update

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
antlr for scim filter parsing, why
2024-05-31 · 2023-11-16 11:52:31 +01:00 · 2023-11-16 11:52:31 +01:00 · 2023-11-16 11:52:14 +01:00 · 2023-11-16 11:52:14 +01:00 · 2023-11-16 11:52:14 +01:00
200 changed files with 22810 additions and 19250 deletions
--- a/.bumpversion.cfg
+++ b/.bumpversion.cfg
@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2023.10.2
+current_version = 2023.10.3
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)
--- a/.github/workflows/ci-main.yml
+++ b/.github/workflows/ci-main.yml
@ -11,6 +11,7 @@ on:
  pull_request:
    branches:
      - main
      - version-*
 env:
  POSTGRES_DB: authentik
@ -185,6 +186,9 @@ jobs:
  build:
    needs: ci-core-mark
    runs-on: ubuntu-latest
    permissions:
      # Needed to upload contianer images to ghcr.io
      packages: write
    timeout-minutes: 120
    steps:
      - uses: actions/checkout@v4
@ -235,6 +239,9 @@ jobs:
  build-arm64:
    needs: ci-core-mark
    runs-on: ubuntu-latest
    permissions:
      # Needed to upload contianer images to ghcr.io
      packages: write
    timeout-minutes: 120
    steps:
      - uses: actions/checkout@v4
--- a/.github/workflows/ci-outpost.yml
+++ b/.github/workflows/ci-outpost.yml
@ -9,6 +9,7 @@ on:
  pull_request:
    branches:
      - main
      - version-*
 jobs:
  lint-golint:
@ -65,6 +66,9 @@ jobs:
          - ldap
          - radius
    runs-on: ubuntu-latest
    permissions:
      # Needed to upload contianer images to ghcr.io
      packages: write
    steps:
      - uses: actions/checkout@v4
        with:
--- a/.github/workflows/ci-web.yml
+++ b/.github/workflows/ci-web.yml
@ -9,6 +9,7 @@ on:
  pull_request:
    branches:
      - main
      - version-*
 jobs:
  lint-eslint:
--- a/.github/workflows/ci-website.yml
+++ b/.github/workflows/ci-website.yml
@ -9,6 +9,7 @@ on:
  pull_request:
    branches:
      - main
      - version-*
 jobs:
  lint-prettier:
--- a/.github/workflows/release-next-branch.yml
+++ b/.github/workflows/release-next-branch.yml
@ -6,6 +6,7 @@ on:
  workflow_dispatch:
 permissions:
  # Needed to be able to push to the next branch
  contents: write
 jobs:
--- a/.github/workflows/release-publish.yml
+++ b/.github/workflows/release-publish.yml
@ -7,6 +7,9 @@ on:
 jobs:
  build-server:
    runs-on: ubuntu-latest
    permissions:
      # Needed to upload contianer images to ghcr.io
      packages: write
    steps:
      - uses: actions/checkout@v4
      - name: Set up QEMU
@ -52,6 +55,9 @@ jobs:
            VERSION_FAMILY=${{ steps.ev.outputs.versionFamily }}
  build-outpost:
    runs-on: ubuntu-latest
    permissions:
      # Needed to upload contianer images to ghcr.io
      packages: write
    strategy:
      fail-fast: false
      matrix:
@ -106,6 +112,9 @@ jobs:
  build-outpost-binary:
    timeout-minutes: 120
    runs-on: ubuntu-latest
    permissions:
      # Needed to upload binaries to the release
      contents: write
    strategy:
      fail-fast: false
      matrix:
--- a/.github/workflows/release-tag.yml
+++ b/.github/workflows/release-tag.yml
@ -30,7 +30,7 @@ jobs:
          private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
      - name: Extract version number
        id: get_version
-        uses: actions/github-script@v6
+        uses: actions/github-script@v7
        with:
          github-token: ${{ steps.generate_token.outputs.token }}
          script: |
--- a/.github/workflows/repo-stale.yml
+++ b/.github/workflows/repo-stale.yml
@ -6,8 +6,8 @@ on:
  workflow_dispatch:
 permissions:
  # Needed to update issues and PRs
  issues: write
  pull-requests: write
 jobs:
  stale:
--- a/.github/workflows/translation-advice.yml
+++ b/.github/workflows/translation-advice.yml
@ -7,7 +7,8 @@ on:
    paths:
      - "!**"
      - "locale/**"
-      - "web/src/locales/**"
+      - "!locale/en/**"
      - "web/xliff/**"
 jobs:
  post-comment:
--- a/13
+++ b/13
@ -35,7 +35,14 @@ COPY ./gen-ts-api /work/web/node_modules/@goauthentik/api
 RUN npm run build
 # Stage 3: Build go proxy
-FROM docker.io/golang:1.21.3-bookworm AS go-builder
+FROM --platform=${BUILDPLATFORM} docker.io/golang:1.21.4-bookworm AS go-builder
 ARG TARGETOS
 ARG TARGETARCH
 ARG TARGETVARIANT
 ARG GOOS=$TARGETOS
 ARG GOARCH=$TARGETARCH
 WORKDIR /go/src/goauthentik.io
@ -57,10 +64,10 @@ ENV CGO_ENABLED=0
 RUN --mount=type=cache,target=/go/pkg/mod \
    --mount=type=cache,target=/root/.cache/go-build \
-    go build -o /go/authentik ./cmd/server
+    GOARM="${TARGETVARIANT#v}" go build -o /go/authentik ./cmd/server
 # Stage 4: MaxMind GeoIP
-FROM ghcr.io/maxmind/geoipupdate:v6.0 as geoip
+FROM --platform=${BUILDPLATFORM} ghcr.io/maxmind/geoipupdate:v6.0 as geoip
 ENV GEOIPUPDATE_EDITION_IDS="GeoLite2-City"
 ENV GEOIPUPDATE_VERBOSE="true"
--- a/2
+++ b/2
@ -110,6 +110,8 @@ gen-diff:  ## (Release) generate the changelog diff between the current schema a
 		--markdown /local/diff.md \
 		/local/old_schema.yml /local/schema.yml
 	rm old_schema.yml
 	sed -i 's/{/&#123;/g' diff.md
 	sed -i 's/}/&#125;/g' diff.md
 	npx prettier --write diff.md
 gen-clean:
--- a/authentik/init.py
+++ b/authentik/init.py
@ -2,7 +2,7 @@
 from os import environ
 from typing import Optional
-__version__ = "2023.10.2"
+__version__ = "2023.10.3"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
--- a/authentik/api/schema.py
+++ b/authentik/api/schema.py
@ -13,6 +13,8 @@ from rest_framework.settings import api_settings
 from authentik.api.pagination import PAGINATION_COMPONENT_NAME, PAGINATION_SCHEMA
 from authentik.api.apps import AuthentikAPIConfig
 def build_standard_type(obj, **kwargs):
    """Build a basic type with optional add owns."""
@ -100,3 +102,12 @@ def postprocess_schema_responses(result, generator: SchemaGenerator, **kwargs):
            comp = result["components"]["schemas"][component]
            comp["additionalProperties"] = {}
    return result
 def preprocess_schema_exclude_non_api(endpoints, **kwargs):
    """Filter out all API Views which are not mounted under /api"""
    return [
        (path, path_regex, method, callback)
        for path, path_regex, method, callback in endpoints
        if path.startswith("/" + AuthentikAPIConfig.mountpoint)
    ]
--- a/authentik/api/v3/config.py
+++ b/authentik/api/v3/config.py
@ -93,10 +93,10 @@ class ConfigView(APIView):
                    "traces_sample_rate": float(CONFIG.get("error_reporting.sample_rate", 0.4)),
                },
                "capabilities": self.get_capabilities(),
-                "cache_timeout": CONFIG.get_int("redis.cache_timeout"),
+                "cache_timeout": CONFIG.get_int("cache.timeout"),
-                "cache_timeout_flows": CONFIG.get_int("redis.cache_timeout_flows"),
+                "cache_timeout_flows": CONFIG.get_int("cache.timeout_flows"),
-                "cache_timeout_policies": CONFIG.get_int("redis.cache_timeout_policies"),
+                "cache_timeout_policies": CONFIG.get_int("cache.timeout_policies"),
-                "cache_timeout_reputation": CONFIG.get_int("redis.cache_timeout_reputation"),
+                "cache_timeout_reputation": CONFIG.get_int("cache.timeout_reputation"),
            }
        )
--- a/authentik/core/management/commands/worker.py
+++ b/authentik/core/management/commands/worker.py
@ -17,9 +17,15 @@ class Command(BaseCommand):
    """Run worker"""
    def add_arguments(self, parser):
-        parser.add_argument("-b", "--beat", action="store_true")
+        parser.add_argument(
            "-b",
            "--beat",
            action="store_false",
            help="When set, this worker will _not_ run Beat (scheduled) tasks",
        )
    def handle(self, **options):
        LOGGER.debug("Celery options", **options)
        close_old_connections()
        if CONFIG.get_bool("remote_debug"):
            import debugpy
--- a/authentik/events/signals.py
+++ b/authentik/events/signals.py
@ -13,6 +13,7 @@ from authentik.events.tasks import event_notification_handler, gdpr_cleanup
 from authentik.flows.models import Stage
 from authentik.flows.planner import PLAN_CONTEXT_SOURCE, FlowPlan
 from authentik.flows.views.executor import SESSION_KEY_PLAN
 from authentik.lib.config import CONFIG
 from authentik.stages.invitation.models import Invitation
 from authentik.stages.invitation.signals import invitation_used
 from authentik.stages.password.stage import PLAN_CONTEXT_METHOD, PLAN_CONTEXT_METHOD_ARGS
@ -92,4 +93,5 @@ def event_post_save_notification(sender, instance: Event, **_):
@receiver(pre_delete, sender=User)
 def event_user_pre_delete_cleanup(sender, instance: User, **_):
    """If gdpr_compliance is enabled, remove all the user's events"""
-    gdpr_cleanup.delay(instance.pk)
+    if CONFIG.get_bool("gdpr_compliance", True):
        gdpr_cleanup.delay(instance.pk)
--- a/authentik/events/utils.py
+++ b/authentik/events/utils.py
@ -153,6 +153,12 @@ def sanitize_item(value: Any) -> Any:
        return value.isoformat()
    if isinstance(value, timedelta):
        return str(value.total_seconds())
    if callable(value):
        return {
            "type": "callable",
            "name": value.__name__,
            "module": value.__module__,
        }
    return value
--- a/authentik/flows/planner.py
+++ b/authentik/flows/planner.py
@ -33,7 +33,7 @@ PLAN_CONTEXT_SOURCE = "source"
 # Is set by the Flow Planner when a FlowToken was used, and the currently active flow plan
 # was restored.
 PLAN_CONTEXT_IS_RESTORED = "is_restored"
-CACHE_TIMEOUT = CONFIG.get_int("redis.cache_timeout_flows")
+CACHE_TIMEOUT = CONFIG.get_int("cache.timeout_flows")
 CACHE_PREFIX = "goauthentik.io/flows/planner/"
--- a/authentik/lib/config.py
+++ b/authentik/lib/config.py
@ -1,4 +1,6 @@
 """authentik core config loader"""
 import base64
 import json
 import os
 from collections.abc import Mapping
 from contextlib import contextmanager
@ -22,6 +24,25 @@ SEARCH_PATHS = ["authentik/lib/default.yml", "/etc/authentik/config.yml", ""] +
 ENV_PREFIX = "AUTHENTIK"
 ENVIRONMENT = os.getenv(f"{ENV_PREFIX}_ENV", "local")
 REDIS_ENV_KEYS = [
    f"{ENV_PREFIX}_REDIS__HOST",
    f"{ENV_PREFIX}_REDIS__PORT",
    f"{ENV_PREFIX}_REDIS__DB",
    f"{ENV_PREFIX}_REDIS__USERNAME",
    f"{ENV_PREFIX}_REDIS__PASSWORD",
    f"{ENV_PREFIX}_REDIS__TLS",
    f"{ENV_PREFIX}_REDIS__TLS_REQS",
 ]
 DEPRECATIONS = {
    "redis.broker_url": "broker.url",
    "redis.broker_transport_options": "broker.transport_options",
    "redis.cache_timeout": "cache.timeout",
    "redis.cache_timeout_flows": "cache.timeout_flows",
    "redis.cache_timeout_policies": "cache.timeout_policies",
    "redis.cache_timeout_reputation": "cache.timeout_reputation",
 }
 def get_path_from_dict(root: dict, path: str, sep=".", default=None) -> Any:
    """Recursively walk through `root`, checking each part of `path` separated by `sep`.
@ -81,6 +102,10 @@ class AttrEncoder(JSONEncoder):
        return super().default(o)
 class UNSET:
    """Used to test whether configuration key has not been set."""
 class ConfigLoader:
    """Search through SEARCH_PATHS and load configuration. Environment variables starting with
    `ENV_PREFIX` are also applied.
@ -113,6 +138,40 @@ class ConfigLoader:
                        self.update_from_file(env_file)
        self.update_from_env()
        self.update(self.__config, kwargs)
        self.check_deprecations()
    def check_deprecations(self):
        """Warn if any deprecated configuration options are used"""
        def _pop_deprecated_key(current_obj, dot_parts, index):
            """Recursive function to remove deprecated keys in configuration"""
            dot_part = dot_parts[index]
            if index == len(dot_parts) - 1:
                return current_obj.pop(dot_part)
            value = _pop_deprecated_key(current_obj[dot_part], dot_parts, index + 1)
            if not current_obj[dot_part]:
                current_obj.pop(dot_part)
            return value
        for deprecation, replacement in DEPRECATIONS.items():
            if self.get(deprecation, default=UNSET) is not UNSET:
                message = (
                    f"'{deprecation}' has been deprecated in favor of '{replacement}'! "
                    + "Please update your configuration."
                )
                self.log(
                    "warning",
                    message,
                )
                try:
                    from authentik.events.models import Event, EventAction
                    Event.new(EventAction.CONFIGURATION_ERROR, message=message).save()
                except ImportError:
                    continue
                deprecated_attr = _pop_deprecated_key(self.__config, deprecation.split("."), 0)
                self.set(replacement, deprecated_attr.value)
    def log(self, level: str, message: str, **kwargs):
        """Custom Log method, we want to ensure ConfigLoader always logs JSON even when
@ -180,6 +239,10 @@ class ConfigLoader:
                error=str(exc),
            )
    def update_from_dict(self, update: dict):
        """Update config from dict"""
        self.__config.update(update)
    def update_from_env(self):
        """Check environment variables"""
        outer = {}
@ -188,19 +251,13 @@ class ConfigLoader:
            if not key.startswith(ENV_PREFIX):
                continue
            relative_key = key.replace(f"{ENV_PREFIX}_", "", 1).replace("__", ".").lower()
            # Recursively convert path from a.b.c into outer[a][b][c]
            current_obj = outer
            dot_parts = relative_key.split(".")
