update

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
antlr for scim filter parsing, why
2024-05-31 · 2023-11-16 11:52:31 +01:00 · 2023-11-16 11:52:31 +01:00 · 2023-11-16 11:52:14 +01:00 · 2023-11-16 11:52:14 +01:00 · 2023-11-16 11:52:14 +01:00
200 changed files with 22810 additions and 19250 deletions
--- a/.bumpversion.cfg
+++ b/.bumpversion.cfg
@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2023.10.2
+current_version = 2023.10.3
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)
--- a/.github/workflows/ci-main.yml
+++ b/.github/workflows/ci-main.yml
@ -11,6 +11,7 @@ on:
  pull_request:
    branches:
      - main
+      - version-*

 env:
  POSTGRES_DB: authentik
@ -185,6 +186,9 @@ jobs:
  build:
    needs: ci-core-mark
    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload contianer images to ghcr.io
+      packages: write
    timeout-minutes: 120
    steps:
      - uses: actions/checkout@v4
@ -235,6 +239,9 @@ jobs:
  build-arm64:
    needs: ci-core-mark
    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload contianer images to ghcr.io
+      packages: write
    timeout-minutes: 120
    steps:
      - uses: actions/checkout@v4
--- a/.github/workflows/ci-outpost.yml
+++ b/.github/workflows/ci-outpost.yml
@ -9,6 +9,7 @@ on:
  pull_request:
    branches:
      - main
+      - version-*

 jobs:
  lint-golint:
@ -65,6 +66,9 @@ jobs:
          - ldap
          - radius
    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload contianer images to ghcr.io
+      packages: write
    steps:
      - uses: actions/checkout@v4
        with:
--- a/.github/workflows/ci-web.yml
+++ b/.github/workflows/ci-web.yml
@ -9,6 +9,7 @@ on:
  pull_request:
    branches:
      - main
+      - version-*

 jobs:
  lint-eslint:
--- a/.github/workflows/ci-website.yml
+++ b/.github/workflows/ci-website.yml
@ -9,6 +9,7 @@ on:
  pull_request:
    branches:
      - main
+      - version-*

 jobs:
  lint-prettier:
--- a/.github/workflows/release-next-branch.yml
+++ b/.github/workflows/release-next-branch.yml
@ -6,6 +6,7 @@ on:
  workflow_dispatch:

 permissions:
+  # Needed to be able to push to the next branch
  contents: write

 jobs:
--- a/.github/workflows/release-publish.yml
+++ b/.github/workflows/release-publish.yml
@ -7,6 +7,9 @@ on:
 jobs:
  build-server:
    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload contianer images to ghcr.io
+      packages: write
    steps:
      - uses: actions/checkout@v4
      - name: Set up QEMU
@ -52,6 +55,9 @@ jobs:
            VERSION_FAMILY=${{ steps.ev.outputs.versionFamily }}
  build-outpost:
    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload contianer images to ghcr.io
+      packages: write
    strategy:
      fail-fast: false
      matrix:
@ -106,6 +112,9 @@ jobs:
  build-outpost-binary:
    timeout-minutes: 120
    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload binaries to the release
+      contents: write
    strategy:
      fail-fast: false
      matrix:
--- a/.github/workflows/release-tag.yml
+++ b/.github/workflows/release-tag.yml
@ -30,7 +30,7 @@ jobs:
          private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
      - name: Extract version number
        id: get_version
-        uses: actions/github-script@v6
+        uses: actions/github-script@v7
        with:
          github-token: ${{ steps.generate_token.outputs.token }}
          script: |
--- a/.github/workflows/repo-stale.yml
+++ b/.github/workflows/repo-stale.yml
@ -6,8 +6,8 @@ on:
  workflow_dispatch:

 permissions:
+  # Needed to update issues and PRs
  issues: write
-  pull-requests: write

 jobs:
  stale:
--- a/.github/workflows/translation-advice.yml
+++ b/.github/workflows/translation-advice.yml
@ -7,7 +7,8 @@ on:
    paths:
      - "!**"
      - "locale/**"
-      - "web/src/locales/**"
+      - "!locale/en/**"
+      - "web/xliff/**"

 jobs:
  post-comment:
--- a/13
+++ b/13
@ -35,7 +35,14 @@ COPY ./gen-ts-api /work/web/node_modules/@goauthentik/api
 RUN npm run build

 # Stage 3: Build go proxy
-FROM docker.io/golang:1.21.3-bookworm AS go-builder
+FROM --platform=${BUILDPLATFORM} docker.io/golang:1.21.4-bookworm AS go-builder
+
+ARG TARGETOS
+ARG TARGETARCH
+ARG TARGETVARIANT
+
+ARG GOOS=$TARGETOS
+ARG GOARCH=$TARGETARCH

 WORKDIR /go/src/goauthentik.io

@ -57,10 +64,10 @@ ENV CGO_ENABLED=0

 RUN --mount=type=cache,target=/go/pkg/mod \
    --mount=type=cache,target=/root/.cache/go-build \
-    go build -o /go/authentik ./cmd/server
+    GOARM="${TARGETVARIANT#v}" go build -o /go/authentik ./cmd/server

 # Stage 4: MaxMind GeoIP
-FROM ghcr.io/maxmind/geoipupdate:v6.0 as geoip
+FROM --platform=${BUILDPLATFORM} ghcr.io/maxmind/geoipupdate:v6.0 as geoip

 ENV GEOIPUPDATE_EDITION_IDS="GeoLite2-City"
 ENV GEOIPUPDATE_VERBOSE="true"
--- a/2
+++ b/2
@ -110,6 +110,8 @@ gen-diff:  ## (Release) generate the changelog diff between the current schema a
 		--markdown /local/diff.md \
 		/local/old_schema.yml /local/schema.yml
 	rm old_schema.yml
+	sed -i 's/{/&#123;/g' diff.md
+	sed -i 's/}/&#125;/g' diff.md
 	npx prettier --write diff.md

 gen-clean:
--- a/authentik/init.py
+++ b/authentik/init.py
@ -2,7 +2,7 @@
 from os import environ
 from typing import Optional

-__version__ = "2023.10.2"
+__version__ = "2023.10.3"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"


--- a/authentik/api/schema.py
+++ b/authentik/api/schema.py
@ -13,6 +13,8 @@ from rest_framework.settings import api_settings

 from authentik.api.pagination import PAGINATION_COMPONENT_NAME, PAGINATION_SCHEMA

+from authentik.api.apps import AuthentikAPIConfig
+

 def build_standard_type(obj, **kwargs):
    """Build a basic type with optional add owns."""
@ -100,3 +102,12 @@ def postprocess_schema_responses(result, generator: SchemaGenerator, **kwargs):
            comp = result["components"]["schemas"][component]
            comp["additionalProperties"] = {}
    return result
+
+
+def preprocess_schema_exclude_non_api(endpoints, **kwargs):
+    """Filter out all API Views which are not mounted under /api"""
+    return [
+        (path, path_regex, method, callback)
+        for path, path_regex, method, callback in endpoints
+        if path.startswith("/" + AuthentikAPIConfig.mountpoint)
+    ]
--- a/authentik/api/v3/config.py
+++ b/authentik/api/v3/config.py
@ -93,10 +93,10 @@ class ConfigView(APIView):
                    "traces_sample_rate": float(CONFIG.get("error_reporting.sample_rate", 0.4)),
                },
                "capabilities": self.get_capabilities(),
-                "cache_timeout": CONFIG.get_int("redis.cache_timeout"),
-                "cache_timeout_flows": CONFIG.get_int("redis.cache_timeout_flows"),
-                "cache_timeout_policies": CONFIG.get_int("redis.cache_timeout_policies"),
-                "cache_timeout_reputation": CONFIG.get_int("redis.cache_timeout_reputation"),
+                "cache_timeout": CONFIG.get_int("cache.timeout"),
+                "cache_timeout_flows": CONFIG.get_int("cache.timeout_flows"),
+                "cache_timeout_policies": CONFIG.get_int("cache.timeout_policies"),
+                "cache_timeout_reputation": CONFIG.get_int("cache.timeout_reputation"),
            }
        )

--- a/authentik/core/management/commands/worker.py
+++ b/authentik/core/management/commands/worker.py
@ -17,9 +17,15 @@ class Command(BaseCommand):
    """Run worker"""

    def add_arguments(self, parser):
-        parser.add_argument("-b", "--beat", action="store_true")
+        parser.add_argument(
+            "-b",
+            "--beat",
+            action="store_false",
+            help="When set, this worker will _not_ run Beat (scheduled) tasks",
+        )

    def handle(self, **options):
+        LOGGER.debug("Celery options", **options)
        close_old_connections()
        if CONFIG.get_bool("remote_debug"):
            import debugpy
--- a/authentik/events/signals.py
+++ b/authentik/events/signals.py
@ -13,6 +13,7 @@ from authentik.events.tasks import event_notification_handler, gdpr_cleanup
 from authentik.flows.models import Stage
 from authentik.flows.planner import PLAN_CONTEXT_SOURCE, FlowPlan
 from authentik.flows.views.executor import SESSION_KEY_PLAN
+from authentik.lib.config import CONFIG
 from authentik.stages.invitation.models import Invitation
 from authentik.stages.invitation.signals import invitation_used
 from authentik.stages.password.stage import PLAN_CONTEXT_METHOD, PLAN_CONTEXT_METHOD_ARGS
@ -92,4 +93,5 @@ def event_post_save_notification(sender, instance: Event, **_):
@receiver(pre_delete, sender=User)
 def event_user_pre_delete_cleanup(sender, instance: User, **_):
    """If gdpr_compliance is enabled, remove all the user's events"""
+    if CONFIG.get_bool("gdpr_compliance", True):
        gdpr_cleanup.delay(instance.pk)
--- a/authentik/events/utils.py
+++ b/authentik/events/utils.py
@ -153,6 +153,12 @@ def sanitize_item(value: Any) -> Any:
        return value.isoformat()
    if isinstance(value, timedelta):
        return str(value.total_seconds())
+    if callable(value):
+        return {
+            "type": "callable",
+            "name": value.__name__,
+            "module": value.__module__,
+        }
    return value


--- a/authentik/flows/planner.py
+++ b/authentik/flows/planner.py
@ -33,7 +33,7 @@ PLAN_CONTEXT_SOURCE = "source"
 # Is set by the Flow Planner when a FlowToken was used, and the currently active flow plan
 # was restored.
 PLAN_CONTEXT_IS_RESTORED = "is_restored"
-CACHE_TIMEOUT = CONFIG.get_int("redis.cache_timeout_flows")
+CACHE_TIMEOUT = CONFIG.get_int("cache.timeout_flows")
 CACHE_PREFIX = "goauthentik.io/flows/planner/"


--- a/authentik/lib/config.py
+++ b/authentik/lib/config.py
@ -1,4 +1,6 @@
 """authentik core config loader"""
+import base64
+import json
 import os
 from collections.abc import Mapping
 from contextlib import contextmanager
@ -22,6 +24,25 @@ SEARCH_PATHS = ["authentik/lib/default.yml", "/etc/authentik/config.yml", ""] +
 ENV_PREFIX = "AUTHENTIK"
 ENVIRONMENT = os.getenv(f"{ENV_PREFIX}_ENV", "local")

+REDIS_ENV_KEYS = [
+    f"{ENV_PREFIX}_REDIS__HOST",
+    f"{ENV_PREFIX}_REDIS__PORT",
+    f"{ENV_PREFIX}_REDIS__DB",
+    f"{ENV_PREFIX}_REDIS__USERNAME",
+    f"{ENV_PREFIX}_REDIS__PASSWORD",
+    f"{ENV_PREFIX}_REDIS__TLS",
+    f"{ENV_PREFIX}_REDIS__TLS_REQS",
+]
+
+DEPRECATIONS = {
+    "redis.broker_url": "broker.url",
+    "redis.broker_transport_options": "broker.transport_options",
+    "redis.cache_timeout": "cache.timeout",
+    "redis.cache_timeout_flows": "cache.timeout_flows",
+    "redis.cache_timeout_policies": "cache.timeout_policies",
+    "redis.cache_timeout_reputation": "cache.timeout_reputation",
+}
+

 def get_path_from_dict(root: dict, path: str, sep=".", default=None) -> Any:
    """Recursively walk through `root`, checking each part of `path` separated by `sep`.
@ -81,6 +102,10 @@ class AttrEncoder(JSONEncoder):
        return super().default(o)


+class UNSET:
+    """Used to test whether configuration key has not been set."""
+
+
 class ConfigLoader:
    """Search through SEARCH_PATHS and load configuration. Environment variables starting with
    `ENV_PREFIX` are also applied.
@ -113,6 +138,40 @@ class ConfigLoader:
                        self.update_from_file(env_file)
        self.update_from_env()
        self.update(self.__config, kwargs)
+        self.check_deprecations()
+
+    def check_deprecations(self):
+        """Warn if any deprecated configuration options are used"""
+
+        def _pop_deprecated_key(current_obj, dot_parts, index):
+            """Recursive function to remove deprecated keys in configuration"""
+            dot_part = dot_parts[index]
+            if index == len(dot_parts) - 1:
+                return current_obj.pop(dot_part)
+            value = _pop_deprecated_key(current_obj[dot_part], dot_parts, index + 1)
+            if not current_obj[dot_part]:
+                current_obj.pop(dot_part)
+            return value
+
+        for deprecation, replacement in DEPRECATIONS.items():
+            if self.get(deprecation, default=UNSET) is not UNSET:
+                message = (
+                    f"'{deprecation}' has been deprecated in favor of '{replacement}'! "
+                    + "Please update your configuration."
+                )
+                self.log(
+                    "warning",
+                    message,
+                )
+                try:
+                    from authentik.events.models import Event, EventAction
+
+                    Event.new(EventAction.CONFIGURATION_ERROR, message=message).save()
+                except ImportError:
+                    continue
+
+                deprecated_attr = _pop_deprecated_key(self.__config, deprecation.split("."), 0)
+                self.set(replacement, deprecated_attr.value)

    def log(self, level: str, message: str, **kwargs):
        """Custom Log method, we want to ensure ConfigLoader always logs JSON even when
@ -180,6 +239,10 @@ class ConfigLoader:
                error=str(exc),
            )

+    def update_from_dict(self, update: dict):
+        """Update config from dict"""
+        self.__config.update(update)
+
    def update_from_env(self):
        """Check environment variables"""
        outer = {}
@ -188,19 +251,13 @@ class ConfigLoader:
            if not key.startswith(ENV_PREFIX):
                continue
            relative_key = key.replace(f"{ENV_PREFIX}_", "", 1).replace("__", ".").lower()
-            # Recursively convert path from a.b.c into outer[a][b][c]
-            current_obj = outer
-            dot_parts = relative_key.split(".")
-            for dot_part in dot_parts[:-1]:
-                if dot_part not in current_obj:
-                    current_obj[dot_part] = {}
-                current_obj = current_obj[dot_part]
            # Check if the value is json, and try to load it
            try:
                value = loads(value)
            except JSONDecodeError:
                pass
-            current_obj[dot_parts[-1]] = Attr(value, Attr.Source.ENV, key)
+            attr_value = Attr(value, Attr.Source.ENV, relative_key)
+            set_path_in_dict(outer, relative_key, attr_value)
            idx += 1
        if idx > 0:
            self.log("debug", "Loaded environment variables", count=idx)
@ -241,6 +298,23 @@ class ConfigLoader:
        """Wrapper for get that converts value into boolean"""
        return str(self.get(path, default)).lower() == "true"

+    def get_dict_from_b64_json(self, path: str, default=None) -> dict:
+        """Wrapper for get that converts value from Base64 encoded string into dictionary"""
+        config_value = self.get(path)
+        if config_value is None:
+            return {}
+        try:
+            b64decoded_str = base64.b64decode(config_value).decode("utf-8")
+            b64decoded_str = b64decoded_str.strip().lstrip("{").rstrip("}")
+            b64decoded_str = "{" + b64decoded_str + "}"
+            return json.loads(b64decoded_str)
+        except (JSONDecodeError, TypeError, ValueError) as exc:
+            self.log(
+                "warning",
+                f"Ignored invalid configuration for '{path}' due to exception: {str(exc)}",
+            )
+            return default if isinstance(default, dict) else {}
+
    def set(self, path: str, value: Any, sep="."):
        """Set value using same syntax as get()"""
        set_path_in_dict(self.raw, path, Attr(value), sep=sep)
--- a/authentik/lib/default.yml
+++ b/authentik/lib/default.yml
@ -28,14 +28,28 @@ listen:
 redis:
  host: localhost
  port: 6379
+  db: 0
+  username: ""
  password: ""
  tls: false
  tls_reqs: "none"
-  db: 0
-  cache_timeout: 300
-  cache_timeout_flows: 300
-  cache_timeout_policies: 300
-  cache_timeout_reputation: 300
+
+# broker:
+  # url: ""
+  # transport_options: ""
+
+cache:
+  # url: ""
+  timeout: 300
+  timeout_flows: 300
+  timeout_policies: 300
+  timeout_reputation: 300
+
+# channel:
+  # url: ""
+
+# result_backend:
+  # url: ""

 paths:
  media: ./media
--- a/authentik/lib/tests/test_config.py
+++ b/authentik/lib/tests/test_config.py
@ -1,20 +1,32 @@
 """Test config loader"""
+import base64
+from json import dumps
 from os import chmod, environ, unlink, write
 from tempfile import mkstemp
+from unittest import mock

 from django.conf import ImproperlyConfigured
 from django.test import TestCase

-from authentik.lib.config import ENV_PREFIX, ConfigLoader
+from authentik.lib.config import ENV_PREFIX, UNSET, Attr, AttrEncoder, ConfigLoader


 class TestConfig(TestCase):
    """Test config loader"""

+    check_deprecations_env_vars = {
+        ENV_PREFIX + "_REDIS__BROKER_URL": "redis://myredis:8327/43",
+        ENV_PREFIX + "_REDIS__BROKER_TRANSPORT_OPTIONS": "bWFzdGVybmFtZT1teW1hc3Rlcg==",
+        ENV_PREFIX + "_REDIS__CACHE_TIMEOUT": "124s",
+        ENV_PREFIX + "_REDIS__CACHE_TIMEOUT_FLOWS": "32m",
+        ENV_PREFIX + "_REDIS__CACHE_TIMEOUT_POLICIES": "3920ns",
+        ENV_PREFIX + "_REDIS__CACHE_TIMEOUT_REPUTATION": "298382us",
+    }
+
+    @mock.patch.dict(environ, {ENV_PREFIX + "_test__test": "bar"})
    def test_env(self):
        """Test simple instance"""
        config = ConfigLoader()
-        environ[ENV_PREFIX + "_test__test"] = "bar"
        config.update_from_env()
        self.assertEqual(config.get("test.test"), "bar")

@ -27,12 +39,20 @@ class TestConfig(TestCase):
            self.assertEqual(config.get("foo.bar"), "baz")
        self.assertEqual(config.get("foo.bar"), "bar")

