Merge branch 'master' into outpost-ldap

.bumpversion.cfg

@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2021.4.4
+current_version = 2021.4.5
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)\-?(?P<release>.*)

.github/workflows/release.yml

@@ -24,9 +24,9 @@ jobs:
         with:
           push: true
           tags: |
-            beryju/authentik-proxy:2021.4.4,
+            beryju/authentik-proxy:2021.4.5,
             beryju/authentik-proxy:latest,
-            ghcr.io/goauthentik/authentik:2021.4.4,
+            ghcr.io/goauthentik/authentik:2021.4.5,
             ghcr.io/goauthentik/authentik:latest
           platforms: linux/amd64,linux/arm64,linux/arm/v7,linux/arm/v8
   build-proxy:
@@ -56,9 +56,9 @@ jobs:
         with:
           push: true
           tags: |
-            beryju/authentik-proxy:2021.4.4,
+            beryju/authentik-proxy:2021.4.5,
             beryju/authentik-proxy:latest,
-            ghcr.io/goauthentik/proxy:2021.4.4,
+            ghcr.io/goauthentik/proxy:2021.4.5,
             ghcr.io/goauthentik/proxy:latest
           context: proxy/
           file: proxy/proxy.Dockerfile
@@ -84,9 +84,9 @@ jobs:
         with:
           push: true
           tags: |
-            beryju/authentik-static:2021.4.4,
+            beryju/authentik-static:2021.4.5,
             beryju/authentik-static:latest,
-            ghcr.io/goauthentik/static:2021.4.4,
+            ghcr.io/goauthentik/static:2021.4.5,
             ghcr.io/goauthentik/static:latest
           context: web/
           platforms: linux/amd64,linux/arm64,linux/arm/v7,linux/arm/v8
@@ -121,5 +121,5 @@ jobs:
           SENTRY_PROJECT: authentik
           SENTRY_URL: https://sentry.beryju.org
         with:
-          tagName: 2021.4.4
+          tagName: 2021.4.5
           environment: beryjuorg-prod

Pipfile.lock

@@ -116,17 +116,18 @@
         },
         "boto3": {
             "hashes": [
-                "sha256:edd2f14f64e0afd2373cd9b2c839004c751afedc593ea3baca3ab36f7206644d"
+                "sha256:35b099fa55f5db6e99a92855b9f320736121ae985340adfc73bc46fb443809e9",
+                "sha256:53fd4c7df86f78e51168f832b42ca1c284333b3f5af0266bf10d13af41aeff5c"
             ],
             "index": "pypi",
-            "version": "==1.17.60"
+            "version": "==1.17.61"
         },
         "botocore": {
             "hashes": [
-                "sha256:bb63a112ef415638328e4535b75dbc32ebd88f06b7937ce1d297aa5b5527335a",
+                "sha256:c765ddd0648e32b375ced8b82bfcc3f8437107278b2d2c73b7da7f41297b5388",
-                "sha256:e19947a8978e99467e7b1843308d1adc8febaa4e221021d4befdaec83d993ee7"
+                "sha256:d48f94573c75a6c1d6d0152b9e21432083a1b0a0fc39b41f57128464982cb0a0"
             ],
-            "version": "==1.20.60"
+            "version": "==1.20.61"
         },
         "cachetools": {
             "hashes": [
@@ -952,10 +953,10 @@
         },
         "python-dotenv": {
             "hashes": [
-                "sha256:471b782da0af10da1a80341e8438fca5fadeba2881c54360d5fd8d03d03a4f4a",
+                "sha256:00aa34e92d992e9f8383730816359647f358f4a3be1ba45e5a5cefd27ee91544",
-                "sha256:49782a97c9d641e8a09ae1d9af0856cc587c8d2474919342d5104d85be9890b2"
+                "sha256:b1ae5e9643d5ed987fc57cc2583021e38db531946518130777734f9589b3141f"
             ],
-            "version": "==0.17.0"
+            "version": "==0.17.1"
         },
         "pytz": {
             "hashes": [

authentik/__init__.py

@@ -1,3 +1,3 @@
 """authentik"""
-__version__ = "2021.4.4"
+__version__ = "2021.4.5"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"

authentik/crypto/api.py

@@ -39,7 +39,7 @@ class CertificateKeyPairSerializer(ModelSerializer):
         """Show if this keypair has a private key configured or not"""
         return instance.key_data != "" and instance.key_data is not None
 
-    def validate_certificate_data(self, value):
+    def validate_certificate_data(self, value: str) -> str:
         """Verify that input is a valid PEM x509 Certificate"""
         try:
             load_pem_x509_certificate(value.encode("utf-8"), default_backend())
@@ -47,7 +47,7 @@ class CertificateKeyPairSerializer(ModelSerializer):
             raise ValidationError("Unable to load certificate.")
         return value
 
