release: 2023.10.6

* providers/oauth2: fix CVE-2024-21637 (#8104)

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* update changelog

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Jens L <jens@goauthentik.io>

.bumpversion.cfg

@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2023.10.4
+current_version = 2023.10.6
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)

.github/workflows/ci-main.yml

@@ -61,6 +61,10 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
+      - name: Setup authentik env
+        uses: ./.github/actions/setup
+        with:
+          postgresql_version: ${{ matrix.psql }}
       - name: checkout stable
         run: |
           # Delete all poetry envs
@@ -72,7 +76,7 @@ jobs:
           git checkout version/$(python -c "from authentik import __version__; print(__version__)")
           rm -rf .github/ scripts/
           mv ../.github ../scripts .
-      - name: Setup authentik env (stable)
+      - name: Setup authentik env (ensure stable deps are installed)
         uses: ./.github/actions/setup
         with:
           postgresql_version: ${{ matrix.psql }}
@@ -86,20 +90,14 @@ jobs:
           git clean -d -fx .
           git checkout $GITHUB_SHA
           # Delete previous poetry env
-          rm -rf /home/runner/.cache/pypoetry/virtualenvs/*
+          rm -rf $(poetry env info --path)
+          poetry install
       - name: Setup authentik env (ensure latest deps are installed)
         uses: ./.github/actions/setup
         with:
           postgresql_version: ${{ matrix.psql }}
       - name: migrate to latest
-        run: |
+        run: poetry run python -m lifecycle.migrate
-          poetry run python -m lifecycle.migrate
-      - name: run tests
-        env:
-          # Test in the main database that we just migrated from the previous stable version
-          AUTHENTIK_POSTGRESQL__TEST__NAME: authentik
-        run: |
-          poetry run make test
   test-unittest:
     name: test-unittest - PostgreSQL ${{ matrix.psql }}
     runs-on: ubuntu-latest

.github/workflows/ci-outpost.yml

@@ -16,7 +16,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
+      - uses: actions/setup-go@v4
         with:
           go-version-file: "go.mod"
       - name: Prepare and generate API
@@ -37,7 +37,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
+      - uses: actions/setup-go@v4
         with:
           go-version-file: "go.mod"
       - name: Setup authentik env
@@ -125,7 +125,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           ref: ${{ github.event.pull_request.head.sha }}
-      - uses: actions/setup-go@v5
+      - uses: actions/setup-go@v4
         with:
           go-version-file: "go.mod"
       - uses: actions/setup-node@v4

.github/workflows/codeql-analysis.yml

@@ -27,10 +27,10 @@ jobs:
       - name: Setup authentik env
         uses: ./.github/actions/setup
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v3
+        uses: github/codeql-action/init@v2
         with:
           languages: ${{ matrix.language }}
       - name: Autobuild
-        uses: github/codeql-action/autobuild@v3
+        uses: github/codeql-action/autobuild@v2
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v3
+        uses: github/codeql-action/analyze@v2

.github/workflows/gha-cache-cleanup.yml

@@ -6,10 +6,6 @@ on:
     types:
       - closed
 
-permissions:
-  # Permission to delete cache
-  actions: write
-
 jobs:
   cleanup:
     runs-on: ubuntu-latest

.github/workflows/release-publish.yml

@@ -67,7 +67,7 @@ jobs:
           - radius
     steps:
       - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
+      - uses: actions/setup-go@v4
         with:
           go-version-file: "go.mod"
       - name: Set up QEMU
@@ -126,7 +126,7 @@ jobs:
         goarch: [amd64, arm64]
     steps:
       - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
+      - uses: actions/setup-go@v4
         with:
           go-version-file: "go.mod"
       - uses: actions/setup-node@v4

.github/workflows/release-tag.yml

@@ -30,7 +30,7 @@ jobs:
           private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
       - name: Extract version number
         id: get_version
-        uses: actions/github-script@v7
+        uses: actions/github-script@v6
         with:
           github-token: ${{ steps.generate_token.outputs.token }}
           script: |

.github/workflows/repo-stale.yml

@@ -18,7 +18,7 @@ jobs:
         with:
           app_id: ${{ secrets.GH_APP_ID }}
           private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-      - uses: actions/stale@v9
+      - uses: actions/stale@v8
         with:
           repo-token: ${{ steps.generate_token.outputs.token }}
           days-before-stale: 60

.github/workflows/translation-advice.yml

@@ -7,12 +7,7 @@ on:
     paths:
       - "!**"
       - "locale/**"
-      - "!locale/en/**"
+      - "web/src/locales/**"
-      - "web/xliff/**"
-
-permissions:
-  # Permission to write comment
-  pull-requests: write
 
 jobs:
   post-comment:

.github/workflows/translation-rename.yml

@@ -6,10 +6,6 @@ on:
   pull_request:
     types: [opened, reopened]
 
-permissions:
-  # Permission to rename PR
-  pull-requests: write
-
 jobs:
   rename_pr:
     runs-on: ubuntu-latest

.vscode/extensions.json

@@ -14,7 +14,6 @@
         "ms-python.pylint",
         "ms-python.python",
         "ms-python.vscode-pylance",
-        "ms-python.black-formatter",
         "redhat.vscode-yaml",
         "Tobermory.es6-string-html",
         "unifiedjs.vscode-mdx",

.vscode/settings.json

@@ -19,8 +19,10 @@
         "slo",
         "scim",
     ],
+    "python.linting.pylintEnabled": true,
     "todo-tree.tree.showCountsInTree": true,
     "todo-tree.tree.showBadges": true,
+    "python.formatting.provider": "black",
     "yaml.customTags": [
         "!Find sequence",
         "!KeyOf scalar",

Dockerfile

@@ -37,7 +37,7 @@ COPY ./gen-ts-api /work/web/node_modules/@goauthentik/api
 RUN npm run build
 
 # Stage 3: Build go proxy
-FROM --platform=${BUILDPLATFORM} docker.io/golang:1.21.5-bookworm AS go-builder
+FROM --platform=${BUILDPLATFORM} docker.io/golang:1.21.4-bookworm AS go-builder
 
 ARG TARGETOS
 ARG TARGETARCH
@@ -83,7 +83,7 @@ RUN --mount=type=secret,id=GEOIPUPDATE_ACCOUNT_ID \
     /bin/sh -c "/usr/bin/entry.sh || echo 'Failed to get GeoIP database, disabling'; exit 0"
 
 # Stage 5: Python dependencies
-FROM docker.io/python:3.12.1-slim-bookworm AS python-deps
+FROM docker.io/python:3.11.5-bookworm AS python-deps
 
 WORKDIR /ak-root/poetry
 
@@ -108,7 +108,7 @@ RUN --mount=type=bind,target=./pyproject.toml,src=./pyproject.toml \
     poetry install --only=main --no-ansi --no-interaction
 
 # Stage 6: Run
-FROM docker.io/python:3.12.1-slim-bookworm AS final-image
+FROM docker.io/python:3.11.5-slim-bookworm AS final-image
 
 ARG GIT_BUILD_HASH
 ARG VERSION
@@ -125,7 +125,7 @@ WORKDIR /
 # We cannot cache this layer otherwise we'll end up with a bigger image
 RUN apt-get update && \
     # Required for runtime
-    apt-get install -y --no-install-recommends libpq5 openssl libxmlsec1-openssl libmaxminddb0 ca-certificates && \
+    apt-get install -y --no-install-recommends libpq5 openssl libxmlsec1-openssl libmaxminddb0 && \
     # Required for bootstrap & healtcheck
     apt-get install -y --no-install-recommends runit && \
     apt-get clean && \

Makefile

@@ -110,14 +110,11 @@ gen-diff:  ## (Release) generate the changelog diff between the current schema a
 		--markdown /local/diff.md \
 		/local/old_schema.yml /local/schema.yml
 	rm old_schema.yml
-	sed -i 's/{/{/g' diff.md
-	sed -i 's/}/}/g' diff.md
 	npx prettier --write diff.md
 
 gen-clean:
-	rm -rf gen-go-api/
+	rm -rf web/api/src/
-	rm -rf gen-ts-api/
+	rm -rf api/
-	rm -rf web/node_modules/@goauthentik/api/
 
 gen-client-ts:  ## Build and install the authentik API for Typescript into the authentik UI Application
 	docker run \

SECURITY.md

@@ -1,9 +1,5 @@
 authentik takes security very seriously. We follow the rules of [responsible disclosure](https://en.wikipedia.org/wiki/Responsible_disclosure), and we urge our community to do so as well, instead of reporting vulnerabilities publicly. This allows us to patch the issue quickly, announce it's existence and release the fixed version.
 
-## Independent audits and pentests
-
-In May/June of 2023 [Cure53](https://cure53.de) conducted an audit and pentest. The [results](https://cure53.de/pentest-report_authentik.pdf) are published on the [Cure53 website](https://cure53.de/#publications-2023). For more details about authentik's response to the findings of the audit refer to [2023-06 Cure53 Code audit](https://goauthentik.io/docs/security/2023-06-cure53).
-
 ## What authentik classifies as a CVE
 
 CVE (Common Vulnerability and Exposure) is a system designed to aggregate all vulnerabilities. As such, a CVE will be issued when there is a either vulnerability or exposure. Per NIST, A vulnerability is:

authentik/__init__.py

@@ -2,7 +2,7 @@
 from os import environ
 from typing import Optional
 
-__version__ = "2023.10.4"
+__version__ = "2023.10.6"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
 
 

authentik/admin/api/system.py

@@ -30,7 +30,7 @@ class RuntimeDict(TypedDict):
     uname: str
 
 
-class SystemInfoSerializer(PassiveSerializer):
+class SystemSerializer(PassiveSerializer):
     """Get system information."""
 
     http_headers = SerializerMethodField()
@@ -91,14 +91,14 @@ class SystemView(APIView):
     permission_classes = [HasPermission("authentik_rbac.view_system_info")]
     pagination_class = None
     filter_backends = []
-    serializer_class = SystemInfoSerializer
+    serializer_class = SystemSerializer
 
-    @extend_schema(responses={200: SystemInfoSerializer(many=False)})
+    @extend_schema(responses={200: SystemSerializer(many=False)})
     def get(self, request: Request) -> Response:
         """Get system information."""
-        return Response(SystemInfoSerializer(request).data)
+        return Response(SystemSerializer(request).data)
 
-    @extend_schema(responses={200: SystemInfoSerializer(many=False)})
+    @extend_schema(responses={200: SystemSerializer(many=False)})
     def post(self, request: Request) -> Response:
         """Get system information."""
-        return Response(SystemInfoSerializer(request).data)
+        return Response(SystemSerializer(request).data)

authentik/api/tests/test_auth.py

@@ -12,8 +12,6 @@ from authentik.blueprints.tests import reconcile_app
 from authentik.core.models import Token, TokenIntents, User, UserTypes
 from authentik.core.tests.utils import create_test_admin_user, create_test_flow
 from authentik.lib.generators import generate_id
-from authentik.outposts.apps import MANAGED_OUTPOST
-from authentik.outposts.models import Outpost
 from authentik.providers.oauth2.constants import SCOPE_AUTHENTIK_API
 from authentik.providers.oauth2.models import AccessToken, OAuth2Provider
 
@@ -51,12 +49,8 @@ class TestAPIAuth(TestCase):
         with self.assertRaises(AuthenticationFailed):
             bearer_auth(f"Bearer {token.key}".encode())
 
-    @reconcile_app("authentik_outposts")
+    def test_managed_outpost(self):
-    def test_managed_outpost_fail(self):
         """Test managed outpost"""
-        outpost = Outpost.objects.filter(managed=MANAGED_OUTPOST).first()
-        outpost.user.delete()
-        outpost.delete()
         with self.assertRaises(AuthenticationFailed):
             bearer_auth(f"Bearer {settings.SECRET_KEY}".encode())
 

authentik/api/v3/config.py

@@ -93,10 +93,10 @@ class ConfigView(APIView):
                     "traces_sample_rate": float(CONFIG.get("error_reporting.sample_rate", 0.4)),
                 },
                 "capabilities": self.get_capabilities(),
-                "cache_timeout": CONFIG.get_int("cache.timeout"),
+                "cache_timeout": CONFIG.get_int("redis.cache_timeout"),
-                "cache_timeout_flows": CONFIG.get_int("cache.timeout_flows"),
+                "cache_timeout_flows": CONFIG.get_int("redis.cache_timeout_flows"),
-                "cache_timeout_policies": CONFIG.get_int("cache.timeout_policies"),
+                "cache_timeout_policies": CONFIG.get_int("redis.cache_timeout_policies"),
-                "cache_timeout_reputation": CONFIG.get_int("cache.timeout_reputation"),
+                "cache_timeout_reputation": CONFIG.get_int("redis.cache_timeout_reputation"),
             }
         )
 

authentik/blueprints/api.py

@@ -3,7 +3,7 @@ from django.utils.translation import gettext_lazy as _
 from drf_spectacular.utils import extend_schema, inline_serializer
 from rest_framework.decorators import action
 from rest_framework.exceptions import ValidationError
-from rest_framework.fields import CharField, DateTimeField
+from rest_framework.fields import CharField, DateTimeField, JSONField
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.serializers import ListSerializer, ModelSerializer
@@ -15,7 +15,7 @@ from authentik.blueprints.v1.importer import Importer
 from authentik.blueprints.v1.oci import OCI_PREFIX
 from authentik.blueprints.v1.tasks import apply_blueprint, blueprints_find_dict
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import JSONDictField, PassiveSerializer
+from authentik.core.api.utils import PassiveSerializer
 
 
 class ManagedSerializer:
@@ -28,7 +28,7 @@ class MetadataSerializer(PassiveSerializer):
     """Serializer for blueprint metadata"""
 
     name = CharField()
-    labels = JSONDictField()
+    labels = JSONField()
 
 
 class BlueprintInstanceSerializer(ModelSerializer):

authentik/blueprints/apps.py

@@ -40,7 +40,7 @@ class ManagedAppConfig(AppConfig):
                 meth()
                 self._logger.debug("Successfully reconciled", name=name)
             except (DatabaseError, ProgrammingError, InternalError) as exc:
-                self._logger.debug("Failed to run reconcile", name=name, exc=exc)
+                self._logger.warning("Failed to run reconcile", name=name, exc=exc)
 
 
 class AuthentikBlueprintsConfig(ManagedAppConfig):

authentik/blueprints/v1/meta/apply_blueprint.py

@@ -2,11 +2,11 @@
 from typing import TYPE_CHECKING
 
 from rest_framework.exceptions import ValidationError
-from rest_framework.fields import BooleanField
+from rest_framework.fields import BooleanField, JSONField
 from structlog.stdlib import get_logger
 
 from authentik.blueprints.v1.meta.registry import BaseMetaModel, MetaResult, registry
-from authentik.core.api.utils import JSONDictField, PassiveSerializer
+from authentik.core.api.utils import PassiveSerializer, is_dict
 
 if TYPE_CHECKING:
     from authentik.blueprints.models import BlueprintInstance
@@ -17,7 +17,7 @@ LOGGER = get_logger()
 class ApplyBlueprintMetaSerializer(PassiveSerializer):
     """Serializer for meta apply blueprint model"""
 