+    @mock.patch.dict(environ, {"foo": "bar"})
    def test_uri_env(self):
        """Test URI parsing (environment)"""
        config = ConfigLoader()
-        environ["foo"] = "bar"
-        self.assertEqual(config.parse_uri("env://foo").value, "bar")
-        self.assertEqual(config.parse_uri("env://foo?bar").value, "bar")
+        foo_uri = "env://foo"
+        foo_parsed = config.parse_uri(foo_uri)
+        self.assertEqual(foo_parsed.value, "bar")
+        self.assertEqual(foo_parsed.source_type, Attr.Source.URI)
+        self.assertEqual(foo_parsed.source, foo_uri)
+        foo_bar_uri = "env://foo?bar"
+        foo_bar_parsed = config.parse_uri(foo_bar_uri)
+        self.assertEqual(foo_bar_parsed.value, "bar")
+        self.assertEqual(foo_bar_parsed.source_type, Attr.Source.URI)
+        self.assertEqual(foo_bar_parsed.source, foo_bar_uri)

    def test_uri_file(self):
        """Test URI parsing (file load)"""
@ -91,3 +111,60 @@ class TestConfig(TestCase):
        config = ConfigLoader()
        config.set("foo", "bar")
        self.assertEqual(config.get_int("foo", 1234), 1234)
+
+    def test_get_dict_from_b64_json(self):
+        """Test get_dict_from_b64_json"""
+        config = ConfigLoader()
+        test_value = '  { "foo": "bar"   }   '.encode("utf-8")
+        b64_value = base64.b64encode(test_value)
+        config.set("foo", b64_value)
+        self.assertEqual(config.get_dict_from_b64_json("foo"), {"foo": "bar"})
+
+    def test_get_dict_from_b64_json_missing_brackets(self):
+        """Test get_dict_from_b64_json with missing brackets"""
+        config = ConfigLoader()
+        test_value = ' "foo": "bar"     '.encode("utf-8")
+        b64_value = base64.b64encode(test_value)
+        config.set("foo", b64_value)
+        self.assertEqual(config.get_dict_from_b64_json("foo"), {"foo": "bar"})
+
+    def test_get_dict_from_b64_json_invalid(self):
+        """Test get_dict_from_b64_json with invalid value"""
+        config = ConfigLoader()
+        config.set("foo", "bar")
+        self.assertEqual(config.get_dict_from_b64_json("foo"), {})
+
+    def test_attr_json_encoder(self):
+        """Test AttrEncoder"""
+        test_attr = Attr("foo", Attr.Source.ENV, "AUTHENTIK_REDIS__USERNAME")
+        json_attr = dumps(test_attr, indent=4, cls=AttrEncoder)
+        self.assertEqual(json_attr, '"foo"')
+
+    def test_attr_json_encoder_no_attr(self):
+        """Test AttrEncoder if no Attr is passed"""
+
+        class Test:
+            """Non Attr class"""
+
+        with self.assertRaises(TypeError):
+            test_obj = Test()
+            dumps(test_obj, indent=4, cls=AttrEncoder)
+
+    @mock.patch.dict(environ, check_deprecations_env_vars)
+    def test_check_deprecations(self):
+        """Test config key re-write for deprecated env vars"""
+        config = ConfigLoader()
+        config.update_from_env()
+        config.check_deprecations()
+        self.assertEqual(config.get("redis.broker_url", UNSET), UNSET)
+        self.assertEqual(config.get("redis.broker_transport_options", UNSET), UNSET)
+        self.assertEqual(config.get("redis.cache_timeout", UNSET), UNSET)
+        self.assertEqual(config.get("redis.cache_timeout_flows", UNSET), UNSET)
+        self.assertEqual(config.get("redis.cache_timeout_policies", UNSET), UNSET)
+        self.assertEqual(config.get("redis.cache_timeout_reputation", UNSET), UNSET)
+        self.assertEqual(config.get("broker.url"), "redis://myredis:8327/43")
+        self.assertEqual(config.get("broker.transport_options"), "bWFzdGVybmFtZT1teW1hc3Rlcg==")
+        self.assertEqual(config.get("cache.timeout"), "124s")
+        self.assertEqual(config.get("cache.timeout_flows"), "32m")
+        self.assertEqual(config.get("cache.timeout_policies"), "3920ns")
+        self.assertEqual(config.get("cache.timeout_reputation"), "298382us")
--- a/authentik/outposts/consumer.py
+++ b/authentik/outposts/consumer.py
@ -93,7 +93,7 @@ class OutpostConsumer(AuthJsonConsumer):
                expected=self.outpost.config.kubernetes_replicas,
            ).dec()

-    def receive_json(self, content: Data):
+    def receive_json(self, content: Data, **kwargs):
        msg = from_dict(WebsocketMessage, content)
        uid = msg.args.get("uuid", self.channel_name)
        self.last_uid = uid
--- a/authentik/policies/event_matcher/migrations/0019_alter_eventmatcherpolicy_app.py
+++ b/authentik/policies/event_matcher/migrations/0019_alter_eventmatcherpolicy_app.py
@ -39,6 +39,7 @@ class Migration(migrations.Migration):
                    ("authentik.sources.oauth", "authentik Sources.OAuth"),
                    ("authentik.sources.plex", "authentik Sources.Plex"),
                    ("authentik.sources.saml", "authentik Sources.SAML"),
+                    ("authentik.sources.scim", "authentik Sources.SCIM"),
                    ("authentik.stages.authenticator_duo", "authentik Stages.Authenticator.Duo"),
                    ("authentik.stages.authenticator_sms", "authentik Stages.Authenticator.SMS"),
                    (
--- a/authentik/policies/process.py
+++ b/authentik/policies/process.py
@ -20,7 +20,7 @@ from authentik.policies.types import CACHE_PREFIX, PolicyRequest, PolicyResult
 LOGGER = get_logger()

 FORK_CTX = get_context("fork")
-CACHE_TIMEOUT = CONFIG.get_int("redis.cache_timeout_policies")
+CACHE_TIMEOUT = CONFIG.get_int("cache.timeout_policies")
 PROCESS_CLASS = FORK_CTX.Process


--- a/authentik/policies/reputation/signals.py
+++ b/authentik/policies/reputation/signals.py
@ -13,7 +13,7 @@ from authentik.policies.reputation.tasks import save_reputation
 from authentik.stages.identification.signals import identification_failed

 LOGGER = get_logger()
-CACHE_TIMEOUT = CONFIG.get_int("redis.cache_timeout_reputation")
+CACHE_TIMEOUT = CONFIG.get_int("cache.timeout_reputation")


 def update_score(request: HttpRequest, identifier: str, amount: int):
--- a/authentik/providers/oauth2/utils.py
+++ b/authentik/providers/oauth2/utils.py
@ -188,6 +188,7 @@ def authenticate_provider(request: HttpRequest) -> Optional[OAuth2Provider]:
    if client_id != provider.client_id or client_secret != provider.client_secret:
        LOGGER.debug("(basic) Provider for basic auth does not exist")
        return None
+    CTX_AUTH_VIA.set("oauth_client_secret")
    return provider


--- a/authentik/providers/oauth2/views/token.py
+++ b/authentik/providers/oauth2/views/token.py
@ -17,6 +17,7 @@ from jwt import PyJWK, PyJWT, PyJWTError, decode
 from sentry_sdk.hub import Hub
 from structlog.stdlib import get_logger

+from authentik.core.middleware import CTX_AUTH_VIA
 from authentik.core.models import (
    USER_ATTRIBUTE_EXPIRES,
    USER_ATTRIBUTE_GENERATED,
@ -448,6 +449,7 @@ class TokenView(View):
                if not self.provider:
                    LOGGER.warning("OAuth2Provider does not exist", client_id=client_id)
                    raise TokenError("invalid_client")
+                CTX_AUTH_VIA.set("oauth_client_secret")
                self.params = TokenParams.parse(request, self.provider, client_id, client_secret)

            with Hub.current.start_span(
--- a/authentik/providers/scim/clients/group.py
+++ b/authentik/providers/scim/clients/group.py
@ -46,7 +46,9 @@ class SCIMGroupClient(SCIMClient[Group, SCIMGroupSchema]):

    def to_scim(self, obj: Group) -> SCIMGroupSchema:
        """Convert authentik user into SCIM"""
-        raw_scim_group = {}
+        raw_scim_group = {
+            "schemas": ("urn:ietf:params:scim:schemas:core:2.0:Group",),
+        }
        for mapping in (
            self.provider.property_mappings_group.all().order_by("name").select_subclasses()
        ):
--- a/authentik/providers/scim/clients/schema.py
+++ b/authentik/providers/scim/clients/schema.py
@ -15,12 +15,14 @@ from pydanticscim.user import User as BaseUser
 class User(BaseUser):
    """Modified User schema with added externalId field"""

+    schemas: tuple[str] = ("urn:ietf:params:scim:schemas:core:2.0:User",)
    externalId: Optional[str] = None


 class Group(BaseGroup):
    """Modified Group schema with added externalId field"""

+    schemas: tuple[str] = ("urn:ietf:params:scim:schemas:core:2.0:Group",)
    externalId: Optional[str] = None


--- a/authentik/providers/scim/clients/user.py
+++ b/authentik/providers/scim/clients/user.py
@ -39,7 +39,9 @@ class SCIMUserClient(SCIMClient[User, SCIMUserSchema]):

    def to_scim(self, obj: User) -> SCIMUserSchema:
        """Convert authentik user into SCIM"""
-        raw_scim_user = {}
+        raw_scim_user = {
+            "schemas": ("urn:ietf:params:scim:schemas:core:2.0:User",),
+        }
        for mapping in self.provider.property_mappings.all().order_by("name").select_subclasses():
            if not isinstance(mapping, SCIMMapping):
                continue
--- a/authentik/providers/scim/tests/test_group.py
+++ b/authentik/providers/scim/tests/test_group.py
@ -61,7 +61,11 @@ class SCIMGroupTests(TestCase):
        self.assertEqual(mock.request_history[1].method, "POST")
        self.assertJSONEqual(
            mock.request_history[1].body,
-            {"externalId": str(group.pk), "displayName": group.name},
+            {
+                "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
+                "externalId": str(group.pk),
+                "displayName": group.name,
+            },
        )

    @Mocker()
@ -96,7 +100,11 @@ class SCIMGroupTests(TestCase):
            validate(body, loads(schema.read()))
        self.assertEqual(
            body,
-            {"externalId": str(group.pk), "displayName": group.name},
+            {
+                "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
+                "externalId": str(group.pk),
+                "displayName": group.name,
+            },
        )
        group.save()
        self.assertEqual(mock.call_count, 4)
@ -129,7 +137,11 @@ class SCIMGroupTests(TestCase):
        self.assertEqual(mock.request_history[1].method, "POST")
        self.assertJSONEqual(
            mock.request_history[1].body,
-            {"externalId": str(group.pk), "displayName": group.name},
+            {
+                "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
+                "externalId": str(group.pk),
+                "displayName": group.name,
+            },
        )
        group.delete()
        self.assertEqual(mock.call_count, 4)
--- a/authentik/providers/scim/tests/test_membership.py
+++ b/authentik/providers/scim/tests/test_membership.py
@ -89,6 +89,7 @@ class SCIMMembershipTests(TestCase):
            self.assertJSONEqual(
                mocker.request_history[3].body,
                {
+                    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
                    "emails": [],
                    "active": True,
                    "externalId": user.uid,
@ -99,7 +100,11 @@ class SCIMMembershipTests(TestCase):
            )
            self.assertJSONEqual(
                mocker.request_history[5].body,
-                {"externalId": str(group.pk), "displayName": group.name},
+                {
+                    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
+                    "externalId": str(group.pk),
+                    "displayName": group.name,
+                },
            )

        with Mocker() as mocker:
@ -118,6 +123,7 @@ class SCIMMembershipTests(TestCase):
            self.assertJSONEqual(
                mocker.request_history[1].body,
                {
+                    "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
                    "Operations": [
                        {
                            "op": "add",
@ -125,7 +131,6 @@ class SCIMMembershipTests(TestCase):
                            "value": [{"value": user_scim_id}],
                        }
                    ],
-                    "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
                },
            )

@ -174,6 +179,7 @@ class SCIMMembershipTests(TestCase):
            self.assertJSONEqual(
                mocker.request_history[3].body,
                {
+                    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
                    "active": True,
                    "displayName": "",
                    "emails": [],
@ -184,7 +190,11 @@ class SCIMMembershipTests(TestCase):
            )
            self.assertJSONEqual(
                mocker.request_history[5].body,
-                {"externalId": str(group.pk), "displayName": group.name},
+                {
+                    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
+                    "externalId": str(group.pk),
+                    "displayName": group.name,
+                },
            )

        with Mocker() as mocker:
@ -203,6 +213,7 @@ class SCIMMembershipTests(TestCase):
            self.assertJSONEqual(
                mocker.request_history[1].body,
                {
+                    "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
                    "Operations": [
                        {
                            "op": "add",
@ -210,7 +221,6 @@ class SCIMMembershipTests(TestCase):
                            "value": [{"value": user_scim_id}],
                        }
                    ],
-                    "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
                },
            )

@ -230,6 +240,7 @@ class SCIMMembershipTests(TestCase):
            self.assertJSONEqual(
                mocker.request_history[1].body,
                {
+                    "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
                    "Operations": [
                        {
                            "op": "remove",
@ -237,6 +248,5 @@ class SCIMMembershipTests(TestCase):
                            "value": [{"value": user_scim_id}],
                        }
                    ],
-                    "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
                },
            )
--- a/authentik/providers/scim/tests/test_user.py
+++ b/authentik/providers/scim/tests/test_user.py
@ -66,6 +66,7 @@ class SCIMUserTests(TestCase):
        self.assertJSONEqual(
            mock.request_history[1].body,
            {
+                "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
                "active": True,
                "emails": [
                    {
@ -121,6 +122,7 @@ class SCIMUserTests(TestCase):
        self.assertEqual(
            body,
            {
+                "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
                "active": True,
                "emails": [
                    {
@ -173,6 +175,7 @@ class SCIMUserTests(TestCase):
        self.assertJSONEqual(
            mock.request_history[1].body,
            {
+                "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
                "active": True,
                "emails": [
                    {
@ -240,6 +243,7 @@ class SCIMUserTests(TestCase):
        self.assertJSONEqual(
            mock.request_history[1].body,
            {
+                "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
                "active": True,
                "emails": [
                    {
--- a/authentik/root/settings.py
+++ b/authentik/root/settings.py
@ -1,5 +1,4 @@
 """root settings for authentik"""
-
 import importlib
 import os
 from hashlib import sha512
@ -83,6 +82,7 @@ INSTALLED_APPS = [
    "authentik.sources.oauth",
    "authentik.sources.plex",
    "authentik.sources.saml",
+    "authentik.sources.scim",
    "authentik.stages.authenticator",
    "authentik.stages.authenticator_duo",
    "authentik.stages.authenticator_sms",
@ -147,6 +147,9 @@ SPECTACULAR_SETTINGS = {
        "UserTypeEnum": "authentik.core.models.UserTypes",
    },
    "ENUM_ADD_EXPLICIT_BLANK_NULL_CHOICE": False,
+    "PREPROCESSING_HOOKS": [
+        "authentik.api.schema.preprocess_schema_exclude_non_api",
+    ],
    "POSTPROCESSING_HOOKS": [
        "authentik.api.schema.postprocess_schema_responses",
        "drf_spectacular.hooks.postprocess_schema_enums",
@ -195,8 +198,8 @@ _redis_url = (
 CACHES = {
    "default": {
        "BACKEND": "django_redis.cache.RedisCache",
-        "LOCATION": f"{_redis_url}/{CONFIG.get('redis.db')}",
-        "TIMEOUT": CONFIG.get_int("redis.cache_timeout", 300),
+        "LOCATION": CONFIG.get("cache.url") or f"{_redis_url}/{CONFIG.get('redis.db')}",
+        "TIMEOUT": CONFIG.get_int("cache.timeout", 300),
        "OPTIONS": {"CLIENT_CLASS": "django_redis.client.DefaultClient"},
        "KEY_PREFIX": "authentik_cache",
    }
@ -256,7 +259,7 @@ CHANNEL_LAYERS = {
    "default": {
        "BACKEND": "channels_redis.pubsub.RedisPubSubChannelLayer",
        "CONFIG": {
-            "hosts": [f"{_redis_url}/{CONFIG.get('redis.db')}"],
+            "hosts": [CONFIG.get("channel.url", f"{_redis_url}/{CONFIG.get('redis.db')}")],
            "prefix": "authentik_channels_",
        },
    },
@ -349,8 +352,11 @@ CELERY = {
    },
    "task_create_missing_queues": True,
    "task_default_queue": "authentik",
-    "broker_url": f"{_redis_url}/{CONFIG.get('redis.db')}{_redis_celery_tls_requirements}",
-    "result_backend": f"{_redis_url}/{CONFIG.get('redis.db')}{_redis_celery_tls_requirements}",
+    "broker_url": CONFIG.get("broker.url")
+    or f"{_redis_url}/{CONFIG.get('redis.db')}{_redis_celery_tls_requirements}",
+    "broker_transport_options": CONFIG.get_dict_from_b64_json("broker.transport_options"),
+    "result_backend": CONFIG.get("result_backend.url")
+    or f"{_redis_url}/{CONFIG.get('redis.db')}{_redis_celery_tls_requirements}",
 }

 # Sentry integration
--- a/authentik/sources/ldap/api.py
+++ b/authentik/sources/ldap/api.py
@ -1,13 +1,14 @@
 """Source API Views"""
-from typing import Any
+from typing import Any, Optional

+from django.core.cache import cache
 from django_filters.filters import AllValuesMultipleFilter
 from django_filters.filterset import FilterSet
 from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import extend_schema, extend_schema_field, inline_serializer
 from rest_framework.decorators import action
 from rest_framework.exceptions import ValidationError
-from rest_framework.fields import DictField, ListField
+from rest_framework.fields import BooleanField, DictField, ListField, SerializerMethodField
 from rest_framework.relations import PrimaryKeyRelatedField
 from rest_framework.request import Request
 from rest_framework.response import Response
@ -17,15 +18,17 @@ from authentik.admin.api.tasks import TaskSerializer
 from authentik.core.api.propertymappings import PropertyMappingSerializer
 from authentik.core.api.sources import SourceSerializer
 from authentik.core.api.used_by import UsedByMixin
+from authentik.core.api.utils import PassiveSerializer
 from authentik.crypto.models import CertificateKeyPair
 from authentik.events.monitored_tasks import TaskInfo
 from authentik.sources.ldap.models import LDAPPropertyMapping, LDAPSource
-from authentik.sources.ldap.tasks import SYNC_CLASSES
+from authentik.sources.ldap.tasks import CACHE_KEY_STATUS, SYNC_CLASSES


 class LDAPSourceSerializer(SourceSerializer):
    """LDAP Source Serializer"""

+    connectivity = SerializerMethodField()
    client_certificate = PrimaryKeyRelatedField(
        allow_null=True,
        help_text="Client certificate to authenticate against the LDAP Server's Certificate.",
@ -35,6 +38,10 @@ class LDAPSourceSerializer(SourceSerializer):
        required=False,
    )

+    def get_connectivity(self, source: LDAPSource) -> Optional[dict[str, dict[str, str]]]:
+        """Get cached source connectivity"""
+        return cache.get(CACHE_KEY_STATUS + source.slug, None)
+
    def validate(self, attrs: dict[str, Any]) -> dict[str, Any]:
        """Check that only a single source has password_sync on"""
        sync_users_password = attrs.get("sync_users_password", True)
@ -75,10 +82,18 @@ class LDAPSourceSerializer(SourceSerializer):
            "sync_parent_group",
            "property_mappings",
            "property_mappings_group",
+            "connectivity",
        ]
        extra_kwargs = {"bind_password": {"write_only": True}}


+class LDAPSyncStatusSerializer(PassiveSerializer):
+    """LDAP Source sync status"""
+
+    is_running = BooleanField(read_only=True)
+    tasks = TaskSerializer(many=True, read_only=True)
+
+
 class LDAPSourceViewSet(UsedByMixin, ModelViewSet):
    """LDAP Source Viewset"""

@ -114,19 +129,19 @@ class LDAPSourceViewSet(UsedByMixin, ModelViewSet):

    @extend_schema(
        responses={
-            200: TaskSerializer(many=True),
+            200: LDAPSyncStatusSerializer(),
        }
    )
    @action(methods=["GET"], detail=True, pagination_class=None, filter_backends=[])
    def sync_status(self, request: Request, slug: str) -> Response:
        """Get source's sync status"""
-        source = self.get_object()
-        results = []
-        tasks = TaskInfo.by_name(f"ldap_sync:{source.slug}:*")
-        if tasks:
-            for task in tasks:
-                results.append(task)
-        return Response(TaskSerializer(results, many=True).data)
+        source: LDAPSource = self.get_object()
+        tasks = TaskInfo.by_name(f"ldap_sync:{source.slug}:*") or []
+        status = {
+            "tasks": tasks,
+            "is_running": source.sync_lock.locked(),
+        }
+        return Response(LDAPSyncStatusSerializer(status).data)

