From 20572c728d58f063f0dfd159197fb50bb638ff06 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Mon, 23 Aug 2021 16:05:29 +0200
Subject: [PATCH 01/22] core: add new token intent and auth backend

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
---
 authentik/core/models.py              |  3 +++
 authentik/core/token_auth.py          | 29 +++++++++++++++++++++++++++
 authentik/stages/password/__init__.py |  1 +
 authentik/stages/password/models.py   | 10 ++++++---
 4 files changed, 40 insertions(+), 3 deletions(-)
 create mode 100644 authentik/core/token_auth.py

diff --git a/authentik/core/models.py b/authentik/core/models.py
index bc3fa43ae..214e4217f 100644
--- a/authentik/core/models.py
+++ b/authentik/core/models.py
@@ -408,6 +408,9 @@ class TokenIntents(models.TextChoices):
     # Recovery use for the recovery app
     INTENT_RECOVERY = "recovery"
 
+    # App-specific passwords
+    INTENT_APP_PASSWORD = "app_password"
+
 
 class Token(ManagedModel, ExpiringModel):
     """Token used to authenticate the User for API Access or confirm another Stage like Email."""
diff --git a/authentik/core/token_auth.py b/authentik/core/token_auth.py
new file mode 100644
index 000000000..1c95ce996
--- /dev/null
+++ b/authentik/core/token_auth.py
@@ -0,0 +1,29 @@
+"""Authenticate with tokens"""
+
+from typing import Any, Optional
+
+from django.contrib.auth.backends import ModelBackend
+from django.http.request import HttpRequest
+
+from authentik.core.models import Token, TokenIntents, User
+
+
+class TokenBackend(ModelBackend):
+    """Authenticate with token"""
+
+    def authenticate(
+        self, request: HttpRequest, username: Optional[str], password: Optional[str], **kwargs: Any
+    ) -> Optional[User]:
+        try:
+            user = User._default_manager.get_by_natural_key(username)
+        except User.DoesNotExist:
+            # Run the default password hasher once to reduce the timing
+            # difference between an existing and a nonexistent user (#20760).
+            User().set_password(password)
+            return None
+        tokens = Token.filter_not_expired(
+            user=user, key=password, intent=TokenIntents.INTENT_APP_PASSWORD
+        )
+        if not tokens.exists():
+            return None
+        return user
diff --git a/authentik/stages/password/__init__.py b/authentik/stages/password/__init__.py
index a9c71fe82..9e42ec060 100644
--- a/authentik/stages/password/__init__.py
+++ b/authentik/stages/password/__init__.py
@@ -1,3 +1,4 @@
 """Backend paths"""
 BACKEND_DJANGO = "django.contrib.auth.backends.ModelBackend"
 BACKEND_LDAP = "authentik.sources.ldap.auth.LDAPBackend"
+BACKEND_TOKEN = "authentik.core.token_auth.TokenBackend"
diff --git a/authentik/stages/password/models.py b/authentik/stages/password/models.py
index e0df6b77b..66fd5d043 100644
--- a/authentik/stages/password/models.py
+++ b/authentik/stages/password/models.py
@@ -9,7 +9,7 @@ from rest_framework.serializers import BaseSerializer
 
 from authentik.core.types import UserSettingSerializer
 from authentik.flows.models import ConfigurableStage, Stage
-from authentik.stages.password import BACKEND_DJANGO, BACKEND_LDAP
+from authentik.stages.password import BACKEND_DJANGO, BACKEND_LDAP, BACKEND_TOKEN
 
 
 def get_authentication_backends():
@@ -17,11 +17,15 @@ def get_authentication_backends():
     return [
         (
             BACKEND_DJANGO,
-            _("authentik-internal Userdatabase"),
+            _("User database + standard password"),
+        ),
+        (
+            BACKEND_TOKEN,
+            _("User database + app passwords"),
         ),
         (
             BACKEND_LDAP,
-            _("authentik LDAP"),
+            _("User database + LDAP password"),
         ),
     ]
 

From 9a6a3e66b8dc66c5a892a3f925443ec680a33803 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Mon, 23 Aug 2021 16:14:33 +0200
Subject: [PATCH 02/22] root: update schema

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
---
 authentik/core/models.py              | 2 +-
 authentik/stages/password/__init__.py | 2 +-
 schema.yml                            | 3 +++
 3 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/authentik/core/models.py b/authentik/core/models.py
index 214e4217f..de64221b4 100644
--- a/authentik/core/models.py
+++ b/authentik/core/models.py
@@ -409,7 +409,7 @@ class TokenIntents(models.TextChoices):
     INTENT_RECOVERY = "recovery"
 
     # App-specific passwords
-    INTENT_APP_PASSWORD = "app_password"
+    INTENT_APP_PASSWORD = "app_password"  # nosec
 
 
 class Token(ManagedModel, ExpiringModel):
diff --git a/authentik/stages/password/__init__.py b/authentik/stages/password/__init__.py
index 9e42ec060..2bfdc92e1 100644
--- a/authentik/stages/password/__init__.py
+++ b/authentik/stages/password/__init__.py
@@ -1,4 +1,4 @@
 """Backend paths"""
 BACKEND_DJANGO = "django.contrib.auth.backends.ModelBackend"
 BACKEND_LDAP = "authentik.sources.ldap.auth.LDAPBackend"
-BACKEND_TOKEN = "authentik.core.token_auth.TokenBackend"
+BACKEND_TOKEN = "authentik.core.token_auth.TokenBackend"  # nosec
diff --git a/schema.yml b/schema.yml
index 271547231..38587c822 100644
--- a/schema.yml
+++ b/schema.yml
@@ -2515,6 +2515,7 @@ paths:
           type: string
           enum:
           - api
+          - app_password
           - recovery
           - verification
       - name: ordering
@@ -20382,6 +20383,7 @@ components:
     BackendsEnum:
       enum:
       - django.contrib.auth.backends.ModelBackend
+      - authentik.core.token_auth.TokenBackend
       - authentik.sources.ldap.auth.LDAPBackend
       type: string
     BindingTypeEnum:
@@ -22211,6 +22213,7 @@ components:
       - verification
       - api
       - recovery
+      - app_password
       type: string
     InvalidResponseActionEnum:
       enum:

From f217d34a98e60d309cc3965a8cede5c84e40d72f Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Mon, 23 Aug 2021 16:20:49 +0200
Subject: [PATCH 03/22] web/admin: allow users to create app password tokens

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
---
 authentik/core/api/tokens.py                    |  8 +++++++-
 web/src/pages/user-settings/UserSettingsPage.ts |  2 +-
 .../pages/user-settings/tokens/UserTokenForm.ts |  8 ++++++--
 .../pages/user-settings/tokens/UserTokenList.ts | 17 ++++++++++++++---
 4 files changed, 28 insertions(+), 7 deletions(-)

diff --git a/authentik/core/api/tokens.py b/authentik/core/api/tokens.py
index e8268ebe8..f8e14a2e8 100644
--- a/authentik/core/api/tokens.py
+++ b/authentik/core/api/tokens.py
@@ -2,6 +2,7 @@
 from django.http.response import Http404
 from drf_spectacular.utils import OpenApiResponse, extend_schema
 from rest_framework.decorators import action
+from rest_framework.exceptions import ValidationError
 from rest_framework.fields import CharField
 from rest_framework.request import Request
 from rest_framework.response import Response
@@ -22,6 +23,12 @@ class TokenSerializer(ManagedSerializer, ModelSerializer):
 
     user = UserSerializer(required=False)
 
+    def validate_intent(self, value: str) -> str:
+        """Ensure only API or App password tokens are created."""
+        if value not in [TokenIntents.INTENT_API, TokenIntents.INTENT_APP_PASSWORD]:
+            raise ValidationError(f"Invalid intent {value}")
+        return value
+
     class Meta:
 
         model = Token
@@ -69,7 +76,6 @@ class TokenViewSet(UsedByMixin, ModelViewSet):
     def perform_create(self, serializer: TokenSerializer):
         serializer.save(
             user=self.request.user,
-            intent=TokenIntents.INTENT_API,
             expiring=self.request.user.attributes.get(USER_ATTRIBUTE_TOKEN_EXPIRING, True),
         )
 
diff --git a/web/src/pages/user-settings/UserSettingsPage.ts b/web/src/pages/user-settings/UserSettingsPage.ts
index 88534871b..e7b627857 100644
--- a/web/src/pages/user-settings/UserSettingsPage.ts
+++ b/web/src/pages/user-settings/UserSettingsPage.ts
@@ -148,7 +148,7 @@ export class UserSettingsPage extends LitElement {
                     </section>
                     <section
                         slot="page-tokens"
-                        data-tab-title="${t`Tokens`}"
+                        data-tab-title="${t`Tokens and App passwords`}"
                         class="pf-c-page__main-section pf-m-no-padding-mobile"
                     >
                         <ak-user-token-list></ak-user-token-list>
diff --git a/web/src/pages/user-settings/tokens/UserTokenForm.ts b/web/src/pages/user-settings/tokens/UserTokenForm.ts
index 68a035d7a..3c4ffd4c2 100644
--- a/web/src/pages/user-settings/tokens/UserTokenForm.ts
+++ b/web/src/pages/user-settings/tokens/UserTokenForm.ts
@@ -1,6 +1,6 @@
-import { CoreApi, Token } from "@goauthentik/api";
+import { CoreApi, IntentEnum, Token } from "@goauthentik/api";
 import { t } from "@lingui/macro";
-import { customElement } from "lit-element";
+import { customElement, property } from "lit-element";
 import { html, TemplateResult } from "lit-html";
 import { DEFAULT_CONFIG } from "../../../api/Config";
 import { ifDefined } from "lit-html/directives/if-defined";
@@ -9,6 +9,9 @@ import { ModelForm } from "../../../elements/forms/ModelForm";
 
 @customElement("ak-user-token-form")
 export class UserTokenForm extends ModelForm<Token, string> {
+    @property()
+    intent: IntentEnum = IntentEnum.Api;
+
     loadInstance(pk: string): Promise<Token> {
         return new CoreApi(DEFAULT_CONFIG).coreTokensRetrieve({
             identifier: pk,
@@ -30,6 +33,7 @@ export class UserTokenForm extends ModelForm<Token, string> {
                 tokenRequest: data,
             });
         } else {
+            data.intent = this.intent;
             return new CoreApi(DEFAULT_CONFIG).coreTokensCreate({
                 tokenRequest: data,
             });
diff --git a/web/src/pages/user-settings/tokens/UserTokenList.ts b/web/src/pages/user-settings/tokens/UserTokenList.ts
index 2b542d32b..76d743f42 100644
--- a/web/src/pages/user-settings/tokens/UserTokenList.ts
+++ b/web/src/pages/user-settings/tokens/UserTokenList.ts
@@ -10,7 +10,7 @@ import "../../../elements/buttons/Dropdown";
 import "../../../elements/buttons/TokenCopyButton";
 import { Table, TableColumn } from "../../../elements/table/Table";
 import { PAGE_SIZE } from "../../../constants";
-import { CoreApi, Token } from "@goauthentik/api";
+import { CoreApi, IntentEnum, Token } from "@goauthentik/api";
 import { DEFAULT_CONFIG } from "../../../api/Config";
 import "./UserTokenForm";
 
@@ -48,8 +48,19 @@ export class UserTokenList extends Table<Token> {
             <ak-forms-modal>
                 <span slot="submit"> ${t`Create`} </span>
                 <span slot="header"> ${t`Create Token`} </span>
-                <ak-user-token-form slot="form"> </ak-user-token-form>
-                <button slot="trigger" class="pf-c-button pf-m-primary">${t`Create`}</button>
+                <ak-user-token-form intent=${IntentEnum.Api} slot="form"> </ak-user-token-form>
+                <button slot="trigger" class="pf-c-button pf-m-secondary">
+                    ${t`Create Token`}
+                </button>
+            </ak-forms-modal>
+            <ak-forms-modal>
+                <span slot="submit"> ${t`Create`} </span>
+                <span slot="header"> ${t`Create App password`} </span>
+                <ak-user-token-form intent=${IntentEnum.AppPassword} slot="form">
+                </ak-user-token-form>
+                <button slot="trigger" class="pf-c-button pf-m-secondary">
+                    ${t`Create App password`}
+                </button>
             </ak-forms-modal>
             ${super.renderToolbar()}
         `;

From c4832206fa3d21d696d804021ad465f2a3778ae4 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Mon, 23 Aug 2021 16:33:12 +0200
Subject: [PATCH 04/22] web/admin: display token's intents

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
---
 web/src/locales/en.po                         | 29 ++++++++++++++++++-
 web/src/locales/pseudo-LOCALE.po              | 29 ++++++++++++++++++-
 web/src/pages/tokens/TokenListPage.ts         | 17 ++++++++++-
 .../user-settings/tokens/UserTokenList.ts     | 11 +++++++
 4 files changed, 83 insertions(+), 3 deletions(-)

diff --git a/web/src/locales/en.po b/web/src/locales/en.po
index f2c776929..c09f84d65 100644
--- a/web/src/locales/en.po
+++ b/web/src/locales/en.po
@@ -63,6 +63,10 @@ msgstr "ANY, any policy must match to grant access."
 msgid "ANY, any policy must match to include this stage access."
 msgstr "ANY, any policy must match to include this stage access."
 
+#: src/pages/tokens/TokenListPage.ts
+msgid "API Access"
+msgstr "API Access"
+
 #: src/pages/stages/authenticator_duo/AuthenticatorDuoStageForm.ts
 msgid "API Hostname"
 msgstr "API Hostname"
@@ -231,6 +235,10 @@ msgstr "Always require consent"
 msgid "App"
 msgstr "App"
 
+#: src/pages/tokens/TokenListPage.ts
+msgid "App password"
+msgstr "App password"
+
 #: src/elements/user/UserConsentList.ts
 #: src/pages/admin-overview/TopApplicationsTable.ts
 #: src/pages/providers/ProviderListPage.ts
@@ -952,6 +960,11 @@ msgstr "Copy recovery link"
 msgid "Create"
 msgstr "Create"
 
+#: src/pages/user-settings/tokens/UserTokenList.ts
+#: src/pages/user-settings/tokens/UserTokenList.ts
+msgid "Create App password"
+msgstr "Create App password"
+
 #: src/pages/applications/ApplicationListPage.ts
 #: src/pages/providers/RelatedApplicationButton.ts
 msgid "Create Application"
@@ -1018,6 +1031,7 @@ msgstr "Create Stage binding"
 msgid "Create Tenant"
 msgstr "Create Tenant"
 
+#: src/pages/user-settings/tokens/UserTokenList.ts
 #: src/pages/user-settings/tokens/UserTokenList.ts
 msgid "Create Token"
 msgstr "Create Token"
@@ -2047,6 +2061,11 @@ msgstr "Integration key"
 msgid "Integrations"
 msgstr "Integrations"
 
+#: src/pages/tokens/TokenListPage.ts
+#: src/pages/user-settings/tokens/UserTokenList.ts
+msgid "Intent"
+msgstr "Intent"
+
 #: src/pages/providers/proxy/ProxyProviderViewPage.ts
 msgid "Internal Host"
 msgstr "Internal Host"
@@ -3203,6 +3222,7 @@ msgid "Receive a push notification on your phone to prove your identity."
 msgstr "Receive a push notification on your phone to prove your identity."
 