-    identifiers = JSONDictField()
+    identifiers = JSONField(validators=[is_dict])
     required = BooleanField(default=True)
 
     # We cannot override `instance` as that will confuse rest_framework

authentik/core/api/groups.py

@@ -8,7 +8,7 @@ from django_filters.filterset import FilterSet
 from drf_spectacular.utils import OpenApiResponse, extend_schema
 from guardian.shortcuts import get_objects_for_user
 from rest_framework.decorators import action
-from rest_framework.fields import CharField, IntegerField
+from rest_framework.fields import CharField, IntegerField, JSONField
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.serializers import ListSerializer, ModelSerializer, ValidationError
@@ -16,7 +16,7 @@ from rest_framework.viewsets import ModelViewSet
 
 from authentik.api.decorators import permission_required
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import JSONDictField, PassiveSerializer
+from authentik.core.api.utils import PassiveSerializer, is_dict
 from authentik.core.models import Group, User
 from authentik.rbac.api.roles import RoleSerializer
 
@@ -24,7 +24,7 @@ from authentik.rbac.api.roles import RoleSerializer
 class GroupMemberSerializer(ModelSerializer):
     """Stripped down user serializer to show relevant users for groups"""
 
-    attributes = JSONDictField(required=False)
+    attributes = JSONField(validators=[is_dict], required=False)
     uid = CharField(read_only=True)
 
     class Meta:
@@ -44,7 +44,7 @@ class GroupMemberSerializer(ModelSerializer):
 class GroupSerializer(ModelSerializer):
     """Group Serializer"""
 
-    attributes = JSONDictField(required=False)
+    attributes = JSONField(validators=[is_dict], required=False)
     users_obj = ListSerializer(
         child=GroupMemberSerializer(), read_only=True, source="users", required=False
     )

authentik/core/api/providers.py

@@ -42,7 +42,6 @@ class ProviderSerializer(ModelSerializer, MetaNameSerializer):
             "name",
             "authentication_flow",
             "authorization_flow",
-            "invalidation_flow",
             "property_mappings",
             "component",
             "assigned_application_slug",

authentik/core/api/users.py

@@ -32,7 +32,13 @@ from drf_spectacular.utils import (
 )
 from guardian.shortcuts import get_anonymous_user, get_objects_for_user
 from rest_framework.decorators import action
-from rest_framework.fields import CharField, IntegerField, ListField, SerializerMethodField
+from rest_framework.fields import (
+    CharField,
+    IntegerField,
+    JSONField,
+    ListField,
+    SerializerMethodField,
+)
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.serializers import (
@@ -51,7 +57,7 @@ from authentik.admin.api.metrics import CoordinateSerializer
 from authentik.api.decorators import permission_required
 from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import JSONDictField, LinkSerializer, PassiveSerializer
+from authentik.core.api.utils import LinkSerializer, PassiveSerializer, is_dict
 from authentik.core.middleware import (
     SESSION_KEY_IMPERSONATE_ORIGINAL_USER,
     SESSION_KEY_IMPERSONATE_USER,
@@ -83,7 +89,7 @@ LOGGER = get_logger()
 class UserGroupSerializer(ModelSerializer):
     """Simplified Group Serializer for user's groups"""
 
-    attributes = JSONDictField(required=False)
+    attributes = JSONField(required=False)
     parent_name = CharField(source="parent.name", read_only=True)
 
     class Meta:
@@ -104,7 +110,7 @@ class UserSerializer(ModelSerializer):
 
     is_superuser = BooleanField(read_only=True)
     avatar = CharField(read_only=True)
-    attributes = JSONDictField(required=False)
+    attributes = JSONField(validators=[is_dict], required=False)
     groups = PrimaryKeyRelatedField(
         allow_empty=True, many=True, source="ak_groups", queryset=Group.objects.all(), default=list
     )

authentik/core/api/utils.py

@@ -2,9 +2,6 @@
 from typing import Any
 
 from django.db.models import Model
-from drf_spectacular.extensions import OpenApiSerializerFieldExtension
-from drf_spectacular.plumbing import build_basic_type
-from drf_spectacular.types import OpenApiTypes
 from rest_framework.fields import CharField, IntegerField, JSONField
 from rest_framework.serializers import Serializer, SerializerMethodField, ValidationError
 
@@ -16,21 +13,6 @@ def is_dict(value: Any):
     raise ValidationError("Value must be a dictionary, and not have any duplicate keys.")
 
 
-class JSONDictField(JSONField):
-    """JSON Field which only allows dictionaries"""
-
-    default_validators = [is_dict]
-
-
-class JSONExtension(OpenApiSerializerFieldExtension):
-    """Generate API Schema for JSON fields as"""
-
-    target_class = "authentik.core.api.utils.JSONDictField"
-
-    def map_serializer_field(self, auto_schema, direction):
-        return build_basic_type(OpenApiTypes.OBJECT)
-
-
 class PassiveSerializer(Serializer):
     """Base serializer class which doesn't implement create/update methods"""
 
@@ -44,7 +26,7 @@ class PassiveSerializer(Serializer):
 class PropertyMappingPreviewSerializer(PassiveSerializer):
     """Preview how the current user is mapped via the property mappings selected in a provider"""
 
-    preview = JSONDictField(read_only=True)
+    preview = JSONField(read_only=True)
 
 
 class MetaNameSerializer(PassiveSerializer):

authentik/core/expression/evaluator.py

@@ -44,6 +44,7 @@ class PropertyMappingEvaluator(BaseEvaluator):
         if request:
             req.http_request = request
         self._context["request"] = req
+        req.context.update(**kwargs)
         self._context.update(**kwargs)
         self.dry_run = dry_run
 

authentik/core/migrations/0029_provider_invalidation_flow.py

@@ -1,26 +0,0 @@
-# Generated by Django 4.1.7 on 2023-03-24 13:21
-
-import django.db.models.deletion
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-    dependencies = [
-        ("authentik_flows", "0025_alter_flowstagebinding_evaluate_on_plan_and_more"),
-        ("authentik_core", "0028_provider_authentication_flow"),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name="provider",
-            name="invalidation_flow",
-            field=models.ForeignKey(
-                default=None,
-                help_text="Flow used ending the session from a provider.",
-                null=True,
-                on_delete=django.db.models.deletion.SET_DEFAULT,
-                related_name="provider_invalidation",
-                to="authentik_flows.flow",
-            ),
-        ),
-    ]

authentik/core/models.py

@@ -296,23 +296,14 @@ class Provider(SerializerModel):
         ),
         related_name="provider_authentication",
     )
+
     authorization_flow = models.ForeignKey(
         "authentik_flows.Flow",
-        # Set to cascade even though null is allowed, since most providers
-        # still require an authorization flow set
         on_delete=models.CASCADE,
         null=True,
         help_text=_("Flow used when authorizing this provider."),
         related_name="provider_authorization",
     )
-    invalidation_flow = models.ForeignKey(
-        "authentik_flows.Flow",
-        on_delete=models.SET_DEFAULT,
-        default=None,
-        null=True,
-        help_text=_("Flow used ending the session from a provider."),
-        related_name="provider_invalidation",
-    )
 
     property_mappings = models.ManyToManyField("PropertyMapping", default=None, blank=True)
 
@@ -526,7 +517,7 @@ class Source(ManagedModel, SerializerModel, PolicyBindingModel):
     objects = InheritanceManager()
 
     @property
-    def icon_url(self) -> Optional[str]:
+    def get_icon(self) -> Optional[str]:
         """Get the URL to the Icon. If the name is /static or
         starts with http it is returned as-is"""
         if not self.icon:

authentik/core/templates/if/end_session.html

@@ -0,0 +1,43 @@
+{% extends 'login/base_full.html' %}
+
+{% load static %}
+{% load i18n %}
+
+{% block title %}
+{% trans 'End session' %} - {{ tenant.branding_title }}
+{% endblock %}
+
+{% block card_title %}
+{% blocktrans with application=application.name %}
+You've logged out of {{ application }}.
+{% endblocktrans %}
+{% endblock %}
+
+{% block card %}
+<form method="POST" class="pf-c-form">
+    <p>
+        {% blocktrans with application=application.name branding_title=tenant.branding_title %}
+            You've logged out of {{ application }}. You can go back to the overview to launch another application, or log out of your {{ branding_title }} account.
+        {% endblocktrans %}
+    </p>
+
+    <a id="ak-back-home" href="{% url 'authentik_core:root-redirect' %}" class="pf-c-button pf-m-primary">
+        {% trans 'Go back to overview' %}
+    </a>
+
+    <a id="logout" href="{% url 'authentik_flows:default-invalidation' %}" class="pf-c-button pf-m-secondary">
+        {% blocktrans with branding_title=tenant.branding_title %}
+            Log out of {{ branding_title }}
+        {% endblocktrans %}
+    </a>
+
+    {% if application.get_launch_url %}
+    <a href="{{ application.get_launch_url }}" class="pf-c-button pf-m-secondary">
+        {% blocktrans with application=application.name %}
+            Log back into {{ application }}
+        {% endblocktrans %}
+    </a>
+    {% endif %}
+
+</form>
+{% endblock %}

authentik/core/templates/if/flow.html

@@ -27,7 +27,7 @@ window.authentik.flow = {
 
 {% block body %}
 <ak-message-container></ak-message-container>
-<ak-flow-executor flowSlug="{{ flow.slug }}">
+<ak-flow-executor>
     <ak-loading></ak-loading>
 </ak-flow-executor>
 {% endblock %}

authentik/core/urls.py

@@ -20,6 +20,7 @@ from authentik.core.api.users import UserViewSet
 from authentik.core.views import apps
 from authentik.core.views.debug import AccessDeniedView
 from authentik.core.views.interface import FlowInterfaceView, InterfaceView
+from authentik.core.views.session import EndSessionView
 from authentik.root.asgi_middleware import SessionMiddleware
 from authentik.root.messages.consumer import MessageConsumer
 from authentik.root.middleware import ChannelsLoggingMiddleware
@@ -54,6 +55,11 @@ urlpatterns = [
         ensure_csrf_cookie(FlowInterfaceView.as_view()),
         name="if-flow",
     ),
+    path(
+        "if/session-end/<slug:application_slug>/",
+        ensure_csrf_cookie(EndSessionView.as_view()),
+        name="if-session-end",
+    ),
     # Fallback for WS
     path("ws/outpost/<uuid:pk>/", InterfaceView.as_view(template_name="if/admin.html")),
     path(

authentik/core/views/session.py

@@ -0,0 +1,22 @@
+"""authentik Session Views"""
+from typing import Any
+
+from django.shortcuts import get_object_or_404
+from django.views.generic.base import TemplateView
+
+from authentik.core.models import Application
+from authentik.policies.views import PolicyAccessView
+
+
+class EndSessionView(TemplateView, PolicyAccessView):
+    """Allow the client to end the Session"""
+
+    template_name = "if/end_session.html"
+
+    def resolve_provider_application(self):
+        self.application = get_object_or_404(Application, slug=self.kwargs["application_slug"])
+
+    def get_context_data(self, **kwargs: Any) -> dict[str, Any]:
+        context = super().get_context_data(**kwargs)
+        context["application"] = self.application
+        return context

authentik/events/api/events.py

@@ -5,7 +5,7 @@ from json import loads
 import django_filters
 from django.db.models.aggregates import Count
 from django.db.models.fields.json import KeyTextTransform, KeyTransform
-from django.db.models.functions import ExtractDay, ExtractHour
+from django.db.models.functions import ExtractDay
 from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import OpenApiParameter, extend_schema
 from guardian.shortcuts import get_objects_for_user
@@ -149,15 +149,7 @@ class EventViewSet(ModelViewSet):
         return Response(EventTopPerUserSerializer(instance=events, many=True).data)
 
     @extend_schema(
-        responses={200: CoordinateSerializer(many=True)},
+        methods=["GET"],
-    )
-    @action(detail=False, methods=["GET"], pagination_class=None)
-    def volume(self, request: Request) -> Response:
-        """Get event volume for specified filters and timeframe"""
-        queryset = self.filter_queryset(self.get_queryset())
-        return Response(queryset.get_events_per(timedelta(days=7), ExtractHour, 7 * 3))
-
-    @extend_schema(
         responses={200: CoordinateSerializer(many=True)},
         filters=[],
         parameters=[

authentik/flows/challenge.py

@@ -121,18 +121,8 @@ class FlowErrorChallenge(Challenge):
 class AccessDeniedChallenge(WithUserInfoChallenge):
     """Challenge when a flow's active stage calls `stage_invalid()`."""
 