    @extend_schema(
        responses={
--- a/authentik/sources/ldap/management/commands/ldap_check_connection.py
+++ b/authentik/sources/ldap/management/commands/ldap_check_connection.py
@ -0,0 +1,24 @@
+"""LDAP Connection check"""
+from json import dumps
+
+from django.core.management.base import BaseCommand
+from structlog.stdlib import get_logger
+
+from authentik.sources.ldap.models import LDAPSource
+
+LOGGER = get_logger()
+
+
+class Command(BaseCommand):
+    """Check connectivity to LDAP servers for a source"""
+
+    def add_arguments(self, parser):
+        parser.add_argument("source_slugs", nargs="?", type=str)
+
+    def handle(self, **options):
+        sources = LDAPSource.objects.filter(enabled=True)
+        if options["source_slugs"]:
+            sources = LDAPSource.objects.filter(slug__in=options["source_slugs"])
+        for source in sources.order_by("slug"):
+            status = source.check_connection()
+            self.stdout.write(dumps(status, indent=4))
--- a/authentik/sources/ldap/models.py
+++ b/authentik/sources/ldap/models.py
@ -4,10 +4,12 @@ from ssl import CERT_REQUIRED
 from tempfile import NamedTemporaryFile, mkdtemp
 from typing import Optional

+from django.core.cache import cache
 from django.db import models
 from django.utils.translation import gettext_lazy as _
 from ldap3 import ALL, NONE, RANDOM, Connection, Server, ServerPool, Tls
-from ldap3.core.exceptions import LDAPInsufficientAccessRightsResult, LDAPSchemaError
+from ldap3.core.exceptions import LDAPException, LDAPInsufficientAccessRightsResult, LDAPSchemaError
+from redis.lock import Lock
 from rest_framework.serializers import Serializer

 from authentik.core.models import Group, PropertyMapping, Source
@ -117,7 +119,7 @@ class LDAPSource(Source):

        return LDAPSourceSerializer

-    def server(self, **kwargs) -> Server:
+    def server(self, **kwargs) -> ServerPool:
        """Get LDAP Server/ServerPool"""
        servers = []
        tls_kwargs = {}
@ -154,7 +156,10 @@ class LDAPSource(Source):
        return ServerPool(servers, RANDOM, active=5, exhaust=True)

    def connection(
-        self, server_kwargs: Optional[dict] = None, connection_kwargs: Optional[dict] = None
+        self,
+        server: Optional[Server] = None,
+        server_kwargs: Optional[dict] = None,
+        connection_kwargs: Optional[dict] = None,
    ) -> Connection:
        """Get a fully connected and bound LDAP Connection"""
        server_kwargs = server_kwargs or {}
@ -164,7 +169,7 @@ class LDAPSource(Source):
        if self.bind_password is not None:
            connection_kwargs.setdefault("password", self.bind_password)
        connection = Connection(
-            self.server(**server_kwargs),
+            server or self.server(**server_kwargs),
            raise_exceptions=True,
            receive_timeout=LDAP_TIMEOUT,
            **connection_kwargs,
@ -183,9 +188,55 @@ class LDAPSource(Source):
            if server_kwargs.get("get_info", ALL) == NONE:
                raise exc
            server_kwargs["get_info"] = NONE
-            return self.connection(server_kwargs, connection_kwargs)
+            return self.connection(server, server_kwargs, connection_kwargs)
        return RuntimeError("Failed to bind")

+    @property
+    def sync_lock(self) -> Lock:
+        """Redis lock for syncing LDAP to prevent multiple parallel syncs happening"""
+        return Lock(
+            cache.client.get_client(),
+            name=f"goauthentik.io/sources/ldap/sync-{self.slug}",
+            # Convert task timeout hours to seconds, and multiply times 3
+            # (see authentik/sources/ldap/tasks.py:54)
+            # multiply by 3 to add even more leeway
+            timeout=(60 * 60 * CONFIG.get_int("ldap.task_timeout_hours")) * 3,
+        )
+
+    def check_connection(self) -> dict[str, dict[str, str]]:
+        """Check LDAP Connection"""
+        from authentik.sources.ldap.sync.base import flatten
+
+        servers = self.server()
+        server_info = {}
+        # Check each individual server
+        for server in servers.servers:
+            server: Server
+            try:
+                connection = self.connection(server=server)
+                server_info[server.host] = {
+                    "vendor": str(flatten(connection.server.info.vendor_name)),
+                    "version": str(flatten(connection.server.info.vendor_version)),
+                    "status": "ok",
+                }
+            except LDAPException as exc:
+                server_info[server.host] = {
+                    "status": str(exc),
+                }
+        # Check server pool
+        try:
+            connection = self.connection()
+            server_info["__all__"] = {
+                "vendor": str(flatten(connection.server.info.vendor_name)),
+                "version": str(flatten(connection.server.info.vendor_version)),
+                "status": "ok",
+            }
+        except LDAPException as exc:
+            server_info["__all__"] = {
+                "status": str(exc),
+            }
+        return server_info
+
    class Meta:
        verbose_name = _("LDAP Source")
        verbose_name_plural = _("LDAP Sources")
--- a/authentik/sources/ldap/settings.py
+++ b/authentik/sources/ldap/settings.py
@ -8,5 +8,10 @@ CELERY_BEAT_SCHEDULE = {
        "task": "authentik.sources.ldap.tasks.ldap_sync_all",
        "schedule": crontab(minute=fqdn_rand("sources_ldap_sync"), hour="*/2"),
        "options": {"queue": "authentik_scheduled"},
-    }
+    },
+    "sources_ldap_connectivity_check": {
+        "task": "authentik.sources.ldap.tasks.ldap_connectivity_check",
+        "schedule": crontab(minute=fqdn_rand("sources_ldap_connectivity_check"), hour="*"),
+        "options": {"queue": "authentik_scheduled"},
+    },
 }
--- a/authentik/sources/ldap/signals.py
+++ b/authentik/sources/ldap/signals.py
@ -14,7 +14,7 @@ from authentik.events.models import Event, EventAction
 from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER
 from authentik.sources.ldap.models import LDAPSource
 from authentik.sources.ldap.password import LDAPPasswordChanger
-from authentik.sources.ldap.tasks import ldap_sync_single
+from authentik.sources.ldap.tasks import ldap_connectivity_check, ldap_sync_single
 from authentik.stages.prompt.signals import password_validate

 LOGGER = get_logger()
@ -32,6 +32,7 @@ def sync_ldap_source_on_save(sender, instance: LDAPSource, **_):
    if not instance.property_mappings.exists() or not instance.property_mappings_group.exists():
        return
    ldap_sync_single.delay(instance.pk)
+    ldap_connectivity_check.delay(instance.pk)


@receiver(password_validate)
--- a/authentik/sources/ldap/sync/base.py
+++ b/authentik/sources/ldap/sync/base.py
@ -17,6 +17,15 @@ from authentik.sources.ldap.models import LDAPPropertyMapping, LDAPSource
 LDAP_UNIQUENESS = "ldap_uniq"


+def flatten(value: Any) -> Any:
+    """Flatten `value` if its a list"""
+    if isinstance(value, list):
+        if len(value) < 1:
+            return None
+        return value[0]
+    return value
+
+
 class BaseLDAPSynchronizer:
    """Sync LDAP Users and groups into authentik"""

@ -122,14 +131,6 @@ class BaseLDAPSynchronizer:
                cookie = None
            yield self._connection.response

-    def _flatten(self, value: Any) -> Any:
-        """Flatten `value` if its a list"""
-        if isinstance(value, list):
-            if len(value) < 1:
-                return None
-            return value[0]
-        return value
-
    def build_user_properties(self, user_dn: str, **kwargs) -> dict[str, Any]:
        """Build attributes for User object based on property mappings."""
        props = self._build_object_properties(user_dn, self._source.property_mappings, **kwargs)
@ -163,10 +164,10 @@ class BaseLDAPSynchronizer:
                object_field = mapping.object_field
                if object_field.startswith("attributes."):
                    # Because returning a list might desired, we can't
-                    # rely on self._flatten here. Instead, just save the result as-is
+                    # rely on flatten here. Instead, just save the result as-is
                    set_path_in_dict(properties, object_field, value)
                else:
-                    properties[object_field] = self._flatten(value)
+                    properties[object_field] = flatten(value)
            except PropertyMappingExpressionException as exc:
                Event.new(
                    EventAction.CONFIGURATION_ERROR,
@ -177,7 +178,7 @@ class BaseLDAPSynchronizer:
                self._logger.warning("Mapping failed to evaluate", exc=exc, mapping=mapping)
                continue
        if self._source.object_uniqueness_field in kwargs:
-            properties["attributes"][LDAP_UNIQUENESS] = self._flatten(
+            properties["attributes"][LDAP_UNIQUENESS] = flatten(
                kwargs.get(self._source.object_uniqueness_field)
            )
        properties["attributes"][LDAP_DISTINGUISHED_NAME] = object_dn
--- a/authentik/sources/ldap/sync/groups.py
+++ b/authentik/sources/ldap/sync/groups.py
@ -7,7 +7,7 @@ from ldap3 import ALL_ATTRIBUTES, ALL_OPERATIONAL_ATTRIBUTES, SUBTREE

 from authentik.core.models import Group
 from authentik.events.models import Event, EventAction
-from authentik.sources.ldap.sync.base import LDAP_UNIQUENESS, BaseLDAPSynchronizer
+from authentik.sources.ldap.sync.base import LDAP_UNIQUENESS, BaseLDAPSynchronizer, flatten


 class GroupLDAPSynchronizer(BaseLDAPSynchronizer):
@ -39,7 +39,7 @@ class GroupLDAPSynchronizer(BaseLDAPSynchronizer):
            if "attributes" not in group:
                continue
            attributes = group.get("attributes", {})
-            group_dn = self._flatten(self._flatten(group.get("entryDN", group.get("dn"))))
+            group_dn = flatten(flatten(group.get("entryDN", group.get("dn"))))
            if self._source.object_uniqueness_field not in attributes:
                self.message(
                    f"Cannot find uniqueness field in attributes: '{group_dn}'",
@ -47,7 +47,7 @@ class GroupLDAPSynchronizer(BaseLDAPSynchronizer):
                    dn=group_dn,
                )
                continue
-            uniq = self._flatten(attributes[self._source.object_uniqueness_field])
+            uniq = flatten(attributes[self._source.object_uniqueness_field])
            try:
                defaults = self.build_group_properties(group_dn, **attributes)
                defaults["parent"] = self._source.sync_parent_group
--- a/authentik/sources/ldap/sync/users.py
+++ b/authentik/sources/ldap/sync/users.py
@ -7,7 +7,7 @@ from ldap3 import ALL_ATTRIBUTES, ALL_OPERATIONAL_ATTRIBUTES, SUBTREE

 from authentik.core.models import User
 from authentik.events.models import Event, EventAction
-from authentik.sources.ldap.sync.base import LDAP_UNIQUENESS, BaseLDAPSynchronizer
+from authentik.sources.ldap.sync.base import LDAP_UNIQUENESS, BaseLDAPSynchronizer, flatten
 from authentik.sources.ldap.sync.vendor.freeipa import FreeIPA
 from authentik.sources.ldap.sync.vendor.ms_ad import MicrosoftActiveDirectory

@ -41,7 +41,7 @@ class UserLDAPSynchronizer(BaseLDAPSynchronizer):
            if "attributes" not in user:
                continue
            attributes = user.get("attributes", {})
-            user_dn = self._flatten(user.get("entryDN", user.get("dn")))
+            user_dn = flatten(user.get("entryDN", user.get("dn")))
            if self._source.object_uniqueness_field not in attributes:
                self.message(
                    f"Cannot find uniqueness field in attributes: '{user_dn}'",
@ -49,7 +49,7 @@ class UserLDAPSynchronizer(BaseLDAPSynchronizer):
                    dn=user_dn,
                )
                continue
-            uniq = self._flatten(attributes[self._source.object_uniqueness_field])
+            uniq = flatten(attributes[self._source.object_uniqueness_field])
            try:
                defaults = self.build_user_properties(user_dn, **attributes)
                self._logger.debug("Writing user with attributes", **defaults)
--- a/authentik/sources/ldap/sync/vendor/freeipa.py
+++ b/authentik/sources/ldap/sync/vendor/freeipa.py
@ -5,7 +5,7 @@ from typing import Any, Generator
 from pytz import UTC

 from authentik.core.models import User
-from authentik.sources.ldap.sync.base import BaseLDAPSynchronizer
+from authentik.sources.ldap.sync.base import BaseLDAPSynchronizer, flatten


 class FreeIPA(BaseLDAPSynchronizer):
@ -47,7 +47,7 @@ class FreeIPA(BaseLDAPSynchronizer):
            return
        # For some reason, nsaccountlock is not defined properly in the schema as bool
        # hence we get it as a list of strings
-        _is_locked = str(self._flatten(attributes.get("nsaccountlock", ["FALSE"])))
+        _is_locked = str(flatten(attributes.get("nsaccountlock", ["FALSE"])))
        # So we have to attempt to convert it to a bool
        is_locked = _is_locked.lower() == "true"
        # And then invert it since freeipa saves locked and we save active
--- a/authentik/sources/ldap/tasks.py
+++ b/authentik/sources/ldap/tasks.py
@ -1,13 +1,14 @@
 """LDAP Sync tasks"""
+from typing import Optional
 from uuid import uuid4

 from celery import chain, group
 from django.core.cache import cache
 from ldap3.core.exceptions import LDAPException
 from redis.exceptions import LockError
-from redis.lock import Lock
 from structlog.stdlib import get_logger

+from authentik.events.monitored_tasks import CACHE_KEY_PREFIX as CACHE_KEY_PREFIX_TASKS
 from authentik.events.monitored_tasks import MonitoredTask, TaskResult, TaskResultStatus
 from authentik.lib.config import CONFIG
 from authentik.lib.utils.errors import exception_to_string
@ -26,6 +27,7 @@ SYNC_CLASSES = [
    MembershipLDAPSynchronizer,
 ]
 CACHE_KEY_PREFIX = "goauthentik.io/sources/ldap/page/"
+CACHE_KEY_STATUS = "goauthentik.io/sources/ldap/status/"


@CELERY_APP.task()
@ -35,6 +37,19 @@ def ldap_sync_all():
        ldap_sync_single.apply_async(args=[source.pk])


+@CELERY_APP.task()
+def ldap_connectivity_check(pk: Optional[str] = None):
+    """Check connectivity for LDAP Sources"""
+    # 2 hour timeout, this task should run every hour
+    timeout = 60 * 60 * 2
+    sources = LDAPSource.objects.filter(enabled=True)
+    if pk:
+        sources = sources.filter(pk=pk)
+    for source in sources:
+        status = source.check_connection()
+        cache.set(CACHE_KEY_STATUS + source.slug, status, timeout=timeout)
+
+
@CELERY_APP.task(
    # We take the configured hours timeout time by 2.5 as we run user and
    # group in parallel and then membership, so 2x is to cover the serial tasks,
@ -47,12 +62,15 @@ def ldap_sync_single(source_pk: str):
    source: LDAPSource = LDAPSource.objects.filter(pk=source_pk).first()
    if not source:
        return
-    lock = Lock(cache.client.get_client(), name=f"goauthentik.io/sources/ldap/sync-{source.slug}")
+    lock = source.sync_lock
    if lock.locked():
        LOGGER.debug("LDAP sync locked, skipping task", source=source.slug)
        return
    try:
        with lock:
+            # Delete all sync tasks from the cache
+            keys = cache.keys(f"{CACHE_KEY_PREFIX_TASKS}ldap_sync:{source.slug}*")
+            cache.delete_many(keys)
            task = chain(
                # User and group sync can happen at once, they have no dependencies on each other
                group(
--- a/authentik/sources/oauth/types/patreon.py
+++ b/authentik/sources/oauth/types/patreon.py
@ -12,8 +12,9 @@ class PatreonOAuthRedirect(OAuthRedirect):
    """Patreon OAuth2 Redirect"""

    def get_additional_parameters(self, source: OAuthSource):  # pragma: no cover
+        # https://docs.patreon.com/#scopes
        return {
-            "scope": ["openid", "email", "profile"],
+            "scope": ["identity", "identity[email]"],
        }


