bump go api client

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

.bumpversion.cfg

@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2024.10.4
+current_version = 2024.10.2
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?:-(?P<rc_t>[a-zA-Z-]+)(?P<rc_n>[1-9]\\d*))?

Makefile

@@ -149,7 +149,7 @@ gen-client-ts: gen-clean-ts  ## Build and install the authentik API for Typescri
 	docker run \
 		--rm -v ${PWD}:/local \
 		--user ${UID}:${GID} \
-		docker.io/openapitools/openapi-generator-cli:v6.5.0 generate \
+		docker.io/openapitools/openapi-generator-cli:v7.10.0 generate \
 		-i /local/schema.yml \
 		-g typescript-fetch \
 		-o /local/${GEN_API_TS} \
@@ -165,7 +165,7 @@ gen-client-py: gen-clean-py ## Build and install the authentik API for Python
 	docker run \
 		--rm -v ${PWD}:/local \
 		--user ${UID}:${GID} \
-		docker.io/openapitools/openapi-generator-cli:v7.4.0 generate \
+		docker.io/openapitools/openapi-generator-cli:v7.10.0 generate \
 		-i /local/schema.yml \
 		-g python \
 		-o /local/${GEN_API_PY} \
@@ -184,13 +184,14 @@ gen-client-go: gen-clean-go  ## Build and install the authentik API for Golang
 	docker run \
 		--rm -v ${PWD}/${GEN_API_GO}:/local \
 		--user ${UID}:${GID} \
-		docker.io/openapitools/openapi-generator-cli:v6.5.0 generate \
+		docker.io/openapitools/openapi-generator-cli:v7.10.0 generate \
 		-i /local/schema.yml \
 		-g go \
 		-o /local/ \
 		-c /local/config.yaml
 	go mod edit -replace goauthentik.io/api/v3=./${GEN_API_GO}
-	rm -rf ./${GEN_API_GO}/config.yaml ./${GEN_API_GO}/templates/
+	rm -rf ./${GEN_API_GO}/config.yaml ./${GEN_API_GO}/templates/ ./${GEN_API_GO}/test
+	go run golang.org/x/tools/cmd/goimports@latest -w ./${GEN_API_GO}
 
 gen-dev-config:  ## Generate a local development config file
 	python -m scripts.generate_config

authentik/__init__.py

@@ -2,7 +2,7 @@
 
 from os import environ
 
-__version__ = "2024.10.4"
+__version__ = "2024.10.2"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
 
 

authentik/core/tests/test_applications_api.py

@@ -12,7 +12,7 @@ from authentik.core.tests.utils import create_test_admin_user, create_test_flow
 from authentik.lib.generators import generate_id
 from authentik.policies.dummy.models import DummyPolicy
 from authentik.policies.models import PolicyBinding
-from authentik.providers.oauth2.models import OAuth2Provider, RedirectURI, RedirectURIMatchingMode
+from authentik.providers.oauth2.models import OAuth2Provider
 from authentik.providers.proxy.models import ProxyProvider
 from authentik.providers.saml.models import SAMLProvider
 
@@ -24,7 +24,7 @@ class TestApplicationsAPI(APITestCase):
         self.user = create_test_admin_user()
         self.provider = OAuth2Provider.objects.create(
             name="test",
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://some-other-domain")],
+            redirect_uris="http://some-other-domain",
             authorization_flow=create_test_flow(),
         )
         self.allowed: Application = Application.objects.create(

authentik/core/tests/test_transactional_applications_api.py

@@ -35,7 +35,6 @@ class TestTransactionalApplicationsAPI(APITestCase):
                     "name": uid,
                     "authorization_flow": str(create_test_flow().pk),
                     "invalidation_flow": str(create_test_flow().pk),
-                    "redirect_uris": [],
                 },
             },
         )
@@ -90,7 +89,6 @@ class TestTransactionalApplicationsAPI(APITestCase):
                     "name": uid,
                     "authorization_flow": str(authorization_flow.pk),
                     "invalidation_flow": str(authorization_flow.pk),
-                    "redirect_uris": [],
                 },
                 "policy_bindings": [{"group": group.pk, "order": 0}],
             },
@@ -122,7 +120,6 @@ class TestTransactionalApplicationsAPI(APITestCase):
                     "name": uid,
                     "authorization_flow": "",
                     "invalidation_flow": "",
-                    "redirect_uris": [],
                 },
             },
         )

authentik/crypto/tests.py

@@ -18,7 +18,7 @@ from authentik.crypto.models import CertificateKeyPair
 from authentik.crypto.tasks import MANAGED_DISCOVERED, certificate_discovery
 from authentik.lib.config import CONFIG
 from authentik.lib.generators import generate_id, generate_key
-from authentik.providers.oauth2.models import OAuth2Provider, RedirectURI, RedirectURIMatchingMode
+from authentik.providers.oauth2.models import OAuth2Provider
 
 
 class TestCrypto(APITestCase):
@@ -274,7 +274,7 @@ class TestCrypto(APITestCase):
             client_id="test",
             client_secret=generate_key(),
             authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost")],
+            redirect_uris="http://localhost",
             signing_key=keypair,
         )
         response = self.client.get(
@@ -306,7 +306,7 @@ class TestCrypto(APITestCase):
             client_id="test",
             client_secret=generate_key(),
             authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost")],
+            redirect_uris="http://localhost",
             signing_key=keypair,
         )
         response = self.client.get(

authentik/providers/oauth2/api/providers.py

@@ -1,18 +1,15 @@
 """OAuth2Provider API Views"""
 
 from copy import copy
-from re import compile
-from re import error as RegexError
 
 from django.urls import reverse
 from django.utils import timezone
-from django.utils.translation import gettext_lazy as _
 from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import OpenApiParameter, OpenApiResponse, extend_schema
 from guardian.shortcuts import get_objects_for_user
 from rest_framework.decorators import action
 from rest_framework.exceptions import ValidationError
-from rest_framework.fields import CharField, ChoiceField
+from rest_framework.fields import CharField
 from rest_framework.generics import get_object_or_404
 from rest_framework.request import Request
 from rest_framework.response import Response
@@ -23,39 +20,13 @@ from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import PassiveSerializer, PropertyMappingPreviewSerializer
 from authentik.core.models import Provider
 from authentik.providers.oauth2.id_token import IDToken
-from authentik.providers.oauth2.models import (
-    AccessToken,
-    OAuth2Provider,
-    RedirectURIMatchingMode,
-    ScopeMapping,
-)
+from authentik.providers.oauth2.models import AccessToken, OAuth2Provider, ScopeMapping
 from authentik.rbac.decorators import permission_required
 
 
-class RedirectURISerializer(PassiveSerializer):
-    """A single allowed redirect URI entry"""
-
-    matching_mode = ChoiceField(choices=RedirectURIMatchingMode.choices)
-    url = CharField()
-
-
 class OAuth2ProviderSerializer(ProviderSerializer):
     """OAuth2Provider Serializer"""
 
-    redirect_uris = RedirectURISerializer(many=True, source="_redirect_uris")
-
-    def validate_redirect_uris(self, data: list) -> list:
-        for entry in data:
-            if entry.get("matching_mode") == RedirectURIMatchingMode.REGEX:
-                url = entry.get("url")
-                try:
-                    compile(url)
-                except RegexError:
-                    raise ValidationError(
-                        _("Invalid Regex Pattern: {url}".format(url=url))
-                    ) from None
-        return data
-
     class Meta:
         model = OAuth2Provider
         fields = ProviderSerializer.Meta.fields + [
@@ -108,6 +79,7 @@ class OAuth2ProviderViewSet(UsedByMixin, ModelViewSet):
         "refresh_token_validity",
         "include_claims_in_id_token",
         "signing_key",
+        "redirect_uris",
         "sub_mode",
         "property_mappings",
         "issuer_mode",

authentik/providers/oauth2/errors.py

@@ -7,7 +7,7 @@ from django.http import HttpRequest, HttpResponse, HttpResponseRedirect
 from authentik.events.models import Event, EventAction
 from authentik.lib.sentry import SentryIgnoredException
 from authentik.lib.views import bad_request_message
-from authentik.providers.oauth2.models import GrantTypes, RedirectURI
+from authentik.providers.oauth2.models import GrantTypes
 
 
 class OAuth2Error(SentryIgnoredException):
@@ -46,9 +46,9 @@ class RedirectUriError(OAuth2Error):
     )
 
     provided_uri: str
-    allowed_uris: list[RedirectURI]
+    allowed_uris: list[str]
 
-    def __init__(self, provided_uri: str, allowed_uris: list[RedirectURI]) -> None:
+    def __init__(self, provided_uri: str, allowed_uris: list[str]) -> None:
         super().__init__()
         self.provided_uri = provided_uri
         self.allowed_uris = allowed_uris

authentik/providers/oauth2/migrations/0022_remove_accesstoken_session_id_and_more.py

@@ -37,7 +37,7 @@ def migrate_session(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
 class Migration(migrations.Migration):
 
     dependencies = [
-        ("authentik_core", "0039_source_group_matching_mode_alter_group_name_and_more"),
+        ("authentik_core", "0040_provider_invalidation_flow"),
         ("authentik_providers_oauth2", "0021_oauth2provider_encryption_key_and_more"),
     ]
 

authentik/providers/oauth2/migrations/0023_alter_accesstoken_refreshtoken_use_hash_index.py

@@ -8,7 +8,7 @@ from django.db import migrations
 class Migration(migrations.Migration):
 
     dependencies = [
-        ("authentik_core", "0039_source_group_matching_mode_alter_group_name_and_more"),
+        ("authentik_core", "0040_provider_invalidation_flow"),
         ("authentik_providers_oauth2", "0022_remove_accesstoken_session_id_and_more"),
         migrations.swappable_dependency(settings.AUTH_USER_MODEL),
     ]

authentik/providers/oauth2/migrations/0024_remove_oauth2provider_redirect_uris_and_more.py

@@ -1,49 +0,0 @@
-# Generated by Django 5.0.9 on 2024-11-04 12:56
-from dataclasses import asdict
-from django.apps.registry import Apps
-
-from django.db.backends.base.schema import BaseDatabaseSchemaEditor
-
-from django.db import migrations, models
-
-
-def migrate_redirect_uris(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
-    from authentik.providers.oauth2.models import RedirectURI, RedirectURIMatchingMode
-
-    OAuth2Provider = apps.get_model("authentik_providers_oauth2", "oauth2provider")
-
-    db_alias = schema_editor.connection.alias
-    for provider in OAuth2Provider.objects.using(db_alias).all():
-        uris = []
-        for old in provider.old_redirect_uris.split("\n"):
-            mode = RedirectURIMatchingMode.STRICT
-            if old == "*" or old == ".*":
-                mode = RedirectURIMatchingMode.REGEX
-            uris.append(asdict(RedirectURI(mode, url=old)))
-        provider._redirect_uris = uris
-        provider.save()
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("authentik_providers_oauth2", "0023_alter_accesstoken_refreshtoken_use_hash_index"),
-    ]
-
-    operations = [
-        migrations.RenameField(
-            model_name="oauth2provider",
-            old_name="redirect_uris",
-            new_name="old_redirect_uris",
-        ),
-        migrations.AddField(
-            model_name="oauth2provider",
-            name="_redirect_uris",
-            field=models.JSONField(default=dict, verbose_name="Redirect URIs"),
-        ),
-        migrations.RunPython(migrate_redirect_uris, lambda *args: ...),
-        migrations.RemoveField(
-            model_name="oauth2provider",
-            name="old_redirect_uris",
-        ),
-    ]

authentik/providers/oauth2/models.py

@@ -3,7 +3,7 @@
 import base64
 import binascii
 import json
-from dataclasses import asdict, dataclass
+from dataclasses import asdict
 from functools import cached_property
 from hashlib import sha256
 from typing import Any
@@ -12,7 +12,6 @@ from urllib.parse import urlparse, urlunparse
 from cryptography.hazmat.primitives.asymmetric.ec import EllipticCurvePrivateKey
 from cryptography.hazmat.primitives.asymmetric.rsa import RSAPrivateKey
 from cryptography.hazmat.primitives.asymmetric.types import PrivateKeyTypes
-from dacite import Config
 from dacite.core import from_dict
 from django.contrib.postgres.indexes import HashIndex
 from django.db import models
@@ -78,25 +77,11 @@ class IssuerMode(models.TextChoices):
     """Configure how the `iss` field is created."""
 
     GLOBAL = "global", _("Same identifier is used for all providers")
-    PER_PROVIDER = (
-        "per_provider",
-        _("Each provider has a different issuer, based on the application slug."),
+    PER_PROVIDER = "per_provider", _(
+        "Each provider has a different issuer, based on the application slug."
     )
 
 
-class RedirectURIMatchingMode(models.TextChoices):
-    STRICT = "strict", _("Strict URL comparison")
-    REGEX = "regex", _("Regular Expression URL matching")
-
-
-@dataclass
-class RedirectURI:
-    """A single redirect URI entry"""
-
-    matching_mode: RedirectURIMatchingMode
-    url: str
-
-
 class ResponseTypes(models.TextChoices):
     """Response Type required by the client."""
 
@@ -171,9 +156,11 @@ class OAuth2Provider(WebfingerProvider, Provider):
         verbose_name=_("Client Secret"),
         default=generate_client_secret,
     )
-    _redirect_uris = models.JSONField(
-        default=dict,
+    redirect_uris = models.TextField(
+        default="",
+        blank=True,
         verbose_name=_("Redirect URIs"),
+        help_text=_("Enter each URI on a new line."),
     )
 
     include_claims_in_id_token = models.BooleanField(
@@ -284,33 +271,12 @@ class OAuth2Provider(WebfingerProvider, Provider):
         except Provider.application.RelatedObjectDoesNotExist:
             return None
 
-    @property
-    def redirect_uris(self) -> list[RedirectURI]:
-        uris = []
-        for entry in self._redirect_uris:
-            uris.append(
-                from_dict(
-                    RedirectURI,
-                    entry,
-                    config=Config(type_hooks={RedirectURIMatchingMode: RedirectURIMatchingMode}),
-                )
-            )
-        return uris
-
-    @redirect_uris.setter
-    def redirect_uris(self, value: list[RedirectURI]):
-        cleansed = []
-        for entry in value:
-            cleansed.append(asdict(entry))
-        self._redirect_uris = cleansed
-
     @property
     def launch_url(self) -> str | None:
         """Guess launch_url based on first redirect_uri"""
-        redirects = self.redirect_uris
-        if len(redirects) < 1:
+        if self.redirect_uris == "":
             return None
-        main_url = redirects[0].url
+        main_url = self.redirect_uris.split("\n", maxsplit=1)[0]
         try:
             launch_url = urlparse(main_url)._replace(path="")
             return urlunparse(launch_url)

authentik/providers/oauth2/tests/test_api.py

@@ -10,13 +10,7 @@ from rest_framework.test import APITestCase
 from authentik.blueprints.tests import apply_blueprint
 from authentik.core.models import Application
 from authentik.core.tests.utils import create_test_admin_user, create_test_flow
-from authentik.lib.generators import generate_id
-from authentik.providers.oauth2.models import (
-    OAuth2Provider,
-    RedirectURI,
-    RedirectURIMatchingMode,
-    ScopeMapping,
-)
+from authentik.providers.oauth2.models import OAuth2Provider, ScopeMapping
 
 
 class TestAPI(APITestCase):
@@ -27,7 +21,7 @@ class TestAPI(APITestCase):
         self.provider: OAuth2Provider = OAuth2Provider.objects.create(
             name="test",
             authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://testserver")],
+            redirect_uris="http://testserver",
         )
         self.provider.property_mappings.set(ScopeMapping.objects.all())
         self.app = Application.objects.create(name="test", slug="test", provider=self.provider)
@@ -56,29 +50,9 @@ class TestAPI(APITestCase):
     @skipUnless(version_info >= (3, 11, 4), "This behaviour is only Python 3.11.4 and up")
     def test_launch_url(self):
         """Test launch_url"""
-        self.provider.redirect_uris = [
-            RedirectURI(
-                RedirectURIMatchingMode.REGEX,
-                "https://[\\d\\w]+.pr.test.goauthentik.io/source/oauth/callback/authentik/",
-            ),
-        ]
+        self.provider.redirect_uris = (
+            "https://[\\d\\w]+.pr.test.goauthentik.io/source/oauth/callback/authentik/\n"
+        )
         self.provider.save()
         self.provider.refresh_from_db()
         self.assertIsNone(self.provider.launch_url)
-
-    def test_validate_redirect_uris(self):
-        """Test redirect_uris API"""
-        response = self.client.post(
-            reverse("authentik_api:oauth2provider-list"),
-            data={
-                "name": generate_id(),
-                "authorization_flow": create_test_flow().pk,
-                "invalidation_flow": create_test_flow().pk,
-                "redirect_uris": [
-                    {"matching_mode": "strict", "url": "http://goauthentik.io"},
-                    {"matching_mode": "regex", "url": "**"},
-                ],
-            },
-        )
-        self.assertJSONEqual(response.content, {"redirect_uris": ["Invalid Regex Pattern: **"]})
-        self.assertEqual(response.status_code, 400)

authentik/providers/oauth2/tests/test_authorize.py

@@ -19,8 +19,6 @@ from authentik.providers.oauth2.models import (
     AuthorizationCode,
     GrantTypes,
     OAuth2Provider,
-    RedirectURI,
-    RedirectURIMatchingMode,
     ScopeMapping,
 )
 from authentik.providers.oauth2.tests.utils import OAuthTestCase
@@ -41,7 +39,7 @@ class TestAuthorize(OAuthTestCase):
             name=generate_id(),
             client_id="test",
             authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid/Foo")],
+            redirect_uris="http://local.invalid/Foo",
         )
         with self.assertRaises(AuthorizeError):
             request = self.factory.get(
@@ -66,7 +64,7 @@ class TestAuthorize(OAuthTestCase):
             name=generate_id(),
             client_id="test",
             authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid/Foo")],
+            redirect_uris="http://local.invalid/Foo",
         )
         with self.assertRaises(AuthorizeError):
             request = self.factory.get(
@@ -86,7 +84,7 @@ class TestAuthorize(OAuthTestCase):
             name=generate_id(),
             client_id="test",
             authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")],
+            redirect_uris="http://local.invalid",
         )
         with self.assertRaises(RedirectUriError):
             request = self.factory.get("/", data={"response_type": "code", "client_id": "test"})
@@ -108,7 +106,7 @@ class TestAuthorize(OAuthTestCase):
             name=generate_id(),
             client_id="test",
             authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "data:local.invalid")],
+            redirect_uris="data:local.invalid",
         )
         with self.assertRaises(RedirectUriError):
             request = self.factory.get(
@@ -127,7 +125,7 @@ class TestAuthorize(OAuthTestCase):
             name=generate_id(),
             client_id="test",
             authorization_flow=create_test_flow(),
-            redirect_uris=[],
+            redirect_uris="",
         )
         with self.assertRaises(RedirectUriError):
             request = self.factory.get("/", data={"response_type": "code", "client_id": "test"})
@@ -142,7 +140,7 @@ class TestAuthorize(OAuthTestCase):
         )
         OAuthAuthorizationParams.from_request(request)
         provider.refresh_from_db()
-        self.assertEqual(provider.redirect_uris, [RedirectURI(RedirectURIMatchingMode.STRICT, "+")])
+        self.assertEqual(provider.redirect_uris, "+")
 
     def test_invalid_redirect_uri_regex(self):
         """test missing/invalid redirect URI"""
@@ -150,7 +148,7 @@ class TestAuthorize(OAuthTestCase):
             name=generate_id(),
             client_id="test",
             authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid?")],
+            redirect_uris="http://local.invalid?",
         )
         with self.assertRaises(RedirectUriError):
             request = self.factory.get("/", data={"response_type": "code", "client_id": "test"})
@@ -172,7 +170,7 @@ class TestAuthorize(OAuthTestCase):
             name=generate_id(),
             client_id="test",
             authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "+")],
+            redirect_uris="+",
         )
         with self.assertRaises(RedirectUriError):
             request = self.factory.get("/", data={"response_type": "code", "client_id": "test"})
@@ -215,7 +213,7 @@ class TestAuthorize(OAuthTestCase):
             name=generate_id(),
             client_id="test",
             authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid/Foo")],
+            redirect_uris="http://local.invalid/Foo",
         )
         provider.property_mappings.set(
             ScopeMapping.objects.filter(
@@ -303,7 +301,7 @@ class TestAuthorize(OAuthTestCase):
             name=generate_id(),
             client_id="test",
             authorization_flow=flow,
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "foo://localhost")],
+            redirect_uris="foo://localhost",
             access_code_validity="seconds=100",
         )
         Application.objects.create(name="app", slug="app", provider=provider)
@@ -345,7 +343,7 @@ class TestAuthorize(OAuthTestCase):
             name=generate_id(),
             client_id="test",
             authorization_flow=flow,
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost")],
+            redirect_uris="http://localhost",
             signing_key=self.keypair,
         )
         provider.property_mappings.set(
@@ -422,7 +420,7 @@ class TestAuthorize(OAuthTestCase):
             name=generate_id(),
             client_id="test",
             authorization_flow=flow,
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost")],
+            redirect_uris="http://localhost",
             signing_key=self.keypair,
             encryption_key=self.keypair,
         )
@@ -488,7 +486,7 @@ class TestAuthorize(OAuthTestCase):
             name=generate_id(),
             client_id="test",
             authorization_flow=flow,
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost")],
+            redirect_uris="http://localhost",
             signing_key=self.keypair,
         )
         Application.objects.create(name="app", slug="app", provider=provider)
@@ -543,7 +541,7 @@ class TestAuthorize(OAuthTestCase):
             name=generate_id(),
             client_id=generate_id(),
             authorization_flow=flow,
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost")],
+            redirect_uris="http://localhost",
             signing_key=self.keypair,
         )
         provider.property_mappings.set(
@@ -601,7 +599,7 @@ class TestAuthorize(OAuthTestCase):
             name=generate_id(),
             client_id=generate_id(),
             authorization_flow=flow,
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost")],
+            redirect_uris="http://localhost",
             signing_key=self.keypair,
         )
         app = Application.objects.create(name=generate_id(), slug=generate_id(), provider=provider)

authentik/providers/oauth2/tests/test_introspect.py

@@ -11,14 +11,7 @@ from authentik.core.models import Application
 from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow
 from authentik.lib.generators import generate_id
 from authentik.providers.oauth2.constants import ACR_AUTHENTIK_DEFAULT
-from authentik.providers.oauth2.models import (
-    AccessToken,
-    IDToken,
-    OAuth2Provider,
-    RedirectURI,
-    RedirectURIMatchingMode,
-    RefreshToken,
-)
+from authentik.providers.oauth2.models import AccessToken, IDToken, OAuth2Provider, RefreshToken
 from authentik.providers.oauth2.tests.utils import OAuthTestCase
 
 
@@ -30,7 +23,7 @@ class TesOAuth2Introspection(OAuthTestCase):
         self.provider: OAuth2Provider = OAuth2Provider.objects.create(
             name=generate_id(),
             authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "")],
+            redirect_uris="",
             signing_key=create_test_cert(),
         )
         self.app = Application.objects.create(
@@ -125,7 +118,7 @@ class TesOAuth2Introspection(OAuthTestCase):
         provider: OAuth2Provider = OAuth2Provider.objects.create(
             name=generate_id(),
             authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "")],
+            redirect_uris="",
             signing_key=create_test_cert(),
         )
         auth = b64encode(f"{provider.client_id}:{provider.client_secret}".encode()).decode()

authentik/providers/oauth2/tests/test_jwks.py

@@ -13,7 +13,7 @@ from authentik.core.tests.utils import create_test_cert, create_test_flow
 from authentik.crypto.builder import PrivateKeyAlg
 from authentik.crypto.models import CertificateKeyPair
 from authentik.lib.generators import generate_id
-from authentik.providers.oauth2.models import OAuth2Provider, RedirectURI, RedirectURIMatchingMode
+from authentik.providers.oauth2.models import OAuth2Provider
 from authentik.providers.oauth2.tests.utils import OAuthTestCase
 
 TEST_CORDS_CERT = """
@@ -49,7 +49,7 @@ class TestJWKS(OAuthTestCase):
             name="test",
             client_id="test",
             authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")],
+            redirect_uris="http://local.invalid",
             signing_key=create_test_cert(),
         )
         app = Application.objects.create(name="test", slug="test", provider=provider)
@@ -68,7 +68,7 @@ class TestJWKS(OAuthTestCase):
             name="test",
             client_id="test",
             authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")],
+            redirect_uris="http://local.invalid",
         )
         app = Application.objects.create(name="test", slug="test", provider=provider)
         response = self.client.get(
@@ -82,7 +82,7 @@ class TestJWKS(OAuthTestCase):
             name="test",
             client_id="test",
             authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")],
+            redirect_uris="http://local.invalid",
             signing_key=create_test_cert(PrivateKeyAlg.ECDSA),
         )
         app = Application.objects.create(name="test", slug="test", provider=provider)
@@ -99,7 +99,7 @@ class TestJWKS(OAuthTestCase):
             name="test",
             client_id="test",
             authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")],
+            redirect_uris="http://local.invalid",
             signing_key=create_test_cert(PrivateKeyAlg.ECDSA),
             encryption_key=create_test_cert(PrivateKeyAlg.ECDSA),
         )
@@ -122,7 +122,7 @@ class TestJWKS(OAuthTestCase):
             name="test",
             client_id="test",
             authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")],
+            redirect_uris="http://local.invalid",
             signing_key=cert,
         )
         app = Application.objects.create(name="test", slug="test", provider=provider)

authentik/providers/oauth2/tests/test_revoke.py

@@ -10,14 +10,7 @@ from django.utils import timezone
 from authentik.core.models import Application
 from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow
 from authentik.lib.generators import generate_id
-from authentik.providers.oauth2.models import (
-    AccessToken,
-    IDToken,
-    OAuth2Provider,
-    RedirectURI,
-    RedirectURIMatchingMode,
-    RefreshToken,
-)
+from authentik.providers.oauth2.models import AccessToken, IDToken, OAuth2Provider, RefreshToken
 from authentik.providers.oauth2.tests.utils import OAuthTestCase
 
 
@@ -29,7 +22,7 @@ class TesOAuth2Revoke(OAuthTestCase):
         self.provider: OAuth2Provider = OAuth2Provider.objects.create(
             name=generate_id(),
             authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "")],
+            redirect_uris="",
             signing_key=create_test_cert(),
         )
         self.app = Application.objects.create(

authentik/providers/oauth2/tests/test_token.py

@@ -22,8 +22,6 @@ from authentik.providers.oauth2.models import (
     AccessToken,
     AuthorizationCode,
     OAuth2Provider,
-    RedirectURI,
-    RedirectURIMatchingMode,
     RefreshToken,
     ScopeMapping,
 )
@@ -44,7 +42,7 @@ class TestToken(OAuthTestCase):
         provider = OAuth2Provider.objects.create(
             name=generate_id(),
             authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://TestServer")],
+            redirect_uris="http://TestServer",
             signing_key=self.keypair,
         )
         header = b64encode(f"{provider.client_id}:{provider.client_secret}".encode()).decode()
@@ -71,7 +69,7 @@ class TestToken(OAuthTestCase):
         provider = OAuth2Provider.objects.create(
             name=generate_id(),
             authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://testserver")],
+            redirect_uris="http://testserver",
             signing_key=self.keypair,
         )
         header = b64encode(f"{provider.client_id}:{provider.client_secret}".encode()).decode()
@@ -92,7 +90,7 @@ class TestToken(OAuthTestCase):
         provider = OAuth2Provider.objects.create(
             name=generate_id(),
             authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")],
+            redirect_uris="http://local.invalid",
             signing_key=self.keypair,
         )
         header = b64encode(f"{provider.client_id}:{provider.client_secret}".encode()).decode()
@@ -120,7 +118,7 @@ class TestToken(OAuthTestCase):
         provider = OAuth2Provider.objects.create(
             name=generate_id(),
             authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")],
+            redirect_uris="http://local.invalid",
             signing_key=self.keypair,
         )
         # Needs to be assigned to an application for iss to be set
@@ -159,7 +157,7 @@ class TestToken(OAuthTestCase):
         provider = OAuth2Provider.objects.create(
             name=generate_id(),
             authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")],
+            redirect_uris="http://local.invalid",
             signing_key=self.keypair,
             encryption_key=self.keypair,
         )
@@ -190,7 +188,7 @@ class TestToken(OAuthTestCase):
         provider = OAuth2Provider.objects.create(
             name=generate_id(),
             authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")],
+            redirect_uris="http://local.invalid",
             signing_key=self.keypair,
         )
         provider.property_mappings.set(
@@ -252,7 +250,7 @@ class TestToken(OAuthTestCase):
         provider = OAuth2Provider.objects.create(
             name=generate_id(),
             authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")],
+            redirect_uris="http://local.invalid",
             signing_key=self.keypair,
         )
         provider.property_mappings.set(
@@ -310,7 +308,7 @@ class TestToken(OAuthTestCase):
         provider = OAuth2Provider.objects.create(
             name=generate_id(),
             authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://testserver")],
+            redirect_uris="http://testserver",
             signing_key=self.keypair,
         )
         provider.property_mappings.set(

authentik/providers/oauth2/tests/test_token_cc_jwt_source.py

@@ -19,12 +19,7 @@ from authentik.providers.oauth2.constants import (
     SCOPE_OPENID_PROFILE,
     TOKEN_TYPE,
 )
-from authentik.providers.oauth2.models import (
-    OAuth2Provider,
-    RedirectURI,
-    RedirectURIMatchingMode,
-    ScopeMapping,
-)
+from authentik.providers.oauth2.models import OAuth2Provider, ScopeMapping
 from authentik.providers.oauth2.tests.utils import OAuthTestCase
 from authentik.providers.oauth2.views.jwks import JWKSView
 from authentik.sources.oauth.models import OAuthSource
@@ -59,7 +54,7 @@ class TestTokenClientCredentialsJWTSource(OAuthTestCase):
         self.provider: OAuth2Provider = OAuth2Provider.objects.create(
             name="test",
             authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://testserver")],
+            redirect_uris="http://testserver",
             signing_key=self.cert,
         )
         self.provider.jwks_sources.add(self.source)

authentik/providers/oauth2/tests/test_token_cc_standard.py

@@ -19,13 +19,7 @@ from authentik.providers.oauth2.constants import (
     TOKEN_TYPE,
 )
 from authentik.providers.oauth2.errors import TokenError
-from authentik.providers.oauth2.models import (
-    AccessToken,
-    OAuth2Provider,
-    RedirectURI,
-    RedirectURIMatchingMode,
-    ScopeMapping,
-)
+from authentik.providers.oauth2.models import OAuth2Provider, ScopeMapping
 from authentik.providers.oauth2.tests.utils import OAuthTestCase
 
