02 11:35
 import django.db.models.deletion
 from django.db import migrations, models
 from django.apps.registry import Apps
 from django.db import migrations, models
 from django.db.backends.base.schema import BaseDatabaseSchemaEditor
 def migrate_invalidation_flow_default(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
    from authentik.flows.models import FlowDesignation, FlowAuthenticationRequirement
    db_alias = schema_editor.connection.alias
    Flow = apps.get_model("authentik_flows", "Flow")
    Provider = apps.get_model("authentik_core", "Provider")
    # So this flow is managed via a blueprint, bue we're in a migration so we don't want to rely on that
    # since the blueprint is just an empty flow we can just create it here
    # and let it be managed by the blueprint later
    flow, _ = Flow.objects.using(db_alias).update_or_create(
        slug="default-provider-invalidation-flow",
        defaults={
            "name": "Logged out of application",
            "title": "You've logged out of %(app)s.",
            "authentication": FlowAuthenticationRequirement.NONE,
            "designation": FlowDesignation.INVALIDATION,
        },
    )
    Provider.objects.using(db_alias).filter(invalidation_flow=None).update(invalidation_flow=flow)
 class Migration(migrations.Migration):
    dependencies = [
        ("authentik_core", "0039_source_group_matching_mode_alter_group_name_and_more"),
        ("authentik_flows", "0027_auto_20231028_1424"),
    ]
    operations = [
        migrations.AddField(
            model_name="provider",
            name="invalidation_flow",
            field=models.ForeignKey(
                default=None,
                help_text="Flow used ending the session from a provider.",
                null=True,
                on_delete=django.db.models.deletion.SET_DEFAULT,
                related_name="provider_invalidation",
                to="authentik_flows.flow",
            ),
        ),
        migrations.RunPython(migrate_invalidation_flow_default),
    ]
--- a/authentik/core/models.py
+++ b/authentik/core/models.py
@ -23,6 +23,7 @@ from model_utils.managers import InheritanceManager
 from rest_framework.serializers import Serializer
 from structlog.stdlib import get_logger
 from authentik.analytics.models import AnalyticsMixin
 from authentik.blueprints.models import ManagedModel
 from authentik.core.expression.exceptions import PropertyMappingExpressionException
 from authentik.core.types import UILoginButton, UserSettingSerializer
@ -168,7 +169,7 @@ class GroupQuerySet(CTEQuerySet):
        return cte.join(Group, group_uuid=cte.col.group_uuid).with_cte(cte)
-class Group(SerializerModel, AttributesMixin):
+class Group(SerializerModel, AttributesMixin, AnalyticsMixin):
    """Group model which supports a basic hierarchy and has attributes"""
    group_uuid = models.UUIDField(primary_key=True, editable=False, default=uuid4)
@ -258,7 +259,7 @@ class UserManager(DjangoUserManager):
        return self.get_queryset().exclude_anonymous()
-class User(SerializerModel, GuardianUserMixin, AttributesMixin, AbstractUser):
+class User(SerializerModel, GuardianUserMixin, AttributesMixin, AbstractUser, AnalyticsMixin):
    """authentik User model, based on django's contrib auth user model."""
    uuid = models.UUIDField(default=uuid4, editable=False, unique=True)
@ -330,13 +331,11 @@ class User(SerializerModel, GuardianUserMixin, AttributesMixin, AbstractUser):
        """superuser == staff user"""
        return self.is_superuser  # type: ignore
-    def set_password(self, raw_password, signal=True, sender=None):
+    def set_password(self, raw_password, signal=True):
        if self.pk and signal:
            from authentik.core.signals import password_changed
-            if not sender:
+            password_changed.send(sender=self, user=self, password=raw_password)
                sender = self
            password_changed.send(sender=sender, user=self, password=raw_password)
        self.password_change_date = now()
        return super().set_password(raw_password)
@ -378,7 +377,7 @@ class User(SerializerModel, GuardianUserMixin, AttributesMixin, AbstractUser):
        return get_avatar(self)
-class Provider(SerializerModel):
+class Provider(SerializerModel, AnalyticsMixin):
    """Application-independent Provider instance. For example SAML2 Remote, OAuth2 Application"""
    name = models.TextField(unique=True)
@ -393,23 +392,14 @@ class Provider(SerializerModel):
        ),
        related_name="provider_authentication",
    )
    authorization_flow = models.ForeignKey(
        "authentik_flows.Flow",
        # Set to cascade even though null is allowed, since most providers
        # still require an authorization flow set
        on_delete=models.CASCADE,
        null=True,
        help_text=_("Flow used when authorizing this provider."),
        related_name="provider_authorization",
    )
    invalidation_flow = models.ForeignKey(
        "authentik_flows.Flow",
        on_delete=models.SET_DEFAULT,
        default=None,
        null=True,
        help_text=_("Flow used ending the session from a provider."),
        related_name="provider_invalidation",
    )
    property_mappings = models.ManyToManyField("PropertyMapping", default=None, blank=True)
@ -481,7 +471,7 @@ class ApplicationQuerySet(QuerySet):
        return qs
-class Application(SerializerModel, PolicyBindingModel):
+class Application(SerializerModel, PolicyBindingModel, AnalyticsMixin):
    """Every Application which uses authentik for authentication/identification/authorization
    needs an Application record. Other authentication types can subclass this Model to
    add custom fields and other properties"""
@ -614,7 +604,7 @@ class SourceGroupMatchingModes(models.TextChoices):
    )
-class Source(ManagedModel, SerializerModel, PolicyBindingModel):
+class Source(ManagedModel, SerializerModel, PolicyBindingModel, AnalyticsMixin):
    """Base Authentication source, i.e. an OAuth Provider, SAML Remote or LDAP Server"""
    name = models.TextField(help_text=_("Source's display Name."))
@ -746,7 +736,7 @@ class Source(ManagedModel, SerializerModel, PolicyBindingModel):
        ]
-class UserSourceConnection(SerializerModel, CreatedUpdatedModel):
+class UserSourceConnection(SerializerModel, CreatedUpdatedModel, AnalyticsMixin):
    """Connection between User and Source."""
    user = models.ForeignKey(User, on_delete=models.CASCADE)
@ -766,7 +756,7 @@ class UserSourceConnection(SerializerModel, CreatedUpdatedModel):
        unique_together = (("user", "source"),)
-class GroupSourceConnection(SerializerModel, CreatedUpdatedModel):
+class GroupSourceConnection(SerializerModel, CreatedUpdatedModel, AnalyticsMixin):
    """Connection between Group and Source."""
    group = models.ForeignKey(Group, on_delete=models.CASCADE)
@ -890,7 +880,7 @@ class Token(SerializerModel, ManagedModel, ExpiringModel):
        ).save()
-class PropertyMapping(SerializerModel, ManagedModel):
+class PropertyMapping(SerializerModel, ManagedModel, AnalyticsMixin):
    """User-defined key -> x mapping which can be used by providers to expose extra data."""
    pm_uuid = models.UUIDField(primary_key=True, editable=False, default=uuid4)
--- a/authentik/core/sources/flow_manager.py
+++ b/authentik/core/sources/flow_manager.py
@ -1,9 +1,11 @@
 """Source decision helper"""
 from enum import Enum
 from typing import Any
 from django.contrib import messages
 from django.db import IntegrityError, transaction
 from django.db.models.query_utils import Q
 from django.http import HttpRequest, HttpResponse
 from django.shortcuts import redirect
 from django.urls import reverse
@ -14,11 +16,12 @@ from authentik.core.models import (
    Group,
    GroupSourceConnection,
    Source,
    SourceGroupMatchingModes,
    SourceUserMatchingModes,
    User,
    UserSourceConnection,
 )
 from authentik.core.sources.mapper import SourceMapper
 from authentik.core.sources.matcher import Action, SourceMatcher
 from authentik.core.sources.stage import (
    PLAN_CONTEXT_SOURCES_CONNECTION,
    PostSourceStage,
@ -51,6 +54,16 @@ SESSION_KEY_OVERRIDE_FLOW_TOKEN = "authentik/flows/source_override_flow_token"
 PLAN_CONTEXT_SOURCE_GROUPS = "source_groups"
 class Action(Enum):
    """Actions that can be decided based on the request
    and source settings"""
    LINK = "link"
    AUTH = "auth"
    ENROLL = "enroll"
    DENY = "deny"
 class MessageStage(StageView):
    """Show a pre-configured message after the flow is done"""
@ -73,7 +86,6 @@ class SourceFlowManager:
    source: Source
    mapper: SourceMapper
    matcher: SourceMatcher
    request: HttpRequest
    identifier: str
@ -96,9 +108,6 @@ class SourceFlowManager:
    ) -> None:
        self.source = source
        self.mapper = SourceMapper(self.source)
        self.matcher = SourceMatcher(
            self.source, self.user_connection_type, self.group_connection_type
        )
        self.request = request
        self.identifier = identifier
        self.user_info = user_info
@ -122,24 +131,66 @@ class SourceFlowManager:
    def get_action(self, **kwargs) -> tuple[Action, UserSourceConnection | None]:  # noqa: PLR0911
        """decide which action should be taken"""
        new_connection = self.user_connection_type(source=self.source, identifier=self.identifier)
        # When request is authenticated, always link
        if self.request.user.is_authenticated:
            new_connection = self.user_connection_type(
                source=self.source, identifier=self.identifier
            )
            new_connection.user = self.request.user
            new_connection = self.update_user_connection(new_connection, **kwargs)
            if existing := self.user_connection_type.objects.filter(
                source=self.source, identifier=self.identifier
            ).first():
                existing = self.update_user_connection(existing)
                return Action.AUTH, existing
            return Action.LINK, new_connection
-        action, connection = self.matcher.get_user_action(self.identifier, self.user_properties)
+        existing_connections = self.user_connection_type.objects.filter(
-        if connection:
+            source=self.source, identifier=self.identifier
-            connection = self.update_user_connection(connection, **kwargs)
+        )
-        return action, connection
+        if existing_connections.exists():
            connection = existing_connections.first()
            return Action.AUTH, self.update_user_connection(connection, **kwargs)
        # No connection exists, but we match on identifier, so enroll
        if self.source.user_matching_mode == SourceUserMatchingModes.IDENTIFIER:
            # We don't save the connection here cause it doesn't have a user assigned yet
            return Action.ENROLL, self.update_user_connection(new_connection, **kwargs)
        # Check for existing users with matching attributes
        query = Q()
        # Either query existing user based on email or username
        if self.source.user_matching_mode in [
            SourceUserMatchingModes.EMAIL_LINK,
            SourceUserMatchingModes.EMAIL_DENY,
        ]:
            if not self.user_properties.get("email", None):
                self._logger.warning("Refusing to use none email")
                return Action.DENY, None
            query = Q(email__exact=self.user_properties.get("email", None))
        if self.source.user_matching_mode in [
            SourceUserMatchingModes.USERNAME_LINK,
            SourceUserMatchingModes.USERNAME_DENY,
        ]:
            if not self.user_properties.get("username", None):
                self._logger.warning("Refusing to use none username")
                return Action.DENY, None
            query = Q(username__exact=self.user_properties.get("username", None))
        self._logger.debug("trying to link with existing user", query=query)
        matching_users = User.objects.filter(query)
        # No matching users, always enroll
        if not matching_users.exists():
            self._logger.debug("no matching users found, enrolling")
            return Action.ENROLL, self.update_user_connection(new_connection, **kwargs)
        user = matching_users.first()
        if self.source.user_matching_mode in [
            SourceUserMatchingModes.EMAIL_LINK,
            SourceUserMatchingModes.USERNAME_LINK,
        ]:
            new_connection.user = user
            new_connection = self.update_user_connection(new_connection, **kwargs)
            return Action.LINK, new_connection
        if self.source.user_matching_mode in [
            SourceUserMatchingModes.EMAIL_DENY,
            SourceUserMatchingModes.USERNAME_DENY,
        ]:
            self._logger.info("denying source because user exists", user=user)
            return Action.DENY, None
        # Should never get here as default enroll case is returned above.
        return Action.DENY, None  # pragma: no cover
    def update_user_connection(
        self, connection: UserSourceConnection, **kwargs
@ -277,6 +328,7 @@ class SourceFlowManager:
        connection: UserSourceConnection,
    ) -> HttpResponse:
        """Login user and redirect."""
        flow_kwargs = {PLAN_CONTEXT_PENDING_USER: connection.user}
        return self._prepare_flow(
            self.source.authentication_flow,
            connection,
@ -290,11 +342,7 @@ class SourceFlowManager:
                    ),
                )
            ],
-            **{
+            **flow_kwargs,
                PLAN_CONTEXT_PENDING_USER: connection.user,
                PLAN_CONTEXT_PROMPT: delete_none_values(self.user_properties),
                PLAN_CONTEXT_USER_PATH: self.source.get_user_path(),
            },
        )
    def handle_existing_link(
@ -360,16 +408,74 @@ class SourceFlowManager:
 class GroupUpdateStage(StageView):
    """Dynamically injected stage which updates the user after enrollment/authentication."""