-    def validate_key_data(self, value):
+    def validate_key_data(self, value: str) -> str:
         """Verify that input is a valid PEM RSA Key"""
         # Since this field is optional, data can be empty.
         if value != "":
@@ -57,8 +57,10 @@ class CertificateKeyPairSerializer(ModelSerializer):
                     password=None,
                     backend=default_backend(),
                 )
-            except ValueError:
+            except (ValueError, TypeError):
-                raise ValidationError("Unable to load private key.")
+                raise ValidationError(
+                    "Unable to load private key (possibly encrypted?)."
+                )
         return value
 
     class Meta:

authentik/outposts/controllers/base.py

@@ -61,6 +61,4 @@ class BaseController:
     def get_container_image(self) -> str:
         """Get container image to use for this outpost"""
         image_name_template: str = CONFIG.y("outposts.docker_image_base")
-        return image_name_template.format(
+        return image_name_template % {"type": self.outpost.type, "version": __version__}
-            {"type": self.outpost.type, "version": __version__}
-        )

authentik/sources/saml/processors/response.py

@@ -54,7 +54,7 @@ class ResponseProcessor:
     _source: SAMLSource
 
     _root: Any
-    _root_xml: str
+    _root_xml: bytes
 
     _http_request: HttpRequest
 
@@ -69,7 +69,7 @@ class ResponseProcessor:
         if not raw_response:
             raise MissingSAMLResponse("Request does not contain 'SAMLResponse'")
         # Check if response is compressed, b64 decode it
-        self._root_xml = b64decode(raw_response.encode()).decode()
+        self._root_xml = b64decode(raw_response.encode())
         self._root = fromstring(self._root_xml)
 
         if self._source.signing_kp:
@@ -186,7 +186,7 @@ class ResponseProcessor:
                 expected=self._source.name_id_policy,
                 got=name_id.attrib["Format"],
             )
-        # transient NameIDs are handeled seperately as they don't have to go through flows.
+        # transient NameIDs are handled separately as they don't have to go through flows.
         if name_id.attrib["Format"] == SAML_NAME_ID_FORMAT_TRANSIENT:
             return self._handle_name_id_transient(request)
 

authentik/sources/saml/views.py

@@ -1,4 +1,6 @@
 """saml sp views"""
+from urllib.parse import ParseResult, parse_qsl, urlparse, urlunparse
+
 from django.contrib.auth import logout
 from django.contrib.auth.mixins import LoginRequiredMixin
 from django.http import Http404, HttpRequest, HttpResponse
@@ -104,8 +106,24 @@ class InitiateView(View):
         auth_n_req = RequestProcessor(source, request, relay_state)
         # If the source is configured for Redirect bindings, we can just redirect there
         if source.binding_type == SAMLBindingTypes.REDIRECT:
-            url_args = urlencode(auth_n_req.build_auth_n_detached())
+            # Parse the initial SSO URL
-            return redirect(f"{source.sso_url}?{url_args}")
+            sso_url = urlparse(source.sso_url)
+            # Parse the querystring into a dict...
+            url_kwargs = dict(parse_qsl(sso_url.query))
+            # ... and update it with the SAML args
+            url_kwargs.update(auth_n_req.build_auth_n_detached())
+            # Encode it back into a string
+            res = ParseResult(
+                scheme=sso_url.scheme,
+                netloc=sso_url.hostname or "",
+                path=sso_url.path,
+                params=sso_url.params,
+                query=urlencode(url_kwargs),
+                fragment=sso_url.fragment,
+            )
+            # and merge it back into a URL
+            final_url = urlunparse(res)
+            return redirect(final_url)
         # As POST Binding we show a form
         saml_request = nice64(auth_n_req.build_auth_n())
         injected_stages = []

authentik/stages/identification/migrations/0008_alter_identificationstage_user_fields.py

@@ -0,0 +1,27 @@
+# Generated by Django 3.2 on 2021-04-29 22:56
+
+import django.contrib.postgres.fields
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_stages_identification", "0007_remove_identificationstage_template"),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="identificationstage",
+            name="user_fields",
+            field=django.contrib.postgres.fields.ArrayField(
+                base_field=models.CharField(
+                    choices=[("email", "E Mail"), ("username", "Username")],
+                    max_length=100,
+                ),
+                blank=True,
+                help_text="Fields of the user object to match against. (Hold shift to select multiple options)",
+                size=None,
+            ),
+        ),
+    ]

authentik/stages/identification/models.py

@@ -22,6 +22,7 @@ class IdentificationStage(Stage):
 
     user_fields = ArrayField(
         models.CharField(max_length=100, choices=UserFields.choices),
+        blank=True,
         help_text=_(
             (
                 "Fields of the user object to match against. "

authentik/stages/identification/stage.py

@@ -7,7 +7,7 @@ from django.db.models import Q
 from django.http import HttpResponse
 from django.urls import reverse
 from django.utils.translation import gettext as _
-from rest_framework.fields import CharField
+from rest_framework.fields import CharField, ListField
 from rest_framework.serializers import ValidationError
 from structlog.stdlib import get_logger
 
@@ -20,7 +20,7 @@ from authentik.flows.stage import (
     ChallengeStageView,
 )
 from authentik.flows.views import SESSION_KEY_APPLICATION_PRE
-from authentik.stages.identification.models import IdentificationStage, UserFields
+from authentik.stages.identification.models import IdentificationStage
 
 LOGGER = get_logger()
 
@@ -28,7 +28,7 @@ LOGGER = get_logger()
 class IdentificationChallenge(Challenge):
     """Identification challenges with all UI elements"""
 