-    component = CharField(default="ak-stage-access-denied")
-
     error_message = CharField(required=False)
-
+    component = CharField(default="ak-stage-access-denied")
-
-class SessionEndChallenge(WithUserInfoChallenge):
-    """Challenge for ending a session"""
-
-    component = CharField(default="ak-stage-session-end")
-
-    application_name = CharField(required=True)
-    application_launch_url = CharField(required=False)
 
 
 class PermissionDict(TypedDict):

authentik/flows/models.py

@@ -105,9 +105,7 @@ class Stage(SerializerModel):
 
 
 def in_memory_stage(view: type["StageView"], **kwargs) -> Stage:
-    """Creates an in-memory stage instance, based on a `view` as view.
+    """Creates an in-memory stage instance, based on a `view` as view."""
-    Any key-word arguments are set as attributes on the stage object,
-    accessible via `self.executor.current_stage`."""
     stage = Stage()
     # Because we can't pickle a locally generated function,
     # we set the view as a separate property and reference a generic function

authentik/flows/planner.py

@@ -33,7 +33,7 @@ PLAN_CONTEXT_SOURCE = "source"
 # Is set by the Flow Planner when a FlowToken was used, and the currently active flow plan
 # was restored.
 PLAN_CONTEXT_IS_RESTORED = "is_restored"
-CACHE_TIMEOUT = CONFIG.get_int("cache.timeout_flows")
+CACHE_TIMEOUT = CONFIG.get_int("redis.cache_timeout_flows")
 CACHE_PREFIX = "goauthentik.io/flows/planner/"
 
 

authentik/flows/tests/test_executor.py

@@ -472,7 +472,6 @@ class TestFlowExecutor(FlowTestCase):
         ident_stage = IdentificationStage.objects.create(
             name="ident",
             user_fields=[UserFields.E_MAIL],
-            pretend_user_exists=False,
         )
         FlowStageBinding.objects.create(
             target=flow,

authentik/lib/avatars.py

@@ -154,15 +154,7 @@ def generate_avatar_from_name(
 
 def avatar_mode_generated(user: "User", mode: str) -> Optional[str]:
     """Wrapper that converts generated avatar to base64 svg"""
-    # By default generate based off of user's display name
+    svg = generate_avatar_from_name(user.name if user.name.strip() != "" else "a k")
-    name = user.name.strip()
-    if name == "":
-        # Fallback to username
-        name = user.username.strip()
-    # If we still don't have anything, fallback to `a k`
-    if name == "":
-        name = "a k"
-    svg = generate_avatar_from_name(name)
     return f"data:image/svg+xml;base64,{b64encode(svg.encode('utf-8')).decode('utf-8')}"
 
 

authentik/lib/config.py

@@ -1,6 +1,4 @@
 """authentik core config loader"""
-import base64
-import json
 import os
 from collections.abc import Mapping
 from contextlib import contextmanager
@@ -24,25 +22,6 @@ SEARCH_PATHS = ["authentik/lib/default.yml", "/etc/authentik/config.yml", ""] +
 ENV_PREFIX = "AUTHENTIK"
 ENVIRONMENT = os.getenv(f"{ENV_PREFIX}_ENV", "local")
 
-REDIS_ENV_KEYS = [
-    f"{ENV_PREFIX}_REDIS__HOST",
-    f"{ENV_PREFIX}_REDIS__PORT",
-    f"{ENV_PREFIX}_REDIS__DB",
-    f"{ENV_PREFIX}_REDIS__USERNAME",
-    f"{ENV_PREFIX}_REDIS__PASSWORD",
-    f"{ENV_PREFIX}_REDIS__TLS",
-    f"{ENV_PREFIX}_REDIS__TLS_REQS",
-]
-
-DEPRECATIONS = {
-    "redis.broker_url": "broker.url",
-    "redis.broker_transport_options": "broker.transport_options",
-    "redis.cache_timeout": "cache.timeout",
-    "redis.cache_timeout_flows": "cache.timeout_flows",
-    "redis.cache_timeout_policies": "cache.timeout_policies",
-    "redis.cache_timeout_reputation": "cache.timeout_reputation",
-}
-
 
 def get_path_from_dict(root: dict, path: str, sep=".", default=None) -> Any:
     """Recursively walk through `root`, checking each part of `path` separated by `sep`.
@@ -102,10 +81,6 @@ class AttrEncoder(JSONEncoder):
         return super().default(o)
 
 
-class UNSET:
-    """Used to test whether configuration key has not been set."""
-
-
 class ConfigLoader:
     """Search through SEARCH_PATHS and load configuration. Environment variables starting with
     `ENV_PREFIX` are also applied.
@@ -138,40 +113,6 @@ class ConfigLoader:
                         self.update_from_file(env_file)
         self.update_from_env()
         self.update(self.__config, kwargs)
-        self.check_deprecations()
-
-    def check_deprecations(self):
-        """Warn if any deprecated configuration options are used"""
-
-        def _pop_deprecated_key(current_obj, dot_parts, index):
-            """Recursive function to remove deprecated keys in configuration"""
-            dot_part = dot_parts[index]
-            if index == len(dot_parts) - 1:
-                return current_obj.pop(dot_part)
-            value = _pop_deprecated_key(current_obj[dot_part], dot_parts, index + 1)
-            if not current_obj[dot_part]:
-                current_obj.pop(dot_part)
-            return value
-
-        for deprecation, replacement in DEPRECATIONS.items():
-            if self.get(deprecation, default=UNSET) is not UNSET:
-                message = (
-                    f"'{deprecation}' has been deprecated in favor of '{replacement}'! "
-                    + "Please update your configuration."
-                )
-                self.log(
-                    "warning",
-                    message,
-                )
-                try:
-                    from authentik.events.models import Event, EventAction
-
-                    Event.new(EventAction.CONFIGURATION_ERROR, message=message).save()
-                except ImportError:
-                    continue
-
-                deprecated_attr = _pop_deprecated_key(self.__config, deprecation.split("."), 0)
-                self.set(replacement, deprecated_attr.value)
 
     def log(self, level: str, message: str, **kwargs):
         """Custom Log method, we want to ensure ConfigLoader always logs JSON even when
@@ -239,10 +180,6 @@ class ConfigLoader:
                 error=str(exc),
             )
 
-    def update_from_dict(self, update: dict):
-        """Update config from dict"""
-        self.__config.update(update)
-
     def update_from_env(self):
         """Check environment variables"""
         outer = {}
@@ -251,13 +188,19 @@ class ConfigLoader:
             if not key.startswith(ENV_PREFIX):
                 continue
             relative_key = key.replace(f"{ENV_PREFIX}_", "", 1).replace("__", ".").lower()
+            # Recursively convert path from a.b.c into outer[a][b][c]
+            current_obj = outer
+            dot_parts = relative_key.split(".")
+            for dot_part in dot_parts[:-1]:
+                if dot_part not in current_obj:
+                    current_obj[dot_part] = {}
+                current_obj = current_obj[dot_part]
             # Check if the value is json, and try to load it
             try:
                 value = loads(value)
             except JSONDecodeError:
                 pass
-            attr_value = Attr(value, Attr.Source.ENV, relative_key)
+            current_obj[dot_parts[-1]] = Attr(value, Attr.Source.ENV, key)
-            set_path_in_dict(outer, relative_key, attr_value)
             idx += 1
         if idx > 0:
             self.log("debug", "Loaded environment variables", count=idx)
@@ -298,23 +241,6 @@ class ConfigLoader:
         """Wrapper for get that converts value into boolean"""
         return str(self.get(path, default)).lower() == "true"
 
-    def get_dict_from_b64_json(self, path: str, default=None) -> dict:
-        """Wrapper for get that converts value from Base64 encoded string into dictionary"""
-        config_value = self.get(path)
-        if config_value is None:
-            return {}
-        try:
-            b64decoded_str = base64.b64decode(config_value).decode("utf-8")
-            b64decoded_str = b64decoded_str.strip().lstrip("{").rstrip("}")
-            b64decoded_str = "{" + b64decoded_str + "}"
-            return json.loads(b64decoded_str)
-        except (JSONDecodeError, TypeError, ValueError) as exc:
-            self.log(
-                "warning",
-                f"Ignored invalid configuration for '{path}' due to exception: {str(exc)}",
-            )
-            return default if isinstance(default, dict) else {}
-
     def set(self, path: str, value: Any, sep="."):
         """Set value using same syntax as get()"""
         set_path_in_dict(self.raw, path, Attr(value), sep=sep)

authentik/lib/default.yml

@@ -8,8 +8,6 @@ postgresql:
   password: "env://POSTGRES_PASSWORD"
   use_pgbouncer: false
   use_pgpool: false
-  test:
-    name: test_authentik
 
 listen:
   listen_http: 0.0.0.0:9000
@@ -30,28 +28,14 @@ listen:
 redis:
   host: localhost
   port: 6379
-  db: 0
-  username: ""
   password: ""
   tls: false
   tls_reqs: "none"
-
+  db: 0
-# broker:
+  cache_timeout: 300
-  # url: ""
+  cache_timeout_flows: 300
-  # transport_options: ""
+  cache_timeout_policies: 300
-
+  cache_timeout_reputation: 300
-cache:
-  # url: ""
-  timeout: 300
-  timeout_flows: 300
-  timeout_policies: 300
-  timeout_reputation: 300
-
-# channel:
-  # url: ""
-
-# result_backend:
-  # url: ""
 
 paths:
   media: ./media

authentik/lib/tests/test_config.py

@@ -1,32 +1,20 @@
 """Test config loader"""
-import base64
-from json import dumps
 from os import chmod, environ, unlink, write
 from tempfile import mkstemp
-from unittest import mock
 
 from django.conf import ImproperlyConfigured
 from django.test import TestCase
 
-from authentik.lib.config import ENV_PREFIX, UNSET, Attr, AttrEncoder, ConfigLoader
+from authentik.lib.config import ENV_PREFIX, ConfigLoader
 
 
 class TestConfig(TestCase):
     """Test config loader"""
 
-    check_deprecations_env_vars = {
-        ENV_PREFIX + "_REDIS__BROKER_URL": "redis://myredis:8327/43",
-        ENV_PREFIX + "_REDIS__BROKER_TRANSPORT_OPTIONS": "bWFzdGVybmFtZT1teW1hc3Rlcg==",
-        ENV_PREFIX + "_REDIS__CACHE_TIMEOUT": "124s",
-        ENV_PREFIX + "_REDIS__CACHE_TIMEOUT_FLOWS": "32m",
-        ENV_PREFIX + "_REDIS__CACHE_TIMEOUT_POLICIES": "3920ns",
-        ENV_PREFIX + "_REDIS__CACHE_TIMEOUT_REPUTATION": "298382us",
-    }
-
-    @mock.patch.dict(environ, {ENV_PREFIX + "_test__test": "bar"})
     def test_env(self):
         """Test simple instance"""
         config = ConfigLoader()
+        environ[ENV_PREFIX + "_test__test"] = "bar"
         config.update_from_env()
         self.assertEqual(config.get("test.test"), "bar")
 
@@ -39,20 +27,12 @@ class TestConfig(TestCase):
             self.assertEqual(config.get("foo.bar"), "baz")
         self.assertEqual(config.get("foo.bar"), "bar")
 
-    @mock.patch.dict(environ, {"foo": "bar"})
     def test_uri_env(self):
         """Test URI parsing (environment)"""
         config = ConfigLoader()
-        foo_uri = "env://foo"
+        environ["foo"] = "bar"
-        foo_parsed = config.parse_uri(foo_uri)
+        self.assertEqual(config.parse_uri("env://foo").value, "bar")
-        self.assertEqual(foo_parsed.value, "bar")
+        self.assertEqual(config.parse_uri("env://foo?bar").value, "bar")
-        self.assertEqual(foo_parsed.source_type, Attr.Source.URI)
-        self.assertEqual(foo_parsed.source, foo_uri)
-        foo_bar_uri = "env://foo?bar"
-        foo_bar_parsed = config.parse_uri(foo_bar_uri)
-        self.assertEqual(foo_bar_parsed.value, "bar")
-        self.assertEqual(foo_bar_parsed.source_type, Attr.Source.URI)
-        self.assertEqual(foo_bar_parsed.source, foo_bar_uri)
 
     def test_uri_file(self):
         """Test URI parsing (file load)"""
@@ -111,60 +91,3 @@ class TestConfig(TestCase):
         config = ConfigLoader()
         config.set("foo", "bar")
         self.assertEqual(config.get_int("foo", 1234), 1234)
-
-    def test_get_dict_from_b64_json(self):
-        """Test get_dict_from_b64_json"""
-        config = ConfigLoader()
-        test_value = '  { "foo": "bar"   }   '.encode("utf-8")
-        b64_value = base64.b64encode(test_value)
-        config.set("foo", b64_value)
-        self.assertEqual(config.get_dict_from_b64_json("foo"), {"foo": "bar"})
-
-    def test_get_dict_from_b64_json_missing_brackets(self):
-        """Test get_dict_from_b64_json with missing brackets"""
-        config = ConfigLoader()
-        test_value = ' "foo": "bar"     '.encode("utf-8")
-        b64_value = base64.b64encode(test_value)
-        config.set("foo", b64_value)
-        self.assertEqual(config.get_dict_from_b64_json("foo"), {"foo": "bar"})
-
-    def test_get_dict_from_b64_json_invalid(self):
-        """Test get_dict_from_b64_json with invalid value"""
-        config = ConfigLoader()
-        config.set("foo", "bar")
-        self.assertEqual(config.get_dict_from_b64_json("foo"), {})
-
-    def test_attr_json_encoder(self):
-        """Test AttrEncoder"""
-        test_attr = Attr("foo", Attr.Source.ENV, "AUTHENTIK_REDIS__USERNAME")
-        json_attr = dumps(test_attr, indent=4, cls=AttrEncoder)
-        self.assertEqual(json_attr, '"foo"')
-
-    def test_attr_json_encoder_no_attr(self):
-        """Test AttrEncoder if no Attr is passed"""
-
-        class Test:
-            """Non Attr class"""
-
-        with self.assertRaises(TypeError):
-            test_obj = Test()
-            dumps(test_obj, indent=4, cls=AttrEncoder)
-
-    @mock.patch.dict(environ, check_deprecations_env_vars)
-    def test_check_deprecations(self):
-        """Test config key re-write for deprecated env vars"""
-        config = ConfigLoader()
-        config.update_from_env()
-        config.check_deprecations()
-        self.assertEqual(config.get("redis.broker_url", UNSET), UNSET)
-        self.assertEqual(config.get("redis.broker_transport_options", UNSET), UNSET)
-        self.assertEqual(config.get("redis.cache_timeout", UNSET), UNSET)
-        self.assertEqual(config.get("redis.cache_timeout_flows", UNSET), UNSET)
-        self.assertEqual(config.get("redis.cache_timeout_policies", UNSET), UNSET)
-        self.assertEqual(config.get("redis.cache_timeout_reputation", UNSET), UNSET)
-        self.assertEqual(config.get("broker.url"), "redis://myredis:8327/43")
-        self.assertEqual(config.get("broker.transport_options"), "bWFzdGVybmFtZT1teW1hc3Rlcg==")
-        self.assertEqual(config.get("cache.timeout"), "124s")
-        self.assertEqual(config.get("cache.timeout_flows"), "32m")
-        self.assertEqual(config.get("cache.timeout_policies"), "3920ns")
-        self.assertEqual(config.get("cache.timeout_reputation"), "298382us")

authentik/outposts/api/outposts.py

@@ -9,16 +9,16 @@ from rest_framework.fields import BooleanField, CharField, DateTimeField
 from rest_framework.relations import PrimaryKeyRelatedField
 from rest_framework.request import Request
 from rest_framework.response import Response
-from rest_framework.serializers import ModelSerializer, ValidationError
+from rest_framework.serializers import JSONField, ModelSerializer, ValidationError
 from rest_framework.viewsets import ModelViewSet
 
 from authentik import get_build_hash
 from authentik.core.api.providers import ProviderSerializer
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import JSONDictField, PassiveSerializer
+from authentik.core.api.utils import PassiveSerializer, is_dict
 from authentik.core.models import Provider
 from authentik.outposts.api.service_connections import ServiceConnectionSerializer
-from authentik.outposts.apps import MANAGED_OUTPOST
+from authentik.outposts.apps import MANAGED_OUTPOST, MANAGED_OUTPOST_NAME
 from authentik.outposts.models import (
     Outpost,
     OutpostConfig,
@@ -34,7 +34,7 @@ from authentik.providers.radius.models import RadiusProvider
 class OutpostSerializer(ModelSerializer):
     """Outpost Serializer"""
 