            for dot_part in dot_parts[:-1]:
                if dot_part not in current_obj:
                    current_obj[dot_part] = {}
                current_obj = current_obj[dot_part]
            # Check if the value is json, and try to load it
            try:
                value = loads(value)
            except JSONDecodeError:
                pass
-            current_obj[dot_parts[-1]] = Attr(value, Attr.Source.ENV, key)
+            attr_value = Attr(value, Attr.Source.ENV, relative_key)
            set_path_in_dict(outer, relative_key, attr_value)
            idx += 1
        if idx > 0:
            self.log("debug", "Loaded environment variables", count=idx)
@ -241,6 +298,23 @@ class ConfigLoader:
        """Wrapper for get that converts value into boolean"""
        return str(self.get(path, default)).lower() == "true"
    def get_dict_from_b64_json(self, path: str, default=None) -> dict:
        """Wrapper for get that converts value from Base64 encoded string into dictionary"""
        config_value = self.get(path)
        if config_value is None:
            return {}
        try:
            b64decoded_str = base64.b64decode(config_value).decode("utf-8")
            b64decoded_str = b64decoded_str.strip().lstrip("{").rstrip("}")
            b64decoded_str = "{" + b64decoded_str + "}"
            return json.loads(b64decoded_str)
        except (JSONDecodeError, TypeError, ValueError) as exc:
            self.log(
                "warning",
                f"Ignored invalid configuration for '{path}' due to exception: {str(exc)}",
            )
            return default if isinstance(default, dict) else {}
    def set(self, path: str, value: Any, sep="."):
        """Set value using same syntax as get()"""
        set_path_in_dict(self.raw, path, Attr(value), sep=sep)
--- a/authentik/lib/default.yml
+++ b/authentik/lib/default.yml
@ -28,14 +28,28 @@ listen:
 redis:
  host: localhost
  port: 6379
  db: 0
  username: ""
  password: ""
  tls: false
  tls_reqs: "none"
-  db: 0
+
-  cache_timeout: 300
+# broker:
-  cache_timeout_flows: 300
+  # url: ""
-  cache_timeout_policies: 300
+  # transport_options: ""
-  cache_timeout_reputation: 300
+
 cache:
  # url: ""
  timeout: 300
  timeout_flows: 300
  timeout_policies: 300
  timeout_reputation: 300
 # channel:
  # url: ""
 # result_backend:
  # url: ""
 paths:
  media: ./media
--- a/authentik/lib/tests/test_config.py
+++ b/authentik/lib/tests/test_config.py
@ -1,20 +1,32 @@
 """Test config loader"""
 import base64
 from json import dumps
 from os import chmod, environ, unlink, write
 from tempfile import mkstemp
 from unittest import mock
 from django.conf import ImproperlyConfigured
 from django.test import TestCase
-from authentik.lib.config import ENV_PREFIX, ConfigLoader
+from authentik.lib.config import ENV_PREFIX, UNSET, Attr, AttrEncoder, ConfigLoader
 class TestConfig(TestCase):
    """Test config loader"""
    check_deprecations_env_vars = {
        ENV_PREFIX + "_REDIS__BROKER_URL": "redis://myredis:8327/43",
        ENV_PREFIX + "_REDIS__BROKER_TRANSPORT_OPTIONS": "bWFzdGVybmFtZT1teW1hc3Rlcg==",
        ENV_PREFIX + "_REDIS__CACHE_TIMEOUT": "124s",
        ENV_PREFIX + "_REDIS__CACHE_TIMEOUT_FLOWS": "32m",
        ENV_PREFIX + "_REDIS__CACHE_TIMEOUT_POLICIES": "3920ns",
        ENV_PREFIX + "_REDIS__CACHE_TIMEOUT_REPUTATION": "298382us",
    }
    @mock.patch.dict(environ, {ENV_PREFIX + "_test__test": "bar"})
    def test_env(self):
        """Test simple instance"""
        config = ConfigLoader()
        environ[ENV_PREFIX + "_test__test"] = "bar"
        config.update_from_env()
        self.assertEqual(config.get("test.test"), "bar")
@ -27,12 +39,20 @@ class TestConfig(TestCase):
            self.assertEqual(config.get("foo.bar"), "baz")
        self.assertEqual(config.get("foo.bar"), "bar")
    @mock.patch.dict(environ, {"foo": "bar"})
    def test_uri_env(self):
        """Test URI parsing (environment)"""
        config = ConfigLoader()
-        environ["foo"] = "bar"
+        foo_uri = "env://foo"
-        self.assertEqual(config.parse_uri("env://foo").value, "bar")
+        foo_parsed = config.parse_uri(foo_uri)
-        self.assertEqual(config.parse_uri("env://foo?bar").value, "bar")
+        self.assertEqual(foo_parsed.value, "bar")
        self.assertEqual(foo_parsed.source_type, Attr.Source.URI)
        self.assertEqual(foo_parsed.source, foo_uri)
        foo_bar_uri = "env://foo?bar"
        foo_bar_parsed = config.parse_uri(foo_bar_uri)
        self.assertEqual(foo_bar_parsed.value, "bar")
        self.assertEqual(foo_bar_parsed.source_type, Attr.Source.URI)
        self.assertEqual(foo_bar_parsed.source, foo_bar_uri)
    def test_uri_file(self):
        """Test URI parsing (file load)"""
@ -91,3 +111,60 @@ class TestConfig(TestCase):
        config = ConfigLoader()
        config.set("foo", "bar")
        self.assertEqual(config.get_int("foo", 1234), 1234)
    def test_get_dict_from_b64_json(self):
        """Test get_dict_from_b64_json"""
        config = ConfigLoader()
        test_value = '  { "foo": "bar"   }   '.encode("utf-8")
        b64_value = base64.b64encode(test_value)
        config.set("foo", b64_value)
        self.assertEqual(config.get_dict_from_b64_json("foo"), {"foo": "bar"})
    def test_get_dict_from_b64_json_missing_brackets(self):
        """Test get_dict_from_b64_json with missing brackets"""
        config = ConfigLoader()
        test_value = ' "foo": "bar"     '.encode("utf-8")
        b64_value = base64.b64encode(test_value)
        config.set("foo", b64_value)
        self.assertEqual(config.get_dict_from_b64_json("foo"), {"foo": "bar"})
    def test_get_dict_from_b64_json_invalid(self):
        """Test get_dict_from_b64_json with invalid value"""
        config = ConfigLoader()
        config.set("foo", "bar")
        self.assertEqual(config.get_dict_from_b64_json("foo"), {})
    def test_attr_json_encoder(self):
        """Test AttrEncoder"""
        test_attr = Attr("foo", Attr.Source.ENV, "AUTHENTIK_REDIS__USERNAME")
        json_attr = dumps(test_attr, indent=4, cls=AttrEncoder)
        self.assertEqual(json_attr, '"foo"')
    def test_attr_json_encoder_no_attr(self):
        """Test AttrEncoder if no Attr is passed"""
        class Test:
            """Non Attr class"""
        with self.assertRaises(TypeError):
            test_obj = Test()
            dumps(test_obj, indent=4, cls=AttrEncoder)
    @mock.patch.dict(environ, check_deprecations_env_vars)
    def test_check_deprecations(self):
        """Test config key re-write for deprecated env vars"""
        config = ConfigLoader()
        config.update_from_env()
        config.check_deprecations()
        self.assertEqual(config.get("redis.broker_url", UNSET), UNSET)
        self.assertEqual(config.get("redis.broker_transport_options", UNSET), UNSET)
        self.assertEqual(config.get("redis.cache_timeout", UNSET), UNSET)
        self.assertEqual(config.get("redis.cache_timeout_flows", UNSET), UNSET)
        self.assertEqual(config.get("redis.cache_timeout_policies", UNSET), UNSET)
        self.assertEqual(config.get("redis.cache_timeout_reputation", UNSET), UNSET)
        self.assertEqual(config.get("broker.url"), "redis://myredis:8327/43")
        self.assertEqual(config.get("broker.transport_options"), "bWFzdGVybmFtZT1teW1hc3Rlcg==")
        self.assertEqual(config.get("cache.timeout"), "124s")
        self.assertEqual(config.get("cache.timeout_flows"), "32m")
        self.assertEqual(config.get("cache.timeout_policies"), "3920ns")
        self.assertEqual(config.get("cache.timeout_reputation"), "298382us")
--- a/authentik/outposts/consumer.py
+++ b/authentik/outposts/consumer.py
@ -93,7 +93,7 @@ class OutpostConsumer(AuthJsonConsumer):
                expected=self.outpost.config.kubernetes_replicas,
            ).dec()
-    def receive_json(self, content: Data):
+    def receive_json(self, content: Data, **kwargs):
        msg = from_dict(WebsocketMessage, content)
        uid = msg.args.get("uuid", self.channel_name)
        self.last_uid = uid
--- a/authentik/policies/event_matcher/migrations/0019_alter_eventmatcherpolicy_app.py
+++ b/authentik/policies/event_matcher/migrations/0019_alter_eventmatcherpolicy_app.py
@ -39,6 +39,7 @@ class Migration(migrations.Migration):
                    ("authentik.sources.oauth", "authentik Sources.OAuth"),
                    ("authentik.sources.plex", "authentik Sources.Plex"),
                    ("authentik.sources.saml", "authentik Sources.SAML"),
                    ("authentik.sources.scim", "authentik Sources.SCIM"),
                    ("authentik.stages.authenticator_duo", "authentik Stages.Authenticator.Duo"),
                    ("authentik.stages.authenticator_sms", "authentik Stages.Authenticator.SMS"),
                    (
--- a/authentik/policies/process.py
+++ b/authentik/policies/process.py
@ -20,7 +20,7 @@ from authentik.policies.types import CACHE_PREFIX, PolicyRequest, PolicyResult
 LOGGER = get_logger()
 FORK_CTX = get_context("fork")
-CACHE_TIMEOUT = CONFIG.get_int("redis.cache_timeout_policies")
+CACHE_TIMEOUT = CONFIG.get_int("cache.timeout_policies")
 PROCESS_CLASS = FORK_CTX.Process
--- a/authentik/policies/reputation/signals.py
+++ b/authentik/policies/reputation/signals.py
@ -13,7 +13,7 @@ from authentik.policies.reputation.tasks import save_reputation
 from authentik.stages.identification.signals import identification_failed
 LOGGER = get_logger()
-CACHE_TIMEOUT = CONFIG.get_int("redis.cache_timeout_reputation")
+CACHE_TIMEOUT = CONFIG.get_int("cache.timeout_reputation")
 def update_score(request: HttpRequest, identifier: str, amount: int):
--- a/authentik/providers/oauth2/utils.py
+++ b/authentik/providers/oauth2/utils.py
@ -188,6 +188,7 @@ def authenticate_provider(request: HttpRequest) -> Optional[OAuth2Provider]:
    if client_id != provider.client_id or client_secret != provider.client_secret:
        LOGGER.debug("(basic) Provider for basic auth does not exist")
        return None
    CTX_AUTH_VIA.set("oauth_client_secret")
    return provider
--- a/authentik/providers/oauth2/views/token.py
+++ b/authentik/providers/oauth2/views/token.py
@ -17,6 +17,7 @@ from jwt import PyJWK, PyJWT, PyJWTError, decode
 from sentry_sdk.hub import Hub
 from structlog.stdlib import get_logger
 from authentik.core.middleware import CTX_AUTH_VIA
 from authentik.core.models import (
    USER_ATTRIBUTE_EXPIRES,
    USER_ATTRIBUTE_GENERATED,
@ -448,6 +449,7 @@ class TokenView(View):
                if not self.provider:
                    LOGGER.warning("OAuth2Provider does not exist", client_id=client_id)
                    raise TokenError("invalid_client")
                CTX_AUTH_VIA.set("oauth_client_secret")
                self.params = TokenParams.parse(request, self.provider, client_id, client_secret)
            with Hub.current.start_span(
--- a/authentik/providers/scim/clients/group.py
+++ b/authentik/providers/scim/clients/group.py
@ -46,7 +46,9 @@ class SCIMGroupClient(SCIMClient[Group, SCIMGroupSchema]):
    def to_scim(self, obj: Group) -> SCIMGroupSchema:
        """Convert authentik user into SCIM"""
-        raw_scim_group = {}
+        raw_scim_group = {
            "schemas": ("urn:ietf:params:scim:schemas:core:2.0:Group",),
        }
        for mapping in (
            self.provider.property_mappings_group.all().order_by("name").select_subclasses()
        ):
--- a/authentik/providers/scim/clients/schema.py
+++ b/authentik/providers/scim/clients/schema.py
@ -15,12 +15,14 @@ from pydanticscim.user import User as BaseUser
 class User(BaseUser):
    """Modified User schema with added externalId field"""
    schemas: tuple[str] = ("urn:ietf:params:scim:schemas:core:2.0:User",)
    externalId: Optional[str] = None
 class Group(BaseGroup):
    """Modified Group schema with added externalId field"""
    schemas: tuple[str] = ("urn:ietf:params:scim:schemas:core:2.0:Group",)
    externalId: Optional[str] = None
--- a/authentik/providers/scim/clients/user.py
+++ b/authentik/providers/scim/clients/user.py
@ -39,7 +39,9 @@ class SCIMUserClient(SCIMClient[User, SCIMUserSchema]):
    def to_scim(self, obj: User) -> SCIMUserSchema:
        """Convert authentik user into SCIM"""
-        raw_scim_user = {}
+        raw_scim_user = {
            "schemas": ("urn:ietf:params:scim:schemas:core:2.0:User",),
        }
        for mapping in self.provider.property_mappings.all().order_by("name").select_subclasses():
            if not isinstance(mapping, SCIMMapping):
                continue
--- a/authentik/providers/scim/tests/test_group.py
+++ b/authentik/providers/scim/tests/test_group.py
@ -61,7 +61,11 @@ class SCIMGroupTests(TestCase):
        self.assertEqual(mock.request_history[1].method, "POST")
        self.assertJSONEqual(
            mock.request_history[1].body,
-            {"externalId": str(group.pk), "displayName": group.name},
+            {
                "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
                "externalId": str(group.pk),
                "displayName": group.name,
            },
        )
    @Mocker()
@ -96,7 +100,11 @@ class SCIMGroupTests(TestCase):
            validate(body, loads(schema.read()))
        self.assertEqual(
            body,
-            {"externalId": str(group.pk), "displayName": group.name},
+            {
                "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
                "externalId": str(group.pk),
                "displayName": group.name,
            },
        )
        group.save()
        self.assertEqual(mock.call_count, 4)
@ -129,7 +137,11 @@ class SCIMGroupTests(TestCase):
        self.assertEqual(mock.request_history[1].method, "POST")
        self.assertJSONEqual(
            mock.request_history[1].body,
-            {"externalId": str(group.pk), "displayName": group.name},
+            {
                "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
                "externalId": str(group.pk),
                "displayName": group.name,
            },
        )
        group.delete()
        self.assertEqual(mock.call_count, 4)
--- a/authentik/providers/scim/tests/test_membership.py
+++ b/authentik/providers/scim/tests/test_membership.py
@ -89,6 +89,7 @@ class SCIMMembershipTests(TestCase):
            self.assertJSONEqual(
                mocker.request_history[3].body,
                {
                    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
                    "emails": [],
                    "active": True,
                    "externalId": user.uid,
@ -99,7 +100,11 @@ class SCIMMembershipTests(TestCase):
            )
            self.assertJSONEqual(
                mocker.request_history[5].body,
-                {"externalId": str(group.pk), "displayName": group.name},
+                {
                    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
                    "externalId": str(group.pk),
                    "displayName": group.name,
                },
            )
        with Mocker() as mocker:
@ -118,6 +123,7 @@ class SCIMMembershipTests(TestCase):
            self.assertJSONEqual(
                mocker.request_history[1].body,
                {
                    "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
                    "Operations": [
                        {
                            "op": "add",
@ -125,7 +131,6 @@ class SCIMMembershipTests(TestCase):
                            "value": [{"value": user_scim_id}],
                        }
                    ],
                    "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
                },
            )
@ -174,6 +179,7 @@ class SCIMMembershipTests(TestCase):
            self.assertJSONEqual(
                mocker.request_history[3].body,
                {
                    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
                    "active": True,
                    "displayName": "",
                    "emails": [],
@ -184,7 +190,11 @@ class SCIMMembershipTests(TestCase):
            )
            self.assertJSONEqual(
                mocker.request_history[5].body,
-                {"externalId": str(group.pk), "displayName": group.name},
+                {
                    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
                    "externalId": str(group.pk),
                    "displayName": group.name,
                },
            )
        with Mocker() as mocker:
@ -203,6 +213,7 @@ class SCIMMembershipTests(TestCase):
            self.assertJSONEqual(
                mocker.request_history[1].body,
                {
                    "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
                    "Operations": [
                        {
                            "op": "add",
@ -210,7 +221,6 @@ class SCIMMembershipTests(TestCase):
                            "value": [{"value": user_scim_id}],
                        }
                    ],
                    "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
                },
            )
@ -230,6 +240,7 @@ class SCIMMembershipTests(TestCase):
            self.assertJSONEqual(
                mocker.request_history[1].body,
                {
                    "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
                    "Operations": [
                        {
                            "op": "remove",
@ -237,6 +248,5 @@ class SCIMMembershipTests(TestCase):
                            "value": [{"value": user_scim_id}],
                        }
                    ],
                    "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
                },
            )
--- a/authentik/providers/scim/tests/test_user.py
+++ b/authentik/providers/scim/tests/test_user.py
@ -66,6 +66,7 @@ class SCIMUserTests(TestCase):
        self.assertJSONEqual(
            mock.request_history[1].body,
            {
                "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
                "active": True,
                "emails": [
                    {
@ -121,6 +122,7 @@ class SCIMUserTests(TestCase):
        self.assertEqual(
            body,
            {
                "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
                "active": True,
                "emails": [
                    {
@ -173,6 +175,7 @@ class SCIMUserTests(TestCase):
        self.assertJSONEqual(
            mock.request_history[1].body,
            {
                "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
                "active": True,
                "emails": [
                    {
@ -240,6 +243,7 @@ class SCIMUserTests(TestCase):
        self.assertJSONEqual(
            mock.request_history[1].body,
            {
                "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
                "active": True,
                "emails": [
                    {
--- a/authentik/root/settings.py
+++ b/authentik/root/settings.py
@ -1,5 +1,4 @@
 """root settings for authentik"""
 import importlib
 import os
 from hashlib import sha512
@ -83,6 +82,7 @@ INSTALLED_APPS = [
    "authentik.sources.oauth",
    "authentik.sources.plex",
    "authentik.sources.saml",
    "authentik.sources.scim",
    "authentik.stages.authenticator",
    "authentik.stages.authenticator_duo",
    "authentik.stages.authenticator_sms",
@ -147,6 +147,9 @@ SPECTACULAR_SETTINGS = {
        "UserTypeEnum": "authentik.core.models.UserTypes",
    },
    "ENUM_ADD_EXPLICIT_BLANK_NULL_CHOICE": False,
    "PREPROCESSING_HOOKS": [
        "authentik.api.schema.preprocess_schema_exclude_non_api",
    ],
    "POSTPROCESSING_HOOKS": [
        "authentik.api.schema.postprocess_schema_responses",
        "drf_spectacular.hooks.postprocess_schema_enums",
@ -195,8 +198,8 @@ _redis_url = (
 CACHES = {
    "default": {
        "BACKEND": "django_redis.cache.RedisCache",
-        "LOCATION": f"{_redis_url}/{CONFIG.get('redis.db')}",
+        "LOCATION": CONFIG.get("cache.url") or f"{_redis_url}/{CONFIG.get('redis.db')}",
-        "TIMEOUT": CONFIG.get_int("redis.cache_timeout", 300),
+        "TIMEOUT": CONFIG.get_int("cache.timeout", 300),
        "OPTIONS": {"CLIENT_CLASS": "django_redis.client.DefaultClient"},
        "KEY_PREFIX": "authentik_cache",
    }
@ -256,7 +259,7 @@ CHANNEL_LAYERS = {
    "default": {
        "BACKEND": "channels_redis.pubsub.RedisPubSubChannelLayer",
        "CONFIG": {
-            "hosts": [f"{_redis_url}/{CONFIG.get('redis.db')}"],
+            "hosts": [CONFIG.get("channel.url", f"{_redis_url}/{CONFIG.get('redis.db')}")],
            "prefix": "authentik_channels_",
        },
    },
@ -349,8 +352,11 @@ CELERY = {
    },
    "task_create_missing_queues": True,
    "task_default_queue": "authentik",
-    "broker_url": f"{_redis_url}/{CONFIG.get('redis.db')}{_redis_celery_tls_requirements}",
+    "broker_url": CONFIG.get("broker.url")
-    "result_backend": f"{_redis_url}/{CONFIG.get('redis.db')}{_redis_celery_tls_requirements}",
+    or f"{_redis_url}/{CONFIG.get('redis.db')}{_redis_celery_tls_requirements}",
    "broker_transport_options": CONFIG.get_dict_from_b64_json("broker.transport_options"),
    "result_backend": CONFIG.get("result_backend.url")
    or f"{_redis_url}/{CONFIG.get('redis.db')}{_redis_celery_tls_requirements}",
 }
 # Sentry integration
--- a/authentik/sources/ldap/api.py
+++ b/authentik/sources/ldap/api.py
@ -1,13 +1,14 @@
 """Source API Views"""
-from typing import Any
+from typing import Any, Optional
 from django.core.cache import cache
 from django_filters.filters import AllValuesMultipleFilter
 from django_filters.filterset import FilterSet
 from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import extend_schema, extend_schema_field, inline_serializer
 from rest_framework.decorators import action
 from rest_framework.exceptions import ValidationError
-from rest_framework.fields import DictField, ListField
+from rest_framework.fields import BooleanField, DictField, ListField, SerializerMethodField
 from rest_framework.relations import PrimaryKeyRelatedField
 from rest_framework.request import Request
 from rest_framework.response import Response
@ -17,15 +18,17 @@ from authentik.admin.api.tasks import TaskSerializer
 from authentik.core.api.propertymappings import PropertyMappingSerializer
 from authentik.core.api.sources import SourceSerializer