-    input_type = CharField()
+    user_fields = ListField(child=CharField(), allow_empty=True, allow_null=True)
     application_pre = CharField(required=False)
 
     enroll_url = CharField(required=False)
@@ -83,11 +83,9 @@ class IdentificationStageView(ChallengeStageView):
                 "type": ChallengeTypes.NATIVE.value,
                 "component": "ak-stage-identification",
                 "primary_action": _("Log in"),
-                "input_type": "text",
+                "user_fields": current_stage.user_fields,
             }
         )
-        if current_stage.user_fields == [UserFields.E_MAIL]:
-            challenge.initial_data["input_type"] = "email"
         # If the user has been redirected to us whilst trying to access an
         # application, SESSION_KEY_APPLICATION_PRE is set in the session
         if SESSION_KEY_APPLICATION_PRE in self.request.session:

authentik/stages/identification/tests.py

@@ -106,7 +106,7 @@ class TestIdentificationStage(TestCase):
                 "background": flow.background.url,
                 "type": ChallengeTypes.NATIVE.value,
                 "component": "ak-stage-identification",
-                "input_type": "email",
+                "user_fields": ["email"],
                 "enroll_url": reverse(
                     "authentik_core:if-flow",
                     kwargs={"flow_slug": "unique-enrollment-string"},
@@ -149,7 +149,7 @@ class TestIdentificationStage(TestCase):
                 "background": flow.background.url,
                 "type": ChallengeTypes.NATIVE.value,
                 "component": "ak-stage-identification",
-                "input_type": "email",
+                "user_fields": ["email"],
                 "recovery_url": reverse(
                     "authentik_core:if-flow",
                     kwargs={"flow_slug": "unique-recovery-string"},

docker-compose.yml

@@ -20,7 +20,7 @@ services:
     networks:
       - internal
   server:
-    image: ${AUTHENTIK_IMAGE:-beryju/authentik}:${AUTHENTIK_TAG:-2021.4.4}
+    image: ${AUTHENTIK_IMAGE:-beryju/authentik}:${AUTHENTIK_TAG:-2021.4.5}
     restart: unless-stopped
     command: server
     environment:
@@ -48,7 +48,7 @@ services:
     env_file:
       - .env
   worker:
-    image: ${AUTHENTIK_IMAGE:-beryju/authentik}:${AUTHENTIK_TAG:-2021.4.4}
+    image: ${AUTHENTIK_IMAGE:-beryju/authentik}:${AUTHENTIK_TAG:-2021.4.5}
     restart: unless-stopped
     command: worker
     networks:
@@ -68,7 +68,7 @@ services:
     env_file:
       - .env
   static:
-    image: ${AUTHENTIK_IMAGE_STATIC:-beryju/authentik-static}:${AUTHENTIK_TAG:-2021.4.4}
+    image: ${AUTHENTIK_IMAGE_STATIC:-beryju/authentik-static}:${AUTHENTIK_TAG:-2021.4.5}
     restart: unless-stopped
     networks:
       - internal

helm/Chart.yaml

@@ -4,7 +4,7 @@ name: authentik
 home: https://goauthentik.io
 sources:
   - https://github.com/goauthentik/authentik
-version: "2021.4.4"
+version: "2021.4.5"
 icon: https://raw.githubusercontent.com/goauthentik/authentik/master/web/icons/icon.svg
 dependencies:
   - name: postgresql

helm/README.md

@@ -5,7 +5,7 @@
 | image.name                        | beryju/authentik        | Image used to run the authentik server and worker |
 | image.name_static                 | beryju/authentik-static | Image used to run the authentik static server (CSS and JS Files) |
 | image.name_outposts               | beryju/authentik-%(type)s:%(version)s | Image used for managed outposts. Placeholders: %(type)s: Outpost type; proxy, ldap, etc. %(version)s: Current version; 2021.4.1 |
-| image.tag                         | 2021.4.4                | Image tag |
+| image.tag                         | 2021.4.5                | Image tag |
 | image.pullPolicy                  | IfNotPresent            | Image Pull Policy used for all deployments |
 | serverReplicas                    | 1                       | Replicas for the Server deployment |
 | workerReplicas                    | 1                       | Replicas for the Worker deployment |

helm/values.yaml

@@ -8,7 +8,7 @@ image:
   # %(type)s: Outpost type; proxy, ldap, etc
   # %(version)s: Current version; 2021.4.1
   name_outposts: "beryju/authentik-%(type)s:%(version)s"
-  tag: 2021.4.4
+  tag: 2021.4.5
   pullPolicy: IfNotPresent
 
 serverReplicas: 1

outpost/pkg/version.go

@@ -1,3 +1,3 @@
 package pkg
 
-const VERSION = "2021.4.4"
+const VERSION = "2021.4.5"

swagger.yaml

@@ -18375,7 +18375,6 @@ definitions:
   IdentificationStage:
     required:
       - name
-      - user_fields
     type: object
     properties:
       pk:

web/nginx.conf

@@ -81,7 +81,7 @@ http {
         location /static/ {
             expires 31d;
             add_header Cache-Control "public, no-transform";
-            add_header X-authentik-version "2021.4.4";
+            add_header X-authentik-version "2021.4.5";
             add_header Vary X-authentik-version;
         }
 