 #: src/pages/flows/FlowForm.ts
+#: src/pages/tokens/TokenListPage.ts
 #: src/pages/users/UserListPage.ts
 msgid "Recovery"
 msgstr "Recovery"
@@ -4388,10 +4408,13 @@ msgstr "Token(s)"
 #: src/flows/stages/authenticator_static/AuthenticatorStaticStage.ts
 #: src/interfaces/AdminInterface.ts
 #: src/pages/tokens/TokenListPage.ts
-#: src/pages/user-settings/UserSettingsPage.ts
 msgid "Tokens"
 msgstr "Tokens"
 
+#: src/pages/user-settings/UserSettingsPage.ts
+msgid "Tokens and App passwords"
+msgstr "Tokens and App passwords"
+
 #: src/pages/tokens/TokenListPage.ts
 msgid "Tokens are used throughout authentik for Email validation stages, Recovery keys and API access."
 msgstr "Tokens are used throughout authentik for Email validation stages, Recovery keys and API access."
@@ -4859,6 +4882,10 @@ msgstr "Validation Policies"
 msgid "Validity days"
 msgstr "Validity days"
 
+#: src/pages/tokens/TokenListPage.ts
+msgid "Verification"
+msgstr "Verification"
+
 #: src/pages/providers/saml/SAMLProviderForm.ts
 msgid "Verification Certificate"
 msgstr "Verification Certificate"
diff --git a/web/src/locales/pseudo-LOCALE.po b/web/src/locales/pseudo-LOCALE.po
index 5de2beb61..36be57c10 100644
--- a/web/src/locales/pseudo-LOCALE.po
+++ b/web/src/locales/pseudo-LOCALE.po
@@ -63,6 +63,10 @@ msgstr ""
 msgid "ANY, any policy must match to include this stage access."
 msgstr ""
 
+#: src/pages/tokens/TokenListPage.ts
+msgid "API Access"
+msgstr ""
+
 #: src/pages/stages/authenticator_duo/AuthenticatorDuoStageForm.ts
 msgid "API Hostname"
 msgstr ""
@@ -231,6 +235,10 @@ msgstr ""
 msgid "App"
 msgstr ""
 
+#: src/pages/tokens/TokenListPage.ts
+msgid "App password"
+msgstr ""
+
 #: src/elements/user/UserConsentList.ts
 #: src/pages/admin-overview/TopApplicationsTable.ts
 #: src/pages/providers/ProviderListPage.ts
@@ -946,6 +954,11 @@ msgstr ""
 msgid "Create"
 msgstr ""
 
+#: src/pages/user-settings/tokens/UserTokenList.ts
+#: src/pages/user-settings/tokens/UserTokenList.ts
+msgid "Create App password"
+msgstr ""
+
 #: src/pages/applications/ApplicationListPage.ts
 #: src/pages/providers/RelatedApplicationButton.ts
 msgid "Create Application"
@@ -1012,6 +1025,7 @@ msgstr ""
 msgid "Create Tenant"
 msgstr ""
 
+#: src/pages/user-settings/tokens/UserTokenList.ts
 #: src/pages/user-settings/tokens/UserTokenList.ts
 msgid "Create Token"
 msgstr ""
@@ -2039,6 +2053,11 @@ msgstr ""
 msgid "Integrations"
 msgstr ""
 
+#: src/pages/tokens/TokenListPage.ts
+#: src/pages/user-settings/tokens/UserTokenList.ts
+msgid "Intent"
+msgstr ""
+
 #: src/pages/providers/proxy/ProxyProviderViewPage.ts
 msgid "Internal Host"
 msgstr ""
@@ -3195,6 +3214,7 @@ msgid "Receive a push notification on your phone to prove your identity."
 msgstr ""
 
 #: src/pages/flows/FlowForm.ts
+#: src/pages/tokens/TokenListPage.ts
 #: src/pages/users/UserListPage.ts
 msgid "Recovery"
 msgstr ""
@@ -4373,10 +4393,13 @@ msgstr ""
 #: src/flows/stages/authenticator_static/AuthenticatorStaticStage.ts
 #: src/interfaces/AdminInterface.ts
 #: src/pages/tokens/TokenListPage.ts
-#: src/pages/user-settings/UserSettingsPage.ts
 msgid "Tokens"
 msgstr ""
 
+#: src/pages/user-settings/UserSettingsPage.ts
+msgid "Tokens and App passwords"
+msgstr ""
+
 #: src/pages/tokens/TokenListPage.ts
 msgid "Tokens are used throughout authentik for Email validation stages, Recovery keys and API access."
 msgstr ""
@@ -4844,6 +4867,10 @@ msgstr ""
 msgid "Validity days"
 msgstr ""
 
+#: src/pages/tokens/TokenListPage.ts
+msgid "Verification"
+msgstr ""
+
 #: src/pages/providers/saml/SAMLProviderForm.ts
 msgid "Verification Certificate"
 msgstr ""
diff --git a/web/src/pages/tokens/TokenListPage.ts b/web/src/pages/tokens/TokenListPage.ts
index cec399447..604b756e4 100644
--- a/web/src/pages/tokens/TokenListPage.ts
+++ b/web/src/pages/tokens/TokenListPage.ts
@@ -8,9 +8,22 @@ import "../../elements/buttons/TokenCopyButton";
 import "../../elements/forms/DeleteBulkForm";
 import { TableColumn } from "../../elements/table/Table";
 import { PAGE_SIZE } from "../../constants";
-import { CoreApi, Token } from "@goauthentik/api";
+import { CoreApi, IntentEnum, Token } from "@goauthentik/api";
 import { DEFAULT_CONFIG } from "../../api/Config";
 
+export function IntentToLabel(intent: IntentEnum): string {
+    switch (intent) {
+        case IntentEnum.Api:
+            return t`API Access`;
+        case IntentEnum.AppPassword:
+            return t`App password`;
+        case IntentEnum.Recovery:
+            return t`Recovery`;
+        case IntentEnum.Verification:
+            return t`Verification`;
+    }
+}
+
 @customElement("ak-token-list")
 export class TokenListPage extends TablePage<Token> {
     searchEnabled(): boolean {
@@ -46,6 +59,7 @@ export class TokenListPage extends TablePage<Token> {
             new TableColumn(t`User`, "user"),
             new TableColumn(t`Expires?`, "expiring"),
             new TableColumn(t`Expiry date`, "expires"),
+            new TableColumn(t`Intent`, "intent"),
             new TableColumn(t`Actions`),
         ];
     }
@@ -78,6 +92,7 @@ export class TokenListPage extends TablePage<Token> {
             html`${item.user?.username}`,
             html`${item.expiring ? t`Yes` : t`No`}`,
             html`${item.expiring ? item.expires?.toLocaleString() : "-"}`,
+            html`${IntentToLabel(item.intent || IntentEnum.Api)}`,
             html`
                 <ak-token-copy-button identifier="${item.identifier}">
                     ${t`Copy Key`}
diff --git a/web/src/pages/user-settings/tokens/UserTokenList.ts b/web/src/pages/user-settings/tokens/UserTokenList.ts
index 76d743f42..b9e6fc5c1 100644
--- a/web/src/pages/user-settings/tokens/UserTokenList.ts
+++ b/web/src/pages/user-settings/tokens/UserTokenList.ts
@@ -13,6 +13,7 @@ import { PAGE_SIZE } from "../../../constants";
 import { CoreApi, IntentEnum, Token } from "@goauthentik/api";
 import { DEFAULT_CONFIG } from "../../../api/Config";
 import "./UserTokenForm";
+import { IntentToLabel } from "../../tokens/TokenListPage";
 
 @customElement("ak-user-token-list")
 export class UserTokenList extends Table<Token> {
@@ -100,6 +101,16 @@ export class UserTokenList extends Table<Token> {
                                 </div>
                             </dd>
                         </div>
+                        <div class="pf-c-description-list__group">
+                            <dt class="pf-c-description-list__term">
+                                <span class="pf-c-description-list__text">${t`Intent`}</span>
+                            </dt>
+                            <dd class="pf-c-description-list__description">
+                                <div class="pf-c-description-list__text">
+                                    ${IntentToLabel(item.intent || IntentEnum.Api)}
+                                </div>
+                            </dd>
+                        </div>
                     </dl>
                 </div>
             </td>

From 4cf76fdcdaf6728a0d5a144497d53c1652c5d8ba Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Mon, 23 Aug 2021 16:38:46 +0200
Subject: [PATCH 05/22] stages/password: auto-enable app password backend

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
---
 .../migrations/0028_alter_token_intent.py     | 26 ++++++++++
 .../flows/migrations/0008_default_flows.py    |  4 +-
 authentik/stages/password/__init__.py         |  2 +-
 .../password/migrations/0007_app_password.py  | 52 +++++++++++++++++++
 authentik/stages/password/models.py           |  4 +-
 5 files changed, 83 insertions(+), 5 deletions(-)
 create mode 100644 authentik/core/migrations/0028_alter_token_intent.py
 create mode 100644 authentik/stages/password/migrations/0007_app_password.py

diff --git a/authentik/core/migrations/0028_alter_token_intent.py b/authentik/core/migrations/0028_alter_token_intent.py
new file mode 100644
index 000000000..77fe3e0a1
--- /dev/null
+++ b/authentik/core/migrations/0028_alter_token_intent.py
@@ -0,0 +1,26 @@
+# Generated by Django 3.2.6 on 2021-08-23 14:35
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_core", "0027_bootstrap_token"),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="token",
+            name="intent",
+            field=models.TextField(
+                choices=[
+                    ("verification", "Intent Verification"),
+                    ("api", "Intent Api"),
+                    ("recovery", "Intent Recovery"),
+                    ("app_password", "Intent App Password"),
+                ],
+                default="verification",
+            ),
+        ),
+    ]
diff --git a/authentik/flows/migrations/0008_default_flows.py b/authentik/flows/migrations/0008_default_flows.py
index 8de070f80..e2498b6c5 100644
--- a/authentik/flows/migrations/0008_default_flows.py
+++ b/authentik/flows/migrations/0008_default_flows.py
@@ -6,7 +6,7 @@ from django.db.backends.base.schema import BaseDatabaseSchemaEditor
 
 from authentik.flows.models import FlowDesignation
 from authentik.stages.identification.models import UserFields
-from authentik.stages.password import BACKEND_DJANGO, BACKEND_LDAP
+from authentik.stages.password import BACKEND_APP_PASSWORD, BACKEND_DJANGO, BACKEND_LDAP
 
 
 def create_default_authentication_flow(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
@@ -26,7 +26,7 @@ def create_default_authentication_flow(apps: Apps, schema_editor: BaseDatabaseSc
 
     password_stage, _ = PasswordStage.objects.using(db_alias).update_or_create(
         name="default-authentication-password",
-        defaults={"backends": [BACKEND_DJANGO, BACKEND_LDAP]},
+        defaults={"backends": [BACKEND_DJANGO, BACKEND_LDAP, BACKEND_APP_PASSWORD]},
     )
 
     login_stage, _ = UserLoginStage.objects.using(db_alias).update_or_create(
diff --git a/authentik/stages/password/__init__.py b/authentik/stages/password/__init__.py
index 2bfdc92e1..fe333bd84 100644
--- a/authentik/stages/password/__init__.py
+++ b/authentik/stages/password/__init__.py
@@ -1,4 +1,4 @@
 """Backend paths"""
 BACKEND_DJANGO = "django.contrib.auth.backends.ModelBackend"
 BACKEND_LDAP = "authentik.sources.ldap.auth.LDAPBackend"
-BACKEND_TOKEN = "authentik.core.token_auth.TokenBackend"  # nosec
+BACKEND_APP_PASSWORD = "authentik.core.token_auth.TokenBackend"  # nosec
diff --git a/authentik/stages/password/migrations/0007_app_password.py b/authentik/stages/password/migrations/0007_app_password.py
new file mode 100644
index 000000000..168424c95
--- /dev/null
+++ b/authentik/stages/password/migrations/0007_app_password.py
@@ -0,0 +1,52 @@
+# Generated by Django 3.2.6 on 2021-08-23 14:34
+import django.contrib.postgres.fields
+from django.apps.registry import Apps
+from django.db import migrations, models
+from django.db.backends.base.schema import BaseDatabaseSchemaEditor
+
+from authentik.stages.password import BACKEND_APP_PASSWORD
+
+
+def update_default_backends(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
+    PasswordStage = apps.get_model("authentik_stages_password", "passwordstage")
+    db_alias = schema_editor.connection.alias
+
+    stages = PasswordStage.objects.using(db_alias).filter(name="default-authentication-password")
+    if not stages.exists():
+        return
+    stage = stages.first()
+    stage.backends.append(BACKEND_APP_PASSWORD)
+    stage.save()
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_flows", "0008_default_flows"),
+        ("authentik_stages_password", "0006_passwordchange_rename"),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="passwordstage",
+            name="backends",
+            field=django.contrib.postgres.fields.ArrayField(
+                base_field=models.TextField(
+                    choices=[
+                        (
+                            "django.contrib.auth.backends.ModelBackend",
+                            "User database + standard password",
+                        ),
+                        ("authentik.core.token_auth.TokenBackend", "User database + app passwords"),
+                        (
+                            "authentik.sources.ldap.auth.LDAPBackend",
+                            "User database + LDAP password",
+                        ),
+                    ]
+                ),
+                help_text="Selection of backends to test the password against.",
+                size=None,
+            ),
+        ),
+        migrations.RunPython(update_default_backends),
+    ]
diff --git a/authentik/stages/password/models.py b/authentik/stages/password/models.py
index 66fd5d043..50932f29e 100644
--- a/authentik/stages/password/models.py
+++ b/authentik/stages/password/models.py
@@ -9,7 +9,7 @@ from rest_framework.serializers import BaseSerializer
 
 from authentik.core.types import UserSettingSerializer
 from authentik.flows.models import ConfigurableStage, Stage
-from authentik.stages.password import BACKEND_DJANGO, BACKEND_LDAP, BACKEND_TOKEN
+from authentik.stages.password import BACKEND_APP_PASSWORD, BACKEND_DJANGO, BACKEND_LDAP
 
 
 def get_authentication_backends():
@@ -20,7 +20,7 @@ def get_authentication_backends():
             _("User database + standard password"),
         ),
         (
-            BACKEND_TOKEN,
+            BACKEND_APP_PASSWORD,
             _("User database + app passwords"),
         ),
         (

From 00e9b91f562edecb139785a6ec381737844e8a37 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Mon, 23 Aug 2021 16:47:38 +0200
Subject: [PATCH 06/22] web/admin: fix missing app passwords backend

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
---
 authentik/core/token_auth.py                  |  2 +-
 web/src/locales/en.po                         | 24 ++++++++++++++-----
 web/src/locales/pseudo-LOCALE.po              | 24 ++++++++++++++-----
 .../stages/password/PasswordStageForm.ts      | 12 ++++++++--
 4 files changed, 47 insertions(+), 15 deletions(-)

diff --git a/authentik/core/token_auth.py b/authentik/core/token_auth.py
index 1c95ce996..cc52ed116 100644
--- a/authentik/core/token_auth.py
+++ b/authentik/core/token_auth.py
@@ -26,4 +26,4 @@ class TokenBackend(ModelBackend):
         )
         if not tokens.exists():
             return None
-        return user
+        return tokens.first().user
diff --git a/web/src/locales/en.po b/web/src/locales/en.po
index c09f84d65..ac173bc2f 100644
--- a/web/src/locales/en.po
+++ b/web/src/locales/en.po
@@ -4763,6 +4763,18 @@ msgstr "User Reputation"
 msgid "User Settings"
 msgstr "User Settings"
 
+#: src/pages/stages/password/PasswordStageForm.ts
+msgid "User database + LDAP password"
+msgstr "User database + LDAP password"
+
+#: src/pages/stages/password/PasswordStageForm.ts
+msgid "User database + app passwords"
+msgstr "User database + app passwords"
+
+#: src/pages/stages/password/PasswordStageForm.ts
+msgid "User database + standard password"
+msgstr "User database + standard password"
+
 #: src/pages/user-settings/UserSettingsPage.ts
 msgid "User details"
 msgstr "User details"
@@ -5049,13 +5061,13 @@ msgstr "You can only select providers that match the type of the outpost."
 msgid "You're currently impersonating {0}. Click to stop."
 msgstr "You're currently impersonating {0}. Click to stop."
 
-#: src/pages/stages/password/PasswordStageForm.ts
-msgid "authentik Builtin Database"
-msgstr "authentik Builtin Database"
+#: 
+#~ msgid "authentik Builtin Database"
+#~ msgstr "authentik Builtin Database"
 
-#: src/pages/stages/password/PasswordStageForm.ts
-msgid "authentik LDAP Backend"
-msgstr "authentik LDAP Backend"
+#: 
+#~ msgid "authentik LDAP Backend"
+#~ msgstr "authentik LDAP Backend"
 
 #: src/elements/forms/DeleteForm.ts
 msgid "connecting object will be deleted"
diff --git a/web/src/locales/pseudo-LOCALE.po b/web/src/locales/pseudo-LOCALE.po
index 36be57c10..1a9d0ae1f 100644
--- a/web/src/locales/pseudo-LOCALE.po
+++ b/web/src/locales/pseudo-LOCALE.po
@@ -4748,6 +4748,18 @@ msgstr ""
 msgid "User Settings"
 msgstr ""
 
+#: src/pages/stages/password/PasswordStageForm.ts
+msgid "User database + LDAP password"
+msgstr ""
+
+#: src/pages/stages/password/PasswordStageForm.ts
+msgid "User database + app passwords"
+msgstr ""
+
+#: src/pages/stages/password/PasswordStageForm.ts
+msgid "User database + standard password"
+msgstr ""
+
 #: src/pages/user-settings/UserSettingsPage.ts
 msgid "User details"
 msgstr ""
@@ -5032,13 +5044,13 @@ msgstr ""
 msgid "You're currently impersonating {0}. Click to stop."
 msgstr ""
 
-#: src/pages/stages/password/PasswordStageForm.ts
-msgid "authentik Builtin Database"
-msgstr ""
+#: 
+#~ msgid "authentik Builtin Database"
+#~ msgstr ""
 
-#: src/pages/stages/password/PasswordStageForm.ts
-msgid "authentik LDAP Backend"
-msgstr ""
+#: 
+#~ msgid "authentik LDAP Backend"
+#~ msgstr ""
 
 #: src/elements/forms/DeleteForm.ts
 msgid "connecting object will be deleted"
diff --git a/web/src/pages/stages/password/PasswordStageForm.ts b/web/src/pages/stages/password/PasswordStageForm.ts
index 07152dfc4..dbe56340c 100644
--- a/web/src/pages/stages/password/PasswordStageForm.ts
+++ b/web/src/pages/stages/password/PasswordStageForm.ts
@@ -81,7 +81,15 @@ export class PasswordStageForm extends ModelForm<PasswordStage, string> {
                                     BackendsEnum.DjangoContribAuthBackendsModelBackend,
                                 )}
                             >
-                                ${t`authentik Builtin Database`}
+                                ${t`User database + standard password`}
+                            </option>
+                            <option
+                                value=${BackendsEnum.AuthentikCoreTokenAuthTokenBackend}
+                                ?selected=${this.isBackendSelected(
+                                    BackendsEnum.AuthentikCoreTokenAuthTokenBackend,
+                                )}
+                            >
+                                ${t`User database + app passwords`}
                             </option>
                             <option
                                 value=${BackendsEnum.AuthentikSourcesLdapAuthLdapBackend}
@@ -89,7 +97,7 @@ export class PasswordStageForm extends ModelForm<PasswordStage, string> {
                                     BackendsEnum.AuthentikSourcesLdapAuthLdapBackend,
                                 )}
                             >
-                                ${t`authentik LDAP Backend`}
+                                ${t`User database + LDAP password`}
                             </option>
                         </select>
                         <p class="pf-c-form__helper-text">

From 69a015361962d9ab1dd4d45a1bad1dca5b512c47 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Mon, 23 Aug 2021 17:07:06 +0200
Subject: [PATCH 07/22] core: use custom inbuilt backend, set backend login
 information in flow plan for events

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
---
 authentik/core/auth.py                        | 56 +++++++++++++++++++
 authentik/core/sources/flow_manager.py        |  4 +-
 authentik/core/token_auth.py                  | 29 ----------
 authentik/events/signals.py                   |  5 ++
 .../flows/migrations/0008_default_flows.py    |  4 +-
 authentik/recovery/views.py                   |  4 +-
 authentik/root/settings.py                    |  3 +-
 authentik/sources/ldap/auth.py                | 10 ++++
 authentik/sources/ldap/settings.py            |  4 --
 authentik/sources/saml/processors/response.py |  6 +-
 authentik/stages/identification/tests.py      |  6 +-
 authentik/stages/invitation/tests.py          |  6 +-
 authentik/stages/password/__init__.py         |  4 +-
 .../password/migrations/0007_app_password.py  | 21 +++++--
 authentik/stages/password/models.py           |  4 +-
 authentik/stages/password/stage.py            |  2 +
 authentik/stages/password/tests.py            |  4 +-
 authentik/stages/user_login/stage.py          |  4 +-
 authentik/stages/user_logout/tests.py         |  4 +-
 19 files changed, 115 insertions(+), 65 deletions(-)
 create mode 100644 authentik/core/auth.py
 delete mode 100644 authentik/core/token_auth.py

diff --git a/authentik/core/auth.py b/authentik/core/auth.py
new file mode 100644
index 000000000..42a84cf14
--- /dev/null
+++ b/authentik/core/auth.py
@@ -0,0 +1,56 @@
+"""Authenticate with tokens"""
+
+from typing import Any, Optional
+
+from django.contrib.auth.backends import ModelBackend
+from django.http.request import HttpRequest
+
+from authentik.core.models import Token, TokenIntents, User
+from authentik.flows.planner import FlowPlan
+from authentik.flows.views import SESSION_KEY_PLAN
+from authentik.stages.password.stage import PLAN_CONTEXT_METHOD, PLAN_CONTEXT_METHOD_ARGS
+
+
+class InbuiltBackend(ModelBackend):
+    """Inbuilt backend"""
+
+    def authenticate(
+        self, request: HttpRequest, username: Optional[str], password: Optional[str], **kwargs: Any
+    ) -> Optional[User]:
+        user = super().authenticate(request, username=username, password=password, **kwargs)
+        if not user:
+            return None
+        # Since we can't directly pass other variables to signals, and we want to log the method
+        # and the token used, we assume we're running in a flow and set a variable in the context
+        flow_plan: FlowPlan = request.session[SESSION_KEY_PLAN]
+        flow_plan.context[PLAN_CONTEXT_METHOD] = "password"
+        request.session[SESSION_KEY_PLAN] = flow_plan
+        return user
+
+
+class TokenBackend(ModelBackend):
+    """Authenticate with token"""
+
+    def authenticate(
+        self, request: HttpRequest, username: Optional[str], password: Optional[str], **kwargs: Any
+    ) -> Optional[User]:
+        try:
+            user = User._default_manager.get_by_natural_key(username)
+        except User.DoesNotExist:
+            # Run the default password hasher once to reduce the timing
+            # difference between an existing and a nonexistent user (#20760).
+            User().set_password(password)
+            return None
+        tokens = Token.filter_not_expired(
+            user=user, key=password, intent=TokenIntents.INTENT_APP_PASSWORD
+        )
+        if not tokens.exists():
+            return None
+        token = tokens.first()
+        # Since we can't directly pass other variables to signals, and we want to log the method
+        # and the token used, we assume we're running in a flow and set a variable in the context
+        flow_plan: FlowPlan = request.session[SESSION_KEY_PLAN]
+        flow_plan.context[PLAN_CONTEXT_METHOD] = "app_password"
+        flow_plan.context[PLAN_CONTEXT_METHOD_ARGS] = {"token": token}
+        request.session[SESSION_KEY_PLAN] = flow_plan
+        return token.user
diff --git a/authentik/core/sources/flow_manager.py b/authentik/core/sources/flow_manager.py
index 7666da07f..0cac12440 100644
--- a/authentik/core/sources/flow_manager.py
+++ b/authentik/core/sources/flow_manager.py
@@ -25,7 +25,7 @@ from authentik.flows.planner import (
 from authentik.flows.views import NEXT_ARG_NAME, SESSION_KEY_GET, SESSION_KEY_PLAN
 from authentik.lib.utils.urls import redirect_with_qs
 from authentik.policies.utils import delete_none_keys
-from authentik.stages.password import BACKEND_DJANGO
+from authentik.stages.password import BACKEND_INBUILT
 from authentik.stages.password.stage import PLAN_CONTEXT_AUTHENTICATION_BACKEND
 from authentik.stages.prompt.stage import PLAN_CONTEXT_PROMPT
 
@@ -189,7 +189,7 @@ class SourceFlowManager:
         kwargs.update(
             {
                 # Since we authenticate the user by their token, they have no backend set
-                PLAN_CONTEXT_AUTHENTICATION_BACKEND: BACKEND_DJANGO,
+                PLAN_CONTEXT_AUTHENTICATION_BACKEND: BACKEND_INBUILT,
                 PLAN_CONTEXT_SSO: True,
                 PLAN_CONTEXT_SOURCE: self.source,
                 PLAN_CONTEXT_REDIRECT: final_redirect,
diff --git a/authentik/core/token_auth.py b/authentik/core/token_auth.py
deleted file mode 100644
index cc52ed116..000000000
--- a/authentik/core/token_auth.py
+++ /dev/null
@@ -1,29 +0,0 @@
-"""Authenticate with tokens"""
-
-from typing import Any, Optional
-
-from django.contrib.auth.backends import ModelBackend
-from django.http.request import HttpRequest
-
-from authentik.core.models import Token, TokenIntents, User
-
-
-class TokenBackend(ModelBackend):
-    """Authenticate with token"""
-
-    def authenticate(
-        self, request: HttpRequest, username: Optional[str], password: Optional[str], **kwargs: Any
-    ) -> Optional[User]:
-        try:
-            user = User._default_manager.get_by_natural_key(username)
-        except User.DoesNotExist:
-            # Run the default password hasher once to reduce the timing
-            # difference between an existing and a nonexistent user (#20760).
-            User().set_password(password)
-            return None
-        tokens = Token.filter_not_expired(
-            user=user, key=password, intent=TokenIntents.INTENT_APP_PASSWORD
-        )
-        if not tokens.exists():
-            return None
-        return tokens.first().user
diff --git a/authentik/events/signals.py b/authentik/events/signals.py
index 7a4b5a032..be46da3d4 100644
--- a/authentik/events/signals.py
+++ b/authentik/events/signals.py
@@ -15,6 +15,7 @@ from authentik.flows.planner import PLAN_CONTEXT_SOURCE, FlowPlan
 from authentik.flows.views import SESSION_KEY_PLAN
 from authentik.stages.invitation.models import Invitation
 from authentik.stages.invitation.signals import invitation_used
+from authentik.stages.password.stage import PLAN_CONTEXT_METHOD, PLAN_CONTEXT_METHOD_ARGS
 from authentik.stages.user_write.signals import user_write
 
 
@@ -47,6 +48,10 @@ def on_user_logged_in(sender, request: HttpRequest, user: User, **_):
         if PLAN_CONTEXT_SOURCE in flow_plan.context:
             # Login request came from an external source, save it in the context
             thread.kwargs["using_source"] = flow_plan.context[PLAN_CONTEXT_SOURCE]
+        if PLAN_CONTEXT_METHOD in flow_plan.context:
+            thread.kwargs["method"] = flow_plan.context[PLAN_CONTEXT_METHOD]
+            # Save the login method used
+            thread.kwargs["method_args"] = flow_plan.context.get(PLAN_CONTEXT_METHOD_ARGS, {})
     thread.user = user
     thread.run()
 
diff --git a/authentik/flows/migrations/0008_default_flows.py b/authentik/flows/migrations/0008_default_flows.py
index e2498b6c5..d507f209c 100644
--- a/authentik/flows/migrations/0008_default_flows.py
+++ b/authentik/flows/migrations/0008_default_flows.py
@@ -6,7 +6,7 @@ from django.db.backends.base.schema import BaseDatabaseSchemaEditor
 
 from authentik.flows.models import FlowDesignation
 from authentik.stages.identification.models import UserFields
-from authentik.stages.password import BACKEND_APP_PASSWORD, BACKEND_DJANGO, BACKEND_LDAP
+from authentik.stages.password import BACKEND_APP_PASSWORD, BACKEND_INBUILT, BACKEND_LDAP
 
 
 def create_default_authentication_flow(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
@@ -26,7 +26,7 @@ def create_default_authentication_flow(apps: Apps, schema_editor: BaseDatabaseSc
 
     password_stage, _ = PasswordStage.objects.using(db_alias).update_or_create(
         name="default-authentication-password",
-        defaults={"backends": [BACKEND_DJANGO, BACKEND_LDAP, BACKEND_APP_PASSWORD]},
+        defaults={"backends": [BACKEND_INBUILT, BACKEND_LDAP, BACKEND_APP_PASSWORD]},
     )
 
     login_stage, _ = UserLoginStage.objects.using(db_alias).update_or_create(
diff --git a/authentik/recovery/views.py b/authentik/recovery/views.py
index 27b0023af..3253ab332 100644
--- a/authentik/recovery/views.py
+++ b/authentik/recovery/views.py
@@ -7,7 +7,7 @@ from django.utils.translation import gettext as _
 from django.views import View
 
 from authentik.core.models import Token, TokenIntents
-from authentik.stages.password import BACKEND_DJANGO
+from authentik.stages.password import BACKEND_INBUILT
 
 
 class UseTokenView(View):
@@ -19,7 +19,7 @@ class UseTokenView(View):
         if not tokens.exists():
             raise Http404
         token = tokens.first()
-        login(request, token.user, backend=BACKEND_DJANGO)
+        login(request, token.user, backend=BACKEND_INBUILT)
         token.delete()
         messages.warning(request, _("Used recovery-link to authenticate."))
         return redirect("authentik_core:if-admin")
diff --git a/authentik/root/settings.py b/authentik/root/settings.py
index ab3f59cc5..08dc5697b 100644
--- a/authentik/root/settings.py
+++ b/authentik/root/settings.py
@@ -73,7 +73,8 @@ LANGUAGE_COOKIE_NAME = f"authentik_language{_cookie_suffix}"
 SESSION_COOKIE_NAME = f"authentik_session{_cookie_suffix}"
 
 AUTHENTICATION_BACKENDS = [
-    "django.contrib.auth.backends.ModelBackend",
+    "authentik.core.auth.InbuiltBackend",
+    "authentik.core.auth.TokenBackend",
     "guardian.backends.ObjectPermissionBackend",
 ]
 
diff --git a/authentik/sources/ldap/auth.py b/authentik/sources/ldap/auth.py
index 9cf55d36d..10bd55b40 100644
--- a/authentik/sources/ldap/auth.py
+++ b/authentik/sources/ldap/auth.py
@@ -7,7 +7,10 @@ from django.http import HttpRequest
 from structlog.stdlib import get_logger
 
 from authentik.core.models import User
+from authentik.flows.planner import FlowPlan
+from authentik.flows.views import SESSION_KEY_PLAN
 from authentik.sources.ldap.models import LDAPSource
+from authentik.stages.password.stage import PLAN_CONTEXT_METHOD, PLAN_CONTEXT_METHOD_ARGS
 
 LOGGER = get_logger()
 LDAP_DISTINGUISHED_NAME = "distinguishedName"
@@ -24,6 +27,13 @@ class LDAPBackend(ModelBackend):
             LOGGER.debug("LDAP Auth attempt", source=source)
             user = self.auth_user(source, **kwargs)
             if user:
+                # Since we can't directly pass other variables to signals, and we want to log
+                # the method and the token used, we assume we're running in a flow and
+                # set a variable in the context
+                flow_plan: FlowPlan = request.session[SESSION_KEY_PLAN]
+                flow_plan.context[PLAN_CONTEXT_METHOD] = "ldap"
+                flow_plan.context[PLAN_CONTEXT_METHOD_ARGS] = {"source": source}
+                request.session[SESSION_KEY_PLAN] = flow_plan
                 return user
         return None
 
diff --git a/authentik/sources/ldap/settings.py b/authentik/sources/ldap/settings.py
index 850e9a04d..d3b90e901 100644
--- a/authentik/sources/ldap/settings.py
+++ b/authentik/sources/ldap/settings.py
@@ -1,10 +1,6 @@
 """LDAP Settings"""
 from celery.schedules import crontab
 
-AUTHENTICATION_BACKENDS = [
-    "authentik.sources.ldap.auth.LDAPBackend",
-]
-
 CELERY_BEAT_SCHEDULE = {
     "sources_ldap_sync": {
         "task": "authentik.sources.ldap.tasks.ldap_sync_all",
diff --git a/authentik/sources/saml/processors/response.py b/authentik/sources/saml/processors/response.py
index 0e41b44c8..c2537770c 100644
--- a/authentik/sources/saml/processors/response.py
+++ b/authentik/sources/saml/processors/response.py
@@ -39,7 +39,7 @@ from authentik.sources.saml.processors.constants import (
 from authentik.sources.saml.processors.request import SESSION_REQUEST_ID
 from authentik.stages.password.stage import PLAN_CONTEXT_AUTHENTICATION_BACKEND
 from authentik.stages.prompt.stage import PLAN_CONTEXT_PROMPT
-from authentik.stages.user_login.stage import BACKEND_DJANGO
+from authentik.stages.user_login.stage import BACKEND_INBUILT
 
 LOGGER = get_logger()
 if TYPE_CHECKING:
@@ -136,7 +136,7 @@ class ResponseProcessor:
             self._source.authentication_flow,
             **{
                 PLAN_CONTEXT_PENDING_USER: user,
-                PLAN_CONTEXT_AUTHENTICATION_BACKEND: BACKEND_DJANGO,
+                PLAN_CONTEXT_AUTHENTICATION_BACKEND: BACKEND_INBUILT,
             },
         )
 
@@ -199,7 +199,7 @@ class ResponseProcessor:
                 self._source.authentication_flow,
                 **{
                     PLAN_CONTEXT_PENDING_USER: matching_users.first(),
-                    PLAN_CONTEXT_AUTHENTICATION_BACKEND: BACKEND_DJANGO,
+                    PLAN_CONTEXT_AUTHENTICATION_BACKEND: BACKEND_INBUILT,
                     PLAN_CONTEXT_REDIRECT: final_redirect,
                 },
             )
diff --git a/authentik/stages/identification/tests.py b/authentik/stages/identification/tests.py
index c9d5e267f..fb2beeabe 100644
--- a/authentik/stages/identification/tests.py
+++ b/authentik/stages/identification/tests.py
@@ -9,7 +9,7 @@ from authentik.flows.models import Flow, FlowDesignation, FlowStageBinding
 from authentik.providers.oauth2.generators import generate_client_secret
 from authentik.sources.oauth.models import OAuthSource
 from authentik.stages.identification.models import IdentificationStage, UserFields
-from authentik.stages.password import BACKEND_DJANGO
+from authentik.stages.password import BACKEND_INBUILT
 from authentik.stages.password.models import PasswordStage
 
 
@@ -68,7 +68,7 @@ class TestIdentificationStage(TestCase):
 
     def test_valid_with_password(self):
         """Test with valid email and password in single step"""
-        pw_stage = PasswordStage.objects.create(name="password", backends=[BACKEND_DJANGO])
+        pw_stage = PasswordStage.objects.create(name="password", backends=[BACKEND_INBUILT])
         self.stage.password_stage = pw_stage
         self.stage.save()
         form_data = {"uid_field": self.user.email, "password": self.password}
@@ -86,7 +86,7 @@ class TestIdentificationStage(TestCase):
 
     def test_invalid_with_password(self):
         """Test with valid email and invalid password in single step"""
-        pw_stage = PasswordStage.objects.create(name="password", backends=[BACKEND_DJANGO])
+        pw_stage = PasswordStage.objects.create(name="password", backends=[BACKEND_INBUILT])
         self.stage.password_stage = pw_stage
         self.stage.save()
         form_data = {
diff --git a/authentik/stages/invitation/tests.py b/authentik/stages/invitation/tests.py
index 45d0c97f5..6f84dca7b 100644
--- a/authentik/stages/invitation/tests.py
+++ b/authentik/stages/invitation/tests.py
@@ -17,7 +17,7 @@ from authentik.flows.tests.test_views import TO_STAGE_RESPONSE_MOCK
 from authentik.flows.views import SESSION_KEY_PLAN
 from authentik.stages.invitation.models import Invitation, InvitationStage
 from authentik.stages.invitation.stage import INVITATION_TOKEN_KEY, PLAN_CONTEXT_PROMPT
-from authentik.stages.password import BACKEND_DJANGO
+from authentik.stages.password import BACKEND_INBUILT
 from authentik.stages.password.stage import PLAN_CONTEXT_AUTHENTICATION_BACKEND
 
 
@@ -45,7 +45,7 @@ class TestUserLoginStage(TestCase):
         """Test without any invitation, continue_flow_without_invitation not set."""
         plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
         plan.context[PLAN_CONTEXT_PENDING_USER] = self.user
-        plan.context[PLAN_CONTEXT_AUTHENTICATION_BACKEND] = BACKEND_DJANGO
+        plan.context[PLAN_CONTEXT_AUTHENTICATION_BACKEND] = BACKEND_INBUILT
         session = self.client.session
         session[SESSION_KEY_PLAN] = plan
         session.save()
@@ -74,7 +74,7 @@ class TestUserLoginStage(TestCase):
         self.stage.save()
         plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
         plan.context[PLAN_CONTEXT_PENDING_USER] = self.user
-        plan.context[PLAN_CONTEXT_AUTHENTICATION_BACKEND] = BACKEND_DJANGO
+        plan.context[PLAN_CONTEXT_AUTHENTICATION_BACKEND] = BACKEND_INBUILT
         session = self.client.session
         session[SESSION_KEY_PLAN] = plan
         session.save()
diff --git a/authentik/stages/password/__init__.py b/authentik/stages/password/__init__.py
index fe333bd84..d5c73cc96 100644
--- a/authentik/stages/password/__init__.py
+++ b/authentik/stages/password/__init__.py
@@ -1,4 +1,4 @@
 """Backend paths"""
-BACKEND_DJANGO = "django.contrib.auth.backends.ModelBackend"
+BACKEND_INBUILT = "authentik.core.auth.InbuiltBackend"
 BACKEND_LDAP = "authentik.sources.ldap.auth.LDAPBackend"
-BACKEND_APP_PASSWORD = "authentik.core.token_auth.TokenBackend"  # nosec
+BACKEND_APP_PASSWORD = "authentik.core.auth.TokenBackend"  # nosec
diff --git a/authentik/stages/password/migrations/0007_app_password.py b/authentik/stages/password/migrations/0007_app_password.py
index 168424c95..349758219 100644
--- a/authentik/stages/password/migrations/0007_app_password.py
+++ b/authentik/stages/password/migrations/0007_app_password.py
@@ -4,7 +4,7 @@ from django.apps.registry import Apps
 from django.db import migrations, models
 from django.db.backends.base.schema import BaseDatabaseSchemaEditor
 
-from authentik.stages.password import BACKEND_APP_PASSWORD
+from authentik.stages.password import BACKEND_APP_PASSWORD, BACKEND_INBUILT
 
 
 def update_default_backends(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
@@ -19,6 +19,18 @@ def update_default_backends(apps: Apps, schema_editor: BaseDatabaseSchemaEditor)
     stage.save()
 
 
+def replace_inbuilt(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
+    PasswordStage = apps.get_model("authentik_stages_password", "passwordstage")
+    db_alias = schema_editor.connection.alias
+
+    for stage in PasswordStage.objects.using(db_alias).all():
+        if "django.contrib.auth.backends.ModelBackend" not in stage.backends:
+            continue
+        stage.backends.remove("django.contrib.auth.backends.ModelBackend")
+        stage.backends.append(BACKEND_INBUILT)
+        stage.save()
+
+
 class Migration(migrations.Migration):
 
     dependencies = [
@@ -33,11 +45,8 @@ class Migration(migrations.Migration):
             field=django.contrib.postgres.fields.ArrayField(
                 base_field=models.TextField(
                     choices=[
-                        (
-                            "django.contrib.auth.backends.ModelBackend",
-                            "User database + standard password",
-                        ),
-                        ("authentik.core.token_auth.TokenBackend", "User database + app passwords"),
+                        ("authentik.core.auth.InbuiltBackend", "User database + standard password"),
+                        ("authentik.core.auth.TokenBackend", "User database + app passwords"),
                         (
                             "authentik.sources.ldap.auth.LDAPBackend",
                             "User database + LDAP password",
diff --git a/authentik/stages/password/models.py b/authentik/stages/password/models.py
index 50932f29e..5369052a2 100644
--- a/authentik/stages/password/models.py
+++ b/authentik/stages/password/models.py
@@ -9,14 +9,14 @@ from rest_framework.serializers import BaseSerializer
 
 from authentik.core.types import UserSettingSerializer
 from authentik.flows.models import ConfigurableStage, Stage
-from authentik.stages.password import BACKEND_APP_PASSWORD, BACKEND_DJANGO, BACKEND_LDAP
+from authentik.stages.password import BACKEND_APP_PASSWORD, BACKEND_INBUILT, BACKEND_LDAP
 
 
 def get_authentication_backends():
     """Return all available authentication backends as tuple set"""
     return [
         (
-            BACKEND_DJANGO,
+            BACKEND_INBUILT,
             _("User database + standard password"),
         ),
         (
diff --git a/authentik/stages/password/stage.py b/authentik/stages/password/stage.py
index f5cf96c22..aaef61618 100644
--- a/authentik/stages/password/stage.py
+++ b/authentik/stages/password/stage.py
@@ -27,6 +27,8 @@ from authentik.stages.password.models import PasswordStage
 
 LOGGER = get_logger()
 PLAN_CONTEXT_AUTHENTICATION_BACKEND = "user_backend"
+PLAN_CONTEXT_METHOD = "method"
+PLAN_CONTEXT_METHOD_ARGS = "method_args"
 SESSION_INVALID_TRIES = "user_invalid_tries"
 
 
diff --git a/authentik/stages/password/tests.py b/authentik/stages/password/tests.py
index 39a191098..b30a3187c 100644
--- a/authentik/stages/password/tests.py
+++ b/authentik/stages/password/tests.py
@@ -14,7 +14,7 @@ from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlan
 from authentik.flows.tests.test_views import TO_STAGE_RESPONSE_MOCK
 from authentik.flows.views import SESSION_KEY_PLAN
 from authentik.providers.oauth2.generators import generate_client_secret
-from authentik.stages.password import BACKEND_DJANGO
+from authentik.stages.password import BACKEND_INBUILT
 from authentik.stages.password.models import PasswordStage
 
 MOCK_BACKEND_AUTHENTICATE = MagicMock(side_effect=PermissionDenied("test"))
@@ -36,7 +36,7 @@ class TestPasswordStage(TestCase):
             slug="test-password",
             designation=FlowDesignation.AUTHENTICATION,
         )
-        self.stage = PasswordStage.objects.create(name="password", backends=[BACKEND_DJANGO])
+        self.stage = PasswordStage.objects.create(name="password", backends=[BACKEND_INBUILT])
         self.binding = FlowStageBinding.objects.create(target=self.flow, stage=self.stage, order=2)
 
     @patch(
diff --git a/authentik/stages/user_login/stage.py b/authentik/stages/user_login/stage.py
index 773ccc3ab..9de80233d 100644
--- a/authentik/stages/user_login/stage.py
+++ b/authentik/stages/user_login/stage.py
@@ -8,7 +8,7 @@ from structlog.stdlib import get_logger
 from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER
 from authentik.flows.stage import StageView
 from authentik.lib.utils.time import timedelta_from_string
-from authentik.stages.password import BACKEND_DJANGO
+from authentik.stages.password import BACKEND_INBUILT
 from authentik.stages.password.stage import PLAN_CONTEXT_AUTHENTICATION_BACKEND
 
 LOGGER = get_logger()
@@ -26,7 +26,7 @@ class UserLoginStageView(StageView):
             LOGGER.debug(message)
             return self.executor.stage_invalid()
         backend = self.executor.plan.context.get(
-            PLAN_CONTEXT_AUTHENTICATION_BACKEND, BACKEND_DJANGO
+            PLAN_CONTEXT_AUTHENTICATION_BACKEND, BACKEND_INBUILT
         )
         login(
             self.request,
diff --git a/authentik/stages/user_logout/tests.py b/authentik/stages/user_logout/tests.py
index 2958e3f97..cf2ec16bd 100644
--- a/authentik/stages/user_logout/tests.py
+++ b/authentik/stages/user_logout/tests.py
@@ -9,7 +9,7 @@ from authentik.flows.markers import StageMarker
 from authentik.flows.models import Flow, FlowDesignation, FlowStageBinding
 from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlan
 from authentik.flows.views import SESSION_KEY_PLAN
-from authentik.stages.password import BACKEND_DJANGO
+from authentik.stages.password import BACKEND_INBUILT
 from authentik.stages.password.stage import PLAN_CONTEXT_AUTHENTICATION_BACKEND
 from authentik.stages.user_logout.models import UserLogoutStage
 
@@ -34,7 +34,7 @@ class TestUserLogoutStage(TestCase):
         """Test with a valid pending user and backend"""
         plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
         plan.context[PLAN_CONTEXT_PENDING_USER] = self.user
-        plan.context[PLAN_CONTEXT_AUTHENTICATION_BACKEND] = BACKEND_DJANGO
+        plan.context[PLAN_CONTEXT_AUTHENTICATION_BACKEND] = BACKEND_INBUILT
         session = self.client.session
         session[SESSION_KEY_PLAN] = plan
         session.save()

From 07a4f474f4531a2484d94b256c5513e8a1d9bedb Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Mon, 23 Aug 2021 17:23:55 +0200
Subject: [PATCH 08/22] website/docs: add docs for `auth_method` and
 `auth_method_args` fields

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
---
 authentik/events/signals.py                   |  6 ++--
 authentik/stages/password/stage.py            |  4 +--
 schema.yml                                    |  4 +--
 .../stages/password/PasswordStageForm.ts      | 12 ++++----
 website/docs/policies/expression.mdx          | 28 +++++++++++++++++++
 5 files changed, 41 insertions(+), 13 deletions(-)

diff --git a/authentik/events/signals.py b/authentik/events/signals.py
index be46da3d4..35f651e53 100644
--- a/authentik/events/signals.py
+++ b/authentik/events/signals.py
@@ -47,11 +47,11 @@ def on_user_logged_in(sender, request: HttpRequest, user: User, **_):
         flow_plan: FlowPlan = request.session[SESSION_KEY_PLAN]
         if PLAN_CONTEXT_SOURCE in flow_plan.context:
             # Login request came from an external source, save it in the context
-            thread.kwargs["using_source"] = flow_plan.context[PLAN_CONTEXT_SOURCE]
+            thread.kwargs[PLAN_CONTEXT_SOURCE] = flow_plan.context[PLAN_CONTEXT_SOURCE]
         if PLAN_CONTEXT_METHOD in flow_plan.context:
-            thread.kwargs["method"] = flow_plan.context[PLAN_CONTEXT_METHOD]
+            thread.kwargs[PLAN_CONTEXT_METHOD] = flow_plan.context[PLAN_CONTEXT_METHOD]
             # Save the login method used
-            thread.kwargs["method_args"] = flow_plan.context.get(PLAN_CONTEXT_METHOD_ARGS, {})
+            thread.kwargs[PLAN_CONTEXT_METHOD_ARGS] = flow_plan.context.get(PLAN_CONTEXT_METHOD_ARGS, {})
     thread.user = user
     thread.run()
 
diff --git a/authentik/stages/password/stage.py b/authentik/stages/password/stage.py
index aaef61618..646f68bdf 100644
--- a/authentik/stages/password/stage.py
+++ b/authentik/stages/password/stage.py
@@ -27,8 +27,8 @@ from authentik.stages.password.models import PasswordStage
 
