core: add User.uid for globally unique user ID

authentik/admin/views/flows.py

@@ -6,17 +6,11 @@ from django.contrib.auth.mixins import (
 )
 from django.contrib.messages.views import SuccessMessageMixin
 from django.http import HttpRequest, HttpResponse, JsonResponse
-from django.urls import reverse_lazy
 from django.utils.translation import gettext as _
-from django.views.generic import DetailView, FormView, ListView, UpdateView
+from django.views.generic import DetailView, FormView, UpdateView
-from guardian.mixins import PermissionListMixin, PermissionRequiredMixin
+from guardian.mixins import PermissionRequiredMixin
 
-from authentik.admin.views.utils import (
+from authentik.admin.views.utils import BackSuccessUrlMixin, DeleteMessageView
-    BackSuccessUrlMixin,
-    DeleteMessageView,
-    SearchListMixin,
-    UserPaginateListMixin,
-)
 from authentik.flows.exceptions import FlowNonApplicableException
 from authentik.flows.forms import FlowForm, FlowImportForm
 from authentik.flows.models import Flow

authentik/core/models.py

@@ -1,8 +1,10 @@
 """authentik core models"""
 from datetime import timedelta
+from hashlib import sha256
 from typing import Any, Dict, Optional, Type
 from uuid import uuid4
 
+from django.conf import settings
 from django.contrib.auth.models import AbstractUser
 from django.contrib.auth.models import UserManager as DjangoUserManager
 from django.db import models
@@ -119,6 +121,11 @@ class User(GuardianUserMixin, AbstractUser):
         self.password_change_date = now()
         return super().set_password(password)
 
+    @property
+    def uid(self) -> str:
+        """Generate a globall unique UID, based on the user ID and the hashed secret key"""
+        return sha256(f"{self.id}-{settings.SECRET_KEY}".encode("ascii")).hexdigest()
+
     class Meta:
 
         permissions = (

authentik/providers/saml/processors/assertion.py

@@ -3,7 +3,6 @@ from hashlib import sha256
 from types import GeneratorType
 
 import xmlsec
-from django.conf import settings
 from django.http import HttpRequest
 from lxml import etree  # nosec
 from lxml.etree import Element, SubElement  # nosec
@@ -147,9 +146,7 @@ class AssertionProcessor:
         name_id = Element(f"{{{NS_SAML_ASSERTION}}}NameID")
         name_id.attrib["Format"] = self.auth_n_request.name_id_policy
         # persistent is used as a fallback, so always generate it
-        persistent = sha256(
+        persistent = self.http_request.user.uid
-            f"{self.http_request.user.id}-{settings.SECRET_KEY}".encode("ascii")
-        ).hexdigest()
         name_id.text = persistent
         # If name_id_mapping is set, we override the value, regardless of what the SP asks for
         if self.provider.name_id_mapping:

authentik/stages/identification/templates/stages/identification/recovery.html

@@ -1,5 +1,4 @@
 {% load i18n %}
-{% load static %}
 
 <header class="pf-c-login__main-header">
     <h1 class="pf-c-title pf-m-3xl">