web/package.json

@@ -35,10 +35,10 @@
         ]
     },
     "dependencies": {
-        "@babel/core": "^7.13.16",
+        "@babel/core": "^7.14.0",
         "@babel/plugin-proposal-decorators": "^7.13.15",
         "@babel/plugin-transform-runtime": "^7.13.15",
-        "@babel/preset-env": "^7.13.15",
+        "@babel/preset-env": "^7.14.0",
         "@babel/preset-typescript": "^7.13.0",
         "@fortawesome/fontawesome-free": "^5.15.3",
         "@lingui/cli": "^3.8.10",
@@ -50,11 +50,11 @@
         "@rollup/plugin-babel": "^5.3.0",
         "@rollup/plugin-replace": "^2.4.2",
         "@rollup/plugin-typescript": "^8.2.1",
-        "@sentry/browser": "^6.3.3",
+        "@sentry/browser": "^6.3.4",
-        "@sentry/tracing": "^6.3.3",
+        "@sentry/tracing": "^6.3.4",
         "@types/chart.js": "^2.9.32",
         "@types/codemirror": "0.0.109",
-        "@types/grecaptcha": "^3.0.1",
+        "@types/grecaptcha": "^3.0.2",
         "@typescript-eslint/eslint-plugin": "^4.22.0",
         "@typescript-eslint/parser": "^4.22.0",
         "@webcomponents/webcomponentsjs": "^2.5.0",
@@ -73,7 +73,7 @@
         "lit-html": "^1.4.0",
         "moment": "^2.29.1",
         "rapidoc": "^9.0.0",
-        "rollup": "^2.45.2",
+        "rollup": "^2.46.0",
         "rollup-plugin-commonjs": "^10.1.0",
         "rollup-plugin-copy": "^3.4.0",
         "rollup-plugin-cssimport": "^1.0.2",

web/src/constants.ts

@@ -3,7 +3,7 @@ export const SUCCESS_CLASS = "pf-m-success";
 export const ERROR_CLASS = "pf-m-danger";
 export const PROGRESS_CLASS = "pf-m-in-progress";
 export const CURRENT_CLASS = "pf-m-current";
-export const VERSION = "2021.4.4";
+export const VERSION = "2021.4.5";
 export const PAGE_SIZE = 20;
 export const EVENT_REFRESH = "ak-refresh";
 export const EVENT_NOTIFICATION_TOGGLE = "ak-notification-toggle";

web/src/flows/stages/identification/IdentificationStage.ts

@@ -22,7 +22,7 @@ export const PasswordManagerPrefill: {
 
 export interface IdentificationChallenge extends Challenge {
 
-    input_type: string;
+    user_fields?: string[];
     primary_action: string;
     sources?: UILoginButton[];
 
@@ -154,6 +154,43 @@ export class IdentificationStage extends BaseStage {
             </div>`;
     }
 
+    renderInput(): TemplateResult {
+        let label = "";
+        let type = "text";
+        if (!this.challenge?.user_fields) {
+            return html`<p>
+                ${t`Select one of the sources below to login.`}
+            </p>`;
+        }
+        if (this.challenge?.user_fields === ["email"]) {
+            label = t`Email`;
+            type = "email";
+        } else if (this.challenge?.user_fields === ["username"]) {
+            label = t`Username`;
+        } else {
+            label = t`Email or username`;
+        }
+        return html`<ak-form-element
+                label=${label}
+                ?required="${true}"
+                class="pf-c-form__group"
+                .errors=${(this.challenge?.response_errors || {})["uid_field"]}>
+                <!-- @ts-ignore -->
+                <input type=${type}
+                    name="uid_field"
+                    placeholder="Email or Username"
+                    autofocus=""
+                    autocomplete="username"
+                    class="pf-c-form-control"
+                    required>
+            </ak-form-element>
+            <div class="pf-c-form__group pf-m-action">
+                <button type="submit" class="pf-c-button pf-m-primary pf-m-block">
+                    ${this.challenge.primary_action}
+                </button>
+            </div>`;
+    }
+
     render(): TemplateResult {
         if (!this.challenge) {
             return html`<ak-empty-state
@@ -173,26 +210,7 @@ export class IdentificationStage extends BaseStage {
                             ${t`Login to continue to ${this.challenge.application_pre}.`}
                         </p>`:
                         html``}
-
+                    ${this.renderInput()}
-                    <ak-form-element
-                        label="${t`Email or Username`}"
-                        ?required="${true}"
-                        class="pf-c-form__group"
-                        .errors=${(this.challenge?.response_errors || {})["uid_field"]}>
-                        <input type="text"
-                            name="uid_field"
-                            placeholder="Email or Username"
-                            autofocus=""
-                            autocomplete="username"
-                            class="pf-c-form-control"
-                            required>
-                    </ak-form-element>
-
-                    <div class="pf-c-form__group pf-m-action">
-                        <button type="submit" class="pf-c-button pf-m-primary pf-m-block">
-                            ${this.challenge.primary_action}
-                        </button>
-                    </div>
                 </form>
             </div>
             <footer class="pf-c-login__main-footer">

web/src/locales/en.po

@@ -428,7 +428,7 @@ msgstr "Can be in the format of 'unix://' when connecting to a local docker daem
 msgid "Cancel"
 msgstr "Cancel"
 
-#: src/pages/stages/identification/IdentificationStageForm.ts:92
+#: src/pages/stages/identification/IdentificationStageForm.ts:91
 msgid "Case insensitive matching"
 msgstr "Case insensitive matching"
 
@@ -1086,8 +1086,9 @@ msgstr "Edit User"
 msgid "Either no applications are defined, or you don't have access to any."
 msgstr "Either no applications are defined, or you don't have access to any."
 