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import PassiveSerializer
 from authentik.crypto.models import CertificateKeyPair
 from authentik.events.monitored_tasks import TaskInfo
 from authentik.sources.ldap.models import LDAPPropertyMapping, LDAPSource
-from authentik.sources.ldap.tasks import SYNC_CLASSES
+from authentik.sources.ldap.tasks import CACHE_KEY_STATUS, SYNC_CLASSES
 class LDAPSourceSerializer(SourceSerializer):
    """LDAP Source Serializer"""
    connectivity = SerializerMethodField()
    client_certificate = PrimaryKeyRelatedField(
        allow_null=True,
        help_text="Client certificate to authenticate against the LDAP Server's Certificate.",
@ -35,6 +38,10 @@ class LDAPSourceSerializer(SourceSerializer):
        required=False,
    )
    def get_connectivity(self, source: LDAPSource) -> Optional[dict[str, dict[str, str]]]:
        """Get cached source connectivity"""
        return cache.get(CACHE_KEY_STATUS + source.slug, None)
    def validate(self, attrs: dict[str, Any]) -> dict[str, Any]:
        """Check that only a single source has password_sync on"""
        sync_users_password = attrs.get("sync_users_password", True)
@ -75,10 +82,18 @@ class LDAPSourceSerializer(SourceSerializer):
            "sync_parent_group",
            "property_mappings",
            "property_mappings_group",
            "connectivity",
        ]
        extra_kwargs = {"bind_password": {"write_only": True}}
 class LDAPSyncStatusSerializer(PassiveSerializer):
    """LDAP Source sync status"""
    is_running = BooleanField(read_only=True)
    tasks = TaskSerializer(many=True, read_only=True)
 class LDAPSourceViewSet(UsedByMixin, ModelViewSet):
    """LDAP Source Viewset"""
@ -114,19 +129,19 @@ class LDAPSourceViewSet(UsedByMixin, ModelViewSet):
    @extend_schema(
        responses={
-            200: TaskSerializer(many=True),
+            200: LDAPSyncStatusSerializer(),
        }
    )
    @action(methods=["GET"], detail=True, pagination_class=None, filter_backends=[])
    def sync_status(self, request: Request, slug: str) -> Response:
        """Get source's sync status"""
-        source = self.get_object()
+        source: LDAPSource = self.get_object()
-        results = []
+        tasks = TaskInfo.by_name(f"ldap_sync:{source.slug}:*") or []
-        tasks = TaskInfo.by_name(f"ldap_sync:{source.slug}:*")
+        status = {
-        if tasks:
+            "tasks": tasks,
-            for task in tasks:
+            "is_running": source.sync_lock.locked(),
-                results.append(task)
+        }
-        return Response(TaskSerializer(results, many=True).data)
+        return Response(LDAPSyncStatusSerializer(status).data)
    @extend_schema(
        responses={
--- a/authentik/sources/ldap/management/commands/ldap_check_connection.py
+++ b/authentik/sources/ldap/management/commands/ldap_check_connection.py
@ -0,0 +1,24 @@
 """LDAP Connection check"""
 from json import dumps
 from django.core.management.base import BaseCommand
 from structlog.stdlib import get_logger
 from authentik.sources.ldap.models import LDAPSource
 LOGGER = get_logger()
 class Command(BaseCommand):
    """Check connectivity to LDAP servers for a source"""
    def add_arguments(self, parser):
        parser.add_argument("source_slugs", nargs="?", type=str)
    def handle(self, **options):
        sources = LDAPSource.objects.filter(enabled=True)
        if options["source_slugs"]:
            sources = LDAPSource.objects.filter(slug__in=options["source_slugs"])
        for source in sources.order_by("slug"):
            status = source.check_connection()
            self.stdout.write(dumps(status, indent=4))
--- a/authentik/sources/ldap/models.py
+++ b/authentik/sources/ldap/models.py
@ -4,10 +4,12 @@ from ssl import CERT_REQUIRED
 from tempfile import NamedTemporaryFile, mkdtemp
 from typing import Optional
 from django.core.cache import cache
 from django.db import models
 from django.utils.translation import gettext_lazy as _
 from ldap3 import ALL, NONE, RANDOM, Connection, Server, ServerPool, Tls
-from ldap3.core.exceptions import LDAPInsufficientAccessRightsResult, LDAPSchemaError
+from ldap3.core.exceptions import LDAPException, LDAPInsufficientAccessRightsResult, LDAPSchemaError
 from redis.lock import Lock
 from rest_framework.serializers import Serializer
 from authentik.core.models import Group, PropertyMapping, Source
@ -117,7 +119,7 @@ class LDAPSource(Source):
        return LDAPSourceSerializer
-    def server(self, **kwargs) -> Server:
+    def server(self, **kwargs) -> ServerPool:
        """Get LDAP Server/ServerPool"""
        servers = []
        tls_kwargs = {}
@ -154,7 +156,10 @@ class LDAPSource(Source):
        return ServerPool(servers, RANDOM, active=5, exhaust=True)
    def connection(
-        self, server_kwargs: Optional[dict] = None, connection_kwargs: Optional[dict] = None
+        self,
        server: Optional[Server] = None,
        server_kwargs: Optional[dict] = None,
        connection_kwargs: Optional[dict] = None,
    ) -> Connection:
        """Get a fully connected and bound LDAP Connection"""
        server_kwargs = server_kwargs or {}
@ -164,7 +169,7 @@ class LDAPSource(Source):
        if self.bind_password is not None:
            connection_kwargs.setdefault("password", self.bind_password)
        connection = Connection(
-            self.server(**server_kwargs),
+            server or self.server(**server_kwargs),
            raise_exceptions=True,
            receive_timeout=LDAP_TIMEOUT,
            **connection_kwargs,
@ -183,9 +188,55 @@ class LDAPSource(Source):
            if server_kwargs.get("get_info", ALL) == NONE:
                raise exc
            server_kwargs["get_info"] = NONE
-            return self.connection(server_kwargs, connection_kwargs)
+            return self.connection(server, server_kwargs, connection_kwargs)
        return RuntimeError("Failed to bind")
    @property
    def sync_lock(self) -> Lock:
        """Redis lock for syncing LDAP to prevent multiple parallel syncs happening"""
        return Lock(
            cache.client.get_client(),
            name=f"goauthentik.io/sources/ldap/sync-{self.slug}",
            # Convert task timeout hours to seconds, and multiply times 3
            # (see authentik/sources/ldap/tasks.py:54)
            # multiply by 3 to add even more leeway
            timeout=(60 * 60 * CONFIG.get_int("ldap.task_timeout_hours")) * 3,
        )
    def check_connection(self) -> dict[str, dict[str, str]]:
        """Check LDAP Connection"""
        from authentik.sources.ldap.sync.base import flatten
        servers = self.server()
        server_info = {}
        # Check each individual server
        for server in servers.servers:
            server: Server
            try:
                connection = self.connection(server=server)
                server_info[server.host] = {
                    "vendor": str(flatten(connection.server.info.vendor_name)),
                    "version": str(flatten(connection.server.info.vendor_version)),
                    "status": "ok",
                }
            except LDAPException as exc:
                server_info[server.host] = {
                    "status": str(exc),
                }
        # Check server pool
        try:
            connection = self.connection()
            server_info["__all__"] = {
                "vendor": str(flatten(connection.server.info.vendor_name)),
                "version": str(flatten(connection.server.info.vendor_version)),
                "status": "ok",
            }
        except LDAPException as exc:
            server_info["__all__"] = {
                "status": str(exc),
            }
        return server_info
    class Meta:
        verbose_name = _("LDAP Source")
        verbose_name_plural = _("LDAP Sources")
--- a/authentik/sources/ldap/settings.py
+++ b/authentik/sources/ldap/settings.py
@ -8,5 +8,10 @@ CELERY_BEAT_SCHEDULE = {
        "task": "authentik.sources.ldap.tasks.ldap_sync_all",
        "schedule": crontab(minute=fqdn_rand("sources_ldap_sync"), hour="*/2"),
        "options": {"queue": "authentik_scheduled"},
-    }
+    },
    "sources_ldap_connectivity_check": {
        "task": "authentik.sources.ldap.tasks.ldap_connectivity_check",
        "schedule": crontab(minute=fqdn_rand("sources_ldap_connectivity_check"), hour="*"),
        "options": {"queue": "authentik_scheduled"},
    },
 }
--- a/authentik/sources/ldap/signals.py
+++ b/authentik/sources/ldap/signals.py
@ -14,7 +14,7 @@ from authentik.events.models import Event, EventAction
 from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER
 from authentik.sources.ldap.models import LDAPSource
 from authentik.sources.ldap.password import LDAPPasswordChanger
-from authentik.sources.ldap.tasks import ldap_sync_single
+from authentik.sources.ldap.tasks import ldap_connectivity_check, ldap_sync_single
 from authentik.stages.prompt.signals import password_validate
 LOGGER = get_logger()
@ -32,6 +32,7 @@ def sync_ldap_source_on_save(sender, instance: LDAPSource, **_):
    if not instance.property_mappings.exists() or not instance.property_mappings_group.exists():
        return
    ldap_sync_single.delay(instance.pk)
    ldap_connectivity_check.delay(instance.pk)
@receiver(password_validate)
--- a/authentik/sources/ldap/sync/base.py
+++ b/authentik/sources/ldap/sync/base.py
@ -17,6 +17,15 @@ from authentik.sources.ldap.models import LDAPPropertyMapping, LDAPSource
 LDAP_UNIQUENESS = "ldap_uniq"
 def flatten(value: Any) -> Any:
    """Flatten `value` if its a list"""
    if isinstance(value, list):
        if len(value) < 1:
            return None
        return value[0]
    return value
 class BaseLDAPSynchronizer:
    """Sync LDAP Users and groups into authentik"""
@ -122,14 +131,6 @@ class BaseLDAPSynchronizer:
                cookie = None
            yield self._connection.response
    def _flatten(self, value: Any) -> Any:
        """Flatten `value` if its a list"""
        if isinstance(value, list):
            if len(value) < 1:
                return None
            return value[0]
        return value
    def build_user_properties(self, user_dn: str, **kwargs) -> dict[str, Any]:
        """Build attributes for User object based on property mappings."""
        props = self._build_object_properties(user_dn, self._source.property_mappings, **kwargs)
@ -163,10 +164,10 @@ class BaseLDAPSynchronizer:
                object_field = mapping.object_field
                if object_field.startswith("attributes."):
                    # Because returning a list might desired, we can't
-                    # rely on self._flatten here. Instead, just save the result as-is
+                    # rely on flatten here. Instead, just save the result as-is
                    set_path_in_dict(properties, object_field, value)
                else:
-                    properties[object_field] = self._flatten(value)
+                    properties[object_field] = flatten(value)
            except PropertyMappingExpressionException as exc:
                Event.new(
                    EventAction.CONFIGURATION_ERROR,
@ -177,7 +178,7 @@ class BaseLDAPSynchronizer:
                self._logger.warning("Mapping failed to evaluate", exc=exc, mapping=mapping)
                continue
        if self._source.object_uniqueness_field in kwargs:
-            properties["attributes"][LDAP_UNIQUENESS] = self._flatten(
+            properties["attributes"][LDAP_UNIQUENESS] = flatten(
                kwargs.get(self._source.object_uniqueness_field)
            )
        properties["attributes"][LDAP_DISTINGUISHED_NAME] = object_dn
--- a/authentik/sources/ldap/sync/groups.py
+++ b/authentik/sources/ldap/sync/groups.py
@ -7,7 +7,7 @@ from ldap3 import ALL_ATTRIBUTES, ALL_OPERATIONAL_ATTRIBUTES, SUBTREE
 from authentik.core.models import Group
 from authentik.events.models import Event, EventAction
-from authentik.sources.ldap.sync.base import LDAP_UNIQUENESS, BaseLDAPSynchronizer
+from authentik.sources.ldap.sync.base import LDAP_UNIQUENESS, BaseLDAPSynchronizer, flatten
 class GroupLDAPSynchronizer(BaseLDAPSynchronizer):
@ -39,7 +39,7 @@ class GroupLDAPSynchronizer(BaseLDAPSynchronizer):
            if "attributes" not in group:
                continue
            attributes = group.get("attributes", {})
-            group_dn = self._flatten(self._flatten(group.get("entryDN", group.get("dn"))))
+            group_dn = flatten(flatten(group.get("entryDN", group.get("dn"))))
            if self._source.object_uniqueness_field not in attributes:
                self.message(
                    f"Cannot find uniqueness field in attributes: '{group_dn}'",
@ -47,7 +47,7 @@ class GroupLDAPSynchronizer(BaseLDAPSynchronizer):
                    dn=group_dn,
                )
                continue
-            uniq = self._flatten(attributes[self._source.object_uniqueness_field])
+            uniq = flatten(attributes[self._source.object_uniqueness_field])
            try:
                defaults = self.build_group_properties(group_dn, **attributes)
                defaults["parent"] = self._source.sync_parent_group
--- a/authentik/sources/ldap/sync/users.py
+++ b/authentik/sources/ldap/sync/users.py
@ -7,7 +7,7 @@ from ldap3 import ALL_ATTRIBUTES, ALL_OPERATIONAL_ATTRIBUTES, SUBTREE
 from authentik.core.models import User
 from authentik.events.models import Event, EventAction
-from authentik.sources.ldap.sync.base import LDAP_UNIQUENESS, BaseLDAPSynchronizer
+from authentik.sources.ldap.sync.base import LDAP_UNIQUENESS, BaseLDAPSynchronizer, flatten
 from authentik.sources.ldap.sync.vendor.freeipa import FreeIPA
 from authentik.sources.ldap.sync.vendor.ms_ad import MicrosoftActiveDirectory
@ -41,7 +41,7 @@ class UserLDAPSynchronizer(BaseLDAPSynchronizer):
            if "attributes" not in user:
                continue
            attributes = user.get("attributes", {})
-            user_dn = self._flatten(user.get("entryDN", user.get("dn")))
+            user_dn = flatten(user.get("entryDN", user.get("dn")))
            if self._source.object_uniqueness_field not in attributes:
                self.message(
                    f"Cannot find uniqueness field in attributes: '{user_dn}'",
@ -49,7 +49,7 @@ class UserLDAPSynchronizer(BaseLDAPSynchronizer):
                    dn=user_dn,
                )
                continue
-            uniq = self._flatten(attributes[self._source.object_uniqueness_field])
+            uniq = flatten(attributes[self._source.object_uniqueness_field])
            try:
                defaults = self.build_user_properties(user_dn, **attributes)
                self._logger.debug("Writing user with attributes", **defaults)
--- a/authentik/sources/ldap/sync/vendor/freeipa.py
+++ b/authentik/sources/ldap/sync/vendor/freeipa.py
@ -5,7 +5,7 @@ from typing import Any, Generator
 from pytz import UTC
 from authentik.core.models import User
-from authentik.sources.ldap.sync.base import BaseLDAPSynchronizer
+from authentik.sources.ldap.sync.base import BaseLDAPSynchronizer, flatten
 class FreeIPA(BaseLDAPSynchronizer):
@ -47,7 +47,7 @@ class FreeIPA(BaseLDAPSynchronizer):
            return
        # For some reason, nsaccountlock is not defined properly in the schema as bool
        # hence we get it as a list of strings
-        _is_locked = str(self._flatten(attributes.get("nsaccountlock", ["FALSE"])))
+        _is_locked = str(flatten(attributes.get("nsaccountlock", ["FALSE"])))
        # So we have to attempt to convert it to a bool
        is_locked = _is_locked.lower() == "true"
        # And then invert it since freeipa saves locked and we save active
--- a/authentik/sources/ldap/tasks.py
+++ b/authentik/sources/ldap/tasks.py
@ -1,13 +1,14 @@
 """LDAP Sync tasks"""
 from typing import Optional
 from uuid import uuid4
 from celery import chain, group
 from django.core.cache import cache
 from ldap3.core.exceptions import LDAPException
 from redis.exceptions import LockError
 from redis.lock import Lock
 from structlog.stdlib import get_logger
 from authentik.events.monitored_tasks import CACHE_KEY_PREFIX as CACHE_KEY_PREFIX_TASKS
 from authentik.events.monitored_tasks import MonitoredTask, TaskResult, TaskResultStatus
 from authentik.lib.config import CONFIG
 from authentik.lib.utils.errors import exception_to_string
@ -26,6 +27,7 @@ SYNC_CLASSES = [
    MembershipLDAPSynchronizer,
 ]
 CACHE_KEY_PREFIX = "goauthentik.io/sources/ldap/page/"
 CACHE_KEY_STATUS = "goauthentik.io/sources/ldap/status/"
@CELERY_APP.task()
@ -35,6 +37,19 @@ def ldap_sync_all():
        ldap_sync_single.apply_async(args=[source.pk])
@CELERY_APP.task()
 def ldap_connectivity_check(pk: Optional[str] = None):
    """Check connectivity for LDAP Sources"""
    # 2 hour timeout, this task should run every hour
    timeout = 60 * 60 * 2
    sources = LDAPSource.objects.filter(enabled=True)
    if pk:
        sources = sources.filter(pk=pk)
    for source in sources:
        status = source.check_connection()
        cache.set(CACHE_KEY_STATUS + source.slug, status, timeout=timeout)
@CELERY_APP.task(
    # We take the configured hours timeout time by 2.5 as we run user and
    # group in parallel and then membership, so 2x is to cover the serial tasks,
@ -47,12 +62,15 @@ def ldap_sync_single(source_pk: str):
    source: LDAPSource = LDAPSource.objects.filter(pk=source_pk).first()
    if not source:
        return
-    lock = Lock(cache.client.get_client(), name=f"goauthentik.io/sources/ldap/sync-{source.slug}")
+    lock = source.sync_lock
    if lock.locked():
        LOGGER.debug("LDAP sync locked, skipping task", source=source.slug)
        return
    try:
        with lock:
            # Delete all sync tasks from the cache
            keys = cache.keys(f"{CACHE_KEY_PREFIX_TASKS}ldap_sync:{source.slug}*")
            cache.delete_many(keys)
            task = chain(
                # User and group sync can happen at once, they have no dependencies on each other
                group(
--- a/authentik/sources/oauth/types/patreon.py
+++ b/authentik/sources/oauth/types/patreon.py
@ -12,8 +12,9 @@ class PatreonOAuthRedirect(OAuthRedirect):
    """Patreon OAuth2 Redirect"""
    def get_additional_parameters(self, source: OAuthSource):  # pragma: no cover
        # https://docs.patreon.com/#scopes
        return {
-            "scope": ["openid", "email", "profile"],
+            "scope": ["identity", "identity[email]"],
        }
--- a/authentik/sources/scim/init.py
+++ b/authentik/sources/scim/init.py
--- a/authentik/sources/scim/api.py
+++ b/authentik/sources/scim/api.py
@ -0,0 +1,62 @@
 """SCIMSource API Views"""
 from django.urls import reverse_lazy
 from rest_framework.fields import SerializerMethodField
 from rest_framework.viewsets import ModelViewSet
 from authentik.core.api.sources import SourceSerializer
 from authentik.core.api.tokens import TokenSerializer
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.models import Token, TokenIntents, User, UserTypes
 from authentik.sources.scim.models import SCIMSource
 class SCIMSourceSerializer(SourceSerializer):
    """SCIMSource Serializer"""
    root_url = SerializerMethodField()
    token_obj = TokenSerializer(source="token", required=False, read_only=True)
    def get_root_url(self, instance: SCIMSource) -> str:
        """Get Root URL"""
        relative_url = reverse_lazy(
            "authentik_sources_scim:v2-root",
            kwargs={"source_slug": instance.slug},
        )
        if "request" not in self.context:
            return relative_url
        return self.context["request"].build_absolute_uri(relative_url)
    def create(self, validated_data):
        instance: SCIMSource = super().create(validated_data)
        identifier = f"ak-source-scim-{instance.pk}"
        user = User.objects.create(
            username=identifier,
            name=f"SCIM Source {instance.name} Service-Account",
            type=UserTypes.SERVICE_ACCOUNT,
        )
        token = Token.objects.create(
            user=user,
            identifier=identifier,
            intent=TokenIntents.INTENT_API,
            expiring=False,
            managed=f"goauthentik.io/sources/scim/{instance.pk}",
        )
        instance.token = token
        instance.save()
        return instance
    class Meta:
        model = SCIMSource
        fields = SourceSerializer.Meta.fields + ["token", "root_url", "token_obj"]
 class SCIMSourceViewSet(UsedByMixin, ModelViewSet):
    """SCIMSource Viewset"""
    queryset = SCIMSource.objects.all()
    serializer_class = SCIMSourceSerializer
    lookup_field = "slug"
    filterset_fields = ["name", "slug"]
    search_fields = ["name", "slug", "token__identifier", "token__user__username"]
    ordering = ["name"]
--- a/authentik/sources/scim/apps.py
+++ b/authentik/sources/scim/apps.py
@ -0,0 +1,11 @@
 """Authentik SCIM app config"""
 from django.apps import AppConfig
 class AuthentikSourceSCIMConfig(AppConfig):
    """authentik SCIM Source app config"""
    name = "authentik.sources.scim"
    label = "authentik_sources_scim"
    verbose_name = "authentik Sources.SCIM"
--- a/authentik/sources/scim/errors.py
+++ b/authentik/sources/scim/errors.py
@ -0,0 +1,8 @@
 """SCIM Errors"""
 from authentik.lib.sentry import SentryIgnoredException
 class PatchError(SentryIgnoredException):
    """Error raised within an atomic block when an error happened
    so nothing is saved"""
--- a/authentik/sources/scim/filters/ScimFilter.g4
+++ b/authentik/sources/scim/filters/ScimFilter.g4
@ -0,0 +1,61 @@
 grammar ScimFilter;
 parse
    : filter
    ;
 filter
 	: attrPath SP PR                             #presentExp
 	| attrPath SP COMPAREOPERATOR SP VALUE       #operatorExp
 	| NOT? SP* '(' filter ')'                    #braceExp
 	| attrPath '[' valPathFilter ']'             #valPathExp
 	| filter SP AND SP filter                    #andExp
 	| filter SP OR SP filter                     #orExp
 	;										     
 valPathFilter								     
 	: attrPath SP PR                             #valPathPresentExp
 	| attrPath SP COMPAREOPERATOR SP VALUE       #valPathOperatorExp
 	| NOT? SP* '(' valPathFilter ')'             #valPathBraceExp
 	| valPathFilter SP AND SP valPathFilter      #valPathAndExp
 	| valPathFilter SP OR SP valPathFilter       #valPathOrExp
 	;
 attrPath 
 	: (SCHEMA)? ATTRNAME ('.' ATTRNAME)?