 LOGGER = get_logger()
 PLAN_CONTEXT_AUTHENTICATION_BACKEND = "user_backend"
-PLAN_CONTEXT_METHOD = "method"
-PLAN_CONTEXT_METHOD_ARGS = "method_args"
+PLAN_CONTEXT_METHOD = "auth_method"
+PLAN_CONTEXT_METHOD_ARGS = "auth_method_args"
 SESSION_INVALID_TRIES = "user_invalid_tries"
 
 
diff --git a/schema.yml b/schema.yml
index 38587c822..421488100 100644
--- a/schema.yml
+++ b/schema.yml
@@ -20382,8 +20382,8 @@ components:
       - url
     BackendsEnum:
       enum:
-      - django.contrib.auth.backends.ModelBackend
-      - authentik.core.token_auth.TokenBackend
+      - authentik.core.auth.InbuiltBackend
+      - authentik.core.auth.TokenBackend
       - authentik.sources.ldap.auth.LDAPBackend
       type: string
     BindingTypeEnum:
diff --git a/web/src/pages/stages/password/PasswordStageForm.ts b/web/src/pages/stages/password/PasswordStageForm.ts
index dbe56340c..acbcebc10 100644
--- a/web/src/pages/stages/password/PasswordStageForm.ts
+++ b/web/src/pages/stages/password/PasswordStageForm.ts
@@ -76,25 +76,25 @@ export class PasswordStageForm extends ModelForm<PasswordStage, string> {
                     >
                         <select name="users" class="pf-c-form-control" multiple>
                             <option
-                                value=${BackendsEnum.DjangoContribAuthBackendsModelBackend}
+                                value=${BackendsEnum.CoreAuthInbuiltBackend}
                                 ?selected=${this.isBackendSelected(
-                                    BackendsEnum.DjangoContribAuthBackendsModelBackend,
+                                    BackendsEnum.CoreAuthInbuiltBackend,
                                 )}
                             >
                                 ${t`User database + standard password`}
                             </option>
                             <option
-                                value=${BackendsEnum.AuthentikCoreTokenAuthTokenBackend}
+                                value=${BackendsEnum.CoreAuthTokenBackend}
                                 ?selected=${this.isBackendSelected(
-                                    BackendsEnum.AuthentikCoreTokenAuthTokenBackend,
+                                    BackendsEnum.CoreAuthTokenBackend,
                                 )}
                             >
                                 ${t`User database + app passwords`}
                             </option>
                             <option
-                                value=${BackendsEnum.AuthentikSourcesLdapAuthLdapBackend}
+                                value=${BackendsEnum.SourcesLdapAuthLdapBackend}
                                 ?selected=${this.isBackendSelected(
-                                    BackendsEnum.AuthentikSourcesLdapAuthLdapBackend,
+                                    BackendsEnum.SourcesLdapAuthLdapBackend,
                                 )}
                             >
                                 ${t`User database + LDAP password`}
diff --git a/website/docs/policies/expression.mdx b/website/docs/policies/expression.mdx
index f3977a3ed..d48178037 100644
--- a/website/docs/policies/expression.mdx
+++ b/website/docs/policies/expression.mdx
@@ -59,3 +59,31 @@ This includes the following:
 - `prompt_data`: Data which has been saved from a prompt stage or an external source.
 - `application`: The application the user is in the process of authorizing.
 - `pending_user`: The currently pending user, see [User](/docs/expressions/reference/user-object)
+- `auth_method`: Authentication method set (this value is set by password stages)
+
+    Depending on method, `auth_method_args` is also set.
+
+    Can be any of:
+
+    - `password`: Standard password login
+    - `app_password`: App passowrd (token)
+
+        Sets `auth_method_args` to
+        ```json
+        {
+            "token": {
+                "pk": "f6d639aac81940f38dcfdc6e0fe2a786",
+                "app": "authentik_core",
+                "name": "test (expires=2021-08-23 15:45:54.725880+00:00)",
+                "model_name": "token"
+            }
+        }
+        ```
+    - `ldap`: LDAP bind authentication
+
+        Sets `auth_method_args` to
+        ```json
+        {
+            "source": {} // Information about the source used
+        }
+        ```

From 0b280c0a477c587d11adb091df8821e7dc16db0b Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Mon, 23 Aug 2021 17:26:07 +0200
Subject: [PATCH 09/22] website: fix example flows using incorrect backend

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
---
 authentik/stages/password/tests.py                    | 2 +-
 website/static/flows/login-2fa.akflow                 | 3 ++-
 website/static/flows/login-conditional-captcha.akflow | 3 ++-
 3 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/authentik/stages/password/tests.py b/authentik/stages/password/tests.py
index b30a3187c..ea4100d78 100644
--- a/authentik/stages/password/tests.py
+++ b/authentik/stages/password/tests.py
@@ -158,7 +158,7 @@ class TestPasswordStage(TestCase):
         TO_STAGE_RESPONSE_MOCK,
     )
     @patch(
-        "django.contrib.auth.backends.ModelBackend.authenticate",
+        "authentik.core.auth.InbuiltBackend.authenticate",
         MOCK_BACKEND_AUTHENTICATE,
     )
     def test_permission_denied(self):
diff --git a/website/static/flows/login-2fa.akflow b/website/static/flows/login-2fa.akflow
index 35e9fc87c..f7eecc83c 100644
--- a/website/static/flows/login-2fa.akflow
+++ b/website/static/flows/login-2fa.akflow
@@ -52,7 +52,8 @@
             "model": "authentik_stages_password.passwordstage",
             "attrs": {
                 "backends": [
-                    "django.contrib.auth.backends.ModelBackend",
+                    "authentik.core.auth.InbuiltBackend",
+                    "authentik.core.auth.TokenBackend",
                     "authentik.sources.ldap.auth.LDAPBackend"
                 ]
             }
diff --git a/website/static/flows/login-conditional-captcha.akflow b/website/static/flows/login-conditional-captcha.akflow
index f5e040ad8..d7b16a98c 100644
--- a/website/static/flows/login-conditional-captcha.akflow
+++ b/website/static/flows/login-conditional-captcha.akflow
@@ -55,7 +55,8 @@
             "model": "authentik_stages_password.passwordstage",
             "attrs": {
                 "backends": [
-                    "django.contrib.auth.backends.ModelBackend",
+                    "authentik.core.auth.InbuiltBackend",
+                    "authentik.core.auth.TokenBackend",
                     "authentik.sources.ldap.auth.LDAPBackend"
                 ]
             }

From 09e3d616e98eceda59e85e75c72e1714db0b026f Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Mon, 23 Aug 2021 17:29:12 +0200
Subject: [PATCH 10/22] root: add alias for akflow files

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
---
 .vscode/settings.json | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)
 create mode 100644 .vscode/settings.json

diff --git a/.vscode/settings.json b/.vscode/settings.json
new file mode 100644
index 000000000..90277c2e6
--- /dev/null
+++ b/.vscode/settings.json
@@ -0,0 +1,22 @@
+{
+    "cSpell.words": [
+        "asgi",
+        "authentik",
+        "authn",
+        "goauthentik",
+        "jwks",
+        "oidc",
+        "openid",
+        "plex",
+        "saml",
+        "totp",
+        "webauthn"
+    ],
+    "python.linting.pylintEnabled": true,
+    "todo-tree.tree.showCountsInTree": true,
+    "todo-tree.tree.showBadges": true,
+    "python.formatting.provider": "black",
+    "files.associations": {
+        "*.akflow": "json"
+    }
+}

From 033c9a3bd3ef1ee08633d98d74dfe7404deab740 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Mon, 23 Aug 2021 17:33:35 +0200
Subject: [PATCH 11/22] core: fix token intent not defaulting correctly

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
---
 authentik/core/api/tokens.py | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/authentik/core/api/tokens.py b/authentik/core/api/tokens.py
index f8e14a2e8..517f230d2 100644
--- a/authentik/core/api/tokens.py
+++ b/authentik/core/api/tokens.py
@@ -1,4 +1,5 @@
 """Tokens API Viewset"""
+from typing import Any
 from django.http.response import Http404
 from drf_spectacular.utils import OpenApiResponse, extend_schema
 from rest_framework.decorators import action
@@ -23,11 +24,12 @@ class TokenSerializer(ManagedSerializer, ModelSerializer):
 
     user = UserSerializer(required=False)
 
-    def validate_intent(self, value: str) -> str:
+    def validate(self, data: dict[Any, str]) -> dict[Any, str]:
         """Ensure only API or App password tokens are created."""
-        if value not in [TokenIntents.INTENT_API, TokenIntents.INTENT_APP_PASSWORD]:
-            raise ValidationError(f"Invalid intent {value}")
-        return value
+        data.setdefault("intent", TokenIntents.INTENT_API)
+        if data.get("intent") not in [TokenIntents.INTENT_API, TokenIntents.INTENT_APP_PASSWORD]:
+            raise ValidationError(f"Invalid intent {data.get('intent')}")
+        return data
 
     class Meta:
 

From 59f04963beaefb865450b65f31b0236661f09ca2 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Mon, 23 Aug 2021 17:39:19 +0200
Subject: [PATCH 12/22] website: update akflows orders

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
---
 website/static/flows/enrollment-2-stage.akflow         |  8 ++++----
 .../static/flows/enrollment-email-verification.akflow  | 10 +++++-----
 website/static/flows/login-2fa.akflow                  | 10 +++++-----
 website/static/flows/login-conditional-captcha.akflow  |  8 ++++----
 .../static/flows/recovery-email-verification.akflow    | 10 +++++-----
 website/static/flows/unenrollment.akflow               |  2 +-
 6 files changed, 24 insertions(+), 24 deletions(-)

diff --git a/website/static/flows/enrollment-2-stage.akflow b/website/static/flows/enrollment-2-stage.akflow
index 68b726154..13b364c87 100644
--- a/website/static/flows/enrollment-2-stage.akflow
+++ b/website/static/flows/enrollment-2-stage.akflow
@@ -133,7 +133,7 @@
                 "pk": "34e1e7d5-8eed-4549-bc7a-305069ff7df0",
                 "target": "773c6673-e4a2-423f-8d32-95b7b4a41cf3",
                 "stage": "20375f30-7fa7-4562-8f6e-0f61889f2963",
-                "order": 0
+                "order": 10
             },
             "model": "authentik_flows.flowstagebinding",
             "attrs": {
@@ -145,7 +145,7 @@
                 "pk": "e40467a6-3052-488c-a1b5-1ad7a80fe7b3",
                 "target": "773c6673-e4a2-423f-8d32-95b7b4a41cf3",
                 "stage": "6c342b94-790d-425a-ae31-6196b6570722",
-                "order": 1
+                "order": 11
             },
             "model": "authentik_flows.flowstagebinding",
             "attrs": {
@@ -157,7 +157,7 @@
                 "pk": "76bc594e-2715-49ab-bd40-994abd9a7b70",
                 "target": "773c6673-e4a2-423f-8d32-95b7b4a41cf3",
                 "stage": "a4090add-f483-4ac6-8917-10b493ef843e",
-                "order": 2
+                "order": 20
             },
             "model": "authentik_flows.flowstagebinding",
             "attrs": {
@@ -169,7 +169,7 @@
                 "pk": "2f324f6d-7646-4108-a6e2-e7f90985477f",
                 "target": "773c6673-e4a2-423f-8d32-95b7b4a41cf3",
                 "stage": "77090897-eb3f-40db-81e6-b4074b1998c4",
-                "order": 3
+                "order": 100
             },
             "model": "authentik_flows.flowstagebinding",
             "attrs": {
diff --git a/website/static/flows/enrollment-email-verification.akflow b/website/static/flows/enrollment-email-verification.akflow
index 24f15ff5c..0eb99c3dd 100644
--- a/website/static/flows/enrollment-email-verification.akflow
+++ b/website/static/flows/enrollment-email-verification.akflow
@@ -154,7 +154,7 @@
                 "pk": "34e1e7d5-8eed-4549-bc7a-305069ff7df0",
                 "target": "773c6673-e4a2-423f-8d32-95b7b4a41cf3",
                 "stage": "20375f30-7fa7-4562-8f6e-0f61889f2963",
-                "order": 0
+                "order": 10
             },
             "model": "authentik_flows.flowstagebinding",
             "attrs": {
@@ -166,7 +166,7 @@
                 "pk": "e40467a6-3052-488c-a1b5-1ad7a80fe7b3",
                 "target": "773c6673-e4a2-423f-8d32-95b7b4a41cf3",
                 "stage": "6c342b94-790d-425a-ae31-6196b6570722",
-                "order": 1
+                "order": 11
             },
             "model": "authentik_flows.flowstagebinding",
             "attrs": {
@@ -178,7 +178,7 @@
                 "pk": "76bc594e-2715-49ab-bd40-994abd9a7b70",
                 "target": "773c6673-e4a2-423f-8d32-95b7b4a41cf3",
                 "stage": "a4090add-f483-4ac6-8917-10b493ef843e",
-                "order": 2
+                "order": 20
             },
             "model": "authentik_flows.flowstagebinding",
             "attrs": {
@@ -190,7 +190,7 @@
                 "pk": "1db34a14-8985-4184-b5c9-254cd585d94f",
                 "target": "773c6673-e4a2-423f-8d32-95b7b4a41cf3",
                 "stage": "096e6282-6b30-4695-bd03-3b143eab5580",
-                "order": 3
+                "order": 30
             },
             "model": "authentik_flows.flowstagebinding",
             "attrs": {
@@ -202,7 +202,7 @@
                 "pk": "2f324f6d-7646-4108-a6e2-e7f90985477f",
                 "target": "773c6673-e4a2-423f-8d32-95b7b4a41cf3",
                 "stage": "77090897-eb3f-40db-81e6-b4074b1998c4",
-                "order": 4
+                "order": 40
             },
             "model": "authentik_flows.flowstagebinding",
             "attrs": {
diff --git a/website/static/flows/login-2fa.akflow b/website/static/flows/login-2fa.akflow
index f7eecc83c..180ea3f36 100644
--- a/website/static/flows/login-2fa.akflow
+++ b/website/static/flows/login-2fa.akflow
@@ -39,7 +39,7 @@
         {
             "identifiers": {
                 "pk": "37f709c3-8817-45e8-9a93-80a925d293c2",
-                "name": "default-authentication-flow-totp"
+                "name": "default-authentication-flow-mfa"
             },
             "model": "authentik_stages_authenticator_validate.AuthenticatorValidateStage",
             "attrs": {}
@@ -63,7 +63,7 @@
                 "pk": "a3056482-b692-4e3a-93f1-7351c6a351c7",
                 "target": "563ece21-e9a4-47e5-a264-23ffd923e393",
                 "stage": "5f594f27-0def-488d-9855-fe604eb13de5",
-                "order": 0
+                "order": 10
             },
             "model": "authentik_flows.flowstagebinding",
             "attrs": {
@@ -75,7 +75,7 @@
                 "pk": "4e8538cf-3e18-4a68-82ae-6df6725fa2e6",
                 "target": "563ece21-e9a4-47e5-a264-23ffd923e393",
                 "stage": "d8affa62-500c-4c5c-a01f-5835e1ffdf40",
-                "order": 1
+                "order": 20
             },
             "model": "authentik_flows.flowstagebinding",
             "attrs": {
@@ -87,7 +87,7 @@
                 "pk": "688aec6f-5622-42c6-83a5-d22072d7e798",
                 "target": "563ece21-e9a4-47e5-a264-23ffd923e393",
                 "stage": "37f709c3-8817-45e8-9a93-80a925d293c2",
-                "order": 2
+                "order": 30
             },
             "model": "authentik_flows.flowstagebinding",
             "attrs": {
@@ -99,7 +99,7 @@
                 "pk": "f3fede3a-a9b5-4232-9ec7-be7ff4194b27",
                 "target": "563ece21-e9a4-47e5-a264-23ffd923e393",
                 "stage": "69d41125-3987-499b-8d74-ef27b54b88c8",
-                "order": 3
+                "order": 100
             },
             "model": "authentik_flows.flowstagebinding",
             "attrs": {
diff --git a/website/static/flows/login-conditional-captcha.akflow b/website/static/flows/login-conditional-captcha.akflow
index d7b16a98c..44ffa44ae 100644
--- a/website/static/flows/login-conditional-captcha.akflow
+++ b/website/static/flows/login-conditional-captcha.akflow
@@ -66,7 +66,7 @@
                 "pk": "a3056482-b692-4e3a-93f1-7351c6a351c7",
                 "target": "563ece21-e9a4-47e5-a264-23ffd923e393",
                 "stage": "5f594f27-0def-488d-9855-fe604eb13de5",
-                "order": 0
+                "order": 10
             },
             "model": "authentik_flows.flowstagebinding",
             "attrs": {
@@ -78,7 +78,7 @@
                 "pk": "4e8538cf-3e18-4a68-82ae-6df6725fa2e6",
                 "target": "563ece21-e9a4-47e5-a264-23ffd923e393",
                 "stage": "d8affa62-500c-4c5c-a01f-5835e1ffdf40",
-                "order": 1
+                "order": 20
             },
             "model": "authentik_flows.flowstagebinding",
             "attrs": {
@@ -90,7 +90,7 @@
                 "pk": "3bcd6af0-48a6-4e18-87f3-d251a1a58226",
                 "target": "563ece21-e9a4-47e5-a264-23ffd923e393",
                 "stage": "a368cafc-1494-45e9-b75b-b5e7ac2bd3e4",
-                "order": 2
+                "order": 30
             },
             "model": "authentik_flows.flowstagebinding",
             "attrs": {
@@ -103,7 +103,7 @@
                 "pk": "f3fede3a-a9b5-4232-9ec7-be7ff4194b27",
                 "target": "563ece21-e9a4-47e5-a264-23ffd923e393",
                 "stage": "69d41125-3987-499b-8d74-ef27b54b88c8",
-                "order": 3
+                "order": 100
             },
             "model": "authentik_flows.flowstagebinding",
             "attrs": {
diff --git a/website/static/flows/recovery-email-verification.akflow b/website/static/flows/recovery-email-verification.akflow
index de3568d7e..d3b92c835 100644
--- a/website/static/flows/recovery-email-verification.akflow
+++ b/website/static/flows/recovery-email-verification.akflow
@@ -123,7 +123,7 @@
                 "pk": "7af7558e-2196-4b9f-a08e-d38420b7cfbb",
                 "target": "a5993183-89c0-43d2-a7f4-ddffb17baba7",
                 "stage": "e54045a7-6ecb-4ad9-ad37-28e72d8e565e",
-                "order": 0
+                "order": 10
             },
             "model": "authentik_flows.flowstagebinding",
             "attrs": {
@@ -135,7 +135,7 @@
                 "pk": "29446fd6-dd93-4e92-9830-2d81debad5ae",
                 "target": "a5993183-89c0-43d2-a7f4-ddffb17baba7",
                 "stage": "66f948dc-3f74-42b2-b26b-b8b9df109efb",
-                "order": 1
+                "order": 20
             },
             "model": "authentik_flows.flowstagebinding",
             "attrs": {
@@ -147,7 +147,7 @@
                 "pk": "1219d06e-2c06-4c5b-a162-78e3959c6cf0",
                 "target": "a5993183-89c0-43d2-a7f4-ddffb17baba7",
                 "stage": "975d5502-1e22-4d10-b560-fbc5bd70ff4d",
-                "order": 2
+                "order": 30
             },
             "model": "authentik_flows.flowstagebinding",
             "attrs": {
@@ -159,7 +159,7 @@
                 "pk": "66de86ba-0707-46a0-8475-ff2e260d6935",
                 "target": "a5993183-89c0-43d2-a7f4-ddffb17baba7",
                 "stage": "3909fd60-b013-4668-8806-12e9507dab97",
-                "order": 3
+                "order": 40
             },
             "model": "authentik_flows.flowstagebinding",
             "attrs": {
@@ -171,7 +171,7 @@
                 "pk": "9cec2334-d4a2-4895-a2b2-bc5ae4e9639a",
                 "target": "a5993183-89c0-43d2-a7f4-ddffb17baba7",
                 "stage": "fcdd4206-0d35-4ad2-a59f-5a72422936bb",
-                "order": 4
+                "order": 100
             },
             "model": "authentik_flows.flowstagebinding",
             "attrs": {
diff --git a/website/static/flows/unenrollment.akflow b/website/static/flows/unenrollment.akflow
index b37d481a6..d14f37e43 100644
--- a/website/static/flows/unenrollment.akflow
+++ b/website/static/flows/unenrollment.akflow
@@ -26,7 +26,7 @@
                 "pk": "eb9aff2b-b95d-40b3-ad08-233aa77bbcf3",
                 "target": "59a576ce-2f23-4a63-b63a-d18dc7e550f5",
                 "stage": "c62ac2a4-2735-4a0f-abd0-8523d68c1209",
-                "order": 0
+                "order": 10
             },
             "model": "authentik_flows.flowstagebinding",
             "attrs": {