 
@@ -39,7 +33,7 @@ class TestTokenClientCredentialsStandard(OAuthTestCase):
         self.provider = OAuth2Provider.objects.create(
             name="test",
             authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://testserver")],
+            redirect_uris="http://testserver",
             signing_key=create_test_cert(),
         )
         self.provider.property_mappings.set(ScopeMapping.objects.all())
@@ -113,48 +107,6 @@ class TestTokenClientCredentialsStandard(OAuthTestCase):
             {"error": "invalid_grant", "error_description": TokenError.errors["invalid_grant"]},
         )
 
-    def test_incorrect_scopes(self):
-        """test scope that isn't configured"""
-        response = self.client.post(
-            reverse("authentik_providers_oauth2:token"),
-            {
-                "grant_type": GRANT_TYPE_CLIENT_CREDENTIALS,
-                "scope": f"{SCOPE_OPENID} {SCOPE_OPENID_EMAIL} {SCOPE_OPENID_PROFILE} extra_scope",
-                "client_id": self.provider.client_id,
-                "client_secret": self.provider.client_secret,
-            },
-        )
-        self.assertEqual(response.status_code, 200)
-        body = loads(response.content.decode())
-        self.assertEqual(body["token_type"], TOKEN_TYPE)
-        token = AccessToken.objects.filter(
-            provider=self.provider, token=body["access_token"]
-        ).first()
-        self.assertSetEqual(
-            set(token.scope), {SCOPE_OPENID, SCOPE_OPENID_EMAIL, SCOPE_OPENID_PROFILE}
-        )
-        _, alg = self.provider.jwt_key
-        jwt = decode(
-            body["access_token"],
-            key=self.provider.signing_key.public_key,
-            algorithms=[alg],
-            audience=self.provider.client_id,
-        )
-        self.assertEqual(
-            jwt["given_name"], "Autogenerated user from application test (client credentials)"
-        )
-        self.assertEqual(jwt["preferred_username"], "ak-test-client_credentials")
-        jwt = decode(
-            body["id_token"],
-            key=self.provider.signing_key.public_key,
-            algorithms=[alg],
-            audience=self.provider.client_id,
-        )
-        self.assertEqual(
-            jwt["given_name"], "Autogenerated user from application test (client credentials)"
-        )
-        self.assertEqual(jwt["preferred_username"], "ak-test-client_credentials")
-
     def test_successful(self):
         """test successful"""
         response = self.client.post(

authentik/providers/oauth2/tests/test_token_cc_standard_compat.py

@@ -20,12 +20,7 @@ from authentik.providers.oauth2.constants import (
     TOKEN_TYPE,
 )
 from authentik.providers.oauth2.errors import TokenError
-from authentik.providers.oauth2.models import (
-    OAuth2Provider,
-    RedirectURI,
-    RedirectURIMatchingMode,
-    ScopeMapping,
-)
+from authentik.providers.oauth2.models import OAuth2Provider, ScopeMapping
 from authentik.providers.oauth2.tests.utils import OAuthTestCase
 
 
@@ -39,7 +34,7 @@ class TestTokenClientCredentialsStandardCompat(OAuthTestCase):
         self.provider = OAuth2Provider.objects.create(
             name="test",
             authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://testserver")],
+            redirect_uris="http://testserver",
             signing_key=create_test_cert(),
         )
         self.provider.property_mappings.set(ScopeMapping.objects.all())

authentik/providers/oauth2/tests/test_token_cc_user_pw.py

@@ -19,12 +19,7 @@ from authentik.providers.oauth2.constants import (
     TOKEN_TYPE,
 )
 from authentik.providers.oauth2.errors import TokenError
-from authentik.providers.oauth2.models import (
-    OAuth2Provider,
-    RedirectURI,
-    RedirectURIMatchingMode,
-    ScopeMapping,
-)
+from authentik.providers.oauth2.models import OAuth2Provider, ScopeMapping
 from authentik.providers.oauth2.tests.utils import OAuthTestCase
 
 
@@ -38,7 +33,7 @@ class TestTokenClientCredentialsUserNamePassword(OAuthTestCase):
         self.provider = OAuth2Provider.objects.create(
             name="test",
             authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://testserver")],
+            redirect_uris="http://testserver",
             signing_key=create_test_cert(),
         )
         self.provider.property_mappings.set(ScopeMapping.objects.all())

authentik/providers/oauth2/tests/test_token_device.py

@@ -9,19 +9,8 @@ from authentik.blueprints.tests import apply_blueprint
 from authentik.core.models import Application
 from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow
 from authentik.lib.generators import generate_code_fixed_length, generate_id
-from authentik.providers.oauth2.constants import (
-    GRANT_TYPE_DEVICE_CODE,
-    SCOPE_OPENID,
-    SCOPE_OPENID_EMAIL,
-)
-from authentik.providers.oauth2.models import (
-    AccessToken,
-    DeviceToken,
-    OAuth2Provider,
-    RedirectURI,
-    RedirectURIMatchingMode,
-    ScopeMapping,
-)
+from authentik.providers.oauth2.constants import GRANT_TYPE_DEVICE_CODE
+from authentik.providers.oauth2.models import DeviceToken, OAuth2Provider, ScopeMapping
 from authentik.providers.oauth2.tests.utils import OAuthTestCase
 
 
@@ -35,7 +24,7 @@ class TestTokenDeviceCode(OAuthTestCase):
         self.provider = OAuth2Provider.objects.create(
             name="test",
             authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://testserver")],
+            redirect_uris="http://testserver",
             signing_key=create_test_cert(),
         )
         self.provider.property_mappings.set(ScopeMapping.objects.all())
@@ -91,28 +80,3 @@ class TestTokenDeviceCode(OAuthTestCase):
             },
         )
         self.assertEqual(res.status_code, 200)
-
-    def test_code_mismatched_scope(self):
-        """Test code with user (mismatched scopes)"""
-        device_token = DeviceToken.objects.create(
-            provider=self.provider,
-            user_code=generate_code_fixed_length(),
-            device_code=generate_id(),
-            user=self.user,
-            scope=[SCOPE_OPENID, SCOPE_OPENID_EMAIL],
-        )
-        res = self.client.post(
-            reverse("authentik_providers_oauth2:token"),
-            data={
-                "client_id": self.provider.client_id,
-                "grant_type": GRANT_TYPE_DEVICE_CODE,
-                "device_code": device_token.device_code,
-                "scope": f"{SCOPE_OPENID} {SCOPE_OPENID_EMAIL} invalid",
-            },
-        )
-        self.assertEqual(res.status_code, 200)
-        body = loads(res.content)
-        token = AccessToken.objects.filter(
-            provider=self.provider, token=body["access_token"]
-        ).first()
-        self.assertSetEqual(set(token.scope), {SCOPE_OPENID, SCOPE_OPENID_EMAIL})

authentik/providers/oauth2/tests/test_token_pkce.py

@@ -10,12 +10,7 @@ from authentik.core.models import Application
 from authentik.core.tests.utils import create_test_admin_user, create_test_flow
 from authentik.lib.generators import generate_id
 from authentik.providers.oauth2.constants import GRANT_TYPE_AUTHORIZATION_CODE
-from authentik.providers.oauth2.models import (
-    AuthorizationCode,
-    OAuth2Provider,
-    RedirectURI,
-    RedirectURIMatchingMode,
-)
+from authentik.providers.oauth2.models import AuthorizationCode, OAuth2Provider
 from authentik.providers.oauth2.tests.utils import OAuthTestCase
 
 
@@ -35,7 +30,7 @@ class TestTokenPKCE(OAuthTestCase):
             name=generate_id(),
             client_id="test",
             authorization_flow=flow,
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "foo://localhost")],
+            redirect_uris="foo://localhost",
             access_code_validity="seconds=100",
         )
         Application.objects.create(name="app", slug="app", provider=provider)
@@ -98,7 +93,7 @@ class TestTokenPKCE(OAuthTestCase):
             name=generate_id(),
             client_id="test",
             authorization_flow=flow,
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "foo://localhost")],
+            redirect_uris="foo://localhost",
             access_code_validity="seconds=100",
         )
         Application.objects.create(name="app", slug="app", provider=provider)
@@ -159,7 +154,7 @@ class TestTokenPKCE(OAuthTestCase):
             name=generate_id(),
             client_id="test",
             authorization_flow=flow,
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "foo://localhost")],
+            redirect_uris="foo://localhost",
             access_code_validity="seconds=100",
         )
         Application.objects.create(name="app", slug="app", provider=provider)
@@ -215,7 +210,7 @@ class TestTokenPKCE(OAuthTestCase):
             name=generate_id(),
             client_id="test",
             authorization_flow=flow,
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "foo://localhost")],
+            redirect_uris="foo://localhost",
             access_code_validity="seconds=100",
         )
         Application.objects.create(name="app", slug="app", provider=provider)

authentik/providers/oauth2/tests/test_userinfo.py

@@ -11,14 +11,7 @@ from authentik.core.models import Application
 from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow
 from authentik.events.models import Event, EventAction
 from authentik.lib.generators import generate_id
-from authentik.providers.oauth2.models import (
-    AccessToken,
-    IDToken,
-    OAuth2Provider,
-    RedirectURI,
-    RedirectURIMatchingMode,
-    ScopeMapping,
-)
+from authentik.providers.oauth2.models import AccessToken, IDToken, OAuth2Provider, ScopeMapping
 from authentik.providers.oauth2.tests.utils import OAuthTestCase
 
 
@@ -32,7 +25,7 @@ class TestUserinfo(OAuthTestCase):
         self.provider: OAuth2Provider = OAuth2Provider.objects.create(
             name=generate_id(),
             authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "")],
+            redirect_uris="",
             signing_key=create_test_cert(),
         )
         self.provider.property_mappings.set(ScopeMapping.objects.all())

authentik/providers/oauth2/views/authorize.py

@@ -56,8 +56,6 @@ from authentik.providers.oauth2.models import (
     AuthorizationCode,
     GrantTypes,
     OAuth2Provider,
-    RedirectURI,
-    RedirectURIMatchingMode,
     ResponseMode,
     ResponseTypes,
     ScopeMapping,
@@ -189,39 +187,40 @@ class OAuthAuthorizationParams:
 
     def check_redirect_uri(self):
         """Redirect URI validation."""
-        allowed_redirect_urls = self.provider.redirect_uris
+        allowed_redirect_urls = self.provider.redirect_uris.split()
         if not self.redirect_uri:
             LOGGER.warning("Missing redirect uri.")
             raise RedirectUriError("", allowed_redirect_urls)
 
-        if len(allowed_redirect_urls) < 1:
+        if self.provider.redirect_uris == "":
             LOGGER.info("Setting redirect for blank redirect_uris", redirect=self.redirect_uri)
-            self.provider.redirect_uris = [
-                RedirectURI(RedirectURIMatchingMode.STRICT, self.redirect_uri)
-            ]
+            self.provider.redirect_uris = self.redirect_uri
             self.provider.save()
-            allowed_redirect_urls = self.provider.redirect_uris
+            allowed_redirect_urls = self.provider.redirect_uris.split()
 
-        match_found = False
-        for allowed in allowed_redirect_urls:
-            if allowed.matching_mode == RedirectURIMatchingMode.STRICT:
-                if self.redirect_uri == allowed.url:
-                    match_found = True
-                    break
-            if allowed.matching_mode == RedirectURIMatchingMode.REGEX:
-                try:
-                    if fullmatch(allowed.url, self.redirect_uri):
-                        match_found = True
-                        break
-                except RegexError as exc:
-                    LOGGER.warning(
-                        "Failed to parse regular expression",
-                        exc=exc,
-                        url=allowed.url,
-                        provider=self.provider,
-                    )
-        if not match_found:
-            raise RedirectUriError(self.redirect_uri, allowed_redirect_urls)
+        if self.provider.redirect_uris == "*":
+            LOGGER.info("Converting redirect_uris to regex", redirect=self.redirect_uri)
+            self.provider.redirect_uris = ".*"
+            self.provider.save()
+            allowed_redirect_urls = self.provider.redirect_uris.split()
+
+        try:
+            if not any(fullmatch(x, self.redirect_uri) for x in allowed_redirect_urls):
+                LOGGER.warning(
+                    "Invalid redirect uri (regex comparison)",
+                    redirect_uri_given=self.redirect_uri,
+                    redirect_uri_expected=allowed_redirect_urls,
+                )
+                raise RedirectUriError(self.redirect_uri, allowed_redirect_urls)
+        except RegexError as exc:
+            LOGGER.info("Failed to parse regular expression, checking directly", exc=exc)
+            if not any(x == self.redirect_uri for x in allowed_redirect_urls):
+                LOGGER.warning(
+                    "Invalid redirect uri (strict comparison)",
+                    redirect_uri_given=self.redirect_uri,
+                    redirect_uri_expected=allowed_redirect_urls,
+                )
+                raise RedirectUriError(self.redirect_uri, allowed_redirect_urls) from None
         # Check against forbidden schemes
         if urlparse(self.redirect_uri).scheme in FORBIDDEN_URI_SCHEMES:
             raise RedirectUriError(self.redirect_uri, allowed_redirect_urls)

authentik/providers/oauth2/views/provider.py

@@ -162,5 +162,5 @@ class ProviderInfoView(View):
             OAuth2Provider, pk=application.provider_id
         )
         response = super().dispatch(request, *args, **kwargs)
-        cors_allow(request, response, *[x.url for x in self.provider.redirect_uris])
+        cors_allow(request, response, *self.provider.redirect_uris.split("\n"))
         return response

authentik/providers/oauth2/views/token.py

@@ -58,9 +58,7 @@ from authentik.providers.oauth2.models import (
     ClientTypes,
     DeviceToken,
     OAuth2Provider,
-    RedirectURIMatchingMode,
     RefreshToken,
-    ScopeMapping,
 )
 from authentik.providers.oauth2.utils import TokenResponse, cors_allow, extract_client_auth
 from authentik.providers.oauth2.views.authorize import FORBIDDEN_URI_SCHEMES
@@ -79,7 +77,7 @@ class TokenParams:
     redirect_uri: str
     grant_type: str
     state: str
-    scope: set[str]
+    scope: list[str]
 
     provider: OAuth2Provider
 
@@ -114,26 +112,11 @@ class TokenParams:
             redirect_uri=request.POST.get("redirect_uri", ""),
             grant_type=request.POST.get("grant_type", ""),
             state=request.POST.get("state", ""),
-            scope=set(request.POST.get("scope", "").split()),
+            scope=request.POST.get("scope", "").split(),
             # PKCE parameter.
             code_verifier=request.POST.get("code_verifier"),
         )
 
-    def __check_scopes(self):
-        allowed_scope_names = set(
-            ScopeMapping.objects.filter(provider__in=[self.provider]).values_list(
-                "scope_name", flat=True
-            )
-        )
-        scopes_to_check = self.scope
-        if not scopes_to_check.issubset(allowed_scope_names):
-            LOGGER.info(
-                "Application requested scopes not configured, setting to overlap",
-                scope_allowed=allowed_scope_names,
-                scope_given=self.scope,
-            )
-            self.scope = self.scope.intersection(allowed_scope_names)
-
     def __check_policy_access(self, app: Application, request: HttpRequest, **kwargs):
         with start_span(
             op="authentik.providers.oauth2.token.policy",
@@ -166,7 +149,7 @@ class TokenParams:
                     client_id=self.provider.client_id,
                 )
                 raise TokenError("invalid_client")
-        self.__check_scopes()
+
         if self.grant_type == GRANT_TYPE_AUTHORIZATION_CODE:
             with start_span(
                 op="authentik.providers.oauth2.post.parse.code",
@@ -196,7 +179,42 @@ class TokenParams:
             LOGGER.warning("Missing authorization code")
             raise TokenError("invalid_grant")
 
-        self.__check_redirect_uri(request)
+        allowed_redirect_urls = self.provider.redirect_uris.split()
+        # At this point, no provider should have a blank redirect_uri, in case they do
+        # this will check an empty array and raise an error
+        try:
+            if not any(fullmatch(x, self.redirect_uri) for x in allowed_redirect_urls):
+                LOGGER.warning(
+                    "Invalid redirect uri (regex comparison)",
+                    redirect_uri=self.redirect_uri,
+                    expected=allowed_redirect_urls,
+                )
+                Event.new(
+                    EventAction.CONFIGURATION_ERROR,
+                    message="Invalid redirect URI used by provider",
+                    provider=self.provider,
+                    redirect_uri=self.redirect_uri,
+                    expected=allowed_redirect_urls,
+                ).from_http(request)
+                raise TokenError("invalid_client")
+        except RegexError as exc:
+            LOGGER.info("Failed to parse regular expression, checking directly", exc=exc)
+            if not any(x == self.redirect_uri for x in allowed_redirect_urls):
+                LOGGER.warning(
+                    "Invalid redirect uri (strict comparison)",
+                    redirect_uri=self.redirect_uri,
+                    expected=allowed_redirect_urls,
+                )
+                Event.new(
+                    EventAction.CONFIGURATION_ERROR,
+                    message="Invalid redirect_uri configured",
+                    provider=self.provider,
+                ).from_http(request)
+                raise TokenError("invalid_client") from None
+
+        # Check against forbidden schemes
+        if urlparse(self.redirect_uri).scheme in FORBIDDEN_URI_SCHEMES:
+            raise TokenError("invalid_request")
 
         self.authorization_code = AuthorizationCode.objects.filter(code=raw_code).first()
         if not self.authorization_code:
@@ -236,48 +254,6 @@ class TokenParams:
         if not self.authorization_code.code_challenge and self.code_verifier:
             raise TokenError("invalid_grant")
 
-    def __check_redirect_uri(self, request: HttpRequest):
-        allowed_redirect_urls = self.provider.redirect_uris
-        # At this point, no provider should have a blank redirect_uri, in case they do
-        # this will check an empty array and raise an error
-
-        match_found = False
-        for allowed in allowed_redirect_urls:
-            if allowed.matching_mode == RedirectURIMatchingMode.STRICT:
-                if self.redirect_uri == allowed.url:
-                    match_found = True
-                    break
-            if allowed.matching_mode == RedirectURIMatchingMode.REGEX:
-                try:
-                    if fullmatch(allowed.url, self.redirect_uri):
-                        match_found = True
-                        break
-                except RegexError as exc:
-                    LOGGER.warning(
-                        "Failed to parse regular expression",
-                        exc=exc,
-                        url=allowed.url,
-                        provider=self.provider,
-                    )
-                    Event.new(
-                        EventAction.CONFIGURATION_ERROR,
-                        message="Invalid redirect_uri configured",
-                        provider=self.provider,
-                    ).from_http(request)
-        if not match_found:
-            Event.new(
-                EventAction.CONFIGURATION_ERROR,
-                message="Invalid redirect URI used by provider",
-                provider=self.provider,
-                redirect_uri=self.redirect_uri,
-                expected=allowed_redirect_urls,
-            ).from_http(request)
-            raise TokenError("invalid_client")
-
-        # Check against forbidden schemes
-        if urlparse(self.redirect_uri).scheme in FORBIDDEN_URI_SCHEMES:
-            raise TokenError("invalid_request")
-
     def __post_init_refresh(self, raw_token: str, request: HttpRequest):
         if not raw_token:
             LOGGER.warning("Missing refresh token")
@@ -521,7 +497,7 @@ class TokenView(View):
         response = super().dispatch(request, *args, **kwargs)
         allowed_origins = []
         if self.provider:
-            allowed_origins = [x.url for x in self.provider.redirect_uris]
+            allowed_origins = self.provider.redirect_uris.split("\n")
         cors_allow(self.request, response, *allowed_origins)
         return response
 
@@ -734,7 +710,7 @@ class TokenView(View):
             "id_token": access_token.id_token.to_jwt(self.provider),
         }
 
-        if SCOPE_OFFLINE_ACCESS in self.params.device_code.scope:
+        if SCOPE_OFFLINE_ACCESS in self.params.scope:
             refresh_token_expiry = now + timedelta_from_string(self.provider.refresh_token_validity)
             refresh_token = RefreshToken(
                 user=self.params.device_code.user,

authentik/providers/oauth2/views/userinfo.py

@@ -108,7 +108,7 @@ class UserInfoView(View):
         response = super().dispatch(request, *args, **kwargs)
         allowed_origins = []
         if self.token:
-            allowed_origins = [x.url for x in self.token.provider.redirect_uris]
+            allowed_origins = self.token.provider.redirect_uris.split("\n")
         cors_allow(self.request, response, *allowed_origins)
         return response
 

authentik/providers/proxy/api.py

@@ -13,7 +13,6 @@ from authentik.core.api.providers import ProviderSerializer
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import ModelSerializer, PassiveSerializer
 from authentik.lib.utils.time import timedelta_from_string
-from authentik.providers.oauth2.api.providers import RedirectURISerializer
 from authentik.providers.oauth2.models import ScopeMapping
 from authentik.providers.oauth2.views.provider import ProviderInfoView
 from authentik.providers.proxy.models import ProxyMode, ProxyProvider
@@ -40,7 +39,7 @@ class ProxyProviderSerializer(ProviderSerializer):
     """ProxyProvider Serializer"""
 
     client_id = CharField(read_only=True)
-    redirect_uris = RedirectURISerializer(many=True, read_only=True, source="_redirect_uris")
+    redirect_uris = CharField(read_only=True)
     outpost_set = ListField(child=CharField(), read_only=True, source="outpost_set.all")
 
     def validate_basic_auth_enabled(self, value: bool) -> bool:
@@ -122,6 +121,7 @@ class ProxyProviderViewSet(UsedByMixin, ModelViewSet):
         "basic_auth_password_attribute": ["iexact"],
         "basic_auth_user_attribute": ["iexact"],
         "mode": ["iexact"],
+        "redirect_uris": ["iexact"],
         "cookie_domain": ["iexact"],
     }
     search_fields = ["name"]

authentik/providers/proxy/models.py

@@ -13,13 +13,7 @@ from rest_framework.serializers import Serializer
 from authentik.crypto.models import CertificateKeyPair
 from authentik.lib.models import DomainlessURLValidator
 from authentik.outposts.models import OutpostModel
-from authentik.providers.oauth2.models import (
-    ClientTypes,
-    OAuth2Provider,
-    RedirectURI,
-    RedirectURIMatchingMode,
-    ScopeMapping,
-)
+from authentik.providers.oauth2.models import ClientTypes, OAuth2Provider, ScopeMapping
 
 SCOPE_AK_PROXY = "ak_proxy"
 OUTPOST_CALLBACK_SIGNATURE = "X-authentik-auth-callback"
@@ -30,14 +24,14 @@ def get_cookie_secret():
     return "".join(SystemRandom().choice(string.ascii_uppercase + string.digits) for _ in range(32))
 
 
-def _get_callback_url(uri: str) -> list[RedirectURI]:
-    return [
-        RedirectURI(
-            RedirectURIMatchingMode.STRICT,
-            urljoin(uri, "outpost.goauthentik.io/callback") + f"?{OUTPOST_CALLBACK_SIGNATURE}=true",
-        ),
-        RedirectURI(RedirectURIMatchingMode.STRICT, uri + f"?{OUTPOST_CALLBACK_SIGNATURE}=true"),
-    ]
+def _get_callback_url(uri: str) -> str:
+    return "\n".join(
+        [
+            urljoin(uri, "outpost.goauthentik.io/callback")
+            + f"\\?{OUTPOST_CALLBACK_SIGNATURE}=true",
+            uri + f"\\?{OUTPOST_CALLBACK_SIGNATURE}=true",
+        ]
+    )
 
 
 class ProxyMode(models.TextChoices):

authentik/root/monitoring.py

@@ -1,8 +1,6 @@
 """Metrics view"""
 
-from hmac import compare_digest
-from pathlib import Path
-from tempfile import gettempdir
+from base64 import b64encode
 
 from django.conf import settings
 from django.db import connections
@@ -18,21 +16,22 @@ monitoring_set = Signal()
 
 
 class MetricsView(View):
-    """Wrapper around ExportToDjangoView with authentication, accessed by the authentik router"""
-
-    def __init__(self, **kwargs):
-        _tmp = Path(gettempdir())
-        with open(_tmp / "authentik-core-metrics.key") as _f:
-            self.monitoring_key = _f.read()
+    """Wrapper around ExportToDjangoView, using http-basic auth"""
 
     def get(self, request: HttpRequest) -> HttpResponse:
         """Check for HTTP-Basic auth"""
         auth_header = request.META.get("HTTP_AUTHORIZATION", "")
         auth_type, _, given_credentials = auth_header.partition(" ")
-        authed = auth_type == "Bearer" and compare_digest(given_credentials, self.monitoring_key)
+        credentials = f"monitor:{settings.SECRET_KEY}"
+        expected = b64encode(str.encode(credentials)).decode()
+        authed = auth_type == "Basic" and given_credentials == expected
         if not authed and not settings.DEBUG:
-            return HttpResponse(status=401)
+            response = HttpResponse(status=401)
+            response["WWW-Authenticate"] = 'Basic realm="authentik-monitoring"'
+            return response
+
         monitoring_set.send_robust(self)
+
         return ExportToDjangoView(request)
 
 

authentik/root/tests.py

@@ -1,9 +1,8 @@
 """root tests"""
 
-from pathlib import Path
-from secrets import token_urlsafe
-from tempfile import gettempdir
+from base64 import b64encode
 
+from django.conf import settings
 from django.test import TestCase
 from django.urls import reverse
 
@@ -11,16 +10,6 @@ from django.urls import reverse
 class TestRoot(TestCase):
     """Test root application"""
 
-    def setUp(self):
-        _tmp = Path(gettempdir())
-        self.token = token_urlsafe(32)
-        with open(_tmp / "authentik-core-metrics.key", "w") as _f:
-            _f.write(self.token)
-
-    def tearDown(self):
-        _tmp = Path(gettempdir())
-        (_tmp / "authentik-core-metrics.key").unlink()
-
     def test_monitoring_error(self):
         """Test monitoring without any credentials"""
         response = self.client.get(reverse("metrics"))
@@ -28,7 +17,8 @@ class TestRoot(TestCase):
 
     def test_monitoring_ok(self):
         """Test monitoring with credentials"""
-        auth_headers = {"HTTP_AUTHORIZATION": f"Bearer {self.token}"}
+        creds = "Basic " + b64encode(f"monitor:{settings.SECRET_KEY}".encode()).decode("utf-8")
+        auth_headers = {"HTTP_AUTHORIZATION": creds}
         response = self.client.get(reverse("metrics"), **auth_headers)
         self.assertEqual(response.status_code, 200)
 

blueprints/schema.json

@@ -2,7 +2,7 @@
     "$schema": "http://json-schema.org/draft-07/schema",
     "$id": "https://goauthentik.io/blueprints/schema.json",
     "type": "object",
-    "title": "authentik 2024.10.4 Blueprint schema",
+    "title": "authentik 2024.10.2 Blueprint schema",
     "required": [
         "version",
         "entries"
@@ -5570,30 +5570,9 @@
                     "description": "Key used to encrypt the tokens. When set, tokens will be encrypted and returned as JWEs."
                 },
                 "redirect_uris": {
-                    "type": "array",
-                    "items": {
-                        "type": "object",
-                        "properties": {
-                            "matching_mode": {
-                                "type": "string",
-                                "enum": [
-                                    "strict",
-                                    "regex"
-                                ],
-                                "title": "Matching mode"
-                            },
-                            "url": {
-                                "type": "string",
-                                "minLength": 1,
-                                "title": "Url"
-                            }
-                        },
-                        "required": [
-                            "matching_mode",
-                            "url"
-                        ]
-                    },
-                    "title": "Redirect uris"
+                    "type": "string",
+                    "title": "Redirect URIs",
+                    "description": "Enter each URI on a new line."
                 },
                 "sub_mode": {
                     "type": "string",

docker-compose.yml

@@ -31,7 +31,7 @@ services:
     volumes:
       - redis:/data
   server:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.10.4}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.10.2}
     restart: unless-stopped
     command: server
     environment:
@@ -52,7 +52,7 @@ services:
       - postgresql
       - redis
   worker:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.10.4}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.10.2}
     restart: unless-stopped
     command: worker
     environment:

go.mod

@@ -29,7 +29,7 @@ require (
 	github.com/spf13/cobra v1.8.1
 	github.com/stretchr/testify v1.9.0
 	github.com/wwt/guac v1.3.2
-	goauthentik.io/api/v3 v3.2024104.1
+	goauthentik.io/api/v3 v3.2024102.3
 	golang.org/x/exp v0.0.0-20230210204819-062eb4c674ab
 	golang.org/x/oauth2 v0.24.0
 	golang.org/x/sync v0.9.0

go.sum

@@ -299,8 +299,8 @@ go.opentelemetry.io/otel/trace v1.24.0 h1:CsKnnL4dUAr/0llH9FKuc698G04IrpWV0MQA/Y
 go.opentelemetry.io/otel/trace v1.24.0/go.mod h1:HPc3Xr/cOApsBI154IU0OI0HJexz+aw5uPdbs3UCjNU=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
-goauthentik.io/api/v3 v3.2024104.1 h1:N09HAJ66W965QEYpx6sJzcaQxPsnFykVwkzVjVK/zH0=
-goauthentik.io/api/v3 v3.2024104.1/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
+goauthentik.io/api/v3 v3.2024102.3 h1:akjkJMS7tj4Df/oRb0kylkZnRYskRhereXXbhvcvi1g=
+goauthentik.io/api/v3 v3.2024102.3/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=

internal/constants/constants.go

@@ -29,4 +29,4 @@ func UserAgent() string {
 	return fmt.Sprintf("authentik@%s", FullVersion())
 }
 
-const VERSION = "2024.10.4"
+const VERSION = "2024.10.2"

internal/outpost/ak/api.go

@@ -80,7 +80,7 @@ func NewAPIController(akURL url.URL, token string) *APIController {
 	var outposts *api.PaginatedOutpostList
 	var err error
 	for {
-		outposts, _, err = apiClient.OutpostsApi.OutpostsInstancesList(context.Background()).Execute()
+		outposts, _, err = apiClient.OutpostsAPI.OutpostsInstancesList(context.Background()).Execute()
 
 		if err == nil {
 			break
@@ -96,7 +96,7 @@ func NewAPIController(akURL url.URL, token string) *APIController {
 
 	log.WithField("name", outpost.Name).Debug("Fetched outpost configuration")
 
-	akConfig, _, err := apiClient.RootApi.RootConfigRetrieve(context.Background()).Execute()
+	akConfig, _, err := apiClient.RootAPI.RootConfigRetrieve(context.Background()).Execute()
 	if err != nil {
 		log.WithError(err).Error("Failed to fetch global configuration")
 		return nil
@@ -174,7 +174,7 @@ func (a *APIController) Token() string {
 func (a *APIController) OnRefresh() error {
 	// Because we don't know the outpost UUID, we simply do a list and pick the first
 	// The service account this token belongs to should only have access to a single outpost
-	outposts, _, err := a.Client.OutpostsApi.OutpostsInstancesList(context.Background()).Execute()
+	outposts, _, err := a.Client.OutpostsAPI.OutpostsInstancesList(context.Background()).Execute()
 	if err != nil {
 		log.WithError(err).Error("Failed to fetch outpost configuration")
 		return err

internal/outpost/ak/crypto.go

@@ -9,7 +9,7 @@ import (
 )
 
 type CryptoStore struct {
-	api *api.CryptoApiService
+	api *api.CryptoAPIService
 
 	log *log.Entry
 
@@ -17,7 +17,7 @@ type CryptoStore struct {
 	certificates map[string]*tls.Certificate
 }
 
-func NewCryptoStore(cryptoApi *api.CryptoApiService) *CryptoStore {
+func NewCryptoStore(cryptoApi *api.CryptoAPIService) *CryptoStore {
 	return &CryptoStore{
 		api:          cryptoApi,
 		log:          log.WithField("logger", "authentik.outpost.cryptostore"),

internal/outpost/flow/executor.go

@@ -139,7 +139,7 @@ func (fe *FlowExecutor) SetSession(s *http.Cookie) {
 func (fe *FlowExecutor) WarmUp() error {
 	gcsp := sentry.StartSpan(fe.Context, "authentik.outposts.flow_executor.get_challenge")
 	defer gcsp.Finish()
-	req := fe.api.FlowsApi.FlowsExecutorGet(gcsp.Context(), fe.flowSlug).Query(fe.Params.Encode())
+	req := fe.api.FlowsAPI.FlowsExecutorGet(gcsp.Context(), fe.flowSlug).Query(fe.Params.Encode())
 	_, _, err := req.Execute()
 	return err
 }
@@ -156,7 +156,7 @@ func (fe *FlowExecutor) Execute() (bool, error) {
 func (fe *FlowExecutor) getInitialChallenge() (*api.ChallengeTypes, error) {
 	// Get challenge
 	gcsp := sentry.StartSpan(fe.Context, "authentik.outposts.flow_executor.get_challenge")
-	req := fe.api.FlowsApi.FlowsExecutorGet(gcsp.Context(), fe.flowSlug).Query(fe.Params.Encode())
+	req := fe.api.FlowsAPI.FlowsExecutorGet(gcsp.Context(), fe.flowSlug).Query(fe.Params.Encode())
 	challenge, _, err := req.Execute()
 	if err != nil {
 		return nil, err
@@ -179,7 +179,7 @@ func (fe *FlowExecutor) getInitialChallenge() (*api.ChallengeTypes, error) {
 func (fe *FlowExecutor) solveFlowChallenge(challenge *api.ChallengeTypes, depth int) (bool, error) {
 	// Resole challenge
 	scsp := sentry.StartSpan(fe.Context, "authentik.outposts.flow_executor.solve_challenge")
-	responseReq := fe.api.FlowsApi.FlowsExecutorSolve(scsp.Context(), fe.flowSlug).Query(fe.Params.Encode())
+	responseReq := fe.api.FlowsAPI.FlowsExecutorSolve(scsp.Context(), fe.flowSlug).Query(fe.Params.Encode())
 	i := challenge.GetActualInstance()
 	if i == nil {
 		return false, errors.New("response request instance was null")

internal/outpost/ldap/bind/direct/bind.go

@@ -58,7 +58,7 @@ func (db *DirectBinder) Bind(username string, req *bind.Request) (ldap.LDAPResul
 		return ldap.LDAPResultInvalidCredentials, nil
 	}
 
-	access, _, err := fe.ApiClient().OutpostsApi.OutpostsLdapAccessCheck(
+	access, _, err := fe.ApiClient().OutpostsAPI.OutpostsLdapAccessCheck(
 		req.Context(), db.si.GetProviderID(),
 	).AppSlug(db.si.GetAppSlug()).Execute()
 	if !access.Access.Passing {
@@ -84,7 +84,7 @@ func (db *DirectBinder) Bind(username string, req *bind.Request) (ldap.LDAPResul
 	req.Log().Info("User has access")
 	uisp := sentry.StartSpan(req.Context(), "authentik.providers.ldap.bind.user_info")
 	// Get user info to store in context
-	userInfo, _, err := fe.ApiClient().CoreApi.CoreUsersMeRetrieve(context.Background()).Execute()
+	userInfo, _, err := fe.ApiClient().CoreAPI.CoreUsersMeRetrieve(context.Background()).Execute()
 	if err != nil {
 		metrics.RequestsRejected.With(prometheus.Labels{
 			"outpost_name": db.si.GetOutpostName(),

internal/outpost/ldap/ldap.go

@@ -30,7 +30,7 @@ func NewServer(ac *ak.APIController) *LDAPServer {
 	ls := &LDAPServer{
 		log:       log.WithField("logger", "authentik.outpost.ldap"),
 		ac:        ac,
-		cs:        ak.NewCryptoStore(ac.Client.CryptoApi),
+		cs:        ak.NewCryptoStore(ac.Client.CryptoAPI),
 		providers: []*ProviderInstance{},
 	}
 	s := ldap.NewServer()

internal/outpost/ldap/refresh.go

@@ -30,7 +30,7 @@ func (ls *LDAPServer) getCurrentProvider(pk int32) *ProviderInstance {
 }
 
 func (ls *LDAPServer) Refresh() error {
-	apiProviders, err := ak.Paginator(ls.ac.Client.OutpostsApi.OutpostsLdapList(context.Background()), ak.PaginatorOptions{
+	apiProviders, err := ak.Paginator(ls.ac.Client.OutpostsAPI.OutpostsLdapList(context.Background()), ak.PaginatorOptions{
 		PageSize: 100,
 		Logger:   ls.log,
 	})

internal/outpost/ldap/search/direct/direct.go

@@ -113,7 +113,7 @@ func (ds *DirectSearcher) Search(req *search.Request) (ldap.ServerSearchResult,
 		errs.Go(func() error {
 			if flags.CanSearch {
 				uapisp := sentry.StartSpan(errCtx, "authentik.providers.ldap.search.api_user")
-				searchReq, skip := utils.ParseFilterForUser(c.CoreApi.CoreUsersList(uapisp.Context()).IncludeGroups(true), parsedFilter, false)
+				searchReq, skip := utils.ParseFilterForUser(c.CoreAPI.CoreUsersList(uapisp.Context()).IncludeGroups(true), parsedFilter, false)
 
 				if skip {
 					req.Log().Trace("Skip backend request")
@@ -132,7 +132,7 @@ func (ds *DirectSearcher) Search(req *search.Request) (ldap.ServerSearchResult,
 			} else {
 				if flags.UserInfo == nil {
 					uapisp := sentry.StartSpan(errCtx, "authentik.providers.ldap.search.api_user")
-					u, _, err := c.CoreApi.CoreUsersRetrieve(uapisp.Context(), flags.UserPk).Execute()
+					u, _, err := c.CoreAPI.CoreUsersRetrieve(uapisp.Context(), flags.UserPk).Execute()
 					uapisp.Finish()
 
 					if err != nil {
@@ -155,7 +155,7 @@ func (ds *DirectSearcher) Search(req *search.Request) (ldap.ServerSearchResult,
 	if needGroups {
 		errs.Go(func() error {
 			gapisp := sentry.StartSpan(errCtx, "authentik.providers.ldap.search.api_group")
-			searchReq, skip := utils.ParseFilterForGroup(c.CoreApi.CoreGroupsList(gapisp.Context()).IncludeUsers(true), parsedFilter, false)
+			searchReq, skip := utils.ParseFilterForGroup(c.CoreAPI.CoreGroupsList(gapisp.Context()).IncludeUsers(true), parsedFilter, false)
 			if skip {
 				req.Log().Trace("Skip backend request")
 				return nil

internal/outpost/ldap/search/memory/memory.go

@@ -39,12 +39,12 @@ func NewMemorySearcher(si server.LDAPServerInstance) *MemorySearcher {
 	}
 	ms.log.Debug("initialised memory searcher")
 	// Error is not handled here, we get an empty/truncated list and the error is logged
-	users, _ := ak.Paginator(ms.si.GetAPIClient().CoreApi.CoreUsersList(context.TODO()).IncludeGroups(true), ak.PaginatorOptions{
+	users, _ := ak.Paginator(ms.si.GetAPIClient().CoreAPI.CoreUsersList(context.TODO()).IncludeGroups(true), ak.PaginatorOptions{
 		PageSize: 100,
 		Logger:   ms.log,
 	})
 	ms.users = users
-	groups, _ := ak.Paginator(ms.si.GetAPIClient().CoreApi.CoreGroupsList(context.TODO()).IncludeUsers(true), ak.PaginatorOptions{
+	groups, _ := ak.Paginator(ms.si.GetAPIClient().CoreAPI.CoreGroupsList(context.TODO()).IncludeUsers(true), ak.PaginatorOptions{
 		PageSize: 100,
 		Logger:   ms.log,
 	})

internal/outpost/proxyv2/application/mode_common.go

@@ -120,7 +120,7 @@ func (a *Application) ReportMisconfiguration(r *http.Request, msg string, fields
 		ClientIp: *api.NewNullableString(api.PtrString(r.RemoteAddr)),
 		Context:  fields,
 	}
-	_, _, err := a.ak.Client.EventsApi.EventsEventsCreate(context.Background()).EventRequest(req).Execute()
+	_, _, err := a.ak.Client.EventsAPI.EventsEventsCreate(context.Background()).EventRequest(req).Execute()
 	if err != nil {
 		a.log.WithError(err).Warning("failed to report configuration error")
 	}

internal/outpost/proxyv2/proxyv2.go

@@ -56,7 +56,7 @@ func NewProxyServer(ac *ak.APIController) *ProxyServer {
 		globalMux.Use(sentryhttp.New(sentryhttp.Options{}).Handle)
 	}
 	s := &ProxyServer{
-		cryptoStore: ak.NewCryptoStore(ac.Client.CryptoApi),
+		cryptoStore: ak.NewCryptoStore(ac.Client.CryptoAPI),
 		apps:        make(map[string]*application.Application),
 		log:         l,
 		mux:         rootMux,

internal/outpost/proxyv2/refresh.go

@@ -15,7 +15,7 @@ import (
 )
 
 func (ps *ProxyServer) Refresh() error {
-	providers, err := ak.Paginator(ps.akAPI.Client.OutpostsApi.OutpostsProxyList(context.Background()), ak.PaginatorOptions{
+	providers, err := ak.Paginator(ps.akAPI.Client.OutpostsAPI.OutpostsProxyList(context.Background()), ak.PaginatorOptions{
 		PageSize: 100,
 		Logger:   ps.log,
 	})

internal/outpost/radius/api.go

@@ -31,7 +31,7 @@ func parseCIDRs(raw string) []*net.IPNet {
 }
 
 func (rs *RadiusServer) Refresh() error {
-	apiProviders, err := ak.Paginator(rs.ac.Client.OutpostsApi.OutpostsRadiusList(context.Background()), ak.PaginatorOptions{
+	apiProviders, err := ak.Paginator(rs.ac.Client.OutpostsAPI.OutpostsRadiusList(context.Background()), ak.PaginatorOptions{
 		PageSize: 100,
 		Logger:   rs.log,
 	})

internal/outpost/radius/handle_access_request.go

@@ -45,7 +45,7 @@ func (rs *RadiusServer) Handle_AccessRequest(w radius.ResponseWriter, r *RadiusR
 		_ = w.Write(r.Response(radius.CodeAccessReject))
 		return
 	}
-	access, _, err := fe.ApiClient().OutpostsApi.OutpostsRadiusAccessCheck(
+	access, _, err := fe.ApiClient().OutpostsAPI.OutpostsRadiusAccessCheck(
 		r.Context(), r.pi.providerId,
 	).AppSlug(r.pi.appSlug).Execute()
 	if err != nil {

internal/web/brand_tls/brand_tls.go

@@ -22,7 +22,7 @@ type Watcher struct {
 }
 
 func NewWatcher(client *api.APIClient) *Watcher {
-	cs := ak.NewCryptoStore(client.CryptoApi)
+	cs := ak.NewCryptoStore(client.CryptoAPI)
 	l := log.WithField("logger", "authentik.router.brand_tls")
 	cert, err := crypto.GenerateSelfSignedCert()
 	if err != nil {
@@ -47,7 +47,7 @@ func (w *Watcher) Start() {
 
 func (w *Watcher) Check() {
 	w.log.Info("updating brand certificates")
-	brands, err := ak.Paginator(w.client.CoreApi.CoreBrandsList(context.Background()), ak.PaginatorOptions{
+	brands, err := ak.Paginator(w.client.CoreAPI.CoreBrandsList(context.Background()), ak.PaginatorOptions{
 		PageSize: 100,
 		Logger:   w.log,
 	})

internal/web/metrics.go

@@ -1,15 +1,11 @@
 package web
 
 import (
-	"encoding/base64"
 	"fmt"
 	"io"
 	"net/http"
-	"os"
-	"path"
 
 	"github.com/gorilla/mux"
-	"github.com/gorilla/securecookie"
 	"github.com/prometheus/client_golang/prometheus"
 	"github.com/prometheus/client_golang/prometheus/promauto"
 	"github.com/prometheus/client_golang/prometheus/promhttp"
@@ -18,25 +14,14 @@ import (
 	"goauthentik.io/internal/utils/sentry"
 )
 
-const MetricsKeyFile = "authentik-core-metrics.key"
-
 var Requests = promauto.NewHistogramVec(prometheus.HistogramOpts{
 	Name: "authentik_main_request_duration_seconds",
 	Help: "API request latencies in seconds",
 }, []string{"dest"})
 
 func (ws *WebServer) runMetricsServer() {
-	l := log.WithField("logger", "authentik.router.metrics")
-	tmp := os.TempDir()
-	key := base64.StdEncoding.EncodeToString(securecookie.GenerateRandomKey(64))
-	keyPath := path.Join(tmp, MetricsKeyFile)
-	err := os.WriteFile(keyPath, []byte(key), 0o600)
-	if err != nil {
-		l.WithError(err).Warning("failed to save metrics key")
-		return
-	}
-
 	m := mux.NewRouter()
+	l := log.WithField("logger", "authentik.router.metrics")
 	m.Use(sentry.SentryNoSampleMiddleware)
 	m.Path("/metrics").HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
 		promhttp.InstrumentMetricHandler(
@@ -51,7 +36,7 @@ func (ws *WebServer) runMetricsServer() {
 			l.WithError(err).Warning("failed to get upstream metrics")
 			return
 		}
-		re.Header.Set("Authorization", fmt.Sprintf("Bearer %s", key))
+		re.SetBasicAuth("monitor", config.Get().SecretKey)
 		res, err := ws.upstreamHttpClient().Do(re)
 		if err != nil {
 			l.WithError(err).Warning("failed to get upstream metrics")
@@ -64,13 +49,9 @@ func (ws *WebServer) runMetricsServer() {
 		}
 	})
 	l.WithField("listen", config.Get().Listen.Metrics).Info("Starting Metrics server")
-	err = http.ListenAndServe(config.Get().Listen.Metrics, m)
+	err := http.ListenAndServe(config.Get().Listen.Metrics, m)
 	if err != nil {
 		l.WithError(err).Warning("Failed to start metrics server")
 	}
 	l.WithField("listen", config.Get().Listen.Metrics).Info("Stopping Metrics server")
-	err = os.Remove(keyPath)
-	if err != nil {
-		l.WithError(err).Warning("failed to remove metrics key file")
-	}
 }

internal/web/static.go

@@ -42,11 +42,8 @@ func (ws *WebServer) configureStatic() {
 
 	// Media files, if backend is file
 	if config.Get().Storage.Media.Backend == "file" {
-		fsMedia := http.StripPrefix("/media", http.FileServer(http.Dir(config.Get().Storage.Media.File.Path)))
-		staticRouter.PathPrefix("/media/").HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		    w.Header().Set("Content-Security-Policy", "default-src 'none'; style-src 'unsafe-inline'; sandbox")
-		    fsMedia.ServeHTTP(w, r)
-		})
+		fsMedia := http.FileServer(http.Dir(config.Get().Storage.Media.File.Path))
+		staticRouter.PathPrefix("/media/").Handler(http.StripPrefix("/media", fsMedia))
 	}
 
 	staticRouter.PathPrefix("/if/help/").Handler(http.StripPrefix("/if/help/", http.FileServer(http.Dir("./website/help/"))))

internal/web/web.go

@@ -53,7 +53,7 @@ func NewWebServer() *WebServer {
 	loggingHandler.Use(web.NewLoggingHandler(l, nil))
 
 	tmp := os.TempDir()
-	socketPath := path.Join(tmp, UnixSocketName)
+	socketPath := path.Join(tmp, "authentik-core.sock")
 
 	// create http client to talk to backend, normal client if we're in debug more
 	// and a client that connects to our socket when in non debug mode

locale/it/LC_MESSAGES/django.po

@@ -19,7 +19,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2024-11-18 00:09+0000\n"
+"POT-Creation-Date: 2024-10-28 00:09+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
 "Last-Translator: tom max, 2024\n"
 "Language-Team: Italian (https://app.transifex.com/authentik/teams/119923/it/)\n"
@@ -121,10 +121,6 @@ msgstr "Brand"
 msgid "Brands"
 msgstr "Brands"
 
-#: authentik/core/api/devices.py
-msgid "Extra description not available"
-msgstr "Descrizione extra non disponibile"
-
 #: authentik/core/api/providers.py
 msgid ""
 "When not set all providers are returned. When set to true, only backchannel "
@@ -135,11 +131,6 @@ msgstr ""
 " vengono restituiti solo i provider di backchannel. Se impostato su falso, i"
 " provider di backchannel vengono esclusi"
 
-#: authentik/core/api/transactional_applications.py
-#, python-brace-format
-msgid "User lacks permission to create {model}"
-msgstr "L'utente non ha i diritti per creare {model}"
-
 #: authentik/core/api/users.py
 msgid "No leading or trailing slashes allowed."
 msgstr "Non sono consentite barre oblique iniziali o finali."
@@ -1249,10 +1240,6 @@ msgstr ""
 msgid "Password not set in context"
 msgstr "Password non impostata nel contesto"
 
-#: authentik/policies/password/models.py
-msgid "Invalid password."
-msgstr "Password invalida."
-
 #: authentik/policies/password/models.py
 #, python-format
 msgid "Password exists on %(count)d online lists."
@@ -3563,12 +3550,6 @@ msgstr ""
 msgid "Globally enable/disable impersonation."
 msgstr "Abilita/disabilita globalmente la l'impersonazione."
 
-#: authentik/tenants/models.py
-msgid "Require administrators to provide a reason for impersonating a user."
-msgstr ""
-"Richiedi agli amministratori di fornire una ragione per impersonare un "
-"utente."
-
 #: authentik/tenants/models.py
 msgid "Default token duration"
 msgstr "Durata token predefinita"

package.json

@@ -1,5 +1,5 @@
 {
     "name": "@goauthentik/authentik",
-    "version": "2024.10.4",
+    "version": "2024.10.2",
     "private": true
 }

poetry.lock

@@ -560,55 +560,48 @@ files = [
 
 [[package]]
 name = "cbor2"
-version = "5.6.5"
+version = "5.6.4"
 description = "CBOR (de)serializer with extensive tag support"
 optional = false
 python-versions = ">=3.8"
 files = [
-    {file = "cbor2-5.6.5-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:e16c4a87fc999b4926f5c8f6c696b0d251b4745bc40f6c5aee51d69b30b15ca2"},
-    {file = "cbor2-5.6.5-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:87026fc838370d69f23ed8572939bd71cea2b3f6c8f8bb8283f573374b4d7f33"},
-    {file = "cbor2-5.6.5-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:a88f029522aec5425fc2f941b3df90da7688b6756bd3f0472ab886d21208acbd"},
-    {file = "cbor2-5.6.5-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:b9d15b638539b68aa5d5eacc56099b4543a38b2d2c896055dccf7e83d24b7955"},
-    {file = "cbor2-5.6.5-cp310-cp310-musllinux_1_2_aarch64.whl", hash = "sha256:47261f54a024839ec649b950013c4de5b5f521afe592a2688eebbe22430df1dc"},
-    {file = "cbor2-5.6.5-cp310-cp310-musllinux_1_2_x86_64.whl", hash = "sha256:559dcf0d897260a9e95e7b43556a62253e84550b77147a1ad4d2c389a2a30192"},
-    {file = "cbor2-5.6.5-cp310-cp310-win_amd64.whl", hash = "sha256:5b856fda4c50c5bc73ed3664e64211fa4f015970ed7a15a4d6361bd48462feaf"},
-    {file = "cbor2-5.6.5-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:863e0983989d56d5071270790e7ed8ddbda88c9e5288efdb759aba2efee670bc"},
-    {file = "cbor2-5.6.5-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:5cff06464b8f4ca6eb9abcba67bda8f8334a058abc01005c8e616728c387ad32"},
-    {file = "cbor2-5.6.5-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:f4c7dbcdc59ea7f5a745d3e30ee5e6b6ff5ce7ac244aa3de6786391b10027bb3"},
-    {file = "cbor2-5.6.5-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:34cf5ab0dc310c3d0196caa6ae062dc09f6c242e2544bea01691fe60c0230596"},
-    {file = "cbor2-5.6.5-cp311-cp311-musllinux_1_2_aarch64.whl", hash = "sha256:6797b824b26a30794f2b169c0575301ca9b74ae99064e71d16e6ba0c9057de51"},
-    {file = "cbor2-5.6.5-cp311-cp311-musllinux_1_2_x86_64.whl", hash = "sha256:73b9647eed1493097db6aad61e03d8f1252080ee041a1755de18000dd2c05f37"},
-    {file = "cbor2-5.6.5-cp311-cp311-win_amd64.whl", hash = "sha256:6e14a1bf6269d25e02ef1d4008e0ce8880aa271d7c6b4c329dba48645764f60e"},
-    {file = "cbor2-5.6.5-cp312-cp312-macosx_10_13_x86_64.whl", hash = "sha256:e25c2aebc9db99af7190e2261168cdde8ed3d639ca06868e4f477cf3a228a8e9"},
-    {file = "cbor2-5.6.5-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:fde21ac1cf29336a31615a2c469a9cb03cf0add3ae480672d4d38cda467d07fc"},
-    {file = "cbor2-5.6.5-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:a8947c102cac79d049eadbd5e2ffb8189952890df7cbc3ee262bbc2f95b011a9"},
-    {file = "cbor2-5.6.5-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:38886c41bebcd7dca57739439455bce759f1e4c551b511f618b8e9c1295b431b"},
-    {file = "cbor2-5.6.5-cp312-cp312-musllinux_1_2_aarch64.whl", hash = "sha256:ae2b49226224e92851c333b91d83292ec62eba53a19c68a79890ce35f1230d70"},
-    {file = "cbor2-5.6.5-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:f2764804ffb6553283fc4afb10a280715905a4cea4d6dc7c90d3e89c4a93bc8d"},
-    {file = "cbor2-5.6.5-cp312-cp312-win_amd64.whl", hash = "sha256:a3ac50485cf67dfaab170a3e7b527630e93cb0a6af8cdaa403054215dff93adf"},
-    {file = "cbor2-5.6.5-cp313-cp313-macosx_10_13_x86_64.whl", hash = "sha256:f0d0a9c5aabd48ecb17acf56004a7542a0b8d8212be52f3102b8218284bd881e"},
-    {file = "cbor2-5.6.5-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:61ceb77e6aa25c11c814d4fe8ec9e3bac0094a1f5bd8a2a8c95694596ea01e08"},
-    {file = "cbor2-5.6.5-cp313-cp313-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:97a7e409b864fecf68b2ace8978eb5df1738799a333ec3ea2b9597bfcdd6d7d2"},
-    {file = "cbor2-5.6.5-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:7f6d69f38f7d788b04c09ef2b06747536624b452b3c8b371ab78ad43b0296fab"},
-    {file = "cbor2-5.6.5-cp313-cp313-musllinux_1_2_aarch64.whl", hash = "sha256:f91e6d74fa6917df31f8757fdd0e154203b0dd0609ec53eb957016a2b474896a"},
-    {file = "cbor2-5.6.5-cp313-cp313-musllinux_1_2_x86_64.whl", hash = "sha256:5ce13a27ef8fddf643fc17a753fe34aa72b251d03c23da6a560c005dc171085b"},
-    {file = "cbor2-5.6.5-cp313-cp313-win_amd64.whl", hash = "sha256:54c72a3207bb2d4480c2c39dad12d7971ce0853a99e3f9b8d559ce6eac84f66f"},
-    {file = "cbor2-5.6.5-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:4586a4f65546243096e56a3f18f29d60752ee9204722377021b3119a03ed99ff"},
-    {file = "cbor2-5.6.5-cp38-cp38-macosx_11_0_arm64.whl", hash = "sha256:3d1a18b3a58dcd9b40ab55c726160d4a6b74868f2a35b71f9e726268b46dc6a2"},
-    {file = "cbor2-5.6.5-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:a83b76367d1c3e69facbcb8cdf65ed6948678e72f433137b41d27458aa2a40cb"},
-    {file = "cbor2-5.6.5-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:90bfa36944caccec963e6ab7e01e64e31cc6664535dc06e6295ee3937c999cbb"},
-    {file = "cbor2-5.6.5-cp38-cp38-musllinux_1_2_aarch64.whl", hash = "sha256:37096663a5a1c46a776aea44906cbe5fa3952f29f50f349179c00525d321c862"},
-    {file = "cbor2-5.6.5-cp38-cp38-musllinux_1_2_x86_64.whl", hash = "sha256:93676af02bd9a0b4a62c17c5b20f8e9c37b5019b1a24db70a2ee6cb770423568"},
-    {file = "cbor2-5.6.5-cp38-cp38-win_amd64.whl", hash = "sha256:8f747b7a9aaa58881a0c5b4cd4a9b8fb27eca984ed261a769b61de1f6b5bd1e6"},
-    {file = "cbor2-5.6.5-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:94885903105eec66d7efb55f4ce9884fdc5a4d51f3bd75b6fedc68c5c251511b"},
-    {file = "cbor2-5.6.5-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:fe11c2eb518c882cfbeed456e7a552e544893c17db66fe5d3230dbeaca6b615c"},
-    {file = "cbor2-5.6.5-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:66dd25dd919cddb0b36f97f9ccfa51947882f064729e65e6bef17c28535dc459"},
-    {file = "cbor2-5.6.5-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:fa61a02995f3a996c03884cf1a0b5733f88cbfd7fa0e34944bf678d4227ee712"},
-    {file = "cbor2-5.6.5-cp39-cp39-musllinux_1_2_aarch64.whl", hash = "sha256:824f202b556fc204e2e9a67d6d6d624e150fbd791278ccfee24e68caec578afd"},
-    {file = "cbor2-5.6.5-cp39-cp39-musllinux_1_2_x86_64.whl", hash = "sha256:7488aec919f8408f9987a3a32760bd385d8628b23a35477917aa3923ff6ad45f"},
-    {file = "cbor2-5.6.5-cp39-cp39-win_amd64.whl", hash = "sha256:a34ee99e86b17444ecbe96d54d909dd1a20e2da9f814ae91b8b71cf1ee2a95e4"},
-    {file = "cbor2-5.6.5-py3-none-any.whl", hash = "sha256:3038523b8fc7de312bb9cdcbbbd599987e64307c4db357cd2030c472a6c7d468"},
-    {file = "cbor2-5.6.5.tar.gz", hash = "sha256:b682820677ee1dbba45f7da11898d2720f92e06be36acec290867d5ebf3d7e09"},
+    {file = "cbor2-5.6.4-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:c40c68779a363f47a11ded7b189ba16767391d5eae27fac289e7f62b730ae1fc"},
+    {file = "cbor2-5.6.4-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:c0625c8d3c487e509458459de99bf052f62eb5d773cc9fc141c6a6ea9367726d"},
+    {file = "cbor2-5.6.4-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:de7137622204168c3a57882f15dd09b5135bda2bcb1cf8b56b58d26b5150dfca"},
+    {file = "cbor2-5.6.4-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:e3545e1e62ec48944b81da2c0e0a736ca98b9e4653c2365cae2f10ae871e9113"},
+    {file = "cbor2-5.6.4-cp310-cp310-musllinux_1_1_aarch64.whl", hash = "sha256:d6749913cd00a24eba17406a0bfc872044036c30a37eb2fcde7acfd975317e8a"},
+    {file = "cbor2-5.6.4-cp310-cp310-musllinux_1_1_x86_64.whl", hash = "sha256:57db966ab08443ee54b6f154f72021a41bfecd4ba897fe108728183ad8784a2a"},
+    {file = "cbor2-5.6.4-cp310-cp310-win_amd64.whl", hash = "sha256:380e0c7f4db574dcd86e6eee1b0041863b0aae7efd449d49b0b784cf9a481b9b"},
+    {file = "cbor2-5.6.4-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:5c763d50a1714e0356b90ad39194fc8ef319356b89fb001667a2e836bfde88e3"},
+    {file = "cbor2-5.6.4-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:58a7ac8861857a9f9b0de320a4808a2a5f68a2599b4c14863e2748d5a4686c99"},
+    {file = "cbor2-5.6.4-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:7d715b2f101730335e84a25fe0893e2b6adf049d6d44da123bf243b8c875ffd8"},
+    {file = "cbor2-5.6.4-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:3f53a67600038cb9668720b309fdfafa8c16d1a02570b96d2144d58d66774318"},
+    {file = "cbor2-5.6.4-cp311-cp311-musllinux_1_1_aarch64.whl", hash = "sha256:f898bab20c4f42dca3688c673ff97c2f719b1811090430173c94452603fbcf13"},
+    {file = "cbor2-5.6.4-cp311-cp311-musllinux_1_1_x86_64.whl", hash = "sha256:5e5d50fb9f47d295c1b7f55592111350424283aff4cc88766c656aad0300f11f"},
+    {file = "cbor2-5.6.4-cp311-cp311-win_amd64.whl", hash = "sha256:7f9d867dcd814ab8383ad132eb4063e2b69f6a9f688797b7a8ca34a4eadb3944"},
+    {file = "cbor2-5.6.4-cp312-cp312-macosx_10_9_x86_64.whl", hash = "sha256:e0860ca88edf8aaec5461ce0e498eb5318f1bcc70d93f90091b7a1f1d351a167"},
+    {file = "cbor2-5.6.4-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:c38a0ed495a63a8bef6400158746a9cb03c36f89aeed699be7ffebf82720bf86"},
+    {file = "cbor2-5.6.4-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:0c8d8c2f208c223a61bed48dfd0661694b891e423094ed30bac2ed75032142aa"},
+    {file = "cbor2-5.6.4-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:24cd2ce6136e1985da989e5ba572521023a320dcefad5d1fff57fba261de80ca"},
+    {file = "cbor2-5.6.4-cp312-cp312-musllinux_1_1_aarch64.whl", hash = "sha256:7facce04aed2bf69ef43bdffb725446fe243594c2451921e89cc305bede16f02"},
+    {file = "cbor2-5.6.4-cp312-cp312-musllinux_1_1_x86_64.whl", hash = "sha256:f9c8ee0d89411e5e039a4f3419befe8b43c0dd8746eedc979e73f4c06fe0ef97"},
+    {file = "cbor2-5.6.4-cp312-cp312-win_amd64.whl", hash = "sha256:9b45d554daa540e2f29f1747df9f08f8d98ade65a67b1911791bc193d33a5923"},
+    {file = "cbor2-5.6.4-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:0a5cb2c16687ccd76b38cfbfdb34468ab7d5635fb92c9dc5e07831c1816bd0a9"},
+    {file = "cbor2-5.6.4-cp38-cp38-macosx_11_0_arm64.whl", hash = "sha256:6f985f531f7495527153c4f66c8c143e4cf8a658ec9e87b14bc5438e0a8d0911"},
+    {file = "cbor2-5.6.4-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:a9d9c7b4bd7c3ea7e5587d4f1bbe073b81719530ddadb999b184074f064896e2"},
+    {file = "cbor2-5.6.4-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:64d06184dcdc275c389fee3cd0ea80b5e1769763df15f93ecd0bf4c281817365"},
+    {file = "cbor2-5.6.4-cp38-cp38-musllinux_1_1_aarch64.whl", hash = "sha256:e9ba7116f201860fb4c3e80ef36be63851ec7e4a18af70fea22d09cab0b000bf"},
+    {file = "cbor2-5.6.4-cp38-cp38-musllinux_1_1_x86_64.whl", hash = "sha256:341468ae58bdedaa05c907ab16e90dd0d5c54d7d1e66698dfacdbc16a31e815b"},
+    {file = "cbor2-5.6.4-cp38-cp38-win_amd64.whl", hash = "sha256:bcb4994be1afcc81f9167c220645d878b608cae92e19f6706e770f9bc7bbff6c"},
+    {file = "cbor2-5.6.4-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:41c43abffe217dce70ae51c7086530687670a0995dfc90cc35f32f2cf4d86392"},
+    {file = "cbor2-5.6.4-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:227a7e68ba378fe53741ed892b5b03fe472b5bd23ef26230a71964accebf50a2"},
+    {file = "cbor2-5.6.4-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:13521b7c9a0551fcc812d36afd03fc554fa4e1b193659bb5d4d521889aa81154"},
+    {file = "cbor2-5.6.4-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:6f4816d290535d20c7b7e2663b76da5b0deb4237b90275c202c26343d8852b8a"},
+    {file = "cbor2-5.6.4-cp39-cp39-musllinux_1_1_aarch64.whl", hash = "sha256:1e98d370106821335efcc8fbe4136ea26b4747bf29ca0e66512b6c4f6f5cc59f"},
+    {file = "cbor2-5.6.4-cp39-cp39-musllinux_1_1_x86_64.whl", hash = "sha256:68743a18e16167ff37654a29321f64f0441801dba68359c82dc48173cc6c87e1"},
+    {file = "cbor2-5.6.4-cp39-cp39-win_amd64.whl", hash = "sha256:7ba5e9c6ed17526d266a1116c045c0941f710860c5f2495758df2e0d848c1b6d"},
+    {file = "cbor2-5.6.4-py3-none-any.whl", hash = "sha256:fe411c4bf464f5976605103ebcd0f60b893ac3e4c7c8d8bc8f4a0cb456e33c60"},
+    {file = "cbor2-5.6.4.tar.gz", hash = "sha256:1c533c50dde86bef1c6950602054a0ffa3c376e8b0e20c7b8f5b108793f6983e"},
 ]
 
 [package.extras]
@@ -1146,37 +1139,37 @@ tests = ["django", "hypothesis", "pytest", "pytest-asyncio"]
 
 [[package]]
 name = "debugpy"
-version = "1.8.9"
+version = "1.8.8"
 description = "An implementation of the Debug Adapter Protocol for Python"
 optional = false
 python-versions = ">=3.8"
 files = [
-    {file = "debugpy-1.8.9-cp310-cp310-macosx_14_0_x86_64.whl", hash = "sha256:cfe1e6c6ad7178265f74981edf1154ffce97b69005212fbc90ca22ddfe3d017e"},
-    {file = "debugpy-1.8.9-cp310-cp310-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:ada7fb65102a4d2c9ab62e8908e9e9f12aed9d76ef44880367bc9308ebe49a0f"},
-    {file = "debugpy-1.8.9-cp310-cp310-win32.whl", hash = "sha256:c36856343cbaa448171cba62a721531e10e7ffb0abff838004701454149bc037"},
-    {file = "debugpy-1.8.9-cp310-cp310-win_amd64.whl", hash = "sha256:17c5e0297678442511cf00a745c9709e928ea4ca263d764e90d233208889a19e"},
-    {file = "debugpy-1.8.9-cp311-cp311-macosx_14_0_universal2.whl", hash = "sha256:b74a49753e21e33e7cf030883a92fa607bddc4ede1aa4145172debc637780040"},
-    {file = "debugpy-1.8.9-cp311-cp311-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:62d22dacdb0e296966d7d74a7141aaab4bec123fa43d1a35ddcb39bf9fd29d70"},
-    {file = "debugpy-1.8.9-cp311-cp311-win32.whl", hash = "sha256:8138efff315cd09b8dcd14226a21afda4ca582284bf4215126d87342bba1cc66"},
-    {file = "debugpy-1.8.9-cp311-cp311-win_amd64.whl", hash = "sha256:ff54ef77ad9f5c425398efb150239f6fe8e20c53ae2f68367eba7ece1e96226d"},
-    {file = "debugpy-1.8.9-cp312-cp312-macosx_14_0_universal2.whl", hash = "sha256:957363d9a7a6612a37458d9a15e72d03a635047f946e5fceee74b50d52a9c8e2"},
-    {file = "debugpy-1.8.9-cp312-cp312-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:5e565fc54b680292b418bb809f1386f17081d1346dca9a871bf69a8ac4071afe"},
-    {file = "debugpy-1.8.9-cp312-cp312-win32.whl", hash = "sha256:3e59842d6c4569c65ceb3751075ff8d7e6a6ada209ceca6308c9bde932bcef11"},
-    {file = "debugpy-1.8.9-cp312-cp312-win_amd64.whl", hash = "sha256:66eeae42f3137eb428ea3a86d4a55f28da9bd5a4a3d369ba95ecc3a92c1bba53"},
-    {file = "debugpy-1.8.9-cp313-cp313-macosx_14_0_universal2.whl", hash = "sha256:957ecffff80d47cafa9b6545de9e016ae8c9547c98a538ee96ab5947115fb3dd"},
-    {file = "debugpy-1.8.9-cp313-cp313-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:1efbb3ff61487e2c16b3e033bc8595aea578222c08aaf3c4bf0f93fadbd662ee"},
-    {file = "debugpy-1.8.9-cp313-cp313-win32.whl", hash = "sha256:7c4d65d03bee875bcb211c76c1d8f10f600c305dbd734beaed4077e902606fee"},
-    {file = "debugpy-1.8.9-cp313-cp313-win_amd64.whl", hash = "sha256:e46b420dc1bea64e5bbedd678148be512442bc589b0111bd799367cde051e71a"},
-    {file = "debugpy-1.8.9-cp38-cp38-macosx_14_0_x86_64.whl", hash = "sha256:472a3994999fe6c0756945ffa359e9e7e2d690fb55d251639d07208dbc37caea"},
-    {file = "debugpy-1.8.9-cp38-cp38-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:365e556a4772d7d0d151d7eb0e77ec4db03bcd95f26b67b15742b88cacff88e9"},
-    {file = "debugpy-1.8.9-cp38-cp38-win32.whl", hash = "sha256:54a7e6d3014c408eb37b0b06021366ee985f1539e12fe49ca2ee0d392d9ceca5"},
-    {file = "debugpy-1.8.9-cp38-cp38-win_amd64.whl", hash = "sha256:8e99c0b1cc7bf86d83fb95d5ccdc4ad0586d4432d489d1f54e4055bcc795f693"},
-    {file = "debugpy-1.8.9-cp39-cp39-macosx_14_0_x86_64.whl", hash = "sha256:7e8b079323a56f719977fde9d8115590cb5e7a1cba2fcee0986ef8817116e7c1"},
-    {file = "debugpy-1.8.9-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:6953b335b804a41f16a192fa2e7851bdcfd92173cbb2f9f777bb934f49baab65"},
-    {file = "debugpy-1.8.9-cp39-cp39-win32.whl", hash = "sha256:7e646e62d4602bb8956db88b1e72fe63172148c1e25c041e03b103a25f36673c"},
-    {file = "debugpy-1.8.9-cp39-cp39-win_amd64.whl", hash = "sha256:3d9755e77a2d680ce3d2c5394a444cf42be4a592caaf246dbfbdd100ffcf7ae5"},
-    {file = "debugpy-1.8.9-py2.py3-none-any.whl", hash = "sha256:cc37a6c9987ad743d9c3a14fa1b1a14b7e4e6041f9dd0c8abf8895fe7a97b899"},
-    {file = "debugpy-1.8.9.zip", hash = "sha256:1339e14c7d980407248f09824d1b25ff5c5616651689f1e0f0e51bdead3ea13e"},
+    {file = "debugpy-1.8.8-cp310-cp310-macosx_14_0_x86_64.whl", hash = "sha256:e59b1607c51b71545cb3496876544f7186a7a27c00b436a62f285603cc68d1c6"},
+    {file = "debugpy-1.8.8-cp310-cp310-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:a6531d952b565b7cb2fbd1ef5df3d333cf160b44f37547a4e7cf73666aca5d8d"},
+    {file = "debugpy-1.8.8-cp310-cp310-win32.whl", hash = "sha256:b01f4a5e5c5fb1d34f4ccba99a20ed01eabc45a4684f4948b5db17a319dfb23f"},
+    {file = "debugpy-1.8.8-cp310-cp310-win_amd64.whl", hash = "sha256:535f4fb1c024ddca5913bb0eb17880c8f24ba28aa2c225059db145ee557035e9"},
+    {file = "debugpy-1.8.8-cp311-cp311-macosx_14_0_universal2.whl", hash = "sha256:c399023146e40ae373753a58d1be0a98bf6397fadc737b97ad612886b53df318"},
+    {file = "debugpy-1.8.8-cp311-cp311-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:09cc7b162586ea2171eea055985da2702b0723f6f907a423c9b2da5996ad67ba"},
+    {file = "debugpy-1.8.8-cp311-cp311-win32.whl", hash = "sha256:eea8821d998ebeb02f0625dd0d76839ddde8cbf8152ebbe289dd7acf2cdc6b98"},
+    {file = "debugpy-1.8.8-cp311-cp311-win_amd64.whl", hash = "sha256:d4483836da2a533f4b1454dffc9f668096ac0433de855f0c22cdce8c9f7e10c4"},
+    {file = "debugpy-1.8.8-cp312-cp312-macosx_14_0_universal2.whl", hash = "sha256:0cc94186340be87b9ac5a707184ec8f36547fb66636d1029ff4f1cc020e53996"},
+    {file = "debugpy-1.8.8-cp312-cp312-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:64674e95916e53c2e9540a056e5f489e0ad4872645399d778f7c598eacb7b7f9"},
+    {file = "debugpy-1.8.8-cp312-cp312-win32.whl", hash = "sha256:5c6e885dbf12015aed73770f29dec7023cb310d0dc2ba8bfbeb5c8e43f80edc9"},
+    {file = "debugpy-1.8.8-cp312-cp312-win_amd64.whl", hash = "sha256:19ffbd84e757a6ca0113574d1bf5a2298b3947320a3e9d7d8dc3377f02d9f864"},
+    {file = "debugpy-1.8.8-cp313-cp313-macosx_14_0_universal2.whl", hash = "sha256:705cd123a773d184860ed8dae99becd879dfec361098edbefb5fc0d3683eb804"},
+    {file = "debugpy-1.8.8-cp313-cp313-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:890fd16803f50aa9cb1a9b9b25b5ec321656dd6b78157c74283de241993d086f"},
+    {file = "debugpy-1.8.8-cp313-cp313-win32.whl", hash = "sha256:90244598214bbe704aa47556ec591d2f9869ff9e042e301a2859c57106649add"},
+    {file = "debugpy-1.8.8-cp313-cp313-win_amd64.whl", hash = "sha256:4b93e4832fd4a759a0c465c967214ed0c8a6e8914bced63a28ddb0dd8c5f078b"},
+    {file = "debugpy-1.8.8-cp38-cp38-macosx_14_0_x86_64.whl", hash = "sha256:143ef07940aeb8e7316de48f5ed9447644da5203726fca378f3a6952a50a9eae"},
+    {file = "debugpy-1.8.8-cp38-cp38-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:f95651bdcbfd3b27a408869a53fbefcc2bcae13b694daee5f1365b1b83a00113"},
+    {file = "debugpy-1.8.8-cp38-cp38-win32.whl", hash = "sha256:26b461123a030e82602a750fb24d7801776aa81cd78404e54ab60e8b5fecdad5"},
+    {file = "debugpy-1.8.8-cp38-cp38-win_amd64.whl", hash = "sha256:f3cbf1833e644a3100eadb6120f25be8a532035e8245584c4f7532937edc652a"},
+    {file = "debugpy-1.8.8-cp39-cp39-macosx_14_0_x86_64.whl", hash = "sha256:53709d4ec586b525724819dc6af1a7703502f7e06f34ded7157f7b1f963bb854"},
+    {file = "debugpy-1.8.8-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:3a9c013077a3a0000e83d97cf9cc9328d2b0bbb31f56b0e99ea3662d29d7a6a2"},
+    {file = "debugpy-1.8.8-cp39-cp39-win32.whl", hash = "sha256:ffe94dd5e9a6739a75f0b85316dc185560db3e97afa6b215628d1b6a17561cb2"},
+    {file = "debugpy-1.8.8-cp39-cp39-win_amd64.whl", hash = "sha256:5c0e5a38c7f9b481bf31277d2f74d2109292179081f11108e668195ef926c0f9"},
+    {file = "debugpy-1.8.8-py2.py3-none-any.whl", hash = "sha256:ec684553aba5b4066d4de510859922419febc710df7bba04fe9e7ef3de15d34f"},
+    {file = "debugpy-1.8.8.zip", hash = "sha256:e6355385db85cbd666be703a96ab7351bc9e6c61d694893206f8001e22aee091"},
 ]
 
 [[package]]
@@ -1797,13 +1790,13 @@ grpcio-gcp = ["grpcio-gcp (>=0.2.2,<1.0.dev0)"]
 
 [[package]]
 name = "google-api-python-client"
-version = "2.154.0"
+version = "2.153.0"
 description = "Google API Client Library for Python"
 optional = false
 python-versions = ">=3.7"
 files = [
-    {file = "google_api_python_client-2.154.0-py2.py3-none-any.whl", hash = "sha256:a521bbbb2ec0ba9d6f307cdd64ed6e21eeac372d1bd7493a4ab5022941f784ad"},
-    {file = "google_api_python_client-2.154.0.tar.gz", hash = "sha256:1b420062e03bfcaa1c79e2e00a612d29a6a934151ceb3d272fe150a656dc8f17"},
+    {file = "google_api_python_client-2.153.0-py2.py3-none-any.whl", hash = "sha256:6ff13bbfa92a57972e33ec3808e18309e5981b8ca1300e5da23bf2b4d6947384"},
+    {file = "google_api_python_client-2.153.0.tar.gz", hash = "sha256:35cce8647f9c163fc04fb4d811fc91aae51954a2bdd74918decbe0e65d791dd2"},
 ]
 
 [package.dependencies]
@@ -2000,58 +1993,51 @@ pyparsing = {version = ">=2.4.2,<3.0.0 || >3.0.0,<3.0.1 || >3.0.1,<3.0.2 || >3.0
 
 [[package]]
 name = "httptools"
-version = "0.6.4"
+version = "0.6.1"
 description = "A collection of framework independent HTTP protocol utils."
 optional = false
 python-versions = ">=3.8.0"
 files = [
-    {file = "httptools-0.6.4-cp310-cp310-macosx_10_9_universal2.whl", hash = "sha256:3c73ce323711a6ffb0d247dcd5a550b8babf0f757e86a52558fe5b86d6fefcc0"},
-    {file = "httptools-0.6.4-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:345c288418f0944a6fe67be8e6afa9262b18c7626c3ef3c28adc5eabc06a68da"},
-    {file = "httptools-0.6.4-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:deee0e3343f98ee8047e9f4c5bc7cedbf69f5734454a94c38ee829fb2d5fa3c1"},
-    {file = "httptools-0.6.4-cp310-cp310-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:ca80b7485c76f768a3bc83ea58373f8db7b015551117375e4918e2aa77ea9b50"},
-    {file = "httptools-0.6.4-cp310-cp310-musllinux_1_2_aarch64.whl", hash = "sha256:90d96a385fa941283ebd231464045187a31ad932ebfa541be8edf5b3c2328959"},
-    {file = "httptools-0.6.4-cp310-cp310-musllinux_1_2_x86_64.whl", hash = "sha256:59e724f8b332319e2875efd360e61ac07f33b492889284a3e05e6d13746876f4"},
-    {file = "httptools-0.6.4-cp310-cp310-win_amd64.whl", hash = "sha256:c26f313951f6e26147833fc923f78f95604bbec812a43e5ee37f26dc9e5a686c"},
-    {file = "httptools-0.6.4-cp311-cp311-macosx_10_9_universal2.whl", hash = "sha256:f47f8ed67cc0ff862b84a1189831d1d33c963fb3ce1ee0c65d3b0cbe7b711069"},
-    {file = "httptools-0.6.4-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:0614154d5454c21b6410fdf5262b4a3ddb0f53f1e1721cfd59d55f32138c578a"},
-    {file = "httptools-0.6.4-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:f8787367fbdfccae38e35abf7641dafc5310310a5987b689f4c32cc8cc3ee975"},
-    {file = "httptools-0.6.4-cp311-cp311-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:40b0f7fe4fd38e6a507bdb751db0379df1e99120c65fbdc8ee6c1d044897a636"},
-    {file = "httptools-0.6.4-cp311-cp311-musllinux_1_2_aarch64.whl", hash = "sha256:40a5ec98d3f49904b9fe36827dcf1aadfef3b89e2bd05b0e35e94f97c2b14721"},
-    {file = "httptools-0.6.4-cp311-cp311-musllinux_1_2_x86_64.whl", hash = "sha256:dacdd3d10ea1b4ca9df97a0a303cbacafc04b5cd375fa98732678151643d4988"},
-    {file = "httptools-0.6.4-cp311-cp311-win_amd64.whl", hash = "sha256:288cd628406cc53f9a541cfaf06041b4c71d751856bab45e3702191f931ccd17"},
-    {file = "httptools-0.6.4-cp312-cp312-macosx_10_13_universal2.whl", hash = "sha256:df017d6c780287d5c80601dafa31f17bddb170232d85c066604d8558683711a2"},
-    {file = "httptools-0.6.4-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:85071a1e8c2d051b507161f6c3e26155b5c790e4e28d7f236422dbacc2a9cc44"},
-    {file = "httptools-0.6.4-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:69422b7f458c5af875922cdb5bd586cc1f1033295aa9ff63ee196a87519ac8e1"},
-    {file = "httptools-0.6.4-cp312-cp312-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:16e603a3bff50db08cd578d54f07032ca1631450ceb972c2f834c2b860c28ea2"},
-    {file = "httptools-0.6.4-cp312-cp312-musllinux_1_2_aarch64.whl", hash = "sha256:ec4f178901fa1834d4a060320d2f3abc5c9e39766953d038f1458cb885f47e81"},
-    {file = "httptools-0.6.4-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:f9eb89ecf8b290f2e293325c646a211ff1c2493222798bb80a530c5e7502494f"},
-    {file = "httptools-0.6.4-cp312-cp312-win_amd64.whl", hash = "sha256:db78cb9ca56b59b016e64b6031eda5653be0589dba2b1b43453f6e8b405a0970"},
-    {file = "httptools-0.6.4-cp313-cp313-macosx_10_13_universal2.whl", hash = "sha256:ade273d7e767d5fae13fa637f4d53b6e961fb7fd93c7797562663f0171c26660"},
-    {file = "httptools-0.6.4-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:856f4bc0478ae143bad54a4242fccb1f3f86a6e1be5548fecfd4102061b3a083"},
-    {file = "httptools-0.6.4-cp313-cp313-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:322d20ea9cdd1fa98bd6a74b77e2ec5b818abdc3d36695ab402a0de8ef2865a3"},
-    {file = "httptools-0.6.4-cp313-cp313-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:4d87b29bd4486c0093fc64dea80231f7c7f7eb4dc70ae394d70a495ab8436071"},
-    {file = "httptools-0.6.4-cp313-cp313-musllinux_1_2_aarch64.whl", hash = "sha256:342dd6946aa6bda4b8f18c734576106b8a31f2fe31492881a9a160ec84ff4bd5"},
-    {file = "httptools-0.6.4-cp313-cp313-musllinux_1_2_x86_64.whl", hash = "sha256:4b36913ba52008249223042dca46e69967985fb4051951f94357ea681e1f5dc0"},
-    {file = "httptools-0.6.4-cp313-cp313-win_amd64.whl", hash = "sha256:28908df1b9bb8187393d5b5db91435ccc9c8e891657f9cbb42a2541b44c82fc8"},
-    {file = "httptools-0.6.4-cp38-cp38-macosx_10_9_universal2.whl", hash = "sha256:d3f0d369e7ffbe59c4b6116a44d6a8eb4783aae027f2c0b366cf0aa964185dba"},
-    {file = "httptools-0.6.4-cp38-cp38-macosx_11_0_arm64.whl", hash = "sha256:94978a49b8f4569ad607cd4946b759d90b285e39c0d4640c6b36ca7a3ddf2efc"},
-    {file = "httptools-0.6.4-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:40dc6a8e399e15ea525305a2ddba998b0af5caa2566bcd79dcbe8948181eeaff"},
-    {file = "httptools-0.6.4-cp38-cp38-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:ab9ba8dcf59de5181f6be44a77458e45a578fc99c31510b8c65b7d5acc3cf490"},
-    {file = "httptools-0.6.4-cp38-cp38-musllinux_1_2_aarch64.whl", hash = "sha256:fc411e1c0a7dcd2f902c7c48cf079947a7e65b5485dea9decb82b9105ca71a43"},
-    {file = "httptools-0.6.4-cp38-cp38-musllinux_1_2_x86_64.whl", hash = "sha256:d54efd20338ac52ba31e7da78e4a72570cf729fac82bc31ff9199bedf1dc7440"},
-    {file = "httptools-0.6.4-cp38-cp38-win_amd64.whl", hash = "sha256:df959752a0c2748a65ab5387d08287abf6779ae9165916fe053e68ae1fbdc47f"},
-    {file = "httptools-0.6.4-cp39-cp39-macosx_10_9_universal2.whl", hash = "sha256:85797e37e8eeaa5439d33e556662cc370e474445d5fab24dcadc65a8ffb04003"},
-    {file = "httptools-0.6.4-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:db353d22843cf1028f43c3651581e4bb49374d85692a85f95f7b9a130e1b2cab"},
-    {file = "httptools-0.6.4-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:d1ffd262a73d7c28424252381a5b854c19d9de5f56f075445d33919a637e3547"},
-    {file = "httptools-0.6.4-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:703c346571fa50d2e9856a37d7cd9435a25e7fd15e236c397bf224afaa355fe9"},
-    {file = "httptools-0.6.4-cp39-cp39-musllinux_1_2_aarch64.whl", hash = "sha256:aafe0f1918ed07b67c1e838f950b1c1fabc683030477e60b335649b8020e1076"},
-    {file = "httptools-0.6.4-cp39-cp39-musllinux_1_2_x86_64.whl", hash = "sha256:0e563e54979e97b6d13f1bbc05a96109923e76b901f786a5eae36e99c01237bd"},
-    {file = "httptools-0.6.4-cp39-cp39-win_amd64.whl", hash = "sha256:b799de31416ecc589ad79dd85a0b2657a8fe39327944998dea368c1d4c9e55e6"},
-    {file = "httptools-0.6.4.tar.gz", hash = "sha256:4e93eee4add6493b59a5c514da98c939b244fce4a0d8879cd3f466562f4b7d5c"},
+    {file = "httptools-0.6.1-cp310-cp310-macosx_10_9_universal2.whl", hash = "sha256:d2f6c3c4cb1948d912538217838f6e9960bc4a521d7f9b323b3da579cd14532f"},
+    {file = "httptools-0.6.1-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:00d5d4b68a717765b1fabfd9ca755bd12bf44105eeb806c03d1962acd9b8e563"},
+    {file = "httptools-0.6.1-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:639dc4f381a870c9ec860ce5c45921db50205a37cc3334e756269736ff0aac58"},
+    {file = "httptools-0.6.1-cp310-cp310-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:e57997ac7fb7ee43140cc03664de5f268813a481dff6245e0075925adc6aa185"},
+    {file = "httptools-0.6.1-cp310-cp310-musllinux_1_1_aarch64.whl", hash = "sha256:0ac5a0ae3d9f4fe004318d64b8a854edd85ab76cffbf7ef5e32920faef62f142"},
+    {file = "httptools-0.6.1-cp310-cp310-musllinux_1_1_x86_64.whl", hash = "sha256:3f30d3ce413088a98b9db71c60a6ada2001a08945cb42dd65a9a9fe228627658"},
+    {file = "httptools-0.6.1-cp310-cp310-win_amd64.whl", hash = "sha256:1ed99a373e327f0107cb513b61820102ee4f3675656a37a50083eda05dc9541b"},
+    {file = "httptools-0.6.1-cp311-cp311-macosx_10_9_universal2.whl", hash = "sha256:7a7ea483c1a4485c71cb5f38be9db078f8b0e8b4c4dc0210f531cdd2ddac1ef1"},
+    {file = "httptools-0.6.1-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:85ed077c995e942b6f1b07583e4eb0a8d324d418954fc6af913d36db7c05a5a0"},
+    {file = "httptools-0.6.1-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:8b0bb634338334385351a1600a73e558ce619af390c2b38386206ac6a27fecfc"},
+    {file = "httptools-0.6.1-cp311-cp311-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:7d9ceb2c957320def533671fc9c715a80c47025139c8d1f3797477decbc6edd2"},
+    {file = "httptools-0.6.1-cp311-cp311-musllinux_1_1_aarch64.whl", hash = "sha256:4f0f8271c0a4db459f9dc807acd0eadd4839934a4b9b892f6f160e94da309837"},
+    {file = "httptools-0.6.1-cp311-cp311-musllinux_1_1_x86_64.whl", hash = "sha256:6a4f5ccead6d18ec072ac0b84420e95d27c1cdf5c9f1bc8fbd8daf86bd94f43d"},
+    {file = "httptools-0.6.1-cp311-cp311-win_amd64.whl", hash = "sha256:5cceac09f164bcba55c0500a18fe3c47df29b62353198e4f37bbcc5d591172c3"},
+    {file = "httptools-0.6.1-cp312-cp312-macosx_10_9_universal2.whl", hash = "sha256:75c8022dca7935cba14741a42744eee13ba05db00b27a4b940f0d646bd4d56d0"},
+    {file = "httptools-0.6.1-cp312-cp312-macosx_10_9_x86_64.whl", hash = "sha256:48ed8129cd9a0d62cf4d1575fcf90fb37e3ff7d5654d3a5814eb3d55f36478c2"},
+    {file = "httptools-0.6.1-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:6f58e335a1402fb5a650e271e8c2d03cfa7cea46ae124649346d17bd30d59c90"},
+    {file = "httptools-0.6.1-cp312-cp312-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:93ad80d7176aa5788902f207a4e79885f0576134695dfb0fefc15b7a4648d503"},
+    {file = "httptools-0.6.1-cp312-cp312-musllinux_1_1_aarch64.whl", hash = "sha256:9bb68d3a085c2174c2477eb3ffe84ae9fb4fde8792edb7bcd09a1d8467e30a84"},
+    {file = "httptools-0.6.1-cp312-cp312-musllinux_1_1_x86_64.whl", hash = "sha256:b512aa728bc02354e5ac086ce76c3ce635b62f5fbc32ab7082b5e582d27867bb"},
+    {file = "httptools-0.6.1-cp312-cp312-win_amd64.whl", hash = "sha256:97662ce7fb196c785344d00d638fc9ad69e18ee4bfb4000b35a52efe5adcc949"},
+    {file = "httptools-0.6.1-cp38-cp38-macosx_10_9_universal2.whl", hash = "sha256:8e216a038d2d52ea13fdd9b9c9c7459fb80d78302b257828285eca1c773b99b3"},
+    {file = "httptools-0.6.1-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:3e802e0b2378ade99cd666b5bffb8b2a7cc8f3d28988685dc300469ea8dd86cb"},
+    {file = "httptools-0.6.1-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:4bd3e488b447046e386a30f07af05f9b38d3d368d1f7b4d8f7e10af85393db97"},
+    {file = "httptools-0.6.1-cp38-cp38-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:fe467eb086d80217b7584e61313ebadc8d187a4d95bb62031b7bab4b205c3ba3"},
+    {file = "httptools-0.6.1-cp38-cp38-musllinux_1_1_aarch64.whl", hash = "sha256:3c3b214ce057c54675b00108ac42bacf2ab8f85c58e3f324a4e963bbc46424f4"},
+    {file = "httptools-0.6.1-cp38-cp38-musllinux_1_1_x86_64.whl", hash = "sha256:8ae5b97f690badd2ca27cbf668494ee1b6d34cf1c464271ef7bfa9ca6b83ffaf"},
+    {file = "httptools-0.6.1-cp38-cp38-win_amd64.whl", hash = "sha256:405784577ba6540fa7d6ff49e37daf104e04f4b4ff2d1ac0469eaa6a20fde084"},
+    {file = "httptools-0.6.1-cp39-cp39-macosx_10_9_universal2.whl", hash = "sha256:95fb92dd3649f9cb139e9c56604cc2d7c7bf0fc2e7c8d7fbd58f96e35eddd2a3"},
+    {file = "httptools-0.6.1-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:dcbab042cc3ef272adc11220517278519adf8f53fd3056d0e68f0a6f891ba94e"},
+    {file = "httptools-0.6.1-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:0cf2372e98406efb42e93bfe10f2948e467edfd792b015f1b4ecd897903d3e8d"},
+    {file = "httptools-0.6.1-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:678fcbae74477a17d103b7cae78b74800d795d702083867ce160fc202104d0da"},
+    {file = "httptools-0.6.1-cp39-cp39-musllinux_1_1_aarch64.whl", hash = "sha256:e0b281cf5a125c35f7f6722b65d8542d2e57331be573e9e88bc8b0115c4a7a81"},
+    {file = "httptools-0.6.1-cp39-cp39-musllinux_1_1_x86_64.whl", hash = "sha256:95658c342529bba4e1d3d2b1a874db16c7cca435e8827422154c9da76ac4e13a"},
+    {file = "httptools-0.6.1-cp39-cp39-win_amd64.whl", hash = "sha256:7ebaec1bf683e4bf5e9fbb49b8cc36da482033596a415b3e4ebab5a4c0d7ec5e"},
+    {file = "httptools-0.6.1.tar.gz", hash = "sha256:c6e26c30455600b95d94b1b836085138e82f177351454ee841c148f93a9bad5a"},
 ]
 
 [package.extras]
-test = ["Cython (>=0.29.24)"]
+test = ["Cython (>=0.29.24,<0.30.0)"]
 
 [[package]]
 name = "httpx"
@@ -3725,20 +3711,20 @@ files = [
 
 [[package]]
 name = "pydantic"
-version = "2.10.1"
+version = "2.9.2"
 description = "Data validation using Python type hints"
 optional = false
 python-versions = ">=3.8"
 files = [
-    {file = "pydantic-2.10.1-py3-none-any.whl", hash = "sha256:a8d20db84de64cf4a7d59e899c2caf0fe9d660c7cfc482528e7020d7dd189a7e"},
-    {file = "pydantic-2.10.1.tar.gz", hash = "sha256:a4daca2dc0aa429555e0656d6bf94873a7dc5f54ee42b1f5873d666fb3f35560"},
+    {file = "pydantic-2.9.2-py3-none-any.whl", hash = "sha256:f048cec7b26778210e28a0459867920654d48e5e62db0958433636cde4254f12"},
+    {file = "pydantic-2.9.2.tar.gz", hash = "sha256:d155cef71265d1e9807ed1c32b4c8deec042a44a50a4188b25ac67ecd81a9c0f"},
 ]
 
 [package.dependencies]
 annotated-types = ">=0.6.0"
 email-validator = {version = ">=2.0.0", optional = true, markers = "extra == \"email\""}
-pydantic-core = "2.27.1"
-typing-extensions = ">=4.12.2"
+pydantic-core = "2.23.4"
+typing-extensions = {version = ">=4.6.1", markers = "python_version < \"3.13\""}
 
 [package.extras]
 email = ["email-validator (>=2.0.0)"]
@@ -3746,111 +3732,100 @@ timezone = ["tzdata"]
 
 [[package]]
 name = "pydantic-core"
-version = "2.27.1"
+version = "2.23.4"
 description = "Core functionality for Pydantic validation and serialization"
 optional = false
 python-versions = ">=3.8"
 files = [
-    {file = "pydantic_core-2.27.1-cp310-cp310-macosx_10_12_x86_64.whl", hash = "sha256:71a5e35c75c021aaf400ac048dacc855f000bdfed91614b4a726f7432f1f3d6a"},
-    {file = "pydantic_core-2.27.1-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:f82d068a2d6ecfc6e054726080af69a6764a10015467d7d7b9f66d6ed5afa23b"},
-    {file = "pydantic_core-2.27.1-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:121ceb0e822f79163dd4699e4c54f5ad38b157084d97b34de8b232bcaad70278"},
-    {file = "pydantic_core-2.27.1-cp310-cp310-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:4603137322c18eaf2e06a4495f426aa8d8388940f3c457e7548145011bb68e05"},
-    {file = "pydantic_core-2.27.1-cp310-cp310-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:a33cd6ad9017bbeaa9ed78a2e0752c5e250eafb9534f308e7a5f7849b0b1bfb4"},
-    {file = "pydantic_core-2.27.1-cp310-cp310-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:15cc53a3179ba0fcefe1e3ae50beb2784dede4003ad2dfd24f81bba4b23a454f"},
-    {file = "pydantic_core-2.27.1-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:45d9c5eb9273aa50999ad6adc6be5e0ecea7e09dbd0d31bd0c65a55a2592ca08"},
-    {file = "pydantic_core-2.27.1-cp310-cp310-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:8bf7b66ce12a2ac52d16f776b31d16d91033150266eb796967a7e4621707e4f6"},
-    {file = "pydantic_core-2.27.1-cp310-cp310-musllinux_1_1_aarch64.whl", hash = "sha256:655d7dd86f26cb15ce8a431036f66ce0318648f8853d709b4167786ec2fa4807"},
-    {file = "pydantic_core-2.27.1-cp310-cp310-musllinux_1_1_armv7l.whl", hash = "sha256:5556470f1a2157031e676f776c2bc20acd34c1990ca5f7e56f1ebf938b9ab57c"},
-    {file = "pydantic_core-2.27.1-cp310-cp310-musllinux_1_1_x86_64.whl", hash = "sha256:f69ed81ab24d5a3bd93861c8c4436f54afdf8e8cc421562b0c7504cf3be58206"},
-    {file = "pydantic_core-2.27.1-cp310-none-win32.whl", hash = "sha256:f5a823165e6d04ccea61a9f0576f345f8ce40ed533013580e087bd4d7442b52c"},
-    {file = "pydantic_core-2.27.1-cp310-none-win_amd64.whl", hash = "sha256:57866a76e0b3823e0b56692d1a0bf722bffb324839bb5b7226a7dbd6c9a40b17"},
-    {file = "pydantic_core-2.27.1-cp311-cp311-macosx_10_12_x86_64.whl", hash = "sha256:ac3b20653bdbe160febbea8aa6c079d3df19310d50ac314911ed8cc4eb7f8cb8"},
-    {file = "pydantic_core-2.27.1-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:a5a8e19d7c707c4cadb8c18f5f60c843052ae83c20fa7d44f41594c644a1d330"},
-    {file = "pydantic_core-2.27.1-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:7f7059ca8d64fea7f238994c97d91f75965216bcbe5f695bb44f354893f11d52"},
-    {file = "pydantic_core-2.27.1-cp311-cp311-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:bed0f8a0eeea9fb72937ba118f9db0cb7e90773462af7962d382445f3005e5a4"},
-    {file = "pydantic_core-2.27.1-cp311-cp311-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:a3cb37038123447cf0f3ea4c74751f6a9d7afef0eb71aa07bf5f652b5e6a132c"},
-    {file = "pydantic_core-2.27.1-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:84286494f6c5d05243456e04223d5a9417d7f443c3b76065e75001beb26f88de"},
-    {file = "pydantic_core-2.27.1-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:acc07b2cfc5b835444b44a9956846b578d27beeacd4b52e45489e93276241025"},
-    {file = "pydantic_core-2.27.1-cp311-cp311-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:4fefee876e07a6e9aad7a8c8c9f85b0cdbe7df52b8a9552307b09050f7512c7e"},
-    {file = "pydantic_core-2.27.1-cp311-cp311-musllinux_1_1_aarch64.whl", hash = "sha256:258c57abf1188926c774a4c94dd29237e77eda19462e5bb901d88adcab6af919"},
-    {file = "pydantic_core-2.27.1-cp311-cp311-musllinux_1_1_armv7l.whl", hash = "sha256:35c14ac45fcfdf7167ca76cc80b2001205a8d5d16d80524e13508371fb8cdd9c"},
-    {file = "pydantic_core-2.27.1-cp311-cp311-musllinux_1_1_x86_64.whl", hash = "sha256:d1b26e1dff225c31897696cab7d4f0a315d4c0d9e8666dbffdb28216f3b17fdc"},
-    {file = "pydantic_core-2.27.1-cp311-none-win32.whl", hash = "sha256:2cdf7d86886bc6982354862204ae3b2f7f96f21a3eb0ba5ca0ac42c7b38598b9"},
-    {file = "pydantic_core-2.27.1-cp311-none-win_amd64.whl", hash = "sha256:3af385b0cee8df3746c3f406f38bcbfdc9041b5c2d5ce3e5fc6637256e60bbc5"},
-    {file = "pydantic_core-2.27.1-cp311-none-win_arm64.whl", hash = "sha256:81f2ec23ddc1b476ff96563f2e8d723830b06dceae348ce02914a37cb4e74b89"},
-    {file = "pydantic_core-2.27.1-cp312-cp312-macosx_10_12_x86_64.whl", hash = "sha256:9cbd94fc661d2bab2bc702cddd2d3370bbdcc4cd0f8f57488a81bcce90c7a54f"},
-    {file = "pydantic_core-2.27.1-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:5f8c4718cd44ec1580e180cb739713ecda2bdee1341084c1467802a417fe0f02"},
-    {file = "pydantic_core-2.27.1-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:15aae984e46de8d376df515f00450d1522077254ef6b7ce189b38ecee7c9677c"},
-    {file = "pydantic_core-2.27.1-cp312-cp312-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:1ba5e3963344ff25fc8c40da90f44b0afca8cfd89d12964feb79ac1411a260ac"},
-    {file = "pydantic_core-2.27.1-cp312-cp312-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:992cea5f4f3b29d6b4f7f1726ed8ee46c8331c6b4eed6db5b40134c6fe1768bb"},
-    {file = "pydantic_core-2.27.1-cp312-cp312-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:0325336f348dbee6550d129b1627cb8f5351a9dc91aad141ffb96d4937bd9529"},
-    {file = "pydantic_core-2.27.1-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:7597c07fbd11515f654d6ece3d0e4e5093edc30a436c63142d9a4b8e22f19c35"},
-    {file = "pydantic_core-2.27.1-cp312-cp312-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:3bbd5d8cc692616d5ef6fbbbd50dbec142c7e6ad9beb66b78a96e9c16729b089"},
-    {file = "pydantic_core-2.27.1-cp312-cp312-musllinux_1_1_aarch64.whl", hash = "sha256:dc61505e73298a84a2f317255fcc72b710b72980f3a1f670447a21efc88f8381"},
-    {file = "pydantic_core-2.27.1-cp312-cp312-musllinux_1_1_armv7l.whl", hash = "sha256:e1f735dc43da318cad19b4173dd1ffce1d84aafd6c9b782b3abc04a0d5a6f5bb"},
-    {file = "pydantic_core-2.27.1-cp312-cp312-musllinux_1_1_x86_64.whl", hash = "sha256:f4e5658dbffe8843a0f12366a4c2d1c316dbe09bb4dfbdc9d2d9cd6031de8aae"},
-    {file = "pydantic_core-2.27.1-cp312-none-win32.whl", hash = "sha256:672ebbe820bb37988c4d136eca2652ee114992d5d41c7e4858cdd90ea94ffe5c"},
-    {file = "pydantic_core-2.27.1-cp312-none-win_amd64.whl", hash = "sha256:66ff044fd0bb1768688aecbe28b6190f6e799349221fb0de0e6f4048eca14c16"},
-    {file = "pydantic_core-2.27.1-cp312-none-win_arm64.whl", hash = "sha256:9a3b0793b1bbfd4146304e23d90045f2a9b5fd5823aa682665fbdaf2a6c28f3e"},
-    {file = "pydantic_core-2.27.1-cp313-cp313-macosx_10_12_x86_64.whl", hash = "sha256:f216dbce0e60e4d03e0c4353c7023b202d95cbaeff12e5fd2e82ea0a66905073"},
-    {file = "pydantic_core-2.27.1-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:a2e02889071850bbfd36b56fd6bc98945e23670773bc7a76657e90e6b6603c08"},
-    {file = "pydantic_core-2.27.1-cp313-cp313-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:42b0e23f119b2b456d07ca91b307ae167cc3f6c846a7b169fca5326e32fdc6cf"},
-    {file = "pydantic_core-2.27.1-cp313-cp313-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:764be71193f87d460a03f1f7385a82e226639732214b402f9aa61f0d025f0737"},
-    {file = "pydantic_core-2.27.1-cp313-cp313-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:1c00666a3bd2f84920a4e94434f5974d7bbc57e461318d6bb34ce9cdbbc1f6b2"},
-    {file = "pydantic_core-2.27.1-cp313-cp313-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:3ccaa88b24eebc0f849ce0a4d09e8a408ec5a94afff395eb69baf868f5183107"},
-    {file = "pydantic_core-2.27.1-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:c65af9088ac534313e1963443d0ec360bb2b9cba6c2909478d22c2e363d98a51"},
-    {file = "pydantic_core-2.27.1-cp313-cp313-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:206b5cf6f0c513baffaeae7bd817717140770c74528f3e4c3e1cec7871ddd61a"},
-    {file = "pydantic_core-2.27.1-cp313-cp313-musllinux_1_1_aarch64.whl", hash = "sha256:062f60e512fc7fff8b8a9d680ff0ddaaef0193dba9fa83e679c0c5f5fbd018bc"},
-    {file = "pydantic_core-2.27.1-cp313-cp313-musllinux_1_1_armv7l.whl", hash = "sha256:a0697803ed7d4af5e4c1adf1670af078f8fcab7a86350e969f454daf598c4960"},
-    {file = "pydantic_core-2.27.1-cp313-cp313-musllinux_1_1_x86_64.whl", hash = "sha256:58ca98a950171f3151c603aeea9303ef6c235f692fe555e883591103da709b23"},
-    {file = "pydantic_core-2.27.1-cp313-none-win32.whl", hash = "sha256:8065914ff79f7eab1599bd80406681f0ad08f8e47c880f17b416c9f8f7a26d05"},
-    {file = "pydantic_core-2.27.1-cp313-none-win_amd64.whl", hash = "sha256:ba630d5e3db74c79300d9a5bdaaf6200172b107f263c98a0539eeecb857b2337"},
-    {file = "pydantic_core-2.27.1-cp313-none-win_arm64.whl", hash = "sha256:45cf8588c066860b623cd11c4ba687f8d7175d5f7ef65f7129df8a394c502de5"},
-    {file = "pydantic_core-2.27.1-cp38-cp38-macosx_10_12_x86_64.whl", hash = "sha256:5897bec80a09b4084aee23f9b73a9477a46c3304ad1d2d07acca19723fb1de62"},
-    {file = "pydantic_core-2.27.1-cp38-cp38-macosx_11_0_arm64.whl", hash = "sha256:d0165ab2914379bd56908c02294ed8405c252250668ebcb438a55494c69f44ab"},
-    {file = "pydantic_core-2.27.1-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:6b9af86e1d8e4cfc82c2022bfaa6f459381a50b94a29e95dcdda8442d6d83864"},
-    {file = "pydantic_core-2.27.1-cp38-cp38-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:5f6c8a66741c5f5447e047ab0ba7a1c61d1e95580d64bce852e3df1f895c4067"},
-    {file = "pydantic_core-2.27.1-cp38-cp38-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:9a42d6a8156ff78981f8aa56eb6394114e0dedb217cf8b729f438f643608cbcd"},
-    {file = "pydantic_core-2.27.1-cp38-cp38-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:64c65f40b4cd8b0e049a8edde07e38b476da7e3aaebe63287c899d2cff253fa5"},
-    {file = "pydantic_core-2.27.1-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:9fdcf339322a3fae5cbd504edcefddd5a50d9ee00d968696846f089b4432cf78"},
-    {file = "pydantic_core-2.27.1-cp38-cp38-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:bf99c8404f008750c846cb4ac4667b798a9f7de673ff719d705d9b2d6de49c5f"},
-    {file = "pydantic_core-2.27.1-cp38-cp38-musllinux_1_1_aarch64.whl", hash = "sha256:8f1edcea27918d748c7e5e4d917297b2a0ab80cad10f86631e488b7cddf76a36"},
-    {file = "pydantic_core-2.27.1-cp38-cp38-musllinux_1_1_armv7l.whl", hash = "sha256:159cac0a3d096f79ab6a44d77a961917219707e2a130739c64d4dd46281f5c2a"},
-    {file = "pydantic_core-2.27.1-cp38-cp38-musllinux_1_1_x86_64.whl", hash = "sha256:029d9757eb621cc6e1848fa0b0310310de7301057f623985698ed7ebb014391b"},
-    {file = "pydantic_core-2.27.1-cp38-none-win32.whl", hash = "sha256:a28af0695a45f7060e6f9b7092558a928a28553366519f64083c63a44f70e618"},
-    {file = "pydantic_core-2.27.1-cp38-none-win_amd64.whl", hash = "sha256:2d4567c850905d5eaaed2f7a404e61012a51caf288292e016360aa2b96ff38d4"},
-    {file = "pydantic_core-2.27.1-cp39-cp39-macosx_10_12_x86_64.whl", hash = "sha256:e9386266798d64eeb19dd3677051f5705bf873e98e15897ddb7d76f477131967"},
-    {file = "pydantic_core-2.27.1-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:4228b5b646caa73f119b1ae756216b59cc6e2267201c27d3912b592c5e323b60"},
-    {file = "pydantic_core-2.27.1-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:0b3dfe500de26c52abe0477dde16192ac39c98f05bf2d80e76102d394bd13854"},
-    {file = "pydantic_core-2.27.1-cp39-cp39-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:aee66be87825cdf72ac64cb03ad4c15ffef4143dbf5c113f64a5ff4f81477bf9"},
-    {file = "pydantic_core-2.27.1-cp39-cp39-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:3b748c44bb9f53031c8cbc99a8a061bc181c1000c60a30f55393b6e9c45cc5bd"},
-    {file = "pydantic_core-2.27.1-cp39-cp39-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:5ca038c7f6a0afd0b2448941b6ef9d5e1949e999f9e5517692eb6da58e9d44be"},
-    {file = "pydantic_core-2.27.1-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:6e0bd57539da59a3e4671b90a502da9a28c72322a4f17866ba3ac63a82c4498e"},
-    {file = "pydantic_core-2.27.1-cp39-cp39-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:ac6c2c45c847bbf8f91930d88716a0fb924b51e0c6dad329b793d670ec5db792"},
-    {file = "pydantic_core-2.27.1-cp39-cp39-musllinux_1_1_aarch64.whl", hash = "sha256:b94d4ba43739bbe8b0ce4262bcc3b7b9f31459ad120fb595627eaeb7f9b9ca01"},
-    {file = "pydantic_core-2.27.1-cp39-cp39-musllinux_1_1_armv7l.whl", hash = "sha256:00e6424f4b26fe82d44577b4c842d7df97c20be6439e8e685d0d715feceb9fb9"},
-    {file = "pydantic_core-2.27.1-cp39-cp39-musllinux_1_1_x86_64.whl", hash = "sha256:38de0a70160dd97540335b7ad3a74571b24f1dc3ed33f815f0880682e6880131"},
-    {file = "pydantic_core-2.27.1-cp39-none-win32.whl", hash = "sha256:7ccebf51efc61634f6c2344da73e366c75e735960b5654b63d7e6f69a5885fa3"},
-    {file = "pydantic_core-2.27.1-cp39-none-win_amd64.whl", hash = "sha256:a57847b090d7892f123726202b7daa20df6694cbd583b67a592e856bff603d6c"},
-    {file = "pydantic_core-2.27.1-pp310-pypy310_pp73-macosx_10_12_x86_64.whl", hash = "sha256:3fa80ac2bd5856580e242dbc202db873c60a01b20309c8319b5c5986fbe53ce6"},
-    {file = "pydantic_core-2.27.1-pp310-pypy310_pp73-macosx_11_0_arm64.whl", hash = "sha256:d950caa237bb1954f1b8c9227b5065ba6875ac9771bb8ec790d956a699b78676"},
-    {file = "pydantic_core-2.27.1-pp310-pypy310_pp73-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:0e4216e64d203e39c62df627aa882f02a2438d18a5f21d7f721621f7a5d3611d"},
-    {file = "pydantic_core-2.27.1-pp310-pypy310_pp73-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:02a3d637bd387c41d46b002f0e49c52642281edacd2740e5a42f7017feea3f2c"},
-    {file = "pydantic_core-2.27.1-pp310-pypy310_pp73-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:161c27ccce13b6b0c8689418da3885d3220ed2eae2ea5e9b2f7f3d48f1d52c27"},
-    {file = "pydantic_core-2.27.1-pp310-pypy310_pp73-musllinux_1_1_aarch64.whl", hash = "sha256:19910754e4cc9c63bc1c7f6d73aa1cfee82f42007e407c0f413695c2f7ed777f"},
-    {file = "pydantic_core-2.27.1-pp310-pypy310_pp73-musllinux_1_1_armv7l.whl", hash = "sha256:e173486019cc283dc9778315fa29a363579372fe67045e971e89b6365cc035ed"},
-    {file = "pydantic_core-2.27.1-pp310-pypy310_pp73-musllinux_1_1_x86_64.whl", hash = "sha256:af52d26579b308921b73b956153066481f064875140ccd1dfd4e77db89dbb12f"},
-    {file = "pydantic_core-2.27.1-pp310-pypy310_pp73-win_amd64.whl", hash = "sha256:981fb88516bd1ae8b0cbbd2034678a39dedc98752f264ac9bc5839d3923fa04c"},
-    {file = "pydantic_core-2.27.1-pp39-pypy39_pp73-macosx_10_12_x86_64.whl", hash = "sha256:5fde892e6c697ce3e30c61b239330fc5d569a71fefd4eb6512fc6caec9dd9e2f"},
-    {file = "pydantic_core-2.27.1-pp39-pypy39_pp73-macosx_11_0_arm64.whl", hash = "sha256:816f5aa087094099fff7edabb5e01cc370eb21aa1a1d44fe2d2aefdfb5599b31"},
-    {file = "pydantic_core-2.27.1-pp39-pypy39_pp73-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:9c10c309e18e443ddb108f0ef64e8729363adbfd92d6d57beec680f6261556f3"},
-    {file = "pydantic_core-2.27.1-pp39-pypy39_pp73-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:98476c98b02c8e9b2eec76ac4156fd006628b1b2d0ef27e548ffa978393fd154"},
-    {file = "pydantic_core-2.27.1-pp39-pypy39_pp73-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:c3027001c28434e7ca5a6e1e527487051136aa81803ac812be51802150d880dd"},
-    {file = "pydantic_core-2.27.1-pp39-pypy39_pp73-musllinux_1_1_aarch64.whl", hash = "sha256:7699b1df36a48169cdebda7ab5a2bac265204003f153b4bd17276153d997670a"},
-    {file = "pydantic_core-2.27.1-pp39-pypy39_pp73-musllinux_1_1_armv7l.whl", hash = "sha256:1c39b07d90be6b48968ddc8c19e7585052088fd7ec8d568bb31ff64c70ae3c97"},
-    {file = "pydantic_core-2.27.1-pp39-pypy39_pp73-musllinux_1_1_x86_64.whl", hash = "sha256:46ccfe3032b3915586e469d4972973f893c0a2bb65669194a5bdea9bacc088c2"},
-    {file = "pydantic_core-2.27.1-pp39-pypy39_pp73-win_amd64.whl", hash = "sha256:62ba45e21cf6571d7f716d903b5b7b6d2617e2d5d67c0923dc47b9d41369f840"},
-    {file = "pydantic_core-2.27.1.tar.gz", hash = "sha256:62a763352879b84aa31058fc931884055fd75089cccbd9d58bb6afd01141b235"},
+    {file = "pydantic_core-2.23.4-cp310-cp310-macosx_10_12_x86_64.whl", hash = "sha256:b10bd51f823d891193d4717448fab065733958bdb6a6b351967bd349d48d5c9b"},
+    {file = "pydantic_core-2.23.4-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:4fc714bdbfb534f94034efaa6eadd74e5b93c8fa6315565a222f7b6f42ca1166"},
+    {file = "pydantic_core-2.23.4-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:63e46b3169866bd62849936de036f901a9356e36376079b05efa83caeaa02ceb"},
+    {file = "pydantic_core-2.23.4-cp310-cp310-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:ed1a53de42fbe34853ba90513cea21673481cd81ed1be739f7f2efb931b24916"},
+    {file = "pydantic_core-2.23.4-cp310-cp310-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:cfdd16ab5e59fc31b5e906d1a3f666571abc367598e3e02c83403acabc092e07"},
+    {file = "pydantic_core-2.23.4-cp310-cp310-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:255a8ef062cbf6674450e668482456abac99a5583bbafb73f9ad469540a3a232"},
+    {file = "pydantic_core-2.23.4-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:4a7cd62e831afe623fbb7aabbb4fe583212115b3ef38a9f6b71869ba644624a2"},
+    {file = "pydantic_core-2.23.4-cp310-cp310-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:f09e2ff1f17c2b51f2bc76d1cc33da96298f0a036a137f5440ab3ec5360b624f"},
+    {file = "pydantic_core-2.23.4-cp310-cp310-musllinux_1_1_aarch64.whl", hash = "sha256:e38e63e6f3d1cec5a27e0afe90a085af8b6806ee208b33030e65b6516353f1a3"},
+    {file = "pydantic_core-2.23.4-cp310-cp310-musllinux_1_1_x86_64.whl", hash = "sha256:0dbd8dbed2085ed23b5c04afa29d8fd2771674223135dc9bc937f3c09284d071"},
+    {file = "pydantic_core-2.23.4-cp310-none-win32.whl", hash = "sha256:6531b7ca5f951d663c339002e91aaebda765ec7d61b7d1e3991051906ddde119"},
+    {file = "pydantic_core-2.23.4-cp310-none-win_amd64.whl", hash = "sha256:7c9129eb40958b3d4500fa2467e6a83356b3b61bfff1b414c7361d9220f9ae8f"},
+    {file = "pydantic_core-2.23.4-cp311-cp311-macosx_10_12_x86_64.whl", hash = "sha256:77733e3892bb0a7fa797826361ce8a9184d25c8dffaec60b7ffe928153680ba8"},
+    {file = "pydantic_core-2.23.4-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:1b84d168f6c48fabd1f2027a3d1bdfe62f92cade1fb273a5d68e621da0e44e6d"},
+    {file = "pydantic_core-2.23.4-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:df49e7a0861a8c36d089c1ed57d308623d60416dab2647a4a17fe050ba85de0e"},
+    {file = "pydantic_core-2.23.4-cp311-cp311-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:ff02b6d461a6de369f07ec15e465a88895f3223eb75073ffea56b84d9331f607"},
+    {file = "pydantic_core-2.23.4-cp311-cp311-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:996a38a83508c54c78a5f41456b0103c30508fed9abcad0a59b876d7398f25fd"},
+    {file = "pydantic_core-2.23.4-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:d97683ddee4723ae8c95d1eddac7c192e8c552da0c73a925a89fa8649bf13eea"},
+    {file = "pydantic_core-2.23.4-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:216f9b2d7713eb98cb83c80b9c794de1f6b7e3145eef40400c62e86cee5f4e1e"},
+    {file = "pydantic_core-2.23.4-cp311-cp311-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:6f783e0ec4803c787bcea93e13e9932edab72068f68ecffdf86a99fd5918878b"},
+    {file = "pydantic_core-2.23.4-cp311-cp311-musllinux_1_1_aarch64.whl", hash = "sha256:d0776dea117cf5272382634bd2a5c1b6eb16767c223c6a5317cd3e2a757c61a0"},
+    {file = "pydantic_core-2.23.4-cp311-cp311-musllinux_1_1_x86_64.whl", hash = "sha256:d5f7a395a8cf1621939692dba2a6b6a830efa6b3cee787d82c7de1ad2930de64"},
+    {file = "pydantic_core-2.23.4-cp311-none-win32.whl", hash = "sha256:74b9127ffea03643e998e0c5ad9bd3811d3dac8c676e47db17b0ee7c3c3bf35f"},
+    {file = "pydantic_core-2.23.4-cp311-none-win_amd64.whl", hash = "sha256:98d134c954828488b153d88ba1f34e14259284f256180ce659e8d83e9c05eaa3"},
+    {file = "pydantic_core-2.23.4-cp312-cp312-macosx_10_12_x86_64.whl", hash = "sha256:f3e0da4ebaef65158d4dfd7d3678aad692f7666877df0002b8a522cdf088f231"},
+    {file = "pydantic_core-2.23.4-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:f69a8e0b033b747bb3e36a44e7732f0c99f7edd5cea723d45bc0d6e95377ffee"},
+    {file = "pydantic_core-2.23.4-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:723314c1d51722ab28bfcd5240d858512ffd3116449c557a1336cbe3919beb87"},
+    {file = "pydantic_core-2.23.4-cp312-cp312-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:bb2802e667b7051a1bebbfe93684841cc9351004e2badbd6411bf357ab8d5ac8"},
+    {file = "pydantic_core-2.23.4-cp312-cp312-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:d18ca8148bebe1b0a382a27a8ee60350091a6ddaf475fa05ef50dc35b5df6327"},
+    {file = "pydantic_core-2.23.4-cp312-cp312-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:33e3d65a85a2a4a0dc3b092b938a4062b1a05f3a9abde65ea93b233bca0e03f2"},
+    {file = "pydantic_core-2.23.4-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:128585782e5bfa515c590ccee4b727fb76925dd04a98864182b22e89a4e6ed36"},
+    {file = "pydantic_core-2.23.4-cp312-cp312-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:68665f4c17edcceecc112dfed5dbe6f92261fb9d6054b47d01bf6371a6196126"},
+    {file = "pydantic_core-2.23.4-cp312-cp312-musllinux_1_1_aarch64.whl", hash = "sha256:20152074317d9bed6b7a95ade3b7d6054845d70584216160860425f4fbd5ee9e"},
+    {file = "pydantic_core-2.23.4-cp312-cp312-musllinux_1_1_x86_64.whl", hash = "sha256:9261d3ce84fa1d38ed649c3638feefeae23d32ba9182963e465d58d62203bd24"},
+    {file = "pydantic_core-2.23.4-cp312-none-win32.whl", hash = "sha256:4ba762ed58e8d68657fc1281e9bb72e1c3e79cc5d464be146e260c541ec12d84"},
+    {file = "pydantic_core-2.23.4-cp312-none-win_amd64.whl", hash = "sha256:97df63000f4fea395b2824da80e169731088656d1818a11b95f3b173747b6cd9"},
+    {file = "pydantic_core-2.23.4-cp313-cp313-macosx_10_12_x86_64.whl", hash = "sha256:7530e201d10d7d14abce4fb54cfe5b94a0aefc87da539d0346a484ead376c3cc"},
+    {file = "pydantic_core-2.23.4-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:df933278128ea1cd77772673c73954e53a1c95a4fdf41eef97c2b779271bd0bd"},
+    {file = "pydantic_core-2.23.4-cp313-cp313-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:0cb3da3fd1b6a5d0279a01877713dbda118a2a4fc6f0d821a57da2e464793f05"},
+    {file = "pydantic_core-2.23.4-cp313-cp313-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:42c6dcb030aefb668a2b7009c85b27f90e51e6a3b4d5c9bc4c57631292015b0d"},
+    {file = "pydantic_core-2.23.4-cp313-cp313-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:696dd8d674d6ce621ab9d45b205df149399e4bb9aa34102c970b721554828510"},
+    {file = "pydantic_core-2.23.4-cp313-cp313-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:2971bb5ffe72cc0f555c13e19b23c85b654dd2a8f7ab493c262071377bfce9f6"},
+    {file = "pydantic_core-2.23.4-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:8394d940e5d400d04cad4f75c0598665cbb81aecefaca82ca85bd28264af7f9b"},
+    {file = "pydantic_core-2.23.4-cp313-cp313-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:0dff76e0602ca7d4cdaacc1ac4c005e0ce0dcfe095d5b5259163a80d3a10d327"},
+    {file = "pydantic_core-2.23.4-cp313-cp313-musllinux_1_1_aarch64.whl", hash = "sha256:7d32706badfe136888bdea71c0def994644e09fff0bfe47441deaed8e96fdbc6"},
+    {file = "pydantic_core-2.23.4-cp313-cp313-musllinux_1_1_x86_64.whl", hash = "sha256:ed541d70698978a20eb63d8c5d72f2cc6d7079d9d90f6b50bad07826f1320f5f"},
+    {file = "pydantic_core-2.23.4-cp313-none-win32.whl", hash = "sha256:3d5639516376dce1940ea36edf408c554475369f5da2abd45d44621cb616f769"},
+    {file = "pydantic_core-2.23.4-cp313-none-win_amd64.whl", hash = "sha256:5a1504ad17ba4210df3a045132a7baeeba5a200e930f57512ee02909fc5c4cb5"},
+    {file = "pydantic_core-2.23.4-cp38-cp38-macosx_10_12_x86_64.whl", hash = "sha256:d4488a93b071c04dc20f5cecc3631fc78b9789dd72483ba15d423b5b3689b555"},
+    {file = "pydantic_core-2.23.4-cp38-cp38-macosx_11_0_arm64.whl", hash = "sha256:81965a16b675b35e1d09dd14df53f190f9129c0202356ed44ab2728b1c905658"},
+    {file = "pydantic_core-2.23.4-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:4ffa2ebd4c8530079140dd2d7f794a9d9a73cbb8e9d59ffe24c63436efa8f271"},
+    {file = "pydantic_core-2.23.4-cp38-cp38-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:61817945f2fe7d166e75fbfb28004034b48e44878177fc54d81688e7b85a3665"},
+    {file = "pydantic_core-2.23.4-cp38-cp38-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:29d2c342c4bc01b88402d60189f3df065fb0dda3654744d5a165a5288a657368"},
+    {file = "pydantic_core-2.23.4-cp38-cp38-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:5e11661ce0fd30a6790e8bcdf263b9ec5988e95e63cf901972107efc49218b13"},
+    {file = "pydantic_core-2.23.4-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:9d18368b137c6295db49ce7218b1a9ba15c5bc254c96d7c9f9e924a9bc7825ad"},
+    {file = "pydantic_core-2.23.4-cp38-cp38-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:ec4e55f79b1c4ffb2eecd8a0cfba9955a2588497d96851f4c8f99aa4a1d39b12"},
+    {file = "pydantic_core-2.23.4-cp38-cp38-musllinux_1_1_aarch64.whl", hash = "sha256:374a5e5049eda9e0a44c696c7ade3ff355f06b1fe0bb945ea3cac2bc336478a2"},
+    {file = "pydantic_core-2.23.4-cp38-cp38-musllinux_1_1_x86_64.whl", hash = "sha256:5c364564d17da23db1106787675fc7af45f2f7b58b4173bfdd105564e132e6fb"},
+    {file = "pydantic_core-2.23.4-cp38-none-win32.whl", hash = "sha256:d7a80d21d613eec45e3d41eb22f8f94ddc758a6c4720842dc74c0581f54993d6"},
+    {file = "pydantic_core-2.23.4-cp38-none-win_amd64.whl", hash = "sha256:5f5ff8d839f4566a474a969508fe1c5e59c31c80d9e140566f9a37bba7b8d556"},
+    {file = "pydantic_core-2.23.4-cp39-cp39-macosx_10_12_x86_64.whl", hash = "sha256:a4fa4fc04dff799089689f4fd502ce7d59de529fc2f40a2c8836886c03e0175a"},
+    {file = "pydantic_core-2.23.4-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:0a7df63886be5e270da67e0966cf4afbae86069501d35c8c1b3b6c168f42cb36"},
+    {file = "pydantic_core-2.23.4-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:dcedcd19a557e182628afa1d553c3895a9f825b936415d0dbd3cd0bbcfd29b4b"},
+    {file = "pydantic_core-2.23.4-cp39-cp39-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:5f54b118ce5de9ac21c363d9b3caa6c800341e8c47a508787e5868c6b79c9323"},
+    {file = "pydantic_core-2.23.4-cp39-cp39-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:86d2f57d3e1379a9525c5ab067b27dbb8a0642fb5d454e17a9ac434f9ce523e3"},
+    {file = "pydantic_core-2.23.4-cp39-cp39-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:de6d1d1b9e5101508cb37ab0d972357cac5235f5c6533d1071964c47139257df"},
+    {file = "pydantic_core-2.23.4-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:1278e0d324f6908e872730c9102b0112477a7f7cf88b308e4fc36ce1bdb6d58c"},
+    {file = "pydantic_core-2.23.4-cp39-cp39-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:9a6b5099eeec78827553827f4c6b8615978bb4b6a88e5d9b93eddf8bb6790f55"},
+    {file = "pydantic_core-2.23.4-cp39-cp39-musllinux_1_1_aarch64.whl", hash = "sha256:e55541f756f9b3ee346b840103f32779c695a19826a4c442b7954550a0972040"},
+    {file = "pydantic_core-2.23.4-cp39-cp39-musllinux_1_1_x86_64.whl", hash = "sha256:a5c7ba8ffb6d6f8f2ab08743be203654bb1aaa8c9dcb09f82ddd34eadb695605"},
+    {file = "pydantic_core-2.23.4-cp39-none-win32.whl", hash = "sha256:37b0fe330e4a58d3c58b24d91d1eb102aeec675a3db4c292ec3928ecd892a9a6"},
+    {file = "pydantic_core-2.23.4-cp39-none-win_amd64.whl", hash = "sha256:1498bec4c05c9c787bde9125cfdcc63a41004ff167f495063191b863399b1a29"},
+    {file = "pydantic_core-2.23.4-pp310-pypy310_pp73-macosx_10_12_x86_64.whl", hash = "sha256:f455ee30a9d61d3e1a15abd5068827773d6e4dc513e795f380cdd59932c782d5"},
+    {file = "pydantic_core-2.23.4-pp310-pypy310_pp73-macosx_11_0_arm64.whl", hash = "sha256:1e90d2e3bd2c3863d48525d297cd143fe541be8bbf6f579504b9712cb6b643ec"},
+    {file = "pydantic_core-2.23.4-pp310-pypy310_pp73-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:2e203fdf807ac7e12ab59ca2bfcabb38c7cf0b33c41efeb00f8e5da1d86af480"},
+    {file = "pydantic_core-2.23.4-pp310-pypy310_pp73-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:e08277a400de01bc72436a0ccd02bdf596631411f592ad985dcee21445bd0068"},
+    {file = "pydantic_core-2.23.4-pp310-pypy310_pp73-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:f220b0eea5965dec25480b6333c788fb72ce5f9129e8759ef876a1d805d00801"},
+    {file = "pydantic_core-2.23.4-pp310-pypy310_pp73-musllinux_1_1_aarch64.whl", hash = "sha256:d06b0c8da4f16d1d1e352134427cb194a0a6e19ad5db9161bf32b2113409e728"},
+    {file = "pydantic_core-2.23.4-pp310-pypy310_pp73-musllinux_1_1_x86_64.whl", hash = "sha256:ba1a0996f6c2773bd83e63f18914c1de3c9dd26d55f4ac302a7efe93fb8e7433"},
+    {file = "pydantic_core-2.23.4-pp310-pypy310_pp73-win_amd64.whl", hash = "sha256:9a5bce9d23aac8f0cf0836ecfc033896aa8443b501c58d0602dbfd5bd5b37753"},
+    {file = "pydantic_core-2.23.4-pp39-pypy39_pp73-macosx_10_12_x86_64.whl", hash = "sha256:78ddaaa81421a29574a682b3179d4cf9e6d405a09b99d93ddcf7e5239c742e21"},
+    {file = "pydantic_core-2.23.4-pp39-pypy39_pp73-macosx_11_0_arm64.whl", hash = "sha256:883a91b5dd7d26492ff2f04f40fbb652de40fcc0afe07e8129e8ae779c2110eb"},
+    {file = "pydantic_core-2.23.4-pp39-pypy39_pp73-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:88ad334a15b32a791ea935af224b9de1bf99bcd62fabf745d5f3442199d86d59"},
+    {file = "pydantic_core-2.23.4-pp39-pypy39_pp73-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:233710f069d251feb12a56da21e14cca67994eab08362207785cf8c598e74577"},
+    {file = "pydantic_core-2.23.4-pp39-pypy39_pp73-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:19442362866a753485ba5e4be408964644dd6a09123d9416c54cd49171f50744"},
+    {file = "pydantic_core-2.23.4-pp39-pypy39_pp73-musllinux_1_1_aarch64.whl", hash = "sha256:624e278a7d29b6445e4e813af92af37820fafb6dcc55c012c834f9e26f9aaaef"},
+    {file = "pydantic_core-2.23.4-pp39-pypy39_pp73-musllinux_1_1_x86_64.whl", hash = "sha256:f5ef8f42bec47f21d07668a043f077d507e5bf4e668d5c6dfe6aaba89de1a5b8"},
+    {file = "pydantic_core-2.23.4-pp39-pypy39_pp73-win_amd64.whl", hash = "sha256:aea443fffa9fbe3af1a9ba721a87f926fe548d32cab71d188a6ede77d0ff244e"},
+    {file = "pydantic_core-2.23.4.tar.gz", hash = "sha256:2584f7cf844ac4d970fba483a717dbe10c1c1c96a969bf65d61ffe94df1b2863"},
 ]
 
 [package.dependencies]
@@ -4554,13 +4529,13 @@ websocket-client = ">=1.8,<2.0"
 
 [[package]]
 name = "sentry-sdk"
-version = "2.19.0"
+version = "2.18.0"
 description = "Python client for Sentry (https://sentry.io)"
 optional = false
 python-versions = ">=3.6"
 files = [
-    {file = "sentry_sdk-2.19.0-py2.py3-none-any.whl", hash = "sha256:7b0b3b709dee051337244a09a30dbf6e95afe0d34a1f8b430d45e0982a7c125b"},
-    {file = "sentry_sdk-2.19.0.tar.gz", hash = "sha256:ee4a4d2ae8bfe3cac012dcf3e4607975904c137e1738116549fc3dbbb6ff0e36"},
+    {file = "sentry_sdk-2.18.0-py2.py3-none-any.whl", hash = "sha256:ee70e27d1bbe4cd52a38e1bd28a5fadb9b17bc29d91b5f2b97ae29c0a7610442"},
+    {file = "sentry_sdk-2.18.0.tar.gz", hash = "sha256:0dc21febd1ab35c648391c664df96f5f79fb0d92d7d4225cd9832e53a617cafd"},
 ]
 
 [package.dependencies]
@@ -4586,7 +4561,7 @@ grpcio = ["grpcio (>=1.21.1)", "protobuf (>=3.8.0)"]
 http2 = ["httpcore[http2] (==1.*)"]
 httpx = ["httpx (>=0.16.0)"]
 huey = ["huey (>=2)"]
-huggingface-hub = ["huggingface_hub (>=0.22)"]
+huggingface-hub = ["huggingface-hub (>=0.22)"]
 langchain = ["langchain (>=0.0.210)"]
 launchdarkly = ["launchdarkly-server-sdk (>=9.8.0)"]
 litestar = ["litestar (>=2.0.0)"]
@@ -4595,7 +4570,7 @@ openai = ["openai (>=1.0.0)", "tiktoken (>=0.3.0)"]
 openfeature = ["openfeature-sdk (>=0.7.1)"]
 opentelemetry = ["opentelemetry-distro (>=0.35b0)"]
 opentelemetry-experimental = ["opentelemetry-distro"]
-pure-eval = ["asttokens", "executing", "pure_eval"]
+pure-eval = ["asttokens", "executing", "pure-eval"]
 pymongo = ["pymongo (>=3.1)"]
 pyspark = ["pyspark (>=2.4.4)"]
 quart = ["blinker (>=1.1)", "quart (>=0.16.1)"]
@@ -5066,20 +5041,20 @@ zstd = ["zstandard (>=0.18.0)"]
 
 [[package]]
 name = "uvicorn"
-version = "0.32.1"
+version = "0.32.0"
 description = "The lightning-fast ASGI server."
 optional = false
 python-versions = ">=3.8"
 files = [
-    {file = "uvicorn-0.32.1-py3-none-any.whl", hash = "sha256:82ad92fd58da0d12af7482ecdb5f2470a04c9c9a53ced65b9bbb4a205377602e"},
-    {file = "uvicorn-0.32.1.tar.gz", hash = "sha256:ee9519c246a72b1c084cea8d3b44ed6026e78a4a309cbedae9c37e4cb9fbb175"},
+    {file = "uvicorn-0.32.0-py3-none-any.whl", hash = "sha256:60b8f3a5ac027dcd31448f411ced12b5ef452c646f76f02f8cc3f25d8d26fd82"},
+    {file = "uvicorn-0.32.0.tar.gz", hash = "sha256:f78b36b143c16f54ccdb8190d0a26b5f1901fe5a3c777e1ab29f26391af8551e"},
 ]
 
 [package.dependencies]
 click = ">=7.0"
 colorama = {version = ">=0.4", optional = true, markers = "sys_platform == \"win32\" and extra == \"standard\""}
 h11 = ">=0.8"
-httptools = {version = ">=0.6.3", optional = true, markers = "extra == \"standard\""}
+httptools = {version = ">=0.5.0", optional = true, markers = "extra == \"standard\""}
 python-dotenv = {version = ">=0.13", optional = true, markers = "extra == \"standard\""}
 pyyaml = {version = ">=5.1", optional = true, markers = "extra == \"standard\""}
 uvloop = {version = ">=0.14.0,<0.15.0 || >0.15.0,<0.15.1 || >0.15.1", optional = true, markers = "(sys_platform != \"win32\" and sys_platform != \"cygwin\") and platform_python_implementation != \"PyPy\" and extra == \"standard\""}
@@ -5087,7 +5062,7 @@ watchfiles = {version = ">=0.13", optional = true, markers = "extra == \"standar
 websockets = {version = ">=10.4", optional = true, markers = "extra == \"standard\""}
 
 [package.extras]
-standard = ["colorama (>=0.4)", "httptools (>=0.6.3)", "python-dotenv (>=0.13)", "pyyaml (>=5.1)", "uvloop (>=0.14.0,!=0.15.0,!=0.15.1)", "watchfiles (>=0.13)", "websockets (>=10.4)"]
+standard = ["colorama (>=0.4)", "httptools (>=0.5.0)", "python-dotenv (>=0.13)", "pyyaml (>=5.1)", "uvloop (>=0.14.0,!=0.15.0,!=0.15.1)", "watchfiles (>=0.13)", "websockets (>=10.4)"]
 
 [[package]]
 name = "uvloop"
@@ -5286,20 +5261,20 @@ files = [
 
 [[package]]
 name = "webauthn"
-version = "2.3.0"
+version = "2.2.0"
 description = "Pythonic WebAuthn"
 optional = false
 python-versions = "*"
 files = [
-    {file = "webauthn-2.3.0-py3-none-any.whl", hash = "sha256:872668fd8f32e256e76e4251e04eb0737e77e0760b1db3912af11346cbacef9e"},
-    {file = "webauthn-2.3.0.tar.gz", hash = "sha256:79fca835027d3b39290bfd175d09ca7a2bd6e12163790feb6d9c0b746e4c2ede"},
+    {file = "webauthn-2.2.0-py3-none-any.whl", hash = "sha256:e8e2daace85dde8f6fb436c1bca9aa72d5931dac8829ecc1562cc4e7cc169f6c"},
+    {file = "webauthn-2.2.0.tar.gz", hash = "sha256:70e4f318d293125e3a8609838be0561119f4f8846bc430d524f8da4052ee18cc"},
 ]
 
 [package.dependencies]
-asn1crypto = ">=1.5.1"
-cbor2 = ">=5.6.5"
-cryptography = ">=43.0.3"
-pyOpenSSL = ">=24.2.1"
+asn1crypto = ">=1.4.0"
+cbor2 = ">=5.4.6"
+cryptography = ">=41.0.7"
+pyOpenSSL = ">=23.3.0"
 
 [[package]]
 name = "websocket-client"

pyproject.toml

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "authentik"
-version = "2024.10.4"
+version = "2024.10.2"
 description = ""
 authors = ["authentik Team <hello@goauthentik.io>"]
 

schema.yml

@@ -1,7 +1,7 @@
 openapi: 3.0.3
 info:
   title: authentik
-  version: 2024.10.4
+  version: 2024.10.2
   description: Making authentication simple.
   contact:
     email: hello@goauthentik.io
@@ -20224,6 +20224,10 @@ paths:
             format: uuid
         explode: true
         style: form
+      - in: query
+        name: redirect_uris
+        schema:
+          type: string
       - in: query
         name: refresh_token_validity
         schema:
@@ -20639,6 +20643,10 @@ paths:
             format: uuid
         explode: true
         style: form
+      - in: query
+        name: redirect_uris__iexact
+        schema:
+          type: string
       - name: search
         required: false
         in: query
@@ -44066,11 +44074,6 @@ components:
       required:
       - challenge
       - name
-    MatchingModeEnum:
-      enum:
-      - strict
-      - regex
-      type: string
     Metadata:
       type: object
       description: Serializer for blueprint metadata
@@ -44773,9 +44776,8 @@ components:
           description: Key used to encrypt the tokens. When set, tokens will be encrypted
             and returned as JWEs.
         redirect_uris:
-          type: array
-          items:
-            $ref: '#/components/schemas/RedirectURI'
+          type: string
+          description: Enter each URI on a new line.
         sub_mode:
           allOf:
           - $ref: '#/components/schemas/SubModeEnum'
@@ -44804,7 +44806,6 @@ components:
       - meta_model_name
       - name
       - pk
-      - redirect_uris
       - verbose_name
       - verbose_name_plural
     OAuth2ProviderRequest:
@@ -44876,9 +44877,8 @@ components:
           description: Key used to encrypt the tokens. When set, tokens will be encrypted
             and returned as JWEs.
         redirect_uris:
-          type: array
-          items:
-            $ref: '#/components/schemas/RedirectURIRequest'
+          type: string
+          description: Enter each URI on a new line.
         sub_mode:
           allOf:
           - $ref: '#/components/schemas/SubModeEnum'
@@ -44900,7 +44900,6 @@ components:
       - authorization_flow
       - invalidation_flow
       - name
-      - redirect_uris
     OAuth2ProviderSetupURLs:
       type: object
       description: OAuth2 Provider Metadata serializer
@@ -48899,9 +48898,8 @@ components:
           description: Key used to encrypt the tokens. When set, tokens will be encrypted
             and returned as JWEs.
         redirect_uris:
-          type: array
-          items:
-            $ref: '#/components/schemas/RedirectURIRequest'
+          type: string
+          description: Enter each URI on a new line.
         sub_mode:
           allOf:
           - $ref: '#/components/schemas/SubModeEnum'
@@ -51498,9 +51496,7 @@ components:
           description: When enabled, this provider will intercept the authorization
             header and authenticate requests based on its value.
         redirect_uris:
-          type: array
-          items:
-            $ref: '#/components/schemas/RedirectURI'
+          type: string
           readOnly: true
         cookie_domain:
           type: string
@@ -52096,29 +52092,6 @@ components:
           type: string
       required:
       - to
-    RedirectURI:
-      type: object
-      description: A single allowed redirect URI entry
-      properties:
-        matching_mode:
-          $ref: '#/components/schemas/MatchingModeEnum'
-        url:
-          type: string
-      required:
-      - matching_mode
-      - url
-    RedirectURIRequest:
-      type: object
-      description: A single allowed redirect URI entry
-      properties:
-        matching_mode:
-          $ref: '#/components/schemas/MatchingModeEnum'
-        url:
-          type: string
-          minLength: 1
-      required:
-      - matching_mode
-      - url
     Reputation:
       type: object
       description: Reputation Serializer

tests/e2e/test_provider_oauth2_github.py

@@ -12,12 +12,7 @@ from authentik.flows.models import Flow
 from authentik.lib.generators import generate_id, generate_key
 from authentik.policies.expression.models import ExpressionPolicy
 from authentik.policies.models import PolicyBinding
-from authentik.providers.oauth2.models import (
-    ClientTypes,
-    OAuth2Provider,
-    RedirectURI,
-    RedirectURIMatchingMode,
-)
+from authentik.providers.oauth2.models import ClientTypes, OAuth2Provider
 from tests.e2e.utils import SeleniumTestCase, retry
 
 
@@ -78,9 +73,7 @@ class TestProviderOAuth2Github(SeleniumTestCase):
             client_id=self.client_id,
             client_secret=self.client_secret,
             client_type=ClientTypes.CONFIDENTIAL,
-            redirect_uris=[
-                RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost:3000/login/github")
-            ],
+            redirect_uris="http://localhost:3000/login/github",
             authorization_flow=authorization_flow,
         )
         Application.objects.create(
@@ -135,9 +128,7 @@ class TestProviderOAuth2Github(SeleniumTestCase):
             client_id=self.client_id,
             client_secret=self.client_secret,
             client_type=ClientTypes.CONFIDENTIAL,
-            redirect_uris=[
-                RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost:3000/login/github")
-            ],
+            redirect_uris="http://localhost:3000/login/github",
             authorization_flow=authorization_flow,
         )
         app = Application.objects.create(
@@ -208,9 +199,7 @@ class TestProviderOAuth2Github(SeleniumTestCase):
             client_id=self.client_id,
             client_secret=self.client_secret,
             client_type=ClientTypes.CONFIDENTIAL,
-            redirect_uris=[
-                RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost:3000/login/github")
-            ],
+            redirect_uris="http://localhost:3000/login/github",
             authorization_flow=authorization_flow,
         )
         app = Application.objects.create(

tests/e2e/test_provider_oauth2_grafana.py

@@ -19,13 +19,7 @@ from authentik.providers.oauth2.constants import (
     SCOPE_OPENID_EMAIL,
     SCOPE_OPENID_PROFILE,
 )
-from authentik.providers.oauth2.models import (
-    ClientTypes,
-    OAuth2Provider,
-    RedirectURI,
-    RedirectURIMatchingMode,
-    ScopeMapping,
-)
+from authentik.providers.oauth2.models import ClientTypes, OAuth2Provider, ScopeMapping
 from tests.e2e.utils import SeleniumTestCase, retry
 
 
@@ -88,7 +82,7 @@ class TestProviderOAuth2OAuth(SeleniumTestCase):
             client_id=self.client_id,
             client_secret=self.client_secret,
             signing_key=create_test_cert(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost:3000/")],
+            redirect_uris="http://localhost:3000/",
             authorization_flow=authorization_flow,
         )
         provider.property_mappings.set(
@@ -137,11 +131,7 @@ class TestProviderOAuth2OAuth(SeleniumTestCase):
             client_id=self.client_id,
             client_secret=self.client_secret,
             signing_key=create_test_cert(),
-            redirect_uris=[
-                RedirectURI(
-                    RedirectURIMatchingMode.STRICT, "http://localhost:3000/login/generic_oauth"
-                )
-            ],
+            redirect_uris="http://localhost:3000/login/generic_oauth",
             authorization_flow=authorization_flow,
         )
         provider.property_mappings.set(
@@ -210,11 +200,7 @@ class TestProviderOAuth2OAuth(SeleniumTestCase):
             client_id=self.client_id,
             client_secret=self.client_secret,
             signing_key=create_test_cert(),
-            redirect_uris=[
-                RedirectURI(
-                    RedirectURIMatchingMode.STRICT, "http://localhost:3000/login/generic_oauth"
-                )
-            ],
+            redirect_uris="http://localhost:3000/login/generic_oauth",
             authorization_flow=authorization_flow,
             invalidation_flow=invalidation_flow,
         )
@@ -289,11 +275,7 @@ class TestProviderOAuth2OAuth(SeleniumTestCase):
             client_id=self.client_id,
             client_secret=self.client_secret,
             signing_key=create_test_cert(),
-            redirect_uris=[
-                RedirectURI(
-                    RedirectURIMatchingMode.STRICT, "http://localhost:3000/login/generic_oauth"
-                )
-            ],
+            redirect_uris="http://localhost:3000/login/generic_oauth",
         )
         provider.property_mappings.set(
             ScopeMapping.objects.filter(
@@ -373,11 +355,7 @@ class TestProviderOAuth2OAuth(SeleniumTestCase):
             client_id=self.client_id,
             client_secret=self.client_secret,
             signing_key=create_test_cert(),
-            redirect_uris=[
-                RedirectURI(
-                    RedirectURIMatchingMode.STRICT, "http://localhost:3000/login/generic_oauth"
-                )
-            ],
+            redirect_uris="http://localhost:3000/login/generic_oauth",
         )
         provider.property_mappings.set(
             ScopeMapping.objects.filter(

tests/e2e/test_provider_oidc.py

@@ -19,13 +19,7 @@ from authentik.providers.oauth2.constants import (
     SCOPE_OPENID_EMAIL,
     SCOPE_OPENID_PROFILE,
 )
-from authentik.providers.oauth2.models import (
-    ClientTypes,
-    OAuth2Provider,
-    RedirectURI,
-    RedirectURIMatchingMode,
-    ScopeMapping,
-)
+from authentik.providers.oauth2.models import ClientTypes, OAuth2Provider, ScopeMapping
 from tests.e2e.utils import SeleniumTestCase, retry
 
 
@@ -73,7 +67,7 @@ class TestProviderOAuth2OIDC(SeleniumTestCase):
             client_id=self.client_id,
             client_secret=self.client_secret,
             signing_key=create_test_cert(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost:9009/")],
+            redirect_uris="http://localhost:9009/",
             authorization_flow=authorization_flow,
         )
         provider.property_mappings.set(
@@ -122,9 +116,7 @@ class TestProviderOAuth2OIDC(SeleniumTestCase):
             client_id=self.client_id,
             client_secret=self.client_secret,
             signing_key=create_test_cert(),
-            redirect_uris=[
-                RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost:9009/auth/callback")
-            ],
+            redirect_uris="http://localhost:9009/auth/callback",
             authorization_flow=authorization_flow,
         )
         provider.property_mappings.set(
@@ -196,9 +188,7 @@ class TestProviderOAuth2OIDC(SeleniumTestCase):
             client_id=self.client_id,
             client_secret=self.client_secret,
             signing_key=create_test_cert(),
-            redirect_uris=[
-                RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost:9009/auth/callback")
-            ],
+            redirect_uris="http://localhost:9009/auth/callback",
         )
         provider.property_mappings.set(
             ScopeMapping.objects.filter(
@@ -269,9 +259,7 @@ class TestProviderOAuth2OIDC(SeleniumTestCase):
             client_id=self.client_id,
             client_secret=self.client_secret,
             signing_key=create_test_cert(),
-            redirect_uris=[
-                RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost:9009/auth/callback")
-            ],
+            redirect_uris="http://localhost:9009/auth/callback",
         )
         provider.property_mappings.set(
             ScopeMapping.objects.filter(

tests/e2e/test_provider_oidc_implicit.py

@@ -19,13 +19,7 @@ from authentik.providers.oauth2.constants import (
     SCOPE_OPENID_EMAIL,
     SCOPE_OPENID_PROFILE,
 )
-from authentik.providers.oauth2.models import (
-    ClientTypes,
-    OAuth2Provider,
-    RedirectURI,
-    RedirectURIMatchingMode,
-    ScopeMapping,
-)
+from authentik.providers.oauth2.models import ClientTypes, OAuth2Provider, ScopeMapping
 from tests.e2e.utils import SeleniumTestCase, retry
 
 
@@ -74,7 +68,7 @@ class TestProviderOAuth2OIDCImplicit(SeleniumTestCase):
             client_id=self.client_id,
             client_secret=self.client_secret,
             signing_key=create_test_cert(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost:9009/")],
+            redirect_uris="http://localhost:9009/",
             authorization_flow=authorization_flow,
         )
         provider.property_mappings.set(
@@ -123,9 +117,7 @@ class TestProviderOAuth2OIDCImplicit(SeleniumTestCase):
             client_id=self.client_id,
             client_secret=self.client_secret,
             signing_key=create_test_cert(),
-            redirect_uris=[
-                RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost:9009/implicit/")
-            ],
+            redirect_uris="http://localhost:9009/implicit/",
             authorization_flow=authorization_flow,
         )
         provider.property_mappings.set(
@@ -178,9 +170,7 @@ class TestProviderOAuth2OIDCImplicit(SeleniumTestCase):
             client_id=self.client_id,
             client_secret=self.client_secret,
             signing_key=create_test_cert(),
-            redirect_uris=[
-                RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost:9009/implicit/")
-            ],
+            redirect_uris="http://localhost:9009/implicit/",
         )
         provider.property_mappings.set(
             ScopeMapping.objects.filter(
@@ -248,9 +238,7 @@ class TestProviderOAuth2OIDCImplicit(SeleniumTestCase):
             client_id=self.client_id,
             client_secret=self.client_secret,
             signing_key=create_test_cert(),
-            redirect_uris=[
-                RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost:9009/implicit/")
-            ],
+            redirect_uris="http://localhost:9009/implicit/",
         )
         provider.property_mappings.set(
             ScopeMapping.objects.filter(

web/package-lock.json

@@ -23,7 +23,7 @@
                 "@floating-ui/dom": "^1.6.11",
                 "@formatjs/intl-listformat": "^7.5.7",
                 "@fortawesome/fontawesome-free": "^6.6.0",
-                "@goauthentik/api": "^2024.10.4-1732236707",
+                "@goauthentik/api": "^2024.10.2-1731887740",
                 "@lit-labs/ssr": "^3.2.2",
                 "@lit/context": "^1.1.2",
                 "@lit/localize": "^0.12.2",
@@ -84,7 +84,7 @@
                 "@wdio/cli": "^9.1.2",
                 "@wdio/spec-reporter": "^9.1.2",
                 "chokidar": "^4.0.1",
-                "chromedriver": "^130.0.4",
+                "chromedriver": "^129.0.2",
                 "esbuild": "^0.24.0",
                 "eslint": "^9.11.1",
                 "eslint-plugin-lit": "^1.15.0",
@@ -1775,9 +1775,9 @@
             }
         },
         "node_modules/@goauthentik/api": {
-            "version": "2024.10.4-1732236707",
-            "resolved": "https://registry.npmjs.org/@goauthentik/api/-/api-2024.10.4-1732236707.tgz",
-            "integrity": "sha512-pzqUpv1Xaf7OpPLB6ZkzGPfA6PAN8xGCkrPWfMZMi04XyHzZj4pVgdeb0d/G0XXEZm1z4OzqEJWEm3w8wdhfVw=="
+            "version": "2024.10.2-1731887740",
+            "resolved": "https://registry.npmjs.org/@goauthentik/api/-/api-2024.10.2-1731887740.tgz",
+            "integrity": "sha512-AYFgmLXPvwLsxMdCX0e51FD2Fj8T++L8beU3dyDvlWUp4jH5+2XMG/AtQI3v2mNCyKx1EDlublIVYzpmQnrtag=="
         },
         "node_modules/@goauthentik/web": {
             "resolved": "",
@@ -8699,9 +8699,9 @@
             }
         },
         "node_modules/chromedriver": {
-            "version": "130.0.4",
-            "resolved": "https://registry.npmjs.org/chromedriver/-/chromedriver-130.0.4.tgz",
-            "integrity": "sha512-lpR+PWXszij1k4Ig3t338Zvll9HtCTiwoLM7n4pCCswALHxzmgwaaIFBh3rt9+5wRk9D07oFblrazrBxwaYYAQ==",
+            "version": "129.0.2",
+            "resolved": "https://registry.npmjs.org/chromedriver/-/chromedriver-129.0.2.tgz",
+            "integrity": "sha512-rUEFCJAmAwOdFfaDFtveT97fFeA7NOxlkgyPyN+G09Ws4qGW39aLDxMQBbS9cxQQHhTihqZZobgF5CLVYXnmGA==",
             "dev": true,
             "hasInstallScript": true,
             "dependencies": {

web/package.json

@@ -11,7 +11,7 @@
         "@floating-ui/dom": "^1.6.11",
         "@formatjs/intl-listformat": "^7.5.7",
         "@fortawesome/fontawesome-free": "^6.6.0",
-        "@goauthentik/api": "^2024.10.4-1732236707",
+        "@goauthentik/api": "^2024.10.2-1731887740",
         "@lit-labs/ssr": "^3.2.2",
         "@lit/context": "^1.1.2",
         "@lit/localize": "^0.12.2",
@@ -72,7 +72,7 @@
         "@wdio/cli": "^9.1.2",
         "@wdio/spec-reporter": "^9.1.2",
         "chokidar": "^4.0.1",
-        "chromedriver": "^130.0.4",
+        "chromedriver": "^129.0.2",
         "esbuild": "^0.24.0",
         "eslint": "^9.11.1",
         "eslint-plugin-lit": "^1.15.0",

web/src/admin/applications/wizard/commit/ak-application-wizard-commit-application.ts

@@ -25,7 +25,6 @@ import {
     type TransactionApplicationRequest,
     type TransactionApplicationResponse,
     ValidationError,
-    instanceOfValidationError,
 } from "@goauthentik/api";
 
 import BasePanel from "../BasePanel";
@@ -70,9 +69,6 @@ const successState: State = {
     icon: ["fa-check-circle", "pf-m-success"],
 };
 
-// eslint-disable-next-line @typescript-eslint/no-explicit-any
-const isValidationError = (v: any): v is ValidationError => instanceOfValidationError(v);
-
 @customElement("ak-application-wizard-commit-application")
 export class ApplicationWizardCommitApplication extends BasePanel {
     static get styles() {
@@ -138,25 +134,10 @@ export class ApplicationWizardCommitApplication extends BasePanel {
             // eslint-disable-next-line @typescript-eslint/no-explicit-any
             .catch(async (resolution: any) => {
                 const errors = await parseAPIError(resolution);
-
-                // THIS is a really gross special case; if the user is duplicating the name of an
-                // existing provider, the error appears on the `app` (!) error object. We have to
-                // move that to the `provider.name` error field so it shows up in the right place.
-                if (isValidationError(errors) && Array.isArray(errors?.app?.provider)) {
-                    const providerError = errors.app.provider;
-                    errors.provider = errors.provider ?? {};
-                    errors.provider.name = providerError;
-                    delete errors.app.provider;
-                    if (Object.keys(errors.app).length === 0) {
-                        delete errors.app;
-                    }
-                }
-
-                this.errors = errors;
                 this.dispatchWizardUpdate({
                     update: {
                         ...this.wizard,
-                        errors: this.errors,
+                        errors,
                     },
                     status: "failed",
                 });

web/src/admin/applications/wizard/methods/oauth/ak-application-wizard-authentication-by-oauth.ts

@@ -11,10 +11,6 @@ import {
     redirectUriHelp,
     subjectModeOptions,
 } from "@goauthentik/admin/providers/oauth2/OAuth2ProviderForm";
-import {
-    IRedirectURIInput,
-    akOAuthRedirectURIInput,
-} from "@goauthentik/admin/providers/oauth2/OAuth2ProviderRedirectURI";
 import {
     makeSourceSelector,
     oauth2SourcesProvider,
@@ -35,13 +31,7 @@ import { customElement, state } from "@lit/reactive-element/decorators.js";
 import { html, nothing } from "lit";
 import { ifDefined } from "lit/directives/if-defined.js";
 
-import {
-    ClientTypeEnum,
-    FlowsInstancesListDesignationEnum,
-    MatchingModeEnum,
-    RedirectURI,
-    SourcesApi,
-} from "@goauthentik/api";
+import { ClientTypeEnum, FlowsInstancesListDesignationEnum, SourcesApi } from "@goauthentik/api";
 import { type OAuth2Provider, type PaginatedOAuthSourceList } from "@goauthentik/api";
 
 import BaseProviderPanel from "../BaseProviderPanel";
@@ -130,27 +120,14 @@ export class ApplicationWizardAuthenticationByOauth extends BaseProviderPanel {
                         >
                         </ak-text-input>
 
-                        <ak-form-element-horizontal
-                            label=${msg("Redirect URIs/Origins")}
-                            required
+                        <ak-textarea-input
                             name="redirectUris"
+                            label=${msg("Redirect URIs/Origins (RegEx)")}
+                            .value=${provider?.redirectUris}
+                            .errorMessages=${errors?.redirectUriHelp ?? []}
+                            .bighelp=${redirectUriHelp}
                         >
-                            <ak-array-input
-                                .items=${[]}
-                                .newItem=${() => ({
-                                    matchingMode: MatchingModeEnum.Strict,
-                                    url: "",
-                                })}
-                                .row=${(f?: RedirectURI) =>
-                                    akOAuthRedirectURIInput({
-                                        ".redirectURI": f,
-                                        "style": "width: 100%",
-                                        "name": "oauth2-redirect-uri",
-                                    } as unknown as IRedirectURIInput)}
-                            >
-                            </ak-array-input>
-                            ${redirectUriHelp}
-                        </ak-form-element-horizontal>
+                        </ak-textarea-input>
 
                         <ak-form-element-horizontal
                             label=${msg("Signing Key")}

web/src/admin/providers/oauth2/OAuth2ProviderForm.ts

@@ -1,16 +1,11 @@
 import "@goauthentik/admin/common/ak-crypto-certificate-search";
 import "@goauthentik/admin/common/ak-flow-search/ak-flow-search";
 import { BaseProviderForm } from "@goauthentik/admin/providers/BaseProviderForm";
-import {
-    IRedirectURIInput,
-    akOAuthRedirectURIInput,
-} from "@goauthentik/admin/providers/oauth2/OAuth2ProviderRedirectURI";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
 import { ascii_letters, digits, first, randomString } from "@goauthentik/common/utils";
 import "@goauthentik/components/ak-radio-input";
 import "@goauthentik/components/ak-text-input";
 import "@goauthentik/components/ak-textarea-input";
-import "@goauthentik/elements/ak-array-input.js";
 import "@goauthentik/elements/ak-dual-select/ak-dual-select-dynamic-selected-provider.js";
 import "@goauthentik/elements/ak-dual-select/ak-dual-select-provider.js";
 import "@goauthentik/elements/forms/FormGroup";
@@ -20,7 +15,7 @@ import "@goauthentik/elements/forms/SearchSelect";
 import "@goauthentik/elements/utils/TimeDeltaHelp";
 
 import { msg } from "@lit/localize";
-import { TemplateResult, css, html } from "lit";
+import { TemplateResult, html } from "lit";
 import { customElement, state } from "lit/decorators.js";
 import { ifDefined } from "lit/directives/if-defined.js";
 
@@ -28,10 +23,8 @@ import {
     ClientTypeEnum,
     FlowsInstancesListDesignationEnum,
     IssuerModeEnum,
-    MatchingModeEnum,
     OAuth2Provider,
     ProvidersApi,
-    RedirectURI,
     SubModeEnum,
 } from "@goauthentik/api";
 
@@ -105,13 +98,13 @@ export const issuerModeOptions = [
 
 const redirectUriHelpMessages = [
     msg(
-        "Valid redirect URIs after a successful authorization flow. Also specify any origins here for Implicit flows.",
+        "Valid redirect URLs after a successful authorization flow. Also specify any origins here for Implicit flows.",
     ),
     msg(
         "If no explicit redirect URIs are specified, the first successfully used redirect URI will be saved.",
     ),
     msg(
-        'To allow any redirect URI, set the mode to Regex and the value to ".*". Be aware of the possible security implications this can have.',
+        'To allow any redirect URI, set this value to ".*". Be aware of the possible security implications this can have.',
     ),
 ];
 
@@ -131,23 +124,11 @@ export class OAuth2ProviderFormPage extends BaseProviderForm<OAuth2Provider> {
     @state()
     showClientSecret = true;
 
-    @state()
-    redirectUris: RedirectURI[] = [];
-
-    static get styles() {
-        return super.styles.concat(css`
-            ak-array-input {
-                width: 100%;
-            }
-        `);
-    }
-
     async loadInstance(pk: number): Promise<OAuth2Provider> {
         const provider = await new ProvidersApi(DEFAULT_CONFIG).providersOauth2Retrieve({
             id: pk,
         });
         this.showClientSecret = provider.clientType === ClientTypeEnum.Confidential;
-        this.redirectUris = provider.redirectUris;
         return provider;
     }
 
@@ -222,24 +203,13 @@ export class OAuth2ProviderFormPage extends BaseProviderForm<OAuth2Provider> {
                         ?hidden=${!this.showClientSecret}
                     >
                     </ak-text-input>
-                    <ak-form-element-horizontal
-                        label=${msg("Redirect URIs/Origins")}
-                        required
+                    <ak-textarea-input
                         name="redirectUris"
+                        label=${msg("Redirect URIs/Origins (RegEx)")}
+                        .value=${provider?.redirectUris}
+                        .bighelp=${redirectUriHelp}
                     >
-                        <ak-array-input
-                            .items=${this.instance?.redirectUris ?? []}
-                            .newItem=${() => ({ matchingMode: MatchingModeEnum.Strict, url: "" })}
-                            .row=${(f?: RedirectURI) =>
-                                akOAuthRedirectURIInput({
-                                    ".redirectURI": f,
-                                    "style": "width: 100%",
-                                    "name": "oauth2-redirect-uri",
-                                } as unknown as IRedirectURIInput)}
-                        >
-                        </ak-array-input>
-                        ${redirectUriHelp}
-                    </ak-form-element-horizontal>
+                    </ak-textarea-input>
 
                     <ak-form-element-horizontal label=${msg("Signing Key")} name="signingKey">
                         <!-- NOTE: 'null' cast to 'undefined' on signingKey to satisfy Lit requirements -->

web/src/admin/providers/oauth2/OAuth2ProviderRedirectURI.ts

@@ -1,104 +0,0 @@
-import "@goauthentik/admin/providers/oauth2/OAuth2ProviderRedirectURI";
-import { AkControlElement } from "@goauthentik/elements/AkControlElement.js";
-import { type Spread } from "@goauthentik/elements/types";
-import { spread } from "@open-wc/lit-helpers";
-
-import { msg } from "@lit/localize";
-import { css, html } from "lit";
-import { customElement, property, queryAll } from "lit/decorators.js";
-import { ifDefined } from "lit/directives/if-defined.js";
-
-import PFFormControl from "@patternfly/patternfly/components/FormControl/form-control.css";
-import PFInputGroup from "@patternfly/patternfly/components/InputGroup/input-group.css";
-import PFBase from "@patternfly/patternfly/patternfly-base.css";
-
-import { MatchingModeEnum, RedirectURI } from "@goauthentik/api";
-
-export interface IRedirectURIInput {
-    redirectURI: RedirectURI;
-}
-
-@customElement("ak-provider-oauth2-redirect-uri")
-export class OAuth2ProviderRedirectURI extends AkControlElement<RedirectURI> {
-    static get styles() {
-        return [
-            PFBase,
-            PFInputGroup,
-            PFFormControl,
-            css`
-                .pf-c-input-group select {
-                    width: 10em;
-                }
-            `,
-        ];
-    }
-
-    @property({ type: Object, attribute: false })
-    redirectURI: RedirectURI = {
-        matchingMode: MatchingModeEnum.Strict,
-        url: "",
-    };
-
-    @queryAll(".ak-form-control")
-    controls?: HTMLInputElement[];
-
-    json() {
-        return Object.fromEntries(
-            Array.from(this.controls ?? []).map((control) => [control.name, control.value]),
-        ) as unknown as RedirectURI;
-    }
-
-    get isValid() {
-        return true;
-    }
-
-    render() {
-        const onChange = () => {
-            this.dispatchEvent(new Event("change", { composed: true, bubbles: true }));
-        };
-
-        return html`<div class="pf-c-input-group">
-            <select
-                name="matchingMode"
-                class="pf-c-form-control ak-form-control"
-                @change=${onChange}
-            >
-                <option
-                    value="${MatchingModeEnum.Strict}"
-                    ?selected=${this.redirectURI.matchingMode === MatchingModeEnum.Strict}
-                >
-                    ${msg("Strict")}
-                </option>
-                <option
-                    value="${MatchingModeEnum.Regex}"
-                    ?selected=${this.redirectURI.matchingMode === MatchingModeEnum.Regex}
-                >
-                    ${msg("Regex")}
-                </option>
-            </select>
-            <input
-                type="text"
-                @change=${onChange}
-                value="${ifDefined(this.redirectURI.url ?? undefined)}"
-                class="pf-c-form-control ak-form-control"
-                required
-                id="url"
-                placeholder=${msg("URL")}
-                name="url"
-                tabindex="1"
-            />
-        </div>`;
-    }
-}
-
-export function akOAuthRedirectURIInput(properties: IRedirectURIInput) {
-    return html`<ak-provider-oauth2-redirect-uri
-        ${spread(properties as unknown as Spread)}
-    ></ak-provider-oauth2-redirect-uri>`;
-}
-
-declare global {
-    interface HTMLElementTagNameMap {
-        "ak-provider-oauth2-redirect-uri": OAuth2ProviderRedirectURI;
-    }
-}

web/src/admin/providers/oauth2/OAuth2ProviderViewPage.ts

@@ -234,11 +234,7 @@ export class OAuth2ProviderViewPage extends AKElement {
                                 </dt>
                                 <dd class="pf-c-description-list__description">
                                     <div class="pf-c-description-list__text">
-                                        <ul>
-                                            ${this.provider.redirectUris.map((ru) => {
-                                                return html`<li>${ru.matchingMode}: ${ru.url}</li>`;
-                                            })}
-                                        </ul>
+                                        ${this.provider.redirectUris}
                                     </div>
                                 </dd>
                             </div>

web/src/admin/providers/proxy/ProxyProviderViewPage.ts

@@ -392,13 +392,9 @@ export class ProxyProviderViewPage extends AKElement {
                                 <dd class="pf-c-description-list__description">
                                     <div class="pf-c-description-list__text">
                                         <ul class="pf-c-list">
-                                            <ul>
-                                                ${this.provider.redirectUris.map((ru) => {
-                                                    return html`<li>
-                                                        ${ru.matchingMode}: ${ru.url}
-                                                    </li>`;
-                                                })}
-                                            </ul>
+                                            ${this.provider.redirectUris.split("\n").map((url) => {
+                                                return html`<li><pre>${url}</pre></li>`;
+                                            })}
                                         </ul>
                                     </div>
                                 </dd>

web/src/common/constants.ts

@@ -3,7 +3,7 @@ export const SUCCESS_CLASS = "pf-m-success";
 export const ERROR_CLASS = "pf-m-danger";
 export const PROGRESS_CLASS = "pf-m-in-progress";
 export const CURRENT_CLASS = "pf-m-current";
-export const VERSION = "2024.10.4";
+export const VERSION = "2024.10.2";
 export const TITLE_DEFAULT = "authentik";
 export const ROUTE_SEPARATOR = ";";
 

web/src/elements/forms/HorizontalFormElement.ts

@@ -2,7 +2,7 @@ import { convertToSlug } from "@goauthentik/common/utils";
 import { AKElement } from "@goauthentik/elements/Base";
 import { FormGroup } from "@goauthentik/elements/forms/FormGroup";
 
-import { msg, str } from "@lit/localize";
+import { msg } from "@lit/localize";
 import { CSSResult, css } from "lit";
 import { TemplateResult, html } from "lit";
 import { customElement, property } from "lit/decorators.js";
@@ -33,7 +33,7 @@ import PFBase from "@patternfly/patternfly/patternfly-base.css";
  *    where the field isn't available for the user to view unless they explicitly request to be able
  *    to see the content; otherwise, a dead password field is shown. There are 10 uses of this
  *    feature.
- *
+ * 
  */
 
 const isAkControl = (el: unknown): boolean =>
@@ -86,7 +86,7 @@ export class HorizontalFormElement extends AKElement {
     writeOnlyActivated = false;
 
     @property({ attribute: false })
-    errorMessages: string[] | string[][] = [];
+    errorMessages: string[] = [];
 
     @property({ type: Boolean })
     slugMode = false;
@@ -183,16 +183,6 @@ export class HorizontalFormElement extends AKElement {
                           </p>`
                         : html``}
                     ${this.errorMessages.map((message) => {
-                        if (message instanceof Object) {
-                            return html`${Object.entries(message).map(([field, errMsg]) => {
-                                return html`<p
-                                    class="pf-c-form__helper-text pf-m-error"
-                                    aria-live="polite"
-                                >
-                                    ${msg(str`${field}: ${errMsg}`)}
-                                </p>`;
-                            })}`;
-                        }
                         return html`<p class="pf-c-form__helper-text pf-m-error" aria-live="polite">
                             ${message}
                         </p>`;

web/xliff/de.xlf

@@ -5741,6 +5741,9 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s070fdfb03034ca9b">
   <source>One hint, 'New Application Wizard', is currently hidden</source>
 </trans-unit>
+<trans-unit id="s61bd841e66966325">
+  <source>External applications that use authentik as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
+</trans-unit>
 <trans-unit id="s1cc306d8e28c4464">
   <source>Deny message</source>
 </trans-unit>
@@ -7050,9 +7053,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s92205c10ba1f0f4c">
   <source>This option configures the footer links on the flow executor pages. The URL is limited to web and mail addresses. If the name is left blank, the URL will be shown.</source>
-</trans-unit>
-<trans-unit id="s66f572bec2bde9c4">
-  <source>External applications that use <x id="0" equiv-text="${this.brand.brandingTitle || &quot;authentik&quot;}"/> as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
 </trans-unit>
     </body>
   </file>

web/xliff/en.xlf

@@ -6006,6 +6006,9 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s070fdfb03034ca9b">
   <source>One hint, 'New Application Wizard', is currently hidden</source>
 </trans-unit>
+<trans-unit id="s61bd841e66966325">
+  <source>External applications that use authentik as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
+</trans-unit>
 <trans-unit id="s1cc306d8e28c4464">
   <source>Deny message</source>
 </trans-unit>
@@ -7315,9 +7318,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s92205c10ba1f0f4c">
   <source>This option configures the footer links on the flow executor pages. The URL is limited to web and mail addresses. If the name is left blank, the URL will be shown.</source>
-</trans-unit>
-<trans-unit id="s66f572bec2bde9c4">
-  <source>External applications that use <x id="0" equiv-text="${this.brand.brandingTitle || &quot;authentik&quot;}"/> as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
 </trans-unit>
     </body>
   </file>

web/xliff/es.xlf

@@ -5658,6 +5658,9 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s070fdfb03034ca9b">
   <source>One hint, 'New Application Wizard', is currently hidden</source>
 </trans-unit>
+<trans-unit id="s61bd841e66966325">
+  <source>External applications that use authentik as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
+</trans-unit>
 <trans-unit id="s1cc306d8e28c4464">
   <source>Deny message</source>
 </trans-unit>
@@ -6967,9 +6970,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s92205c10ba1f0f4c">
   <source>This option configures the footer links on the flow executor pages. The URL is limited to web and mail addresses. If the name is left blank, the URL will be shown.</source>
-</trans-unit>
-<trans-unit id="s66f572bec2bde9c4">
-  <source>External applications that use <x id="0" equiv-text="${this.brand.brandingTitle || &quot;authentik&quot;}"/> as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
 </trans-unit>
     </body>
   </file>

web/xliff/fr.xlf

@@ -7542,6 +7542,10 @@ Les liaisons avec les groupes/utilisateurs sont vérifiées par rapport à l'uti
   <source>One hint, 'New Application Wizard', is currently hidden</source>
   <target>Un indice, l'assistant nouvelle application est actuellement caché</target>
 </trans-unit>
+<trans-unit id="s61bd841e66966325">
+  <source>External applications that use authentik as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
+  <target>Applications externes qui utilisent authentik comme fournisseur d'identité, en utilisant des protocoles comme OAuth2 et SAML. Toutes les applications sont affichées ici, même celles auxquelles vous n'avez pas accès.</target>
+</trans-unit>
 <trans-unit id="s1cc306d8e28c4464">
   <source>Deny message</source>
   <target>Message de refus</target>
@@ -9274,9 +9278,6 @@ Les liaisons avec les groupes/utilisateurs sont vérifiées par rapport à l'uti
 </trans-unit>
 <trans-unit id="s92205c10ba1f0f4c">
   <source>This option configures the footer links on the flow executor pages. The URL is limited to web and mail addresses. If the name is left blank, the URL will be shown.</source>
-</trans-unit>
-<trans-unit id="s66f572bec2bde9c4">
-  <source>External applications that use <x id="0" equiv-text="${this.brand.brandingTitle || &quot;authentik&quot;}"/> as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
 </trans-unit>
     </body>
   </file>

web/xliff/it.xlf

@@ -7498,6 +7498,10 @@ Bindings to groups/users are checked against the user of the event.</source>
   <source>One hint, 'New Application Wizard', is currently hidden</source>
   <target>Un suggerimento, "New Application Wizard", è attualmente nascosto</target>
 </trans-unit>
+<trans-unit id="s61bd841e66966325">
+  <source>External applications that use authentik as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
+  <target>Applicazioni esterne che utilizzano Authenk come fornitore di identità tramite protocolli come OAuth2 e SAML. Tutte le applicazioni sono mostrate qui, anche quelle a cui non è possibile accedere.</target>
+</trans-unit>
 <trans-unit id="s1cc306d8e28c4464">
   <source>Deny message</source>
   <target>Negare il messaggio</target>
@@ -9247,9 +9251,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="sc24af6de78468cfa">
   <source>Require administrators to provide a reason for impersonating a user.</source>
-</trans-unit>
-<trans-unit id="s66f572bec2bde9c4">
-  <source>External applications that use <x id="0" equiv-text="${this.brand.brandingTitle || &quot;authentik&quot;}"/> as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
 </trans-unit>
     </body>
   </file>