+#: src/flows/stages/identification/IdentificationStage.ts:138
 #: src/pages/events/TransportForm.ts:46
-#: src/pages/stages/identification/IdentificationStageForm.ts:82
+#: src/pages/stages/identification/IdentificationStageForm.ts:81
 #: src/pages/user-settings/UserDetailsPage.ts:71
 #: src/pages/users/UserForm.ts:61
 #: src/pages/users/UserViewPage.ts:100
@@ -1098,9 +1099,9 @@ msgstr "Email"
 msgid "Email address"
 msgstr "Email address"
 
-#: src/flows/stages/identification/IdentificationStage.ts:150
+#: src/flows/stages/identification/IdentificationStage.ts:145
-msgid "Email or Username"
+msgid "Email or username"
-msgstr "Email or Username"
+msgstr "Email or username"
 
 #: src/pages/stages/prompt/PromptForm.ts:51
 msgid "Email: Text field with Email type."
@@ -1145,7 +1146,7 @@ msgstr "Enrollment"
 
 #: src/pages/sources/oauth/OAuthSourceForm.ts:210
 #: src/pages/sources/saml/SAMLSourceForm.ts:266
-#: src/pages/stages/identification/IdentificationStageForm.ts:107
+#: src/pages/stages/identification/IdentificationStageForm.ts:106
 msgid "Enrollment flow"
 msgstr "Enrollment flow"
 
@@ -1342,9 +1343,9 @@ msgstr "Field which contains members of a group."
 msgid "Fields"
 msgstr "Fields"
 
-#: src/pages/stages/identification/IdentificationStageForm.ts:85
+#: src/pages/stages/identification/IdentificationStageForm.ts:84
-msgid "Fields a user can identify themselves with."
+msgid "Fields a user can identify themselves with. If no fields are selected, the user will only be able to use sources."
-msgstr "Fields a user can identify themselves with."
+msgstr "Fields a user can identify themselves with. If no fields are selected, the user will only be able to use sources."
 
 #: src/pages/flows/FlowImportForm.ts:34
 #: src/pages/flows/FlowListPage.ts:79
@@ -1510,7 +1511,7 @@ msgstr "Hide managed mappings"
 #: src/pages/sources/ldap/LDAPSourceForm.ts:167
 #: src/pages/sources/ldap/LDAPSourceForm.ts:193
 #: src/pages/stages/authenticator_validate/AuthenticatorValidateStageForm.ts:114
-#: src/pages/stages/identification/IdentificationStageForm.ts:86
+#: src/pages/stages/identification/IdentificationStageForm.ts:85
 #: src/pages/stages/password/PasswordStageForm.ts:86
 #: src/pages/stages/prompt/PromptStageForm.ts:87
 #: src/pages/stages/prompt/PromptStageForm.ts:121
@@ -1704,7 +1705,7 @@ msgstr "Library"
 #: src/flows/stages/consent/ConsentStage.ts:28
 #: src/flows/stages/dummy/DummyStage.ts:27
 #: src/flows/stages/email/EmailStage.ts:26
-#: src/flows/stages/identification/IdentificationStage.ts:133
+#: src/flows/stages/identification/IdentificationStage.ts:170
 #: src/flows/stages/password/PasswordStage.ts:31
 #: src/flows/stages/prompt/PromptStage.ts:126
 #: src/pages/applications/ApplicationViewPage.ts:43
@@ -1757,8 +1758,8 @@ msgstr "Loading"
 #: src/pages/stages/authenticator_totp/AuthenticatorTOTPStageForm.ts:96
 #: src/pages/stages/authenticator_validate/AuthenticatorValidateStageForm.ts:131
 #: src/pages/stages/email/EmailStageForm.ts:170
-#: src/pages/stages/identification/IdentificationStageForm.ts:120
+#: src/pages/stages/identification/IdentificationStageForm.ts:119
-#: src/pages/stages/identification/IdentificationStageForm.ts:138
+#: src/pages/stages/identification/IdentificationStageForm.ts:137
 #: src/pages/stages/password/PasswordStageForm.ts:106
 #: src/pages/stages/prompt/PromptStageForm.ts:85
 #: src/pages/stages/prompt/PromptStageForm.ts:118
@@ -1779,7 +1780,7 @@ msgstr "Log the currently pending user in."
 msgid "Login password is synced from LDAP into authentik automatically. Enable this option only to write password changes in authentik back to LDAP."
 msgstr "Login password is synced from LDAP into authentik automatically. Enable this option only to write password changes in authentik back to LDAP."
 
-#: src/flows/stages/identification/IdentificationStage.ts:145
+#: src/flows/stages/identification/IdentificationStage.ts:182
 msgid "Login to continue to {0}."
 msgstr "Login to continue to {0}."
 
@@ -2165,11 +2166,11 @@ msgstr "Optional URL if the IDP supports Single-Logout."
 msgid "Optional data which is loaded into the flow's 'prompt_data' context variable. YAML or JSON."
 msgstr "Optional data which is loaded into the flow's 'prompt_data' context variable. YAML or JSON."
 
-#: src/pages/stages/identification/IdentificationStageForm.ts:122
+#: src/pages/stages/identification/IdentificationStageForm.ts:121
 msgid "Optional enrollment flow, which is linked at the bottom of the page."
 msgstr "Optional enrollment flow, which is linked at the bottom of the page."
 
-#: src/pages/stages/identification/IdentificationStageForm.ts:140
+#: src/pages/stages/identification/IdentificationStageForm.ts:139
 msgid "Optional recovery flow, which is linked at the bottom of the page."
 msgstr "Optional recovery flow, which is linked at the bottom of the page."
 