From a9af40f85c6f825abfa48acb2132de13bd730733 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Mon, 23 Aug 2021 17:43:17 +0200
Subject: [PATCH 13/22] web/admin: improve delete modal for stage bindings and
 policy bindings

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
---
 web/src/locales/en.po                       | 7 +++++++
 web/src/locales/pseudo-LOCALE.po            | 7 +++++++
 web/src/pages/flows/BoundStagesList.ts      | 6 ++++++
 web/src/pages/policies/BoundPoliciesList.ts | 6 ++++++
 4 files changed, 26 insertions(+)

diff --git a/web/src/locales/en.po b/web/src/locales/en.po
index ac173bc2f..95ab42d42 100644
--- a/web/src/locales/en.po
+++ b/web/src/locales/en.po
@@ -2826,6 +2826,7 @@ msgstr "Optionally set this to your parent domain, if you want authentication an
 #: src/pages/flows/BoundStagesList.ts
 #: src/pages/flows/StageBindingForm.ts
 #: src/pages/policies/BoundPoliciesList.ts
+#: src/pages/policies/BoundPoliciesList.ts
 #: src/pages/policies/PolicyBindingForm.ts
 #: src/pages/stages/prompt/PromptForm.ts
 #: src/pages/stages/prompt/PromptListPage.ts
@@ -2973,6 +2974,7 @@ msgstr "Policy / Group / User Bindings"
 msgid "Policy / Policies"
 msgstr "Policy / Policies"
 
+#: src/pages/policies/BoundPoliciesList.ts
 #: src/pages/policies/BoundPoliciesList.ts
 msgid "Policy / User / Group"
 msgstr "Policy / User / Group"
@@ -3716,6 +3718,7 @@ msgstr "Sources"
 msgid "Sources of identities, which can either be synced into authentik's database, like LDAP, or can be used by users to authenticate and enroll themselves, like OAuth and social logins"
 msgstr "Sources of identities, which can either be synced into authentik's database, like LDAP, or can be used by users to authenticate and enroll themselves, like OAuth and social logins"
 
+#: src/pages/flows/BoundStagesList.ts
 #: src/pages/flows/StageBindingForm.ts
 msgid "Stage"
 msgstr "Stage"
@@ -3736,6 +3739,10 @@ msgstr "Stage Configuration"
 msgid "Stage binding(s)"
 msgstr "Stage binding(s)"
 
+#: src/pages/flows/BoundStagesList.ts
+msgid "Stage type"
+msgstr "Stage type"
+
 #: src/pages/stages/authenticator_validate/AuthenticatorValidateStageForm.ts
 msgid "Stage used to configure Authenticator when user doesn't have any compatible devices. After this configuration Stage passes, the user is not prompted again."
 msgstr "Stage used to configure Authenticator when user doesn't have any compatible devices. After this configuration Stage passes, the user is not prompted again."
diff --git a/web/src/locales/pseudo-LOCALE.po b/web/src/locales/pseudo-LOCALE.po
index 1a9d0ae1f..21142156d 100644
--- a/web/src/locales/pseudo-LOCALE.po
+++ b/web/src/locales/pseudo-LOCALE.po
@@ -2818,6 +2818,7 @@ msgstr ""
 #: src/pages/flows/BoundStagesList.ts
 #: src/pages/flows/StageBindingForm.ts
 #: src/pages/policies/BoundPoliciesList.ts
+#: src/pages/policies/BoundPoliciesList.ts
 #: src/pages/policies/PolicyBindingForm.ts
 #: src/pages/stages/prompt/PromptForm.ts
 #: src/pages/stages/prompt/PromptListPage.ts
@@ -2965,6 +2966,7 @@ msgstr ""
 msgid "Policy / Policies"
 msgstr ""
 
+#: src/pages/policies/BoundPoliciesList.ts
 #: src/pages/policies/BoundPoliciesList.ts
 msgid "Policy / User / Group"
 msgstr ""
@@ -3708,6 +3710,7 @@ msgstr ""
 msgid "Sources of identities, which can either be synced into authentik's database, like LDAP, or can be used by users to authenticate and enroll themselves, like OAuth and social logins"
 msgstr ""
 
+#: src/pages/flows/BoundStagesList.ts
 #: src/pages/flows/StageBindingForm.ts
 msgid "Stage"
 msgstr ""
@@ -3728,6 +3731,10 @@ msgstr ""
 msgid "Stage binding(s)"
 msgstr ""
 
+#: src/pages/flows/BoundStagesList.ts
+msgid "Stage type"
+msgstr ""
+
 #: src/pages/stages/authenticator_validate/AuthenticatorValidateStageForm.ts
 msgid "Stage used to configure Authenticator when user doesn't have any compatible devices. After this configuration Stage passes, the user is not prompted again."
 msgstr ""
diff --git a/web/src/pages/flows/BoundStagesList.ts b/web/src/pages/flows/BoundStagesList.ts
index ab83c39c7..4c30865de 100644
--- a/web/src/pages/flows/BoundStagesList.ts
+++ b/web/src/pages/flows/BoundStagesList.ts
@@ -48,6 +48,12 @@ export class BoundStagesList extends Table<FlowStageBinding> {
         return html`<ak-forms-delete-bulk
             objectLabel=${t`Stage binding(s)`}
             .objects=${this.selectedElements}
+            .metadata=${(item: FlowStageBinding) => {
+                return [
+                    { key: t`Stage`, value: item.stageObj?.name },
+                    { key: t`Stage type`, value: item.stageObj?.verboseName },
+                ];
+            }}
             .usedBy=${(item: FlowStageBinding) => {
                 return new FlowsApi(DEFAULT_CONFIG).flowsBindingsUsedByList({
                     fsbUuid: item.pk,
diff --git a/web/src/pages/policies/BoundPoliciesList.ts b/web/src/pages/policies/BoundPoliciesList.ts
index a33b4f65f..14fdaaa0e 100644
--- a/web/src/pages/policies/BoundPoliciesList.ts
+++ b/web/src/pages/policies/BoundPoliciesList.ts
@@ -100,6 +100,12 @@ export class BoundPoliciesList extends Table<PolicyBinding> {
         return html`<ak-forms-delete-bulk
             objectLabel=${t`Policy binding(s)`}
             .objects=${this.selectedElements}
+            .metadata=${(item: PolicyBinding) => {
+                return [
+                    { key: t`Order`, value: item.order },
+                    { key: t`Policy / User / Group`, value: this.getPolicyUserGroupRow(item) },
+                ];
+            }}
             .usedBy=${(item: PolicyBinding) => {
                 return new PoliciesApi(DEFAULT_CONFIG).policiesBindingsUsedByList({
                     policyBindingUuid: item.pk,

From e27a6fdeeb9950d1c17a386cc5885f440ed52e5a Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Mon, 23 Aug 2021 17:47:21 +0200
Subject: [PATCH 14/22] events: fix linting

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
---
 authentik/core/api/tokens.py                              | 1 +
 authentik/events/signals.py                               | 4 +++-
 authentik/stages/password/migrations/0007_app_password.py | 1 -
 3 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/authentik/core/api/tokens.py b/authentik/core/api/tokens.py
index 517f230d2..a109a684e 100644
--- a/authentik/core/api/tokens.py
+++ b/authentik/core/api/tokens.py
@@ -1,5 +1,6 @@
 """Tokens API Viewset"""
 from typing import Any
+
 from django.http.response import Http404
 from drf_spectacular.utils import OpenApiResponse, extend_schema
 from rest_framework.decorators import action
diff --git a/authentik/events/signals.py b/authentik/events/signals.py
index 35f651e53..b659f2b42 100644
--- a/authentik/events/signals.py
+++ b/authentik/events/signals.py
@@ -51,7 +51,9 @@ def on_user_logged_in(sender, request: HttpRequest, user: User, **_):
         if PLAN_CONTEXT_METHOD in flow_plan.context:
             thread.kwargs[PLAN_CONTEXT_METHOD] = flow_plan.context[PLAN_CONTEXT_METHOD]
             # Save the login method used
-            thread.kwargs[PLAN_CONTEXT_METHOD_ARGS] = flow_plan.context.get(PLAN_CONTEXT_METHOD_ARGS, {})
+            thread.kwargs[PLAN_CONTEXT_METHOD_ARGS] = flow_plan.context.get(
+                PLAN_CONTEXT_METHOD_ARGS, {}
+            )
     thread.user = user
     thread.run()
 
diff --git a/authentik/stages/password/migrations/0007_app_password.py b/authentik/stages/password/migrations/0007_app_password.py
index 349758219..41d99be77 100644
--- a/authentik/stages/password/migrations/0007_app_password.py
+++ b/authentik/stages/password/migrations/0007_app_password.py
@@ -34,7 +34,6 @@ def replace_inbuilt(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
 class Migration(migrations.Migration):
 
     dependencies = [
-        ("authentik_flows", "0008_default_flows"),
         ("authentik_stages_password", "0006_passwordchange_rename"),
     ]
 

From 1b8750e13bc8004fd1cb876cbeb9fb481a5ec906 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Mon, 23 Aug 2021 17:50:42 +0200
Subject: [PATCH 15/22] website: make default login-2fa flow ignore 2fa with
 app passwords

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
---
 website/static/flows/login-2fa.akflow | 31 ++++++++++++++++++++++++++-
 1 file changed, 30 insertions(+), 1 deletion(-)

diff --git a/website/static/flows/login-2fa.akflow b/website/static/flows/login-2fa.akflow
index 180ea3f36..acd2d96f2 100644
--- a/website/static/flows/login-2fa.akflow
+++ b/website/static/flows/login-2fa.akflow
@@ -13,6 +13,18 @@
                 "designation": "authentication"
             }
         },
+        {
+            "identifiers": {
+                "pk": "7db93f1e-788b-4af6-8dc6-5cdeb59d8be7"
+            },
+            "model": "authentik_policies_expression.expressionpolicy",
+            "attrs": {
+                "name": "test-not-app-password",
+                "execution_logging": false,
+                "bound_to": 1,
+                "expression": "return auth_method != \"app_password\""
+            }
+        },
         {
             "identifiers": {
                 "pk": "69d41125-3987-499b-8d74-ef27b54b88c8",
@@ -91,7 +103,10 @@
             },
             "model": "authentik_flows.flowstagebinding",
             "attrs": {
-                "re_evaluate_policies": false
+                "evaluate_on_plan": false,
+                "re_evaluate_policies": true,
+                "policy_engine_mode": "any",
+                "invalid_response_action": "retry"
             }
         },
         {
@@ -105,6 +120,20 @@
             "attrs": {
                 "re_evaluate_policies": false
             }
+        },
+        {
+            "identifiers": {
+                "pk": "6e40ae4d-a4ed-4bd7-a784-27b1fe5859d2",
+                "policy": "7db93f1e-788b-4af6-8dc6-5cdeb59d8be7",
+                "target": "688aec6f-5622-42c6-83a5-d22072d7e798",
+                "order": 0
+            },
+            "model": "authentik_policies.policybinding",
+            "attrs": {
+                "negate": false,
+                "enabled": true,
+                "timeout": 30
+            }
         }
     ]
 }

From 5face5410ffb5df49b6b5c6fb0be8b3d9d4ec79b Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Mon, 23 Aug 2021 17:54:19 +0200
Subject: [PATCH 16/22] web/admin: select all password stage backends by
 default

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
---
 authentik/core/api/tokens.py                          | 10 +++++-----
 authentik/flows/transfer/common.py                    |  2 ++
 .../stages/identification/IdentificationStageForm.ts  | 11 ++++++++++-
 web/src/pages/stages/password/PasswordStageForm.ts    |  5 ++++-
 4 files changed, 21 insertions(+), 7 deletions(-)

diff --git a/authentik/core/api/tokens.py b/authentik/core/api/tokens.py
index a109a684e..c4f8e0b7c 100644
--- a/authentik/core/api/tokens.py
+++ b/authentik/core/api/tokens.py
@@ -25,12 +25,12 @@ class TokenSerializer(ManagedSerializer, ModelSerializer):
 
     user = UserSerializer(required=False)
 