web/xliff/ko.xlf

@@ -7512,6 +7512,10 @@ Bindings to groups/users are checked against the user of the event.</source>
   <source>One hint, 'New Application Wizard', is currently hidden</source>
   <target>힌트, '새 애플리케이션 마법사'는 현재, 숨겨져 있습니다.</target>
 </trans-unit>
+<trans-unit id="s61bd841e66966325">
+  <source>External applications that use authentik as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
+  <target>OAuth2 및 SAML과 같은 프로토콜을 통해 인증서를 ID 공급자로 사용하는 외부 애플리케이션. 액세스할 수 없는 애플리케이션을 포함한 모든 애플리케이션이 여기에 표시됩니다.</target>
+</trans-unit>
 <trans-unit id="s1cc306d8e28c4464">
   <source>Deny message</source>
   <target>거부 메시지</target>
@@ -8881,9 +8885,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s92205c10ba1f0f4c">
   <source>This option configures the footer links on the flow executor pages. The URL is limited to web and mail addresses. If the name is left blank, the URL will be shown.</source>
-</trans-unit>
-<trans-unit id="s66f572bec2bde9c4">
-  <source>External applications that use <x id="0" equiv-text="${this.brand.brandingTitle || &quot;authentik&quot;}"/> as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
 </trans-unit>
     </body>
   </file>

web/xliff/nl.xlf

@@ -7495,6 +7495,9 @@ Bindingen naar groepen/gebruikers worden gecontroleerd tegen de gebruiker van de
 <trans-unit id="s2b1c81130a65a55b">
   <source>Sync currently running.</source>
 </trans-unit>
+<trans-unit id="s61bd841e66966325">
+  <source>External applications that use authentik as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
+</trans-unit>
 <trans-unit id="sb35c08e3a541188f">
   <source>Also known as Client ID.</source>
 </trans-unit>
@@ -8729,9 +8732,6 @@ Bindingen naar groepen/gebruikers worden gecontroleerd tegen de gebruiker van de
 </trans-unit>
 <trans-unit id="s92205c10ba1f0f4c">
   <source>This option configures the footer links on the flow executor pages. The URL is limited to web and mail addresses. If the name is left blank, the URL will be shown.</source>
-</trans-unit>
-<trans-unit id="s66f572bec2bde9c4">
-  <source>External applications that use <x id="0" equiv-text="${this.brand.brandingTitle || &quot;authentik&quot;}"/> as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
 </trans-unit>
     </body>
   </file>

web/xliff/pl.xlf

@@ -7546,6 +7546,10 @@ Powiązania z grupami/użytkownikami są sprawdzane względem użytkownika zdarz
   <source>One hint, 'New Application Wizard', is currently hidden</source>
   <target>Jedna podpowiedź, „Kreator nowej aplikacji”, jest obecnie ukryty</target>
 </trans-unit>
+<trans-unit id="s61bd841e66966325">
+  <source>External applications that use authentik as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
+  <target>Aplikacje zewnętrzne, które używają authentik jako dostawcy tożsamości za pośrednictwem protokołów takich jak OAuth2 i SAML. Tutaj wyświetlane są wszystkie aplikacje, nawet te, do których nie masz dostępu.</target>
+</trans-unit>
 <trans-unit id="s1cc306d8e28c4464">
   <source>Deny message</source>
   <target>Komunikat odmowy</target>
@@ -9144,9 +9148,6 @@ Powiązania z grupami/użytkownikami są sprawdzane względem użytkownika zdarz
 </trans-unit>
 <trans-unit id="s92205c10ba1f0f4c">
   <source>This option configures the footer links on the flow executor pages. The URL is limited to web and mail addresses. If the name is left blank, the URL will be shown.</source>
-</trans-unit>
-<trans-unit id="s66f572bec2bde9c4">
-  <source>External applications that use <x id="0" equiv-text="${this.brand.brandingTitle || &quot;authentik&quot;}"/> as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
 </trans-unit>
     </body>
   </file>

web/xliff/pseudo-LOCALE.xlf

@@ -7490,6 +7490,10 @@ Bindings to groups/users are checked against the user of the event.</source>
   <source>One hint, 'New Application Wizard', is currently hidden</source>
   <target>Ōńē ĥĩńţ, 'Ńēŵ Àƥƥĺĩćàţĩōń Ŵĩźàŕď', ĩś ćũŕŕēńţĺŷ ĥĩďďēń</target>
 </trans-unit>
+<trans-unit id="s61bd841e66966325">
+  <source>External applications that use authentik as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
+  <target>Ēxţēŕńàĺ àƥƥĺĩćàţĩōńś ţĥàţ ũśē àũţĥēńţĩķ àś àń ĩďēńţĩţŷ ƥŕōvĩďēŕ vĩà ƥŕōţōćōĺś ĺĩķē ŌÀũţĥ2 àńď ŚÀḾĹ. Àĺĺ àƥƥĺĩćàţĩōńś àŕē śĥōŵń ĥēŕē, ēvēń ōńēś ŷōũ ćàńńōţ àććēśś.</target>
+</trans-unit>
 <trans-unit id="s1cc306d8e28c4464">
   <source>Deny message</source>
   <target>Ďēńŷ ḿēśśàĝē</target>
@@ -9184,7 +9188,4 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s92205c10ba1f0f4c">
   <source>This option configures the footer links on the flow executor pages. The URL is limited to web and mail addresses. If the name is left blank, the URL will be shown.</source>
 </trans-unit>
-<trans-unit id="s66f572bec2bde9c4">
-  <source>External applications that use <x id="0" equiv-text="${this.brand.brandingTitle || &quot;authentik&quot;}"/> as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
-</trans-unit>
 </body></file></xliff>

web/xliff/ru.xlf

@@ -7545,6 +7545,10 @@ Bindings to groups/users are checked against the user of the event.</source>
   <source>One hint, 'New Application Wizard', is currently hidden</source>
   <target>Одна подсказка, "Мастер создания нового приложения", в настоящее время скрыта</target>
 </trans-unit>
+<trans-unit id="s61bd841e66966325">
+  <source>External applications that use authentik as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
+  <target>Внешние приложения, использующие authentik в качестве поставщика идентификационных данных по таким протоколам, как OAuth2 и SAML. Здесь показаны все приложения, даже те, к которым вы не можете получить доступ.</target>
+</trans-unit>
 <trans-unit id="s1cc306d8e28c4464">
   <source>Deny message</source>
   <target>Запретить сообщение</target>
@@ -9207,9 +9211,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s92205c10ba1f0f4c">
   <source>This option configures the footer links on the flow executor pages. The URL is limited to web and mail addresses. If the name is left blank, the URL will be shown.</source>
-</trans-unit>
-<trans-unit id="s66f572bec2bde9c4">
-  <source>External applications that use <x id="0" equiv-text="${this.brand.brandingTitle || &quot;authentik&quot;}"/> as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
 </trans-unit>
     </body>
   </file>

web/xliff/tr.xlf

@@ -7495,6 +7495,10 @@ Gruplara/kullanıcılara yapılan bağlamalar, etkinliğin kullanıcısına kar
   <source>One hint, 'New Application Wizard', is currently hidden</source>
   <target>Bir ipucu, 'Yeni Uygulama Sihirbazı' şu anda gizli</target>
 </trans-unit>
+<trans-unit id="s61bd841e66966325">
+  <source>External applications that use authentik as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
+  <target>OAuth2 ve SAML gibi protokoller aracılığıyla kimlik sağlayıcı olarak authentik kullanan harici uygulamalar. Erişemedikleriniz de dahil olmak üzere tüm uygulamalar burada gösterilir.</target>
+</trans-unit>
 <trans-unit id="s1cc306d8e28c4464">
   <source>Deny message</source>
   <target>İletiyi reddet</target>
@@ -9237,9 +9241,6 @@ Gruplara/kullanıcılara yapılan bağlamalar, etkinliğin kullanıcısına kar
 </trans-unit>
 <trans-unit id="s92205c10ba1f0f4c">
   <source>This option configures the footer links on the flow executor pages. The URL is limited to web and mail addresses. If the name is left blank, the URL will be shown.</source>
-</trans-unit>
-<trans-unit id="s66f572bec2bde9c4">
-  <source>External applications that use <x id="0" equiv-text="${this.brand.brandingTitle || &quot;authentik&quot;}"/> as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
 </trans-unit>
     </body>
   </file>

web/xliff/zh-CN.xlf

@@ -1989,6 +1989,9 @@ doesn't pass when either or both of the selected options are equal or above the
 <trans-unit id="s6ba50bb0842ba1e2">
   <source>Applications</source>
 </trans-unit>
+<trans-unit id="s61bd841e66966325">
+  <source>External applications that use authentik as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
+</trans-unit>
 <trans-unit id="s96b2fefc550e4b1c">
   <source>Provider Type</source>
 </trans-unit>
@@ -5899,9 +5902,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s92205c10ba1f0f4c">
   <source>This option configures the footer links on the flow executor pages. The URL is limited to web and mail addresses. If the name is left blank, the URL will be shown.</source>
 </trans-unit>
-<trans-unit id="s66f572bec2bde9c4">
-  <source>External applications that use <x id="0" equiv-text="${this.brand.brandingTitle || &quot;authentik&quot;}"/> as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
-</trans-unit>
 </body>
 </file>
 </xliff>

web/xliff/zh-Hans.xlf

@@ -7544,6 +7544,10 @@ Bindings to groups/users are checked against the user of the event.</source>
   <source>One hint, 'New Application Wizard', is currently hidden</source>
   <target>“新应用程序向导”提示目前已隐藏</target>
 </trans-unit>
+<trans-unit id="s61bd841e66966325">
+  <source>External applications that use authentik as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
+  <target>通过 OAuth2 和 SAML 等协议，使用 authentik 作为身份提供程序的外部应用程序。此处显示了所有应用程序，即使您无法访问的也包括在内。</target>
+</trans-unit>
 <trans-unit id="s1cc306d8e28c4464">
   <source>Deny message</source>
   <target>拒绝消息</target>
@@ -9293,10 +9297,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s92205c10ba1f0f4c">
   <source>This option configures the footer links on the flow executor pages. The URL is limited to web and mail addresses. If the name is left blank, the URL will be shown.</source>
   <target>此选项配置流程执行器页面上的页脚链接。URL 限为 Web 和电子邮件地址。如果名称留空，则显示 URL 自身。</target>
-</trans-unit>
-<trans-unit id="s66f572bec2bde9c4">
-  <source>External applications that use <x id="0" equiv-text="${this.brand.brandingTitle || &quot;authentik&quot;}"/> as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
-  <target>通过 OAuth2 和 SAML 等协议，使用 <x id="0" equiv-text="${this.brand.brandingTitle || &quot;authentik&quot;}"/> 作为身份提供程序的外部应用程序。此处显示了所有应用程序，即使您无法访问的也包括在内。</target>
 </trans-unit>
     </body>
   </file>

web/xliff/zh-Hant.xlf

@@ -5699,6 +5699,9 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s070fdfb03034ca9b">
   <source>One hint, 'New Application Wizard', is currently hidden</source>
 </trans-unit>
+<trans-unit id="s61bd841e66966325">
+  <source>External applications that use authentik as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
+</trans-unit>
 <trans-unit id="s1cc306d8e28c4464">
   <source>Deny message</source>
 </trans-unit>
@@ -7008,9 +7011,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s92205c10ba1f0f4c">
   <source>This option configures the footer links on the flow executor pages. The URL is limited to web and mail addresses. If the name is left blank, the URL will be shown.</source>
-</trans-unit>
-<trans-unit id="s66f572bec2bde9c4">
-  <source>External applications that use <x id="0" equiv-text="${this.brand.brandingTitle || &quot;authentik&quot;}"/> as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
 </trans-unit>
     </body>
   </file>

web/xliff/zh_CN.xlf

@@ -7544,6 +7544,10 @@ Bindings to groups/users are checked against the user of the event.</source>
   <source>One hint, 'New Application Wizard', is currently hidden</source>
   <target>“新应用程序向导”提示目前已隐藏</target>
 </trans-unit>
+<trans-unit id="s61bd841e66966325">
+  <source>External applications that use authentik as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
+  <target>通过 OAuth2 和 SAML 等协议，使用 authentik 作为身份提供程序的外部应用程序。此处显示了所有应用程序，即使您无法访问的也包括在内。</target>
+</trans-unit>
 <trans-unit id="s1cc306d8e28c4464">
   <source>Deny message</source>
   <target>拒绝消息</target>
@@ -9293,10 +9297,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s92205c10ba1f0f4c">
   <source>This option configures the footer links on the flow executor pages. The URL is limited to web and mail addresses. If the name is left blank, the URL will be shown.</source>
   <target>此选项配置流程执行器页面上的页脚链接。URL 限为 Web 和电子邮件地址。如果名称留空，则显示 URL 自身。</target>
-</trans-unit>
-<trans-unit id="s66f572bec2bde9c4">
-  <source>External applications that use <x id="0" equiv-text="${this.brand.brandingTitle || &quot;authentik&quot;}"/> as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
-  <target>通过 OAuth2 和 SAML 等协议，使用 <x id="0" equiv-text="${this.brand.brandingTitle || &quot;authentik&quot;}"/> 作为身份提供程序的外部应用程序。此处显示了所有应用程序，即使您无法访问的也包括在内。</target>
 </trans-unit>
     </body>
   </file>

web/xliff/zh_TW.xlf

@@ -7486,6 +7486,10 @@ Bindings to groups/users are checked against the user of the event.</source>
   <source>One hint, 'New Application Wizard', is currently hidden</source>
   <target>提示：「新增應用程式設定精靈」目前處於隱藏中</target>
 </trans-unit>
+<trans-unit id="s61bd841e66966325">
+  <source>External applications that use authentik as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
+  <target>使用 authentik 作為身份供應商的外部應用程式，透過像 OAuth2 和 SAML 這樣的協議。此處顯示所有應用程式，即使是您無法存取的應用程式也包括在內。</target>
+</trans-unit>
 <trans-unit id="s1cc306d8e28c4464">
   <source>Deny message</source>
   <target>拒絕的訊息</target>
@@ -8842,9 +8846,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s92205c10ba1f0f4c">
   <source>This option configures the footer links on the flow executor pages. The URL is limited to web and mail addresses. If the name is left blank, the URL will be shown.</source>
-</trans-unit>
-<trans-unit id="s66f572bec2bde9c4">
-  <source>External applications that use <x id="0" equiv-text="${this.brand.brandingTitle || &quot;authentik&quot;}"/> as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
 </trans-unit>
     </body>
   </file>

website/docs/developer-docs/releases/index.md

@@ -78,7 +78,7 @@ Short summary of the issue
 
 ### Patches
 
-authentik x, y and z fix this issue, for other versions the workaround below can be used.
+authentik x, y and z fix this issue, for other versions the workaround can be used.
 
 ### Impact
 
@@ -96,7 +96,7 @@ Describe a workaround if possible
 
 If you have any questions or comments about this advisory:
 
--   Email us at [security@goauthentik.io](mailto:security@goauthentik.io).
+-   Email us at [security@goauthentik.io](mailto:security@goauthentik.io)
 ```
 
 </details>

website/docs/releases/2024/v2024.10.md

@@ -157,30 +157,6 @@ helm upgrade authentik authentik/authentik -f values.yaml --version ^2024.10
 -   stages/password: use recovery flow from brand (cherry-pick #11953) (#11969)
 -   web: bump API Client version (#11992)
 
-## Fixed in 2024.10.3
-
--   core: fix source_flow_manager throwing error when authenticated user attempts to re-authenticate with existing link (cherry-pick #12080) (#12081)
--   internal: add CSP header to files in `/media` (cherry-pick #12092) (#12108)
--   providers/ldap: fix global search_full_directory permission not being sufficient (cherry-pick #12028) (#12030)
--   providers/scim: accept string and int for SCIM IDs (cherry-pick #12093) (#12095)
--   rbac: fix incorrect object_description for object-level permissions (cherry-pick #12029) (#12043)
--   root: check remote IP for proxy protocol same as HTTP/etc (cherry-pick #12094) (#12097)
--   root: fix activation of locale not being scoped (cherry-pick #12091) (#12096)
--   security: fix [CVE-2024-52287](../../security/cves/CVE-2024-52287.md), reported by [@matt1097](https://github.com/matt1097) (#12117)
--   security: fix [CVE-2024-52289](../../security/cves/CVE-2024-52289.md), reported by [@PontusHanssen](https://github.com/PontusHanssen) (#12113)
--   security: fix [CVE-2024-52307](../../security/cves/CVE-2024-52307.md), reported by [@mgerstner](https://github.com/mgerstner) (#12115)
--   web/admin: better footer links (#12004)
--   web/flows: fix invisible captcha call (cherry-pick #12048) (#12049)
--   website/docs: add CSP to hardening (cherry-pick #11970) (#12116)
-
-## Fixed in 2024.10.4
-
--   providers/oauth2: fix migration (cherry-pick #12138) (#12139)
--   providers/oauth2: fix migration dependencies (cherry-pick #12123) (#12132)
--   providers/oauth2: fix redirect uri input (cherry-pick #12122) (#12127)
--   providers/proxy: fix redirect_uri (cherry-pick #12121) (#12125)
--   web: bump API Client version (cherry-pick #12129) (#12130)
-
 ## API Changes
 
 ### API Changes in 2024.10.0

website/docs/releases/2024/v2024.8.md

@@ -300,21 +300,6 @@ helm upgrade authentik authentik/authentik -f values.yaml --version ^2024.8
 -   web/admin: fix invalid create date shown for MFA registered before date was saved (cherry-pick #11728) (#11729)
 -   web/admin: fix sync single button throwing error (cherry-pick #11727) (#11730)
 
-## Fixed in 2024.8.5
-
--   security: fix [CVE-2024-52287](../../security/cves/CVE-2024-52287.md), reported by [@matt1097](https://github.com/matt1097) (#12114)
--   security: fix [CVE-2024-52289](../../security/cves/CVE-2024-52289.md), reported by [@PontusHanssen](https://github.com/PontusHanssen) (#12113)
--   security: fix [CVE-2024-52307](../../security/cves/CVE-2024-52307.md), reported by [@mgerstner](https://github.com/mgerstner) (#12115)
--   web/admin: better footer links (#12004)
--   web: bump API Client version (#12118)
-
-## Fixed in 2024.8.6
-
--   providers/oauth2: fix migration (cherry-pick #12138) (#12140)
--   providers/oauth2: fix redirect uri input (cherry-pick #12122) (#12128)
--   providers/proxy: fix redirect_uri (cherry-pick #12121) (#12126)
--   web: bump API Client version (cherry-pick #12129) (#12131)
-
 ## API Changes
 
 #### What's New

website/docs/security/cves/CVE-2024-52287.md

@@ -1,27 +0,0 @@
-# CVE-2024-52287
-
-_Reported by [@matt1097](https://github.com/matt1097)_
-
-## Insufficient validation of OAuth scopes for client_credentials and device_code grants
-
-### Summary
-
-When using the `client_credentials` or `device_code` OAuth grants, it was possible for an attacker to get a token from authentik with scopes that haven't been configured in authentik.
-
-### Details
-
-With the `device_code` grant, it was possible to have a user authorize a set of permitted scopes, and then acquire a token with a different set of scopes, including scopes not configured. This token could potentially be used to send requests to another system which trusts tokens signed by authentik and execute malicious actions on behalf of the user.
-
-With the `client_credentials` grant, because there is no user authorization process, authentik would not validate the scopes requested for the token, allowing tokens to be issued with scopes not configured in authentik. These could similarly be used to execute malicious actions in other systems.
-
-There is no workaround for this issue; however this issue could only be exploited if an attacker possesses a valid set of OAuth2 `client_id` and `client_secret` credentials, and has the knowledge of another system that trusts tokens issued by authentik and what scopes it checks for.
-
-### Patches
-
-authentik 2024.8.5 and 2024.10.3 fix this issue.
-
-### For more information
-
-If you have any questions or comments about this advisory:
-
--   Email us at [security@goauthentik.io](mailto:security@goauthentik.io)

website/docs/security/cves/CVE-2024-52289.md

@@ -1,30 +0,0 @@
-# CVE-2024-52289
-
-_Reported by [@PontusHanssen](https://github.com/PontusHanssen)_
-
-## Insecure default configuration for OAuth2 Redirect URIs
-
-### Summary
-
-Redirect URIs in the OAuth2 provider in authentik are checked by RegEx comparison.
-When no Redirect URIs are configured in a provider, authentik will automatically use the first `redirect_uri` value received as an allowed redirect URI, without escaping characters that have a special meaning in RegEx. Similarly, the documentation did not take this into consideration either.
-
-Given a provider with the Redirect URIs set to `https://foo.example.com`, an attacker can register a domain `fooaexample.com`, and it will correctly pass validation.
-
-### Patches
-
-authentik 2024.8.5 and 2024.10.3 fix this issue.
-
-The patched versions remedy this issue by changing the format that the Redirect URIs are saved in, allowing for the explicit configuration if the URL should be checked strictly or as a RegEx. This means that these patches include a backwards-incompatible database change and API change.
-
-Manual action _is required_ if any provider is intended to use RegEx for Redirect URIs because the migration will set the comparison type to strict for every Redirect URI.
-
-### Workarounds
-
-When configuring OAuth2 providers, make sure to escape any wildcard characters that are not intended to function as a wildcard, for example replace `.` with `\.`.
-
-### For more information
-
-If you have any questions or comments about this advisory:
-
--   Email us at [security@goauthentik.io](mailto:security@goauthentik.io)

website/docs/security/cves/CVE-2024-52307.md

@@ -1,36 +0,0 @@
-# CVE-2024-52307
-
-_Reported by [@mgerstner](https://github.com/mgerstner)_
-
-## Timing attack due to a lack of constant time comparison for metrics view
-
-### Summary
-
-Due to the usage of a non-constant time comparison for the `/-/metrics/` endpoint it was possible to brute-force the `SECRET_KEY`, which is used to authenticate the endpoint. The `/-/metrics/` endpoint returns Prometheus metrics and is not intended to be accessed directly, as the Go proxy running in the authentik server container fetches data from this endpoint and serves it on a separate port (9300 by default), which can be scraped by Prometheus without being exposed publicly.
-
-### Patches
-
-authentik 2024.8.5 and 2024.10.3 fix this issue, for other versions the workaround below can be used.
-
-### Impact
-
-With enough attempts the `SECRET_KEY` of the authentik installation can be brute-forced, which can be used to sign new or modify existing cookies.
-
-### Workarounds
-
-Since the `/-/metrics/` endpoint is not intended to be accessed publicly, requests to the endpoint can be blocked by the reverse proxy/load balancer used in conjunction with authentik.
-
-For example for nginx:
-
-```
-location /-/metrics/ {
-    deny all;
-    return 404;
-}
-```
-
-### For more information
-
-If you have any questions or comments about this advisory:
-
--   Email us at [security@goauthentik.io](mailto:security@goauthentik.io).

website/docs/security/security-hardening.md

@@ -47,32 +47,3 @@ To prevent any user from creating/editing CAPTCHA stages block API requests to t
 -   `/api/v3/managed/blueprints*`
 
 With these restrictions in place, CAPTCHA stages can only be edited using [Blueprints on the file system](../customize/blueprints/index.md#storage---file).
-
-### Content Security Policy (CSP)
-
-:::caution
-Setting up CSP incorrectly might result in the client not loading necessary third-party code.
-:::
-
-:::caution
-In some cases, a CSP header will already be set by authentik (for example, in [user uploaded content](https://github.com/goauthentik/authentik/pull/12092/)). Do not overwrite an already existing header as doing so might result in vulnerabilities. Instead, add a new CSP header.
-:::
-
-Content Security Policy (CSP) is a security standard that mitigates the risk of content injection vulnerabilities. authentik doesn't currently support CSP natively, so setting it up depends on your installation. We recommend using a [reverse proxy](../install-config/reverse-proxy.md) to set a CSP header.
-
-authentik requires at least the following allowed locations:
-
-```
-default-src 'self';
-img-src 'https:' 'http:' 'data:';
-object-src 'none';
-style-src 'self' 'unsafe-inline';    # Required due to Lit/ShadowDOM
-script-src 'self' 'unsafe-inline';   # Required for generated scripts
-```
-
-Your use case might require more allowed locations for various directives, e.g.
-
--   when using a CAPTCHA service
--   when using Sentry
--   when using any custom JavaScript in a prompt stage
--   when using Spotlight Sidecar for development

website/docs/sys-mgmt/settings.md

@@ -35,7 +35,7 @@ Enable the ability for users to change their Email address, defaults to `false`.
 
 ### Allow users to change username
 
-Enable the ability for users to change their usernames, defaults to `false`.
+Enable the ability for users to change their Usernames, defaults to `false`.
 
 ### Event retention
 
@@ -43,11 +43,15 @@ Configure how long [Events](./events/index.md) are retained for within authentik
 
 ### Footer links
 
-This option allows you to add linked text (footer links) on the bottom of flow pages. You can also use this setting to display additional static text to the flow pages, even if no URL is provided.
+This option configures the footer links on the flow executor pages.
 
-The URL is limited to web and email addresses. If the name is left blank, the URL will be shown.
+The setting can be used as follows:
 
-This is a global setting. All flow pages that are rendered by the [Flow Executor](../add-secure-apps/flows-stages/flow/executors/if-flow.md) will display the footer links.
+```json
+[{ "name": "Link Name", "href": "https://goauthentik.io" }]
+```
+
+Starting with authentik 2024.6.1, the `href` attribute is optional, and this option can be used to add additional text to the flow executor pages.
 
 ### GDPR compliance
 

website/integrations/services/hoarder/index.md

@@ -1,56 +0,0 @@
----
-title: Integrate with Hoarder
-sidebar_label: Hoarder
----
-
-# Hoarder
-
-<span class="badge badge--secondary">Support level: Community</span>
-
-## What is Hoarder
-
-> A self-hostable bookmark-everything app (links, notes and images) with AI-based automatic tagging and full-text search.
->
-> -- https://hoarder.app/
-
-## Preparation
-
-The following placeholders are used in this guide:
-
-- `hoarder.company` is the FQDN of the Hoarder install.
-- `authentik.company` is the FQDN of the authentik install.
-
-## authentik configuration
-
-### Provider settings
-
-In authentik, under **Applications** -> **Providers** of the **Admin interface**, create a new **OAuth2/OpenID Provider** with the desired settings.
-
-- Name: `hoarder`
-- Redirect URI: `https://hoarder.company/api/auth/callback/custom`
-
-Everything else is up to you, just make sure to grab the client ID and the client secret!
-
-### Application settings
-
-In authentik, under **Applications** -> **Applications** of the **Admin interface**, create a new Application with the **Create** button that uses `hoarder` provider.
-Optionally apply access restrictions to the application.
-
-## Hoarder configuration
-
-In Hoarder, you will need to add these environment variables:
-
-```sh
-NEXTAUTH_URL=https://hoarder.company
-OAUTH_CLIENT_ID=<Client ID from authentik>
-OAUTH_CLIENT_SECRET=<Client secret from authentik>
-OAUTH_WELLKNOWN_URL=https://authentik.company/application/o/hoarder/.well-known/openid-configuration
-OAUTH_PROVIDER_NAME=authentik
-OAUTH_ALLOW_DANGEROUS_EMAIL_ACCOUNT_LINKING=true
-# Optional: You can add this if you only want to allow login with Authentik
-# DISABLE_PASSWORD_AUTH=true
-# Optional but highly recommended:
-# DISABLE_SIGNUPS=true
-```
-
-Finally, restart the Hoarder server and test your configuration.

website/sidebars.js

@@ -654,41 +654,20 @@ export default {
                     type: "category",
                     label: "CVEs",
                     items: [
-                        {
-                            type: "category",
-                            label: "2024",
-                            items: [
-                                "security/cves/CVE-2024-52307",
-                                "security/cves/CVE-2024-52289",
-                                "security/cves/CVE-2024-52287",
-                                "security/cves/CVE-2024-47077",
-                                "security/cves/CVE-2024-47070",
-                                "security/cves/CVE-2024-38371",
-                                "security/cves/CVE-2024-37905",
-                                "security/cves/CVE-2024-23647",
-                                "security/cves/CVE-2024-21637",
-                            ],
-                        },
-                        {
-                            type: "category",
-                            label: "2023",
-                            items: [
-                                "security/cves/CVE-2023-48228",
-                                "security/cves/GHSA-rjvp-29xq-f62w",
-                                "security/cves/CVE-2023-39522",
-                                "security/cves/CVE-2023-36456",
-                                "security/cves/CVE-2023-26481",
-                            ],
-                        },
-                        {
-                            type: "category",
-                            label: "2022",
-                            items: [
-                                "security/cves/CVE-2022-23555",
-                                "security/cves/CVE-2022-46145",
-                                "security/cves/CVE-2022-46172",
-                            ],
-                        },
+                        "security/cves/CVE-2024-47077",
+                        "security/cves/CVE-2024-47070",
+                        "security/cves/CVE-2024-38371",
+                        "security/cves/CVE-2024-37905",
+                        "security/cves/CVE-2024-23647",
+                        "security/cves/CVE-2024-21637",
+                        "security/cves/CVE-2023-48228",
+                        "security/cves/GHSA-rjvp-29xq-f62w",
+                        "security/cves/CVE-2023-39522",
+                        "security/cves/CVE-2023-36456",
+                        "security/cves/CVE-2023-26481",
+                        "security/cves/CVE-2022-23555",
+                        "security/cves/CVE-2022-46145",
+                        "security/cves/CVE-2022-46172",
                     ],
                 },
             ],