    def get_action(
        self, group_id: str, group_properties: dict[str, Any | dict[str, Any]]
    ) -> tuple[Action, GroupSourceConnection | None]:
        """decide which action should be taken"""
        new_connection = self.group_connection_type(source=self.source, identifier=group_id)
        existing_connections = self.group_connection_type.objects.filter(
            source=self.source, identifier=group_id
        )
        if existing_connections.exists():
            return Action.LINK, existing_connections.first()
        # No connection exists, but we match on identifier, so enroll
        if self.source.group_matching_mode == SourceGroupMatchingModes.IDENTIFIER:
            # We don't save the connection here cause it doesn't have a user assigned yet
            return Action.ENROLL, new_connection
        # Check for existing groups with matching attributes
        query = Q()
        if self.source.group_matching_mode in [
            SourceGroupMatchingModes.NAME_LINK,
            SourceGroupMatchingModes.NAME_DENY,
        ]:
            if not group_properties.get("name", None):
                LOGGER.warning(
                    "Refusing to use none group name", source=self.source, group_id=group_id
                )
                return Action.DENY, None
            query = Q(name__exact=group_properties.get("name"))
        LOGGER.debug(
            "trying to link with existing group", source=self.source, query=query, group_id=group_id
        )
        matching_groups = Group.objects.filter(query)
        # No matching groups, always enroll
        if not matching_groups.exists():
            LOGGER.debug(
                "no matching groups found, enrolling", source=self.source, group_id=group_id
            )
            return Action.ENROLL, new_connection
        group = matching_groups.first()
        if self.source.group_matching_mode in [
            SourceGroupMatchingModes.NAME_LINK,
        ]:
            new_connection.group = group
            return Action.LINK, new_connection
        if self.source.group_matching_mode in [
            SourceGroupMatchingModes.NAME_DENY,
        ]:
            LOGGER.info(
                "denying source because group exists",
                source=self.source,
                group=group,
                group_id=group_id,
            )
            return Action.DENY, None
        # Should never get here as default enroll case is returned above.
        return Action.DENY, None  # pragma: no cover
    def handle_group(
        self, group_id: str, group_properties: dict[str, Any | dict[str, Any]]
    ) -> Group | None:
-        action, connection = self.matcher.get_group_action(group_id, group_properties)
+        action, connection = self.get_action(group_id, group_properties)
        if action == Action.ENROLL:
            group = Group.objects.create(**group_properties)
            connection.group = group
            connection.save()
            return group
-        elif action in (Action.LINK, Action.AUTH):
+        elif action == Action.LINK:
            group = connection.group
            group.update_attributes(group_properties)
            connection.save()
@ -383,7 +489,6 @@ class GroupUpdateStage(StageView):
        self.group_connection_type: GroupSourceConnection = (
            self.executor.current_stage.group_connection_type
        )
        self.matcher = SourceMatcher(self.source, None, self.group_connection_type)
        raw_groups: dict[str, dict[str, Any | dict[str, Any]]] = self.executor.plan.context[
            PLAN_CONTEXT_SOURCE_GROUPS
--- a/authentik/core/sources/matcher.py
+++ b/authentik/core/sources/matcher.py
@ -1,152 +0,0 @@
 """Source user and group matching"""
 from dataclasses import dataclass
 from enum import Enum
 from typing import Any
 from django.db.models import Q
 from structlog import get_logger
 from authentik.core.models import (
    Group,
    GroupSourceConnection,
    Source,
    SourceGroupMatchingModes,
    SourceUserMatchingModes,
    User,
    UserSourceConnection,
 )
 class Action(Enum):
    """Actions that can be decided based on the request and source settings"""
    LINK = "link"
    AUTH = "auth"
    ENROLL = "enroll"
    DENY = "deny"
@dataclass
 class MatchableProperty:
    property: str
    link_mode: SourceUserMatchingModes | SourceGroupMatchingModes
    deny_mode: SourceUserMatchingModes | SourceGroupMatchingModes
 class SourceMatcher:
    def __init__(
        self,
        source: Source,
        user_connection_type: type[UserSourceConnection],
        group_connection_type: type[GroupSourceConnection],
    ):
        self.source = source
        self.user_connection_type = user_connection_type
        self.group_connection_type = group_connection_type
        self._logger = get_logger().bind(source=self.source)
    def get_action(
        self,
        object_type: type[User | Group],
        matchable_properties: list[MatchableProperty],
        identifier: str,
        properties: dict[str, Any | dict[str, Any]],
    ) -> tuple[Action, UserSourceConnection | GroupSourceConnection | None]:
        connection_type = None
        matching_mode = None
        identifier_matching_mode = None
        if object_type == User:
            connection_type = self.user_connection_type
            matching_mode = self.source.user_matching_mode
            identifier_matching_mode = SourceUserMatchingModes.IDENTIFIER
        if object_type == Group:
            connection_type = self.group_connection_type
            matching_mode = self.source.group_matching_mode
            identifier_matching_mode = SourceGroupMatchingModes.IDENTIFIER
        if not connection_type or not matching_mode or not identifier_matching_mode:
            return Action.DENY, None
        new_connection = connection_type(source=self.source, identifier=identifier)
        existing_connections = connection_type.objects.filter(
            source=self.source, identifier=identifier
        )
        if existing_connections.exists():
            return Action.AUTH, existing_connections.first()
        # No connection exists, but we match on identifier, so enroll
        if matching_mode == identifier_matching_mode:
            # We don't save the connection here cause it doesn't have a user/group assigned yet
            return Action.ENROLL, new_connection
        # Check for existing users with matching attributes
        query = Q()
        for matchable_property in matchable_properties:
            property = matchable_property.property
            if matching_mode in [matchable_property.link_mode, matchable_property.deny_mode]:
                if not properties.get(property, None):
                    self._logger.warning(
                        "Refusing to use none property", identifier=identifier, property=property
                    )
                    return Action.DENY, None
                query_args = {
                    f"{property}__exact": properties[property],
                }
                query = Q(**query_args)
        self._logger.debug(
            "Trying to link with existing object", query=query, identifier=identifier
        )
        matching_objects = object_type.objects.filter(query)
        # Not matching objects, always enroll
        if not matching_objects.exists():
            self._logger.debug("No matching objects found, enrolling")
            return Action.ENROLL, new_connection
        obj = matching_objects.first()
        if matching_mode in [mp.link_mode for mp in matchable_properties]:
            attr = None
            if object_type == User:
                attr = "user"
            if object_type == Group:
                attr = "group"
            setattr(new_connection, attr, obj)
            return Action.LINK, new_connection
        if matching_mode in [mp.deny_mode for mp in matchable_properties]:
            self._logger.info("Denying source because object exists", obj=obj)
            return Action.DENY, None
        # Should never get here as default enroll case is returned above.
        return Action.DENY, None  # pragma: no cover
    def get_user_action(
        self, identifier: str, properties: dict[str, Any | dict[str, Any]]
    ) -> tuple[Action, UserSourceConnection | None]:
        return self.get_action(
            User,
            [
                MatchableProperty(
                    "username",
                    SourceUserMatchingModes.USERNAME_LINK,
                    SourceUserMatchingModes.USERNAME_DENY,
                ),
                MatchableProperty(
                    "email", SourceUserMatchingModes.EMAIL_LINK, SourceUserMatchingModes.EMAIL_DENY
                ),
            ],
            identifier,
            properties,
        )
    def get_group_action(
        self, identifier: str, properties: dict[str, Any | dict[str, Any]]
    ) -> tuple[Action, GroupSourceConnection | None]:
        return self.get_action(
            Group,
            [
                MatchableProperty(
                    "name", SourceGroupMatchingModes.NAME_LINK, SourceGroupMatchingModes.NAME_DENY
                ),
            ],
            identifier,
            properties,
        )
--- a/authentik/core/templates/base/skeleton.html
+++ b/authentik/core/templates/base/skeleton.html
@ -15,8 +15,8 @@
        {% endblock %}
        <link rel="stylesheet" type="text/css" href="{% static 'dist/authentik.css' %}">
        <link rel="stylesheet" type="text/css" href="{% static 'dist/custom.css' %}" data-inject>
-        <script src="{% versioned_script 'dist/poly-%v.js' %}" type="module"></script>
+        {% versioned_script "dist/poly-%v.js" %}
-        <script src="{% versioned_script 'dist/standalone/loading/index-%v.js' %}" type="module"></script>
+        {% versioned_script "dist/standalone/loading/index-%v.js" %}
        {% block head %}
        {% endblock %}
        <meta name="sentry-trace" content="{{ sentry_trace }}" />
--- a/authentik/core/templates/if/admin.html
+++ b/authentik/core/templates/if/admin.html
@ -3,7 +3,7 @@
 {% load authentik_core %}
 {% block head %}
-<script src="{% versioned_script 'dist/admin/AdminInterface-%v.js' %}" type="module"></script>
+{% versioned_script "dist/admin/AdminInterface-%v.js" %}
 <meta name="theme-color" content="#18191a" media="(prefers-color-scheme: dark)">
 <meta name="theme-color" content="#ffffff" media="(prefers-color-scheme: light)">
 {% include "base/header_js.html" %}
--- a/authentik/core/templates/if/end_session.html
+++ b/authentik/core/templates/if/end_session.html
@ -0,0 +1,43 @@
 {% extends 'login/base_full.html' %}
 {% load static %}
 {% load i18n %}
 {% block title %}
 {% trans 'End session' %} - {{ brand.branding_title }}
 {% endblock %}
 {% block card_title %}
 {% blocktrans with application=application.name %}
 You've logged out of {{ application }}.
 {% endblocktrans %}
 {% endblock %}
 {% block card %}
 <form method="POST" class="pf-c-form">
    <p>
        {% blocktrans with application=application.name branding_title=brand.branding_title %}
            You've logged out of {{ application }}. You can go back to the overview to launch another application, or log out of your {{ branding_title }} account.