--- a/authentik/sources/scim/init.py
+++ b/authentik/sources/scim/init.py
--- a/authentik/sources/scim/api.py
+++ b/authentik/sources/scim/api.py
@ -0,0 +1,62 @@
+"""SCIMSource API Views"""
+from django.urls import reverse_lazy
+from rest_framework.fields import SerializerMethodField
+from rest_framework.viewsets import ModelViewSet
+
+from authentik.core.api.sources import SourceSerializer
+from authentik.core.api.tokens import TokenSerializer
+from authentik.core.api.used_by import UsedByMixin
+from authentik.core.models import Token, TokenIntents, User, UserTypes
+from authentik.sources.scim.models import SCIMSource
+
+
+class SCIMSourceSerializer(SourceSerializer):
+    """SCIMSource Serializer"""
+
+    root_url = SerializerMethodField()
+    token_obj = TokenSerializer(source="token", required=False, read_only=True)
+
+    def get_root_url(self, instance: SCIMSource) -> str:
+        """Get Root URL"""
+        relative_url = reverse_lazy(
+            "authentik_sources_scim:v2-root",
+            kwargs={"source_slug": instance.slug},
+        )
+        if "request" not in self.context:
+            return relative_url
+        return self.context["request"].build_absolute_uri(relative_url)
+
+    def create(self, validated_data):
+        instance: SCIMSource = super().create(validated_data)
+        identifier = f"ak-source-scim-{instance.pk}"
+        user = User.objects.create(
+            username=identifier,
+            name=f"SCIM Source {instance.name} Service-Account",
+            type=UserTypes.SERVICE_ACCOUNT,
+        )
+        token = Token.objects.create(
+            user=user,
+            identifier=identifier,
+            intent=TokenIntents.INTENT_API,
+            expiring=False,
+            managed=f"goauthentik.io/sources/scim/{instance.pk}",
+        )
+        instance.token = token
+        instance.save()
+        return instance
+
+    class Meta:
+
+        model = SCIMSource
+        fields = SourceSerializer.Meta.fields + ["token", "root_url", "token_obj"]
+
+
+class SCIMSourceViewSet(UsedByMixin, ModelViewSet):
+    """SCIMSource Viewset"""
+
+    queryset = SCIMSource.objects.all()
+    serializer_class = SCIMSourceSerializer
+    lookup_field = "slug"
+    filterset_fields = ["name", "slug"]
+    search_fields = ["name", "slug", "token__identifier", "token__user__username"]
+    ordering = ["name"]
--- a/authentik/sources/scim/apps.py
+++ b/authentik/sources/scim/apps.py
@ -0,0 +1,11 @@
+"""Authentik SCIM app config"""
+
+from django.apps import AppConfig
+
+
+class AuthentikSourceSCIMConfig(AppConfig):
+    """authentik SCIM Source app config"""
+
+    name = "authentik.sources.scim"
+    label = "authentik_sources_scim"
+    verbose_name = "authentik Sources.SCIM"
--- a/authentik/sources/scim/errors.py
+++ b/authentik/sources/scim/errors.py
@ -0,0 +1,8 @@
+"""SCIM Errors"""
+
+from authentik.lib.sentry import SentryIgnoredException
+
+
+class PatchError(SentryIgnoredException):
+    """Error raised within an atomic block when an error happened
+    so nothing is saved"""
--- a/authentik/sources/scim/filters/ScimFilter.g4
+++ b/authentik/sources/scim/filters/ScimFilter.g4
@ -0,0 +1,61 @@
+grammar ScimFilter;
+
+parse
+    : filter
+    ;
+
+filter
+	: attrPath SP PR                             #presentExp
+	| attrPath SP COMPAREOPERATOR SP VALUE       #operatorExp
+	| NOT? SP* '(' filter ')'                    #braceExp
+	| attrPath '[' valPathFilter ']'             #valPathExp
+	| filter SP AND SP filter                    #andExp
+	| filter SP OR SP filter                     #orExp
+	;										     
+											     
+valPathFilter								     
+	: attrPath SP PR                             #valPathPresentExp
+	| attrPath SP COMPAREOPERATOR SP VALUE       #valPathOperatorExp
+	| NOT? SP* '(' valPathFilter ')'             #valPathBraceExp
+	| valPathFilter SP AND SP valPathFilter      #valPathAndExp
+	| valPathFilter SP OR SP valPathFilter       #valPathOrExp
+	;
+	
+attrPath 
+	: (SCHEMA)? ATTRNAME ('.' ATTRNAME)?
+	;
+
+COMPAREOPERATOR : EQ | NE | CO | SW | EW | GT | GE | LT | LE;
+
+EQ : [eE][qQ];
+NE : [nN][eE];
+CO : [cC][oO];
+SW : [sS][wW];
+EW : [eE][wW];
+PR : [pP][rR];
+GT : [gG][tT];
+GE : [gG][eE];
+LT : [lL][tT];
+LE : [lL][eE];
+
+NOT : [nN][oO][tT];
+AND : [aA][nN][dD];
+OR  : [oO][rR];
+
+SP : ' ';
+
+SCHEMA : 'urn:' (SEGMENT ':')+;
+
+ATTRNAME : ALPHA (ALPHA | DIGIT | '_' | '-')+;
+
+fragment SEGMENT : (ALPHA | DIGIT | '_' | '-' | '.')+;
+
+fragment DIGIT : [0-9];
+
+fragment ALPHA : [a-z] | [A-Z];
+
+ESCAPED_QUOTE : '\\"';
+
+VALUE : '"'(ESCAPED_QUOTE | ~'"')*'"' | 'true' | 'false' | 'null' | DIGIT+('.'DIGIT+)?;
+
+EXCLUDE : [\b | \t | \r | \n]+ -> skip;
--- a/authentik/sources/scim/filters/ScimFilter.interp
+++ b/authentik/sources/scim/filters/ScimFilter.interp
@ -0,0 +1,65 @@
+token literal names:
+null
+'('
+')'
+'['
+']'
+'.'
+null
+null
+null
+null
+null
+null
+null
+null
+null
+null
+null
+null
+null
+null
+' '
+null
+null
+'\\"'
+null
+null
+
+token symbolic names:
+null
+null
+null
+null
+null
+null
+COMPAREOPERATOR
+EQ
+NE
+CO
+SW
+EW
+PR
+GT
+GE
+LT
+LE
+NOT
+AND
+OR
+SP
+SCHEMA
+ATTRNAME
+ESCAPED_QUOTE
+VALUE
+EXCLUDE
+
+rule names:
+parse
+filter
+valPathFilter
+attrPath
+
+
+atn:
+[4, 1, 25, 106, 2, 0, 7, 0, 2, 1, 7, 1, 2, 2, 7, 2, 2, 3, 7, 3, 1, 0, 1, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 3, 1, 23, 8, 1, 1, 1, 5, 1, 26, 8, 1, 10, 1, 12, 1, 29, 9, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 3, 1, 40, 8, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 5, 1, 52, 8, 1, 10, 1, 12, 1, 55, 9, 1, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 3, 2, 69, 8, 2, 1, 2, 5, 2, 72, 8, 2, 10, 2, 12, 2, 75, 9, 2, 1, 2, 1, 2, 1, 2, 1, 2, 3, 2, 81, 8, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 5, 2, 93, 8, 2, 10, 2, 12, 2, 96, 9, 2, 1, 3, 3, 3, 99, 8, 3, 1, 3, 1, 3, 1, 3, 3, 3, 104, 8, 3, 1, 3, 0, 2, 2, 4, 4, 0, 2, 4, 6, 0, 0, 116, 0, 8, 1, 0, 0, 0, 2, 39, 1, 0, 0, 0, 4, 80, 1, 0, 0, 0, 6, 98, 1, 0, 0, 0, 8, 9, 3, 2, 1, 0, 9, 1, 1, 0, 0, 0, 10, 11, 6, 1, -1, 0, 11, 12, 3, 6, 3, 0, 12, 13, 5, 20, 0, 0, 13, 14, 5, 12, 0, 0, 14, 40, 1, 0, 0, 0, 15, 16, 3, 6, 3, 0, 16, 17, 5, 20, 0, 0, 17, 18, 5, 6, 0, 0, 18, 19, 5, 20, 0, 0, 19, 20, 5, 24, 0, 0, 20, 40, 1, 0, 0, 0, 21, 23, 5, 17, 0, 0, 22, 21, 1, 0, 0, 0, 22, 23, 1, 0, 0, 0, 23, 27, 1, 0, 0, 0, 24, 26, 5, 20, 0, 0, 25, 24, 1, 0, 0, 0, 26, 29, 1, 0, 0, 0, 27, 25, 1, 0, 0, 0, 27, 28, 1, 0, 0, 0, 28, 30, 1, 0, 0, 0, 29, 27, 1, 0, 0, 0, 30, 31, 5, 1, 0, 0, 31, 32, 3, 2, 1, 0, 32, 33, 5, 2, 0, 0, 33, 40, 1, 0, 0, 0, 34, 35, 3, 6, 3, 0, 35, 36, 5, 3, 0, 0, 36, 37, 3, 4, 2, 0, 37, 38, 5, 4, 0, 0, 38, 40, 1, 0, 0, 0, 39, 10, 1, 0, 0, 0, 39, 15, 1, 0, 0, 0, 39, 22, 1, 0, 0, 0, 39, 34, 1, 0, 0, 0, 40, 53, 1, 0, 0, 0, 41, 42, 10, 2, 0, 0, 42, 43, 5, 20, 0, 0, 43, 44, 5, 18, 0, 0, 44, 45, 5, 20, 0, 0, 45, 52, 3, 2, 1, 3, 46, 47, 10, 1, 0, 0, 47, 48, 5, 20, 0, 0, 48, 49, 5, 19, 0, 0, 49, 50, 5, 20, 0, 0, 50, 52, 3, 2, 1, 2, 51, 41, 1, 0, 0, 0, 51, 46, 1, 0, 0, 0, 52, 55, 1, 0, 0, 0, 53, 51, 1, 0, 0, 0, 53, 54, 1, 0, 0, 0, 54, 3, 1, 0, 0, 0, 55, 53, 1, 0, 0, 0, 56, 57, 6, 2, -1, 0, 57, 58, 3, 6, 3, 0, 58, 59, 5, 20, 0, 0, 59, 60, 5, 12, 0, 0, 60, 81, 1, 0, 0, 0, 61, 62, 3, 6, 3, 0, 62, 63, 5, 20, 0, 0, 63, 64, 5, 6, 0, 0, 64, 65, 5, 20, 0, 0, 65, 66, 5, 24, 0, 0, 66, 81, 1, 0, 0, 0, 67, 69, 5, 17, 0, 0, 68, 67, 1, 0, 0, 0, 68, 69, 1, 0, 0, 0, 69, 73, 1, 0, 0, 0, 70, 72, 5, 20, 0, 0, 71, 70, 1, 0, 0, 0, 72, 75, 1, 0, 0, 0, 73, 71, 1, 0, 0, 0, 73, 74, 1, 0, 0, 0, 74, 76, 1, 0, 0, 0, 75, 73, 1, 0, 0, 0, 76, 77, 5, 1, 0, 0, 77, 78, 3, 4, 2, 0, 78, 79, 5, 2, 0, 0, 79, 81, 1, 0, 0, 0, 80, 56, 1, 0, 0, 0, 80, 61, 1, 0, 0, 0, 80, 68, 1, 0, 0, 0, 81, 94, 1, 0, 0, 0, 82, 83, 10, 2, 0, 0, 83, 84, 5, 20, 0, 0, 84, 85, 5, 18, 0, 0, 85, 86, 5, 20, 0, 0, 86, 93, 3, 4, 2, 3, 87, 88, 10, 1, 0, 0, 88, 89, 5, 20, 0, 0, 89, 90, 5, 19, 0, 0, 90, 91, 5, 20, 0, 0, 91, 93, 3, 4, 2, 2, 92, 82, 1, 0, 0, 0, 92, 87, 1, 0, 0, 0, 93, 96, 1, 0, 0, 0, 94, 92, 1, 0, 0, 0, 94, 95, 1, 0, 0, 0, 95, 5, 1, 0, 0, 0, 96, 94, 1, 0, 0, 0, 97, 99, 5, 21, 0, 0, 98, 97, 1, 0, 0, 0, 98, 99, 1, 0, 0, 0, 99, 100, 1, 0, 0, 0, 100, 103, 5, 22, 0, 0, 101, 102, 5, 5, 0, 0, 102, 104, 5, 22, 0, 0, 103, 101, 1, 0, 0, 0, 103, 104, 1, 0, 0, 0, 104, 7, 1, 0, 0, 0, 12, 22, 27, 39, 51, 53, 68, 73, 80, 92, 94, 98, 103]
--- a/authentik/sources/scim/filters/ScimFilter.tokens
+++ b/authentik/sources/scim/filters/ScimFilter.tokens
@ -0,0 +1,32 @@
+T__0=1
+T__1=2
+T__2=3
+T__3=4
+T__4=5
+COMPAREOPERATOR=6
+EQ=7
+NE=8
+CO=9
+SW=10
+EW=11
+PR=12
+GT=13
+GE=14
+LT=15
+LE=16
+NOT=17
+AND=18
+OR=19
+SP=20
+SCHEMA=21
+ATTRNAME=22
+ESCAPED_QUOTE=23
+VALUE=24
+EXCLUDE=25
+'('=1
+')'=2
+'['=3
+']'=4
+'.'=5
+' '=20
+'\\"'=23
--- a/authentik/sources/scim/filters/ScimFilterLexer.interp
+++ b/authentik/sources/scim/filters/ScimFilterLexer.interp
--- a/authentik/sources/scim/filters/ScimFilterLexer.py
+++ b/authentik/sources/scim/filters/ScimFilterLexer.py
--- a/authentik/sources/scim/filters/ScimFilterLexer.tokens
+++ b/authentik/sources/scim/filters/ScimFilterLexer.tokens
@ -0,0 +1,32 @@
+T__0=1
+T__1=2
+T__2=3
+T__3=4
+T__4=5
+COMPAREOPERATOR=6
+EQ=7
+NE=8
+CO=9
+SW=10
+EW=11
+PR=12
+GT=13
+GE=14
+LT=15
+LE=16
+NOT=17
+AND=18
+OR=19
+SP=20
+SCHEMA=21
+ATTRNAME=22
+ESCAPED_QUOTE=23
+VALUE=24
+EXCLUDE=25
+'('=1
+')'=2
+'['=3
+']'=4
+'.'=5
+' '=20
+'\\"'=23
--- a/authentik/sources/scim/filters/ScimFilterListener.py
+++ b/authentik/sources/scim/filters/ScimFilterListener.py
@ -0,0 +1,118 @@
+# pylint: skip-file
+# Generated from ScimFilter.g4 by ANTLR 4.10.1
+from antlr4 import *
+
+if __name__ is not None and "." in __name__:
+    from .ScimFilterParser import ScimFilterParser
+else:
+    from ScimFilterParser import ScimFilterParser
+
+# This class defines a complete listener for a parse tree produced by ScimFilterParser.
+class ScimFilterListener(ParseTreeListener):
+
+    # Enter a parse tree produced by ScimFilterParser#parse.
+    def enterParse(self, ctx: ScimFilterParser.ParseContext):
+        pass
+
+    # Exit a parse tree produced by ScimFilterParser#parse.
+    def exitParse(self, ctx: ScimFilterParser.ParseContext):
+        pass
+
+    # Enter a parse tree produced by ScimFilterParser#andExp.
+    def enterAndExp(self, ctx: ScimFilterParser.AndExpContext):
+        pass
+
+    # Exit a parse tree produced by ScimFilterParser#andExp.
+    def exitAndExp(self, ctx: ScimFilterParser.AndExpContext):
+        pass
+
+    # Enter a parse tree produced by ScimFilterParser#valPathExp.
+    def enterValPathExp(self, ctx: ScimFilterParser.ValPathExpContext):
+        pass
+
+    # Exit a parse tree produced by ScimFilterParser#valPathExp.
+    def exitValPathExp(self, ctx: ScimFilterParser.ValPathExpContext):
+        pass
+
+    # Enter a parse tree produced by ScimFilterParser#presentExp.
+    def enterPresentExp(self, ctx: ScimFilterParser.PresentExpContext):
+        pass
+
+    # Exit a parse tree produced by ScimFilterParser#presentExp.
+    def exitPresentExp(self, ctx: ScimFilterParser.PresentExpContext):
+        pass
+
+    # Enter a parse tree produced by ScimFilterParser#operatorExp.
+    def enterOperatorExp(self, ctx: ScimFilterParser.OperatorExpContext):
+        pass
+
+    # Exit a parse tree produced by ScimFilterParser#operatorExp.
+    def exitOperatorExp(self, ctx: ScimFilterParser.OperatorExpContext):
+        pass
+
+    # Enter a parse tree produced by ScimFilterParser#braceExp.
+    def enterBraceExp(self, ctx: ScimFilterParser.BraceExpContext):
+        pass
+
+    # Exit a parse tree produced by ScimFilterParser#braceExp.
+    def exitBraceExp(self, ctx: ScimFilterParser.BraceExpContext):
+        pass
+
+    # Enter a parse tree produced by ScimFilterParser#orExp.
+    def enterOrExp(self, ctx: ScimFilterParser.OrExpContext):
+        pass
+
+    # Exit a parse tree produced by ScimFilterParser#orExp.
+    def exitOrExp(self, ctx: ScimFilterParser.OrExpContext):
+        pass
+
+    # Enter a parse tree produced by ScimFilterParser#valPathOperatorExp.
+    def enterValPathOperatorExp(self, ctx: ScimFilterParser.ValPathOperatorExpContext):
+        pass
+
+    # Exit a parse tree produced by ScimFilterParser#valPathOperatorExp.
+    def exitValPathOperatorExp(self, ctx: ScimFilterParser.ValPathOperatorExpContext):
+        pass
+
+    # Enter a parse tree produced by ScimFilterParser#valPathPresentExp.
+    def enterValPathPresentExp(self, ctx: ScimFilterParser.ValPathPresentExpContext):
+        pass
+
+    # Exit a parse tree produced by ScimFilterParser#valPathPresentExp.
+    def exitValPathPresentExp(self, ctx: ScimFilterParser.ValPathPresentExpContext):
+        pass
+
+    # Enter a parse tree produced by ScimFilterParser#valPathAndExp.
+    def enterValPathAndExp(self, ctx: ScimFilterParser.ValPathAndExpContext):
+        pass
+
+    # Exit a parse tree produced by ScimFilterParser#valPathAndExp.
+    def exitValPathAndExp(self, ctx: ScimFilterParser.ValPathAndExpContext):
+        pass
+
+    # Enter a parse tree produced by ScimFilterParser#valPathOrExp.
+    def enterValPathOrExp(self, ctx: ScimFilterParser.ValPathOrExpContext):
+        pass
+
+    # Exit a parse tree produced by ScimFilterParser#valPathOrExp.
+    def exitValPathOrExp(self, ctx: ScimFilterParser.ValPathOrExpContext):
+        pass
+
+    # Enter a parse tree produced by ScimFilterParser#valPathBraceExp.
+    def enterValPathBraceExp(self, ctx: ScimFilterParser.ValPathBraceExpContext):
+        pass
+
+    # Exit a parse tree produced by ScimFilterParser#valPathBraceExp.
+    def exitValPathBraceExp(self, ctx: ScimFilterParser.ValPathBraceExpContext):
+        pass
+
+    # Enter a parse tree produced by ScimFilterParser#attrPath.
+    def enterAttrPath(self, ctx: ScimFilterParser.AttrPathContext):
+        pass
+
+    # Exit a parse tree produced by ScimFilterParser#attrPath.
+    def exitAttrPath(self, ctx: ScimFilterParser.AttrPathContext):
+        pass
+
+
+del ScimFilterParser
--- a/authentik/sources/scim/filters/ScimFilterParser.py
+++ b/authentik/sources/scim/filters/ScimFilterParser.py
--- a/authentik/sources/scim/filters/init.py
+++ b/authentik/sources/scim/filters/init.py
--- a/authentik/sources/scim/filters/django.py
+++ b/authentik/sources/scim/filters/django.py
@ -0,0 +1,101 @@
+"""Django listener"""
+from django.db.models import Q
+from django.utils.tree import Node
+
+from authentik.sources.scim.filters.ScimFilterListener import ScimFilterListener
+from authentik.sources.scim.filters.ScimFilterParser import ScimFilterParser
+
+
+class DjangoQueryListener(ScimFilterListener):
+    """SCIM filter listener that converts it to a query"""
+
+    _query: Node
+    _last_node: Node
+
+    def __init__(self) -> None:
+        super().__init__()
+        self._query = Q()
+        self._last_node = Q()
+
+    @property
+    def query(self) -> Node:
+        return self._query
+
+    def enterParse(self, ctx: ScimFilterParser.ParseContext):
+        print("enterParse", ctx)
+
+    def exitParse(self, ctx: ScimFilterParser.ParseContext):
+        print("exitParse", ctx)
+
+    def enterAndExp(self, ctx: ScimFilterParser.AndExpContext):
+        print("enterAndExp", ctx)
+
+    def exitAndExp(self, ctx: ScimFilterParser.AndExpContext):
+        print("exitAndExp", ctx)
+
+    def enterValPathExp(self, ctx: ScimFilterParser.ValPathExpContext):
+        print("enterValPathExp", ctx.getText())
+
+    def exitValPathExp(self, ctx: ScimFilterParser.ValPathExpContext):
+        print("exitValPathExp", ctx)
+
+    def enterPresentExp(self, ctx: ScimFilterParser.PresentExpContext):
+        print("enterPresentExp", ctx)
+
+    def exitPresentExp(self, ctx: ScimFilterParser.PresentExpContext):
+        print("exitPresentExp", ctx)
+
+    def enterOperatorExp(self, ctx: ScimFilterParser.OperatorExpContext):
+        print("enterOperatorExp", ctx)
+
+    def exitOperatorExp(self, ctx: ScimFilterParser.OperatorExpContext):
+        print("exitOperatorExp", ctx)
+
+    def enterBraceExp(self, ctx: ScimFilterParser.BraceExpContext):
+        print("enterBraceExp", ctx)
+
+    def exitBraceExp(self, ctx: ScimFilterParser.BraceExpContext):
+        print("exitBraceExp", ctx)
+
+    def enterOrExp(self, ctx: ScimFilterParser.OrExpContext):
+        print("enterOrExp", ctx)
+
+    def exitOrExp(self, ctx: ScimFilterParser.OrExpContext):
+        print("exitOrExp", ctx)
+
+    def enterValPathOperatorExp(self, ctx: ScimFilterParser.ValPathOperatorExpContext):
+        print("enterValPathOperatorExp", ctx)
+
+    def exitValPathOperatorExp(self, ctx: ScimFilterParser.ValPathOperatorExpContext):
+        print("exitValPathOperatorExp", ctx)
+
+    def enterValPathPresentExp(self, ctx: ScimFilterParser.ValPathPresentExpContext):
+        print("enterValPathPresentExp", ctx)
+
+    def exitValPathPresentExp(self, ctx: ScimFilterParser.ValPathPresentExpContext):
+        print("exitValPathPresentExp", ctx)
+
+    def enterValPathAndExp(self, ctx: ScimFilterParser.ValPathAndExpContext):
+        print("enterValPathAndExp", ctx.getText())
+
+    def exitValPathAndExp(self, ctx: ScimFilterParser.ValPathAndExpContext):
+        print("exitValPathAndExp", ctx)
+
+    def enterValPathOrExp(self, ctx: ScimFilterParser.ValPathOrExpContext):
+        print("enterValPathOrExp", ctx)
+
+    def exitValPathOrExp(self, ctx: ScimFilterParser.ValPathOrExpContext):
+        print("exitValPathOrExp", ctx)
+
+    def enterValPathBraceExp(self, ctx: ScimFilterParser.ValPathBraceExpContext):
+        print("enterValPathBraceExp", ctx)
+
+    def exitValPathBraceExp(self, ctx: ScimFilterParser.ValPathBraceExpContext):
+        print("exitValPathBraceExp", ctx)
+
+    def enterAttrPath(self, ctx: ScimFilterParser.AttrPathContext):
+        self._last_node = Q(ctx.getText())
+
+    def exitAttrPath(self, ctx: ScimFilterParser.AttrPathContext):
+        self._query = self._last_node
+        self._last_node = Q()
--- a/authentik/sources/scim/migrations/0001_initial.py
+++ b/authentik/sources/scim/migrations/0001_initial.py
@ -0,0 +1,46 @@
+# Generated by Django 4.0.5 on 2022-06-06 21:37
+
+import django.db.models.deletion
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    initial = True
+
+    dependencies = [
+        ("authentik_core", "0020_application_open_in_new_tab"),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name="SCIMSource",
+            fields=[
+                (
+                    "source_ptr",
+                    models.OneToOneField(
+                        auto_created=True,
+                        on_delete=django.db.models.deletion.CASCADE,
+                        parent_link=True,
+                        primary_key=True,
+                        serialize=False,
+                        to="authentik_core.source",
+                    ),
+                ),
+                (
+                    "token",
+                    models.ForeignKey(
+                        default=None,
+                        null=True,
+                        on_delete=django.db.models.deletion.CASCADE,
+                        to="authentik_core.token",
+                    ),
+                ),
+            ],
+            options={
+                "verbose_name": "SCIM Source",
+                "verbose_name_plural": "SCIM Sources",
+            },
+            bases=("authentik_core.source",),
+        ),
+    ]
--- a/authentik/sources/scim/migrations/init.py
+++ b/authentik/sources/scim/migrations/init.py
--- a/authentik/sources/scim/models.py
+++ b/authentik/sources/scim/models.py
@ -0,0 +1,36 @@
+"""SCIM Source"""
+from django.db import models
+from django.utils.translation import gettext_lazy as _
+from rest_framework.serializers import BaseSerializer
+
+from authentik.core.models import Source, Token
+
+USER_ATTRIBUTE_SCIM_ID = "goauthentik.io/sources/scim/id"
+USER_ATTRIBUTE_SCIM_ADDRESS = "goauthentik.io/sources/scim/address"
+USER_ATTRIBUTE_SCIM_ENTERPRISE = "goauthentik.io/sources/scim/enterprise"
+
+
+class SCIMSource(Source):
+    """System for Cross-domain Identity Management Source, allows for
+    cross-system user provisioning"""
+
+    token = models.ForeignKey(Token, on_delete=models.CASCADE, null=True, default=None)
+
+    @property
+    def component(self) -> str:
+        """Return component used to edit this object"""
+        return "ak-source-scim-form"
+
+    @property
+    def serializer(self) -> BaseSerializer:
+        from authentik.sources.scim.api import SCIMSourceSerializer
+
+        return SCIMSourceSerializer
+
+    def __str__(self) -> str:
+        return f"SCIM Source {self.name}"
+
+    class Meta:
+
+        verbose_name = _("SCIM Source")
+        verbose_name_plural = _("SCIM Sources")
--- a/authentik/sources/scim/schemas/schema.json
+++ b/authentik/sources/scim/schemas/schema.json
--- a/authentik/sources/scim/tests/init.py
+++ b/authentik/sources/scim/tests/init.py
--- a/authentik/sources/scim/tests/test_auth.py
+++ b/authentik/sources/scim/tests/test_auth.py
@ -0,0 +1,86 @@
+"""Test SCIM Auth"""
+from django.urls import reverse
+from rest_framework.test import APITestCase
+
+from authentik.core.models import Token, TokenIntents
+from authentik.core.tests.utils import create_test_admin_user
+from authentik.lib.generators import generate_id
+from authentik.sources.scim.models import SCIMSource
+
+
+class TestSCIMAuth(APITestCase):
+    """Test SCIM Auth view"""
+
+    def setUp(self) -> None:
+        self.user = create_test_admin_user()
+        self.token = Token.objects.create(
+            user=self.user,
+            identifier=generate_id(),
+            intent=TokenIntents.INTENT_API,
+        )
+        self.token2 = Token.objects.create(
+            user=self.user,
+            identifier=generate_id(),
+            intent=TokenIntents.INTENT_API,
+        )
+        self.token3 = Token.objects.create(
+            user=self.user,
+            identifier=generate_id(),
+            intent=TokenIntents.INTENT_API,
+        )
+        self.source = SCIMSource.objects.create(
+            name=generate_id(), slug=generate_id(), token=self.token
+        )
+        self.source2 = SCIMSource.objects.create(
+            name=generate_id(), slug=generate_id(), token=self.token2
+        )
+
+    def test_auth_ok(self):
+        """Test successful auth"""
+        response = self.client.get(
+            reverse(
+                "authentik_sources_scim:v2-schema",
+                kwargs={
+                    "source_slug": self.source.slug,
+                },
+            ),
+            HTTP_AUTHORIZATION=f"Bearer {self.token.key}",
+        )
+        self.assertEqual(response.status_code, 200)
+
+    def test_auth_missing(self):
+        """Test without header"""
+        response = self.client.get(
+            reverse(
+                "authentik_sources_scim:v2-schema",
+                kwargs={
+                    "source_slug": self.source.slug,
+                },
+            ),
+        )
+        self.assertEqual(response.status_code, 403)
+
+    def test_auth_wrong_token(self):
+        """Test with wrong token"""
+        # Token for wrong source
+        response = self.client.get(
+            reverse(
+                "authentik_sources_scim:v2-schema",
+                kwargs={
+                    "source_slug": self.source.slug,
+                },
+            ),
+            HTTP_AUTHORIZATION=f"Bearer {self.token2.key}",
+        )
+        self.assertEqual(response.status_code, 403)
+        # Token for no source
+        response = self.client.get(
+            reverse(
+                "authentik_sources_scim:v2-schema",
+                kwargs={
+                    "source_slug": self.source.slug,
+                },
+            ),
+            HTTP_AUTHORIZATION=f"Bearer {self.token3.key}",
+        )
+        self.assertEqual(response.status_code, 403)
--- a/authentik/sources/scim/tests/test_resource_types.py
+++ b/authentik/sources/scim/tests/test_resource_types.py
@ -0,0 +1,64 @@
+"""Test SCIM ResourceTypes"""
+from django.urls import reverse
+from rest_framework.test import APITestCase
+
+from authentik.core.models import Token, TokenIntents
+from authentik.core.tests.utils import create_test_admin_user
+from authentik.lib.generators import generate_id
+from authentik.sources.scim.models import SCIMSource
+
+
+class TestSCIMResourceTypes(APITestCase):
+    """Test SCIM ResourceTypes view"""
+
+    def setUp(self) -> None:
+        self.user = create_test_admin_user()
+        self.token = Token.objects.create(
+            user=self.user,
+            identifier=generate_id(),
+            intent=TokenIntents.INTENT_API,
+        )
+        self.source = SCIMSource.objects.create(
+            name=generate_id(), slug=generate_id(), token=self.token
+        )
+
+    def test_resource_type(self):
+        """Test full resource type view"""
+        response = self.client.get(
+            reverse(
+                "authentik_sources_scim:v2-resource-types",
+                kwargs={
+                    "source_slug": self.source.slug,
+                },
+            ),
+            HTTP_AUTHORIZATION=f"Bearer {self.token.key}",
+        )
+        self.assertEqual(response.status_code, 200)
+
+    def test_resource_type_single(self):
+        """Test single resource type"""
+        response = self.client.get(
+            reverse(
+                "authentik_sources_scim:v2-resource-types",
+                kwargs={
+                    "source_slug": self.source.slug,
+                    "resource_type": "ServiceProviderConfig",
+                },
+            ),
+            HTTP_AUTHORIZATION=f"Bearer {self.token.key}",
+        )
+        self.assertEqual(response.status_code, 200)
+
+    def test_resource_type_single_404(self):
+        """Test single resource type (404"""
+        response = self.client.get(
+            reverse(
+                "authentik_sources_scim:v2-resource-types",
+                kwargs={
+                    "source_slug": self.source.slug,
+                    "resource_type": "foo",
+                },
+            ),
+            HTTP_AUTHORIZATION=f"Bearer {self.token.key}",
+        )
+        self.assertEqual(response.status_code, 404)
--- a/authentik/sources/scim/tests/test_schemas.py
+++ b/authentik/sources/scim/tests/test_schemas.py
@ -0,0 +1,64 @@
+"""Test SCIM Schema"""
+from django.urls import reverse
+from rest_framework.test import APITestCase
+
+from authentik.core.models import Token, TokenIntents
+from authentik.core.tests.utils import create_test_admin_user
+from authentik.lib.generators import generate_id
+from authentik.sources.scim.models import SCIMSource
+
+
+class TestSCIMSchemas(APITestCase):
+    """Test SCIM Schema view"""
+
+    def setUp(self) -> None:
+        self.user = create_test_admin_user()
+        self.token = Token.objects.create(
+            user=self.user,
+            identifier=generate_id(),
+            intent=TokenIntents.INTENT_API,
+        )
+        self.source = SCIMSource.objects.create(
+            name=generate_id(), slug=generate_id(), token=self.token
+        )
+
+    def test_schema(self):
+        """Test full schema view"""
+        response = self.client.get(
+            reverse(
+                "authentik_sources_scim:v2-schema",
+                kwargs={
+                    "source_slug": self.source.slug,
+                },
+            ),
+            HTTP_AUTHORIZATION=f"Bearer {self.token.key}",
+        )
+        self.assertEqual(response.status_code, 200)
+
+    def test_schema_single(self):
+        """Test single schema"""
+        response = self.client.get(
+            reverse(
+                "authentik_sources_scim:v2-schema",
+                kwargs={
+                    "source_slug": self.source.slug,
+                    "schema_uri": "urn:ietf:params:scim:schemas:core:2.0:Meta",
+                },
+            ),
+            HTTP_AUTHORIZATION=f"Bearer {self.token.key}",
+        )
+        self.assertEqual(response.status_code, 200)
+
+    def test_schema_single_404(self):
+        """Test single schema (404"""
+        response = self.client.get(
+            reverse(
+                "authentik_sources_scim:v2-schema",
+                kwargs={
+                    "source_slug": self.source.slug,
+                    "schema_uri": "foo",
+                },
+            ),
+            HTTP_AUTHORIZATION=f"Bearer {self.token.key}",
+        )
+        self.assertEqual(response.status_code, 404)
--- a/authentik/sources/scim/tests/test_service_provider_config.py
+++ b/authentik/sources/scim/tests/test_service_provider_config.py
@ -0,0 +1,36 @@
+"""Test SCIM ServiceProviderConfig"""
+from django.urls import reverse
+from rest_framework.test import APITestCase
+
+from authentik.core.models import Token, TokenIntents
+from authentik.core.tests.utils import create_test_admin_user
+from authentik.lib.generators import generate_id
+from authentik.sources.scim.models import SCIMSource
+
+
+class TestSCIMServiceProviderConfig(APITestCase):
+    """Test SCIM ServiceProviderConfig view"""
+
+    def setUp(self) -> None:
+        self.user = create_test_admin_user()
+        self.token = Token.objects.create(
+            user=self.user,
+            identifier=generate_id(),
+            intent=TokenIntents.INTENT_API,
+        )
+        self.source = SCIMSource.objects.create(
+            name=generate_id(), slug=generate_id(), token=self.token
+        )
+
+    def test_config(self):
+        """Test full config view"""
+        response = self.client.get(
+            reverse(
+                "authentik_sources_scim:v2-service-provider-config",
+                kwargs={
+                    "source_slug": self.source.slug,
+                },
+            ),
+            HTTP_AUTHORIZATION=f"Bearer {self.token.key}",
+        )
+        self.assertEqual(response.status_code, 200)
--- a/authentik/sources/scim/tests/test_users.py
+++ b/authentik/sources/scim/tests/test_users.py
@ -0,0 +1,83 @@
+"""Test SCIM User"""
+from json import dumps
+
+from django.urls import reverse
+from rest_framework.test import APITestCase
+
+from authentik.core.models import Token, TokenIntents, User
+from authentik.core.tests.utils import create_test_admin_user
+from authentik.lib.generators import generate_id
+from authentik.sources.scim.models import USER_ATTRIBUTE_SCIM_ID, SCIMSource
+from authentik.sources.scim.views.v2.base import SCIM_CONTENT_TYPE
+
+
+class TestSCIMUsers(APITestCase):
+    """Test SCIM User view"""
+
+    def setUp(self) -> None:
+        self.user = create_test_admin_user()
+        self.token = Token.objects.create(
+            user=self.user,
+            identifier=generate_id(),
+            intent=TokenIntents.INTENT_API,
+        )
+        self.source = SCIMSource.objects.create(
+            name=generate_id(), slug=generate_id(), token=self.token
+        )
+
+    def test_user_list(self):
+        """Test full user list"""
+        response = self.client.get(
+            reverse(
+                "authentik_sources_scim:v2-users",
+                kwargs={
+                    "source_slug": self.source.slug,
+                },
+            ),
+            HTTP_AUTHORIZATION=f"Bearer {self.token.key}",
+        )
+        self.assertEqual(response.status_code, 200)
+
+    def test_user_list_single(self):
+        """Test full user list (single user)"""
+        response = self.client.get(
+            reverse(
+                "authentik_sources_scim:v2-users",
+                kwargs={
+                    "source_slug": self.source.slug,
+                    "user_id": str(self.user.pk),
+                },
+            ),
+            HTTP_AUTHORIZATION=f"Bearer {self.token.key}",
+        )
+        self.assertEqual(response.status_code, 200)
+
+    def test_user_create(self):
+        """Test user create"""
+        ext_id = generate_id()
+        response = self.client.post(
+            reverse(
+                "authentik_sources_scim:v2-users",
+                kwargs={
+                    "source_slug": self.source.slug,
+                },
+            ),
+            data=dumps(
+                {
+                    "userName": generate_id(),
+                    "externalId": ext_id,
+                    "emails": [
+                        {
+                            "primary": True,
+                            "value": self.user.email,
+                        }
+                    ],
+                }
+            ),
+            content_type=SCIM_CONTENT_TYPE,
+            HTTP_AUTHORIZATION=f"Bearer {self.token.key}",
+        )
+        self.assertEqual(response.status_code, 201)
+        self.assertTrue(
+            User.objects.filter(**{f"attributes__{USER_ATTRIBUTE_SCIM_ID}": ext_id}).exists()
+        )
--- a/authentik/sources/scim/urls.py
+++ b/authentik/sources/scim/urls.py
@ -0,0 +1,64 @@
+"""SCIM URLs"""
+from django.urls import path
+
+from authentik.sources.scim.views.v2 import (
+    base,
+    groups,
+    resource_types,
+    schemas,
+    service_provider_config,
+    users,
+)
+
+urlpatterns = [
+    path(
+        "<slug:source_slug>/v2",
+        base.SCIMRootView.as_view(),
+        name="v2-root",
+    ),
+    path(
+        "<slug:source_slug>/v2/Users",
+        users.UsersView.as_view(),
+        name="v2-users",
+    ),
+    path(
+        "<slug:source_slug>/v2/Users/<str:user_id>",
+        users.UsersView.as_view(),
+        name="v2-users",
+    ),
+    path(
+        "<slug:source_slug>/v2/Groups",
+        groups.GroupsView.as_view(),
+        name="v2-groups",
+    ),
+    path(
+        "<slug:source_slug>/v2/Groups/<str:group_id>",
+        groups.GroupsView.as_view(),
+        name="v2-groups",
+    ),
+    path(
+        "<slug:source_slug>/v2/Schemas",
+        schemas.SchemaView.as_view(),
+        name="v2-schema",
+    ),
+    path(
+        "<slug:source_slug>/v2/Schemas/<str:schema_uri>",
+        schemas.SchemaView.as_view(),
+        name="v2-schema",
+    ),
+    path(
+        "<slug:source_slug>/v2/ServiceProviderConfig",
+        service_provider_config.ServiceProviderConfigView.as_view(),
+        name="v2-service-provider-config",
+    ),
+    path(
+        "<slug:source_slug>/v2/ResourceTypes",
+        resource_types.ResourceTypesView.as_view(),
+        name="v2-resource-types",
+    ),
+    path(
+        "<slug:source_slug>/v2/ResourceTypes/<str:resource_type>",
+        resource_types.ResourceTypesView.as_view(),
+        name="v2-resource-types",
+    ),
+]
--- a/authentik/sources/scim/views/init.py
+++ b/authentik/sources/scim/views/init.py
--- a/authentik/sources/scim/views/v2/init.py
+++ b/authentik/sources/scim/views/v2/init.py
--- a/authentik/sources/scim/views/v2/auth.py
+++ b/authentik/sources/scim/views/v2/auth.py
@ -0,0 +1,46 @@
+"""SCIM Token auth"""
+from base64 import b64decode
+from typing import Any, Optional, Union
+
+from django.conf import settings
+from rest_framework.authentication import BaseAuthentication, get_authorization_header
+from rest_framework.request import Request
+
+from authentik.core.models import Token, TokenIntents, User
+
+
+class SCIMTokenAuth(BaseAuthentication):
+    """SCIM Token auth"""
+
+    def legacy(self, key: str, source_slug: str) -> Optional[Token]:  # pragma: no cover
+        """Legacy HTTP-Basic auth for testing"""
+        if not settings.TEST and not settings.DEBUG:
+            return None
+        _username, _, password = b64decode(key.encode()).decode().partition(":")
+        token = self.check_token(password, source_slug)
+        if token:
+            return (token.user, token)
+        return None
+
+    def check_token(self, key: str, source_slug: str) -> Optional[Token]:
+        """Check that a token exists, is not expired, and is assigned to the correct source"""
+        token = Token.filter_not_expired(key=key, intent=TokenIntents.INTENT_API).first()
+        if not token:
+            return None
+        if not token.scimsource_set.exists():
+            return None
+        if token.scimsource_set.first().slug != source_slug:
+            return None
+        return token
+
+    def authenticate(self, request: Request) -> Union[tuple[User, Any], None]:
+        kwargs = request._request.resolver_match.kwargs
+        source_slug = kwargs.get("source_slug", None)
+        auth = get_authorization_header(request).decode()
+        auth_type, _, key = auth.partition(" ")
+        if auth_type != "Bearer":
+            return self.legacy(key, source_slug)
+        token = self.check_token(key, source_slug)
+        if not token:
+            return None
+        return (token.user, token)
--- a/authentik/sources/scim/views/v2/base.py
+++ b/authentik/sources/scim/views/v2/base.py
@ -0,0 +1,81 @@
+"""SCIM Utils"""
+from typing import Optional
+from urllib.parse import urlparse
+
+from antlr4 import CommonTokenStream, InputStream, ParseTreeWalker
+from django.urls import resolve
+from rest_framework.parsers import JSONParser
+from rest_framework.permissions import IsAuthenticated
+from rest_framework.renderers import JSONRenderer
+from rest_framework.request import Request
+from rest_framework.response import Response
+from rest_framework.views import APIView
+
+from authentik.core.models import Group, User
+from authentik.sources.scim.filters.django import DjangoQueryListener
+from authentik.sources.scim.filters.ScimFilterLexer import ScimFilterLexer
+from authentik.sources.scim.filters.ScimFilterParser import ScimFilterParser
+from authentik.sources.scim.views.v2.auth import SCIMTokenAuth
+
+SCIM_CONTENT_TYPE = "application/scim+json"
+
+
+class SCIMParser(JSONParser):
+    """SCIM clients use a custom content type"""
+
+    media_type = SCIM_CONTENT_TYPE
+
+
+class SCIMRenderer(JSONRenderer):
+    """SCIM clients also expect a custom content type"""
+
+    media_type = SCIM_CONTENT_TYPE
+
+
+class SCIMView(APIView):
+    """Base class for SCIM Views"""
+
+    authentication_classes = [SCIMTokenAuth]
+    permission_classes = [IsAuthenticated]
+    parser_classes = [SCIMParser]
+    renderer_classes = [SCIMRenderer]
+
+    def patch_resolve_value(self, raw_value: dict) -> Optional[User | Group]:
+        """Attempt to resolve a raw `value` attribute of a patch operation into
+        a database model"""
+        model = User
+        query = {}
+        if "$ref" in raw_value:
+            url = urlparse(raw_value["$ref"])
+            if match := resolve(url.path):
+                if match.url_name == "v2-users":
+                    model = User
+                    query = {"pk": int(match.kwargs["user_id"])}
+        elif "type" in raw_value:
+            match raw_value["tyoe"]:
+                case "User":
+                    model = User
+                    query = {"pk": int(raw_value["value"])}
+                case "Group":
+                    model = Group
+        else:
+            return None
+        return model.objects.filter(**query).first()
+
+    def patch_parse_path(self, path: str):
+        """Parse the path of a Patch Operation"""
+        lexer = ScimFilterLexer(InputStream(path))
+        stream = CommonTokenStream(lexer)
+        parser = ScimFilterParser(stream)
+        tree = parser.filter_()
+        listener = DjangoQueryListener()
+        walker = ParseTreeWalker()
+        walker.walk(listener, tree)
+        return listener.query
+
+
+class SCIMRootView(SCIMView):
+    """Root SCIM View"""
+
+    def dispatch(self, request: Request, *args, **kwargs) -> Response:
+        return Response({"message": "Use this base-URL with an SCIM-compatible system."})
--- a/authentik/sources/scim/views/v2/groups.py
+++ b/authentik/sources/scim/views/v2/groups.py
@ -0,0 +1,126 @@
+"""SCIM Group Views"""
+from typing import Optional
+
+from django.core.paginator import Paginator
+from django.db.transaction import atomic
+from django.http import Http404, QueryDict
+from django.urls import reverse
+from rest_framework.request import Request
+from rest_framework.response import Response
+from structlog.stdlib import get_logger
+
+from authentik.core.models import Group
+from authentik.sources.scim.errors import PatchError
+from authentik.sources.scim.views.v2.base import SCIM_CONTENT_TYPE, SCIMView
+
+LOGGER = get_logger()
+
+
+class GroupsView(SCIMView):
+    """SCIM Group View"""
+
+    def group_to_scim(self, group: Group) -> dict:
+        """Convert group to SCIM"""
+        return {
+            "id": str(group.pk),
+            "meta": {
+                "resourceType": "Group",
+                "location": self.request.build_absolute_uri(
+                    reverse(
+                        "authentik_sources_scim:v2-groups",
+                        kwargs={
+                            "source_slug": self.kwargs["source_slug"],
+                            "group_id": str(group.pk),
+                        },
+                    )
+                ),
+            },
+            "displayName": group.name,
+            "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
+        }
+
+    def get(self, request: Request, group_id: Optional[str] = None, **kwargs) -> Response:
+        """List Group handler"""
+        if group_id:
+            group = Group.objects.filter(pk=group_id).first()
+            if not group:
+                raise Http404
+            return Response(self.group_to_scim(group))
+        groups = Group.objects.all().order_by("pk")
+        per_page = 50
+        paginator = Paginator(groups, per_page=per_page)
+        start_index = int(request.query_params.get("startIndex", 1))
+        page = paginator.page(int(max(start_index / per_page, 1)))
+        return Response(
+            {
+                "totalResults": paginator.count,
+                "itemsPerPage": per_page,
+                "startIndex": page.start_index(),
+                "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
+                "Resources": [self.group_to_scim(group) for group in page],
+            }
+        )
+
+    def update_group(self, group: Group, data: QueryDict) -> Group:
+        """Partial update a group"""
+        if "displayName" in data:
+            group.name = data.get("displayName")
+        return group
+
+    def post(self, request: Request, **kwargs) -> Response:
+        """Create group handler"""
+        group = Group.objects.filter(name=request.data.get("displayName")).first()
+        if group:
+            LOGGER.debug("Found existing group")
+            return Response(status=409)
+        group = self.update_group(Group(), request.data)
+        group.save()
+        return Response(self.group_to_scim(group), status=201)
+
+    def patch(self, request: Request, group_id: str, **kwargs) -> Response:
+        """Update group handler"""
+        group: Optional[Group] = Group.objects.filter(pk=group_id).first()
+        if not group:
+            raise Http404
+        if request.data.get("schemas", []) != ["urn:ietf:params:scim:api:messages:2.0:PatchOp"]:
+            return Response(status=400)
+        try:
+            with atomic():
+                for op in request.data.get("Operations", []):
+                    path = self.patch_parse_path(op["path"])
+                    operation = op["op"]
+                    raw_value = op.get("value", None)
+                    values = []
+                    for value in raw_value:
+                        values.append(self.patch_resolve_value(value))
+                    match operation:
+                        case "add":
+                            group.users.add(*[x.pk for x in values])
+                        case "remove":
+                            pass
+                return Response(self.group_to_scim(group), status=200)
+        except (KeyError, PatchError):
+            return Response(status=400)
+
+    def put(self, request: Request, group_id: str, **kwargs) -> Response:
+        """Update group handler"""
+        group: Optional[Group] = Group.objects.filter(pk=group_id).first()
+        if not group:
+            raise Http404
+        self.update_group(group, request.data)
+        group.save()
+        return Response(self.group_to_scim(group), status=200)
+
+    def delete(self, request: Request, group_id: str, **kwargs) -> Response:
+        """Delete group handler"""
+        group: Optional[Group] = Group.objects.filter(pk=group_id).first()
+        if not group:
+            raise Http404
+        group.delete()
+        return Response(
+            {},
+            status=204,
+            headers={
+                "Content-Type": SCIM_CONTENT_TYPE,
+            },
+        )
--- a/authentik/sources/scim/views/v2/resource_types.py
+++ b/authentik/sources/scim/views/v2/resource_types.py
@ -0,0 +1,153 @@
+"""SCIM Meta views"""
+from typing import Optional
+
+from django.http import Http404
+from django.urls import reverse
+from rest_framework.request import Request
+from rest_framework.response import Response
+
+from authentik.sources.scim.views.v2.base import SCIMView
+
+
+class ResourceTypesView(SCIMView):
+    """https://ldapwiki.com/wiki/SCIM%20ResourceTypes%20endpoint"""
+
+    def get_resource_types(self):
+        """List all resource types"""
+        return [
+            {
+                "id": "ServiceProviderConfig",
+                "name": "ServiceProviderConfig",
+                "description": "the service providers configuration",
+                "endpoint": "/ServiceProviderConfig",
+                "schema": "urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig",
+                "schemas": [
+                    "urn:ietf:params:scim:schemas:core:2.0:ResourceType",
+                ],
+                "meta": {
+                    "resourceType": "ResourceType",
+                    "location": self.request.build_absolute_uri(
+                        reverse(
+                            "authentik_sources_scim:v2-resource-types",
+                            kwargs={
+                                "source_slug": self.kwargs["source_slug"],
+                                "resource_type": "ServiceProviderConfig",
+                            },
+                        )
+                    ),
+                },
+            },
+            {
+                "id": "ResourceType",
+                "name": "ResourceType",
+                "description": "ResourceType",
+                "endpoint": "/ResourceTypes",
+                "schema": "urn:ietf:params:scim:schemas:core:2.0:ResourceType",
+                "schemas": [
+                    "urn:ietf:params:scim:schemas:core:2.0:ResourceType",
+                ],
+                "meta": {
+                    "resourceType": "ResourceType",
+                    "location": self.request.build_absolute_uri(
+                        reverse(
+                            "authentik_sources_scim:v2-resource-types",
+                            kwargs={
+                                "source_slug": self.kwargs["source_slug"],
+                                "resource_type": "ResourceType",
+                            },
+                        )
+                    ),
+                },
+            },
+            {
+                "id": "Schema",
+                "name": "Schema",
+                "description": "Schema endpoint description",
+                "endpoint": "/Schemas",
+                "schema": "urn:ietf:params:scim:schemas:core:2.0:Schema",
+                "schemas": [
+                    "urn:ietf:params:scim:schemas:core:2.0:ResourceType",
+                ],
+                "meta": {
+                    "resourceType": "ResourceType",
+                    "location": self.request.build_absolute_uri(
+                        reverse(
+                            "authentik_sources_scim:v2-resource-types",
+                            kwargs={
+                                "source_slug": self.kwargs["source_slug"],
+                                "resource_type": "Schema",
+                            },
+                        )
+                    ),
+                },
+            },
+            {
+                "id": "User",
+                "name": "User",
+                "endpoint": "/Users",
+                "description": "https://tools.ietf.org/html/rfc7643#section-8.7.1",
+                "schemas": ["urn:ietf:params:scim:schemas:core:2.0:ResourceType"],
+                "schema": "urn:ietf:params:scim:schemas:core:2.0:User",
+                "schemaExtensions": [
+                    {
+                        "schema": "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User",
+                        "required": True,
+                    }
+                ],
+                "meta": {
+                    "location": self.request.build_absolute_uri(
+                        reverse(
+                            "authentik_sources_scim:v2-resource-types",
+                            kwargs={
+                                "source_slug": self.kwargs["source_slug"],
+                                "resource_type": "User",
+                            },
+                        )
+                    ),
+                    "resourceType": "ResourceType",
+                },
+            },
+            {
+                "id": "Group",
+                "name": "Group",
+                "description": "Group",
+                "endpoint": "/Groups",
+                "schema": "urn:ietf:params:scim:schemas:core:2.0:Group",
+                "schemas": [
+                    "urn:ietf:params:scim:schemas:core:2.0:ResourceType",
+                ],
+                "meta": {
+                    "resourceType": "ResourceType",
+                    "location": self.request.build_absolute_uri(
+                        reverse(
+                            "authentik_sources_scim:v2-resource-types",
+                            kwargs={
+                                "source_slug": self.kwargs["source_slug"],
+                                "resource_type": "Group",
+                            },
+                        )
+                    ),
+                },
+            },
+        ]
+
+    # pylint: disable=unused-argument
+    def get(
+        self, request: Request, source_slug: str, resource_type: Optional[str] = None
+    ) -> Response:
+        """Get resource types as SCIM response"""
+        resource_types = self.get_resource_types()
+        if resource_type:
+            resource = [x for x in resource_types if x.get("id") == resource_type]
+            if resource:
+                return Response(resource[0])
+            raise Http404
+        return Response(
+            {
+                "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
+                "totalResults": len(resource_types),
+                "itemsPerPage": len(resource_types),
+                "startIndex": 1,
+                "Resources": resource_types,
+            }
+        )
--- a/authentik/sources/scim/views/v2/schemas.py
+++ b/authentik/sources/scim/views/v2/schemas.py
@ -0,0 +1,52 @@
+"""Schema Views"""
+from json import loads
+from typing import Optional
+
+from django.http import Http404
+from django.urls import reverse
+from rest_framework.request import Request
+from rest_framework.response import Response
+
+from authentik.sources.scim.views.v2.base import SCIMView
+
+with open("authentik/sources/scim/schemas/schema.json", "r", encoding="utf-8") as SCHEMA_FILE:
+    _raw_schemas = loads(SCHEMA_FILE.read())
+
+
+class SchemaView(SCIMView):
+    """https://ldapwiki.com/wiki/SCIM%20Schemas%20Attribute"""
+
+    def get_schemas(self):
+        """List of all schemas"""
+        schemas = []
+        for raw_schema in _raw_schemas:
+            raw_schema["meta"]["location"] = self.request.build_absolute_uri(
+                reverse(
+                    "authentik_sources_scim:v2-schema",
+                    kwargs={
+                        "source_slug": self.kwargs["source_slug"],
+                        "schema_uri": raw_schema["id"],
+                    },
+                )
+            )
+            schemas.append(raw_schema)
+        return schemas
+
+    # pylint: disable=unused-argument
+    def get(self, request: Request, source_slug: str, schema_uri: Optional[str] = None) -> Response:
+        """Get schemas as SCIM response"""
+        schemas = self.get_schemas()
+        if schema_uri:
+            schema = [x for x in schemas if x.get("id") == schema_uri]
+            if schema:
+                return Response(schema[0])
+            raise Http404
+        return Response(
+            {
+                "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
+                "totalResults": len(schemas),
+                "itemsPerPage": len(schemas),
+                "startIndex": 1,
+                "Resources": schemas,
+            }
+        )
--- a/authentik/sources/scim/views/v2/service_provider_config.py
+++ b/authentik/sources/scim/views/v2/service_provider_config.py
@ -0,0 +1,35 @@
+"""SCIM Meta views"""
+from rest_framework.request import Request
+from rest_framework.response import Response
+
+from authentik.sources.scim.views.v2.base import SCIMView
+
+
+class ServiceProviderConfigView(SCIMView):
+    """ServiceProviderConfig, https://ldapwiki.com/wiki/SCIM%20ServiceProviderConfig%20endpoint"""
+
+    # pylint: disable=unused-argument
+    def get(self, request: Request, source_slug: str) -> Response:
+        """Get ServiceProviderConfig"""
+        return Response(
+            {
+                "schemas": ["urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig"],
+                "authenticationSchemes": [
+                    {
+                        "type": "oauthbearertoken",
+                        "name": "OAuth Bearer Token",
+                        "description": (
+                            "Authentication scheme using the OAuth Bearer Token Standard"
+                        ),
+                        "specUri": "https://www.rfc-editor.org/info/rfc6750",
+                        "primary": True,
+                    },
+                ],
+                "patch": {"supported": True},
+                "bulk": {"supported": False, "maxOperations": 0, "maxPayloadSize": 0},
+                "filter": {"supported": False, "maxResults": 200},
+                "changePassword": {"supported": False},
+                "sort": {"supported": False},
+                "etag": {"supported": False},
+            }
+        )
--- a/authentik/sources/scim/views/v2/users.py
+++ b/authentik/sources/scim/views/v2/users.py
@ -0,0 +1,154 @@
+"""SCIM User Views"""
+from typing import Optional
+
+from django.core.paginator import Paginator
+from django.http import Http404, QueryDict
+from django.urls import reverse
+from guardian.shortcuts import get_anonymous_user
+from rest_framework.exceptions import ValidationError
+from rest_framework.request import Request
+from rest_framework.response import Response
+from structlog.stdlib import get_logger
+
+from authentik.core.models import User
+from authentik.sources.scim.models import (
+    USER_ATTRIBUTE_SCIM_ADDRESS,
+    USER_ATTRIBUTE_SCIM_ENTERPRISE,
+    USER_ATTRIBUTE_SCIM_ID,
+)
+from authentik.sources.scim.views.v2.base import SCIM_CONTENT_TYPE, SCIMView
+
+LOGGER = get_logger()
+
+
+class UsersView(SCIMView):
+    """SCIM User view"""
+
+    def get_email(self, data: list[dict]) -> str:
+        """Wrapper to get primary email or first email"""
+        for email in data:
+            if email.get("primary", False):
+                return email.get("value")
+        return data[0].get("value")
+
+    def user_to_scim(self, user: User) -> dict:
+        """Convert User to SCIM data"""
+        payload = {
+            "id": str(user.pk),
+            "meta": {
+                "resourceType": "User",
+                "created": user.date_joined,
+                # TODO: use events to find last edit?
+                "lastModified": user.date_joined,
+                "location": self.request.build_absolute_uri(
+                    reverse(
+                        "authentik_sources_scim:v2-users",
+                        kwargs={
+                            "source_slug": self.kwargs["source_slug"],
+                            "user_id": str(user.pk),
+                        },
+                    )
+                ),
+            },
+            "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": user.attributes.get(
+                USER_ATTRIBUTE_SCIM_ENTERPRISE, {}
+            ),
+            "schemas": [
+                "urn:ietf:params:scim:schemas:core:2.0:User",
+                "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User",
+            ],
+            "userName": user.username,
+            "name": {},
+            "displayName": user.name,
+            "active": user.is_active,
+            "emails": [{"value": user.email, "type": "work", "primary": True}],
+        }
+        if USER_ATTRIBUTE_SCIM_ID in user.attributes:
+            payload["externalId"] = user.attributes[USER_ATTRIBUTE_SCIM_ID]
+        return payload
+
+    def get(self, request: Request, user_id: Optional[str] = None, **kwargs) -> Response:
+        """List User handler"""
+        if user_id:
+            user = User.objects.filter(pk=user_id).first()
+            if not user:
+                raise Http404
+            return Response(self.user_to_scim(user))
+        users = User.objects.all().exclude(pk=get_anonymous_user().pk).order_by("pk")
+        per_page = 50
+        paginator = Paginator(users, per_page=per_page)
+        start_index = int(request.query_params.get("startIndex", 1))
+        page = paginator.page(int(max(start_index / per_page, 1)))
+        return Response(
+            {
+                "totalResults": paginator.count,
+                "itemsPerPage": per_page,
+                "startIndex": page.start_index(),
+                "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
+                "Resources": [self.user_to_scim(user) for user in page],
+            }
+        )
+
+    def update_user(self, user: User, data: QueryDict) -> User:
+        """Partial update a user"""
+        if "userName" in data:
+            user.username = data.get("userName")
+        if "name" in data:
+            user.name = data.get("name", {}).get("formatted", data.get("displayName"))
+        if "emails" in data:
+            user.email = self.get_email(data.get("emails"))
+        if "active" in data:
+            user.is_active = data.get("active")
+        if "externalId" in data:
+            user.attributes[USER_ATTRIBUTE_SCIM_ID] = data.get("externalId")
+        if "addresses" in data:
+            user.attributes[USER_ATTRIBUTE_SCIM_ADDRESS] = data.get("addresses")
+        if "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User" in data:
+            user.attributes[USER_ATTRIBUTE_SCIM_ENTERPRISE] = data.get(
+                "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
+            )
+        if user.username == "":
+            raise ValidationError("Invalid user")
+        return user
+
+    def post(self, request: Request, **kwargs) -> Response:
+        """Create user handler"""
+        user = User.objects.filter(
+            **{
+                f"attributes__{USER_ATTRIBUTE_SCIM_ID}": request.data.get("externalId"),
+                "username": request.data.get("userName"),
+            }
+        ).first()
+        if user:
+            LOGGER.debug("Found existing user")
+            return Response(status=409)
+        user = self.update_user(User(), request.data)
+        user.save()
+        return Response(self.user_to_scim(user), status=201)
+
+    def patch(self, request: Request, user_id: str, **kwargs) -> Response:
+        """Update user handler"""
+        return self.put(request, user_id, **kwargs)
+
+    def put(self, request: Request, user_id: str, **kwargs) -> Response:
+        """Update user handler"""
+        user: Optional[User] = User.objects.filter(pk=user_id).first()
+        if not user:
+            raise Http404
+        self.update_user(user, request.data)
+        user.save()
+        return Response(self.user_to_scim(user), status=200)
+
+    def delete(self, request: Request, user_id: str, **kwargs) -> Response:
+        """Delete user handler"""
+        user: Optional[User] = User.objects.filter(pk=user_id).first()
+        if not user:
+            raise Http404
+        user.delete()
+        return Response(
+            {},
+            status=204,
+            headers={
+                "Content-Type": SCIM_CONTENT_TYPE,
+            },
+        )
--- a/authentik/stages/email/stage.py
+++ b/authentik/stages/email/stage.py
@ -1,5 +1,6 @@
 """authentik multi-stage authentication engine"""
 from datetime import timedelta
+from uuid import uuid4