@@ -2503,7 +2504,7 @@ msgstr "Re-evaluate policies"
 msgid "Recovery"
 msgstr "Recovery"
 
-#: src/pages/stages/identification/IdentificationStageForm.ts:125
+#: src/pages/stages/identification/IdentificationStageForm.ts:124
 msgid "Recovery flow"
 msgstr "Recovery flow"
 
@@ -2709,6 +2710,10 @@ msgstr "Select all rows"
 msgid "Select an identification method."
 msgstr "Select an identification method."
 
+#: src/flows/stages/identification/IdentificationStage.ts:134
+msgid "Select one of the sources below to login."
+msgstr "Select one of the sources below to login."
+
 #: src/pages/groups/MemberSelectModal.ts:68
 msgid "Select users to add"
 msgstr "Select users to add"
@@ -2807,7 +2812,7 @@ msgstr "Severity"
 msgid "Show arbitrary input fields to the user, for example during enrollment. Data is saved in the flow context under the 'prompt_data' variable."
 msgstr "Show arbitrary input fields to the user, for example during enrollment. Data is saved in the flow context under the 'prompt_data' variable."
 
-#: src/pages/stages/identification/IdentificationStageForm.ts:101
+#: src/pages/stages/identification/IdentificationStageForm.ts:100
 msgid "Show matched user"
 msgstr "Show matched user"
 
@@ -3741,7 +3746,8 @@ msgstr "User/Group Attribute used for the user part of the HTTP-Basic Header. If
 msgid "Userinfo URL"
 msgstr "Userinfo URL"
 
-#: src/pages/stages/identification/IdentificationStageForm.ts:79
+#: src/flows/stages/identification/IdentificationStage.ts:142
+#: src/pages/stages/identification/IdentificationStageForm.ts:78
 #: src/pages/user-settings/UserDetailsPage.ts:57
 #: src/pages/users/UserForm.ts:47
 #: src/pages/users/UserViewPage.ts:84
@@ -3863,7 +3869,7 @@ msgstr "Webhook (generic)"
 msgid "Webhook URL"
 msgstr "Webhook URL"
 
-#: src/pages/stages/identification/IdentificationStageForm.ts:104
+#: src/pages/stages/identification/IdentificationStageForm.ts:103
 msgid "When a valid username/email has been entered, and this option is enabled, the user's username and avatar will be shown. Otherwise, the text that the user entered will be shown."
 msgstr "When a valid username/email has been entered, and this option is enabled, the user's username and avatar will be shown. Otherwise, the text that the user entered will be shown."
 
@@ -3871,7 +3877,7 @@ msgstr "When a valid username/email has been entered, and this option is enabled
 msgid "When enabled, global Email connection settings will be used and connection settings below will be ignored."
 msgstr "When enabled, global Email connection settings will be used and connection settings below will be ignored."
 
-#: src/pages/stages/identification/IdentificationStageForm.ts:95
+#: src/pages/stages/identification/IdentificationStageForm.ts:94
 msgid "When enabled, user fields are matched regardless of their casing."
 msgstr "When enabled, user fields are matched regardless of their casing."
 

web/src/locales/pseudo-LOCALE.po

@@ -424,7 +424,7 @@ msgstr ""
 msgid "Cancel"
 msgstr ""
 
-#: src/pages/stages/identification/IdentificationStageForm.ts:92
+#: src/pages/stages/identification/IdentificationStageForm.ts:91
 msgid "Case insensitive matching"
 msgstr ""
 
@@ -1078,8 +1078,9 @@ msgstr ""
 msgid "Either no applications are defined, or you don't have access to any."
 msgstr ""
 
+#: src/flows/stages/identification/IdentificationStage.ts:138
 #: src/pages/events/TransportForm.ts:46
-#: src/pages/stages/identification/IdentificationStageForm.ts:82
+#: src/pages/stages/identification/IdentificationStageForm.ts:81
 #: src/pages/user-settings/UserDetailsPage.ts:71
 #: src/pages/users/UserForm.ts:61
 #: src/pages/users/UserViewPage.ts:100
@@ -1090,8 +1091,8 @@ msgstr ""
 msgid "Email address"
 msgstr ""
 
-#: src/flows/stages/identification/IdentificationStage.ts:150
+#: src/flows/stages/identification/IdentificationStage.ts:145
-msgid "Email or Username"
+msgid "Email or username"
 msgstr ""
 
 #: src/pages/stages/prompt/PromptForm.ts:51
@@ -1137,7 +1138,7 @@ msgstr ""
 
 #: src/pages/sources/oauth/OAuthSourceForm.ts:210
 #: src/pages/sources/saml/SAMLSourceForm.ts:266
-#: src/pages/stages/identification/IdentificationStageForm.ts:107
+#: src/pages/stages/identification/IdentificationStageForm.ts:106
 msgid "Enrollment flow"
 msgstr ""
 
@@ -1334,8 +1335,8 @@ msgstr ""
 msgid "Fields"
 msgstr ""
 
-#: src/pages/stages/identification/IdentificationStageForm.ts:85
+#: src/pages/stages/identification/IdentificationStageForm.ts:84
-msgid "Fields a user can identify themselves with."
+msgid "Fields a user can identify themselves with. If no fields are selected, the user will only be able to use sources."
 msgstr ""
 