        {% endblocktrans %}
    </p>
    <a id="ak-back-home" href="{% url 'authentik_core:root-redirect' %}" class="pf-c-button pf-m-primary">
        {% trans 'Go back to overview' %}
    </a>
    <a id="logout" href="{% url 'authentik_flows:default-invalidation' %}" class="pf-c-button pf-m-secondary">
        {% blocktrans with branding_title=brand.branding_title %}
            Log out of {{ branding_title }}
        {% endblocktrans %}
    </a>
    {% if application.get_launch_url %}
    <a href="{{ application.get_launch_url }}" class="pf-c-button pf-m-secondary">
        {% blocktrans with application=application.name %}
            Log back into {{ application }}
        {% endblocktrans %}
    </a>
    {% endif %}
 </form>
 {% endblock %}
--- a/authentik/core/templates/if/user.html
+++ b/authentik/core/templates/if/user.html
@ -3,7 +3,7 @@
 {% load authentik_core %}
 {% block head %}
-<script src="{% versioned_script 'dist/user/UserInterface-%v.js' %}" type="module"></script>
+{% versioned_script "dist/user/UserInterface-%v.js" %}
 <meta name="theme-color" content="#1c1e21" media="(prefers-color-scheme: light)">
 <meta name="theme-color" content="#1c1e21" media="(prefers-color-scheme: dark)">
 {% include "base/header_js.html" %}
--- a/authentik/core/templatetags/authentik_core.py
+++ b/authentik/core/templatetags/authentik_core.py
@ -2,6 +2,7 @@
 from django import template
 from django.templatetags.static import static as static_loader
 from django.utils.safestring import mark_safe
 from authentik import get_full_version
@ -11,4 +12,10 @@ register = template.Library()
@register.simple_tag()
 def versioned_script(path: str) -> str:
    """Wrapper around {% static %} tag that supports setting the version"""
-    return static_loader(path.replace("%v", get_full_version()))
+    returned_lines = [
        (
            f'<script src="{static_loader(path.replace("%v", get_full_version()))}'
            '" type="module"></script>'
        ),
    ]
    return mark_safe("".join(returned_lines))  # nosec
--- a/authentik/core/tests/test_applications_api.py
+++ b/authentik/core/tests/test_applications_api.py
@ -12,7 +12,7 @@ from authentik.core.tests.utils import create_test_admin_user, create_test_flow
 from authentik.lib.generators import generate_id
 from authentik.policies.dummy.models import DummyPolicy
 from authentik.policies.models import PolicyBinding
-from authentik.providers.oauth2.models import OAuth2Provider, RedirectURI, RedirectURIMatchingMode
+from authentik.providers.oauth2.models import OAuth2Provider
 from authentik.providers.proxy.models import ProxyProvider
 from authentik.providers.saml.models import SAMLProvider
@ -24,7 +24,7 @@ class TestApplicationsAPI(APITestCase):
        self.user = create_test_admin_user()
        self.provider = OAuth2Provider.objects.create(
            name="test",
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://some-other-domain")],
+            redirect_uris="http://some-other-domain",
            authorization_flow=create_test_flow(),
        )
        self.allowed: Application = Application.objects.create(
@ -134,7 +134,6 @@ class TestApplicationsAPI(APITestCase):
                            "assigned_application_name": "allowed",
                            "assigned_application_slug": "allowed",
                            "authentication_flow": None,
                            "invalidation_flow": None,
                            "authorization_flow": str(self.provider.authorization_flow.pk),
                            "component": "ak-provider-oauth2-form",
                            "meta_model_name": "authentik_providers_oauth2.oauth2provider",
@ -187,7 +186,6 @@ class TestApplicationsAPI(APITestCase):
                            "assigned_application_name": "allowed",
                            "assigned_application_slug": "allowed",
                            "authentication_flow": None,
                            "invalidation_flow": None,
                            "authorization_flow": str(self.provider.authorization_flow.pk),
                            "component": "ak-provider-oauth2-form",
                            "meta_model_name": "authentik_providers_oauth2.oauth2provider",
--- a/authentik/core/tests/test_devices_api.py
+++ b/authentik/core/tests/test_devices_api.py
@ -1,59 +0,0 @@
 """Test Devices API"""
 from json import loads
 from django.urls import reverse
 from rest_framework.test import APITestCase
 from authentik.core.tests.utils import create_test_admin_user, create_test_user
 class TestDevicesAPI(APITestCase):
    """Test applications API"""
    def setUp(self) -> None:
        self.admin = create_test_admin_user()
        self.user1 = create_test_user()
        self.device1 = self.user1.staticdevice_set.create()
        self.user2 = create_test_user()
        self.device2 = self.user2.staticdevice_set.create()
    def test_user_api(self):
        """Test user API"""
        self.client.force_login(self.user1)
        response = self.client.get(
            reverse(
                "authentik_api:device-list",
            )
        )
        self.assertEqual(response.status_code, 200)
        body = loads(response.content.decode())
        self.assertEqual(len(body), 1)
        self.assertEqual(body[0]["pk"], str(self.device1.pk))
    def test_user_api_as_admin(self):
        """Test user API"""
        self.client.force_login(self.admin)
        response = self.client.get(
            reverse(
                "authentik_api:device-list",
            )
        )
        self.assertEqual(response.status_code, 200)
        body = loads(response.content.decode())
        self.assertEqual(len(body), 0)
    def test_admin_api(self):
        """Test admin API"""
        self.client.force_login(self.admin)
        response = self.client.get(
            reverse(
                "authentik_api:admin-device-list",
            )
        )
        self.assertEqual(response.status_code, 200)
        body = loads(response.content.decode())
        self.assertEqual(len(body), 2)
        self.assertEqual(
            {body[0]["pk"], body[1]["pk"]}, {str(self.device1.pk), str(self.device2.pk)}
        )
--- a/authentik/core/tests/test_impersonation.py
+++ b/authentik/core/tests/test_impersonation.py
@ -29,8 +29,7 @@ class TestImpersonation(APITestCase):
            reverse(
                "authentik_api:user-impersonate",
                kwargs={"pk": self.other_user.pk},
-            ),
+            )
            data={"reason": "some reason"},
        )
        response = self.client.get(reverse("authentik_api:user-me"))
@ -45,27 +44,6 @@ class TestImpersonation(APITestCase):
        self.assertEqual(response_body["user"]["username"], self.user.username)
        self.assertNotIn("original", response_body)
    def test_impersonate_global(self):
        """Test impersonation with global permissions"""
        new_user = create_test_user()
        assign_perm("authentik_core.impersonate", new_user)
        assign_perm("authentik_core.view_user", new_user)
        self.client.force_login(new_user)
        response = self.client.post(
            reverse(
                "authentik_api:user-impersonate",
                kwargs={"pk": self.other_user.pk},
            ),
            data={"reason": "some reason"},
        )
        self.assertEqual(response.status_code, 201)
        response = self.client.get(reverse("authentik_api:user-me"))
        response_body = loads(response.content.decode())
        self.assertEqual(response_body["user"]["username"], self.other_user.username)
        self.assertEqual(response_body["original"]["username"], new_user.username)
    def test_impersonate_scoped(self):
        """Test impersonation with scoped permissions"""
        new_user = create_test_user()
@ -77,8 +55,7 @@ class TestImpersonation(APITestCase):
            reverse(
                "authentik_api:user-impersonate",
                kwargs={"pk": self.other_user.pk},
-            ),
+            )
            data={"reason": "some reason"},
        )
        self.assertEqual(response.status_code, 201)
@ -92,8 +69,7 @@ class TestImpersonation(APITestCase):
        self.client.force_login(self.other_user)
        response = self.client.post(
-            reverse("authentik_api:user-impersonate", kwargs={"pk": self.user.pk}),
+            reverse("authentik_api:user-impersonate", kwargs={"pk": self.user.pk})
            data={"reason": "some reason"},
        )
        self.assertEqual(response.status_code, 403)
@ -109,8 +85,7 @@ class TestImpersonation(APITestCase):
        self.client.force_login(self.user)
        response = self.client.post(
-            reverse("authentik_api:user-impersonate", kwargs={"pk": self.other_user.pk}),
+            reverse("authentik_api:user-impersonate", kwargs={"pk": self.other_user.pk})
            data={"reason": "some reason"},
        )
        self.assertEqual(response.status_code, 401)
@ -123,22 +98,7 @@ class TestImpersonation(APITestCase):
        self.client.force_login(self.user)
        response = self.client.post(
-            reverse("authentik_api:user-impersonate", kwargs={"pk": self.user.pk}),
+            reverse("authentik_api:user-impersonate", kwargs={"pk": self.user.pk})
            data={"reason": "some reason"},
        )
        self.assertEqual(response.status_code, 401)
        response = self.client.get(reverse("authentik_api:user-me"))
        response_body = loads(response.content.decode())
        self.assertEqual(response_body["user"]["username"], self.user.username)
    def test_impersonate_reason_required(self):
        """test impersonation that user must provide reason"""
        self.client.force_login(self.user)
        response = self.client.post(
            reverse("authentik_api:user-impersonate", kwargs={"pk": self.user.pk}),
            data={"reason": ""},
        )
        self.assertEqual(response.status_code, 401)
--- a/authentik/core/tests/test_source_flow_manager.py
+++ b/authentik/core/tests/test_source_flow_manager.py
@ -81,22 +81,6 @@ class TestSourceFlowManager(TestCase):
            reverse("authentik_core:if-user") + "#/settings;page-sources",
        )
    def test_authenticated_auth(self):
        """Test authenticated user linking"""
        user = User.objects.create(username="foo", email="foo@bar.baz")
        UserOAuthSourceConnection.objects.create(
            user=user, source=self.source, identifier=self.identifier
        )
        request = get_request("/", user=user)
        flow_manager = OAuthSourceFlowManager(
            self.source, request, self.identifier, {"info": {}}, {}
        )
        action, connection = flow_manager.get_action()
        self.assertEqual(action, Action.AUTH)
        self.assertIsNotNone(connection.pk)
        response = flow_manager.get_flow()
        self.assertEqual(response.status_code, 302)
    def test_unauthenticated_link(self):
        """Test un-authenticated user linking"""
        flow_manager = OAuthSourceFlowManager(
--- a/authentik/core/tests/test_transactional_applications_api.py
+++ b/authentik/core/tests/test_transactional_applications_api.py
@ -1,13 +1,11 @@
 """Test Transactional API"""
 from django.urls import reverse
 from guardian.shortcuts import assign_perm
 from rest_framework.test import APITestCase
-from authentik.core.models import Application, Group
+from authentik.core.models import Application
-from authentik.core.tests.utils import create_test_flow, create_test_user
+from authentik.core.tests.utils import create_test_admin_user, create_test_flow
 from authentik.lib.generators import generate_id
 from authentik.policies.models import PolicyBinding
 from authentik.providers.oauth2.models import OAuth2Provider
@ -15,68 +13,12 @@ class TestTransactionalApplicationsAPI(APITestCase):
    """Test Transactional API"""
    def setUp(self) -> None:
-        self.user = create_test_user()
+        self.user = create_test_admin_user()
        assign_perm("authentik_core.add_application", self.user)
        assign_perm("authentik_providers_oauth2.add_oauth2provider", self.user)
    def test_create_transactional(self):
        """Test transactional Application + provider creation"""
        self.client.force_login(self.user)
        uid = generate_id()
        response = self.client.put(
            reverse("authentik_api:core-transactional-application"),
            data={
                "app": {
                    "name": uid,
                    "slug": uid,
                },
                "provider_model": "authentik_providers_oauth2.oauth2provider",
                "provider": {
                    "name": uid,
                    "authorization_flow": str(create_test_flow().pk),
                    "invalidation_flow": str(create_test_flow().pk),
                    "redirect_uris": [],
                },
            },
        )
        self.assertJSONEqual(response.content.decode(), {"applied": True, "logs": []})
        provider = OAuth2Provider.objects.filter(name=uid).first()
        self.assertIsNotNone(provider)
        app = Application.objects.filter(slug=uid).first()
        self.assertIsNotNone(app)
        self.assertEqual(app.provider.pk, provider.pk)
    def test_create_transactional_permission_denied(self):
        """Test transactional Application + provider creation (missing permissions)"""
        self.client.force_login(self.user)
        uid = generate_id()
        response = self.client.put(
            reverse("authentik_api:core-transactional-application"),
            data={
                "app": {
                    "name": uid,
                    "slug": uid,
                },
                "provider_model": "authentik_providers_saml.samlprovider",
                "provider": {
                    "name": uid,
                    "authorization_flow": str(create_test_flow().pk),
                    "invalidation_flow": str(create_test_flow().pk),
                    "acs_url": "https://goauthentik.io",
                },
            },
        )
        self.assertJSONEqual(
            response.content.decode(),
            {"provider": "User lacks permission to create authentik_providers_saml.samlprovider"},
        )
    def test_create_transactional_bindings(self):
        """Test transactional Application + provider creation"""
        assign_perm("authentik_policies.add_policybinding", self.user)
        self.client.force_login(self.user)
        uid = generate_id()
        group = Group.objects.create(name=generate_id())
        authorization_flow = create_test_flow()
        response = self.client.put(
            reverse("authentik_api:core-transactional-application"),
@ -89,10 +31,7 @@ class TestTransactionalApplicationsAPI(APITestCase):
                "provider": {
                    "name": uid,
                    "authorization_flow": str(authorization_flow.pk),
                    "invalidation_flow": str(authorization_flow.pk),
                    "redirect_uris": [],
                },
                "policy_bindings": [{"group": group.pk, "order": 0}],
            },
        )
        self.assertJSONEqual(response.content.decode(), {"applied": True, "logs": []})
@ -101,10 +40,6 @@ class TestTransactionalApplicationsAPI(APITestCase):
        app = Application.objects.filter(slug=uid).first()
        self.assertIsNotNone(app)
        self.assertEqual(app.provider.pk, provider.pk)
        binding = PolicyBinding.objects.filter(target=app).first()
        self.assertIsNotNone(binding)
        self.assertEqual(binding.target, app)
        self.assertEqual(binding.group, group)
    def test_create_transactional_invalid(self):
        """Test transactional Application + provider creation"""
@ -121,46 +56,10 @@ class TestTransactionalApplicationsAPI(APITestCase):
                "provider": {
                    "name": uid,
                    "authorization_flow": "",
                    "invalidation_flow": "",
                    "redirect_uris": [],
                },
            },
        )
        self.assertJSONEqual(
            response.content.decode(),
-            {
+            {"provider": {"authorization_flow": ["This field may not be null."]}},
                "provider": {
                    "authorization_flow": ["This field may not be null."],
                    "invalidation_flow": ["This field may not be null."],
                }
            },
        )
    def test_create_transactional_duplicate_name_provider(self):
        """Test transactional Application + provider creation"""
        self.client.force_login(self.user)
        uid = generate_id()
        OAuth2Provider.objects.create(
            name=uid,
            authorization_flow=create_test_flow(),
            invalidation_flow=create_test_flow(),
        )
        response = self.client.put(
            reverse("authentik_api:core-transactional-application"),
            data={
                "app": {
                    "name": uid,
                    "slug": uid,
                },
                "provider_model": "authentik_providers_oauth2.oauth2provider",
                "provider": {
                    "name": uid,
                    "authorization_flow": str(create_test_flow().pk),
                    "invalidation_flow": str(create_test_flow().pk),
                },
            },
        )
        self.assertJSONEqual(
            response.content.decode(),
            {"provider": {"name": ["State is set to must_created and object exists already"]}},
        )
--- a/authentik/core/urls.py
+++ b/authentik/core/urls.py
@ -5,6 +5,7 @@ from channels.sessions import CookieMiddleware
 from django.conf import settings
 from django.contrib.auth.decorators import login_required
 from django.urls import path
 from django.views.decorators.csrf import ensure_csrf_cookie
 from authentik.core.api.applications import ApplicationViewSet
 from authentik.core.api.authenticated_sessions import AuthenticatedSessionViewSet
@ -23,6 +24,7 @@ from authentik.core.views.interface import (
    InterfaceView,
    RootRedirectView,
 )
 from authentik.core.views.session import EndSessionView
 from authentik.flows.views.interface import FlowInterfaceView
 from authentik.root.asgi_middleware import SessionMiddleware
 from authentik.root.messages.consumer import MessageConsumer
@ -43,21 +45,26 @@ urlpatterns = [
    # Interfaces
    path(
        "if/admin/",
-        BrandDefaultRedirectView.as_view(template_name="if/admin.html"),
+        ensure_csrf_cookie(BrandDefaultRedirectView.as_view(template_name="if/admin.html")),
        name="if-admin",
    ),
    path(
        "if/user/",
-        BrandDefaultRedirectView.as_view(template_name="if/user.html"),
+        ensure_csrf_cookie(BrandDefaultRedirectView.as_view(template_name="if/user.html")),
        name="if-user",
    ),
    path(
        "if/flow/<slug:flow_slug>/",
        # FIXME: move this url to the flows app...also will cause all
        # of the reverse calls to be adjusted
-        FlowInterfaceView.as_view(),
+        ensure_csrf_cookie(FlowInterfaceView.as_view()),
        name="if-flow",
    ),
    path(
        "if/session-end/<slug:application_slug>/",
        ensure_csrf_cookie(EndSessionView.as_view()),
        name="if-session-end",
    ),
    # Fallback for WS
    path("ws/outpost/<uuid:pk>/", InterfaceView.as_view(template_name="if/admin.html")),
    path(
--- a/authentik/core/views/session.py
+++ b/authentik/core/views/session.py
@ -0,0 +1,23 @@
 """authentik Session Views"""
 from typing import Any
 from django.shortcuts import get_object_or_404
 from django.views.generic.base import TemplateView
 from authentik.core.models import Application
 from authentik.policies.views import PolicyAccessView
 class EndSessionView(TemplateView, PolicyAccessView):
    """Allow the client to end the Session"""
    template_name = "if/end_session.html"
    def resolve_provider_application(self):
        self.application = get_object_or_404(Application, slug=self.kwargs["application_slug"])
    def get_context_data(self, **kwargs: Any) -> dict[str, Any]:
        context = super().get_context_data(**kwargs)
        context["application"] = self.application
        return context
--- a/authentik/crypto/api.py
+++ b/authentik/crypto/api.py
@ -24,7 +24,6 @@ from rest_framework.fields import (
 from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.validators import UniqueValidator
 from rest_framework.viewsets import ModelViewSet
 from structlog.stdlib import get_logger
@ -182,10 +181,7 @@ class CertificateDataSerializer(PassiveSerializer):
 class CertificateGenerationSerializer(PassiveSerializer):
    """Certificate generation parameters"""
-    common_name = CharField(
+    common_name = CharField()
        validators=[UniqueValidator(queryset=CertificateKeyPair.objects.all())],
        source="name",
    )
    subject_alt_name = CharField(required=False, allow_blank=True, label=_("Subject-alt name"))
    validity_days = IntegerField(initial=365)
    alg = ChoiceField(default=PrivateKeyAlg.RSA, choices=PrivateKeyAlg.choices)
@ -246,10 +242,11 @@ class CertificateKeyPairViewSet(UsedByMixin, ModelViewSet):
    def generate(self, request: Request) -> Response:
        """Generate a new, self-signed certificate-key pair"""
        data = CertificateGenerationSerializer(data=request.data)
-        data.is_valid(raise_exception=True)
+        if not data.is_valid():
            return Response(data.errors, status=400)
        raw_san = data.validated_data.get("subject_alt_name", "")
        sans = raw_san.split(",") if raw_san != "" else []
-        builder = CertificateBuilder(data.validated_data["name"])
+        builder = CertificateBuilder(data.validated_data["common_name"])
        builder.alg = data.validated_data["alg"]
        builder.build(
            subject_alt_names=sans,
--- a/authentik/crypto/tests.py
+++ b/authentik/crypto/tests.py
@ -18,7 +18,7 @@ from authentik.crypto.models import CertificateKeyPair
 from authentik.crypto.tasks import MANAGED_DISCOVERED, certificate_discovery
 from authentik.lib.config import CONFIG
 from authentik.lib.generators import generate_id, generate_key
-from authentik.providers.oauth2.models import OAuth2Provider, RedirectURI, RedirectURIMatchingMode
+from authentik.providers.oauth2.models import OAuth2Provider
 class TestCrypto(APITestCase):
@ -89,17 +89,6 @@ class TestCrypto(APITestCase):
        self.assertIsInstance(ext[1], DNSName)
        self.assertEqual(ext[1].value, "baz")
    def test_builder_api_duplicate(self):
        """Test Builder (via API)"""
        cert = create_test_cert()
        self.client.force_login(create_test_admin_user())
        res = self.client.post(
            reverse("authentik_api:certificatekeypair-generate"),
            data={"common_name": cert.name, "subject_alt_name": "bar,baz", "validity_days": 3},
        )
        self.assertEqual(res.status_code, 400)
        self.assertJSONEqual(res.content, {"common_name": ["This field must be unique."]})
    def test_builder_api_empty_san(self):
        """Test Builder (via API)"""
        self.client.force_login(create_test_admin_user())
@ -274,7 +263,7 @@ class TestCrypto(APITestCase):
            client_id="test",
            client_secret=generate_key(),
            authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost")],
+            redirect_uris="http://localhost",
            signing_key=keypair,
        )
        response = self.client.get(
@ -306,7 +295,7 @@ class TestCrypto(APITestCase):
            client_id="test",
            client_secret=generate_key(),
            authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost")],
+            redirect_uris="http://localhost",
            signing_key=keypair,
        )
        response = self.client.get(
--- a/authentik/enterprise/providers/rac/api/providers.py
+++ b/authentik/enterprise/providers/rac/api/providers.py
@ -16,28 +16,13 @@ class RACProviderSerializer(EnterpriseRequiredMixin, ProviderSerializer):
    class Meta:
        model = RACProvider
-        fields = [
+        fields = ProviderSerializer.Meta.fields + [
            "pk",
            "name",
            "authentication_flow",
            "authorization_flow",
            "property_mappings",
            "component",
            "assigned_application_slug",
            "assigned_application_name",
            "assigned_backchannel_application_slug",
            "assigned_backchannel_application_name",
            "verbose_name",
            "verbose_name_plural",
            "meta_model_name",
            "settings",
            "outpost_set",
            "connection_expiry",
            "delete_token_on_disconnect",
        ]
-        extra_kwargs = {
+        extra_kwargs = ProviderSerializer.Meta.extra_kwargs
            "authorization_flow": {"required": True, "allow_null": False},
        }
 class RACProviderViewSet(UsedByMixin, ModelViewSet):
--- a/authentik/enterprise/providers/rac/templates/if/rac.html
+++ b/authentik/enterprise/providers/rac/templates/if/rac.html
@ -3,7 +3,7 @@
 {% load authentik_core %}
 {% block head %}
-<script src="{% versioned_script 'dist/enterprise/rac/index-%v.js' %}" type="module"></script>
+{% versioned_script "dist/enterprise/rac/index-%v.js" %}
 <meta name="theme-color" content="#18191a" media="(prefers-color-scheme: dark)">
 <meta name="theme-color" content="#ffffff" media="(prefers-color-scheme: light)">
 <link rel="icon" href="{{ tenant.branding_favicon }}">
--- a/authentik/enterprise/providers/rac/tests/test_api.py
+++ b/authentik/enterprise/providers/rac/tests/test_api.py
@ -1,46 +0,0 @@
 """Test RAC Provider"""
 from datetime import timedelta
 from time import mktime
 from unittest.mock import MagicMock, patch
 from django.urls import reverse
 from django.utils.timezone import now
 from rest_framework.test import APITestCase
 from authentik.core.tests.utils import create_test_admin_user, create_test_flow
 from authentik.enterprise.license import LicenseKey
 from authentik.enterprise.models import License
 from authentik.lib.generators import generate_id
 class TestAPI(APITestCase):
    """Test Provider API"""
    def setUp(self) -> None:
        self.user = create_test_admin_user()
    @patch(
        "authentik.enterprise.license.LicenseKey.validate",
        MagicMock(
            return_value=LicenseKey(
                aud="",
                exp=int(mktime((now() + timedelta(days=3000)).timetuple())),
                name=generate_id(),
                internal_users=100,
                external_users=100,
            )
        ),
    )
    def test_create(self):
        """Test creation of RAC Provider"""
        License.objects.create(key=generate_id())
        self.client.force_login(self.user)
        response = self.client.post(
            reverse("authentik_api:racprovider-list"),
            data={
                "name": generate_id(),
                "authorization_flow": create_test_flow().pk,
            },
        )
        self.assertEqual(response.status_code, 201)
--- a/authentik/enterprise/providers/rac/urls.py
+++ b/authentik/enterprise/providers/rac/urls.py
@ -3,6 +3,7 @@
 from channels.auth import AuthMiddleware
 from channels.sessions import CookieMiddleware
 from django.urls import path
 from django.views.decorators.csrf import ensure_csrf_cookie
 from authentik.enterprise.providers.rac.api.connection_tokens import ConnectionTokenViewSet
 from authentik.enterprise.providers.rac.api.endpoints import EndpointViewSet
@ -18,12 +19,12 @@ from authentik.root.middleware import ChannelsLoggingMiddleware
 urlpatterns = [
    path(
        "application/rac/<slug:app>/<uuid:endpoint>/",
-        RACStartView.as_view(),
+        ensure_csrf_cookie(RACStartView.as_view()),
        name="start",
    ),
    path(
        "if/rac/<str:token>/",
-        RACInterface.as_view(),
+        ensure_csrf_cookie(RACInterface.as_view()),
        name="if-rac",
    ),
 ]
--- a/authentik/enterprise/settings.py
+++ b/authentik/enterprise/settings.py
@ -17,7 +17,6 @@ TENANT_APPS = [
    "authentik.enterprise.providers.google_workspace",
    "authentik.enterprise.providers.microsoft_entra",
    "authentik.enterprise.providers.rac",
    "authentik.enterprise.stages.authenticator_endpoint_gdtc",
    "authentik.enterprise.stages.source",
 ]
--- a/authentik/enterprise/stages/authenticator_endpoint_gdtc/api.py
+++ b/authentik/enterprise/stages/authenticator_endpoint_gdtc/api.py
@ -1,82 +0,0 @@
 """AuthenticatorEndpointGDTCStage API Views"""
 from django_filters.rest_framework.backends import DjangoFilterBackend
 from rest_framework import mixins
 from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.permissions import IsAdminUser
 from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import GenericViewSet, ModelViewSet
 from structlog.stdlib import get_logger
 from authentik.api.authorization import OwnerFilter, OwnerPermissions
 from authentik.core.api.used_by import UsedByMixin
 from authentik.enterprise.api import EnterpriseRequiredMixin
 from authentik.enterprise.stages.authenticator_endpoint_gdtc.models import (
    AuthenticatorEndpointGDTCStage,
    EndpointDevice,
 )
 from authentik.flows.api.stages import StageSerializer
 LOGGER = get_logger()
 class AuthenticatorEndpointGDTCStageSerializer(EnterpriseRequiredMixin, StageSerializer):
    """AuthenticatorEndpointGDTCStage Serializer"""
    class Meta:
        model = AuthenticatorEndpointGDTCStage
        fields = StageSerializer.Meta.fields + [
            "configure_flow",
            "friendly_name",
            "credentials",
        ]
 class AuthenticatorEndpointGDTCStageViewSet(UsedByMixin, ModelViewSet):
    """AuthenticatorEndpointGDTCStage Viewset"""
    queryset = AuthenticatorEndpointGDTCStage.objects.all()
    serializer_class = AuthenticatorEndpointGDTCStageSerializer
    filterset_fields = [
        "name",
        "configure_flow",
    ]
    search_fields = ["name"]
    ordering = ["name"]
 class EndpointDeviceSerializer(ModelSerializer):
    """Serializer for Endpoint authenticator devices"""
    class Meta:
        model = EndpointDevice
        fields = ["pk", "name"]
        depth = 2
 class EndpointDeviceViewSet(
    mixins.RetrieveModelMixin,
    mixins.ListModelMixin,
    UsedByMixin,
    GenericViewSet,
 ):
    """Viewset for Endpoint authenticator devices"""
    queryset = EndpointDevice.objects.all()
    serializer_class = EndpointDeviceSerializer
    search_fields = ["name"]
    filterset_fields = ["name"]
    ordering = ["name"]
    permission_classes = [OwnerPermissions]
    filter_backends = [OwnerFilter, DjangoFilterBackend, OrderingFilter, SearchFilter]
 class EndpointAdminDeviceViewSet(ModelViewSet):
    """Viewset for Endpoint authenticator devices (for admins)"""
    permission_classes = [IsAdminUser]
    queryset = EndpointDevice.objects.all()
    serializer_class = EndpointDeviceSerializer
    search_fields = ["name"]
    filterset_fields = ["name"]
    ordering = ["name"]
--- a/authentik/enterprise/stages/authenticator_endpoint_gdtc/apps.py
+++ b/authentik/enterprise/stages/authenticator_endpoint_gdtc/apps.py
@ -1,13 +0,0 @@
 """authentik Endpoint app config"""
 from authentik.enterprise.apps import EnterpriseConfig
 class AuthentikStageAuthenticatorEndpointConfig(EnterpriseConfig):
    """authentik endpoint config"""
    name = "authentik.enterprise.stages.authenticator_endpoint_gdtc"
    label = "authentik_stages_authenticator_endpoint_gdtc"
    verbose_name = "authentik Enterprise.Stages.Authenticator.Endpoint GDTC"
    default = True
    mountpoint = "endpoint/gdtc/"
--- a/authentik/enterprise/stages/authenticator_endpoint_gdtc/migrations/0001_initial.py
+++ b/authentik/enterprise/stages/authenticator_endpoint_gdtc/migrations/0001_initial.py
@ -1,115 +0,0 @@
 # Generated by Django 5.0.9 on 2024-10-22 11:40
 import django.db.models.deletion
 import uuid
 from django.conf import settings
 from django.db import migrations, models
 class Migration(migrations.Migration):
    initial = True
    dependencies = [
        ("authentik_flows", "0027_auto_20231028_1424"),
        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
    ]
    operations = [
        migrations.CreateModel(
            name="AuthenticatorEndpointGDTCStage",
            fields=[
                (
                    "stage_ptr",
                    models.OneToOneField(
                        auto_created=True,
                        on_delete=django.db.models.deletion.CASCADE,
                        parent_link=True,
                        primary_key=True,
                        serialize=False,
                        to="authentik_flows.stage",
                    ),
                ),
                ("friendly_name", models.TextField(null=True)),
                ("credentials", models.JSONField()),
                (
                    "configure_flow",
                    models.ForeignKey(
                        blank=True,
                        help_text="Flow used by an authenticated user to configure this Stage. If empty, user will not be able to configure this stage.",
                        null=True,
                        on_delete=django.db.models.deletion.SET_NULL,
                        to="authentik_flows.flow",
                    ),
                ),
            ],
            options={
                "verbose_name": "Endpoint Authenticator Google Device Trust Connector Stage",
                "verbose_name_plural": "Endpoint Authenticator Google Device Trust Connector Stages",
            },
            bases=("authentik_flows.stage", models.Model),
        ),
        migrations.CreateModel(
            name="EndpointDevice",
            fields=[
                ("created", models.DateTimeField(auto_now_add=True)),
                ("last_updated", models.DateTimeField(auto_now=True)),
                (
                    "name",
                    models.CharField(
                        help_text="The human-readable name of this device.", max_length=64
                    ),
                ),
                (
                    "confirmed",
                    models.BooleanField(default=True, help_text="Is this device ready for use?"),
                ),
                ("last_used", models.DateTimeField(null=True)),
                ("uuid", models.UUIDField(default=uuid.uuid4, primary_key=True, serialize=False)),
                (
                    "host_identifier",
                    models.TextField(
                        help_text="A unique identifier for the endpoint device, usually the device serial number",
                        unique=True,
                    ),
                ),
                ("data", models.JSONField()),
                (
                    "user",
                    models.ForeignKey(
                        on_delete=django.db.models.deletion.CASCADE, to=settings.AUTH_USER_MODEL
                    ),
                ),
            ],
            options={
                "verbose_name": "Endpoint Device",
                "verbose_name_plural": "Endpoint Devices",
            },
        ),
        migrations.CreateModel(
            name="EndpointDeviceConnection",
            fields=[
                (
                    "id",
                    models.AutoField(
                        auto_created=True, primary_key=True, serialize=False, verbose_name="ID"
                    ),
                ),
                ("attributes", models.JSONField()),
                (
                    "device",
                    models.ForeignKey(
                        on_delete=django.db.models.deletion.CASCADE,
                        to="authentik_stages_authenticator_endpoint_gdtc.endpointdevice",
                    ),
                ),
                (
                    "stage",
                    models.ForeignKey(
                        on_delete=django.db.models.deletion.CASCADE,
                        to="authentik_stages_authenticator_endpoint_gdtc.authenticatorendpointgdtcstage",
                    ),
                ),
            ],
        ),
    ]
--- a/authentik/enterprise/stages/authenticator_endpoint_gdtc/models.py
+++ b/authentik/enterprise/stages/authenticator_endpoint_gdtc/models.py
@ -1,101 +0,0 @@
 """Endpoint stage"""
 from uuid import uuid4
 from django.contrib.auth import get_user_model
 from django.db import models
 from django.utils.translation import gettext_lazy as _
 from google.oauth2.service_account import Credentials
 from rest_framework.serializers import BaseSerializer, Serializer
 from authentik.core.types import UserSettingSerializer
 from authentik.flows.models import ConfigurableStage, FriendlyNamedStage, Stage
 from authentik.flows.stage import StageView
 from authentik.lib.models import SerializerModel
 from authentik.stages.authenticator.models import Device
 class AuthenticatorEndpointGDTCStage(ConfigurableStage, FriendlyNamedStage, Stage):
    """Setup Google Chrome Device-trust connection"""
    credentials = models.JSONField()
    def google_credentials(self):
        return {
            "credentials": Credentials.from_service_account_info(
                self.credentials, scopes=["https://www.googleapis.com/auth/verifiedaccess"]
            ),
        }
    @property
    def serializer(self) -> type[BaseSerializer]:
        from authentik.enterprise.stages.authenticator_endpoint_gdtc.api import (
            AuthenticatorEndpointGDTCStageSerializer,
        )
        return AuthenticatorEndpointGDTCStageSerializer
    @property
    def view(self) -> type[StageView]:
        from authentik.enterprise.stages.authenticator_endpoint_gdtc.stage import (
            AuthenticatorEndpointStageView,
        )
        return AuthenticatorEndpointStageView
    @property
    def component(self) -> str:
        return "ak-stage-authenticator-endpoint-gdtc-form"
    def ui_user_settings(self) -> UserSettingSerializer | None:
        return UserSettingSerializer(
            data={
                "title": self.friendly_name or str(self._meta.verbose_name),
                "component": "ak-user-settings-authenticator-endpoint",
            }
        )
    def __str__(self) -> str:
        return f"Endpoint Authenticator Google Device Trust Connector Stage {self.name}"
    class Meta:
        verbose_name = _("Endpoint Authenticator Google Device Trust Connector Stage")
        verbose_name_plural = _("Endpoint Authenticator Google Device Trust Connector Stages")
 class EndpointDevice(SerializerModel, Device):
    """Endpoint Device for a single user"""
    uuid = models.UUIDField(primary_key=True, default=uuid4)
    host_identifier = models.TextField(
        unique=True,
        help_text="A unique identifier for the endpoint device, usually the device serial number",
    )
    user = models.ForeignKey(get_user_model(), on_delete=models.CASCADE)
    data = models.JSONField()
    @property
    def serializer(self) -> Serializer:
        from authentik.enterprise.stages.authenticator_endpoint_gdtc.api import (
            EndpointDeviceSerializer,
        )
        return EndpointDeviceSerializer
    def __str__(self):
        return str(self.name) or str(self.user_id)
    class Meta:
        verbose_name = _("Endpoint Device")
        verbose_name_plural = _("Endpoint Devices")
 class EndpointDeviceConnection(models.Model):
    device = models.ForeignKey(EndpointDevice, on_delete=models.CASCADE)
    stage = models.ForeignKey(AuthenticatorEndpointGDTCStage, on_delete=models.CASCADE)
    attributes = models.JSONField()
    def __str__(self) -> str:
        return f"Endpoint device connection {self.device_id} to {self.stage_id}"
--- a/authentik/enterprise/stages/authenticator_endpoint_gdtc/stage.py
+++ b/authentik/enterprise/stages/authenticator_endpoint_gdtc/stage.py
@ -1,32 +0,0 @@
 from django.http import HttpResponse
 from django.urls import reverse
 from django.utils.translation import gettext_lazy as _
 from authentik.flows.challenge import (
    Challenge,
    ChallengeResponse,
    FrameChallenge,
    FrameChallengeResponse,
 )
 from authentik.flows.stage import ChallengeStageView
 class AuthenticatorEndpointStageView(ChallengeStageView):
    """Endpoint stage"""
    response_class = FrameChallengeResponse
    def get_challenge(self, *args, **kwargs) -> Challenge:
        return FrameChallenge(
            data={
                "component": "xak-flow-frame",
                "url": self.request.build_absolute_uri(
                    reverse("authentik_stages_authenticator_endpoint_gdtc:chrome")
                ),
                "loading_overlay": True,
                "loading_text": _("Verifying your browser..."),
            }
        )
    def challenge_valid(self, response: ChallengeResponse) -> HttpResponse:
        return self.executor.stage_ok()
--- a/authentik/enterprise/stages/authenticator_endpoint_gdtc/templates/stages/authenticator_endpoint/google_chrome_dtc.html
+++ b/authentik/enterprise/stages/authenticator_endpoint_gdtc/templates/stages/authenticator_endpoint/google_chrome_dtc.html
@ -1,9 +0,0 @@
 <html>
 <script>
  window.parent.postMessage({
    message: "submit",
    source: "goauthentik.io",
    context: "flow-executor"
  });
 </script>
 </html>
--- a/authentik/enterprise/stages/authenticator_endpoint_gdtc/urls.py
+++ b/authentik/enterprise/stages/authenticator_endpoint_gdtc/urls.py
@ -1,26 +0,0 @@
 """API URLs"""
 from django.urls import path
 from authentik.enterprise.stages.authenticator_endpoint_gdtc.api import (
    AuthenticatorEndpointGDTCStageViewSet,
    EndpointAdminDeviceViewSet,
    EndpointDeviceViewSet,
 )
 from authentik.enterprise.stages.authenticator_endpoint_gdtc.views.dtc import (
    GoogleChromeDeviceTrustConnector,
 )
 urlpatterns = [
    path("chrome/", GoogleChromeDeviceTrustConnector.as_view(), name="chrome"),
 ]
 api_urlpatterns = [
    ("authenticators/endpoint", EndpointDeviceViewSet),
    (
        "authenticators/admin/endpoint",
        EndpointAdminDeviceViewSet,
        "admin-endpointdevice",
    ),
    ("stages/authenticator/endpoint_gdtc", AuthenticatorEndpointGDTCStageViewSet),
 ]
--- a/authentik/enterprise/stages/authenticator_endpoint_gdtc/views/init.py
+++ b/authentik/enterprise/stages/authenticator_endpoint_gdtc/views/init.py
--- a/authentik/enterprise/stages/authenticator_endpoint_gdtc/views/dtc.py
+++ b/authentik/enterprise/stages/authenticator_endpoint_gdtc/views/dtc.py
@ -1,84 +0,0 @@
 from json import dumps, loads
 from typing import Any
 from django.http import HttpRequest, HttpResponse, HttpResponseRedirect
 from django.template.response import TemplateResponse
 from django.urls import reverse
 from django.views import View
 from googleapiclient.discovery import build
 from authentik.enterprise.stages.authenticator_endpoint_gdtc.models import (
    AuthenticatorEndpointGDTCStage,
    EndpointDevice,
    EndpointDeviceConnection,
 )
 from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlan
 from authentik.flows.views.executor import SESSION_KEY_PLAN
 from authentik.stages.password.stage import PLAN_CONTEXT_METHOD, PLAN_CONTEXT_METHOD_ARGS
 # Header we get from chrome that initiates verified access
 HEADER_DEVICE_TRUST = "X-Device-Trust"
 # Header we send to the client with the challenge
 HEADER_ACCESS_CHALLENGE = "X-Verified-Access-Challenge"
 # Header we get back from the client that we verify with google
 HEADER_ACCESS_CHALLENGE_RESPONSE = "X-Verified-Access-Challenge-Response"
 # Header value for x-device-trust that initiates the flow
 DEVICE_TRUST_VERIFIED_ACCESS = "VerifiedAccess"
 class GoogleChromeDeviceTrustConnector(View):
    """Google Chrome Device-trust connector based endpoint authenticator"""
    def get_flow_plan(self) -> FlowPlan:
        flow_plan: FlowPlan = self.request.session[SESSION_KEY_PLAN]
        return flow_plan
    def setup(self, request: HttpRequest, *args: Any, **kwargs: Any) -> None:
        super().setup(request, *args, **kwargs)
        stage: AuthenticatorEndpointGDTCStage = self.get_flow_plan().bindings[0].stage
        self.google_client = build(
            "verifiedaccess",
            "v2",
            cache_discovery=False,
            **stage.google_credentials(),
        )
    def get(self, request: HttpRequest) -> HttpResponse:
        x_device_trust = request.headers.get(HEADER_DEVICE_TRUST)
        x_access_challenge_response = request.headers.get(HEADER_ACCESS_CHALLENGE_RESPONSE)
        if x_device_trust == "VerifiedAccess" and x_access_challenge_response is None:
            challenge = self.google_client.challenge().generate().execute()
            res = HttpResponseRedirect(
                self.request.build_absolute_uri(
                    reverse("authentik_stages_authenticator_endpoint_gdtc:chrome")
                )
            )
            res[HEADER_ACCESS_CHALLENGE] = dumps(challenge)
            return res
        if x_access_challenge_response:
            response = (
                self.google_client.challenge()
                .verify(body=loads(x_access_challenge_response))
                .execute()
            )
            # Remove deprecated string representation of deviceSignals
            response.pop("deviceSignal", None)
            flow_plan: FlowPlan = self.get_flow_plan()
            device, _ = EndpointDevice.objects.update_or_create(
                host_identifier=response["deviceSignals"]["serialNumber"],
                user=flow_plan.context.get(PLAN_CONTEXT_PENDING_USER),
                defaults={"name": response["deviceSignals"]["hostname"], "data": response},
            )
            EndpointDeviceConnection.objects.update_or_create(
                device=device,
                stage=flow_plan.bindings[0].stage,
                defaults={
                    "attributes": response,
                },
            )
            flow_plan.context.setdefault(PLAN_CONTEXT_METHOD, "trusted_endpoint")
            flow_plan.context.setdefault(PLAN_CONTEXT_METHOD_ARGS, {})
            flow_plan.context[PLAN_CONTEXT_METHOD_ARGS].setdefault("endpoints", [])
            flow_plan.context[PLAN_CONTEXT_METHOD_ARGS]["endpoints"].append(response)
            request.session[SESSION_KEY_PLAN] = flow_plan
        return TemplateResponse(request, "stages/authenticator_endpoint/google_chrome_dtc.html")
--- a/authentik/events/context_processors/asn.py
+++ b/authentik/events/context_processors/asn.py
@ -50,7 +50,7 @@ class ASNContextProcessor(MMDBContextProcessor):
        """Wrapper for Reader.asn"""
        with start_span(
            op="authentik.events.asn.asn",
-            name=ip_address,
+            description=ip_address,
        ):
            if not self.configured():
                return None
--- a/authentik/events/context_processors/geoip.py
+++ b/authentik/events/context_processors/geoip.py
@ -51,7 +51,7 @@ class GeoIPContextProcessor(MMDBContextProcessor):
        """Wrapper for Reader.city"""
        with start_span(
            op="authentik.events.geo.city",
-            name=ip_address,
+            description=ip_address,
        ):
            if not self.configured():
                return None
--- a/authentik/events/migrations/0008_alter_event_action.py
+++ b/authentik/events/migrations/0008_alter_event_action.py
@ -0,0 +1,49 @@
 # Generated by Django 5.0.9 on 2024-09-25 11:06
 from django.db import migrations, models
 class Migration(migrations.Migration):
    dependencies = [
        ("authentik_events", "0007_event_authentik_e_action_9a9dd9_idx_and_more"),
    ]
    operations = [
        migrations.AlterField(
            model_name="event",
            name="action",
            field=models.TextField(
                choices=[
                    ("login", "Login"),
                    ("login_failed", "Login Failed"),
                    ("logout", "Logout"),
                    ("user_write", "User Write"),
                    ("suspicious_request", "Suspicious Request"),
                    ("password_set", "Password Set"),
                    ("secret_view", "Secret View"),
                    ("secret_rotate", "Secret Rotate"),
                    ("invitation_used", "Invite Used"),
                    ("authorize_application", "Authorize Application"),
                    ("source_linked", "Source Linked"),
                    ("impersonation_started", "Impersonation Started"),
                    ("impersonation_ended", "Impersonation Ended"),
                    ("flow_execution", "Flow Execution"),
                    ("policy_execution", "Policy Execution"),
                    ("policy_exception", "Policy Exception"),
                    ("property_mapping_exception", "Property Mapping Exception"),
                    ("system_task_execution", "System Task Execution"),
                    ("system_task_exception", "System Task Exception"),
                    ("system_exception", "System Exception"),
                    ("configuration_error", "Configuration Error"),
                    ("model_created", "Model Created"),
                    ("model_updated", "Model Updated"),
                    ("model_deleted", "Model Deleted"),
                    ("email_sent", "Email Sent"),
                    ("analytics_sent", "Analytics Sent"),
                    ("update_available", "Update Available"),
                    ("custom_", "Custom Prefix"),
                ]
            ),
        ),
    ]
--- a/authentik/events/models.py
+++ b/authentik/events/models.py
@ -60,7 +60,7 @@ def default_event_duration():
    """Default duration an Event is saved.
    This is used as a fallback when no brand is available"""
    try:
-        tenant = get_current_tenant(only=["event_retention"])
+        tenant = get_current_tenant()
        return now() + timedelta_from_string(tenant.event_retention)
    except Tenant.DoesNotExist:
        return now() + timedelta(days=365)
@ -119,6 +119,7 @@ class EventAction(models.TextChoices):
    MODEL_DELETED = "model_deleted"
    EMAIL_SENT = "email_sent"
    ANALYTICS_SENT = "analytics_sent"
    UPDATE_AVAILABLE = "update_available"
    CUSTOM_PREFIX = "custom_"
--- a/authentik/events/signals.py
+++ b/authentik/events/signals.py
@ -1,16 +1,13 @@
 """authentik events signal listener"""
 from importlib import import_module
 from typing import Any
 from django.conf import settings
 from django.contrib.auth.signals import user_logged_in, user_logged_out
 from django.db.models.signals import post_save, pre_delete
 from django.dispatch import receiver
 from django.http import HttpRequest
 from rest_framework.request import Request
-from authentik.core.models import AuthenticatedSession, User
+from authentik.core.models import User
 from authentik.core.signals import login_failed, password_changed
 from authentik.events.apps import SYSTEM_TASK_STATUS
 from authentik.events.models import Event, EventAction, SystemTask
@ -26,7 +23,6 @@ from authentik.stages.user_write.signals import user_write
 from authentik.tenants.utils import get_current_tenant
 SESSION_LOGIN_EVENT = "login_event"
 _session_engine = import_module(settings.SESSION_ENGINE)
@receiver(user_logged_in)
@ -47,20 +43,11 @@ def on_user_logged_in(sender, request: HttpRequest, user: User, **_):
            kwargs[PLAN_CONTEXT_OUTPOST] = flow_plan.context[PLAN_CONTEXT_OUTPOST]
    event = Event.new(EventAction.LOGIN, **kwargs).from_http(request, user=user)
    request.session[SESSION_LOGIN_EVENT] = event
    request.session.save()
-def get_login_event(request_or_session: HttpRequest | AuthenticatedSession | None) -> Event | None:
+def get_login_event(request: HttpRequest) -> Event | None:
    """Wrapper to get login event that can be mocked in tests"""
-    session = None
+    return request.session.get(SESSION_LOGIN_EVENT, None)
    if not request_or_session:
        return None
    if isinstance(request_or_session, HttpRequest | Request):
        session = request_or_session.session
    if isinstance(request_or_session, AuthenticatedSession):
        SessionStore = _session_engine.SessionStore
        session = SessionStore(request_or_session.session_key)
    return session.get(SESSION_LOGIN_EVENT, None)
@receiver(user_logged_out)
--- a/authentik/flows/challenge.py
+++ b/authentik/flows/challenge.py
@ -8,7 +8,7 @@ from uuid import UUID
 from django.core.serializers.json import DjangoJSONEncoder
 from django.db import models
 from django.http import JsonResponse
-from rest_framework.fields import BooleanField, CharField, ChoiceField, DictField
+from rest_framework.fields import CharField, ChoiceField, DictField
 from rest_framework.request import Request
 from authentik.core.api.utils import PassiveSerializer
@ -110,21 +110,8 @@ class FlowErrorChallenge(Challenge):
 class AccessDeniedChallenge(WithUserInfoChallenge):
    """Challenge when a flow's active stage calls `stage_invalid()`."""
    component = CharField(default="ak-stage-access-denied")
    error_message = CharField(required=False)
-
+    component = CharField(default="ak-stage-access-denied")
 class SessionEndChallenge(WithUserInfoChallenge):
    """Challenge for ending a session"""
    component = CharField(default="ak-stage-session-end")
    application_name = CharField(required=False)
    application_launch_url = CharField(required=False)
    invalidation_flow_url = CharField(required=False)
    brand_name = CharField(required=True)
 class PermissionDict(TypedDict):
@ -160,20 +147,6 @@ class AutoSubmitChallengeResponse(ChallengeResponse):
    component = CharField(default="ak-stage-autosubmit")
 class FrameChallenge(Challenge):
    """Challenge type to render a frame"""
    component = CharField(default="xak-flow-frame")
    url = CharField()
    loading_overlay = BooleanField(default=False)
    loading_text = CharField()
 class FrameChallengeResponse(ChallengeResponse):
    component = CharField(default="xak-flow-frame")
 class DataclassEncoder(DjangoJSONEncoder):
    """Convert any dataclass to json"""
--- a/authentik/flows/migrations/0027_auto_20231028_1424.py
+++ b/authentik/flows/migrations/0027_auto_20231028_1424.py
@ -6,18 +6,20 @@ from django.db.backends.base.schema import BaseDatabaseSchemaEditor
 def set_oobe_flow_authentication(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
-    from guardian.conf import settings as guardian_settings
+    from guardian.shortcuts import get_anonymous_user
    Flow = apps.get_model("authentik_flows", "Flow")
    User = apps.get_model("authentik_core", "User")
    db_alias = schema_editor.connection.alias
-    users = (
+    users = User.objects.using(db_alias).exclude(username="akadmin")
-        User.objects.using(db_alias)
+    try:
-        .exclude(username="akadmin")
+        users = users.exclude(pk=get_anonymous_user().pk)
-        .exclude(username=guardian_settings.ANONYMOUS_USER_NAME)
+
-    )
+    except Exception:  # nosec
        pass
    if users.exists():
        Flow.objects.using(db_alias).filter(slug="initial-setup").update(
            authentication="require_superuser"
--- a/authentik/flows/models.py
+++ b/authentik/flows/models.py
@ -107,9 +107,7 @@ class Stage(SerializerModel):
 def in_memory_stage(view: type["StageView"], **kwargs) -> Stage:
-    """Creates an in-memory stage instance, based on a `view` as view.
+    """Creates an in-memory stage instance, based on a `view` as view."""
    Any key-word arguments are set as attributes on the stage object,
    accessible via `self.executor.current_stage`."""
    stage = Stage()
    # Because we can't pickle a locally generated function,
    # we set the view as a separate property and reference a generic function
--- a/authentik/flows/planner.py
+++ b/authentik/flows/planner.py
@ -166,7 +166,7 @@ class FlowPlanner:
    def plan(self, request: HttpRequest, default_context: dict[str, Any] | None = None) -> FlowPlan:
        """Check each of the flows' policies, check policies for each stage with PolicyBinding
        and return ordered list"""
-        with start_span(op="authentik.flow.planner.plan", name=self.flow.slug) as span:
+        with start_span(op="authentik.flow.planner.plan", description=self.flow.slug) as span:
            span: Span
            span.set_data("flow", self.flow)
            span.set_data("request", request)
@ -233,7 +233,7 @@ class FlowPlanner:
        with (
            start_span(
                op="authentik.flow.planner.build_plan",
-                name=self.flow.slug,
+                description=self.flow.slug,
            ) as span,
            HIST_FLOWS_PLAN_TIME.labels(flow_slug=self.flow.slug).time(),
        ):
--- a/authentik/flows/stage.py
+++ b/authentik/flows/stage.py
@ -13,7 +13,7 @@ from rest_framework.request import Request
 from sentry_sdk import start_span
 from structlog.stdlib import BoundLogger, get_logger
-from authentik.core.models import Application, User
+from authentik.core.models import User
 from authentik.flows.challenge import (
    AccessDeniedChallenge,
    Challenge,
@ -21,7 +21,6 @@ from authentik.flows.challenge import (
    ContextualFlowInfo,
    HttpChallengeResponse,
    RedirectChallenge,
    SessionEndChallenge,
    WithUserInfoChallenge,
 )
 from authentik.flows.exceptions import StageInvalidException
@ -126,7 +125,7 @@ class ChallengeStageView(StageView):
            with (
                start_span(
                    op="authentik.flow.stage.challenge_invalid",
-                    name=self.__class__.__name__,
+                    description=self.__class__.__name__,
                ),
                HIST_FLOWS_STAGE_TIME.labels(
                    stage_type=self.__class__.__name__, method="challenge_invalid"
@ -136,7 +135,7 @@ class ChallengeStageView(StageView):
        with (
            start_span(
                op="authentik.flow.stage.challenge_valid",
-                name=self.__class__.__name__,
+                description=self.__class__.__name__,
            ),
            HIST_FLOWS_STAGE_TIME.labels(
                stage_type=self.__class__.__name__, method="challenge_valid"
@ -162,7 +161,7 @@ class ChallengeStageView(StageView):
        with (
            start_span(
                op="authentik.flow.stage.get_challenge",
-                name=self.__class__.__name__,
+                description=self.__class__.__name__,
            ),
            HIST_FLOWS_STAGE_TIME.labels(
                stage_type=self.__class__.__name__, method="get_challenge"
@ -175,7 +174,7 @@ class ChallengeStageView(StageView):
                return self.executor.stage_invalid()
        with start_span(
            op="authentik.flow.stage._get_challenge",
-            name=self.__class__.__name__,
+            description=self.__class__.__name__,
        ):
            if not hasattr(challenge, "initial_data"):
                challenge.initial_data = {}
@ -231,7 +230,7 @@ class ChallengeStageView(StageView):
        return HttpChallengeResponse(challenge_response)
-class AccessDeniedStage(ChallengeStageView):
+class AccessDeniedChallengeView(ChallengeStageView):
    """Used internally by FlowExecutor's stage_invalid()"""
    error_message: str | None
@ -269,31 +268,3 @@ class RedirectStage(ChallengeStageView):
    def challenge_valid(self, response: ChallengeResponse) -> HttpResponse:
        return HttpChallengeResponse(self.get_challenge())
 class SessionEndStage(ChallengeStageView):
    """Stage inserted when a flow is used as invalidation flow. By default shows actions
    that the user is likely to take after signing out of a provider."""
    def get_challenge(self, *args, **kwargs) -> Challenge:
        application: Application | None = self.executor.plan.context.get(PLAN_CONTEXT_APPLICATION)
        data = {
            "component": "ak-stage-session-end",
            "brand_name": self.request.brand.branding_title,
        }
        if application:
            data["application_name"] = application.name
            data["application_launch_url"] = application.get_launch_url(self.get_pending_user())
        if self.request.brand.flow_invalidation:
            data["invalidation_flow_url"] = reverse(
                "authentik_core:if-flow",
                kwargs={
                    "flow_slug": self.request.brand.flow_invalidation.slug,
                },
            )
        return SessionEndChallenge(data=data)
    # This can never be reached since this challenge is created on demand and only the
    # .get() method is called
    def challenge_valid(self, response: ChallengeResponse) -> HttpResponse:  # pragma: no cover
        return self.executor.cancel()
--- a/authentik/flows/templates/if/flow.html
+++ b/authentik/flows/templates/if/flow.html
@ -18,7 +18,7 @@ window.authentik.flow = {
 {% endblock %}
 {% block head %}
-<script src="{% versioned_script 'dist/flow/FlowInterface-%v.js' %}" type="module"></script>
+{% versioned_script "dist/flow/FlowInterface-%v.js" %}
 <style>
 :root {
    --ak-flow-background: url("{{ flow.background_url }}");
--- a/authentik/flows/tests/test_inspector.py
+++ b/authentik/flows/tests/test_inspector.py
@ -46,7 +46,6 @@ class TestFlowInspector(APITestCase):
            res.content,
            {
                "allow_show_password": False,
                "captcha_stage": None,
                "component": "ak-stage-identification",
                "flow_info": {
                    "background": flow.background_url,
--- a/authentik/flows/views/executor.py
+++ b/authentik/flows/views/executor.py
@ -54,7 +54,7 @@ from authentik.flows.planner import (
    FlowPlan,
    FlowPlanner,
 )
-from authentik.flows.stage import AccessDeniedStage, StageView
+from authentik.flows.stage import AccessDeniedChallengeView, StageView
 from authentik.lib.sentry import SentryIgnoredException
 from authentik.lib.utils.errors import exception_to_string
 from authentik.lib.utils.reflection import all_subclasses, class_to_path
@ -153,7 +153,7 @@ class FlowExecutorView(APIView):
        return plan
    def dispatch(self, request: HttpRequest, flow_slug: str) -> HttpResponse:
-        with start_span(op="authentik.flow.executor.dispatch", name=self.flow.slug) as span:
+        with start_span(op="authentik.flow.executor.dispatch", description=self.flow.slug) as span:
            span.set_data("authentik Flow", self.flow.slug)
            get_params = QueryDict(request.GET.get(QS_QUERY, ""))
            if QS_KEY_TOKEN in get_params:
@ -273,7 +273,7 @@ class FlowExecutorView(APIView):
            with (
                start_span(
                    op="authentik.flow.executor.stage",
-                    name=class_path,
+                    description=class_path,
                ) as span,
                HIST_FLOW_EXECUTION_STAGE_TIME.labels(
                    method=request.method.upper(),
@ -324,7 +324,7 @@ class FlowExecutorView(APIView):
            with (
                start_span(
                    op="authentik.flow.executor.stage",
-                    name=class_path,
+                    description=class_path,
                ) as span,
                HIST_FLOW_EXECUTION_STAGE_TIME.labels(
                    method=request.method.upper(),
@ -441,7 +441,7 @@ class FlowExecutorView(APIView):
            )
            return self.restart_flow(keep_context)
        self.cancel()
-        challenge_view = AccessDeniedStage(self, error_message)
+        challenge_view = AccessDeniedChallengeView(self, error_message)
        challenge_view.request = self.request
        return to_stage_response(self.request, challenge_view.get(self.request))
--- a/authentik/lib/default.yml
+++ b/authentik/lib/default.yml
@ -1,4 +1,4 @@
-# update website/docs/install-config/configuration/configuration.mdx
+# update website/docs/installation/configuration.mdx
 # This is the default configuration file
 postgresql:
  host: localhost
@ -105,10 +105,6 @@ ldap:
  tls:
    ciphers: null
 sources:
  kerberos:
    task_timeout_hours: 2
 reputation:
  expiry: 86400
--- a/authentik/lib/tests/test_http.py
+++ b/authentik/lib/tests/test_http.py
@ -30,11 +30,6 @@ class TestHTTP(TestCase):
        request = self.factory.get("/", HTTP_X_FORWARDED_FOR="127.0.0.2")
        self.assertEqual(ClientIPMiddleware.get_client_ip(request), "127.0.0.2")
    def test_forward_for_invalid(self):
        """Test invalid forward for"""
        request = self.factory.get("/", HTTP_X_FORWARDED_FOR="foobar")
        self.assertEqual(ClientIPMiddleware.get_client_ip(request), ClientIPMiddleware.default_ip)
    def test_fake_outpost(self):
        """Test faked IP which is overridden by an outpost"""
        token = Token.objects.create(
@ -58,17 +53,6 @@ class TestHTTP(TestCase):
            },
        )
        self.assertEqual(ClientIPMiddleware.get_client_ip(request), "127.0.0.1")
        # Invalid, not a real IP
        self.user.type = UserTypes.INTERNAL_SERVICE_ACCOUNT
        self.user.save()
        request = self.factory.get(
            "/",
            **{
                ClientIPMiddleware.outpost_remote_ip_header: "foobar",
                ClientIPMiddleware.outpost_token_header: token.key,
            },
        )
        self.assertEqual(ClientIPMiddleware.get_client_ip(request), "127.0.0.1")
        # Valid
        self.user.type = UserTypes.INTERNAL_SERVICE_ACCOUNT
        self.user.save()
--- a/authentik/lib/utils/http.py
+++ b/authentik/lib/utils/http.py
@ -21,14 +21,7 @@ class DebugSession(Session):
    def send(self, req: PreparedRequest, *args, **kwargs):
        request_id = str(uuid4())
-        LOGGER.debug(
+        LOGGER.debug("HTTP request sent", uid=request_id, path=req.path_url, headers=req.headers)
            "HTTP request sent",
            uid=request_id,
            url=req.url,
            method=req.method,
            headers=req.headers,
            body=req.body,
        )
        resp = super().send(req, *args, **kwargs)
        LOGGER.debug(
            "HTTP response received",
--- a/authentik/outposts/models.py
+++ b/authentik/outposts/models.py
@ -53,7 +53,7 @@ class ServiceConnectionInvalid(SentryIgnoredException):
 class OutpostConfig:
    """Configuration an outpost uses to configure it self"""
-    # update website/docs/add-secure-apps/outposts/_config.md
+    # update website/docs/outposts/_config.md
    authentik_host: str = ""
    authentik_host_insecure: bool = False
--- a/authentik/policies/engine.py
+++ b/authentik/policies/engine.py
@ -113,7 +113,7 @@ class PolicyEngine:
        with (
            start_span(
                op="authentik.policy.engine.build",
-                name=self.__pbm,
+                description=self.__pbm,
            ) as span,
            HIST_POLICIES_ENGINE_TOTAL_TIME.labels(
                obj_type=class_to_path(self.__pbm.__class__),
--- a/authentik/policies/event_matcher/migrations/0024_alter_eventmatcherpolicy_action.py
+++ b/authentik/policies/event_matcher/migrations/0024_alter_eventmatcherpolicy_action.py
@ -0,0 +1,52 @@
 # Generated by Django 5.0.9 on 2024-09-25 11:06
 from django.db import migrations, models
 class Migration(migrations.Migration):
    dependencies = [
        ("authentik_policies_event_matcher", "0023_alter_eventmatcherpolicy_action_and_more"),
    ]
    operations = [
        migrations.AlterField(
            model_name="eventmatcherpolicy",
            name="action",
            field=models.TextField(
                choices=[
                    ("login", "Login"),
                    ("login_failed", "Login Failed"),
                    ("logout", "Logout"),
                    ("user_write", "User Write"),
                    ("suspicious_request", "Suspicious Request"),
                    ("password_set", "Password Set"),
                    ("secret_view", "Secret View"),
                    ("secret_rotate", "Secret Rotate"),
                    ("invitation_used", "Invite Used"),
                    ("authorize_application", "Authorize Application"),
                    ("source_linked", "Source Linked"),
                    ("impersonation_started", "Impersonation Started"),
                    ("impersonation_ended", "Impersonation Ended"),
                    ("flow_execution", "Flow Execution"),
                    ("policy_execution", "Policy Execution"),
                    ("policy_exception", "Policy Exception"),
                    ("property_mapping_exception", "Property Mapping Exception"),
                    ("system_task_execution", "System Task Execution"),
                    ("system_task_exception", "System Task Exception"),
                    ("system_exception", "System Exception"),
                    ("configuration_error", "Configuration Error"),
                    ("model_created", "Model Created"),
                    ("model_updated", "Model Updated"),
                    ("model_deleted", "Model Deleted"),
                    ("email_sent", "Email Sent"),
                    ("analytics_sent", "Analytics Sent"),
                    ("update_available", "Update Available"),
                    ("custom_", "Custom Prefix"),
                ],
                default=None,
                help_text="Match created events with this action type. When left empty, all action types will be matched.",
                null=True,
            ),
        ),
    ]
--- a/authentik/policies/event_matcher/models.py
+++ b/authentik/policies/event_matcher/models.py
@ -108,7 +108,7 @@ class EventMatcherPolicy(Policy):
                result=result,
            )
            matches.append(result)
-        passing = all(x.passing for x in matches)
+        passing = any(x.passing for x in matches)
        messages = chain(*[x.messages for x in matches])
        result = PolicyResult(passing, *messages)
        result.source_results = matches
--- a/authentik/policies/event_matcher/tests.py
+++ b/authentik/policies/event_matcher/tests.py
@ -77,24 +77,11 @@ class TestEventMatcherPolicy(TestCase):
        request = PolicyRequest(get_anonymous_user())
        request.context["event"] = event
        policy: EventMatcherPolicy = EventMatcherPolicy.objects.create(
-            client_ip="1.2.3.5", app="foo"
+            client_ip="1.2.3.5", app="bar"
        )
        response = policy.passes(request)
        self.assertFalse(response.passing)
    def test_multiple(self):
        """Test multiple"""
        event = Event.new(EventAction.LOGIN)
        event.app = "foo"
        event.client_ip = "1.2.3.4"
        request = PolicyRequest(get_anonymous_user())
        request.context["event"] = event
        policy: EventMatcherPolicy = EventMatcherPolicy.objects.create(
            client_ip="1.2.3.4", app="foo"
        )
        response = policy.passes(request)
        self.assertTrue(response.passing)
    def test_invalid(self):
        """Test passing event"""
        request = PolicyRequest(get_anonymous_user())
--- a/authentik/policies/password/models.py
+++ b/authentik/policies/password/models.py
@ -89,10 +89,6 @@ class PasswordPolicy(Policy):
    def passes_static(self, password: str, request: PolicyRequest) -> PolicyResult:
        """Check static rules"""
        error_message = self.error_message
        if error_message == "":
            error_message = _("Invalid password.")
        if len(password) < self.length_min:
            LOGGER.debug("password failed", check="static", reason="length")
            return PolicyResult(False, self.error_message)
--- a/authentik/providers/ldap/api.py
+++ b/authentik/providers/ldap/api.py
@ -87,7 +87,6 @@ class LDAPOutpostConfigSerializer(ModelSerializer):
    application_slug = SerializerMethodField()
    bind_flow_slug = CharField(source="authorization_flow.slug")
    unbind_flow_slug = SerializerMethodField()
    def get_application_slug(self, instance: LDAPProvider) -> str:
        """Prioritise backchannel slug over direct application slug"""
@ -95,16 +94,6 @@ class LDAPOutpostConfigSerializer(ModelSerializer):
            return instance.backchannel_application.slug
        return instance.application.slug
    def get_unbind_flow_slug(self, instance: LDAPProvider) -> str | None:
        """Get slug for unbind flow, defaulting to brand's default flow."""
        flow = instance.invalidation_flow
        if not flow and "request" in self.context:
            request = self.context.get("request")
            flow = request.brand.flow_invalidation
        if not flow:
            return None
        return flow.slug
    class Meta:
        model = LDAPProvider
        fields = [
@ -112,7 +101,6 @@ class LDAPOutpostConfigSerializer(ModelSerializer):
            "name",
            "base_dn",
            "bind_flow_slug",
            "unbind_flow_slug",
            "application_slug",
            "certificate",
            "tls_server_name",
@ -159,10 +147,7 @@ class LDAPOutpostConfigViewSet(ListModelMixin, GenericViewSet):
        access_response = PolicyResult(result.passing)
        response = self.LDAPCheckAccessSerializer(
            instance={
-                "has_search_permission": (
+                "has_search_permission": request.user.has_perm("search_full_directory", provider),
                    request.user.has_perm("search_full_directory", provider)
                    or request.user.has_perm("authentik_providers_ldap.search_full_directory")
                ),
                "access": access_response,
            }
        )
--- a/authentik/providers/oauth2/api/providers.py
+++ b/authentik/providers/oauth2/api/providers.py
@ -1,18 +1,15 @@
 """OAuth2Provider API Views"""
 from copy import copy
 from re import compile
 from re import error as RegexError
 from django.urls import reverse
 from django.utils import timezone
 from django.utils.translation import gettext_lazy as _
 from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import OpenApiParameter, OpenApiResponse, extend_schema
 from guardian.shortcuts import get_objects_for_user
 from rest_framework.decorators import action
 from rest_framework.exceptions import ValidationError
-from rest_framework.fields import CharField, ChoiceField
+from rest_framework.fields import CharField
 from rest_framework.generics import get_object_or_404
 from rest_framework.request import Request
 from rest_framework.response import Response
@ -23,39 +20,13 @@ from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import PassiveSerializer, PropertyMappingPreviewSerializer
 from authentik.core.models import Provider
 from authentik.providers.oauth2.id_token import IDToken
-from authentik.providers.oauth2.models import (
+from authentik.providers.oauth2.models import AccessToken, OAuth2Provider, ScopeMapping
    AccessToken,
    OAuth2Provider,
    RedirectURIMatchingMode,
    ScopeMapping,
 )
 from authentik.rbac.decorators import permission_required
 class RedirectURISerializer(PassiveSerializer):
    """A single allowed redirect URI entry"""
    matching_mode = ChoiceField(choices=RedirectURIMatchingMode.choices)
    url = CharField()
 class OAuth2ProviderSerializer(ProviderSerializer):
    """OAuth2Provider Serializer"""
    redirect_uris = RedirectURISerializer(many=True, source="_redirect_uris")
    def validate_redirect_uris(self, data: list) -> list:
        for entry in data:
            if entry.get("matching_mode") == RedirectURIMatchingMode.REGEX:
                url = entry.get("url")
                try:
                    compile(url)
                except RegexError:
                    raise ValidationError(
                        _("Invalid Regex Pattern: {url}".format(url=url))
                    ) from None
        return data
    class Meta:
        model = OAuth2Provider
        fields = ProviderSerializer.Meta.fields + [
@ -68,7 +39,6 @@ class OAuth2ProviderSerializer(ProviderSerializer):
            "refresh_token_validity",
            "include_claims_in_id_token",
            "signing_key",
            "encryption_key",
            "redirect_uris",
            "sub_mode",
            "property_mappings",
@ -108,6 +78,7 @@ class OAuth2ProviderViewSet(UsedByMixin, ModelViewSet):
        "refresh_token_validity",
        "include_claims_in_id_token",
        "signing_key",
        "redirect_uris",
        "sub_mode",
        "property_mappings",
        "issuer_mode",
--- a/authentik/providers/oauth2/errors.py
+++ b/authentik/providers/oauth2/errors.py
@ -7,7 +7,7 @@ from django.http import HttpRequest, HttpResponse, HttpResponseRedirect
 from authentik.events.models import Event, EventAction
 from authentik.lib.sentry import SentryIgnoredException
 from authentik.lib.views import bad_request_message
-from authentik.providers.oauth2.models import GrantTypes, RedirectURI
+from authentik.providers.oauth2.models import GrantTypes
 class OAuth2Error(SentryIgnoredException):
@ -46,9 +46,9 @@ class RedirectUriError(OAuth2Error):
    )
    provided_uri: str
-    allowed_uris: list[RedirectURI]
+    allowed_uris: list[str]
-    def __init__(self, provided_uri: str, allowed_uris: list[RedirectURI]) -> None:
+    def __init__(self, provided_uri: str, allowed_uris: list[str]) -> None:
        super().__init__()
        self.provided_uri = provided_uri
        self.allowed_uris = allowed_uris
--- a/authentik/providers/oauth2/id_token.py
+++ b/authentik/providers/oauth2/id_token.py
@ -1,7 +1,6 @@
 """id_token utils"""
 from dataclasses import asdict, dataclass, field
 from hashlib import sha256
 from typing import TYPE_CHECKING, Any
 from django.db import models
@ -24,13 +23,8 @@ if TYPE_CHECKING:
    from authentik.providers.oauth2.models import BaseGrantModel, OAuth2Provider
 def hash_session_key(session_key: str) -> str:
    """Hash the session key for inclusion in JWTs as `sid`"""
    return sha256(session_key.encode("ascii")).hexdigest()
 class SubModes(models.TextChoices):
-    """Mode after which 'sub' attribute is generated, for compatibility reasons"""
+    """Mode after which 'sub' attribute is generateed, for compatibility reasons"""
    HASHED_USER_ID = "hashed_user_id", _("Based on the Hashed User ID")
    USER_ID = "user_id", _("Based on user ID")
@ -57,8 +51,7 @@ class IDToken:
    and potentially other requested Claims. The ID Token is represented as a
    JSON Web Token (JWT) [JWT].
-    https://openid.net/specs/openid-connect-core-1_0.html#IDToken
+    https://openid.net/specs/openid-connect-core-1_0.html#IDToken"""
    https://www.iana.org/assignments/jwt/jwt.xhtml"""
    # Issuer, https://www.rfc-editor.org/rfc/rfc7519.html#section-4.1.1
    iss: str | None = None
@ -86,8 +79,6 @@ class IDToken:
    nonce: str | None = None
    # Access Token hash value, http://openid.net/specs/openid-connect-core-1_0.html
    at_hash: str | None = None
    # Session ID, https://openid.net/specs/openid-connect-frontchannel-1_0.html#ClaimsContents
    sid: str | None = None
    claims: dict[str, Any] = field(default_factory=dict)
@ -125,11 +116,9 @@ class IDToken:
        now = timezone.now()
        id_token.iat = int(now.timestamp())
        id_token.auth_time = int(token.auth_time.timestamp())
        if token.session:
            id_token.sid = hash_session_key(token.session.session_key)
        # We use the timestamp of the user's last successful login (EventAction.LOGIN) for auth_time
-        auth_event = get_login_event(token.session)
+        auth_event = get_login_event(request)
        if auth_event:
            # Also check which method was used for authentication
            method = auth_event.context.get(PLAN_CONTEXT_METHOD, "")
--- a/authentik/providers/oauth2/migrations/0007_auto_20201016_1107_squashed_0017_alter_oauth2provider_token_validity.py
+++ b/authentik/providers/oauth2/migrations/0007_auto_20201016_1107_squashed_0017_alter_oauth2provider_token_validity.py
@ -3,7 +3,6 @@
 import django.db.models.deletion
 from django.apps.registry import Apps
 from django.db import migrations, models
 from django.db.backends.base.schema import BaseDatabaseSchemaEditor
 import authentik.lib.utils.time
@ -15,7 +14,7 @@ scope_uid_map = {
 }
-def set_managed_flag(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
+def set_managed_flag(apps: Apps, schema_editor):
    ScopeMapping = apps.get_model("authentik_providers_oauth2", "ScopeMapping")
    db_alias = schema_editor.connection.alias
    for mapping in ScopeMapping.objects.using(db_alias).filter(name__startswith="Autogenerated "):
--- a/authentik/providers/oauth2/migrations/0019_accesstoken_authentik_p_token_4bc870_idx_and_more.py
+++ b/authentik/providers/oauth2/migrations/0019_accesstoken_authentik_p_token_4bc870_idx_and_more.py
@ -1,26 +0,0 @@
 # Generated by Django 5.0.9 on 2024-09-26 16:25
 from django.conf import settings
 from django.db import migrations, models
 class Migration(migrations.Migration):
    dependencies = [
        ("authentik_providers_oauth2", "0018_alter_accesstoken_expires_and_more"),
        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
    ]
    # Original preserved
    # See https://github.com/goauthentik/authentik/issues/11874
    # operations = [
    #     migrations.AddIndex(
    #         model_name="accesstoken",
    #         index=models.Index(fields=["token"], name="authentik_p_token_4bc870_idx"),
    #     ),
    #     migrations.AddIndex(
    #         model_name="refreshtoken",
    #         index=models.Index(fields=["token"], name="authentik_p_token_1a841f_idx"),
    #     ),
    # ]
    operations = []
--- a/authentik/providers/oauth2/migrations/0020_remove_accesstoken_authentik_p_token_4bc870_idx_and_more.py
+++ b/authentik/providers/oauth2/migrations/0020_remove_accesstoken_authentik_p_token_4bc870_idx_and_more.py
@ -1,34 +0,0 @@
 # Generated by Django 5.0.9 on 2024-09-27 14:50
 from django.conf import settings
 from django.db import migrations, models
 class Migration(migrations.Migration):
    dependencies = [
        ("authentik_providers_oauth2", "0019_accesstoken_authentik_p_token_4bc870_idx_and_more"),
        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
    ]
    # Original preserved
    # See https://github.com/goauthentik/authentik/issues/11874
    # operations = [
    #     migrations.RemoveIndex(
    #         model_name="accesstoken",
    #         name="authentik_p_token_4bc870_idx",
    #     ),
    #     migrations.RemoveIndex(
    #         model_name="refreshtoken",
    #         name="authentik_p_token_1a841f_idx",
    #     ),
    #     migrations.AddIndex(
    #         model_name="accesstoken",
    #         index=models.Index(fields=["token", "provider"], name="authentik_p_token_f99422_idx"),
    #     ),
    #     migrations.AddIndex(
    #         model_name="refreshtoken",
    #         index=models.Index(fields=["token", "provider"], name="authentik_p_token_a1d921_idx"),
    #     ),
    # ]
    operations = []
--- a/authentik/providers/oauth2/migrations/0021_oauth2provider_encryption_key_and_more.py
+++ b/authentik/providers/oauth2/migrations/0021_oauth2provider_encryption_key_and_more.py
@ -1,42 +0,0 @@
 # Generated by Django 5.0.9 on 2024-10-16 14:53
 import django.db.models.deletion
 from django.db import migrations, models
 class Migration(migrations.Migration):
    dependencies = [
        ("authentik_crypto", "0004_alter_certificatekeypair_name"),
        (
            "authentik_providers_oauth2",
            "0020_remove_accesstoken_authentik_p_token_4bc870_idx_and_more",
        ),
    ]
    operations = [
        migrations.AddField(
            model_name="oauth2provider",
            name="encryption_key",
            field=models.ForeignKey(
                help_text="Key used to encrypt the tokens. When set, tokens will be encrypted and returned as JWEs.",
                null=True,
                on_delete=django.db.models.deletion.SET_NULL,
                related_name="oauth2provider_encryption_key_set",
                to="authentik_crypto.certificatekeypair",
                verbose_name="Encryption Key",
            ),
        ),
        migrations.AlterField(
            model_name="oauth2provider",
            name="signing_key",
            field=models.ForeignKey(
                help_text="Key used to sign the tokens.",
                null=True,
                on_delete=django.db.models.deletion.SET_NULL,
                related_name="oauth2provider_signing_key_set",
                to="authentik_crypto.certificatekeypair",
                verbose_name="Signing Key",
            ),
        ),
    ]
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Marc 'risson' Schmitt	435ba598bb	add tests Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>	2024-09-25 15:07:00 +02:00
Marc 'risson' Schmitt	582511abcc	add version Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>	2024-09-25 14:42:24 +02:00
Marc 'risson' Schmitt	80ea1dae81	analytics: init Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>	2024-09-25 14:37:27 +02:00