-    config = JSONDictField(source="_config")
+    config = JSONField(validators=[is_dict], source="_config")
     # Need to set allow_empty=True for the embedded outpost with no providers
     # is checked for other providers in the API Viewset
     providers = PrimaryKeyRelatedField(
@@ -47,6 +47,16 @@ class OutpostSerializer(ModelSerializer):
         source="service_connection", read_only=True
     )
 
+    def validate_name(self, name: str) -> str:
+        """Validate name (especially for embedded outpost)"""
+        if not self.instance:
+            return name
+        if self.instance.managed == MANAGED_OUTPOST and name != MANAGED_OUTPOST_NAME:
+            raise ValidationError("Embedded outpost's name cannot be changed")
+        if self.instance.name == MANAGED_OUTPOST_NAME:
+            self.instance.managed = MANAGED_OUTPOST
+        return name
+
     def validate_providers(self, providers: list[Provider]) -> list[Provider]:
         """Check that all providers match the type of the outpost"""
         type_map = {
@@ -95,7 +105,7 @@ class OutpostSerializer(ModelSerializer):
 class OutpostDefaultConfigSerializer(PassiveSerializer):
     """Global default outpost config"""
 
-    config = JSONDictField(read_only=True)
+    config = JSONField(read_only=True)
 
 
 class OutpostHealthSerializer(PassiveSerializer):

authentik/outposts/apps.py

@@ -15,6 +15,7 @@ GAUGE_OUTPOSTS_LAST_UPDATE = Gauge(
     ["outpost", "uid", "version"],
 )
 MANAGED_OUTPOST = "goauthentik.io/outposts/embedded"
+MANAGED_OUTPOST_NAME = "authentik Embedded Outpost"
 
 
 class AuthentikOutpostConfig(ManagedAppConfig):
@@ -35,14 +36,17 @@ class AuthentikOutpostConfig(ManagedAppConfig):
             DockerServiceConnection,
             KubernetesServiceConnection,
             Outpost,
-            OutpostConfig,
             OutpostType,
         )
 
+        if outpost := Outpost.objects.filter(name=MANAGED_OUTPOST_NAME, managed="").first():
+            outpost.managed = MANAGED_OUTPOST
+            outpost.save()
+            return
         outpost, updated = Outpost.objects.update_or_create(
             defaults={
-                "name": "authentik Embedded Outpost",
                 "type": OutpostType.PROXY,
+                "name": MANAGED_OUTPOST_NAME,
             },
             managed=MANAGED_OUTPOST,
         )
@@ -51,10 +55,4 @@ class AuthentikOutpostConfig(ManagedAppConfig):
                 outpost.service_connection = KubernetesServiceConnection.objects.first()
             elif DockerServiceConnection.objects.exists():
                 outpost.service_connection = DockerServiceConnection.objects.first()
-            outpost.config = OutpostConfig(
-                kubernetes_disabled_components=[
-                    "deployment",
-                    "secret",
-                ]
-            )
             outpost.save()

authentik/outposts/consumer.py

@@ -93,7 +93,7 @@ class OutpostConsumer(AuthJsonConsumer):
                 expected=self.outpost.config.kubernetes_replicas,
             ).dec()
 
-    def receive_json(self, content: Data, **kwargs):
+    def receive_json(self, content: Data):
         msg = from_dict(WebsocketMessage, content)
         uid = msg.args.get("uuid", self.channel_name)
         self.last_uid = uid

authentik/outposts/controllers/k8s/deployment.py

@@ -43,6 +43,10 @@ class DeploymentReconciler(KubernetesObjectReconciler[V1Deployment]):
         self.api = AppsV1Api(controller.client)
         self.outpost = self.controller.outpost
 
+    @property
+    def noop(self) -> bool:
+        return self.is_embedded
+
     @staticmethod
     def reconciler_name() -> str:
         return "deployment"

authentik/outposts/controllers/k8s/secret.py

@@ -24,6 +24,10 @@ class SecretReconciler(KubernetesObjectReconciler[V1Secret]):
         super().__init__(controller)
         self.api = CoreV1Api(controller.client)
 
+    @property
+    def noop(self) -> bool:
+        return self.is_embedded
+
     @staticmethod
     def reconciler_name() -> str:
         return "secret"

authentik/outposts/controllers/k8s/service_monitor.py

@@ -77,7 +77,10 @@ class PrometheusServiceMonitorReconciler(KubernetesObjectReconciler[PrometheusSe
 
     @property
     def noop(self) -> bool:
-        return (not self._crd_exists()) or (self.is_embedded)
+        if not self._crd_exists():
+            self.logger.debug("CRD doesn't exist")
+            return True
+        return self.is_embedded
 
     def _crd_exists(self) -> bool:
         """Check if the Prometheus ServiceMonitor exists"""

authentik/outposts/tests/test_api.py

@@ -2,11 +2,13 @@
 from django.urls import reverse
 from rest_framework.test import APITestCase
 
+from authentik.blueprints.tests import reconcile_app
 from authentik.core.models import PropertyMapping
 from authentik.core.tests.utils import create_test_admin_user, create_test_flow
 from authentik.lib.generators import generate_id
 from authentik.outposts.api.outposts import OutpostSerializer
-from authentik.outposts.models import OutpostType, default_outpost_config
+from authentik.outposts.apps import MANAGED_OUTPOST
+from authentik.outposts.models import Outpost, OutpostType, default_outpost_config
 from authentik.providers.ldap.models import LDAPProvider
 from authentik.providers.proxy.models import ProxyProvider
 
@@ -22,7 +24,36 @@ class TestOutpostServiceConnectionsAPI(APITestCase):
         self.user = create_test_admin_user()
         self.client.force_login(self.user)
 
-    def test_outpost_validaton(self):
+    @reconcile_app("authentik_outposts")
+    def test_managed_name_change(self):
+        """Test name change for embedded outpost"""
+        embedded_outpost = Outpost.objects.filter(managed=MANAGED_OUTPOST).first()
+        self.assertIsNotNone(embedded_outpost)
+        response = self.client.patch(
+            reverse("authentik_api:outpost-detail", kwargs={"pk": embedded_outpost.pk}),
+            {"name": "foo"},
+        )
+        self.assertEqual(response.status_code, 400)
+        self.assertJSONEqual(
+            response.content, {"name": ["Embedded outpost's name cannot be changed"]}
+        )
+
+    @reconcile_app("authentik_outposts")
+    def test_managed_without_managed(self):
+        """Test name change for embedded outpost"""
+        embedded_outpost = Outpost.objects.filter(managed=MANAGED_OUTPOST).first()
+        self.assertIsNotNone(embedded_outpost)
+        embedded_outpost.managed = ""
+        embedded_outpost.save()
+        response = self.client.patch(
+            reverse("authentik_api:outpost-detail", kwargs={"pk": embedded_outpost.pk}),
+            {"name": "foo"},
+        )
+        self.assertEqual(response.status_code, 200)
+        embedded_outpost.refresh_from_db()
+        self.assertEqual(embedded_outpost.managed, MANAGED_OUTPOST)
+
+    def test_outpost_validation(self):
         """Test Outpost validation"""
         valid = OutpostSerializer(
             data={

authentik/policies/api/exec.py

@@ -1,8 +1,8 @@
 """Serializer for policy execution"""
-from rest_framework.fields import BooleanField, CharField, DictField, ListField
+from rest_framework.fields import BooleanField, CharField, DictField, JSONField, ListField
 from rest_framework.relations import PrimaryKeyRelatedField
 
-from authentik.core.api.utils import JSONDictField, PassiveSerializer
+from authentik.core.api.utils import PassiveSerializer, is_dict
 from authentik.core.models import User
 
 
@@ -10,7 +10,7 @@ class PolicyTestSerializer(PassiveSerializer):
     """Test policy execution for a user with context"""
 
     user = PrimaryKeyRelatedField(queryset=User.objects.all())
-    context = JSONDictField(required=False)
+    context = JSONField(required=False, validators=[is_dict])
 
 
 class PolicyTestResultSerializer(PassiveSerializer):

authentik/policies/process.py

@@ -20,7 +20,7 @@ from authentik.policies.types import CACHE_PREFIX, PolicyRequest, PolicyResult
 LOGGER = get_logger()
 
 FORK_CTX = get_context("fork")
-CACHE_TIMEOUT = CONFIG.get_int("cache.timeout_policies")
+CACHE_TIMEOUT = CONFIG.get_int("redis.cache_timeout_policies")
 PROCESS_CLASS = FORK_CTX.Process
 
 

authentik/policies/reputation/signals.py

@@ -13,7 +13,7 @@ from authentik.policies.reputation.tasks import save_reputation
 from authentik.stages.identification.signals import identification_failed
 
 LOGGER = get_logger()
-CACHE_TIMEOUT = CONFIG.get_int("cache.timeout_reputation")
+CACHE_TIMEOUT = CONFIG.get_int("redis.cache_timeout_reputation")
 
 
 def update_score(request: HttpRequest, identifier: str, amount: int):

authentik/providers/oauth2/migrations/0017_accesstoken_session_id_authorizationcode_session_id_and_more.py

@@ -0,0 +1,27 @@
+# Generated by Django 5.0 on 2023-12-22 23:20
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("authentik_providers_oauth2", "0016_alter_refreshtoken_token"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="accesstoken",
+            name="session_id",
+            field=models.CharField(blank=True, default=""),
+        ),
+        migrations.AddField(
+            model_name="authorizationcode",
+            name="session_id",
+            field=models.CharField(blank=True, default=""),
+        ),
+        migrations.AddField(
+            model_name="refreshtoken",
+            name="session_id",
+            field=models.CharField(blank=True, default=""),
+        ),
+    ]

authentik/providers/oauth2/models.py

@@ -296,6 +296,7 @@ class BaseGrantModel(models.Model):
     revoked = models.BooleanField(default=False)
     _scope = models.TextField(default="", verbose_name=_("Scopes"))
     auth_time = models.DateTimeField(verbose_name="Authentication time")
+    session_id = models.CharField(default="", blank=True)
 
     @property
     def scope(self) -> list[str]:

authentik/providers/oauth2/tests/test_authorize.py

@@ -85,6 +85,25 @@ class TestAuthorize(OAuthTestCase):
             )
             OAuthAuthorizationParams.from_request(request)
 
+    def test_blocked_redirect_uri(self):
+        """test missing/invalid redirect URI"""
+        OAuth2Provider.objects.create(
+            name=generate_id(),
+            client_id="test",
+            authorization_flow=create_test_flow(),
+            redirect_uris="data:local.invalid",
+        )
+        with self.assertRaises(RedirectUriError):
+            request = self.factory.get(
+                "/",
+                data={
+                    "response_type": "code",
+                    "client_id": "test",
+                    "redirect_uri": "data:localhost",
+                },
+            )
+            OAuthAuthorizationParams.from_request(request)
+
     def test_invalid_redirect_uri_empty(self):
         """test missing/invalid redirect URI"""
         provider = OAuth2Provider.objects.create(

authentik/providers/oauth2/urls.py

@@ -11,7 +11,6 @@ from authentik.providers.oauth2.api.tokens import (
 )
 from authentik.providers.oauth2.views.authorize import AuthorizationFlowInitView
 from authentik.providers.oauth2.views.device_backchannel import DeviceView
-from authentik.providers.oauth2.views.end_session import EndSessionView
 from authentik.providers.oauth2.views.introspection import TokenIntrospectionView
 from authentik.providers.oauth2.views.jwks import JWKSView
 from authentik.providers.oauth2.views.provider import ProviderInfoView
@@ -44,7 +43,7 @@ urlpatterns = [
     ),
     path(
         "<slug:application_slug>/end-session/",
-        EndSessionView.as_view(),
+        RedirectView.as_view(pattern_name="authentik_core:if-session-end", query_string=True),
         name="end-session",
     ),
     path("<slug:application_slug>/jwks/", JWKSView.as_view(), name="jwks"),

authentik/providers/oauth2/views/authorize.py

@@ -1,6 +1,7 @@
 """authentik OAuth2 Authorization views"""
 from dataclasses import dataclass, field
 from datetime import timedelta
+from hashlib import sha256
 from json import dumps
 from re import error as RegexError
 from re import fullmatch
@@ -74,6 +75,7 @@ PLAN_CONTEXT_PARAMS = "goauthentik.io/providers/oauth2/params"
 SESSION_KEY_LAST_LOGIN_UID = "authentik/providers/oauth2/last_login_uid"
 
 ALLOWED_PROMPT_PARAMS = {PROMPT_NONE, PROMPT_CONSENT, PROMPT_LOGIN}
+FORBIDDEN_URI_SCHEMES = {"javascript", "data", "vbscript"}
 
 
 @dataclass(slots=True)
@@ -174,6 +176,10 @@ class OAuthAuthorizationParams:
         self.check_scope()
         self.check_nonce()
         self.check_code_challenge()
+        if self.request:
+            raise AuthorizeError(
+                self.redirect_uri, "request_not_supported", self.grant_type, self.state
+            )
 
     def check_redirect_uri(self):
         """Redirect URI validation."""
@@ -211,10 +217,9 @@ class OAuthAuthorizationParams:
                     expected=allowed_redirect_urls,
                 )
                 raise RedirectUriError(self.redirect_uri, allowed_redirect_urls)
-        if self.request:
+        # Check against forbidden schemes
-            raise AuthorizeError(
+        if urlparse(self.redirect_uri).scheme in FORBIDDEN_URI_SCHEMES:
-                self.redirect_uri, "request_not_supported", self.grant_type, self.state
+            raise RedirectUriError(self.redirect_uri, allowed_redirect_urls)
-            )
 
     def check_scope(self):
         """Ensure openid scope is set in Hybrid flows, or when requesting an id_token"""
@@ -282,6 +287,7 @@ class OAuthAuthorizationParams:
             expires=now + timedelta_from_string(self.provider.access_code_validity),
             scope=self.scope,
             nonce=self.nonce,
+            session_id=sha256(request.session.session_key.encode("ascii")).hexdigest(),
         )
 
         if self.code_challenge and self.code_challenge_method:
@@ -569,6 +575,7 @@ class OAuthFulfillmentStage(StageView):
             expires=access_token_expiry,
             provider=self.provider,
             auth_time=auth_event.created if auth_event else now,
+            session_id=sha256(self.request.session.session_key.encode("ascii")).hexdigest(),
         )
 
         id_token = IDToken.new(self.provider, token, self.request)

authentik/providers/oauth2/views/end_session.py

@@ -1,39 +0,0 @@
-"""oauth2 provider end_session Views"""
-from django.http import Http404, HttpRequest, HttpResponse
-from django.shortcuts import get_object_or_404
-
-from authentik.core.models import Application
-from authentik.flows.challenge import SessionEndChallenge
-from authentik.flows.models import in_memory_stage
-from authentik.flows.planner import PLAN_CONTEXT_APPLICATION, FlowPlanner
-from authentik.flows.views.executor import SESSION_KEY_PLAN
-from authentik.lib.utils.urls import redirect_with_qs
-from authentik.policies.views import PolicyAccessView
-
-
-class EndSessionView(PolicyAccessView):
-    """Redirect to application's provider's invalidation flow"""
-
-    def resolve_provider_application(self):
-        self.application = get_object_or_404(Application, slug=self.kwargs["application_slug"])
-        self.provider = self.application.get_provider()
-        if not self.provider or not self.provider.invalidation_flow:
-            raise Http404
-
-    def get(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
-        """Dispatch the flow planner for the invalidation flow"""
-        planner = FlowPlanner(self.provider.invalidation_flow)
-        planner.allow_empty_flows = True
-        plan = planner.plan(
-            request,
-            {
-                PLAN_CONTEXT_APPLICATION: self.application,
-            },
-        )
-        plan.insert_stage(in_memory_stage(SessionEndChallenge))
-        request.session[SESSION_KEY_PLAN] = plan
-        return redirect_with_qs(
-            "authentik_core:if-flow",
-            self.request.GET,
-            flow_slug=self.provider.invalidation_flow.slug,
-        )

authentik/providers/oauth2/views/token.py

@@ -6,6 +6,7 @@ from hashlib import sha256
 from re import error as RegexError
 from re import fullmatch
 from typing import Any, Optional
+from urllib.parse import urlparse
 
 from django.http import HttpRequest, HttpResponse
 from django.utils import timezone
@@ -54,6 +55,7 @@ from authentik.providers.oauth2.models import (
     RefreshToken,
 )
 from authentik.providers.oauth2.utils import TokenResponse, cors_allow, extract_client_auth
+from authentik.providers.oauth2.views.authorize import FORBIDDEN_URI_SCHEMES
 from authentik.sources.oauth.models import OAuthSource
 from authentik.stages.password.stage import PLAN_CONTEXT_METHOD, PLAN_CONTEXT_METHOD_ARGS
 
@@ -205,6 +207,10 @@ class TokenParams:
                 ).from_http(request)
                 raise TokenError("invalid_client")
 
+        # Check against forbidden schemes
+        if urlparse(self.redirect_uri).scheme in FORBIDDEN_URI_SCHEMES:
+            raise TokenError("invalid_request")
+
         self.authorization_code = AuthorizationCode.objects.filter(code=raw_code).first()
         if not self.authorization_code:
             LOGGER.warning("Code does not exist", code=raw_code)
@@ -487,6 +493,7 @@ class TokenView(View):
             # Keep same scopes as previous token
             scope=self.params.authorization_code.scope,
             auth_time=self.params.authorization_code.auth_time,
+            session_id=self.params.authorization_code.session_id,
         )
         access_token.id_token = IDToken.new(
             self.provider,
@@ -502,6 +509,7 @@ class TokenView(View):
             expires=refresh_token_expiry,
             provider=self.provider,
             auth_time=self.params.authorization_code.auth_time,
+            session_id=self.params.authorization_code.session_id,
         )
         id_token = IDToken.new(
             self.provider,
@@ -539,6 +547,7 @@ class TokenView(View):
             # Keep same scopes as previous token
             scope=self.params.refresh_token.scope,
             auth_time=self.params.refresh_token.auth_time,
+            session_id=self.params.refresh_token.session_id,
         )
         access_token.id_token = IDToken.new(
             self.provider,
@@ -554,6 +563,7 @@ class TokenView(View):
             expires=refresh_token_expiry,
             provider=self.provider,
             auth_time=self.params.refresh_token.auth_time,
+            session_id=self.params.refresh_token.session_id,
         )
         id_token = IDToken.new(
             self.provider,

authentik/providers/proxy/tasks.py

@@ -1,4 +1,6 @@
 """proxy provider tasks"""
+from hashlib import sha256
+
 from asgiref.sync import async_to_sync
 from channels.layers import get_channel_layer
 from django.db import DatabaseError, InternalError, ProgrammingError
@@ -23,6 +25,7 @@ def proxy_set_defaults():
 def proxy_on_logout(session_id: str):
     """Update outpost instances connected to a single outpost"""
     layer = get_channel_layer()
+    hashed_session_id = sha256(session_id.encode("ascii")).hexdigest()
     for outpost in Outpost.objects.filter(type=OutpostType.PROXY):
         group = OUTPOST_GROUP % {"outpost_pk": str(outpost.pk)}
         async_to_sync(layer.group_send)(
@@ -30,6 +33,6 @@ def proxy_on_logout(session_id: str):
             {
                 "type": "event.provider.specific",
                 "sub_type": "logout",
-                "session_id": session_id,
+                "session_id": hashed_session_id,
             },
         )

authentik/providers/saml/api/providers.py

@@ -171,9 +171,6 @@ class SAMLProviderImportSerializer(PassiveSerializer):
     authorization_flow = PrimaryKeyRelatedField(
         queryset=Flow.objects.filter(designation=FlowDesignation.AUTHORIZATION),
     )
-    invalidation_flow = PrimaryKeyRelatedField(
-        queryset=Flow.objects.filter(designation=FlowDesignation.INVALIDATION),
-    )
     file = FileField()
 
 
@@ -263,9 +260,7 @@ class SAMLProviderViewSet(UsedByMixin, ModelViewSet):
         try:
             metadata = ServiceProviderMetadataParser().parse(file.read().decode())
             metadata.to_provider(
-                data.validated_data["name"],
+                data.validated_data["name"], data.validated_data["authorization_flow"]
-                data.validated_data["authorization_flow"],
-                data.validated_data["invalidation_flow"],
             )
         except ValueError as exc:  # pragma: no cover
             LOGGER.warning(str(exc))

authentik/providers/saml/processors/metadata_parser.py

@@ -49,13 +49,12 @@ class ServiceProviderMetadata:
 
     signing_keypair: Optional[CertificateKeyPair] = None
 
-    def to_provider(self, name: str, authorization_flow: Flow, invalidation_flow: Flow) -> SAMLProvider:
+    def to_provider(self, name: str, authorization_flow: Flow) -> SAMLProvider:
         """Create a SAMLProvider instance from the details. `name` is required,
         as depending on the metadata CertificateKeypairs might have to be created."""
         provider = SAMLProvider.objects.create(
             name=name,
             authorization_flow=authorization_flow,
-            invalidation_flow=invalidation_flow
         )
         provider.issuer = self.entity_id
         provider.sp_binding = self.acs_binding

authentik/providers/saml/views/slo.py

@@ -3,7 +3,7 @@ from typing import Optional
 
 from django.http import HttpRequest
 from django.http.response import HttpResponse
-from django.shortcuts import get_object_or_404
+from django.shortcuts import get_object_or_404, redirect
 from django.utils.decorators import method_decorator
 from django.views.decorators.clickjacking import xframe_options_sameorigin
 from django.views.decorators.csrf import csrf_exempt
@@ -11,11 +11,6 @@ from structlog.stdlib import get_logger
 
 from authentik.core.models import Application
 from authentik.events.models import Event, EventAction
-from authentik.flows.challenge import SessionEndChallenge
-from authentik.flows.models import in_memory_stage
-from authentik.flows.planner import PLAN_CONTEXT_APPLICATION, FlowPlanner
-from authentik.flows.views.executor import SESSION_KEY_PLAN
-from authentik.lib.utils.urls import redirect_with_qs
 from authentik.lib.views import bad_request_message
 from authentik.policies.views import PolicyAccessView
 from authentik.providers.saml.exceptions import CannotHandleAssertion
@@ -51,20 +46,9 @@ class SAMLSLOView(PolicyAccessView):
         method_response = self.check_saml_request()
         if method_response:
             return method_response
-        planner = FlowPlanner(self.provider.invalidation_flow)
+        return redirect(
-        planner.allow_empty_flows = True
+            "authentik_core:if-session-end",
-        plan = planner.plan(
+            application_slug=self.kwargs["application_slug"],
-            request,
-            {
-                PLAN_CONTEXT_APPLICATION: self.application,
-            },
-        )
-        plan.insert_stage(in_memory_stage(SessionEndChallenge))
-        request.session[SESSION_KEY_PLAN] = plan
-        return redirect_with_qs(
-            "authentik_core:if-flow",
-            self.request.GET,
-            flow_slug=self.provider.invalidation_flow.slug,
         )
 
     def post(self, request: HttpRequest, application_slug: str) -> HttpResponse:

authentik/rbac/api/rbac_roles.py

@@ -24,7 +24,10 @@ class ExtraRoleObjectPermissionSerializer(RoleObjectPermissionSerializer):
 
     def get_app_label_verbose(self, instance: GroupObjectPermission) -> str:
         """Get app label from permission's model"""
-        return apps.get_app_config(instance.content_type.app_label).verbose_name
+        try:
+            return apps.get_app_config(instance.content_type.app_label).verbose_name
+        except LookupError:
+            return instance.content_type.app_label
 
     def get_model_verbose(self, instance: GroupObjectPermission) -> str:
         """Get model label from permission's model"""

authentik/rbac/api/rbac_users.py

@@ -24,7 +24,10 @@ class ExtraUserObjectPermissionSerializer(UserObjectPermissionSerializer):
 
     def get_app_label_verbose(self, instance: UserObjectPermission) -> str:
         """Get app label from permission's model"""
-        return apps.get_app_config(instance.content_type.app_label).verbose_name
+        try:
+            return apps.get_app_config(instance.content_type.app_label).verbose_name
+        except LookupError:
+            return instance.content_type.app_label
 
     def get_model_verbose(self, instance: UserObjectPermission) -> str:
         """Get model label from permission's model"""

authentik/root/sessions/pickle.py

@@ -1,22 +0,0 @@
-"""
-Module for abstract serializer/unserializer base classes.
-"""
-import pickle  # nosec
-
-
-class PickleSerializer:
-    """
-    Simple wrapper around pickle to be used in signing.dumps()/loads() and
-    cache backends.
-    """
-
-    def __init__(self, protocol=None):
-        self.protocol = pickle.HIGHEST_PROTOCOL if protocol is None else protocol
-
-    def dumps(self, obj):
-        """Pickle data to be stored in redis"""
-        return pickle.dumps(obj, self.protocol)
-
-    def loads(self, data):
-        """Unpickle data to be loaded from redis"""
-        return pickle.loads(data)  # nosec

authentik/root/settings.py

@@ -1,4 +1,5 @@
 """root settings for authentik"""
+
 import importlib
 import os
 from hashlib import sha512
@@ -138,7 +139,6 @@ SPECTACULAR_SETTINGS = {
         "EventActions": "authentik.events.models.EventAction",
         "ChallengeChoices": "authentik.flows.challenge.ChallengeTypes",
         "FlowDesignationEnum": "authentik.flows.models.FlowDesignation",
-        "FlowLayoutEnum": "authentik.flows.models.FlowLayout",
         "PolicyEngineMode": "authentik.policies.models.PolicyEngineMode",
         "ProxyMode": "authentik.providers.proxy.models.ProxyMode",
         "PromptTypeEnum": "authentik.stages.prompt.models.FieldTypes",
@@ -195,8 +195,8 @@ _redis_url = (
 CACHES = {
     "default": {
         "BACKEND": "django_redis.cache.RedisCache",
-        "LOCATION": CONFIG.get("cache.url") or f"{_redis_url}/{CONFIG.get('redis.db')}",
+        "LOCATION": f"{_redis_url}/{CONFIG.get('redis.db')}",
-        "TIMEOUT": CONFIG.get_int("cache.timeout", 300),
+        "TIMEOUT": CONFIG.get_int("redis.cache_timeout", 300),
         "OPTIONS": {"CLIENT_CLASS": "django_redis.client.DefaultClient"},
         "KEY_PREFIX": "authentik_cache",
     }
@@ -205,7 +205,7 @@ DJANGO_REDIS_SCAN_ITERSIZE = 1000
 DJANGO_REDIS_IGNORE_EXCEPTIONS = True
 DJANGO_REDIS_LOG_IGNORED_EXCEPTIONS = True
 SESSION_ENGINE = "django.contrib.sessions.backends.cache"
-SESSION_SERIALIZER = "authentik.root.sessions.pickle.PickleSerializer"
+SESSION_SERIALIZER = "django.contrib.sessions.serializers.PickleSerializer"
 SESSION_CACHE_ALIAS = "default"
 # Configured via custom SessionMiddleware
 # SESSION_COOKIE_SAMESITE = "None"
@@ -256,7 +256,7 @@ CHANNEL_LAYERS = {
     "default": {
         "BACKEND": "channels_redis.pubsub.RedisPubSubChannelLayer",
         "CONFIG": {
-            "hosts": [CONFIG.get("channel.url", f"{_redis_url}/{CONFIG.get('redis.db')}")],
+            "hosts": [f"{_redis_url}/{CONFIG.get('redis.db')}"],
             "prefix": "authentik_channels_",
         },
     },
@@ -278,9 +278,6 @@ DATABASES = {
         "SSLROOTCERT": CONFIG.get("postgresql.sslrootcert"),
         "SSLCERT": CONFIG.get("postgresql.sslcert"),
         "SSLKEY": CONFIG.get("postgresql.sslkey"),
-        "TEST": {
-            "NAME": CONFIG.get("postgresql.test.name"),
-        },
     }
 }
 
@@ -352,11 +349,8 @@ CELERY = {
     },
     "task_create_missing_queues": True,
     "task_default_queue": "authentik",
-    "broker_url": CONFIG.get("broker.url")
+    "broker_url": f"{_redis_url}/{CONFIG.get('redis.db')}{_redis_celery_tls_requirements}",
-    or f"{_redis_url}/{CONFIG.get('redis.db')}{_redis_celery_tls_requirements}",
+    "result_backend": f"{_redis_url}/{CONFIG.get('redis.db')}{_redis_celery_tls_requirements}",
-    "broker_transport_options": CONFIG.get_dict_from_b64_json("broker.transport_options"),
-    "result_backend": CONFIG.get("result_backend.url")
-    or f"{_redis_url}/{CONFIG.get('redis.db')}{_redis_celery_tls_requirements}",
 }
 
 # Sentry integration
@@ -415,6 +409,7 @@ if DEBUG:
     CELERY["task_always_eager"] = True
     os.environ[ENV_GIT_HASH_KEY] = "dev"
     INSTALLED_APPS.append("silk")
+    SILKY_PYTHON_PROFILER = True
     MIDDLEWARE = ["silk.middleware.SilkyMiddleware"] + MIDDLEWARE
     REST_FRAMEWORK["DEFAULT_RENDERER_CLASSES"].append(
         "rest_framework.renderers.BrowsableAPIRenderer"

authentik/sources/ldap/api.py

@@ -1,14 +1,13 @@
 """Source API Views"""
-from typing import Any, Optional
+from typing import Any
 
-from django.core.cache import cache
 from django_filters.filters import AllValuesMultipleFilter
 from django_filters.filterset import FilterSet
 from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import extend_schema, extend_schema_field, inline_serializer
 from rest_framework.decorators import action
 from rest_framework.exceptions import ValidationError
-from rest_framework.fields import BooleanField, DictField, ListField, SerializerMethodField
+from rest_framework.fields import DictField, ListField
 from rest_framework.relations import PrimaryKeyRelatedField
 from rest_framework.request import Request
 from rest_framework.response import Response
@@ -18,17 +17,15 @@ from authentik.admin.api.tasks import TaskSerializer
 from authentik.core.api.propertymappings import PropertyMappingSerializer
 from authentik.core.api.sources import SourceSerializer
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import PassiveSerializer
 from authentik.crypto.models import CertificateKeyPair
 from authentik.events.monitored_tasks import TaskInfo
 from authentik.sources.ldap.models import LDAPPropertyMapping, LDAPSource
-from authentik.sources.ldap.tasks import CACHE_KEY_STATUS, SYNC_CLASSES
+from authentik.sources.ldap.tasks import SYNC_CLASSES
 
 
 class LDAPSourceSerializer(SourceSerializer):
     """LDAP Source Serializer"""
 
-    connectivity = SerializerMethodField()
     client_certificate = PrimaryKeyRelatedField(
         allow_null=True,
         help_text="Client certificate to authenticate against the LDAP Server's Certificate.",
@@ -38,10 +35,6 @@ class LDAPSourceSerializer(SourceSerializer):
         required=False,
     )
 
-    def get_connectivity(self, source: LDAPSource) -> Optional[dict[str, dict[str, str]]]:
-        """Get cached source connectivity"""
-        return cache.get(CACHE_KEY_STATUS + source.slug, None)
-
     def validate(self, attrs: dict[str, Any]) -> dict[str, Any]:
         """Check that only a single source has password_sync on"""
         sync_users_password = attrs.get("sync_users_password", True)
@@ -82,18 +75,10 @@ class LDAPSourceSerializer(SourceSerializer):
             "sync_parent_group",
             "property_mappings",
             "property_mappings_group",
-            "connectivity",
         ]
         extra_kwargs = {"bind_password": {"write_only": True}}
 
 
-class LDAPSyncStatusSerializer(PassiveSerializer):
-    """LDAP Source sync status"""
-
-    is_running = BooleanField(read_only=True)
-    tasks = TaskSerializer(many=True, read_only=True)
-
-
 class LDAPSourceViewSet(UsedByMixin, ModelViewSet):
     """LDAP Source Viewset"""
 
@@ -129,19 +114,19 @@ class LDAPSourceViewSet(UsedByMixin, ModelViewSet):
 
     @extend_schema(
         responses={
-            200: LDAPSyncStatusSerializer(),
+            200: TaskSerializer(many=True),
         }
     )
     @action(methods=["GET"], detail=True, pagination_class=None, filter_backends=[])
     def sync_status(self, request: Request, slug: str) -> Response:
         """Get source's sync status"""
-        source: LDAPSource = self.get_object()
+        source = self.get_object()
-        tasks = TaskInfo.by_name(f"ldap_sync:{source.slug}:*") or []
+        results = []
-        status = {
+        tasks = TaskInfo.by_name(f"ldap_sync:{source.slug}:*")
-            "tasks": tasks,
+        if tasks:
-            "is_running": source.sync_lock.locked(),
+            for task in tasks:
-        }
+                results.append(task)
-        return Response(LDAPSyncStatusSerializer(status).data)
+        return Response(TaskSerializer(results, many=True).data)
 
     @extend_schema(
         responses={

authentik/sources/ldap/management/commands/ldap_check_connection.py

@@ -1,24 +0,0 @@
-"""LDAP Connection check"""
-from json import dumps
-
-from django.core.management.base import BaseCommand
-from structlog.stdlib import get_logger
-
-from authentik.sources.ldap.models import LDAPSource
-
-LOGGER = get_logger()
-
-
-class Command(BaseCommand):
-    """Check connectivity to LDAP servers for a source"""
-
-    def add_arguments(self, parser):
-        parser.add_argument("source_slugs", nargs="?", type=str)
-
-    def handle(self, **options):
-        sources = LDAPSource.objects.filter(enabled=True)
-        if options["source_slugs"]:
-            sources = LDAPSource.objects.filter(slug__in=options["source_slugs"])
-        for source in sources.order_by("slug"):
-            status = source.check_connection()
-            self.stdout.write(dumps(status, indent=4))

authentik/sources/ldap/models.py

@@ -1,17 +1,13 @@
 """authentik LDAP Models"""
 from os import chmod
-from os.path import dirname, exists
-from shutil import rmtree
 from ssl import CERT_REQUIRED
 from tempfile import NamedTemporaryFile, mkdtemp
 from typing import Optional
 
-from django.core.cache import cache
 from django.db import models
 from django.utils.translation import gettext_lazy as _
 from ldap3 import ALL, NONE, RANDOM, Connection, Server, ServerPool, Tls
-from ldap3.core.exceptions import LDAPException, LDAPInsufficientAccessRightsResult, LDAPSchemaError
+from ldap3.core.exceptions import LDAPInsufficientAccessRightsResult, LDAPSchemaError
-from redis.lock import Lock
 from rest_framework.serializers import Serializer
 
 from authentik.core.models import Group, PropertyMapping, Source
@@ -121,7 +117,7 @@ class LDAPSource(Source):
 
         return LDAPSourceSerializer
 
-    def server(self, **kwargs) -> ServerPool:
+    def server(self, **kwargs) -> Server:
         """Get LDAP Server/ServerPool"""
         servers = []
         tls_kwargs = {}
@@ -158,10 +154,7 @@ class LDAPSource(Source):
         return ServerPool(servers, RANDOM, active=5, exhaust=True)
 
     def connection(
-        self,
+        self, server_kwargs: Optional[dict] = None, connection_kwargs: Optional[dict] = None
-        server: Optional[Server] = None,
-        server_kwargs: Optional[dict] = None,
-        connection_kwargs: Optional[dict] = None,
     ) -> Connection:
         """Get a fully connected and bound LDAP Connection"""
         server_kwargs = server_kwargs or {}
@@ -171,7 +164,7 @@ class LDAPSource(Source):
         if self.bind_password is not None:
             connection_kwargs.setdefault("password", self.bind_password)
         connection = Connection(
-            server or self.server(**server_kwargs),
+            self.server(**server_kwargs),
             raise_exceptions=True,
             receive_timeout=LDAP_TIMEOUT,
             **connection_kwargs,
@@ -190,60 +183,9 @@ class LDAPSource(Source):
             if server_kwargs.get("get_info", ALL) == NONE:
                 raise exc
             server_kwargs["get_info"] = NONE
-            return self.connection(server, server_kwargs, connection_kwargs)
+            return self.connection(server_kwargs, connection_kwargs)
-        finally:
-            if connection.server.tls.certificate_file is not None and exists(
-                connection.server.tls.certificate_file
-            ):
-                rmtree(dirname(connection.server.tls.certificate_file))
         return RuntimeError("Failed to bind")
 
-    @property
-    def sync_lock(self) -> Lock:
-        """Redis lock for syncing LDAP to prevent multiple parallel syncs happening"""
-        return Lock(
-            cache.client.get_client(),
-            name=f"goauthentik.io/sources/ldap/sync-{self.slug}",
-            # Convert task timeout hours to seconds, and multiply times 3
-            # (see authentik/sources/ldap/tasks.py:54)
-            # multiply by 3 to add even more leeway
-            timeout=(60 * 60 * CONFIG.get_int("ldap.task_timeout_hours")) * 3,
-        )
-
-    def check_connection(self) -> dict[str, dict[str, str]]:
-        """Check LDAP Connection"""
-        from authentik.sources.ldap.sync.base import flatten
-
-        servers = self.server()
-        server_info = {}
-        # Check each individual server
-        for server in servers.servers:
-            server: Server
-            try:
-                connection = self.connection(server=server)
-                server_info[server.host] = {
-                    "vendor": str(flatten(connection.server.info.vendor_name)),
-                    "version": str(flatten(connection.server.info.vendor_version)),
-                    "status": "ok",
-                }
-            except LDAPException as exc:
-                server_info[server.host] = {
-                    "status": str(exc),
-                }
-        # Check server pool
-        try:
-            connection = self.connection()
-            server_info["__all__"] = {
-                "vendor": str(flatten(connection.server.info.vendor_name)),
-                "version": str(flatten(connection.server.info.vendor_version)),
-                "status": "ok",
-            }
-        except LDAPException as exc:
-            server_info["__all__"] = {
-                "status": str(exc),
-            }
-        return server_info
-
     class Meta:
         verbose_name = _("LDAP Source")
         verbose_name_plural = _("LDAP Sources")

authentik/sources/ldap/settings.py

@@ -8,10 +8,5 @@ CELERY_BEAT_SCHEDULE = {
         "task": "authentik.sources.ldap.tasks.ldap_sync_all",
         "schedule": crontab(minute=fqdn_rand("sources_ldap_sync"), hour="*/2"),
         "options": {"queue": "authentik_scheduled"},
-    },
+    }
-    "sources_ldap_connectivity_check": {
-        "task": "authentik.sources.ldap.tasks.ldap_connectivity_check",
-        "schedule": crontab(minute=fqdn_rand("sources_ldap_connectivity_check"), hour="*"),
-        "options": {"queue": "authentik_scheduled"},
-    },
 }

authentik/sources/ldap/signals.py

@@ -14,7 +14,7 @@ from authentik.events.models import Event, EventAction
 from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER
 from authentik.sources.ldap.models import LDAPSource
 from authentik.sources.ldap.password import LDAPPasswordChanger
-from authentik.sources.ldap.tasks import ldap_connectivity_check, ldap_sync_single
+from authentik.sources.ldap.tasks import ldap_sync_single
 from authentik.stages.prompt.signals import password_validate
 
 LOGGER = get_logger()
@@ -32,7 +32,6 @@ def sync_ldap_source_on_save(sender, instance: LDAPSource, **_):
     if not instance.property_mappings.exists() or not instance.property_mappings_group.exists():
         return
     ldap_sync_single.delay(instance.pk)
-    ldap_connectivity_check.delay(instance.pk)
 
 
 @receiver(password_validate)

authentik/sources/ldap/sync/base.py

@@ -17,15 +17,6 @@ from authentik.sources.ldap.models import LDAPPropertyMapping, LDAPSource
 LDAP_UNIQUENESS = "ldap_uniq"
 
 
-def flatten(value: Any) -> Any:
-    """Flatten `value` if its a list"""
-    if isinstance(value, list):
-        if len(value) < 1:
-            return None
-        return value[0]
-    return value
-
-
 class BaseLDAPSynchronizer:
     """Sync LDAP Users and groups into authentik"""
 
@@ -131,6 +122,14 @@ class BaseLDAPSynchronizer:
                 cookie = None
             yield self._connection.response
 
+    def _flatten(self, value: Any) -> Any:
+        """Flatten `value` if its a list"""
+        if isinstance(value, list):
+            if len(value) < 1:
+                return None
+            return value[0]
+        return value
+
     def build_user_properties(self, user_dn: str, **kwargs) -> dict[str, Any]:
         """Build attributes for User object based on property mappings."""
         props = self._build_object_properties(user_dn, self._source.property_mappings, **kwargs)
@@ -164,10 +163,10 @@ class BaseLDAPSynchronizer:
                 object_field = mapping.object_field
                 if object_field.startswith("attributes."):
                     # Because returning a list might desired, we can't
-                    # rely on flatten here. Instead, just save the result as-is
+                    # rely on self._flatten here. Instead, just save the result as-is
                     set_path_in_dict(properties, object_field, value)
                 else:
-                    properties[object_field] = flatten(value)
+                    properties[object_field] = self._flatten(value)
             except PropertyMappingExpressionException as exc:
                 Event.new(
                     EventAction.CONFIGURATION_ERROR,
@@ -178,7 +177,7 @@ class BaseLDAPSynchronizer:
                 self._logger.warning("Mapping failed to evaluate", exc=exc, mapping=mapping)
                 continue
         if self._source.object_uniqueness_field in kwargs:
-            properties["attributes"][LDAP_UNIQUENESS] = flatten(
+            properties["attributes"][LDAP_UNIQUENESS] = self._flatten(
                 kwargs.get(self._source.object_uniqueness_field)
             )
         properties["attributes"][LDAP_DISTINGUISHED_NAME] = object_dn

authentik/sources/ldap/sync/groups.py

@@ -7,7 +7,7 @@ from ldap3 import ALL_ATTRIBUTES, ALL_OPERATIONAL_ATTRIBUTES, SUBTREE
 
 from authentik.core.models import Group
 from authentik.events.models import Event, EventAction
-from authentik.sources.ldap.sync.base import LDAP_UNIQUENESS, BaseLDAPSynchronizer, flatten
+from authentik.sources.ldap.sync.base import LDAP_UNIQUENESS, BaseLDAPSynchronizer
 
 
 class GroupLDAPSynchronizer(BaseLDAPSynchronizer):
@@ -39,7 +39,7 @@ class GroupLDAPSynchronizer(BaseLDAPSynchronizer):
             if "attributes" not in group:
                 continue
             attributes = group.get("attributes", {})
-            group_dn = flatten(flatten(group.get("entryDN", group.get("dn"))))
+            group_dn = self._flatten(self._flatten(group.get("entryDN", group.get("dn"))))
             if self._source.object_uniqueness_field not in attributes:
                 self.message(
                     f"Cannot find uniqueness field in attributes: '{group_dn}'",
@@ -47,7 +47,7 @@ class GroupLDAPSynchronizer(BaseLDAPSynchronizer):
                     dn=group_dn,
                 )
                 continue
-            uniq = flatten(attributes[self._source.object_uniqueness_field])
+            uniq = self._flatten(attributes[self._source.object_uniqueness_field])
             try:
                 defaults = self.build_group_properties(group_dn, **attributes)
                 defaults["parent"] = self._source.sync_parent_group

authentik/sources/ldap/sync/users.py

@@ -7,7 +7,7 @@ from ldap3 import ALL_ATTRIBUTES, ALL_OPERATIONAL_ATTRIBUTES, SUBTREE
 
 from authentik.core.models import User
 from authentik.events.models import Event, EventAction
-from authentik.sources.ldap.sync.base import LDAP_UNIQUENESS, BaseLDAPSynchronizer, flatten
+from authentik.sources.ldap.sync.base import LDAP_UNIQUENESS, BaseLDAPSynchronizer
 from authentik.sources.ldap.sync.vendor.freeipa import FreeIPA
 from authentik.sources.ldap.sync.vendor.ms_ad import MicrosoftActiveDirectory
 
@@ -41,7 +41,7 @@ class UserLDAPSynchronizer(BaseLDAPSynchronizer):
             if "attributes" not in user:
                 continue
             attributes = user.get("attributes", {})
-            user_dn = flatten(user.get("entryDN", user.get("dn")))
+            user_dn = self._flatten(user.get("entryDN", user.get("dn")))
             if self._source.object_uniqueness_field not in attributes:
                 self.message(
                     f"Cannot find uniqueness field in attributes: '{user_dn}'",
@@ -49,7 +49,7 @@ class UserLDAPSynchronizer(BaseLDAPSynchronizer):
                     dn=user_dn,
                 )
                 continue
-            uniq = flatten(attributes[self._source.object_uniqueness_field])
+            uniq = self._flatten(attributes[self._source.object_uniqueness_field])
             try:
                 defaults = self.build_user_properties(user_dn, **attributes)
                 self._logger.debug("Writing user with attributes", **defaults)

authentik/sources/ldap/sync/vendor/freeipa.py

@@ -5,7 +5,7 @@ from typing import Any, Generator
 from pytz import UTC
 
 from authentik.core.models import User
-from authentik.sources.ldap.sync.base import BaseLDAPSynchronizer, flatten
+from authentik.sources.ldap.sync.base import BaseLDAPSynchronizer
 
 
 class FreeIPA(BaseLDAPSynchronizer):
@@ -47,7 +47,7 @@ class FreeIPA(BaseLDAPSynchronizer):
             return
         # For some reason, nsaccountlock is not defined properly in the schema as bool
         # hence we get it as a list of strings
-        _is_locked = str(flatten(attributes.get("nsaccountlock", ["FALSE"])))
+        _is_locked = str(self._flatten(attributes.get("nsaccountlock", ["FALSE"])))
         # So we have to attempt to convert it to a bool
         is_locked = _is_locked.lower() == "true"
         # And then invert it since freeipa saves locked and we save active

authentik/sources/ldap/tasks.py

@@ -1,14 +1,13 @@
 """LDAP Sync tasks"""
-from typing import Optional
 from uuid import uuid4
 
 from celery import chain, group
 from django.core.cache import cache
 from ldap3.core.exceptions import LDAPException
 from redis.exceptions import LockError
+from redis.lock import Lock
 from structlog.stdlib import get_logger
 
-from authentik.events.monitored_tasks import CACHE_KEY_PREFIX as CACHE_KEY_PREFIX_TASKS
 from authentik.events.monitored_tasks import MonitoredTask, TaskResult, TaskResultStatus
 from authentik.lib.config import CONFIG
 from authentik.lib.utils.errors import exception_to_string
@@ -27,7 +26,6 @@ SYNC_CLASSES = [
     MembershipLDAPSynchronizer,
 ]
 CACHE_KEY_PREFIX = "goauthentik.io/sources/ldap/page/"
-CACHE_KEY_STATUS = "goauthentik.io/sources/ldap/status/"
 
 
 @CELERY_APP.task()
@@ -37,19 +35,6 @@ def ldap_sync_all():
         ldap_sync_single.apply_async(args=[source.pk])
 
 
-@CELERY_APP.task()
-def ldap_connectivity_check(pk: Optional[str] = None):
-    """Check connectivity for LDAP Sources"""
-    # 2 hour timeout, this task should run every hour
-    timeout = 60 * 60 * 2
-    sources = LDAPSource.objects.filter(enabled=True)
-    if pk:
-        sources = sources.filter(pk=pk)
-    for source in sources:
-        status = source.check_connection()
-        cache.set(CACHE_KEY_STATUS + source.slug, status, timeout=timeout)
-
-
 @CELERY_APP.task(
     # We take the configured hours timeout time by 2.5 as we run user and
     # group in parallel and then membership, so 2x is to cover the serial tasks,
@@ -62,15 +47,12 @@ def ldap_sync_single(source_pk: str):
     source: LDAPSource = LDAPSource.objects.filter(pk=source_pk).first()
     if not source:
         return
-    lock = source.sync_lock
+    lock = Lock(cache.client.get_client(), name=f"goauthentik.io/sources/ldap/sync-{source.slug}")
     if lock.locked():
         LOGGER.debug("LDAP sync locked, skipping task", source=source.slug)
         return
     try:
         with lock:
-            # Delete all sync tasks from the cache
-            keys = cache.keys(f"{CACHE_KEY_PREFIX_TASKS}ldap_sync:{source.slug}*")
-            cache.delete_many(keys)
             task = chain(
                 # User and group sync can happen at once, they have no dependencies on each other
                 group(

authentik/sources/oauth/models.py

@@ -74,7 +74,7 @@ class OAuthSource(Source):
     def ui_login_button(self, request: HttpRequest) -> UILoginButton:
         provider_type = self.source_type
         provider = provider_type()
-        icon = self.icon_url
+        icon = self.get_icon
         if not icon:
             icon = provider.icon_url()
         return UILoginButton(
@@ -85,7 +85,7 @@ class OAuthSource(Source):
 
     def ui_user_settings(self) -> Optional[UserSettingSerializer]:
         provider_type = self.source_type
-        icon = self.icon_url
+        icon = self.get_icon
         if not icon:
             icon = provider_type().icon_url()
         return UserSettingSerializer(
@@ -232,7 +232,7 @@ class UserOAuthSourceConnection(UserSourceConnection):
     access_token = models.TextField(blank=True, null=True, default=None)
 
     @property
-    def serializer(self) -> type[Serializer]:
+    def serializer(self) -> Serializer:
         from authentik.sources.oauth.api.source_connection import (
             UserOAuthSourceConnectionSerializer,
         )

authentik/sources/oauth/types/azure_ad.py

@@ -4,8 +4,8 @@ from typing import Any
 from structlog.stdlib import get_logger
 
 from authentik.sources.oauth.clients.oauth2 import UserprofileHeaderAuthClient
+from authentik.sources.oauth.types.oidc import OpenIDConnectOAuth2Callback
 from authentik.sources.oauth.types.registry import SourceType, registry
-from authentik.sources.oauth.views.callback import OAuthCallback
 from authentik.sources.oauth.views.redirect import OAuthRedirect
 
 LOGGER = get_logger()
@@ -20,7 +20,7 @@ class AzureADOAuthRedirect(OAuthRedirect):
         }
 
 
-class AzureADOAuthCallback(OAuthCallback):
+class AzureADOAuthCallback(OpenIDConnectOAuth2Callback):
     """AzureAD OAuth2 Callback"""
 
     client_class = UserprofileHeaderAuthClient
@@ -50,7 +50,7 @@ class AzureADType(SourceType):
 
     authorization_url = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
     access_token_url = "https://login.microsoftonline.com/common/oauth2/v2.0/token"  # nosec
-    profile_url = "https://graph.microsoft.com/v1.0/me"
+    profile_url = "https://login.microsoftonline.com/common/openid/userinfo"
     oidc_well_known_url = (
         "https://login.microsoftonline.com/common/.well-known/openid-configuration"
     )

authentik/sources/oauth/types/oidc.py

@@ -23,7 +23,7 @@ class OpenIDConnectOAuth2Callback(OAuthCallback):
     client_class = UserprofileHeaderAuthClient
 
     def get_user_id(self, info: dict[str, str]) -> str:
-        return info.get("sub", "")
+        return info.get("sub", None)
 
     def get_user_enroll_context(
         self,

authentik/sources/oauth/types/okta.py

@@ -3,8 +3,8 @@ from typing import Any
 
 from authentik.sources.oauth.clients.oauth2 import UserprofileHeaderAuthClient
 from authentik.sources.oauth.models import OAuthSource
+from authentik.sources.oauth.types.oidc import OpenIDConnectOAuth2Callback
 from authentik.sources.oauth.types.registry import SourceType, registry
-from authentik.sources.oauth.views.callback import OAuthCallback
 from authentik.sources.oauth.views.redirect import OAuthRedirect
 
 
@@ -17,7 +17,7 @@ class OktaOAuthRedirect(OAuthRedirect):
         }
 
 
-class OktaOAuth2Callback(OAuthCallback):
+class OktaOAuth2Callback(OpenIDConnectOAuth2Callback):
     """Okta OAuth2 Callback"""
 
     # Okta has the same quirk as azure and throws an error if the access token
@@ -25,9 +25,6 @@ class OktaOAuth2Callback(OAuthCallback):
     # see https://github.com/goauthentik/authentik/issues/1910
     client_class = UserprofileHeaderAuthClient
 
-    def get_user_id(self, info: dict[str, str]) -> str:
-        return info.get("sub", "")
-
     def get_user_enroll_context(
         self,
         info: dict[str, Any],

authentik/sources/oauth/types/twitch.py

@@ -3,8 +3,8 @@ from json import dumps
 from typing import Any, Optional
 
 from authentik.sources.oauth.clients.oauth2 import UserprofileHeaderAuthClient
+from authentik.sources.oauth.types.oidc import OpenIDConnectOAuth2Callback
 from authentik.sources.oauth.types.registry import SourceType, registry
-from authentik.sources.oauth.views.callback import OAuthCallback
 from authentik.sources.oauth.views.redirect import OAuthRedirect
 
 
@@ -27,14 +27,11 @@ class TwitchOAuthRedirect(OAuthRedirect):
         }
 
 
-class TwitchOAuth2Callback(OAuthCallback):
+class TwitchOAuth2Callback(OpenIDConnectOAuth2Callback):
     """Twitch OAuth2 Callback"""
 
     client_class = TwitchClient
 
-    def get_user_id(self, info: dict[str, str]) -> str:
-        return info.get("sub", "")
-
     def get_user_enroll_context(
         self,
         info: dict[str, Any],

authentik/sources/plex/models.py

@@ -62,7 +62,7 @@ class PlexSource(Source):
         return PlexSourceSerializer
 
     def ui_login_button(self, request: HttpRequest) -> UILoginButton:
-        icon = self.icon_url
+        icon = self.get_icon
         if not icon:
             icon = static("authentik/sources/plex.svg")
         return UILoginButton(
@@ -79,7 +79,7 @@ class PlexSource(Source):
         )
 
     def ui_user_settings(self) -> Optional[UserSettingSerializer]:
-        icon = self.icon_url
+        icon = self.get_icon
         if not icon:
             icon = static("authentik/sources/plex.svg")
         return UserSettingSerializer(

authentik/sources/saml/models.py

@@ -200,11 +200,11 @@ class SAMLSource(Source):
                 }
             ),
             name=self.name,
-            icon_url=self.icon_url,
+            icon_url=self.get_icon,
         )
 
     def ui_user_settings(self) -> Optional[UserSettingSerializer]:
-        icon = self.icon_url
+        icon = self.get_icon
         if not icon:
             icon = static(f"authentik/sources/{self.slug}.svg")
         return UserSettingSerializer(

authentik/stages/authenticator_totp/api.py

@@ -1,7 +1,6 @@
 """AuthenticatorTOTPStage API Views"""
 from django_filters.rest_framework.backends import DjangoFilterBackend
 from rest_framework import mixins
-from rest_framework.fields import ChoiceField
 from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.permissions import IsAdminUser
 from rest_framework.serializers import ModelSerializer
@@ -10,18 +9,12 @@ from rest_framework.viewsets import GenericViewSet, ModelViewSet
 from authentik.api.authorization import OwnerFilter, OwnerPermissions
 from authentik.core.api.used_by import UsedByMixin
 from authentik.flows.api.stages import StageSerializer
-from authentik.stages.authenticator_totp.models import (
+from authentik.stages.authenticator_totp.models import AuthenticatorTOTPStage, TOTPDevice
-    AuthenticatorTOTPStage,
-    TOTPDevice,
-    TOTPDigits,
-)
 
 
 class AuthenticatorTOTPStageSerializer(StageSerializer):
     """AuthenticatorTOTPStage Serializer"""
 
-    digits = ChoiceField(choices=TOTPDigits.choices)
-
     class Meta:
         model = AuthenticatorTOTPStage
         fields = StageSerializer.Meta.fields + ["configure_flow", "friendly_name", "digits"]

authentik/stages/authenticator_totp/migrations/0010_alter_totpdevice_key.py

@@ -29,14 +29,4 @@ class Migration(migrations.Migration):
             name="totpdevice",
             options={"verbose_name": "TOTP Device", "verbose_name_plural": "TOTP Devices"},
         ),
-        migrations.AlterField(
-            model_name="authenticatortotpstage",
-            name="digits",
-            field=models.IntegerField(
-                choices=[
-                    ("6", "6 digits, widely compatible"),
-                    ("8", "8 digits, not compatible with apps like Google Authenticator"),
-                ]
-            ),
-        ),
     ]

authentik/stages/authenticator_totp/models.py

@@ -19,11 +19,11 @@ from authentik.stages.authenticator.oath import TOTP
 from authentik.stages.authenticator.util import hex_validator, random_hex
 
 
-class TOTPDigits(models.TextChoices):
+class TOTPDigits(models.IntegerChoices):
     """OTP Time Digits"""
 
-    SIX = "6", _("6 digits, widely compatible")
+    SIX = 6, _("6 digits, widely compatible")
-    EIGHT = "8", _("8 digits, not compatible with apps like Google Authenticator")
+    EIGHT = 8, _("8 digits, not compatible with apps like Google Authenticator")
 
 
 class AuthenticatorTOTPStage(ConfigurableStage, FriendlyNamedStage, Stage):

authentik/stages/authenticator_validate/challenge.py

@@ -7,7 +7,7 @@ from django.http.response import Http404
 from django.shortcuts import get_object_or_404
 from django.utils.translation import gettext as __
 from django.utils.translation import gettext_lazy as _
-from rest_framework.fields import CharField
+from rest_framework.fields import CharField, JSONField
 from rest_framework.serializers import ValidationError
 from structlog.stdlib import get_logger
 from webauthn.authentication.generate_authentication_options import generate_authentication_options
@@ -16,7 +16,7 @@ from webauthn.helpers.base64url_to_bytes import base64url_to_bytes
 from webauthn.helpers.exceptions import InvalidAuthenticationResponse
 from webauthn.helpers.structs import AuthenticationCredential
 
-from authentik.core.api.utils import JSONDictField, PassiveSerializer
+from authentik.core.api.utils import PassiveSerializer
 from authentik.core.models import Application, User
 from authentik.core.signals import login_failed
 from authentik.events.models import Event, EventAction
@@ -40,7 +40,7 @@ class DeviceChallenge(PassiveSerializer):
 
     device_class = CharField()
     device_uid = CharField()
-    challenge = JSONDictField()
+    challenge = JSONField()
 
 
 def get_challenge_for_device(

authentik/stages/authenticator_validate/stage.py

@@ -6,10 +6,10 @@ from typing import Optional
 from django.conf import settings
 from django.http import HttpRequest, HttpResponse
 from jwt import PyJWTError, decode, encode
-from rest_framework.fields import CharField, IntegerField, ListField, UUIDField
+from rest_framework.fields import CharField, IntegerField, JSONField, ListField, UUIDField
 from rest_framework.serializers import ValidationError
 
-from authentik.core.api.utils import JSONDictField, PassiveSerializer
+from authentik.core.api.utils import PassiveSerializer
 from authentik.core.models import User
 from authentik.events.models import Event, EventAction
 from authentik.flows.challenge import ChallengeResponse, ChallengeTypes, WithUserInfoChallenge
@@ -68,7 +68,7 @@ class AuthenticatorValidationChallengeResponse(ChallengeResponse):
     selected_stage = CharField(required=False)
 
     code = CharField(required=False)
-    webauthn = JSONDictField(required=False)
+    webauthn = JSONField(required=False)
     duo = IntegerField(required=False)
     component = CharField(default="ak-stage-authenticator-validate")
 

authentik/stages/authenticator_webauthn/stage.py

@@ -1,7 +1,7 @@
 """WebAuthn stage"""
 from django.http import HttpRequest, HttpResponse
 from django.http.request import QueryDict
-from rest_framework.fields import CharField
+from rest_framework.fields import CharField, JSONField
 from rest_framework.serializers import ValidationError
 from webauthn.helpers.bytes_to_base64url import bytes_to_base64url
 from webauthn.helpers.exceptions import InvalidRegistrationResponse
@@ -16,7 +16,6 @@ from webauthn.registration.verify_registration_response import (
     verify_registration_response,
 )
 
-from authentik.core.api.utils import JSONDictField
 from authentik.core.models import User
 from authentik.flows.challenge import (
     Challenge,
@@ -34,14 +33,14 @@ SESSION_KEY_WEBAUTHN_CHALLENGE = "authentik/stages/authenticator_webauthn/challe
 class AuthenticatorWebAuthnChallenge(WithUserInfoChallenge):
     """WebAuthn Challenge"""
 
-    registration = JSONDictField()
+    registration = JSONField()
     component = CharField(default="ak-stage-authenticator-webauthn")
 
 
 class AuthenticatorWebAuthnChallengeResponse(ChallengeResponse):
     """WebAuthn Challenge response"""
 
-    response = JSONDictField()
+    response = JSONField()
     component = CharField(default="ak-stage-authenticator-webauthn")
 
     request: HttpRequest

authentik/stages/identification/api.py

@@ -33,7 +33,6 @@ class IdentificationStageSerializer(StageSerializer):
             "passwordless_flow",
             "sources",
             "show_source_labels",
-            "pretend_user_exists",
         ]
 
 

authentik/stages/identification/migrations/0014_identificationstage_pretend.py

@@ -1,23 +0,0 @@
-# Generated by Django 4.2.7 on 2023-11-17 16:32
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-    dependencies = [
-        (
-            "authentik_stages_identification",
-            "0002_auto_20200530_2204_squashed_0013_identificationstage_passwordless_flow",
-        ),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name="identificationstage",
-            name="pretend_user_exists",
-            field=models.BooleanField(
-                default=True,
-                help_text="When enabled, the stage will succeed and continue even when incorrect user info is entered.",
-            ),
-        ),
-    ]

authentik/stages/identification/models.py

@@ -54,13 +54,6 @@ class IdentificationStage(Stage):
             "entered will be shown"
         ),
     )
-    pretend_user_exists = models.BooleanField(
-        default=True,
-        help_text=_(
-            "When enabled, the stage will succeed and continue even when incorrect user info "
-            "is entered."
-        ),
-    )
 
     enrollment_flow = models.ForeignKey(
         Flow,

authentik/stages/identification/stage.py

@@ -121,8 +121,8 @@ class IdentificationChallengeResponse(ChallengeResponse):
             self.pre_user = self.stage.executor.plan.context[PLAN_CONTEXT_PENDING_USER]
             if not current_stage.show_matched_user:
                 self.stage.executor.plan.context[PLAN_CONTEXT_PENDING_USER_IDENTIFIER] = uid_field
-            # when `pretend` is enabled, continue regardless
+            if self.stage.executor.flow.designation == FlowDesignation.RECOVERY:
-            if current_stage.pretend_user_exists:
+                # When used in a recovery flow, always continue to not disclose if a user exists
                 return attrs
             raise ValidationError("Failed to authenticate.")
         self.pre_user = pre_user

authentik/stages/identification/tests.py

@@ -28,7 +28,6 @@ class TestIdentificationStage(FlowTestCase):
         self.stage = IdentificationStage.objects.create(
             name="identification",
             user_fields=[UserFields.E_MAIL],
-            pretend_user_exists=False,
         )
         self.stage.sources.set([source])
         self.stage.save()
@@ -107,26 +106,6 @@ class TestIdentificationStage(FlowTestCase):
             form_data,
         )
         self.assertEqual(response.status_code, 200)
-        self.assertStageResponse(
-            response,
-            self.flow,
-            component="ak-stage-identification",
-            response_errors={
-                "non_field_errors": [{"string": "Failed to authenticate.", "code": "invalid"}]
-            },
-        )
-
-    def test_invalid_with_username_pretend(self):
-        """Test invalid with username (user exists but stage only allows email)"""
-        self.stage.pretend_user_exists = True
-        self.stage.save()
-        form_data = {"uid_field": self.user.username}
-        response = self.client.post(
-            reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug}),
-            form_data,
-        )
-        self.assertEqual(response.status_code, 200)
-        self.assertStageRedirects(response, reverse("authentik_core:root-redirect"))
 
     def test_invalid_no_fields(self):
         """Test invalid with username (no user fields are enabled)"""

authentik/stages/invitation/api.py

@@ -1,12 +1,13 @@
 """Invitation Stage API Views"""
 from django_filters.filters import BooleanFilter
 from django_filters.filterset import FilterSet
+from rest_framework.fields import JSONField
 from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import ModelViewSet
 
 from authentik.core.api.groups import GroupMemberSerializer
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import JSONDictField
+from authentik.core.api.utils import is_dict
 from authentik.flows.api.flows import FlowSerializer
 from authentik.flows.api.stages import StageSerializer
 from authentik.stages.invitation.models import Invitation, InvitationStage
@@ -46,7 +47,7 @@ class InvitationSerializer(ModelSerializer):
     """Invitation Serializer"""
 
     created_by = GroupMemberSerializer(read_only=True)
-    fixed_data = JSONDictField(required=False)
+    fixed_data = JSONField(validators=[is_dict], required=False)
     flow_obj = FlowSerializer(read_only=True, required=False, source="flow")
 
     class Meta:

blueprints/default/flow-default-provider-invalidation.yaml

@@ -1,13 +0,0 @@
-version: 1
-metadata:
-  name: Default - Provider invalidation flow
-entries:
-- attrs:
-    designation: invalidation
-    name: Logged out of application
-    title: You've logged out of %(app)s.
-    authentication: none
-  identifiers:
-    slug: default-provider-invalidation-flow
-  model: authentik_flows.flow
-  id: flow

blueprints/schema.json

@@ -3831,11 +3831,6 @@
                     "title": "Authorization flow",
                     "description": "Flow used when authorizing this provider."
                 },
-                "invalidation_flow": {
-                    "type": "integer",
-                    "title": "Invalidation flow",
-                    "description": "Flow used ending the session from a provider."
-                },
                 "property_mappings": {
                     "type": "array",
                     "items": {
@@ -3954,11 +3949,6 @@
                     "title": "Authorization flow",
                     "description": "Flow used when authorizing this provider."
                 },
-                "invalidation_flow": {
-                    "type": "integer",
-                    "title": "Invalidation flow",
-                    "description": "Flow used ending the session from a provider."
-                },
                 "property_mappings": {
                     "type": "array",
                     "items": {
@@ -4073,11 +4063,6 @@
                             "title": "Authorization flow",
                             "description": "Flow used when authorizing this provider."
                         },
-                        "invalidation_flow": {
-                            "type": "integer",
-                            "title": "Invalidation flow",
-                            "description": "Flow used ending the session from a provider."
-                        },
                         "property_mappings": {
                             "type": "array",
                             "items": {
@@ -4279,11 +4264,6 @@
                             "title": "Authorization flow",
                             "description": "Flow used when authorizing this provider."
                         },
-                        "invalidation_flow": {
-                            "type": "integer",
-                            "title": "Invalidation flow",
-                            "description": "Flow used ending the session from a provider."
-                        },
                         "property_mappings": {
                             "type": "array",
                             "items": {
@@ -4489,11 +4469,6 @@
                             "title": "Authorization flow",
                             "description": "Flow used when authorizing this provider."
                         },
-                        "invalidation_flow": {
-                            "type": "integer",
-                            "title": "Invalidation flow",
-                            "description": "Flow used ending the session from a provider."
-                        },
                         "property_mappings": {
                             "type": "array",
                             "items": {
@@ -4696,11 +4671,6 @@
                     "title": "Authorization flow",
                     "description": "Flow used when authorizing this provider."
                 },
-                "invalidation_flow": {
-                    "type": "integer",
-                    "title": "Invalidation flow",
-                    "description": "Flow used ending the session from a provider."
-                },
                 "property_mappings": {
                     "type": "array",
                     "items": {
@@ -4806,11 +4776,6 @@
                     "title": "Authorization flow",
                     "description": "Flow used when authorizing this provider."
                 },
-                "invalidation_flow": {
-                    "type": "integer",
-                    "title": "Invalidation flow",
-                    "description": "Flow used ending the session from a provider."
-                },
                 "property_mappings": {
                     "type": "array",
                     "items": {
@@ -4856,11 +4821,6 @@
                     "title": "Authorization flow",
                     "description": "Flow used when authorizing this provider."
                 },
-                "invalidation_flow": {
-                    "type": "integer",
-                    "title": "Invalidation flow",
-                    "description": "Flow used ending the session from a provider."
-                },
                 "property_mappings": {
                     "type": "array",
                     "items": {
@@ -6281,10 +6241,10 @@
                     "title": "Friendly name"
                 },
                 "digits": {
-                    "type": "string",
+                    "type": "integer",
                     "enum": [
-                        "6",
+                        6,
-                        "8"
+                        8
                     ],
                     "title": "Digits"
                 }
@@ -7465,11 +7425,6 @@
                 "show_source_labels": {
                     "type": "boolean",
                     "title": "Show source labels"
-                },
-                "pretend_user_exists": {
-                    "type": "boolean",
-                    "title": "Pretend user exists",
-                    "description": "When enabled, the stage will succeed and continue even when incorrect user info is entered."
                 }
             },
             "required": []

blueprints/system/providers-proxy.yaml

@@ -14,8 +14,11 @@ entries:
       expression: |
         # This mapping is used by the authentik proxy. It passes extra user attributes,
         # which are used for example for the HTTP-Basic Authentication mapping.
+        session_id = None
+        if "token" in request.context:
+            session_id = request.context.get("token").session_id
         return {
-            "sid": request.http_request.session.session_key,
+            "sid": session_id,
             "ak_proxy": {
                 "user_attributes": request.user.group_attributes(request),
                 "is_superuser": request.user.is_superuser,