 from django.contrib import messages
 from django.http import HttpRequest, HttpResponse
@ -52,17 +53,13 @@ class EmailStageView(ChallengeStageView):
            kwargs={"flow_slug": self.executor.flow.slug},
        )
        # Parse query string from current URL (full query string)
-        query_params = QueryDict(self.request.META.get("QUERY_STRING", ""), mutable=True)
+        # this view is only run within a flow executor, where we need to get the query string
+        # from the query= parameter (double encoded); but for the redirect
+        # we need to expand it since it'll go through the flow interface
+        query_params = QueryDict(self.request.GET.get(QS_QUERY), mutable=True)
        query_params.pop(QS_KEY_TOKEN, None)
-
-        # Check for nested query string used by flow executor, and remove any
-        # kind of flow token from that
-        if QS_QUERY in query_params:
-            inner_query_params = QueryDict(query_params.get(QS_QUERY), mutable=True)
-            inner_query_params.pop(QS_KEY_TOKEN, None)
-            query_params[QS_QUERY] = inner_query_params.urlencode()
-
        query_params.update(kwargs)
+        print(query_params)
        full_url = base_url
        if len(query_params) > 0:
            full_url = f"{full_url}?{query_params.urlencode()}"
@ -75,7 +72,7 @@ class EmailStageView(ChallengeStageView):
        valid_delta = timedelta(
            minutes=current_stage.token_expiry + 1
        )  # + 1 because django timesince always rounds down
-        identifier = slugify(f"ak-email-stage-{current_stage.name}-{pending_user}")
+        identifier = slugify(f"ak-email-stage-{current_stage.name}-{str(uuid4())}")
        # Don't check for validity here, we only care if the token exists
        tokens = FlowToken.objects.filter(identifier=identifier)
        if not tokens.exists():
--- a/authentik/stages/email/tests/test_stage.py
+++ b/authentik/stages/email/tests/test_stage.py
@ -259,7 +259,7 @@ class TestEmailStage(FlowTestCase):
        session.save()

        url = reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug})
-        url += "?foo=bar"
+        url += "?query=" + urlencode({"foo": "bar"})
        request = self.factory.get(url)
        stage_view = EmailStageView(
            FlowExecutorView(
@ -273,31 +273,3 @@ class TestEmailStage(FlowTestCase):
            stage_view.get_full_url(**{QS_KEY_TOKEN: token}),
            f"http://testserver/if/flow/{self.flow.slug}/?foo=bar&flow_token={token}",
        )
-
-    def test_url_existing_params_nested(self):
-        """Test to ensure that URL params are preserved in the URL being sent (including nested)"""
-        plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
-        plan.context[PLAN_CONTEXT_PENDING_USER] = self.user
-        session = self.client.session
-        session[SESSION_KEY_PLAN] = plan
-        session.save()
-
-        url = reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug})
-        url += "?foo=bar&"
-        url += "query=" + urlencode({"nested": "value"})
-        request = self.factory.get(url)
-        stage_view = EmailStageView(
-            FlowExecutorView(
-                request=request,
-                flow=self.flow,
-            ),
-            request=request,
-        )
-        token = generate_id()
-        self.assertEqual(
-            stage_view.get_full_url(**{QS_KEY_TOKEN: token}),
-            (
-                f"http://testserver/if/flow/{self.flow.slug}"
-                f"/?foo=bar&query=nested%3Dvalue&flow_token={token}"
-            ),
-        )
--- a/blueprints/schema.json
+++ b/blueprints/schema.json
@ -1521,6 +1521,43 @@
                            }
                        }
                    },
+                    {
+                        "type": "object",
+                        "required": [
+                            "model",
+                            "identifiers"
+                        ],
+                        "properties": {
+                            "model": {
+                                "const": "authentik_sources_scim.scimsource"
+                            },
+                            "id": {
+                                "type": "string"
+                            },
+                            "state": {
+                                "type": "string",
+                                "enum": [
+                                    "absent",
+                                    "present",
+                                    "created",
+                                    "must_created"
+                                ],
+                                "default": "present"
+                            },
+                            "conditions": {
+                                "type": "array",
+                                "items": {
+                                    "type": "boolean"
+                                }
+                            },
+                            "attrs": {
+                                "$ref": "#/$defs/model_authentik_sources_scim.scimsource"
+                            },
+                            "identifiers": {
+                                "$ref": "#/$defs/model_authentik_sources_scim.scimsource"
+                            }
+                        }
+                    },
                    {
                        "type": "object",
                        "required": [
@ -3452,6 +3489,7 @@
                        "authentik.sources.oauth",
                        "authentik.sources.plex",
                        "authentik.sources.saml",
+                        "authentik.sources.scim",
                        "authentik.stages.authenticator",
                        "authentik.stages.authenticator_duo",
                        "authentik.stages.authenticator_sms",
@ -3527,6 +3565,7 @@
                        "authentik_sources_plex.plexsourceconnection",
                        "authentik_sources_saml.samlsource",
                        "authentik_sources_saml.usersamlsourceconnection",
+                        "authentik_sources_scim.scimsource",
                        "authentik_stages_authenticator_duo.authenticatorduostage",
                        "authentik_stages_authenticator_duo.duodevice",
                        "authentik_stages_authenticator_sms.authenticatorsmsstage",
@ -5700,6 +5739,74 @@
            },
            "required": []
        },
+        "model_authentik_sources_scim.scimsource": {
+            "type": "object",
+            "properties": {
+                "name": {
+                    "type": "string",
+                    "minLength": 1,
+                    "title": "Name",
+                    "description": "Source's display Name."
+                },
+                "slug": {
+                    "type": "string",
+                    "maxLength": 50,
+                    "minLength": 1,
+                    "pattern": "^[-a-zA-Z0-9_]+$",
+                    "title": "Slug",
+                    "description": "Internal source name, used in URLs."
+                },
+                "enabled": {
+                    "type": "boolean",
+                    "title": "Enabled"
+                },
+                "authentication_flow": {
+                    "type": "integer",
+                    "title": "Authentication flow",
+                    "description": "Flow to use when authenticating existing users."
+                },
+                "enrollment_flow": {
+                    "type": "integer",
+                    "title": "Enrollment flow",
+                    "description": "Flow to use when enrolling new users."
+                },
+                "policy_engine_mode": {
+                    "type": "string",
+                    "enum": [
+                        "all",
+                        "any"
+                    ],
+                    "title": "Policy engine mode"
+                },
+                "user_matching_mode": {
+                    "type": "string",
+                    "enum": [
+                        "identifier",
+                        "email_link",
+                        "email_deny",
+                        "username_link",
+                        "username_deny"
+                    ],
+                    "title": "User matching mode",
+                    "description": "How the source determines if an existing user should be authenticated or a new user enrolled."
+                },
+                "user_path_template": {
+                    "type": "string",
+                    "minLength": 1,
+                    "title": "User path template"
+                },
+                "icon": {
+                    "type": "string",
+                    "minLength": 1,
+                    "title": "Icon"
+                },
+                "token": {
+                    "type": "integer",
+                    "title": "Token"
+                }
+            },
+            "required": []
+        },
        "model_authentik_stages_authenticator_duo.authenticatorduostage": {
            "type": "object",
            "properties": {
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -32,7 +32,7 @@ services:
    volumes:
      - redis:/data
  server:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2023.10.2}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2023.10.3}
    restart: unless-stopped
    command: server
    environment:
@ -53,7 +53,7 @@ services:
      - postgresql
      - redis
  worker:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2023.10.2}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2023.10.3}
    restart: unless-stopped
    command: worker
    environment:
--- a/go.mod
+++ b/go.mod
@ -13,24 +13,24 @@ require (
 	github.com/go-openapi/strfmt v0.21.7
 	github.com/golang-jwt/jwt v3.2.2+incompatible
 	github.com/google/uuid v1.4.0
-	github.com/gorilla/handlers v1.5.1
-	github.com/gorilla/mux v1.8.0
-	github.com/gorilla/securecookie v1.1.1
-	github.com/gorilla/sessions v1.2.1
-	github.com/gorilla/websocket v1.5.0
+	github.com/gorilla/handlers v1.5.2
+	github.com/gorilla/mux v1.8.1
+	github.com/gorilla/securecookie v1.1.2
+	github.com/gorilla/sessions v1.2.2
+	github.com/gorilla/websocket v1.5.1
 	github.com/jellydator/ttlcache/v3 v3.1.0
 	github.com/mitchellh/mapstructure v1.5.0
 	github.com/nmcclain/asn1-ber v0.0.0-20170104154839-2661553a0484
 	github.com/pires/go-proxyproto v0.7.0
 	github.com/prometheus/client_golang v1.17.0
-	github.com/redis/go-redis/v9 v9.2.1
+	github.com/redis/go-redis/v9 v9.3.0
 	github.com/sirupsen/logrus v1.9.3
-	github.com/spf13/cobra v1.7.0
+	github.com/spf13/cobra v1.8.0
 	github.com/stretchr/testify v1.8.4
-	goauthentik.io/api/v3 v3.2023101.1
+	goauthentik.io/api/v3 v3.2023103.2
 	golang.org/x/exp v0.0.0-20230210204819-062eb4c674ab
-	golang.org/x/oauth2 v0.13.0
-	golang.org/x/sync v0.4.0
+	golang.org/x/oauth2 v0.14.0
+	golang.org/x/sync v0.5.0
 	gopkg.in/yaml.v2 v2.4.0
 	layeh.com/radius v0.0.0-20210819152912-ad72663a72ab
 )
@ -42,7 +42,7 @@ require (
 	github.com/cespare/xxhash/v2 v2.2.0 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
-	github.com/felixge/httpsnoop v1.0.1 // indirect
+	github.com/felixge/httpsnoop v1.0.3 // indirect
 	github.com/go-asn1-ber/asn1-ber v1.5.5 // indirect
 	github.com/go-http-utils/fresh v0.0.0-20161124030543-7231e26a4b27 // indirect
 	github.com/go-http-utils/headers v0.0.0-20181008091004-fed159eddc2a // indirect
@ -72,10 +72,10 @@ require (
 	go.mongodb.org/mongo-driver v1.11.3 // indirect
 	go.opentelemetry.io/otel v1.14.0 // indirect
 	go.opentelemetry.io/otel/trace v1.14.0 // indirect
-	golang.org/x/crypto v0.14.0 // indirect
-	golang.org/x/net v0.17.0 // indirect
-	golang.org/x/sys v0.13.0 // indirect
-	golang.org/x/text v0.13.0 // indirect
+	golang.org/x/crypto v0.15.0 // indirect
+	golang.org/x/net v0.18.0 // indirect
+	golang.org/x/sys v0.14.0 // indirect
+	golang.org/x/text v0.14.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/protobuf v1.31.0 // indirect
 	gopkg.in/square/go-jose.v2 v2.5.1 // indirect
--- a/go.sum
+++ b/go.sum
@ -62,7 +62,7 @@ github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDk
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
 github.com/coreos/go-oidc v2.2.1+incompatible h1:mh48q/BqXqgjVHpy2ZY7WnWAbenxRjsz9N1i1YxjHAk=
 github.com/coreos/go-oidc v2.2.1+incompatible/go.mod h1:CgnwVTmzoESiwO9qyAFEMiHoZ1nMCKZlZ9V6mm3/LKc=
-github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
+github.com/cpuguy83/go-md2man/v2 v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
@ -73,8 +73,8 @@ github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymF
 github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
-github.com/felixge/httpsnoop v1.0.1 h1:lvB5Jl89CsZtGIWuTcDM1E/vkVs49/Ml7JJe07l8SPQ=
-github.com/felixge/httpsnoop v1.0.1/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
+github.com/felixge/httpsnoop v1.0.3 h1:s/nj+GCswXYzN5v2DpNMuMQYe+0DDwt5WVCU6CWBdXk=
+github.com/felixge/httpsnoop v1.0.3/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
 github.com/getsentry/sentry-go v0.25.0 h1:q6Eo+hS+yoJlTO3uu/azhQadsD8V+jQn2D8VvX1eOyI=
 github.com/getsentry/sentry-go v0.25.0/go.mod h1:lc76E2QywIyW8WuBnwl8Lc4bkmQH4+w1gwTf25trprY=
 github.com/go-asn1-ber/asn1-ber v1.5.5 h1:MNHlNMBDgEKD4TcKr36vQN68BA00aDfjIt3/bD50WnA=
@ -200,6 +200,8 @@ github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
 github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
+github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
 github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0=
 github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
@ -216,16 +218,16 @@ github.com/google/uuid v1.4.0 h1:MtMxsa51/r9yyhkyLsVeVt0B+BGQZzpQiTQ4eHZ8bc4=
 github.com/google/uuid v1.4.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
 github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
-github.com/gorilla/handlers v1.5.1 h1:9lRY6j8DEeeBT10CvO9hGW0gmky0BprnvDI5vfhUHH4=
-github.com/gorilla/handlers v1.5.1/go.mod h1:t8XrUpc4KVXb7HGyJ4/cEnwQiaxrX/hz1Zv/4g96P1Q=
-github.com/gorilla/mux v1.8.0 h1:i40aqfkR1h2SlN9hojwV5ZA91wcXFOvkdNIeFDP5koI=
-github.com/gorilla/mux v1.8.0/go.mod h1:DVbg23sWSpFRCP0SfiEN6jmj59UnW/n46BH5rLB71So=
-github.com/gorilla/securecookie v1.1.1 h1:miw7JPhV+b/lAHSXz4qd/nN9jRiAFV5FwjeKyCS8BvQ=
-github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4=
-github.com/gorilla/sessions v1.2.1 h1:DHd3rPN5lE3Ts3D8rKkQ8x/0kqfeNmBAaiSi+o7FsgI=
-github.com/gorilla/sessions v1.2.1/go.mod h1:dk2InVEVJ0sfLlnXv9EAgkf6ecYs/i80K/zI+bUmuGM=
-github.com/gorilla/websocket v1.5.0 h1:PPwGk2jz7EePpoHN/+ClbZu8SPxiqlu12wZP/3sWmnc=
-github.com/gorilla/websocket v1.5.0/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
+github.com/gorilla/handlers v1.5.2 h1:cLTUSsNkgcwhgRqvCNmdbRWG0A3N4F+M2nWKdScwyEE=
+github.com/gorilla/handlers v1.5.2/go.mod h1:dX+xVpaxdSw+q0Qek8SSsl3dfMk3jNddUkMzo0GtH0w=
+github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY=
+github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ=
+github.com/gorilla/securecookie v1.1.2 h1:YCIWL56dvtr73r6715mJs5ZvhtnY73hBvEF8kXD8ePA=
+github.com/gorilla/securecookie v1.1.2/go.mod h1:NfCASbcHqRSY+3a8tlWJwsQap2VX5pwzwo4h3eOamfo=
+github.com/gorilla/sessions v1.2.2 h1:lqzMYz6bOfvn2WriPUjNByzeXIlVzURcPmgMczkmTjY=
+github.com/gorilla/sessions v1.2.2/go.mod h1:ePLdVu+jbEgHH+KWw8I1z2wqd0BAdAQh/8LRvBeoNcQ=
+github.com/gorilla/websocket v1.5.1 h1:gmztn0JnHVt9JZquRuzLw3g4wouNVzKL15iLr/zn/QY=
+github.com/gorilla/websocket v1.5.1/go.mod h1:x3kM2JMyaluk02fnUJpQuwD2dCS5NDG2ZHL0uE0tcaY=
 github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
@ -295,8 +297,8 @@ github.com/prometheus/common v0.44.0 h1:+5BrQJwiBB9xsMygAB3TNvpQKOwlkc25LbISbrdO
 github.com/prometheus/common v0.44.0/go.mod h1:ofAIvZbQ1e/nugmZGz4/qCb9Ap1VoSTIO7x0VV9VvuY=
 github.com/prometheus/procfs v0.11.1 h1:xRC8Iq1yyca5ypa9n1EZnWZkt7dwcoRPQwX/5gwaUuI=
 github.com/prometheus/procfs v0.11.1/go.mod h1:eesXgaPo1q7lBpVMoMy0ZOFTth9hBn4W/y0/p/ScXhY=
-github.com/redis/go-redis/v9 v9.2.1 h1:WlYJg71ODF0dVspZZCpYmoF1+U1Jjk9Rwd7pq6QmlCg=
-github.com/redis/go-redis/v9 v9.2.1/go.mod h1:hdY0cQFCN4fnSYT6TkisLufl/4W5UIXyv0b/CLO2V2M=
+github.com/redis/go-redis/v9 v9.3.0 h1:RiVDjmig62jIWp7Kk4XVLs0hzV6pI3PyTnnL0cnn0u0=
+github.com/redis/go-redis/v9 v9.3.0/go.mod h1:hdY0cQFCN4fnSYT6TkisLufl/4W5UIXyv0b/CLO2V2M=
 github.com/rogpeppe/go-internal v1.1.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
 github.com/rogpeppe/go-internal v1.2.2/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
@ -309,8 +311,8 @@ github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6Mwd
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/spf13/cobra v0.0.3/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ=
-github.com/spf13/cobra v1.7.0 h1:hyqWnYt1ZQShIddO5kBpj3vu05/++x6tJ6dg8EC572I=
-github.com/spf13/cobra v1.7.0/go.mod h1:uLxZILRyS/50WlhOIKD7W6V5bgeIt+4sICxh6uRMrb0=
+github.com/spf13/cobra v1.8.0 h1:7aJaZx1B85qltLMc546zn58BxxfZdR/W22ej9CFoEf0=
+github.com/spf13/cobra v1.8.0/go.mod h1:WXLWApfZ71AjXPya3WOlMsY9yMs7YeiHhFVlvLyhcho=
 github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
@ -356,8 +358,8 @@ go.opentelemetry.io/otel/trace v1.14.0 h1:wp2Mmvj41tDsyAJXiWDWpfNsOiIyd38fy85pyK
 go.opentelemetry.io/otel/trace v1.14.0/go.mod h1:8avnQLK+CG77yNLUae4ea2JDQ6iT+gozhnZjy/rw9G8=
 go.uber.org/goleak v1.2.1 h1:NBol2c7O1ZokfZ0LEU9K6Whx/KnwvepVetCUhtKja4A=
 go.uber.org/goleak v1.2.1/go.mod h1:qlT2yGI9QafXHhZZLxlSuNsMw3FFLxBr+tBRlmO1xH4=
-goauthentik.io/api/v3 v3.2023101.1 h1:KIQ4wmxjE+geAVB0wBfmxW9Uzo/tA0dbd2hSUJ7YJ3M=
-goauthentik.io/api/v3 v3.2023101.1/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
+goauthentik.io/api/v3 v3.2023103.2 h1:k3GOGc5vVfxkS8+a8KjQaqAOPfpCqDYLEIjKEewrxwo=
+goauthentik.io/api/v3 v3.2023103.2/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
 golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190422162423-af44ce270edf/go.mod h1:WFFai1msRO1wXaEeE5yQxYXgSfI8pQAWXbQop6sCtWE=
@ -370,8 +372,8 @@ golang.org/x/crypto v0.0.0-20200709230013-948cd5f35899/go.mod h1:LzIPMQfyMNhhGPh
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
-golang.org/x/crypto v0.14.0 h1:wBqGXzWJW6m1XrIKlAH0Hs1JJ7+9KBwnIO8v66Q9cHc=
-golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4=
+golang.org/x/crypto v0.15.0 h1:frVn1TEaCEaZcn3Tmd7Y2b5KKPaZ+I32Q2OA3kYp5TA=
+golang.org/x/crypto v0.15.0/go.mod h1:4ChreQoLWfG3xLDer1WdlH5NdlQ3+mwnQq1YTKY+72g=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@ -438,16 +440,16 @@ golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qx
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
-golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM=
-golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE=
+golang.org/x/net v0.18.0 h1:mIYleuAkSbHh0tCv7RvjL3F6ZVbLjq4+R7zbOn3Kokg=
+golang.org/x/net v0.18.0/go.mod h1:/czyP5RqHAH4odGYxBJ1qz0+CE5WZ+2j1YgoEo8F2jQ=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.13.0 h1:jDDenyj+WgFtmV3zYVoi8aE2BwtXFLWOA67ZfNWftiY=
-golang.org/x/oauth2 v0.13.0/go.mod h1:/JMhi4ZRXAf4HG9LiNmxvk+45+96RUlVThiH8FzNBn0=
+golang.org/x/oauth2 v0.14.0 h1:P0Vrf/2538nmC0H+pEQ3MNFRRnVR7RlqyVw+bvm26z0=
+golang.org/x/oauth2 v0.14.0/go.mod h1:lAtNWgaWfL4cm7j2OV8TxGi9Qb7ECORx8DktCY74OwM=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@ -460,8 +462,8 @@ golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.4.0 h1:zxkM55ReGkDlKSM+Fu41A+zmbZuaPVbGMzvvdUPznYQ=
-golang.org/x/sync v0.4.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
+golang.org/x/sync v0.5.0 h1:60k92dhOjHxJkrqnwsfl8KuaHbn/5dl0lUPUklKo3qE=
+golang.org/x/sync v0.5.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@ -502,8 +504,8 @@ golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE=
-golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.14.0 h1:Vz7Qs629MkJkGyHxUlRHizWJRG2j8fbQKjELVSNhy7Q=
+golang.org/x/sys v0.14.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
@ -519,8 +521,9 @@ golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
-golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k=
 golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
+golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
+golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
--- a/internal/config/struct.go
+++ b/internal/config/struct.go
@ -27,14 +27,11 @@ type Config struct {
 type RedisConfig struct {
 	Host                   string `yaml:"host" env:"AUTHENTIK_REDIS__HOST"`
 	Port                   int    `yaml:"port" env:"AUTHENTIK_REDIS__PORT"`
+	DB                     int    `yaml:"db" env:"AUTHENTIK_REDIS__DB"`
+	Username               string `yaml:"username" env:"AUTHENTIK_REDIS__USERNAME"`
 	Password               string `yaml:"password" env:"AUTHENTIK_REDIS__PASSWORD"`
 	TLS                    bool   `yaml:"tls" env:"AUTHENTIK_REDIS__TLS"`
 	TLSReqs                string `yaml:"tls_reqs" env:"AUTHENTIK_REDIS__TLS_REQS"`
-	DB                     int    `yaml:"cache_db" env:"AUTHENTIK_REDIS__DB"`
-	CacheTimeout           int    `yaml:"cache_timeout" env:"AUTHENTIK_REDIS__CACHE_TIMEOUT"`
-	CacheTimeoutFlows      int    `yaml:"cache_timeout_flows" env:"AUTHENTIK_REDIS__CACHE_TIMEOUT_FLOWS"`
-	CacheTimeoutPolicies   int    `yaml:"cache_timeout_policies" env:"AUTHENTIK_REDIS__CACHE_TIMEOUT_POLICIES"`
-	CacheTimeoutReputation int    `yaml:"cache_timeout_reputation" env:"AUTHENTIK_REDIS__CACHE_TIMEOUT_REPUTATION"`
 }

 type ListenConfig struct {
--- a/internal/constants/constants.go
+++ b/internal/constants/constants.go
@ -29,4 +29,4 @@ func UserAgent() string {
 	return fmt.Sprintf("authentik@%s", FullVersion())
 }

-const VERSION = "2023.10.2"
+const VERSION = "2023.10.3"
--- a/internal/outpost/flow/executor.go
+++ b/internal/outpost/flow/executor.go
@ -29,16 +29,6 @@ var (
 		Name: "authentik_outpost_flow_timing_post_seconds",
 		Help: "Duration it took to send a challenge in seconds",
 	}, []string{"stage", "flow"})
-
-	// NOTE: the following metrics are kept for compatibility purpose
-	FlowTimingGetLegacy = promauto.NewHistogramVec(prometheus.HistogramOpts{
-		Name: "authentik_outpost_flow_timing_get",
-		Help: "Duration it took to get a challenge",
-	}, []string{"stage", "flow"})
-	FlowTimingPostLegacy = promauto.NewHistogramVec(prometheus.HistogramOpts{
-		Name: "authentik_outpost_flow_timing_post",
-		Help: "Duration it took to send a challenge",
-	}, []string{"stage", "flow"})
 )

 type SolverFunction func(*api.ChallengeTypes, api.ApiFlowsExecutorSolveRequest) (api.FlowChallengeResponseRequest, error)
@ -198,10 +188,6 @@ func (fe *FlowExecutor) getInitialChallenge() (*api.ChallengeTypes, error) {
 		"stage": ch.GetComponent(),
 		"flow":  fe.flowSlug,
 	}).Observe(float64(gcsp.EndTime.Sub(gcsp.StartTime)) / float64(time.Second))
-	FlowTimingGetLegacy.With(prometheus.Labels{
-		"stage": ch.GetComponent(),
-		"flow":  fe.flowSlug,
-	}).Observe(float64(gcsp.EndTime.Sub(gcsp.StartTime)))
 	return challenge, nil
 }

@ -259,10 +245,6 @@ func (fe *FlowExecutor) solveFlowChallenge(challenge *api.ChallengeTypes, depth
 		"stage": ch.GetComponent(),
 		"flow":  fe.flowSlug,
 	}).Observe(float64(scsp.EndTime.Sub(scsp.StartTime)) / float64(time.Second))
-	FlowTimingPostLegacy.With(prometheus.Labels{
-		"stage": ch.GetComponent(),
-		"flow":  fe.flowSlug,
-	}).Observe(float64(scsp.EndTime.Sub(scsp.StartTime)))

 	if depth >= 10 {
 		return false, errors.New("exceeded stage recursion depth")
--- a/internal/outpost/ldap/bind.go
+++ b/internal/outpost/ldap/bind.go
@ -22,11 +22,6 @@ func (ls *LDAPServer) Bind(bindDN string, bindPW string, conn net.Conn) (ldap.LD
 			"type":         "bind",
 			"app":          selectedApp,
 		}).Observe(float64(span.EndTime.Sub(span.StartTime)) / float64(time.Second))
-		metrics.RequestsLegacy.With(prometheus.Labels{
-			"outpost_name": ls.ac.Outpost.Name,
-			"type":         "bind",
-			"app":          selectedApp,
-		}).Observe(float64(span.EndTime.Sub(span.StartTime)))
 		req.Log().WithField("took-ms", span.EndTime.Sub(span.StartTime).Milliseconds()).Info("Bind request")
 	}()

@ -55,12 +50,6 @@ func (ls *LDAPServer) Bind(bindDN string, bindPW string, conn net.Conn) (ldap.LD
 		"reason":       "no_provider",
 		"app":          "",
 	}).Inc()
-	metrics.RequestsRejectedLegacy.With(prometheus.Labels{
-		"outpost_name": ls.ac.Outpost.Name,
-		"type":         "bind",
-		"reason":       "no_provider",
-		"app":          "",
-	}).Inc()

 	return ldap.LDAPResultInsufficientAccessRights, nil
 }
--- a/internal/outpost/ldap/bind/direct/bind.go
+++ b/internal/outpost/ldap/bind/direct/bind.go
@ -47,12 +47,6 @@ func (db *DirectBinder) Bind(username string, req *bind.Request) (ldap.LDAPResul
 			"reason":       "flow_error",
 			"app":          db.si.GetAppSlug(),
 		}).Inc()
-		metrics.RequestsRejectedLegacy.With(prometheus.Labels{
-			"outpost_name": db.si.GetOutpostName(),
-			"type":         "bind",
-			"reason":       "flow_error",
-			"app":          db.si.GetAppSlug(),
-		}).Inc()
 		req.Log().WithError(err).Warning("failed to execute flow")
 		return ldap.LDAPResultInvalidCredentials, nil
 	}
@ -63,12 +57,6 @@ func (db *DirectBinder) Bind(username string, req *bind.Request) (ldap.LDAPResul
 			"reason":       "invalid_credentials",
 			"app":          db.si.GetAppSlug(),
 		}).Inc()
-		metrics.RequestsRejectedLegacy.With(prometheus.Labels{
-			"outpost_name": db.si.GetOutpostName(),
-			"type":         "bind",
-			"reason":       "invalid_credentials",
-			"app":          db.si.GetAppSlug(),
-		}).Inc()
 		req.Log().Info("Invalid credentials")
 		return ldap.LDAPResultInvalidCredentials, nil
 	}
@ -82,12 +70,6 @@ func (db *DirectBinder) Bind(username string, req *bind.Request) (ldap.LDAPResul
 			"reason":       "access_denied",
 			"app":          db.si.GetAppSlug(),
 		}).Inc()
-		metrics.RequestsRejectedLegacy.With(prometheus.Labels{
-			"outpost_name": db.si.GetOutpostName(),
-			"type":         "bind",
-			"reason":       "access_denied",
-			"app":          db.si.GetAppSlug(),
-		}).Inc()
 		return ldap.LDAPResultInsufficientAccessRights, nil
 	}
 	if err != nil {
@ -97,12 +79,6 @@ func (db *DirectBinder) Bind(username string, req *bind.Request) (ldap.LDAPResul
 			"reason":       "access_check_fail",
 			"app":          db.si.GetAppSlug(),
 		}).Inc()
-		metrics.RequestsRejectedLegacy.With(prometheus.Labels{
-			"outpost_name": db.si.GetOutpostName(),
-			"type":         "bind",
-			"reason":       "access_check_fail",
-			"app":          db.si.GetAppSlug(),
-		}).Inc()
 		req.Log().WithError(err).Warning("failed to check access")
 		return ldap.LDAPResultOperationsError, nil
 	}
@ -117,12 +93,6 @@ func (db *DirectBinder) Bind(username string, req *bind.Request) (ldap.LDAPResul
 			"reason":       "user_info_fail",
 			"app":          db.si.GetAppSlug(),
 		}).Inc()
-		metrics.RequestsRejectedLegacy.With(prometheus.Labels{
-			"outpost_name": db.si.GetOutpostName(),
-			"type":         "bind",
-			"reason":       "user_info_fail",
-			"app":          db.si.GetAppSlug(),
-		}).Inc()
 		req.Log().WithError(err).Warning("failed to get user info")
 		return ldap.LDAPResultOperationsError, nil
 	}
--- a/internal/outpost/ldap/metrics/metrics.go
+++ b/internal/outpost/ldap/metrics/metrics.go
@ -22,16 +22,6 @@ var (
 		Name: "authentik_outpost_ldap_requests_rejected_total",
 		Help: "Total number of rejected requests",
 	}, []string{"outpost_name", "type", "reason", "app"})
-
-	// NOTE: the following metrics are kept for compatibility purpose
-	RequestsLegacy = promauto.NewHistogramVec(prometheus.HistogramOpts{
-		Name: "authentik_outpost_ldap_requests",
-		Help: "The total number of configured providers",
-	}, []string{"outpost_name", "type", "app"})
-	RequestsRejectedLegacy = promauto.NewCounterVec(prometheus.CounterOpts{
-		Name: "authentik_outpost_ldap_requests_rejected",
-		Help: "Total number of rejected requests",
-	}, []string{"outpost_name", "type", "reason", "app"})
 )

 func RunServer() {
--- a/internal/outpost/ldap/search.go
+++ b/internal/outpost/ldap/search.go
@ -23,11 +23,6 @@ func (ls *LDAPServer) Search(bindDN string, searchReq ldap.SearchRequest, conn n
 			"type":         "search",
 			"app":          selectedApp,
 		}).Observe(float64(span.EndTime.Sub(span.StartTime)) / float64(time.Second))
-		metrics.RequestsLegacy.With(prometheus.Labels{
-			"outpost_name": ls.ac.Outpost.Name,
-			"type":         "search",
-			"app":          selectedApp,
-		}).Observe(float64(span.EndTime.Sub(span.StartTime)))
 		req.Log().WithField("attributes", searchReq.Attributes).WithField("took-ms", span.EndTime.Sub(span.StartTime).Milliseconds()).Info("Search request")
 	}()

--- a/internal/outpost/ldap/search/direct/direct.go
+++ b/internal/outpost/ldap/search/direct/direct.go
@ -45,12 +45,6 @@ func (ds *DirectSearcher) Search(req *search.Request) (ldap.ServerSearchResult,
 			"reason":       "empty_bind_dn",
 			"app":          ds.si.GetAppSlug(),
 		}).Inc()
-		metrics.RequestsRejectedLegacy.With(prometheus.Labels{
-			"outpost_name": ds.si.GetOutpostName(),
-			"type":         "search",
-			"reason":       "empty_bind_dn",
-			"app":          ds.si.GetAppSlug(),
-		}).Inc()
 		return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultInsufficientAccessRights}, fmt.Errorf("Search Error: Anonymous BindDN not allowed %s", req.BindDN)
 	}
 	if !utils.HasSuffixNoCase(req.BindDN, ","+baseDN) {
@ -60,12 +54,6 @@ func (ds *DirectSearcher) Search(req *search.Request) (ldap.ServerSearchResult,
 			"reason":       "invalid_bind_dn",
 			"app":          ds.si.GetAppSlug(),
 		}).Inc()
-		metrics.RequestsRejectedLegacy.With(prometheus.Labels{
-			"outpost_name": ds.si.GetOutpostName(),
-			"type":         "search",
-			"reason":       "invalid_bind_dn",
-			"app":          ds.si.GetAppSlug(),
-		}).Inc()
 		return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultInsufficientAccessRights}, fmt.Errorf("Search Error: BindDN %s not in our BaseDN %s", req.BindDN, ds.si.GetBaseDN())
 	}

@ -78,12 +66,6 @@ func (ds *DirectSearcher) Search(req *search.Request) (ldap.ServerSearchResult,
 			"reason":       "user_info_not_cached",
 			"app":          ds.si.GetAppSlug(),
 		}).Inc()
-		metrics.RequestsRejectedLegacy.With(prometheus.Labels{
-			"outpost_name": ds.si.GetOutpostName(),
-			"type":         "search",
-			"reason":       "user_info_not_cached",
-			"app":          ds.si.GetAppSlug(),
-		}).Inc()
 		return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultInsufficientAccessRights}, errors.New("access denied")
 	}
 	accsp.Finish()
@ -96,12 +78,6 @@ func (ds *DirectSearcher) Search(req *search.Request) (ldap.ServerSearchResult,
 			"reason":       "filter_parse_fail",
 			"app":          ds.si.GetAppSlug(),
 		}).Inc()
-		metrics.RequestsRejectedLegacy.With(prometheus.Labels{
-			"outpost_name": ds.si.GetOutpostName(),
-			"type":         "search",
-			"reason":       "filter_parse_fail",
-			"app":          ds.si.GetAppSlug(),
-		}).Inc()
 		return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultOperationsError}, fmt.Errorf("Search Error: error parsing filter: %s", req.Filter)
 	}

--- a/internal/outpost/ldap/search/memory/memory.go
+++ b/internal/outpost/ldap/search/memory/memory.go
@ -62,12 +62,6 @@ func (ms *MemorySearcher) Search(req *search.Request) (ldap.ServerSearchResult,
 			"reason":       "empty_bind_dn",
 			"app":          ms.si.GetAppSlug(),
 		}).Inc()
-		metrics.RequestsRejectedLegacy.With(prometheus.Labels{
-			"outpost_name": ms.si.GetOutpostName(),
-			"type":         "search",
-			"reason":       "empty_bind_dn",
-			"app":          ms.si.GetAppSlug(),
-		}).Inc()
 		return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultInsufficientAccessRights}, fmt.Errorf("Search Error: Anonymous BindDN not allowed %s", req.BindDN)
 	}
 	if !utils.HasSuffixNoCase(req.BindDN, ","+baseDN) {
@ -77,12 +71,6 @@ func (ms *MemorySearcher) Search(req *search.Request) (ldap.ServerSearchResult,
 			"reason":       "invalid_bind_dn",
 			"app":          ms.si.GetAppSlug(),
 		}).Inc()
-		metrics.RequestsRejectedLegacy.With(prometheus.Labels{
-			"outpost_name": ms.si.GetOutpostName(),
-			"type":         "search",
-			"reason":       "invalid_bind_dn",
-			"app":          ms.si.GetAppSlug(),
-		}).Inc()
 		return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultInsufficientAccessRights}, fmt.Errorf("Search Error: BindDN %s not in our BaseDN %s", req.BindDN, ms.si.GetBaseDN())
 	}

@ -95,12 +83,6 @@ func (ms *MemorySearcher) Search(req *search.Request) (ldap.ServerSearchResult,
 			"reason":       "user_info_not_cached",
 			"app":          ms.si.GetAppSlug(),
 		}).Inc()
-		metrics.RequestsRejectedLegacy.With(prometheus.Labels{
-			"outpost_name": ms.si.GetOutpostName(),
-			"type":         "search",
-			"reason":       "user_info_not_cached",
-			"app":          ms.si.GetAppSlug(),
-		}).Inc()
 		return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultInsufficientAccessRights}, errors.New("access denied")
 	}
 	accsp.Finish()
--- a/internal/outpost/ldap/unbind.go
+++ b/internal/outpost/ldap/unbind.go
@ -22,11 +22,6 @@ func (ls *LDAPServer) Unbind(boundDN string, conn net.Conn) (ldap.LDAPResultCode
 			"type":         "unbind",
 			"app":          selectedApp,
 		}).Observe(float64(span.EndTime.Sub(span.StartTime)) / float64(time.Second))
-		metrics.RequestsLegacy.With(prometheus.Labels{
-			"outpost_name": ls.ac.Outpost.Name,
-			"type":         "unbind",
-			"app":          selectedApp,
-		}).Observe(float64(span.EndTime.Sub(span.StartTime)))
 		req.Log().WithField("took-ms", span.EndTime.Sub(span.StartTime).Milliseconds()).Info("Unbind request")
 	}()

@ -55,11 +50,5 @@ func (ls *LDAPServer) Unbind(boundDN string, conn net.Conn) (ldap.LDAPResultCode
 		"reason":       "no_provider",
 		"app":          "",
 	}).Inc()
-	metrics.RequestsRejectedLegacy.With(prometheus.Labels{
-		"outpost_name": ls.ac.Outpost.Name,
-		"type":         "unbind",
-		"reason":       "no_provider",
-		"app":          "",
-	}).Inc()
 	return ldap.LDAPResultOperationsError, nil
 }
--- a/internal/outpost/proxyv2/application/application.go
+++ b/internal/outpost/proxyv2/application/application.go
@ -173,12 +173,6 @@ func NewApplication(p api.ProxyOutpostConfig, c *http.Client, server Server) (*A
 				"method":       r.Method,
 				"host":         web.GetHost(r),
 			}).Observe(float64(elapsed) / float64(time.Second))
-			metrics.RequestsLegacy.With(prometheus.Labels{
-				"outpost_name": a.outpostName,
-				"type":         "app",
-				"method":       r.Method,
-				"host":         web.GetHost(r),
-			}).Observe(float64(elapsed))
 		})
 	})
 	if server.API().GlobalConfig.ErrorReporting.Enabled {
@ -241,7 +235,10 @@ func (a *Application) Mode() api.ProxyMode {
 	return *a.proxyConfig.Mode
 }

-func (a *Application) HasQuerySignature(r *http.Request) bool {
+func (a *Application) ShouldHandleURL(r *http.Request) bool {
+	if strings.HasPrefix(r.URL.Path, "/outpost.goauthentik.io") {
+		return true
+	}
 	if strings.EqualFold(r.URL.Query().Get(CallbackSignature), "true") {
 		return true
 	}
--- a/internal/outpost/proxyv2/application/mode_proxy.go
+++ b/internal/outpost/proxyv2/application/mode_proxy.go
@ -64,13 +64,6 @@ func (a *Application) configureProxy() error {
 			"scheme":        r.URL.Scheme,
 			"host":          web.GetHost(r),
 		}).Observe(float64(elapsed) / float64(time.Second))
-		metrics.UpstreamTimingLegacy.With(prometheus.Labels{
-			"outpost_name":  a.outpostName,
-			"upstream_host": r.URL.Host,
-			"method":        r.Method,
-			"scheme":        r.URL.Scheme,
-			"host":          web.GetHost(r),
-		}).Observe(float64(elapsed))
 	})
 	return nil
 }
--- a/internal/outpost/proxyv2/application/session.go
+++ b/internal/outpost/proxyv2/application/session.go
@ -71,7 +71,7 @@ func (a *Application) getStore(p api.ProxyOutpostConfig, externalHost *url.URL)
 	cs.Options.Domain = *p.CookieDomain
 	cs.Options.SameSite = http.SameSiteLaxMode
 	cs.Options.MaxAge = maxAge
-	cs.Options.Path = externalHost.Path
+	cs.Options.Path = "/"
 	a.log.WithField("dir", dir).Trace("using filesystem session backend")
 	return cs
 }
@ -131,7 +131,6 @@ func (a *Application) Logout(ctx context.Context, filter func(c Claims) bool) er
 	}
 	if rs, ok := a.sessions.(*redisstore.RedisStore); ok {
 		client := rs.Client()
-		defer client.Close()
 		keys, err := client.Keys(ctx, fmt.Sprintf("%s*", RedisKeyPrefix)).Result()
 		if err != nil {
 			return err
--- a/internal/outpost/proxyv2/handlers.go
+++ b/internal/outpost/proxyv2/handlers.go
@ -26,12 +26,6 @@ func (ps *ProxyServer) HandlePing(rw http.ResponseWriter, r *http.Request) {
 		"host":         web.GetHost(r),
 		"type":         "ping",
 	}).Observe(float64(elapsed) / float64(time.Second))
-	metrics.RequestsLegacy.With(prometheus.Labels{
-		"outpost_name": ps.akAPI.Outpost.Name,
-		"method":       r.Method,
-		"host":         web.GetHost(r),
-		"type":         "ping",
-	}).Observe(float64(elapsed))
 }

 func (ps *ProxyServer) HandleStatic(rw http.ResponseWriter, r *http.Request) {
@ -44,12 +38,6 @@ func (ps *ProxyServer) HandleStatic(rw http.ResponseWriter, r *http.Request) {
 		"host":         web.GetHost(r),
 		"type":         "static",
 	}).Observe(float64(elapsed) / float64(time.Second))
-	metrics.RequestsLegacy.With(prometheus.Labels{
-		"outpost_name": ps.akAPI.Outpost.Name,
-		"method":       r.Method,
-		"host":         web.GetHost(r),
-		"type":         "static",
-	}).Observe(float64(elapsed))
 }

 func (ps *ProxyServer) lookupApp(r *http.Request) (*application.Application, string) {
--- a/Show More
+++ b/Show More