 	;
 COMPAREOPERATOR : EQ | NE | CO | SW | EW | GT | GE | LT | LE;
 EQ : [eE][qQ];
 NE : [nN][eE];
 CO : [cC][oO];
 SW : [sS][wW];
 EW : [eE][wW];
 PR : [pP][rR];
 GT : [gG][tT];
 GE : [gG][eE];
 LT : [lL][tT];
 LE : [lL][eE];
 NOT : [nN][oO][tT];
 AND : [aA][nN][dD];
 OR  : [oO][rR];
 SP : ' ';
 SCHEMA : 'urn:' (SEGMENT ':')+;
 ATTRNAME : ALPHA (ALPHA | DIGIT | '_' | '-')+;
 fragment SEGMENT : (ALPHA | DIGIT | '_' | '-' | '.')+;
 fragment DIGIT : [0-9];
 fragment ALPHA : [a-z] | [A-Z];
 ESCAPED_QUOTE : '\\"';
 VALUE : '"'(ESCAPED_QUOTE | ~'"')*'"' | 'true' | 'false' | 'null' | DIGIT+('.'DIGIT+)?;
 EXCLUDE : [\b | \t | \r | \n]+ -> skip;
--- a/authentik/sources/scim/filters/ScimFilter.interp
+++ b/authentik/sources/scim/filters/ScimFilter.interp
@ -0,0 +1,65 @@
 token literal names:
 null
 '('
 ')'
 '['
 ']'
 '.'
 null
 null
 null
 null
 null
 null
 null
 null
 null
 null
 null
 null
 null
 null
 ' '
 null
 null
 '\\"'
 null
 null
 token symbolic names:
 null
 null
 null
 null
 null
 null
 COMPAREOPERATOR
 EQ
 NE
 CO
 SW
 EW
 PR
 GT
 GE
 LT
 LE
 NOT
 AND
 OR
 SP
 SCHEMA
 ATTRNAME
 ESCAPED_QUOTE
 VALUE
 EXCLUDE
 rule names:
 parse
 filter
 valPathFilter
 attrPath
 atn:
 [4, 1, 25, 106, 2, 0, 7, 0, 2, 1, 7, 1, 2, 2, 7, 2, 2, 3, 7, 3, 1, 0, 1, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 3, 1, 23, 8, 1, 1, 1, 5, 1, 26, 8, 1, 10, 1, 12, 1, 29, 9, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 3, 1, 40, 8, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 5, 1, 52, 8, 1, 10, 1, 12, 1, 55, 9, 1, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 3, 2, 69, 8, 2, 1, 2, 5, 2, 72, 8, 2, 10, 2, 12, 2, 75, 9, 2, 1, 2, 1, 2, 1, 2, 1, 2, 3, 2, 81, 8, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 5, 2, 93, 8, 2, 10, 2, 12, 2, 96, 9, 2, 1, 3, 3, 3, 99, 8, 3, 1, 3, 1, 3, 1, 3, 3, 3, 104, 8, 3, 1, 3, 0, 2, 2, 4, 4, 0, 2, 4, 6, 0, 0, 116, 0, 8, 1, 0, 0, 0, 2, 39, 1, 0, 0, 0, 4, 80, 1, 0, 0, 0, 6, 98, 1, 0, 0, 0, 8, 9, 3, 2, 1, 0, 9, 1, 1, 0, 0, 0, 10, 11, 6, 1, -1, 0, 11, 12, 3, 6, 3, 0, 12, 13, 5, 20, 0, 0, 13, 14, 5, 12, 0, 0, 14, 40, 1, 0, 0, 0, 15, 16, 3, 6, 3, 0, 16, 17, 5, 20, 0, 0, 17, 18, 5, 6, 0, 0, 18, 19, 5, 20, 0, 0, 19, 20, 5, 24, 0, 0, 20, 40, 1, 0, 0, 0, 21, 23, 5, 17, 0, 0, 22, 21, 1, 0, 0, 0, 22, 23, 1, 0, 0, 0, 23, 27, 1, 0, 0, 0, 24, 26, 5, 20, 0, 0, 25, 24, 1, 0, 0, 0, 26, 29, 1, 0, 0, 0, 27, 25, 1, 0, 0, 0, 27, 28, 1, 0, 0, 0, 28, 30, 1, 0, 0, 0, 29, 27, 1, 0, 0, 0, 30, 31, 5, 1, 0, 0, 31, 32, 3, 2, 1, 0, 32, 33, 5, 2, 0, 0, 33, 40, 1, 0, 0, 0, 34, 35, 3, 6, 3, 0, 35, 36, 5, 3, 0, 0, 36, 37, 3, 4, 2, 0, 37, 38, 5, 4, 0, 0, 38, 40, 1, 0, 0, 0, 39, 10, 1, 0, 0, 0, 39, 15, 1, 0, 0, 0, 39, 22, 1, 0, 0, 0, 39, 34, 1, 0, 0, 0, 40, 53, 1, 0, 0, 0, 41, 42, 10, 2, 0, 0, 42, 43, 5, 20, 0, 0, 43, 44, 5, 18, 0, 0, 44, 45, 5, 20, 0, 0, 45, 52, 3, 2, 1, 3, 46, 47, 10, 1, 0, 0, 47, 48, 5, 20, 0, 0, 48, 49, 5, 19, 0, 0, 49, 50, 5, 20, 0, 0, 50, 52, 3, 2, 1, 2, 51, 41, 1, 0, 0, 0, 51, 46, 1, 0, 0, 0, 52, 55, 1, 0, 0, 0, 53, 51, 1, 0, 0, 0, 53, 54, 1, 0, 0, 0, 54, 3, 1, 0, 0, 0, 55, 53, 1, 0, 0, 0, 56, 57, 6, 2, -1, 0, 57, 58, 3, 6, 3, 0, 58, 59, 5, 20, 0, 0, 59, 60, 5, 12, 0, 0, 60, 81, 1, 0, 0, 0, 61, 62, 3, 6, 3, 0, 62, 63, 5, 20, 0, 0, 63, 64, 5, 6, 0, 0, 64, 65, 5, 20, 0, 0, 65, 66, 5, 24, 0, 0, 66, 81, 1, 0, 0, 0, 67, 69, 5, 17, 0, 0, 68, 67, 1, 0, 0, 0, 68, 69, 1, 0, 0, 0, 69, 73, 1, 0, 0, 0, 70, 72, 5, 20, 0, 0, 71, 70, 1, 0, 0, 0, 72, 75, 1, 0, 0, 0, 73, 71, 1, 0, 0, 0, 73, 74, 1, 0, 0, 0, 74, 76, 1, 0, 0, 0, 75, 73, 1, 0, 0, 0, 76, 77, 5, 1, 0, 0, 77, 78, 3, 4, 2, 0, 78, 79, 5, 2, 0, 0, 79, 81, 1, 0, 0, 0, 80, 56, 1, 0, 0, 0, 80, 61, 1, 0, 0, 0, 80, 68, 1, 0, 0, 0, 81, 94, 1, 0, 0, 0, 82, 83, 10, 2, 0, 0, 83, 84, 5, 20, 0, 0, 84, 85, 5, 18, 0, 0, 85, 86, 5, 20, 0, 0, 86, 93, 3, 4, 2, 3, 87, 88, 10, 1, 0, 0, 88, 89, 5, 20, 0, 0, 89, 90, 5, 19, 0, 0, 90, 91, 5, 20, 0, 0, 91, 93, 3, 4, 2, 2, 92, 82, 1, 0, 0, 0, 92, 87, 1, 0, 0, 0, 93, 96, 1, 0, 0, 0, 94, 92, 1, 0, 0, 0, 94, 95, 1, 0, 0, 0, 95, 5, 1, 0, 0, 0, 96, 94, 1, 0, 0, 0, 97, 99, 5, 21, 0, 0, 98, 97, 1, 0, 0, 0, 98, 99, 1, 0, 0, 0, 99, 100, 1, 0, 0, 0, 100, 103, 5, 22, 0, 0, 101, 102, 5, 5, 0, 0, 102, 104, 5, 22, 0, 0, 103, 101, 1, 0, 0, 0, 103, 104, 1, 0, 0, 0, 104, 7, 1, 0, 0, 0, 12, 22, 27, 39, 51, 53, 68, 73, 80, 92, 94, 98, 103]
--- a/authentik/sources/scim/filters/ScimFilter.tokens
+++ b/authentik/sources/scim/filters/ScimFilter.tokens
@ -0,0 +1,32 @@
 T__0=1
 T__1=2
 T__2=3
 T__3=4
 T__4=5
 COMPAREOPERATOR=6
 EQ=7
 NE=8
 CO=9
 SW=10
 EW=11
 PR=12
 GT=13
 GE=14
 LT=15
 LE=16
 NOT=17
 AND=18
 OR=19
 SP=20
 SCHEMA=21
 ATTRNAME=22
 ESCAPED_QUOTE=23
 VALUE=24
 EXCLUDE=25
 '('=1
 ')'=2
 '['=3
 ']'=4
 '.'=5
 ' '=20
 '\\"'=23
--- a/authentik/sources/scim/filters/ScimFilterLexer.interp
+++ b/authentik/sources/scim/filters/ScimFilterLexer.interp
--- a/authentik/sources/scim/filters/ScimFilterLexer.py
+++ b/authentik/sources/scim/filters/ScimFilterLexer.py
--- a/authentik/sources/scim/filters/ScimFilterLexer.tokens
+++ b/authentik/sources/scim/filters/ScimFilterLexer.tokens
@ -0,0 +1,32 @@
 T__0=1
 T__1=2
 T__2=3
 T__3=4
 T__4=5
 COMPAREOPERATOR=6
 EQ=7
 NE=8
 CO=9
 SW=10
 EW=11
 PR=12
 GT=13
 GE=14
 LT=15
 LE=16
 NOT=17
 AND=18
 OR=19
 SP=20
 SCHEMA=21
 ATTRNAME=22
 ESCAPED_QUOTE=23
 VALUE=24
 EXCLUDE=25
 '('=1
 ')'=2
 '['=3
 ']'=4
 '.'=5
 ' '=20
 '\\"'=23
--- a/authentik/sources/scim/filters/ScimFilterListener.py
+++ b/authentik/sources/scim/filters/ScimFilterListener.py
@ -0,0 +1,118 @@
 # pylint: skip-file
 # Generated from ScimFilter.g4 by ANTLR 4.10.1
 from antlr4 import *
 if __name__ is not None and "." in __name__:
    from .ScimFilterParser import ScimFilterParser
 else:
    from ScimFilterParser import ScimFilterParser
 # This class defines a complete listener for a parse tree produced by ScimFilterParser.
 class ScimFilterListener(ParseTreeListener):
    # Enter a parse tree produced by ScimFilterParser#parse.
    def enterParse(self, ctx: ScimFilterParser.ParseContext):
        pass
    # Exit a parse tree produced by ScimFilterParser#parse.
    def exitParse(self, ctx: ScimFilterParser.ParseContext):
        pass
    # Enter a parse tree produced by ScimFilterParser#andExp.
    def enterAndExp(self, ctx: ScimFilterParser.AndExpContext):
        pass
    # Exit a parse tree produced by ScimFilterParser#andExp.
    def exitAndExp(self, ctx: ScimFilterParser.AndExpContext):
        pass
    # Enter a parse tree produced by ScimFilterParser#valPathExp.
    def enterValPathExp(self, ctx: ScimFilterParser.ValPathExpContext):
        pass
    # Exit a parse tree produced by ScimFilterParser#valPathExp.
    def exitValPathExp(self, ctx: ScimFilterParser.ValPathExpContext):
        pass
    # Enter a parse tree produced by ScimFilterParser#presentExp.
    def enterPresentExp(self, ctx: ScimFilterParser.PresentExpContext):
        pass
    # Exit a parse tree produced by ScimFilterParser#presentExp.
    def exitPresentExp(self, ctx: ScimFilterParser.PresentExpContext):
        pass
    # Enter a parse tree produced by ScimFilterParser#operatorExp.
    def enterOperatorExp(self, ctx: ScimFilterParser.OperatorExpContext):
        pass
    # Exit a parse tree produced by ScimFilterParser#operatorExp.
    def exitOperatorExp(self, ctx: ScimFilterParser.OperatorExpContext):
        pass
    # Enter a parse tree produced by ScimFilterParser#braceExp.
    def enterBraceExp(self, ctx: ScimFilterParser.BraceExpContext):
        pass
    # Exit a parse tree produced by ScimFilterParser#braceExp.
    def exitBraceExp(self, ctx: ScimFilterParser.BraceExpContext):
        pass
    # Enter a parse tree produced by ScimFilterParser#orExp.
    def enterOrExp(self, ctx: ScimFilterParser.OrExpContext):
        pass
    # Exit a parse tree produced by ScimFilterParser#orExp.
    def exitOrExp(self, ctx: ScimFilterParser.OrExpContext):
        pass
    # Enter a parse tree produced by ScimFilterParser#valPathOperatorExp.
    def enterValPathOperatorExp(self, ctx: ScimFilterParser.ValPathOperatorExpContext):
        pass
    # Exit a parse tree produced by ScimFilterParser#valPathOperatorExp.
    def exitValPathOperatorExp(self, ctx: ScimFilterParser.ValPathOperatorExpContext):
        pass
    # Enter a parse tree produced by ScimFilterParser#valPathPresentExp.
    def enterValPathPresentExp(self, ctx: ScimFilterParser.ValPathPresentExpContext):
        pass
    # Exit a parse tree produced by ScimFilterParser#valPathPresentExp.
    def exitValPathPresentExp(self, ctx: ScimFilterParser.ValPathPresentExpContext):
        pass
    # Enter a parse tree produced by ScimFilterParser#valPathAndExp.
    def enterValPathAndExp(self, ctx: ScimFilterParser.ValPathAndExpContext):
        pass
    # Exit a parse tree produced by ScimFilterParser#valPathAndExp.
    def exitValPathAndExp(self, ctx: ScimFilterParser.ValPathAndExpContext):
        pass
    # Enter a parse tree produced by ScimFilterParser#valPathOrExp.
    def enterValPathOrExp(self, ctx: ScimFilterParser.ValPathOrExpContext):
        pass
    # Exit a parse tree produced by ScimFilterParser#valPathOrExp.
    def exitValPathOrExp(self, ctx: ScimFilterParser.ValPathOrExpContext):
        pass
    # Enter a parse tree produced by ScimFilterParser#valPathBraceExp.
    def enterValPathBraceExp(self, ctx: ScimFilterParser.ValPathBraceExpContext):
        pass
    # Exit a parse tree produced by ScimFilterParser#valPathBraceExp.
    def exitValPathBraceExp(self, ctx: ScimFilterParser.ValPathBraceExpContext):
        pass
    # Enter a parse tree produced by ScimFilterParser#attrPath.
    def enterAttrPath(self, ctx: ScimFilterParser.AttrPathContext):