 #: src/pages/flows/FlowImportForm.ts:34
@@ -1502,7 +1503,7 @@ msgstr ""
 #: src/pages/sources/ldap/LDAPSourceForm.ts:167
 #: src/pages/sources/ldap/LDAPSourceForm.ts:193
 #: src/pages/stages/authenticator_validate/AuthenticatorValidateStageForm.ts:114
-#: src/pages/stages/identification/IdentificationStageForm.ts:86
+#: src/pages/stages/identification/IdentificationStageForm.ts:85
 #: src/pages/stages/password/PasswordStageForm.ts:86
 #: src/pages/stages/prompt/PromptStageForm.ts:87
 #: src/pages/stages/prompt/PromptStageForm.ts:121
@@ -1696,7 +1697,7 @@ msgstr ""
 #: src/flows/stages/consent/ConsentStage.ts:28
 #: src/flows/stages/dummy/DummyStage.ts:27
 #: src/flows/stages/email/EmailStage.ts:26
-#: src/flows/stages/identification/IdentificationStage.ts:133
+#: src/flows/stages/identification/IdentificationStage.ts:170
 #: src/flows/stages/password/PasswordStage.ts:31
 #: src/flows/stages/prompt/PromptStage.ts:126
 #: src/pages/applications/ApplicationViewPage.ts:43
@@ -1749,8 +1750,8 @@ msgstr ""
 #: src/pages/stages/authenticator_totp/AuthenticatorTOTPStageForm.ts:96
 #: src/pages/stages/authenticator_validate/AuthenticatorValidateStageForm.ts:131
 #: src/pages/stages/email/EmailStageForm.ts:170
-#: src/pages/stages/identification/IdentificationStageForm.ts:120
+#: src/pages/stages/identification/IdentificationStageForm.ts:119
-#: src/pages/stages/identification/IdentificationStageForm.ts:138
+#: src/pages/stages/identification/IdentificationStageForm.ts:137
 #: src/pages/stages/password/PasswordStageForm.ts:106
 #: src/pages/stages/prompt/PromptStageForm.ts:85
 #: src/pages/stages/prompt/PromptStageForm.ts:118
@@ -1771,7 +1772,7 @@ msgstr ""
 msgid "Login password is synced from LDAP into authentik automatically. Enable this option only to write password changes in authentik back to LDAP."
 msgstr ""
 
-#: src/flows/stages/identification/IdentificationStage.ts:145
+#: src/flows/stages/identification/IdentificationStage.ts:182
 msgid "Login to continue to {0}."
 msgstr ""
 
@@ -2157,11 +2158,11 @@ msgstr ""
 msgid "Optional data which is loaded into the flow's 'prompt_data' context variable. YAML or JSON."
 msgstr ""
 
-#: src/pages/stages/identification/IdentificationStageForm.ts:122
+#: src/pages/stages/identification/IdentificationStageForm.ts:121
 msgid "Optional enrollment flow, which is linked at the bottom of the page."
 msgstr ""
 
-#: src/pages/stages/identification/IdentificationStageForm.ts:140
+#: src/pages/stages/identification/IdentificationStageForm.ts:139
 msgid "Optional recovery flow, which is linked at the bottom of the page."
 msgstr ""
 
@@ -2495,7 +2496,7 @@ msgstr ""
 msgid "Recovery"
 msgstr ""
 
-#: src/pages/stages/identification/IdentificationStageForm.ts:125
+#: src/pages/stages/identification/IdentificationStageForm.ts:124
 msgid "Recovery flow"
 msgstr ""
 
@@ -2701,6 +2702,10 @@ msgstr ""
 msgid "Select an identification method."
 msgstr ""
 
+#: src/flows/stages/identification/IdentificationStage.ts:134
+msgid "Select one of the sources below to login."
+msgstr ""
+
 #: src/pages/groups/MemberSelectModal.ts:68
 msgid "Select users to add"
 msgstr ""
@@ -2799,7 +2804,7 @@ msgstr ""
 msgid "Show arbitrary input fields to the user, for example during enrollment. Data is saved in the flow context under the 'prompt_data' variable."
 msgstr ""
 
-#: src/pages/stages/identification/IdentificationStageForm.ts:101
+#: src/pages/stages/identification/IdentificationStageForm.ts:100
 msgid "Show matched user"
 msgstr ""
 
@@ -3729,7 +3734,8 @@ msgstr ""
 msgid "Userinfo URL"
 msgstr ""
 
-#: src/pages/stages/identification/IdentificationStageForm.ts:79
+#: src/flows/stages/identification/IdentificationStage.ts:142
+#: src/pages/stages/identification/IdentificationStageForm.ts:78
 #: src/pages/user-settings/UserDetailsPage.ts:57
 #: src/pages/users/UserForm.ts:47
 #: src/pages/users/UserViewPage.ts:84
@@ -3851,7 +3857,7 @@ msgstr ""
 msgid "Webhook URL"
 msgstr ""
 
-#: src/pages/stages/identification/IdentificationStageForm.ts:104
+#: src/pages/stages/identification/IdentificationStageForm.ts:103
 msgid "When a valid username/email has been entered, and this option is enabled, the user's username and avatar will be shown. Otherwise, the text that the user entered will be shown."
 msgstr ""
 
@@ -3859,7 +3865,7 @@ msgstr ""
 msgid "When enabled, global Email connection settings will be used and connection settings below will be ignored."
 msgstr ""
 