-    def validate(self, data: dict[Any, str]) -> dict[Any, str]:
+    def validate(self, attrs: dict[Any, str]) -> dict[Any, str]:
         """Ensure only API or App password tokens are created."""
-        data.setdefault("intent", TokenIntents.INTENT_API)
-        if data.get("intent") not in [TokenIntents.INTENT_API, TokenIntents.INTENT_APP_PASSWORD]:
-            raise ValidationError(f"Invalid intent {data.get('intent')}")
-        return data
+        attrs.setdefault("intent", TokenIntents.INTENT_API)
+        if attrs.get("intent") not in [TokenIntents.INTENT_API, TokenIntents.INTENT_APP_PASSWORD]:
+            raise ValidationError(f"Invalid intent {attrs.get('intent')}")
+        return attrs
 
     class Meta:
 
diff --git a/authentik/flows/transfer/common.py b/authentik/flows/transfer/common.py
index fb42282ad..031a43e2d 100644
--- a/authentik/flows/transfer/common.py
+++ b/authentik/flows/transfer/common.py
@@ -25,6 +25,8 @@ def get_attrs(obj: SerializerModel) -> dict[str, Any]:
         "component",
         "flow_set",
         "promptstage_set",
+        "policybindingmodel_ptr_id",
+        "export_url",
     )
     for to_remove_name in to_remove:
         if to_remove_name in data:
diff --git a/web/src/pages/stages/identification/IdentificationStageForm.ts b/web/src/pages/stages/identification/IdentificationStageForm.ts
index dd9b67097..b29ad8688 100644
--- a/web/src/pages/stages/identification/IdentificationStageForm.ts
+++ b/web/src/pages/stages/identification/IdentificationStageForm.ts
@@ -156,11 +156,20 @@ export class IdentificationStageForm extends ModelForm<IdentificationStage, stri
                                     .sourcesAllList({})
                                     .then((sources) => {
                                         return sources.results.map((source) => {
-                                            const selected = Array.from(
+                                            let selected = Array.from(
                                                 this.instance?.sources || [],
                                             ).some((su) => {
                                                 return su == source.pk;
                                             });
+                                            // Creating a new instance, auto-select built-in source
+                                            // Only when no other sources exist
+                                            if (
+                                                !this.instance &&
+                                                source.component === "" &&
+                                                sources.results.length < 2
+                                            ) {
+                                                selected = true;
+                                            }
                                             return html`<option
                                                 value=${ifDefined(source.pk)}
                                                 ?selected=${selected}
diff --git a/web/src/pages/stages/password/PasswordStageForm.ts b/web/src/pages/stages/password/PasswordStageForm.ts
index acbcebc10..6c62a21bc 100644
--- a/web/src/pages/stages/password/PasswordStageForm.ts
+++ b/web/src/pages/stages/password/PasswordStageForm.ts
@@ -46,8 +46,11 @@ export class PasswordStageForm extends ModelForm<PasswordStage, string> {
     };
 
     isBackendSelected(field: BackendsEnum): boolean {
+        if (!this.instance) {
+            return true;
+        }
         return (
-            (this.instance?.backends || []).filter((isField) => {
+            this.instance.backends.filter((isField) => {
                 return field === isField;
             }).length > 0
         );

From 2878597603e9d20124d89e3584bf476b037d2158 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Mon, 23 Aug 2021 18:25:31 +0200
Subject: [PATCH 17/22] root: fix mis-matched postgres version for CI

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
---
 scripts/ci.docker-compose.yml | 2 +-
 scripts/docker-compose.yml    | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/scripts/ci.docker-compose.yml b/scripts/ci.docker-compose.yml
index 9639c2ea1..1be22faa6 100644
--- a/scripts/ci.docker-compose.yml
+++ b/scripts/ci.docker-compose.yml
@@ -3,7 +3,7 @@ version: '3.7'
 services:
   postgresql:
     container_name: postgres
-    image: library/postgres:11
+    image: library/postgres:12
     volumes:
     - db-data:/var/lib/postgresql/data
     environment:
diff --git a/scripts/docker-compose.yml b/scripts/docker-compose.yml
index 966c6c305..46855e3bb 100644
--- a/scripts/docker-compose.yml
+++ b/scripts/docker-compose.yml
@@ -3,7 +3,7 @@ version: '3.7'
 services:
   postgresql:
     container_name: postgres
-    image: library/postgres:11
+    image: library/postgres:12
     volumes:
     - db-data:/var/lib/postgresql/data
     environment:

From b2f077645a69f8c406530506d1bb424542042e02 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Mon, 23 Aug 2021 18:38:35 +0200
Subject: [PATCH 18/22] web: fix lint error

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
---
 web/src/pages/policies/BoundPoliciesList.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/web/src/pages/policies/BoundPoliciesList.ts b/web/src/pages/policies/BoundPoliciesList.ts
index 14fdaaa0e..429b51914 100644
--- a/web/src/pages/policies/BoundPoliciesList.ts
+++ b/web/src/pages/policies/BoundPoliciesList.ts
@@ -102,7 +102,7 @@ export class BoundPoliciesList extends Table<PolicyBinding> {
             .objects=${this.selectedElements}
             .metadata=${(item: PolicyBinding) => {
                 return [
-                    { key: t`Order`, value: item.order },
+                    { key: t`Order`, value: item.order.toString() },
                     { key: t`Policy / User / Group`, value: this.getPolicyUserGroupRow(item) },
                 ];
             }}

From 27cc5d71386a6d03c2eea9cd4099333a07ddc39d Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Mon, 23 Aug 2021 19:05:54 +0200
Subject: [PATCH 19/22] core: fix authentication error when no request is given

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
---
 authentik/core/auth.py         | 20 +++++++++++---------
 authentik/sources/ldap/auth.py | 15 +++------------
 2 files changed, 14 insertions(+), 21 deletions(-)

diff --git a/authentik/core/auth.py b/authentik/core/auth.py
index 42a84cf14..851177bec 100644
--- a/authentik/core/auth.py
+++ b/authentik/core/auth.py
@@ -20,15 +20,22 @@ class InbuiltBackend(ModelBackend):
         user = super().authenticate(request, username=username, password=password, **kwargs)
         if not user:
             return None
+        self.set_method("password", request)
+        return user
+
+    def set_method(self, method: str, request: Optional[HttpRequest], **kwargs):
+        """Set method data on current flow, if possbiel"""
+        if not request:
+            return
         # Since we can't directly pass other variables to signals, and we want to log the method
         # and the token used, we assume we're running in a flow and set a variable in the context
         flow_plan: FlowPlan = request.session[SESSION_KEY_PLAN]
-        flow_plan.context[PLAN_CONTEXT_METHOD] = "password"
+        flow_plan.context[PLAN_CONTEXT_METHOD] = method
+        flow_plan.context[PLAN_CONTEXT_METHOD_ARGS] = kwargs
         request.session[SESSION_KEY_PLAN] = flow_plan
-        return user
 
 
-class TokenBackend(ModelBackend):
+class TokenBackend(InbuiltBackend):
     """Authenticate with token"""
 
     def authenticate(
@@ -47,10 +54,5 @@ class TokenBackend(ModelBackend):
         if not tokens.exists():
             return None
         token = tokens.first()
-        # Since we can't directly pass other variables to signals, and we want to log the method
-        # and the token used, we assume we're running in a flow and set a variable in the context
-        flow_plan: FlowPlan = request.session[SESSION_KEY_PLAN]
-        flow_plan.context[PLAN_CONTEXT_METHOD] = "app_password"
-        flow_plan.context[PLAN_CONTEXT_METHOD_ARGS] = {"token": token}
-        request.session[SESSION_KEY_PLAN] = flow_plan
+        self.set_method("password", request, token=token)
         return token.user
diff --git a/authentik/sources/ldap/auth.py b/authentik/sources/ldap/auth.py
index 10bd55b40..0d052a42a 100644
--- a/authentik/sources/ldap/auth.py
+++ b/authentik/sources/ldap/auth.py
@@ -2,21 +2,18 @@
 from typing import Optional
 
 import ldap3
-from django.contrib.auth.backends import ModelBackend
 from django.http import HttpRequest
 from structlog.stdlib import get_logger
 
+from authentik.core.auth import InbuiltBackend
 from authentik.core.models import User
-from authentik.flows.planner import FlowPlan
-from authentik.flows.views import SESSION_KEY_PLAN
 from authentik.sources.ldap.models import LDAPSource
-from authentik.stages.password.stage import PLAN_CONTEXT_METHOD, PLAN_CONTEXT_METHOD_ARGS
 
 LOGGER = get_logger()
 LDAP_DISTINGUISHED_NAME = "distinguishedName"
 
 
-class LDAPBackend(ModelBackend):
+class LDAPBackend(InbuiltBackend):
     """Authenticate users against LDAP Server"""
 
     def authenticate(self, request: HttpRequest, **kwargs):
@@ -27,13 +24,7 @@ class LDAPBackend(ModelBackend):
             LOGGER.debug("LDAP Auth attempt", source=source)
             user = self.auth_user(source, **kwargs)
             if user:
-                # Since we can't directly pass other variables to signals, and we want to log
-                # the method and the token used, we assume we're running in a flow and
-                # set a variable in the context
-                flow_plan: FlowPlan = request.session[SESSION_KEY_PLAN]
-                flow_plan.context[PLAN_CONTEXT_METHOD] = "ldap"
-                flow_plan.context[PLAN_CONTEXT_METHOD_ARGS] = {"source": source}
-                request.session[SESSION_KEY_PLAN] = flow_plan
+                self.set_method("ldap", request, source=source)
                 return user
         return None
 

From 0d00b9cc0d6c92ebe6f3cb560a9839c95fe00a6b Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Mon, 23 Aug 2021 19:14:24 +0200
Subject: [PATCH 20/22] ci: set debug log level

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
---
 scripts/generate_ci_config.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/scripts/generate_ci_config.py b/scripts/generate_ci_config.py
index 55c9fd5b1..e8ff268a6 100644
--- a/scripts/generate_ci_config.py
+++ b/scripts/generate_ci_config.py
@@ -4,5 +4,6 @@ from yaml import safe_dump
 
 with open("local.env.yml", "w") as _config:
     safe_dump({
-        "secret_key": generate_client_id()
+        "secret_key": generate_client_id(),
+        "log_level": "debug"
     }, _config, default_flow_style=False)

From 888526a2a77d86cd4bd59ffcd2f8a8df59709dd2 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Mon, 23 Aug 2021 19:30:06 +0200
Subject: [PATCH 21/22] stages/user_write: fix wrong fallback authentication
 backend

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
---
 authentik/stages/user_write/stage.py | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/authentik/stages/user_write/stage.py b/authentik/stages/user_write/stage.py
index ea86fe9a3..39945ba95 100644
--- a/authentik/stages/user_write/stage.py
+++ b/authentik/stages/user_write/stage.py
@@ -1,7 +1,6 @@
 """Write stage logic"""
 from django.contrib import messages
 from django.contrib.auth import update_session_auth_hash
-from django.contrib.auth.backends import ModelBackend
 from django.db import transaction
 from django.db.utils import IntegrityError
 from django.http import HttpRequest, HttpResponse
@@ -13,7 +12,7 @@ from authentik.core.models import USER_ATTRIBUTE_SOURCES, User, UserSourceConnec
 from authentik.core.sources.stage import PLAN_CONTEXT_SOURCES_CONNECTION
 from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER
 from authentik.flows.stage import StageView
-from authentik.lib.utils.reflection import class_to_path
+from authentik.stages.password import BACKEND_INBUILT
 from authentik.stages.password.stage import PLAN_CONTEXT_AUTHENTICATION_BACKEND
 from authentik.stages.prompt.stage import PLAN_CONTEXT_PROMPT
 from authentik.stages.user_write.signals import user_write
@@ -42,9 +41,7 @@ class UserWriteStageView(StageView):
             self.executor.plan.context[PLAN_CONTEXT_PENDING_USER] = User(
                 is_active=not self.executor.current_stage.create_users_as_inactive
             )
-            self.executor.plan.context[PLAN_CONTEXT_AUTHENTICATION_BACKEND] = class_to_path(
-                ModelBackend
-            )
+            self.executor.plan.context[PLAN_CONTEXT_AUTHENTICATION_BACKEND] = BACKEND_INBUILT
             LOGGER.debug(
                 "Created new user",
                 flow_slug=self.executor.flow.slug,

From a2578ffaade7c35641b1c0f277026b0e9d155d06 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Mon, 23 Aug 2021 20:00:27 +0200
Subject: [PATCH 22/22] core: add token tests for invalid intent and token auth

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
---
 .../core/tests/test_source_flow_manager.py    | 37 +++++-----------
 authentik/core/tests/test_token_api.py        |  8 ++++
 authentik/core/tests/test_token_auth.py       | 40 +++++++++++++++++
 authentik/flows/tests/test_planner.py         |  7 +--
 authentik/lib/tests/utils.py                  | 27 ++++++++++++
 .../saml/tests/test_auth_n_request.py         | 44 +++----------------
 authentik/providers/saml/tests/test_schema.py | 17 ++-----
 .../stages/authenticator_validate/tests.py    |  8 +---
 8 files changed, 99 insertions(+), 89 deletions(-)
 create mode 100644 authentik/core/tests/test_token_auth.py
 create mode 100644 authentik/lib/tests/utils.py

diff --git a/authentik/core/tests/test_source_flow_manager.py b/authentik/core/tests/test_source_flow_manager.py
index a869b403b..02f3cf8d4 100644
--- a/authentik/core/tests/test_source_flow_manager.py
+++ b/authentik/core/tests/test_source_flow_manager.py
@@ -1,15 +1,12 @@
 """Test Source flow_manager"""
 from django.contrib.auth.models import AnonymousUser
-from django.contrib.messages.middleware import MessageMiddleware
-from django.contrib.sessions.middleware import SessionMiddleware
-from django.http.request import HttpRequest
 from django.test import TestCase
 from django.test.client import RequestFactory
 from guardian.utils import get_anonymous_user
 
 from authentik.core.models import SourceUserMatchingModes, User
 from authentik.core.sources.flow_manager import Action
-from authentik.flows.tests.test_planner import dummy_get_response
+from authentik.lib.tests.utils import get_request
 from authentik.providers.oauth2.generators import generate_client_id
 from authentik.sources.oauth.models import OAuthSource, UserOAuthSourceConnection
 from authentik.sources.oauth.views.callback import OAuthSourceFlowManager
@@ -24,22 +21,10 @@ class TestSourceFlowManager(TestCase):
         self.factory = RequestFactory()
         self.identifier = generate_client_id()
 
-    def get_request(self, user: User) -> HttpRequest:
-        """Helper to create a get request with session and message middleware"""
-        request = self.factory.get("/")
-        request.user = user
-        middleware = SessionMiddleware(dummy_get_response)
-        middleware.process_request(request)
-        request.session.save()
-        middleware = MessageMiddleware(dummy_get_response)
-        middleware.process_request(request)
-        request.session.save()
-        return request
-
     def test_unauthenticated_enroll(self):
         """Test un-authenticated user enrolling"""
         flow_manager = OAuthSourceFlowManager(
-            self.source, self.get_request(AnonymousUser()), self.identifier, {}
+            self.source, get_request("/", user=AnonymousUser()), self.identifier, {}
         )
         action, _ = flow_manager.get_action()
         self.assertEqual(action, Action.ENROLL)
@@ -52,7 +37,7 @@ class TestSourceFlowManager(TestCase):
         )
 
         flow_manager = OAuthSourceFlowManager(
-            self.source, self.get_request(AnonymousUser()), self.identifier, {}
+            self.source, get_request("/", user=AnonymousUser()), self.identifier, {}
         )
         action, _ = flow_manager.get_action()
         self.assertEqual(action, Action.AUTH)
@@ -65,7 +50,7 @@ class TestSourceFlowManager(TestCase):
         )
         user = User.objects.create(username="foo", email="foo@bar.baz")
         flow_manager = OAuthSourceFlowManager(
-            self.source, self.get_request(user), self.identifier, {}
+            self.source, get_request("/", user=user), self.identifier, {}
         )
         action, _ = flow_manager.get_action()
         self.assertEqual(action, Action.LINK)
@@ -78,7 +63,7 @@ class TestSourceFlowManager(TestCase):
 
         # Without email, deny
         flow_manager = OAuthSourceFlowManager(
-            self.source, self.get_request(AnonymousUser()), self.identifier, {}
+            self.source, get_request("/", user=AnonymousUser()), self.identifier, {}
         )
         action, _ = flow_manager.get_action()
         self.assertEqual(action, Action.DENY)
@@ -86,7 +71,7 @@ class TestSourceFlowManager(TestCase):
         # With email
         flow_manager = OAuthSourceFlowManager(
             self.source,
-            self.get_request(AnonymousUser()),
+            get_request("/", user=AnonymousUser()),
             self.identifier,
             {"email": "foo@bar.baz"},
         )
@@ -101,7 +86,7 @@ class TestSourceFlowManager(TestCase):
 
         # Without username, deny
         flow_manager = OAuthSourceFlowManager(
-            self.source, self.get_request(AnonymousUser()), self.identifier, {}
+            self.source, get_request("/", user=AnonymousUser()), self.identifier, {}
         )
         action, _ = flow_manager.get_action()
         self.assertEqual(action, Action.DENY)
@@ -109,7 +94,7 @@ class TestSourceFlowManager(TestCase):
         # With username
         flow_manager = OAuthSourceFlowManager(
             self.source,
-            self.get_request(AnonymousUser()),
+            get_request("/", user=AnonymousUser()),
             self.identifier,
             {"username": "foo"},
         )
@@ -125,7 +110,7 @@ class TestSourceFlowManager(TestCase):
         # With non-existent username, enroll
         flow_manager = OAuthSourceFlowManager(
             self.source,
-            self.get_request(AnonymousUser()),
+            get_request("/", user=AnonymousUser()),
             self.identifier,
             {
                 "username": "bar",
@@ -137,7 +122,7 @@ class TestSourceFlowManager(TestCase):
         # With username
         flow_manager = OAuthSourceFlowManager(
             self.source,
-            self.get_request(AnonymousUser()),
+            get_request("/", user=AnonymousUser()),
             self.identifier,
             {"username": "foo"},
         )
@@ -151,7 +136,7 @@ class TestSourceFlowManager(TestCase):
 
         flow_manager = OAuthSourceFlowManager(
             self.source,
-            self.get_request(AnonymousUser()),
+            get_request("/", user=AnonymousUser()),
             self.identifier,
             {"username": "foo"},
         )
diff --git a/authentik/core/tests/test_token_api.py b/authentik/core/tests/test_token_api.py
index 0e19a9a98..4a34f6bca 100644
--- a/authentik/core/tests/test_token_api.py
+++ b/authentik/core/tests/test_token_api.py
@@ -27,6 +27,14 @@ class TestTokenAPI(APITestCase):
         self.assertEqual(token.intent, TokenIntents.INTENT_API)
         self.assertEqual(token.expiring, True)
 
+    def test_token_create_invalid(self):
+        """Test token creation endpoint (invalid data)"""
+        response = self.client.post(
+            reverse("authentik_api:token-list"),
+            {"identifier": "test-token", "intent": TokenIntents.INTENT_RECOVERY},
+        )
+        self.assertEqual(response.status_code, 400)
+
     def test_token_create_non_expiring(self):
         """Test token creation endpoint"""
         self.user.attributes[USER_ATTRIBUTE_TOKEN_EXPIRING] = False
diff --git a/authentik/core/tests/test_token_auth.py b/authentik/core/tests/test_token_auth.py
new file mode 100644
index 000000000..f7b285bbc
--- /dev/null
+++ b/authentik/core/tests/test_token_auth.py
@@ -0,0 +1,40 @@
+"""Test token auth"""
+from django.test import TestCase
+
+from authentik.core.auth import TokenBackend
+from authentik.core.models import Token, TokenIntents, User
+from authentik.flows.planner import FlowPlan
+from authentik.flows.views import SESSION_KEY_PLAN
+from authentik.lib.tests.utils import get_request
+
+
+class TestTokenAuth(TestCase):
+    """Test token auth"""
+
+    def setUp(self) -> None:
+        self.user = User.objects.create(username="test-user")
+        self.token = Token.objects.create(
+            expiring=False, user=self.user, intent=TokenIntents.INTENT_APP_PASSWORD
+        )
+        # To test with session we need to create a request and pass it through all middlewares
+        self.request = get_request("/")
+        self.request.session[SESSION_KEY_PLAN] = FlowPlan("test")
+
+    def test_token_auth(self):
+        """Test auth with token"""
+        self.assertEqual(
+            TokenBackend().authenticate(self.request, "test-user", self.token.key), self.user
+        )
+
+    def test_token_auth_none(self):
+        """Test auth with token (non-existent user)"""
+        self.assertIsNone(
+            TokenBackend().authenticate(self.request, "test-user-foo", self.token.key), self.user
+        )
+
+    def test_token_auth_invalid(self):
+        """Test auth with token (invalid token)"""
+        self.assertIsNone(
+            TokenBackend().authenticate(self.request, "test-user", self.token.key + "foo"),
+            self.user,
+        )
diff --git a/authentik/flows/tests/test_planner.py b/authentik/flows/tests/test_planner.py
index 63c4c5193..cb7bf44f7 100644
--- a/authentik/flows/tests/test_planner.py
+++ b/authentik/flows/tests/test_planner.py
@@ -3,7 +3,6 @@ from unittest.mock import MagicMock, Mock, PropertyMock, patch
 
 from django.contrib.sessions.middleware import SessionMiddleware
 from django.core.cache import cache
-from django.http import HttpRequest
 from django.test import RequestFactory, TestCase
 from django.urls import reverse
 from guardian.shortcuts import get_anonymous_user
@@ -13,6 +12,7 @@ from authentik.flows.exceptions import EmptyFlowException, FlowNonApplicableExce
 from authentik.flows.markers import ReevaluateMarker, StageMarker
 from authentik.flows.models import Flow, FlowDesignation, FlowStageBinding
 from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlanner, cache_key
+from authentik.lib.tests.utils import dummy_get_response
 from authentik.policies.dummy.models import DummyPolicy
 from authentik.policies.models import PolicyBinding
 from authentik.policies.types import PolicyResult
@@ -24,11 +24,6 @@ CACHE_MOCK = Mock(wraps=cache)
 POLICY_RETURN_TRUE = MagicMock(return_value=PolicyResult(True))
 
 
-def dummy_get_response(request: HttpRequest):  # pragma: no cover
-    """Dummy get_response for SessionMiddleware"""
-    return None
-
-
 class TestFlowPlanner(TestCase):
     """Test planner logic"""
 
diff --git a/authentik/lib/tests/utils.py b/authentik/lib/tests/utils.py
new file mode 100644
index 000000000..35ec8391d
--- /dev/null
+++ b/authentik/lib/tests/utils.py
@@ -0,0 +1,27 @@
+"""Test utils"""
+from django.contrib.messages.middleware import MessageMiddleware
+from django.contrib.sessions.middleware import SessionMiddleware
+from django.http import HttpRequest
+from django.test.client import RequestFactory
+from guardian.utils import get_anonymous_user
+
+
+def dummy_get_response(request: HttpRequest):  # pragma: no cover
+    """Dummy get_response for SessionMiddleware"""
+    return None
+
+
+def get_request(*args, user=None, **kwargs):
+    """Get a request with usable session"""
+    request = RequestFactory().get(*args, **kwargs)
+    if user:
+        request.user = user
+    else:
+        request.user = get_anonymous_user()
+    middleware = SessionMiddleware(dummy_get_response)
+    middleware.process_request(request)
+    request.session.save()
+    middleware = MessageMiddleware(dummy_get_response)
+    middleware.process_request(request)
+    request.session.save()
+    return request
diff --git a/authentik/providers/saml/tests/test_auth_n_request.py b/authentik/providers/saml/tests/test_auth_n_request.py
index ae8986956..a78373fd8 100644
--- a/authentik/providers/saml/tests/test_auth_n_request.py
+++ b/authentik/providers/saml/tests/test_auth_n_request.py
@@ -1,16 +1,14 @@
 """Test AuthN Request generator and parser"""
 from base64 import b64encode
 
-from django.contrib.sessions.middleware import SessionMiddleware
 from django.http.request import QueryDict
 from django.test import RequestFactory, TestCase
-from guardian.utils import get_anonymous_user
 
 from authentik.core.models import User
 from authentik.crypto.models import CertificateKeyPair
 from authentik.events.models import Event, EventAction
 from authentik.flows.models import Flow
-from authentik.flows.tests.test_planner import dummy_get_response
+from authentik.lib.tests.utils import get_request
 from authentik.managed.manager import ObjectManager
 from authentik.providers.saml.models import SAMLPropertyMapping, SAMLProvider
 from authentik.providers.saml.processors.assertion import AssertionProcessor
@@ -99,11 +97,7 @@ class TestAuthNRequest(TestCase):
 
     def test_signed_valid(self):
         """Test generated AuthNRequest with valid signature"""
-        http_request = self.factory.get("/")
-
-        middleware = SessionMiddleware(dummy_get_response)
-        middleware.process_request(http_request)
-        http_request.session.save()
+        http_request = get_request("/")
 
         # First create an AuthNRequest
         request_proc = RequestProcessor(self.source, http_request, "test_state")
@@ -117,12 +111,7 @@ class TestAuthNRequest(TestCase):
 
     def test_request_full_signed(self):
         """Test full SAML Request/Response flow, fully signed"""
-        http_request = self.factory.get("/")
-        http_request.user = get_anonymous_user()
-
-        middleware = SessionMiddleware(dummy_get_response)
-        middleware.process_request(http_request)
-        http_request.session.save()
+        http_request = get_request("/")
 
         # First create an AuthNRequest
         request_proc = RequestProcessor(self.source, http_request, "test_state")
@@ -145,12 +134,7 @@ class TestAuthNRequest(TestCase):
 
     def test_request_id_invalid(self):
         """Test generated AuthNRequest with invalid request ID"""
-        http_request = self.factory.get("/")
-        http_request.user = get_anonymous_user()
-
-        middleware = SessionMiddleware(dummy_get_response)
-        middleware.process_request(http_request)
-        http_request.session.save()
+        http_request = get_request("/")
 
         # First create an AuthNRequest
         request_proc = RequestProcessor(self.source, http_request, "test_state")
@@ -179,11 +163,7 @@ class TestAuthNRequest(TestCase):
 
     def test_signed_valid_detached(self):
         """Test generated AuthNRequest with valid signature (detached)"""
-        http_request = self.factory.get("/")
-
-        middleware = SessionMiddleware(dummy_get_response)
-        middleware.process_request(http_request)
-        http_request.session.save()
+        http_request = get_request("/")
 
         # First create an AuthNRequest
         request_proc = RequestProcessor(self.source, http_request, "test_state")
@@ -243,12 +223,7 @@ class TestAuthNRequest(TestCase):
 
     def test_request_attributes(self):
         """Test full SAML Request/Response flow, fully signed"""
-        http_request = self.factory.get("/")
-        http_request.user = User.objects.get(username="akadmin")
-
-        middleware = SessionMiddleware(dummy_get_response)
-        middleware.process_request(http_request)
-        http_request.session.save()
+        http_request = get_request("/", user=User.objects.get(username="akadmin"))
 
         # First create an AuthNRequest
         request_proc = RequestProcessor(self.source, http_request, "test_state")
@@ -264,12 +239,7 @@ class TestAuthNRequest(TestCase):
 
     def test_request_attributes_invalid(self):
         """Test full SAML Request/Response flow, fully signed"""
-        http_request = self.factory.get("/")
-        http_request.user = User.objects.get(username="akadmin")
-
-        middleware = SessionMiddleware(dummy_get_response)
-        middleware.process_request(http_request)
-        http_request.session.save()
+        http_request = get_request("/", user=User.objects.get(username="akadmin"))
 
         # First create an AuthNRequest
         request_proc = RequestProcessor(self.source, http_request, "test_state")
diff --git a/authentik/providers/saml/tests/test_schema.py b/authentik/providers/saml/tests/test_schema.py
index b5f2d62e3..800df49d9 100644
--- a/authentik/providers/saml/tests/test_schema.py
+++ b/authentik/providers/saml/tests/test_schema.py
@@ -1,18 +1,16 @@
 """Test Requests and Responses against schema"""
 from base64 import b64encode
 
-from django.contrib.sessions.middleware import SessionMiddleware
 from django.test import RequestFactory, TestCase
-from guardian.utils import get_anonymous_user
 from lxml import etree  # nosec
 
 from authentik.crypto.models import CertificateKeyPair
 from authentik.flows.models import Flow
+from authentik.lib.tests.utils import get_request
 from authentik.managed.manager import ObjectManager
 from authentik.providers.saml.models import SAMLPropertyMapping, SAMLProvider
 from authentik.providers.saml.processors.assertion import AssertionProcessor
 from authentik.providers.saml.processors.request_parser import AuthNRequestParser
-from authentik.providers.saml.tests.test_auth_n_request import dummy_get_response
 from authentik.sources.saml.models import SAMLSource
 from authentik.sources.saml.processors.request import RequestProcessor
 
@@ -43,11 +41,7 @@ class TestSchema(TestCase):
 
     def test_request_schema(self):
         """Test generated AuthNRequest against Schema"""
-        http_request = self.factory.get("/")
-
-        middleware = SessionMiddleware(dummy_get_response)
-        middleware.process_request(http_request)
-        http_request.session.save()
+        http_request = get_request("/")
 
         # First create an AuthNRequest
         request_proc = RequestProcessor(self.source, http_request, "test_state")
@@ -60,12 +54,7 @@ class TestSchema(TestCase):
 
     def test_response_schema(self):
         """Test generated AuthNRequest against Schema"""
-        http_request = self.factory.get("/")
-        http_request.user = get_anonymous_user()
-
-        middleware = SessionMiddleware(dummy_get_response)
-        middleware.process_request(http_request)
-        http_request.session.save()
+        http_request = get_request("/")
 
         # First create an AuthNRequest
         request_proc = RequestProcessor(self.source, http_request, "test_state")
diff --git a/authentik/stages/authenticator_validate/tests.py b/authentik/stages/authenticator_validate/tests.py
index 91b0dc8d3..c5071b5cc 100644
--- a/authentik/stages/authenticator_validate/tests.py
+++ b/authentik/stages/authenticator_validate/tests.py
@@ -1,7 +1,6 @@
 """Test validator stage"""
 from unittest.mock import MagicMock, patch
 
-from django.contrib.sessions.middleware import SessionMiddleware
 from django.test import TestCase
 from django.test.client import RequestFactory
 from django.urls.base import reverse
@@ -12,7 +11,7 @@ from rest_framework.exceptions import ValidationError
 from authentik.core.models import User
 from authentik.flows.challenge import ChallengeTypes
 from authentik.flows.models import Flow, FlowStageBinding, NotConfiguredAction
-from authentik.flows.tests.test_planner import dummy_get_response
+from authentik.lib.tests.utils import get_request
 from authentik.providers.oauth2.generators import generate_client_id, generate_client_secret
 from authentik.stages.authenticator_duo.models import AuthenticatorDuoStage, DuoDevice
 from authentik.stages.authenticator_validate.api import AuthenticatorValidateStageSerializer
@@ -97,11 +96,8 @@ class AuthenticatorValidateStageTests(TestCase):
 
     def test_device_challenge_webauthn(self):
         """Test webauthn"""
-        request = self.request_factory.get("/")
+        request = get_request("/")
         request.user = self.user
-        middleware = SessionMiddleware(dummy_get_response)
-        middleware.process_request(request)
-        request.session.save()
 
         webauthn_device = WebAuthnDevice.objects.create(
             user=self.user,