        pass
    # Exit a parse tree produced by ScimFilterParser#attrPath.
    def exitAttrPath(self, ctx: ScimFilterParser.AttrPathContext):
        pass
 del ScimFilterParser
--- a/authentik/sources/scim/filters/ScimFilterParser.py
+++ b/authentik/sources/scim/filters/ScimFilterParser.py
--- a/authentik/sources/scim/filters/init.py
+++ b/authentik/sources/scim/filters/init.py
--- a/authentik/sources/scim/filters/django.py
+++ b/authentik/sources/scim/filters/django.py
@ -0,0 +1,101 @@
 """Django listener"""
 from django.db.models import Q
 from django.utils.tree import Node
 from authentik.sources.scim.filters.ScimFilterListener import ScimFilterListener
 from authentik.sources.scim.filters.ScimFilterParser import ScimFilterParser
 class DjangoQueryListener(ScimFilterListener):
    """SCIM filter listener that converts it to a query"""
    _query: Node
    _last_node: Node
    def __init__(self) -> None:
        super().__init__()
        self._query = Q()
        self._last_node = Q()
    @property
    def query(self) -> Node:
        return self._query
    def enterParse(self, ctx: ScimFilterParser.ParseContext):
        print("enterParse", ctx)
    def exitParse(self, ctx: ScimFilterParser.ParseContext):
        print("exitParse", ctx)
    def enterAndExp(self, ctx: ScimFilterParser.AndExpContext):
        print("enterAndExp", ctx)
    def exitAndExp(self, ctx: ScimFilterParser.AndExpContext):
        print("exitAndExp", ctx)
    def enterValPathExp(self, ctx: ScimFilterParser.ValPathExpContext):
        print("enterValPathExp", ctx.getText())
    def exitValPathExp(self, ctx: ScimFilterParser.ValPathExpContext):
        print("exitValPathExp", ctx)
    def enterPresentExp(self, ctx: ScimFilterParser.PresentExpContext):
        print("enterPresentExp", ctx)
    def exitPresentExp(self, ctx: ScimFilterParser.PresentExpContext):
        print("exitPresentExp", ctx)
    def enterOperatorExp(self, ctx: ScimFilterParser.OperatorExpContext):
        print("enterOperatorExp", ctx)
    def exitOperatorExp(self, ctx: ScimFilterParser.OperatorExpContext):
        print("exitOperatorExp", ctx)
    def enterBraceExp(self, ctx: ScimFilterParser.BraceExpContext):
        print("enterBraceExp", ctx)
    def exitBraceExp(self, ctx: ScimFilterParser.BraceExpContext):
        print("exitBraceExp", ctx)
    def enterOrExp(self, ctx: ScimFilterParser.OrExpContext):
        print("enterOrExp", ctx)
    def exitOrExp(self, ctx: ScimFilterParser.OrExpContext):
        print("exitOrExp", ctx)
    def enterValPathOperatorExp(self, ctx: ScimFilterParser.ValPathOperatorExpContext):
        print("enterValPathOperatorExp", ctx)
    def exitValPathOperatorExp(self, ctx: ScimFilterParser.ValPathOperatorExpContext):
        print("exitValPathOperatorExp", ctx)
    def enterValPathPresentExp(self, ctx: ScimFilterParser.ValPathPresentExpContext):
        print("enterValPathPresentExp", ctx)
    def exitValPathPresentExp(self, ctx: ScimFilterParser.ValPathPresentExpContext):
        print("exitValPathPresentExp", ctx)
    def enterValPathAndExp(self, ctx: ScimFilterParser.ValPathAndExpContext):
        print("enterValPathAndExp", ctx.getText())
    def exitValPathAndExp(self, ctx: ScimFilterParser.ValPathAndExpContext):
        print("exitValPathAndExp", ctx)
    def enterValPathOrExp(self, ctx: ScimFilterParser.ValPathOrExpContext):
        print("enterValPathOrExp", ctx)
    def exitValPathOrExp(self, ctx: ScimFilterParser.ValPathOrExpContext):
        print("exitValPathOrExp", ctx)
    def enterValPathBraceExp(self, ctx: ScimFilterParser.ValPathBraceExpContext):
        print("enterValPathBraceExp", ctx)
    def exitValPathBraceExp(self, ctx: ScimFilterParser.ValPathBraceExpContext):
        print("exitValPathBraceExp", ctx)
    def enterAttrPath(self, ctx: ScimFilterParser.AttrPathContext):
        self._last_node = Q(ctx.getText())
    def exitAttrPath(self, ctx: ScimFilterParser.AttrPathContext):
        self._query = self._last_node
        self._last_node = Q()
--- a/authentik/sources/scim/migrations/0001_initial.py
+++ b/authentik/sources/scim/migrations/0001_initial.py
@ -0,0 +1,46 @@
 # Generated by Django 4.0.5 on 2022-06-06 21:37
 import django.db.models.deletion
 from django.db import migrations, models
 class Migration(migrations.Migration):
    initial = True
    dependencies = [
        ("authentik_core", "0020_application_open_in_new_tab"),
    ]
    operations = [
        migrations.CreateModel(
            name="SCIMSource",
            fields=[
                (
                    "source_ptr",
                    models.OneToOneField(
                        auto_created=True,
                        on_delete=django.db.models.deletion.CASCADE,
                        parent_link=True,
                        primary_key=True,
                        serialize=False,
                        to="authentik_core.source",
                    ),
                ),
                (
                    "token",
                    models.ForeignKey(
                        default=None,
                        null=True,
                        on_delete=django.db.models.deletion.CASCADE,
                        to="authentik_core.token",
                    ),
                ),
            ],
            options={
                "verbose_name": "SCIM Source",
                "verbose_name_plural": "SCIM Sources",
            },
            bases=("authentik_core.source",),
        ),
    ]
--- a/authentik/sources/scim/migrations/init.py
+++ b/authentik/sources/scim/migrations/init.py
--- a/authentik/sources/scim/models.py
+++ b/authentik/sources/scim/models.py
@ -0,0 +1,36 @@
 """SCIM Source"""
 from django.db import models
 from django.utils.translation import gettext_lazy as _
 from rest_framework.serializers import BaseSerializer
 from authentik.core.models import Source, Token
 USER_ATTRIBUTE_SCIM_ID = "goauthentik.io/sources/scim/id"
 USER_ATTRIBUTE_SCIM_ADDRESS = "goauthentik.io/sources/scim/address"
 USER_ATTRIBUTE_SCIM_ENTERPRISE = "goauthentik.io/sources/scim/enterprise"
 class SCIMSource(Source):
    """System for Cross-domain Identity Management Source, allows for
    cross-system user provisioning"""
    token = models.ForeignKey(Token, on_delete=models.CASCADE, null=True, default=None)
    @property
    def component(self) -> str:
        """Return component used to edit this object"""
        return "ak-source-scim-form"
    @property
    def serializer(self) -> BaseSerializer:
        from authentik.sources.scim.api import SCIMSourceSerializer
        return SCIMSourceSerializer
    def __str__(self) -> str:
        return f"SCIM Source {self.name}"
    class Meta:
        verbose_name = _("SCIM Source")
        verbose_name_plural = _("SCIM Sources")
--- a/authentik/sources/scim/schemas/schema.json
+++ b/authentik/sources/scim/schemas/schema.json
--- a/authentik/sources/scim/tests/init.py
+++ b/authentik/sources/scim/tests/init.py
--- a/authentik/sources/scim/tests/test_auth.py
+++ b/authentik/sources/scim/tests/test_auth.py
@ -0,0 +1,86 @@
 """Test SCIM Auth"""
 from django.urls import reverse
 from rest_framework.test import APITestCase
 from authentik.core.models import Token, TokenIntents
 from authentik.core.tests.utils import create_test_admin_user
 from authentik.lib.generators import generate_id
 from authentik.sources.scim.models import SCIMSource
 class TestSCIMAuth(APITestCase):
    """Test SCIM Auth view"""
    def setUp(self) -> None:
        self.user = create_test_admin_user()
        self.token = Token.objects.create(
            user=self.user,
            identifier=generate_id(),
            intent=TokenIntents.INTENT_API,
        )
        self.token2 = Token.objects.create(
            user=self.user,
            identifier=generate_id(),
            intent=TokenIntents.INTENT_API,
        )
        self.token3 = Token.objects.create(
            user=self.user,
            identifier=generate_id(),
            intent=TokenIntents.INTENT_API,
        )
        self.source = SCIMSource.objects.create(
            name=generate_id(), slug=generate_id(), token=self.token
        )
        self.source2 = SCIMSource.objects.create(
            name=generate_id(), slug=generate_id(), token=self.token2
        )
    def test_auth_ok(self):
        """Test successful auth"""
        response = self.client.get(
            reverse(
                "authentik_sources_scim:v2-schema",
                kwargs={
                    "source_slug": self.source.slug,
                },
            ),
            HTTP_AUTHORIZATION=f"Bearer {self.token.key}",
        )
        self.assertEqual(response.status_code, 200)
    def test_auth_missing(self):
        """Test without header"""
        response = self.client.get(
            reverse(
                "authentik_sources_scim:v2-schema",
                kwargs={
                    "source_slug": self.source.slug,
                },
            ),
        )
        self.assertEqual(response.status_code, 403)
    def test_auth_wrong_token(self):
        """Test with wrong token"""
        # Token for wrong source
        response = self.client.get(
            reverse(
                "authentik_sources_scim:v2-schema",
                kwargs={
                    "source_slug": self.source.slug,
                },
            ),
            HTTP_AUTHORIZATION=f"Bearer {self.token2.key}",
        )
        self.assertEqual(response.status_code, 403)
        # Token for no source
        response = self.client.get(
            reverse(
                "authentik_sources_scim:v2-schema",
                kwargs={
                    "source_slug": self.source.slug,
                },
            ),
            HTTP_AUTHORIZATION=f"Bearer {self.token3.key}",
        )
        self.assertEqual(response.status_code, 403)
--- a/authentik/sources/scim/tests/test_resource_types.py
+++ b/authentik/sources/scim/tests/test_resource_types.py
@ -0,0 +1,64 @@
 """Test SCIM ResourceTypes"""
 from django.urls import reverse
 from rest_framework.test import APITestCase
 from authentik.core.models import Token, TokenIntents
 from authentik.core.tests.utils import create_test_admin_user
 from authentik.lib.generators import generate_id
 from authentik.sources.scim.models import SCIMSource
 class TestSCIMResourceTypes(APITestCase):
    """Test SCIM ResourceTypes view"""
    def setUp(self) -> None:
        self.user = create_test_admin_user()
        self.token = Token.objects.create(
            user=self.user,
            identifier=generate_id(),
            intent=TokenIntents.INTENT_API,
        )
        self.source = SCIMSource.objects.create(
            name=generate_id(), slug=generate_id(), token=self.token
        )
    def test_resource_type(self):
        """Test full resource type view"""
        response = self.client.get(
            reverse(
                "authentik_sources_scim:v2-resource-types",
                kwargs={
                    "source_slug": self.source.slug,
                },
            ),
            HTTP_AUTHORIZATION=f"Bearer {self.token.key}",
        )
        self.assertEqual(response.status_code, 200)
    def test_resource_type_single(self):
        """Test single resource type"""
        response = self.client.get(
            reverse(
                "authentik_sources_scim:v2-resource-types",
                kwargs={
                    "source_slug": self.source.slug,
                    "resource_type": "ServiceProviderConfig",
                },
            ),
            HTTP_AUTHORIZATION=f"Bearer {self.token.key}",
        )
        self.assertEqual(response.status_code, 200)
    def test_resource_type_single_404(self):
        """Test single resource type (404"""
        response = self.client.get(
            reverse(
                "authentik_sources_scim:v2-resource-types",
                kwargs={
                    "source_slug": self.source.slug,
                    "resource_type": "foo",
                },
            ),
            HTTP_AUTHORIZATION=f"Bearer {self.token.key}",
        )
        self.assertEqual(response.status_code, 404)
--- a/authentik/sources/scim/tests/test_schemas.py
+++ b/authentik/sources/scim/tests/test_schemas.py
@ -0,0 +1,64 @@
 """Test SCIM Schema"""
 from django.urls import reverse
 from rest_framework.test import APITestCase
 from authentik.core.models import Token, TokenIntents
 from authentik.core.tests.utils import create_test_admin_user
 from authentik.lib.generators import generate_id
 from authentik.sources.scim.models import SCIMSource
 class TestSCIMSchemas(APITestCase):
    """Test SCIM Schema view"""
    def setUp(self) -> None:
        self.user = create_test_admin_user()
        self.token = Token.objects.create(
            user=self.user,
            identifier=generate_id(),
            intent=TokenIntents.INTENT_API,
        )
        self.source = SCIMSource.objects.create(
            name=generate_id(), slug=generate_id(), token=self.token
        )
    def test_schema(self):
        """Test full schema view"""
        response = self.client.get(
            reverse(
                "authentik_sources_scim:v2-schema",
                kwargs={
                    "source_slug": self.source.slug,
                },
            ),
            HTTP_AUTHORIZATION=f"Bearer {self.token.key}",
        )
        self.assertEqual(response.status_code, 200)
    def test_schema_single(self):
        """Test single schema"""
        response = self.client.get(
            reverse(
                "authentik_sources_scim:v2-schema",
                kwargs={
                    "source_slug": self.source.slug,
                    "schema_uri": "urn:ietf:params:scim:schemas:core:2.0:Meta",
                },
            ),
            HTTP_AUTHORIZATION=f"Bearer {self.token.key}",
        )
        self.assertEqual(response.status_code, 200)
    def test_schema_single_404(self):
        """Test single schema (404"""
        response = self.client.get(
            reverse(
                "authentik_sources_scim:v2-schema",
                kwargs={
                    "source_slug": self.source.slug,
                    "schema_uri": "foo",
                },
            ),
            HTTP_AUTHORIZATION=f"Bearer {self.token.key}",
        )
        self.assertEqual(response.status_code, 404)
--- a/authentik/sources/scim/tests/test_service_provider_config.py
+++ b/authentik/sources/scim/tests/test_service_provider_config.py
@ -0,0 +1,36 @@
 """Test SCIM ServiceProviderConfig"""
 from django.urls import reverse
 from rest_framework.test import APITestCase
 from authentik.core.models import Token, TokenIntents
 from authentik.core.tests.utils import create_test_admin_user
 from authentik.lib.generators import generate_id
 from authentik.sources.scim.models import SCIMSource
 class TestSCIMServiceProviderConfig(APITestCase):
    """Test SCIM ServiceProviderConfig view"""
    def setUp(self) -> None:
        self.user = create_test_admin_user()
        self.token = Token.objects.create(
            user=self.user,
            identifier=generate_id(),
            intent=TokenIntents.INTENT_API,
        )
        self.source = SCIMSource.objects.create(
            name=generate_id(), slug=generate_id(), token=self.token
        )
    def test_config(self):
        """Test full config view"""
        response = self.client.get(
            reverse(
                "authentik_sources_scim:v2-service-provider-config",
                kwargs={
                    "source_slug": self.source.slug,
                },
            ),
            HTTP_AUTHORIZATION=f"Bearer {self.token.key}",
        )
        self.assertEqual(response.status_code, 200)
--- a/authentik/sources/scim/tests/test_users.py
+++ b/authentik/sources/scim/tests/test_users.py
@ -0,0 +1,83 @@
 """Test SCIM User"""
 from json import dumps
 from django.urls import reverse
 from rest_framework.test import APITestCase
 from authentik.core.models import Token, TokenIntents, User
 from authentik.core.tests.utils import create_test_admin_user
 from authentik.lib.generators import generate_id
 from authentik.sources.scim.models import USER_ATTRIBUTE_SCIM_ID, SCIMSource
 from authentik.sources.scim.views.v2.base import SCIM_CONTENT_TYPE
 class TestSCIMUsers(APITestCase):
    """Test SCIM User view"""
    def setUp(self) -> None:
        self.user = create_test_admin_user()
        self.token = Token.objects.create(
            user=self.user,
            identifier=generate_id(),
            intent=TokenIntents.INTENT_API,
        )
        self.source = SCIMSource.objects.create(
            name=generate_id(), slug=generate_id(), token=self.token
        )
    def test_user_list(self):
        """Test full user list"""
        response = self.client.get(
            reverse(
                "authentik_sources_scim:v2-users",
                kwargs={
                    "source_slug": self.source.slug,
                },
            ),
            HTTP_AUTHORIZATION=f"Bearer {self.token.key}",
        )
        self.assertEqual(response.status_code, 200)
    def test_user_list_single(self):
        """Test full user list (single user)"""
        response = self.client.get(
            reverse(
                "authentik_sources_scim:v2-users",
                kwargs={
                    "source_slug": self.source.slug,
                    "user_id": str(self.user.pk),
                },
            ),
            HTTP_AUTHORIZATION=f"Bearer {self.token.key}",
        )
        self.assertEqual(response.status_code, 200)
    def test_user_create(self):
        """Test user create"""
        ext_id = generate_id()
        response = self.client.post(
            reverse(
                "authentik_sources_scim:v2-users",
                kwargs={
                    "source_slug": self.source.slug,
                },
            ),
            data=dumps(
                {
                    "userName": generate_id(),
                    "externalId": ext_id,
                    "emails": [
                        {
                            "primary": True,
                            "value": self.user.email,
                        }
                    ],
                }
            ),
            content_type=SCIM_CONTENT_TYPE,
            HTTP_AUTHORIZATION=f"Bearer {self.token.key}",
        )
        self.assertEqual(response.status_code, 201)
        self.assertTrue(
            User.objects.filter(**{f"attributes__{USER_ATTRIBUTE_SCIM_ID}": ext_id}).exists()
        )
--- a/authentik/sources/scim/urls.py
+++ b/authentik/sources/scim/urls.py
@ -0,0 +1,64 @@
 """SCIM URLs"""
 from django.urls import path
 from authentik.sources.scim.views.v2 import (
    base,
    groups,
    resource_types,
    schemas,
    service_provider_config,
    users,
 )
 urlpatterns = [
    path(
        "<slug:source_slug>/v2",
        base.SCIMRootView.as_view(),
        name="v2-root",
    ),
    path(
        "<slug:source_slug>/v2/Users",
        users.UsersView.as_view(),
        name="v2-users",
    ),
    path(
        "<slug:source_slug>/v2/Users/<str:user_id>",
        users.UsersView.as_view(),
        name="v2-users",
    ),
    path(
        "<slug:source_slug>/v2/Groups",
        groups.GroupsView.as_view(),
        name="v2-groups",
    ),
    path(
        "<slug:source_slug>/v2/Groups/<str:group_id>",
        groups.GroupsView.as_view(),
        name="v2-groups",
    ),
    path(
        "<slug:source_slug>/v2/Schemas",
        schemas.SchemaView.as_view(),
        name="v2-schema",
    ),
    path(
        "<slug:source_slug>/v2/Schemas/<str:schema_uri>",
        schemas.SchemaView.as_view(),
        name="v2-schema",
    ),
    path(
        "<slug:source_slug>/v2/ServiceProviderConfig",
        service_provider_config.ServiceProviderConfigView.as_view(),
        name="v2-service-provider-config",
    ),
    path(
        "<slug:source_slug>/v2/ResourceTypes",
        resource_types.ResourceTypesView.as_view(),
        name="v2-resource-types",
    ),
    path(
        "<slug:source_slug>/v2/ResourceTypes/<str:resource_type>",
        resource_types.ResourceTypesView.as_view(),
        name="v2-resource-types",
    ),
 ]
--- a/authentik/sources/scim/views/init.py
+++ b/authentik/sources/scim/views/init.py
--- a/authentik/sources/scim/views/v2/init.py
+++ b/authentik/sources/scim/views/v2/init.py
--- a/authentik/sources/scim/views/v2/auth.py
+++ b/authentik/sources/scim/views/v2/auth.py
@ -0,0 +1,46 @@
 """SCIM Token auth"""
 from base64 import b64decode
 from typing import Any, Optional, Union
 from django.conf import settings
 from rest_framework.authentication import BaseAuthentication, get_authorization_header
 from rest_framework.request import Request
 from authentik.core.models import Token, TokenIntents, User
 class SCIMTokenAuth(BaseAuthentication):
    """SCIM Token auth"""
    def legacy(self, key: str, source_slug: str) -> Optional[Token]:  # pragma: no cover
        """Legacy HTTP-Basic auth for testing"""
        if not settings.TEST and not settings.DEBUG:
            return None
        _username, _, password = b64decode(key.encode()).decode().partition(":")
        token = self.check_token(password, source_slug)
        if token:
            return (token.user, token)
        return None
    def check_token(self, key: str, source_slug: str) -> Optional[Token]:
        """Check that a token exists, is not expired, and is assigned to the correct source"""
        token = Token.filter_not_expired(key=key, intent=TokenIntents.INTENT_API).first()
        if not token:
            return None
        if not token.scimsource_set.exists():
            return None
        if token.scimsource_set.first().slug != source_slug:
            return None
        return token
    def authenticate(self, request: Request) -> Union[tuple[User, Any], None]:
        kwargs = request._request.resolver_match.kwargs
        source_slug = kwargs.get("source_slug", None)
        auth = get_authorization_header(request).decode()
        auth_type, _, key = auth.partition(" ")
        if auth_type != "Bearer":
            return self.legacy(key, source_slug)
        token = self.check_token(key, source_slug)
        if not token:
            return None
        return (token.user, token)
--- a/authentik/sources/scim/views/v2/base.py
+++ b/authentik/sources/scim/views/v2/base.py
@ -0,0 +1,81 @@
 """SCIM Utils"""
 from typing import Optional
 from urllib.parse import urlparse
 from antlr4 import CommonTokenStream, InputStream, ParseTreeWalker
 from django.urls import resolve
 from rest_framework.parsers import JSONParser
 from rest_framework.permissions import IsAuthenticated
 from rest_framework.renderers import JSONRenderer
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.views import APIView
 from authentik.core.models import Group, User
 from authentik.sources.scim.filters.django import DjangoQueryListener
 from authentik.sources.scim.filters.ScimFilterLexer import ScimFilterLexer
 from authentik.sources.scim.filters.ScimFilterParser import ScimFilterParser
 from authentik.sources.scim.views.v2.auth import SCIMTokenAuth
 SCIM_CONTENT_TYPE = "application/scim+json"
 class SCIMParser(JSONParser):
    """SCIM clients use a custom content type"""
    media_type = SCIM_CONTENT_TYPE
 class SCIMRenderer(JSONRenderer):
    """SCIM clients also expect a custom content type"""
    media_type = SCIM_CONTENT_TYPE
 class SCIMView(APIView):
    """Base class for SCIM Views"""
    authentication_classes = [SCIMTokenAuth]
    permission_classes = [IsAuthenticated]
    parser_classes = [SCIMParser]
    renderer_classes = [SCIMRenderer]
    def patch_resolve_value(self, raw_value: dict) -> Optional[User | Group]:
        """Attempt to resolve a raw `value` attribute of a patch operation into
        a database model"""
        model = User
        query = {}
        if "$ref" in raw_value:
            url = urlparse(raw_value["$ref"])
            if match := resolve(url.path):
                if match.url_name == "v2-users":
                    model = User
                    query = {"pk": int(match.kwargs["user_id"])}
        elif "type" in raw_value:
            match raw_value["tyoe"]:
                case "User":
                    model = User
                    query = {"pk": int(raw_value["value"])}
                case "Group":
                    model = Group
        else:
            return None
        return model.objects.filter(**query).first()
    def patch_parse_path(self, path: str):
        """Parse the path of a Patch Operation"""
        lexer = ScimFilterLexer(InputStream(path))
        stream = CommonTokenStream(lexer)
        parser = ScimFilterParser(stream)
        tree = parser.filter_()
        listener = DjangoQueryListener()
        walker = ParseTreeWalker()
        walker.walk(listener, tree)
        return listener.query
 class SCIMRootView(SCIMView):
    """Root SCIM View"""
    def dispatch(self, request: Request, *args, **kwargs) -> Response:
        return Response({"message": "Use this base-URL with an SCIM-compatible system."})
--- a/authentik/sources/scim/views/v2/groups.py
+++ b/authentik/sources/scim/views/v2/groups.py
@ -0,0 +1,126 @@
 """SCIM Group Views"""
 from typing import Optional
 from django.core.paginator import Paginator
 from django.db.transaction import atomic
 from django.http import Http404, QueryDict
 from django.urls import reverse
 from rest_framework.request import Request
 from rest_framework.response import Response
 from structlog.stdlib import get_logger
 from authentik.core.models import Group
 from authentik.sources.scim.errors import PatchError
 from authentik.sources.scim.views.v2.base import SCIM_CONTENT_TYPE, SCIMView
 LOGGER = get_logger()
 class GroupsView(SCIMView):
    """SCIM Group View"""
    def group_to_scim(self, group: Group) -> dict:
        """Convert group to SCIM"""
        return {
            "id": str(group.pk),
            "meta": {
                "resourceType": "Group",
                "location": self.request.build_absolute_uri(
                    reverse(
                        "authentik_sources_scim:v2-groups",
                        kwargs={
                            "source_slug": self.kwargs["source_slug"],
                            "group_id": str(group.pk),
                        },
                    )
                ),
            },
            "displayName": group.name,
            "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
        }
    def get(self, request: Request, group_id: Optional[str] = None, **kwargs) -> Response:
        """List Group handler"""
        if group_id:
            group = Group.objects.filter(pk=group_id).first()
            if not group:
                raise Http404
            return Response(self.group_to_scim(group))
        groups = Group.objects.all().order_by("pk")
        per_page = 50
        paginator = Paginator(groups, per_page=per_page)
        start_index = int(request.query_params.get("startIndex", 1))
        page = paginator.page(int(max(start_index / per_page, 1)))
        return Response(
            {
                "totalResults": paginator.count,
                "itemsPerPage": per_page,
                "startIndex": page.start_index(),
                "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
                "Resources": [self.group_to_scim(group) for group in page],
            }
        )
    def update_group(self, group: Group, data: QueryDict) -> Group:
        """Partial update a group"""
        if "displayName" in data:
            group.name = data.get("displayName")
        return group
    def post(self, request: Request, **kwargs) -> Response:
        """Create group handler"""
        group = Group.objects.filter(name=request.data.get("displayName")).first()
        if group:
            LOGGER.debug("Found existing group")
            return Response(status=409)
        group = self.update_group(Group(), request.data)
        group.save()
        return Response(self.group_to_scim(group), status=201)
    def patch(self, request: Request, group_id: str, **kwargs) -> Response:
        """Update group handler"""
        group: Optional[Group] = Group.objects.filter(pk=group_id).first()
        if not group:
            raise Http404
        if request.data.get("schemas", []) != ["urn:ietf:params:scim:api:messages:2.0:PatchOp"]:
            return Response(status=400)
        try:
            with atomic():
                for op in request.data.get("Operations", []):
                    path = self.patch_parse_path(op["path"])
                    operation = op["op"]
                    raw_value = op.get("value", None)
                    values = []
                    for value in raw_value:
                        values.append(self.patch_resolve_value(value))
                    match operation:
                        case "add":
                            group.users.add(*[x.pk for x in values])
                        case "remove":
                            pass
                return Response(self.group_to_scim(group), status=200)
        except (KeyError, PatchError):
            return Response(status=400)
    def put(self, request: Request, group_id: str, **kwargs) -> Response:
        """Update group handler"""
        group: Optional[Group] = Group.objects.filter(pk=group_id).first()
        if not group:
            raise Http404
        self.update_group(group, request.data)
        group.save()
        return Response(self.group_to_scim(group), status=200)
    def delete(self, request: Request, group_id: str, **kwargs) -> Response:
        """Delete group handler"""
        group: Optional[Group] = Group.objects.filter(pk=group_id).first()
        if not group:
            raise Http404
        group.delete()
        return Response(
            {},
            status=204,
            headers={
                "Content-Type": SCIM_CONTENT_TYPE,
            },
        )
--- a/authentik/sources/scim/views/v2/resource_types.py
+++ b/authentik/sources/scim/views/v2/resource_types.py
@ -0,0 +1,153 @@
 """SCIM Meta views"""
 from typing import Optional
 from django.http import Http404
 from django.urls import reverse
 from rest_framework.request import Request
 from rest_framework.response import Response
 from authentik.sources.scim.views.v2.base import SCIMView
 class ResourceTypesView(SCIMView):
    """https://ldapwiki.com/wiki/SCIM%20ResourceTypes%20endpoint"""
    def get_resource_types(self):
        """List all resource types"""
        return [
            {
                "id": "ServiceProviderConfig",
                "name": "ServiceProviderConfig",
                "description": "the service providers configuration",
                "endpoint": "/ServiceProviderConfig",
                "schema": "urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig",
                "schemas": [
                    "urn:ietf:params:scim:schemas:core:2.0:ResourceType",
                ],
                "meta": {
                    "resourceType": "ResourceType",
                    "location": self.request.build_absolute_uri(
                        reverse(
                            "authentik_sources_scim:v2-resource-types",
                            kwargs={
                                "source_slug": self.kwargs["source_slug"],
                                "resource_type": "ServiceProviderConfig",
                            },
                        )
                    ),
                },
            },
            {
                "id": "ResourceType",
                "name": "ResourceType",
                "description": "ResourceType",
                "endpoint": "/ResourceTypes",
                "schema": "urn:ietf:params:scim:schemas:core:2.0:ResourceType",
                "schemas": [
                    "urn:ietf:params:scim:schemas:core:2.0:ResourceType",
                ],
                "meta": {
                    "resourceType": "ResourceType",
                    "location": self.request.build_absolute_uri(
                        reverse(
                            "authentik_sources_scim:v2-resource-types",
                            kwargs={
                                "source_slug": self.kwargs["source_slug"],
                                "resource_type": "ResourceType",
                            },
                        )
                    ),
                },
            },
            {
                "id": "Schema",
                "name": "Schema",
                "description": "Schema endpoint description",
                "endpoint": "/Schemas",
                "schema": "urn:ietf:params:scim:schemas:core:2.0:Schema",
                "schemas": [
                    "urn:ietf:params:scim:schemas:core:2.0:ResourceType",
                ],
                "meta": {
                    "resourceType": "ResourceType",
                    "location": self.request.build_absolute_uri(
                        reverse(
                            "authentik_sources_scim:v2-resource-types",
                            kwargs={
                                "source_slug": self.kwargs["source_slug"],
                                "resource_type": "Schema",
                            },
                        )
                    ),
                },
            },
            {
                "id": "User",
                "name": "User",
                "endpoint": "/Users",
                "description": "https://tools.ietf.org/html/rfc7643#section-8.7.1",
                "schemas": ["urn:ietf:params:scim:schemas:core:2.0:ResourceType"],
                "schema": "urn:ietf:params:scim:schemas:core:2.0:User",
                "schemaExtensions": [
                    {
                        "schema": "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User",
                        "required": True,
                    }
                ],
                "meta": {
                    "location": self.request.build_absolute_uri(
                        reverse(
                            "authentik_sources_scim:v2-resource-types",
                            kwargs={
                                "source_slug": self.kwargs["source_slug"],
                                "resource_type": "User",
                            },
                        )
                    ),
                    "resourceType": "ResourceType",
                },
            },
            {
                "id": "Group",
                "name": "Group",
                "description": "Group",
                "endpoint": "/Groups",
                "schema": "urn:ietf:params:scim:schemas:core:2.0:Group",
                "schemas": [
                    "urn:ietf:params:scim:schemas:core:2.0:ResourceType",
                ],
                "meta": {
                    "resourceType": "ResourceType",
                    "location": self.request.build_absolute_uri(
                        reverse(
                            "authentik_sources_scim:v2-resource-types",
                            kwargs={
                                "source_slug": self.kwargs["source_slug"],
                                "resource_type": "Group",
                            },
                        )
                    ),
                },
            },
        ]
    # pylint: disable=unused-argument
    def get(
        self, request: Request, source_slug: str, resource_type: Optional[str] = None
    ) -> Response:
        """Get resource types as SCIM response"""
        resource_types = self.get_resource_types()
        if resource_type:
            resource = [x for x in resource_types if x.get("id") == resource_type]
            if resource:
                return Response(resource[0])
            raise Http404
        return Response(
            {
                "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
                "totalResults": len(resource_types),
                "itemsPerPage": len(resource_types),
                "startIndex": 1,
                "Resources": resource_types,
            }
        )
--- a/authentik/sources/scim/views/v2/schemas.py
+++ b/authentik/sources/scim/views/v2/schemas.py
@ -0,0 +1,52 @@
 """Schema Views"""
 from json import loads
 from typing import Optional
 from django.http import Http404
 from django.urls import reverse
 from rest_framework.request import Request
 from rest_framework.response import Response
 from authentik.sources.scim.views.v2.base import SCIMView
 with open("authentik/sources/scim/schemas/schema.json", "r", encoding="utf-8") as SCHEMA_FILE:
    _raw_schemas = loads(SCHEMA_FILE.read())
 class SchemaView(SCIMView):
    """https://ldapwiki.com/wiki/SCIM%20Schemas%20Attribute"""
    def get_schemas(self):
        """List of all schemas"""
        schemas = []
        for raw_schema in _raw_schemas:
            raw_schema["meta"]["location"] = self.request.build_absolute_uri(
                reverse(
                    "authentik_sources_scim:v2-schema",
                    kwargs={
                        "source_slug": self.kwargs["source_slug"],
                        "schema_uri": raw_schema["id"],
                    },
                )
            )
            schemas.append(raw_schema)
        return schemas
    # pylint: disable=unused-argument
    def get(self, request: Request, source_slug: str, schema_uri: Optional[str] = None) -> Response:
        """Get schemas as SCIM response"""
        schemas = self.get_schemas()
        if schema_uri:
            schema = [x for x in schemas if x.get("id") == schema_uri]
            if schema:
                return Response(schema[0])
            raise Http404
        return Response(
            {
                "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
                "totalResults": len(schemas),
                "itemsPerPage": len(schemas),
                "startIndex": 1,
                "Resources": schemas,
            }
        )
--- a/authentik/sources/scim/views/v2/service_provider_config.py
+++ b/authentik/sources/scim/views/v2/service_provider_config.py
@ -0,0 +1,35 @@
 """SCIM Meta views"""
 from rest_framework.request import Request
 from rest_framework.response import Response
 from authentik.sources.scim.views.v2.base import SCIMView
 class ServiceProviderConfigView(SCIMView):
    """ServiceProviderConfig, https://ldapwiki.com/wiki/SCIM%20ServiceProviderConfig%20endpoint"""
    # pylint: disable=unused-argument
    def get(self, request: Request, source_slug: str) -> Response:
        """Get ServiceProviderConfig"""
        return Response(
            {
                "schemas": ["urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig"],
                "authenticationSchemes": [
                    {
                        "type": "oauthbearertoken",
                        "name": "OAuth Bearer Token",
                        "description": (
                            "Authentication scheme using the OAuth Bearer Token Standard"
                        ),
                        "specUri": "https://www.rfc-editor.org/info/rfc6750",
                        "primary": True,
                    },
                ],
                "patch": {"supported": True},
                "bulk": {"supported": False, "maxOperations": 0, "maxPayloadSize": 0},
                "filter": {"supported": False, "maxResults": 200},
                "changePassword": {"supported": False},
                "sort": {"supported": False},
                "etag": {"supported": False},
            }
        )
--- a/authentik/sources/scim/views/v2/users.py
+++ b/authentik/sources/scim/views/v2/users.py
@ -0,0 +1,154 @@
 """SCIM User Views"""
 from typing import Optional
 from django.core.paginator import Paginator
 from django.http import Http404, QueryDict
 from django.urls import reverse
 from guardian.shortcuts import get_anonymous_user
 from rest_framework.exceptions import ValidationError
 from rest_framework.request import Request
 from rest_framework.response import Response
 from structlog.stdlib import get_logger
 from authentik.core.models import User
 from authentik.sources.scim.models import (
    USER_ATTRIBUTE_SCIM_ADDRESS,
    USER_ATTRIBUTE_SCIM_ENTERPRISE,
    USER_ATTRIBUTE_SCIM_ID,
 )
 from authentik.sources.scim.views.v2.base import SCIM_CONTENT_TYPE, SCIMView
 LOGGER = get_logger()
 class UsersView(SCIMView):
    """SCIM User view"""
    def get_email(self, data: list[dict]) -> str:
        """Wrapper to get primary email or first email"""
        for email in data:
            if email.get("primary", False):
                return email.get("value")
        return data[0].get("value")
    def user_to_scim(self, user: User) -> dict:
        """Convert User to SCIM data"""
        payload = {
            "id": str(user.pk),
            "meta": {
                "resourceType": "User",
                "created": user.date_joined,
                # TODO: use events to find last edit?
                "lastModified": user.date_joined,
                "location": self.request.build_absolute_uri(
                    reverse(
                        "authentik_sources_scim:v2-users",
                        kwargs={
                            "source_slug": self.kwargs["source_slug"],
                            "user_id": str(user.pk),
                        },
                    )
                ),
            },
            "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": user.attributes.get(
                USER_ATTRIBUTE_SCIM_ENTERPRISE, {}
            ),
            "schemas": [
                "urn:ietf:params:scim:schemas:core:2.0:User",
                "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User",
            ],
            "userName": user.username,
            "name": {},
            "displayName": user.name,
            "active": user.is_active,
            "emails": [{"value": user.email, "type": "work", "primary": True}],
        }
        if USER_ATTRIBUTE_SCIM_ID in user.attributes:
            payload["externalId"] = user.attributes[USER_ATTRIBUTE_SCIM_ID]
        return payload
    def get(self, request: Request, user_id: Optional[str] = None, **kwargs) -> Response:
        """List User handler"""
        if user_id:
            user = User.objects.filter(pk=user_id).first()
            if not user:
                raise Http404
            return Response(self.user_to_scim(user))
        users = User.objects.all().exclude(pk=get_anonymous_user().pk).order_by("pk")
        per_page = 50
        paginator = Paginator(users, per_page=per_page)
        start_index = int(request.query_params.get("startIndex", 1))
        page = paginator.page(int(max(start_index / per_page, 1)))
        return Response(
            {
                "totalResults": paginator.count,
                "itemsPerPage": per_page,
                "startIndex": page.start_index(),
                "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
                "Resources": [self.user_to_scim(user) for user in page],
            }
        )
    def update_user(self, user: User, data: QueryDict) -> User:
        """Partial update a user"""
        if "userName" in data:
            user.username = data.get("userName")
        if "name" in data:
            user.name = data.get("name", {}).get("formatted", data.get("displayName"))
        if "emails" in data:
            user.email = self.get_email(data.get("emails"))
        if "active" in data:
            user.is_active = data.get("active")
        if "externalId" in data:
            user.attributes[USER_ATTRIBUTE_SCIM_ID] = data.get("externalId")
        if "addresses" in data:
            user.attributes[USER_ATTRIBUTE_SCIM_ADDRESS] = data.get("addresses")
        if "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User" in data:
            user.attributes[USER_ATTRIBUTE_SCIM_ENTERPRISE] = data.get(
                "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
            )
        if user.username == "":
            raise ValidationError("Invalid user")
        return user
    def post(self, request: Request, **kwargs) -> Response:
        """Create user handler"""
        user = User.objects.filter(
            **{
                f"attributes__{USER_ATTRIBUTE_SCIM_ID}": request.data.get("externalId"),
                "username": request.data.get("userName"),
            }
        ).first()
        if user:
            LOGGER.debug("Found existing user")
            return Response(status=409)
        user = self.update_user(User(), request.data)
        user.save()
        return Response(self.user_to_scim(user), status=201)
    def patch(self, request: Request, user_id: str, **kwargs) -> Response:
        """Update user handler"""
        return self.put(request, user_id, **kwargs)
    def put(self, request: Request, user_id: str, **kwargs) -> Response:
        """Update user handler"""
        user: Optional[User] = User.objects.filter(pk=user_id).first()
        if not user:
            raise Http404
        self.update_user(user, request.data)
        user.save()
        return Response(self.user_to_scim(user), status=200)
    def delete(self, request: Request, user_id: str, **kwargs) -> Response:
        """Delete user handler"""
        user: Optional[User] = User.objects.filter(pk=user_id).first()
        if not user:
            raise Http404
        user.delete()
        return Response(
            {},
            status=204,
            headers={
                "Content-Type": SCIM_CONTENT_TYPE,
            },
        )
--- a/authentik/stages/email/stage.py
+++ b/authentik/stages/email/stage.py
@ -1,5 +1,6 @@
 """authentik multi-stage authentication engine"""
 from datetime import timedelta
 from uuid import uuid4
 from django.contrib import messages
 from django.http import HttpRequest, HttpResponse
@ -52,17 +53,13 @@ class EmailStageView(ChallengeStageView):
            kwargs={"flow_slug": self.executor.flow.slug},
        )
        # Parse query string from current URL (full query string)
-        query_params = QueryDict(self.request.META.get("QUERY_STRING", ""), mutable=True)
+        # this view is only run within a flow executor, where we need to get the query string
        # from the query= parameter (double encoded); but for the redirect
        # we need to expand it since it'll go through the flow interface
        query_params = QueryDict(self.request.GET.get(QS_QUERY), mutable=True)
        query_params.pop(QS_KEY_TOKEN, None)
        # Check for nested query string used by flow executor, and remove any
        # kind of flow token from that
        if QS_QUERY in query_params:
            inner_query_params = QueryDict(query_params.get(QS_QUERY), mutable=True)
            inner_query_params.pop(QS_KEY_TOKEN, None)
            query_params[QS_QUERY] = inner_query_params.urlencode()
        query_params.update(kwargs)
        print(query_params)
        full_url = base_url
        if len(query_params) > 0:
            full_url = f"{full_url}?{query_params.urlencode()}"
@ -75,7 +72,7 @@ class EmailStageView(ChallengeStageView):
        valid_delta = timedelta(
            minutes=current_stage.token_expiry + 1
        )  # + 1 because django timesince always rounds down
-        identifier = slugify(f"ak-email-stage-{current_stage.name}-{pending_user}")
+        identifier = slugify(f"ak-email-stage-{current_stage.name}-{str(uuid4())}")
        # Don't check for validity here, we only care if the token exists
        tokens = FlowToken.objects.filter(identifier=identifier)
        if not tokens.exists():
--- a/authentik/stages/email/tests/test_stage.py
+++ b/authentik/stages/email/tests/test_stage.py
@ -259,7 +259,7 @@ class TestEmailStage(FlowTestCase):
        session.save()
        url = reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug})
-        url += "?foo=bar"
+        url += "?query=" + urlencode({"foo": "bar"})
        request = self.factory.get(url)
        stage_view = EmailStageView(
            FlowExecutorView(
@ -273,31 +273,3 @@ class TestEmailStage(FlowTestCase):
            stage_view.get_full_url(**{QS_KEY_TOKEN: token}),
            f"http://testserver/if/flow/{self.flow.slug}/?foo=bar&flow_token={token}",
        )
    def test_url_existing_params_nested(self):
        """Test to ensure that URL params are preserved in the URL being sent (including nested)"""
        plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
        plan.context[PLAN_CONTEXT_PENDING_USER] = self.user
        session = self.client.session
        session[SESSION_KEY_PLAN] = plan
        session.save()
        url = reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug})
        url += "?foo=bar&"
        url += "query=" + urlencode({"nested": "value"})
        request = self.factory.get(url)
        stage_view = EmailStageView(
            FlowExecutorView(
                request=request,
                flow=self.flow,
            ),
            request=request,
        )
        token = generate_id()
        self.assertEqual(
            stage_view.get_full_url(**{QS_KEY_TOKEN: token}),
            (
                f"http://testserver/if/flow/{self.flow.slug}"
                f"/?foo=bar&query=nested%3Dvalue&flow_token={token}"
            ),
        )
--- a/blueprints/schema.json
+++ b/blueprints/schema.json
@ -1521,6 +1521,43 @@
                            }
                        }
                    },
                    {
                        "type": "object",
                        "required": [
                            "model",
                            "identifiers"
                        ],
                        "properties": {
                            "model": {
                                "const": "authentik_sources_scim.scimsource"
                            },
                            "id": {
                                "type": "string"
                            },
                            "state": {
                                "type": "string",
                                "enum": [
                                    "absent",
                                    "present",
                                    "created",
                                    "must_created"
                                ],
                                "default": "present"
                            },
                            "conditions": {
                                "type": "array",
                                "items": {
                                    "type": "boolean"
                                }
                            },
                            "attrs": {
                                "$ref": "#/$defs/model_authentik_sources_scim.scimsource"
                            },
                            "identifiers": {
                                "$ref": "#/$defs/model_authentik_sources_scim.scimsource"
                            }
                        }
                    },
                    {
                        "type": "object",
                        "required": [
@ -3452,6 +3489,7 @@
                        "authentik.sources.oauth",
                        "authentik.sources.plex",
                        "authentik.sources.saml",
                        "authentik.sources.scim",
                        "authentik.stages.authenticator",
                        "authentik.stages.authenticator_duo",
                        "authentik.stages.authenticator_sms",
@ -3527,6 +3565,7 @@
                        "authentik_sources_plex.plexsourceconnection",
                        "authentik_sources_saml.samlsource",
                        "authentik_sources_saml.usersamlsourceconnection",
                        "authentik_sources_scim.scimsource",
                        "authentik_stages_authenticator_duo.authenticatorduostage",
                        "authentik_stages_authenticator_duo.duodevice",
                        "authentik_stages_authenticator_sms.authenticatorsmsstage",
@ -5700,6 +5739,74 @@
            },
            "required": []
        },
        "model_authentik_sources_scim.scimsource": {
            "type": "object",
            "properties": {
                "name": {
                    "type": "string",
                    "minLength": 1,
                    "title": "Name",
                    "description": "Source's display Name."
                },
                "slug": {
                    "type": "string",
                    "maxLength": 50,
                    "minLength": 1,
                    "pattern": "^[-a-zA-Z0-9_]+$",
                    "title": "Slug",
                    "description": "Internal source name, used in URLs."
                },
                "enabled": {
                    "type": "boolean",
                    "title": "Enabled"
                },
                "authentication_flow": {
                    "type": "integer",
                    "title": "Authentication flow",
                    "description": "Flow to use when authenticating existing users."
                },
                "enrollment_flow": {
                    "type": "integer",
                    "title": "Enrollment flow",
                    "description": "Flow to use when enrolling new users."
                },
                "policy_engine_mode": {
                    "type": "string",
                    "enum": [
                        "all",
                        "any"
                    ],
                    "title": "Policy engine mode"
                },
                "user_matching_mode": {
                    "type": "string",
                    "enum": [
                        "identifier",
                        "email_link",
                        "email_deny",
                        "username_link",
                        "username_deny"
                    ],
                    "title": "User matching mode",
                    "description": "How the source determines if an existing user should be authenticated or a new user enrolled."
                },
                "user_path_template": {
                    "type": "string",
                    "minLength": 1,
                    "title": "User path template"
                },
                "icon": {
                    "type": "string",
                    "minLength": 1,
                    "title": "Icon"
                },
                "token": {
                    "type": "integer",
                    "title": "Token"
                }
            },
            "required": []
        },
        "model_authentik_stages_authenticator_duo.authenticatorduostage": {
            "type": "object",
            "properties": {
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -32,7 +32,7 @@ services:
    volumes:
      - redis:/data
  server:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2023.10.2}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2023.10.3}
    restart: unless-stopped
    command: server
    environment:
@ -53,7 +53,7 @@ services:
      - postgresql
      - redis
  worker:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2023.10.2}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2023.10.3}
    restart: unless-stopped
    command: worker
    environment:
--- a/go.mod
+++ b/go.mod
@ -13,24 +13,24 @@ require (
 	github.com/go-openapi/strfmt v0.21.7
 	github.com/golang-jwt/jwt v3.2.2+incompatible
 	github.com/google/uuid v1.4.0
-	github.com/gorilla/handlers v1.5.1
+	github.com/gorilla/handlers v1.5.2
-	github.com/gorilla/mux v1.8.0
+	github.com/gorilla/mux v1.8.1
-	github.com/gorilla/securecookie v1.1.1
+	github.com/gorilla/securecookie v1.1.2
-	github.com/gorilla/sessions v1.2.1
+	github.com/gorilla/sessions v1.2.2
-	github.com/gorilla/websocket v1.5.0
+	github.com/gorilla/websocket v1.5.1
 	github.com/jellydator/ttlcache/v3 v3.1.0
 	github.com/mitchellh/mapstructure v1.5.0
 	github.com/nmcclain/asn1-ber v0.0.0-20170104154839-2661553a0484
 	github.com/pires/go-proxyproto v0.7.0
 	github.com/prometheus/client_golang v1.17.0
-	github.com/redis/go-redis/v9 v9.2.1
+	github.com/redis/go-redis/v9 v9.3.0
 	github.com/sirupsen/logrus v1.9.3
-	github.com/spf13/cobra v1.7.0
+	github.com/spf13/cobra v1.8.0
 	github.com/stretchr/testify v1.8.4
-	goauthentik.io/api/v3 v3.2023101.1
+	goauthentik.io/api/v3 v3.2023103.2
 	golang.org/x/exp v0.0.0-20230210204819-062eb4c674ab
-	golang.org/x/oauth2 v0.13.0
+	golang.org/x/oauth2 v0.14.0
-	golang.org/x/sync v0.4.0
+	golang.org/x/sync v0.5.0
 	gopkg.in/yaml.v2 v2.4.0
 	layeh.com/radius v0.0.0-20210819152912-ad72663a72ab
 )
@ -42,7 +42,7 @@ require (
 	github.com/cespare/xxhash/v2 v2.2.0 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
-	github.com/felixge/httpsnoop v1.0.1 // indirect
+	github.com/felixge/httpsnoop v1.0.3 // indirect
 	github.com/go-asn1-ber/asn1-ber v1.5.5 // indirect
 	github.com/go-http-utils/fresh v0.0.0-20161124030543-7231e26a4b27 // indirect
 	github.com/go-http-utils/headers v0.0.0-20181008091004-fed159eddc2a // indirect
@ -72,10 +72,10 @@ require (
 	go.mongodb.org/mongo-driver v1.11.3 // indirect
 	go.opentelemetry.io/otel v1.14.0 // indirect
 	go.opentelemetry.io/otel/trace v1.14.0 // indirect
-	golang.org/x/crypto v0.14.0 // indirect
+	golang.org/x/crypto v0.15.0 // indirect
-	golang.org/x/net v0.17.0 // indirect
+	golang.org/x/net v0.18.0 // indirect
-	golang.org/x/sys v0.13.0 // indirect
+	golang.org/x/sys v0.14.0 // indirect
-	golang.org/x/text v0.13.0 // indirect
+	golang.org/x/text v0.14.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/protobuf v1.31.0 // indirect
 	gopkg.in/square/go-jose.v2 v2.5.1 // indirect
--- a/go.sum
+++ b/go.sum
@ -62,7 +62,7 @@ github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDk
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
 github.com/coreos/go-oidc v2.2.1+incompatible h1:mh48q/BqXqgjVHpy2ZY7WnWAbenxRjsz9N1i1YxjHAk=
 github.com/coreos/go-oidc v2.2.1+incompatible/go.mod h1:CgnwVTmzoESiwO9qyAFEMiHoZ1nMCKZlZ9V6mm3/LKc=
-github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
+github.com/cpuguy83/go-md2man/v2 v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
@ -73,8 +73,8 @@ github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymF
 github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
-github.com/felixge/httpsnoop v1.0.1 h1:lvB5Jl89CsZtGIWuTcDM1E/vkVs49/Ml7JJe07l8SPQ=
+github.com/felixge/httpsnoop v1.0.3 h1:s/nj+GCswXYzN5v2DpNMuMQYe+0DDwt5WVCU6CWBdXk=
-github.com/felixge/httpsnoop v1.0.1/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
+github.com/felixge/httpsnoop v1.0.3/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
 github.com/getsentry/sentry-go v0.25.0 h1:q6Eo+hS+yoJlTO3uu/azhQadsD8V+jQn2D8VvX1eOyI=
 github.com/getsentry/sentry-go v0.25.0/go.mod h1:lc76E2QywIyW8WuBnwl8Lc4bkmQH4+w1gwTf25trprY=
 github.com/go-asn1-ber/asn1-ber v1.5.5 h1:MNHlNMBDgEKD4TcKr36vQN68BA00aDfjIt3/bD50WnA=
@ -200,6 +200,8 @@ github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
 github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
 github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
 github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0=
 github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
@ -216,16 +218,16 @@ github.com/google/uuid v1.4.0 h1:MtMxsa51/r9yyhkyLsVeVt0B+BGQZzpQiTQ4eHZ8bc4=
 github.com/google/uuid v1.4.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
 github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
-github.com/gorilla/handlers v1.5.1 h1:9lRY6j8DEeeBT10CvO9hGW0gmky0BprnvDI5vfhUHH4=
+github.com/gorilla/handlers v1.5.2 h1:cLTUSsNkgcwhgRqvCNmdbRWG0A3N4F+M2nWKdScwyEE=
-github.com/gorilla/handlers v1.5.1/go.mod h1:t8XrUpc4KVXb7HGyJ4/cEnwQiaxrX/hz1Zv/4g96P1Q=
+github.com/gorilla/handlers v1.5.2/go.mod h1:dX+xVpaxdSw+q0Qek8SSsl3dfMk3jNddUkMzo0GtH0w=
-github.com/gorilla/mux v1.8.0 h1:i40aqfkR1h2SlN9hojwV5ZA91wcXFOvkdNIeFDP5koI=
+github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY=
-github.com/gorilla/mux v1.8.0/go.mod h1:DVbg23sWSpFRCP0SfiEN6jmj59UnW/n46BH5rLB71So=
+github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ=
-github.com/gorilla/securecookie v1.1.1 h1:miw7JPhV+b/lAHSXz4qd/nN9jRiAFV5FwjeKyCS8BvQ=
+github.com/gorilla/securecookie v1.1.2 h1:YCIWL56dvtr73r6715mJs5ZvhtnY73hBvEF8kXD8ePA=
-github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4=
+github.com/gorilla/securecookie v1.1.2/go.mod h1:NfCASbcHqRSY+3a8tlWJwsQap2VX5pwzwo4h3eOamfo=
-github.com/gorilla/sessions v1.2.1 h1:DHd3rPN5lE3Ts3D8rKkQ8x/0kqfeNmBAaiSi+o7FsgI=
+github.com/gorilla/sessions v1.2.2 h1:lqzMYz6bOfvn2WriPUjNByzeXIlVzURcPmgMczkmTjY=
-github.com/gorilla/sessions v1.2.1/go.mod h1:dk2InVEVJ0sfLlnXv9EAgkf6ecYs/i80K/zI+bUmuGM=
+github.com/gorilla/sessions v1.2.2/go.mod h1:ePLdVu+jbEgHH+KWw8I1z2wqd0BAdAQh/8LRvBeoNcQ=
-github.com/gorilla/websocket v1.5.0 h1:PPwGk2jz7EePpoHN/+ClbZu8SPxiqlu12wZP/3sWmnc=
+github.com/gorilla/websocket v1.5.1 h1:gmztn0JnHVt9JZquRuzLw3g4wouNVzKL15iLr/zn/QY=
-github.com/gorilla/websocket v1.5.0/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
+github.com/gorilla/websocket v1.5.1/go.mod h1:x3kM2JMyaluk02fnUJpQuwD2dCS5NDG2ZHL0uE0tcaY=
 github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
@ -295,8 +297,8 @@ github.com/prometheus/common v0.44.0 h1:+5BrQJwiBB9xsMygAB3TNvpQKOwlkc25LbISbrdO
 github.com/prometheus/common v0.44.0/go.mod h1:ofAIvZbQ1e/nugmZGz4/qCb9Ap1VoSTIO7x0VV9VvuY=
 github.com/prometheus/procfs v0.11.1 h1:xRC8Iq1yyca5ypa9n1EZnWZkt7dwcoRPQwX/5gwaUuI=
 github.com/prometheus/procfs v0.11.1/go.mod h1:eesXgaPo1q7lBpVMoMy0ZOFTth9hBn4W/y0/p/ScXhY=
-github.com/redis/go-redis/v9 v9.2.1 h1:WlYJg71ODF0dVspZZCpYmoF1+U1Jjk9Rwd7pq6QmlCg=
+github.com/redis/go-redis/v9 v9.3.0 h1:RiVDjmig62jIWp7Kk4XVLs0hzV6pI3PyTnnL0cnn0u0=
-github.com/redis/go-redis/v9 v9.2.1/go.mod h1:hdY0cQFCN4fnSYT6TkisLufl/4W5UIXyv0b/CLO2V2M=
+github.com/redis/go-redis/v9 v9.3.0/go.mod h1:hdY0cQFCN4fnSYT6TkisLufl/4W5UIXyv0b/CLO2V2M=
 github.com/rogpeppe/go-internal v1.1.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
 github.com/rogpeppe/go-internal v1.2.2/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
@ -309,8 +311,8 @@ github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6Mwd
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/spf13/cobra v0.0.3/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ=
-github.com/spf13/cobra v1.7.0 h1:hyqWnYt1ZQShIddO5kBpj3vu05/++x6tJ6dg8EC572I=
+github.com/spf13/cobra v1.8.0 h1:7aJaZx1B85qltLMc546zn58BxxfZdR/W22ej9CFoEf0=
-github.com/spf13/cobra v1.7.0/go.mod h1:uLxZILRyS/50WlhOIKD7W6V5bgeIt+4sICxh6uRMrb0=
+github.com/spf13/cobra v1.8.0/go.mod h1:WXLWApfZ71AjXPya3WOlMsY9yMs7YeiHhFVlvLyhcho=
 github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
@ -356,8 +358,8 @@ go.opentelemetry.io/otel/trace v1.14.0 h1:wp2Mmvj41tDsyAJXiWDWpfNsOiIyd38fy85pyK
 go.opentelemetry.io/otel/trace v1.14.0/go.mod h1:8avnQLK+CG77yNLUae4ea2JDQ6iT+gozhnZjy/rw9G8=
 go.uber.org/goleak v1.2.1 h1:NBol2c7O1ZokfZ0LEU9K6Whx/KnwvepVetCUhtKja4A=
 go.uber.org/goleak v1.2.1/go.mod h1:qlT2yGI9QafXHhZZLxlSuNsMw3FFLxBr+tBRlmO1xH4=
-goauthentik.io/api/v3 v3.2023101.1 h1:KIQ4wmxjE+geAVB0wBfmxW9Uzo/tA0dbd2hSUJ7YJ3M=
+goauthentik.io/api/v3 v3.2023103.2 h1:k3GOGc5vVfxkS8+a8KjQaqAOPfpCqDYLEIjKEewrxwo=
-goauthentik.io/api/v3 v3.2023101.1/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
+goauthentik.io/api/v3 v3.2023103.2/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
 golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190422162423-af44ce270edf/go.mod h1:WFFai1msRO1wXaEeE5yQxYXgSfI8pQAWXbQop6sCtWE=
@ -370,8 +372,8 @@ golang.org/x/crypto v0.0.0-20200709230013-948cd5f35899/go.mod h1:LzIPMQfyMNhhGPh
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
-golang.org/x/crypto v0.14.0 h1:wBqGXzWJW6m1XrIKlAH0Hs1JJ7+9KBwnIO8v66Q9cHc=
+golang.org/x/crypto v0.15.0 h1:frVn1TEaCEaZcn3Tmd7Y2b5KKPaZ+I32Q2OA3kYp5TA=
-golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4=
+golang.org/x/crypto v0.15.0/go.mod h1:4ChreQoLWfG3xLDer1WdlH5NdlQ3+mwnQq1YTKY+72g=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@ -438,16 +440,16 @@ golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qx
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
-golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM=
+golang.org/x/net v0.18.0 h1:mIYleuAkSbHh0tCv7RvjL3F6ZVbLjq4+R7zbOn3Kokg=
-golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE=
+golang.org/x/net v0.18.0/go.mod h1:/czyP5RqHAH4odGYxBJ1qz0+CE5WZ+2j1YgoEo8F2jQ=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.13.0 h1:jDDenyj+WgFtmV3zYVoi8aE2BwtXFLWOA67ZfNWftiY=
+golang.org/x/oauth2 v0.14.0 h1:P0Vrf/2538nmC0H+pEQ3MNFRRnVR7RlqyVw+bvm26z0=
-golang.org/x/oauth2 v0.13.0/go.mod h1:/JMhi4ZRXAf4HG9LiNmxvk+45+96RUlVThiH8FzNBn0=
+golang.org/x/oauth2 v0.14.0/go.mod h1:lAtNWgaWfL4cm7j2OV8TxGi9Qb7ECORx8DktCY74OwM=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@ -460,8 +462,8 @@ golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.4.0 h1:zxkM55ReGkDlKSM+Fu41A+zmbZuaPVbGMzvvdUPznYQ=
+golang.org/x/sync v0.5.0 h1:60k92dhOjHxJkrqnwsfl8KuaHbn/5dl0lUPUklKo3qE=
-golang.org/x/sync v0.4.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
+golang.org/x/sync v0.5.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@ -502,8 +504,8 @@ golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE=
+golang.org/x/sys v0.14.0 h1:Vz7Qs629MkJkGyHxUlRHizWJRG2j8fbQKjELVSNhy7Q=
-golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.14.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
@ -519,8 +521,9 @@ golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k=
 golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
--- a/internal/config/struct.go
+++ b/internal/config/struct.go
@ -27,14 +27,11 @@ type Config struct {
 type RedisConfig struct {
 	Host                   string `yaml:"host" env:"AUTHENTIK_REDIS__HOST"`
 	Port                   int    `yaml:"port" env:"AUTHENTIK_REDIS__PORT"`
 	DB                     int    `yaml:"db" env:"AUTHENTIK_REDIS__DB"`
 	Username               string `yaml:"username" env:"AUTHENTIK_REDIS__USERNAME"`
 	Password               string `yaml:"password" env:"AUTHENTIK_REDIS__PASSWORD"`
 	TLS                    bool   `yaml:"tls" env:"AUTHENTIK_REDIS__TLS"`
 	TLSReqs                string `yaml:"tls_reqs" env:"AUTHENTIK_REDIS__TLS_REQS"`
 	DB                     int    `yaml:"cache_db" env:"AUTHENTIK_REDIS__DB"`
 	CacheTimeout           int    `yaml:"cache_timeout" env:"AUTHENTIK_REDIS__CACHE_TIMEOUT"`
 	CacheTimeoutFlows      int    `yaml:"cache_timeout_flows" env:"AUTHENTIK_REDIS__CACHE_TIMEOUT_FLOWS"`
 	CacheTimeoutPolicies   int    `yaml:"cache_timeout_policies" env:"AUTHENTIK_REDIS__CACHE_TIMEOUT_POLICIES"`
 	CacheTimeoutReputation int    `yaml:"cache_timeout_reputation" env:"AUTHENTIK_REDIS__CACHE_TIMEOUT_REPUTATION"`
 }
 type ListenConfig struct {
--- a/internal/constants/constants.go
+++ b/internal/constants/constants.go
@ -29,4 +29,4 @@ func UserAgent() string {
 	return fmt.Sprintf("authentik@%s", FullVersion())
 }
-const VERSION = "2023.10.2"
+const VERSION = "2023.10.3"
--- a/internal/outpost/flow/executor.go
+++ b/internal/outpost/flow/executor.go
@ -29,16 +29,6 @@ var (
 		Name: "authentik_outpost_flow_timing_post_seconds",
 		Help: "Duration it took to send a challenge in seconds",
 	}, []string{"stage", "flow"})
 	// NOTE: the following metrics are kept for compatibility purpose
 	FlowTimingGetLegacy = promauto.NewHistogramVec(prometheus.HistogramOpts{
 		Name: "authentik_outpost_flow_timing_get",
 		Help: "Duration it took to get a challenge",
 	}, []string{"stage", "flow"})
 	FlowTimingPostLegacy = promauto.NewHistogramVec(prometheus.HistogramOpts{
 		Name: "authentik_outpost_flow_timing_post",
 		Help: "Duration it took to send a challenge",
 	}, []string{"stage", "flow"})
 )
 type SolverFunction func(*api.ChallengeTypes, api.ApiFlowsExecutorSolveRequest) (api.FlowChallengeResponseRequest, error)
@ -198,10 +188,6 @@ func (fe *FlowExecutor) getInitialChallenge() (*api.ChallengeTypes, error) {
 		"stage": ch.GetComponent(),
 		"flow":  fe.flowSlug,
 	}).Observe(float64(gcsp.EndTime.Sub(gcsp.StartTime)) / float64(time.Second))
 	FlowTimingGetLegacy.With(prometheus.Labels{
 		"stage": ch.GetComponent(),
 		"flow":  fe.flowSlug,
 	}).Observe(float64(gcsp.EndTime.Sub(gcsp.StartTime)))
 	return challenge, nil
 }
@ -259,10 +245,6 @@ func (fe *FlowExecutor) solveFlowChallenge(challenge *api.ChallengeTypes, depth
 		"stage": ch.GetComponent(),
 		"flow":  fe.flowSlug,
 	}).Observe(float64(scsp.EndTime.Sub(scsp.StartTime)) / float64(time.Second))
 	FlowTimingPostLegacy.With(prometheus.Labels{
 		"stage": ch.GetComponent(),
 		"flow":  fe.flowSlug,
 	}).Observe(float64(scsp.EndTime.Sub(scsp.StartTime)))
 	if depth >= 10 {
 		return false, errors.New("exceeded stage recursion depth")
--- a/internal/outpost/ldap/bind.go
+++ b/internal/outpost/ldap/bind.go
@ -22,11 +22,6 @@ func (ls *LDAPServer) Bind(bindDN string, bindPW string, conn net.Conn) (ldap.LD
 			"type":         "bind",
 			"app":          selectedApp,
 		}).Observe(float64(span.EndTime.Sub(span.StartTime)) / float64(time.Second))
 		metrics.RequestsLegacy.With(prometheus.Labels{
 			"outpost_name": ls.ac.Outpost.Name,
 			"type":         "bind",
 			"app":          selectedApp,
 		}).Observe(float64(span.EndTime.Sub(span.StartTime)))
 		req.Log().WithField("took-ms", span.EndTime.Sub(span.StartTime).Milliseconds()).Info("Bind request")
 	}()
@ -55,12 +50,6 @@ func (ls *LDAPServer) Bind(bindDN string, bindPW string, conn net.Conn) (ldap.LD
 		"reason":       "no_provider",
 		"app":          "",
 	}).Inc()
 	metrics.RequestsRejectedLegacy.With(prometheus.Labels{
 		"outpost_name": ls.ac.Outpost.Name,
 		"type":         "bind",
 		"reason":       "no_provider",
 		"app":          "",
 	}).Inc()
 	return ldap.LDAPResultInsufficientAccessRights, nil
 }
--- a/internal/outpost/ldap/bind/direct/bind.go
+++ b/internal/outpost/ldap/bind/direct/bind.go
@ -47,12 +47,6 @@ func (db *DirectBinder) Bind(username string, req *bind.Request) (ldap.LDAPResul
 			"reason":       "flow_error",
 			"app":          db.si.GetAppSlug(),
 		}).Inc()
 		metrics.RequestsRejectedLegacy.With(prometheus.Labels{
 			"outpost_name": db.si.GetOutpostName(),
 			"type":         "bind",
 			"reason":       "flow_error",
 			"app":          db.si.GetAppSlug(),
 		}).Inc()
 		req.Log().WithError(err).Warning("failed to execute flow")
 		return ldap.LDAPResultInvalidCredentials, nil
 	}
@ -63,12 +57,6 @@ func (db *DirectBinder) Bind(username string, req *bind.Request) (ldap.LDAPResul
 			"reason":       "invalid_credentials",
 			"app":          db.si.GetAppSlug(),
 		}).Inc()
 		metrics.RequestsRejectedLegacy.With(prometheus.Labels{
 			"outpost_name": db.si.GetOutpostName(),
 			"type":         "bind",
 			"reason":       "invalid_credentials",
 			"app":          db.si.GetAppSlug(),
 		}).Inc()
 		req.Log().Info("Invalid credentials")
 		return ldap.LDAPResultInvalidCredentials, nil
 	}
@ -82,12 +70,6 @@ func (db *DirectBinder) Bind(username string, req *bind.Request) (ldap.LDAPResul
 			"reason":       "access_denied",
 			"app":          db.si.GetAppSlug(),
 		}).Inc()
 		metrics.RequestsRejectedLegacy.With(prometheus.Labels{
 			"outpost_name": db.si.GetOutpostName(),
 			"type":         "bind",
 			"reason":       "access_denied",
 			"app":          db.si.GetAppSlug(),
 		}).Inc()
 		return ldap.LDAPResultInsufficientAccessRights, nil
 	}
 	if err != nil {
@ -97,12 +79,6 @@ func (db *DirectBinder) Bind(username string, req *bind.Request) (ldap.LDAPResul
 			"reason":       "access_check_fail",
 			"app":          db.si.GetAppSlug(),
 		}).Inc()
 		metrics.RequestsRejectedLegacy.With(prometheus.Labels{
 			"outpost_name": db.si.GetOutpostName(),
 			"type":         "bind",
 			"reason":       "access_check_fail",
 			"app":          db.si.GetAppSlug(),
 		}).Inc()
 		req.Log().WithError(err).Warning("failed to check access")
 		return ldap.LDAPResultOperationsError, nil
 	}
@ -117,12 +93,6 @@ func (db *DirectBinder) Bind(username string, req *bind.Request) (ldap.LDAPResul
 			"reason":       "user_info_fail",
 			"app":          db.si.GetAppSlug(),
 		}).Inc()
 		metrics.RequestsRejectedLegacy.With(prometheus.Labels{
 			"outpost_name": db.si.GetOutpostName(),
 			"type":         "bind",
 			"reason":       "user_info_fail",
 			"app":          db.si.GetAppSlug(),
 		}).Inc()
 		req.Log().WithError(err).Warning("failed to get user info")
 		return ldap.LDAPResultOperationsError, nil
 	}
--- a/internal/outpost/ldap/metrics/metrics.go
+++ b/internal/outpost/ldap/metrics/metrics.go
@ -22,16 +22,6 @@ var (
 		Name: "authentik_outpost_ldap_requests_rejected_total",
 		Help: "Total number of rejected requests",
 	}, []string{"outpost_name", "type", "reason", "app"})
 	// NOTE: the following metrics are kept for compatibility purpose
 	RequestsLegacy = promauto.NewHistogramVec(prometheus.HistogramOpts{
 		Name: "authentik_outpost_ldap_requests",
 		Help: "The total number of configured providers",
 	}, []string{"outpost_name", "type", "app"})
 	RequestsRejectedLegacy = promauto.NewCounterVec(prometheus.CounterOpts{
 		Name: "authentik_outpost_ldap_requests_rejected",
 		Help: "Total number of rejected requests",
 	}, []string{"outpost_name", "type", "reason", "app"})
 )
 func RunServer() {
--- a/internal/outpost/ldap/search.go
+++ b/internal/outpost/ldap/search.go
@ -23,11 +23,6 @@ func (ls *LDAPServer) Search(bindDN string, searchReq ldap.SearchRequest, conn n
 			"type":         "search",
 			"app":          selectedApp,
 		}).Observe(float64(span.EndTime.Sub(span.StartTime)) / float64(time.Second))
 		metrics.RequestsLegacy.With(prometheus.Labels{
 			"outpost_name": ls.ac.Outpost.Name,
 			"type":         "search",
 			"app":          selectedApp,
 		}).Observe(float64(span.EndTime.Sub(span.StartTime)))
 		req.Log().WithField("attributes", searchReq.Attributes).WithField("took-ms", span.EndTime.Sub(span.StartTime).Milliseconds()).Info("Search request")
 	}()
--- a/internal/outpost/ldap/search/direct/direct.go
+++ b/internal/outpost/ldap/search/direct/direct.go
@ -45,12 +45,6 @@ func (ds *DirectSearcher) Search(req *search.Request) (ldap.ServerSearchResult,
 			"reason":       "empty_bind_dn",
 			"app":          ds.si.GetAppSlug(),
 		}).Inc()
 		metrics.RequestsRejectedLegacy.With(prometheus.Labels{
 			"outpost_name": ds.si.GetOutpostName(),
 			"type":         "search",
 			"reason":       "empty_bind_dn",
 			"app":          ds.si.GetAppSlug(),
 		}).Inc()
 		return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultInsufficientAccessRights}, fmt.Errorf("Search Error: Anonymous BindDN not allowed %s", req.BindDN)
 	}
 	if !utils.HasSuffixNoCase(req.BindDN, ","+baseDN) {
@ -60,12 +54,6 @@ func (ds *DirectSearcher) Search(req *search.Request) (ldap.ServerSearchResult,
 			"reason":       "invalid_bind_dn",
 			"app":          ds.si.GetAppSlug(),
 		}).Inc()
 		metrics.RequestsRejectedLegacy.With(prometheus.Labels{
 			"outpost_name": ds.si.GetOutpostName(),
 			"type":         "search",
 			"reason":       "invalid_bind_dn",
 			"app":          ds.si.GetAppSlug(),
 		}).Inc()
 		return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultInsufficientAccessRights}, fmt.Errorf("Search Error: BindDN %s not in our BaseDN %s", req.BindDN, ds.si.GetBaseDN())
 	}
@ -78,12 +66,6 @@ func (ds *DirectSearcher) Search(req *search.Request) (ldap.ServerSearchResult,
 			"reason":       "user_info_not_cached",
 			"app":          ds.si.GetAppSlug(),
 		}).Inc()
 		metrics.RequestsRejectedLegacy.With(prometheus.Labels{
 			"outpost_name": ds.si.GetOutpostName(),
 			"type":         "search",
 			"reason":       "user_info_not_cached",
 			"app":          ds.si.GetAppSlug(),
 		}).Inc()
 		return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultInsufficientAccessRights}, errors.New("access denied")
 	}
 	accsp.Finish()
@ -96,12 +78,6 @@ func (ds *DirectSearcher) Search(req *search.Request) (ldap.ServerSearchResult,
 			"reason":       "filter_parse_fail",
 			"app":          ds.si.GetAppSlug(),
 		}).Inc()
 		metrics.RequestsRejectedLegacy.With(prometheus.Labels{
 			"outpost_name": ds.si.GetOutpostName(),
 			"type":         "search",
 			"reason":       "filter_parse_fail",
 			"app":          ds.si.GetAppSlug(),
 		}).Inc()
 		return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultOperationsError}, fmt.Errorf("Search Error: error parsing filter: %s", req.Filter)
 	}
--- a/internal/outpost/ldap/search/memory/memory.go
+++ b/internal/outpost/ldap/search/memory/memory.go
@ -62,12 +62,6 @@ func (ms *MemorySearcher) Search(req *search.Request) (ldap.ServerSearchResult,
 			"reason":       "empty_bind_dn",
 			"app":          ms.si.GetAppSlug(),
 		}).Inc()
 		metrics.RequestsRejectedLegacy.With(prometheus.Labels{
 			"outpost_name": ms.si.GetOutpostName(),
 			"type":         "search",
 			"reason":       "empty_bind_dn",
 			"app":          ms.si.GetAppSlug(),
 		}).Inc()
 		return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultInsufficientAccessRights}, fmt.Errorf("Search Error: Anonymous BindDN not allowed %s", req.BindDN)
 	}
 	if !utils.HasSuffixNoCase(req.BindDN, ","+baseDN) {
@ -77,12 +71,6 @@ func (ms *MemorySearcher) Search(req *search.Request) (ldap.ServerSearchResult,
 			"reason":       "invalid_bind_dn",
 			"app":          ms.si.GetAppSlug(),
 		}).Inc()
 		metrics.RequestsRejectedLegacy.With(prometheus.Labels{
 			"outpost_name": ms.si.GetOutpostName(),
 			"type":         "search",
 			"reason":       "invalid_bind_dn",
 			"app":          ms.si.GetAppSlug(),
 		}).Inc()
 		return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultInsufficientAccessRights}, fmt.Errorf("Search Error: BindDN %s not in our BaseDN %s", req.BindDN, ms.si.GetBaseDN())
 	}
@ -95,12 +83,6 @@ func (ms *MemorySearcher) Search(req *search.Request) (ldap.ServerSearchResult,
 			"reason":       "user_info_not_cached",
 			"app":          ms.si.GetAppSlug(),
 		}).Inc()
 		metrics.RequestsRejectedLegacy.With(prometheus.Labels{
 			"outpost_name": ms.si.GetOutpostName(),
 			"type":         "search",
 			"reason":       "user_info_not_cached",
 			"app":          ms.si.GetAppSlug(),
 		}).Inc()
 		return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultInsufficientAccessRights}, errors.New("access denied")
 	}
 	accsp.Finish()
--- a/internal/outpost/ldap/unbind.go
+++ b/internal/outpost/ldap/unbind.go
@ -22,11 +22,6 @@ func (ls *LDAPServer) Unbind(boundDN string, conn net.Conn) (ldap.LDAPResultCode
 			"type":         "unbind",
 			"app":          selectedApp,
 		}).Observe(float64(span.EndTime.Sub(span.StartTime)) / float64(time.Second))
 		metrics.RequestsLegacy.With(prometheus.Labels{
 			"outpost_name": ls.ac.Outpost.Name,
 			"type":         "unbind",
 			"app":          selectedApp,
 		}).Observe(float64(span.EndTime.Sub(span.StartTime)))
 		req.Log().WithField("took-ms", span.EndTime.Sub(span.StartTime).Milliseconds()).Info("Unbind request")
 	}()
@ -55,11 +50,5 @@ func (ls *LDAPServer) Unbind(boundDN string, conn net.Conn) (ldap.LDAPResultCode
 		"reason":       "no_provider",
 		"app":          "",
 	}).Inc()
 	metrics.RequestsRejectedLegacy.With(prometheus.Labels{
 		"outpost_name": ls.ac.Outpost.Name,
 		"type":         "unbind",
 		"reason":       "no_provider",
 		"app":          "",
 	}).Inc()
 	return ldap.LDAPResultOperationsError, nil
 }
--- a/internal/outpost/proxyv2/application/application.go
+++ b/internal/outpost/proxyv2/application/application.go
@ -173,12 +173,6 @@ func NewApplication(p api.ProxyOutpostConfig, c *http.Client, server Server) (*A
 				"method":       r.Method,
 				"host":         web.GetHost(r),
 			}).Observe(float64(elapsed) / float64(time.Second))
 			metrics.RequestsLegacy.With(prometheus.Labels{
 				"outpost_name": a.outpostName,
 				"type":         "app",
 				"method":       r.Method,
 				"host":         web.GetHost(r),
 			}).Observe(float64(elapsed))
 		})
 	})
 	if server.API().GlobalConfig.ErrorReporting.Enabled {
@ -241,7 +235,10 @@ func (a *Application) Mode() api.ProxyMode {
 	return *a.proxyConfig.Mode
 }
-func (a *Application) HasQuerySignature(r *http.Request) bool {
+func (a *Application) ShouldHandleURL(r *http.Request) bool {
 	if strings.HasPrefix(r.URL.Path, "/outpost.goauthentik.io") {
 		return true
 	}
 	if strings.EqualFold(r.URL.Query().Get(CallbackSignature), "true") {
 		return true
 	}
--- a/internal/outpost/proxyv2/application/mode_proxy.go
+++ b/internal/outpost/proxyv2/application/mode_proxy.go
@ -64,13 +64,6 @@ func (a *Application) configureProxy() error {
 			"scheme":        r.URL.Scheme,
 			"host":          web.GetHost(r),
 		}).Observe(float64(elapsed) / float64(time.Second))
 		metrics.UpstreamTimingLegacy.With(prometheus.Labels{
 			"outpost_name":  a.outpostName,
 			"upstream_host": r.URL.Host,
 			"method":        r.Method,
 			"scheme":        r.URL.Scheme,
 			"host":          web.GetHost(r),
 		}).Observe(float64(elapsed))
 	})
 	return nil
 }
--- a/internal/outpost/proxyv2/application/session.go
+++ b/internal/outpost/proxyv2/application/session.go
@ -71,7 +71,7 @@ func (a *Application) getStore(p api.ProxyOutpostConfig, externalHost *url.URL)
 	cs.Options.Domain = *p.CookieDomain
 	cs.Options.SameSite = http.SameSiteLaxMode
 	cs.Options.MaxAge = maxAge
-	cs.Options.Path = externalHost.Path
+	cs.Options.Path = "/"
 	a.log.WithField("dir", dir).Trace("using filesystem session backend")
 	return cs
 }
@ -131,7 +131,6 @@ func (a *Application) Logout(ctx context.Context, filter func(c Claims) bool) er
 	}
 	if rs, ok := a.sessions.(*redisstore.RedisStore); ok {
 		client := rs.Client()
 		defer client.Close()
 		keys, err := client.Keys(ctx, fmt.Sprintf("%s*", RedisKeyPrefix)).Result()
 		if err != nil {
 			return err
--- a/internal/outpost/proxyv2/handlers.go
+++ b/internal/outpost/proxyv2/handlers.go
@ -26,12 +26,6 @@ func (ps *ProxyServer) HandlePing(rw http.ResponseWriter, r *http.Request) {
 		"host":         web.GetHost(r),
 		"type":         "ping",
 	}).Observe(float64(elapsed) / float64(time.Second))
 	metrics.RequestsLegacy.With(prometheus.Labels{
 		"outpost_name": ps.akAPI.Outpost.Name,
 		"method":       r.Method,
 		"host":         web.GetHost(r),
 		"type":         "ping",
 	}).Observe(float64(elapsed))
 }
 func (ps *ProxyServer) HandleStatic(rw http.ResponseWriter, r *http.Request) {
@ -44,12 +38,6 @@ func (ps *ProxyServer) HandleStatic(rw http.ResponseWriter, r *http.Request) {
 		"host":         web.GetHost(r),
 		"type":         "static",
 	}).Observe(float64(elapsed) / float64(time.Second))
 	metrics.RequestsLegacy.With(prometheus.Labels{
 		"outpost_name": ps.akAPI.Outpost.Name,
 		"method":       r.Method,
 		"host":         web.GetHost(r),
 		"type":         "static",
 	}).Observe(float64(elapsed))
 }
 func (ps *ProxyServer) lookupApp(r *http.Request) (*application.Application, string) {
--- a/Show More
+++ b/Show More