-#: src/pages/stages/identification/IdentificationStageForm.ts:95
+#: src/pages/stages/identification/IdentificationStageForm.ts:94
 msgid "When enabled, user fields are matched regardless of their casing."
 msgstr ""
 

web/src/pages/stages/identification/IdentificationStageForm.ts

@@ -69,7 +69,6 @@ export class IdentificationStageForm extends Form<IdentificationStage> {
                 <div slot="body" class="pf-c-form">
                     <ak-form-element-horizontal
                         label=${t`User fields`}
-                        ?required=${true}
                         name="userFields">
                         <select name="users" class="pf-c-form-control" multiple>
                             <option value=${IdentificationStageUserFieldsEnum.Username} ?selected=${this.isUserFieldSelected(IdentificationStageUserFieldsEnum.Username)}>
@@ -79,7 +78,7 @@ export class IdentificationStageForm extends Form<IdentificationStage> {
                                 ${t`Email`}
                             </option>
                         </select>
-                        <p class="pf-c-form__helper-text">${t`Fields a user can identify themselves with.`}</p>
+                        <p class="pf-c-form__helper-text">${t`Fields a user can identify themselves with. If no fields are selected, the user will only be able to use sources.`}</p>
                         <p class="pf-c-form__helper-text">${t`Hold control/command to select multiple items.`}</p>
                     </ak-form-element-horizontal>
                     <ak-form-element-horizontal name="caseInsensitiveMatching">

website/docs/installation/docker-compose.md

@@ -16,7 +16,7 @@ Download the latest `docker-compose.yml` from [here](https://raw.githubuserconte
 
 To optionally enable error-reporting, run `echo AUTHENTIK_ERROR_REPORTING__ENABLED=true >> .env`
 
-To optionally deploy a different version run `echo AUTHENTIK_TAG=2021.4.4 >> .env`
+To optionally deploy a different version run `echo AUTHENTIK_TAG=2021.4.5 >> .env`
 
 If this is a fresh authentik install run the following commands to generate a password:
 

website/docs/installation/kubernetes.md

@@ -41,7 +41,7 @@ image:
   # %(type)s: Outpost type; proxy, ldap, etc
   # %(version)s: Current version; 2021.4.1
   name_outposts: "beryju/authentik-%(type)s:%(version)s"
-  tag: 2021.4.4
+  tag: 2021.4.5
 
 serverReplicas: 1
 workerReplicas: 1

website/docs/outposts/manual-deploy-docker-compose.md

@@ -11,7 +11,7 @@ version: "3.5"
 
 services:
   authentik_proxy:
-    image: beryju/authentik-proxy:2021.4.4
+    image: beryju/authentik-proxy:2021.4.5
     ports:
       - 4180:4180
       - 4443:4443

website/docs/outposts/manual-deploy-kubernetes.md

@@ -14,7 +14,7 @@ metadata:
     app.kubernetes.io/instance: __OUTPOST_NAME__
     app.kubernetes.io/managed-by: goauthentik.io
     app.kubernetes.io/name: authentik-proxy
-    app.kubernetes.io/version: 2021.4.4
+    app.kubernetes.io/version: 2021.4.5
   name: authentik-outpost-api
 stringData:
   authentik_host: "__AUTHENTIK_URL__"
@@ -29,7 +29,7 @@ metadata:
     app.kubernetes.io/instance: __OUTPOST_NAME__
     app.kubernetes.io/managed-by: goauthentik.io
     app.kubernetes.io/name: authentik-proxy
-    app.kubernetes.io/version: 2021.4.4
+    app.kubernetes.io/version: 2021.4.5
   name: authentik-outpost
 spec:
   ports:
@@ -54,7 +54,7 @@ metadata:
     app.kubernetes.io/instance: __OUTPOST_NAME__
     app.kubernetes.io/managed-by: goauthentik.io
     app.kubernetes.io/name: authentik-proxy
-    app.kubernetes.io/version: 2021.4.4
+    app.kubernetes.io/version: 2021.4.5
   name: authentik-outpost
 spec:
   selector:
@@ -62,14 +62,14 @@ spec:
       app.kubernetes.io/instance: __OUTPOST_NAME__
       app.kubernetes.io/managed-by: goauthentik.io
       app.kubernetes.io/name: authentik-proxy
-      app.kubernetes.io/version: 2021.4.4
+      app.kubernetes.io/version: 2021.4.5
   template:
     metadata:
       labels:
         app.kubernetes.io/instance: __OUTPOST_NAME__
         app.kubernetes.io/managed-by: goauthentik.io
         app.kubernetes.io/name: authentik-proxy
-        app.kubernetes.io/version: 2021.4.4
+        app.kubernetes.io/version: 2021.4.5
     spec:
       containers:
         - env:
@@ -88,7 +88,7 @@ spec:
               secretKeyRef:
                 key: authentik_host_insecure
                 name: authentik-outpost-api
-        image: beryju/authentik-proxy:2021.4.4
+        image: beryju/authentik-proxy:2021.4.5
         name: proxy
         ports:
           - containerPort: 4180
@@ -110,7 +110,7 @@ metadata:
     app.kubernetes.io/instance: __OUTPOST_NAME__
     app.kubernetes.io/managed-by: goauthentik.io
     app.kubernetes.io/name: authentik-proxy
-    app.kubernetes.io/version: 2021.4.4
+    app.kubernetes.io/version: 2021.4.5
   name: authentik-outpost
 spec:
   rules: