merge and test, with updated text for RAC

* dev: (55 commits)
  web/flows: attempt to fix bitwareden android compatibility (#7455)
  sources/oauth: fix patreon (#7454)
  website: bump the docusaurus group in /website with 3 updates (#7400)
  web/admin: fix chart label on dashboard user page (#7434)
  core: bump github.com/gorilla/sessions from 1.2.1 to 1.2.2 (#7446)
  core: bump github.com/gorilla/mux from 1.8.0 to 1.8.1 (#7443)
  core: bump github.com/spf13/cobra from 1.7.0 to 1.8.0 (#7442)
  core: bump github.com/gorilla/websocket from 1.5.0 to 1.5.1 (#7445)
  core: bump golang.org/x/sync from 0.4.0 to 0.5.0 (#7441)
  core: bump github.com/gorilla/securecookie from 1.1.1 to 1.1.2 (#7440)
  core: bump github.com/gorilla/handlers from 1.5.1 to 1.5.2 (#7444)
  web: bump rollup from 4.2.0 to 4.3.0 in /web (#7448)
  web: bump the eslint group in /web with 2 updates (#7447)
  core: bump uvicorn from 0.23.2 to 0.24.0 (#7450)
  core: bump selenium from 4.15.1 to 4.15.2 (#7449)
  core: bump ruff from 0.1.3 to 0.1.4 (#7451)
  web: bump the eslint group in /tests/wdio with 2 updates (#7452)
  providers/proxy: fix closed redis client (#7385)
  ci: explicitly give write permissions to packages (#7428)
  core: bump selenium from 4.15.0 to 4.15.1 (#7422)
  ...

.bumpversion.cfg

@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2023.10.6
+current_version = 2023.10.2
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)

.github/actions/setup/action.yml

@@ -2,39 +2,36 @@ name: "Setup authentik testing environment"
 description: "Setup authentik testing environment"
 
 inputs:
-  postgresql_version:
+  postgresql_tag:
     description: "Optional postgresql image tag"
     default: "12"
 
 runs:
   using: "composite"
   steps:
-    - name: Install poetry & deps
+    - name: Install poetry
       shell: bash
       run: |
         pipx install poetry || true
-        sudo apt-get update
-        sudo apt-get install --no-install-recommends -y libpq-dev openssl libxmlsec1-dev pkg-config gettext
+        sudo apt update
+        sudo apt install -y libpq-dev openssl libxmlsec1-dev pkg-config gettext
     - name: Setup python and restore poetry
-      uses: actions/setup-python@v4
+      uses: actions/setup-python@v3
       with:
-        python-version-file: 'pyproject.toml'
+        python-version: "3.11"
         cache: "poetry"
     - name: Setup node
       uses: actions/setup-node@v3
       with:
-        node-version-file: web/package.json
+        node-version: "20"
         cache: "npm"
         cache-dependency-path: web/package-lock.json
-    - name: Setup go
-      uses: actions/setup-go@v4
-      with:
-        go-version-file: "go.mod"
     - name: Setup dependencies
       shell: bash
       run: |
-        export PSQL_TAG=${{ inputs.postgresql_version }}
+        export PSQL_TAG=${{ inputs.postgresql_tag }}
         docker-compose -f .github/actions/setup/docker-compose.yml up -d
+        poetry env use python3.11
         poetry install
         cd web && npm ci
     - name: Generate config

.github/workflows/ci-main.yml

@@ -48,38 +48,25 @@ jobs:
       - name: run migrations
         run: poetry run python -m lifecycle.migrate
   test-migrations-from-stable:
-    name: test-migrations-from-stable - PostgreSQL ${{ matrix.psql }}
     runs-on: ubuntu-latest
-    strategy:
-      fail-fast: false
-      matrix:
-        psql:
-          - 12-alpine
-          - 15-alpine
-          - 16-alpine
+    continue-on-error: true
     steps:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
       - name: Setup authentik env
         uses: ./.github/actions/setup
-        with:
-          postgresql_version: ${{ matrix.psql }}
       - name: checkout stable
         run: |
-          # Delete all poetry envs
-          rm -rf /home/runner/.cache/pypoetry
           # Copy current, latest config to local
           cp authentik/lib/default.yml local.env.yml
           cp -R .github ..
           cp -R scripts ..
-          git checkout version/$(python -c "from authentik import __version__; print(__version__)")
+          git checkout $(git describe --tags $(git rev-list --tags --max-count=1))
           rm -rf .github/ scripts/
           mv ../.github ../scripts .
       - name: Setup authentik env (ensure stable deps are installed)
         uses: ./.github/actions/setup
-        with:
-          postgresql_version: ${{ matrix.psql }}
       - name: run migrations to stable
         run: poetry run python -m lifecycle.migrate
       - name: checkout current code
@@ -89,13 +76,9 @@ jobs:
           git reset --hard HEAD
           git clean -d -fx .
           git checkout $GITHUB_SHA
-          # Delete previous poetry env
-          rm -rf $(poetry env info --path)
           poetry install
       - name: Setup authentik env (ensure latest deps are installed)
         uses: ./.github/actions/setup
-        with:
-          postgresql_version: ${{ matrix.psql }}
       - name: migrate to latest
         run: poetry run python -m lifecycle.migrate
   test-unittest:
@@ -114,7 +97,7 @@ jobs:
       - name: Setup authentik env
         uses: ./.github/actions/setup
         with:
-          postgresql_version: ${{ matrix.psql }}
+          postgresql_tag: ${{ matrix.psql }}
       - name: run unittest
         run: |
           poetry run make test
@@ -204,7 +187,6 @@ jobs:
     needs: ci-core-mark
     runs-on: ubuntu-latest
     permissions:
-      # Needed to upload contianer images to ghcr.io
       packages: write
     timeout-minutes: 120
     steps:
@@ -257,7 +239,6 @@ jobs:
     needs: ci-core-mark
     runs-on: ubuntu-latest
     permissions:
-      # Needed to upload contianer images to ghcr.io
       packages: write
     timeout-minutes: 120
     steps:

.github/workflows/ci-outpost.yml

@@ -67,7 +67,6 @@ jobs:
           - radius
     runs-on: ubuntu-latest
     permissions:
-      # Needed to upload contianer images to ghcr.io
       packages: write
     steps:
       - uses: actions/checkout@v4
@@ -130,7 +129,7 @@ jobs:
           go-version-file: "go.mod"
       - uses: actions/setup-node@v4
         with:
-          node-version-file: web/package.json
+          node-version: "20"
           cache: "npm"
           cache-dependency-path: web/package-lock.json
       - name: Generate API

.github/workflows/ci-web.yml

@@ -24,7 +24,7 @@ jobs:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4
         with:
-          node-version-file: ${{ matrix.project }}/package.json
+          node-version: "20"
           cache: "npm"
           cache-dependency-path: ${{ matrix.project }}/package-lock.json
       - working-directory: ${{ matrix.project }}/
@@ -40,7 +40,7 @@ jobs:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4
         with:
-          node-version-file: web/package.json
+          node-version: "20"
           cache: "npm"
           cache-dependency-path: web/package-lock.json
       - working-directory: web/
@@ -62,7 +62,7 @@ jobs:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4
         with:
-          node-version-file: ${{ matrix.project }}/package.json
+          node-version: "20"
           cache: "npm"
           cache-dependency-path: ${{ matrix.project }}/package-lock.json
       - working-directory: ${{ matrix.project }}/
@@ -78,7 +78,7 @@ jobs:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4
         with:
-          node-version-file: web/package.json
+          node-version: "20"
           cache: "npm"
           cache-dependency-path: web/package-lock.json
       - working-directory: web/
@@ -110,7 +110,7 @@ jobs:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4
         with:
-          node-version-file: web/package.json
+          node-version: "20"
           cache: "npm"
           cache-dependency-path: web/package-lock.json
       - working-directory: web/

.github/workflows/ci-website.yml

@@ -18,7 +18,7 @@ jobs:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4
         with:
-          node-version-file: website/package.json
+          node-version: "20"
           cache: "npm"
           cache-dependency-path: website/package-lock.json
       - working-directory: website/
@@ -32,7 +32,7 @@ jobs:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4
         with:
-          node-version-file: website/package.json
+          node-version: "20"
           cache: "npm"
           cache-dependency-path: website/package-lock.json
       - working-directory: website/
@@ -53,7 +53,7 @@ jobs:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4
         with:
-          node-version-file: website/package.json
+          node-version: "20"
           cache: "npm"
           cache-dependency-path: website/package-lock.json
       - working-directory: website/

.github/workflows/release-next-branch.yml

@@ -6,7 +6,6 @@ on:
   workflow_dispatch:
 
 permissions:
-  # Needed to be able to push to the next branch
   contents: write
 
 jobs:

.github/workflows/release-publish.yml

@@ -8,7 +8,6 @@ jobs:
   build-server:
     runs-on: ubuntu-latest
     permissions:
-      # Needed to upload contianer images to ghcr.io
       packages: write
     steps:
       - uses: actions/checkout@v4
@@ -56,7 +55,6 @@ jobs:
   build-outpost:
     runs-on: ubuntu-latest
     permissions:
-      # Needed to upload contianer images to ghcr.io
       packages: write
     strategy:
       fail-fast: false
@@ -112,9 +110,6 @@ jobs:
   build-outpost-binary:
     timeout-minutes: 120
     runs-on: ubuntu-latest
-    permissions:
-      # Needed to upload binaries to the release
-      contents: write
     strategy:
       fail-fast: false
       matrix:
@@ -131,7 +126,7 @@ jobs:
           go-version-file: "go.mod"
       - uses: actions/setup-node@v4
         with:
-          node-version-file: web/package.json
+          node-version: "20"
           cache: "npm"
           cache-dependency-path: web/package-lock.json
       - name: Build web

.github/workflows/repo-stale.yml

@@ -6,8 +6,8 @@ on:
   workflow_dispatch:
 
 permissions:
-  # Needed to update issues and PRs
   issues: write
+  pull-requests: write
 
 jobs:
   stale:

.github/workflows/web-api-publish.yml

@@ -19,7 +19,7 @@ jobs:
           token: ${{ steps.generate_token.outputs.token }}
       - uses: actions/setup-node@v4
         with:
-          node-version-file: web/package.json
+          node-version: "20"
           registry-url: "https://registry.npmjs.org"
       - name: Generate API Client
         run: make gen-client-ts

Dockerfile

@@ -1,5 +1,3 @@
-# syntax=docker/dockerfile:1
-
 # Stage 1: Build website
 FROM --platform=${BUILDPLATFORM} docker.io/node:21 as website-builder
 
@@ -9,7 +7,7 @@ WORKDIR /work/website
 
 RUN --mount=type=bind,target=/work/website/package.json,src=./website/package.json \
     --mount=type=bind,target=/work/website/package-lock.json,src=./website/package-lock.json \
-    --mount=type=cache,id=npm-website,sharing=shared,target=/root/.npm \
+    --mount=type=cache,target=/root/.npm \
     npm ci --include=dev
 
 COPY ./website /work/website/
@@ -27,7 +25,7 @@ WORKDIR /work/web
 
 RUN --mount=type=bind,target=/work/web/package.json,src=./web/package.json \
     --mount=type=bind,target=/work/web/package-lock.json,src=./web/package-lock.json \
-    --mount=type=cache,id=npm-web,sharing=shared,target=/root/.npm \
+    --mount=type=cache,target=/root/.npm \
     npm ci --include=dev
 
 COPY ./web /work/web/
@@ -37,7 +35,7 @@ COPY ./gen-ts-api /work/web/node_modules/@goauthentik/api
 RUN npm run build
 
 # Stage 3: Build go proxy
-FROM --platform=${BUILDPLATFORM} docker.io/golang:1.21.4-bookworm AS go-builder
+FROM --platform=${BUILDPLATFORM} docker.io/golang:1.21.3-bookworm AS go-builder
 
 ARG TARGETOS
 ARG TARGETARCH
@@ -64,8 +62,8 @@ COPY ./go.sum /go/src/goauthentik.io/go.sum
 
 ENV CGO_ENABLED=0
 
-RUN --mount=type=cache,sharing=locked,target=/go/pkg/mod \
-    --mount=type=cache,id=go-build-$TARGETARCH$TARGETVARIANT,sharing=locked,target=/root/.cache/go-build \
+RUN --mount=type=cache,target=/go/pkg/mod \
+    --mount=type=cache,target=/root/.cache/go-build \
     GOARM="${TARGETVARIANT#v}" go build -o /go/authentik ./cmd/server
 
 # Stage 4: MaxMind GeoIP
@@ -91,9 +89,7 @@ ENV VENV_PATH="/ak-root/venv" \
     POETRY_VIRTUALENVS_CREATE=false \
     PATH="/ak-root/venv/bin:$PATH"
 
-RUN rm -f /etc/apt/apt.conf.d/docker-clean; echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache
-
-RUN --mount=type=cache,id=apt-$TARGETARCH$TARGETVARIANT,sharing=locked,target=/var/cache/apt \
+RUN --mount=type=cache,target=/var/cache/apt \
     apt-get update && \
     # Required for installing pip packages
     apt-get install -y --no-install-recommends build-essential pkg-config libxmlsec1-dev zlib1g-dev libpq-dev

Makefile

@@ -110,6 +110,8 @@ gen-diff:  ## (Release) generate the changelog diff between the current schema a
 		--markdown /local/diff.md \
 		/local/old_schema.yml /local/schema.yml
 	rm old_schema.yml
+	sed -i 's/{/{/g' diff.md
+	sed -i 's/}/}/g' diff.md
 	npx prettier --write diff.md
 
 gen-clean:

authentik/__init__.py

@@ -2,7 +2,7 @@
 from os import environ
 from typing import Optional
 
-__version__ = "2023.10.6"
+__version__ = "2023.10.2"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
 
 

authentik/api/v3/urls.py

@@ -21,9 +21,7 @@ _other_urls = []
 for _authentik_app in get_apps():
     try:
         api_urls = import_module(f"{_authentik_app.name}.urls")
-    except ModuleNotFoundError:
-        continue
-    except ImportError as exc:
+    except (ModuleNotFoundError, ImportError) as exc:
         LOGGER.warning("Could not import app's URLs", app_name=_authentik_app.name, exc=exc)
         continue
     if not hasattr(api_urls, "api_urlpatterns"):

authentik/blueprints/apps.py

@@ -40,7 +40,7 @@ class ManagedAppConfig(AppConfig):
                 meth()
                 self._logger.debug("Successfully reconciled", name=name)
             except (DatabaseError, ProgrammingError, InternalError) as exc:
-                self._logger.warning("Failed to run reconcile", name=name, exc=exc)
+                self._logger.debug("Failed to run reconcile", name=name, exc=exc)
 
 
 class AuthentikBlueprintsConfig(ManagedAppConfig):

authentik/blueprints/v1/tasks.py

@@ -75,13 +75,13 @@ class BlueprintEventHandler(FileSystemEventHandler):
             return
         if event.is_directory:
             return
-        root = Path(CONFIG.get("blueprints_dir")).absolute()
-        path = Path(event.src_path).absolute()
-        rel_path = str(path.relative_to(root))
         if isinstance(event, FileCreatedEvent):
-            LOGGER.debug("new blueprint file created, starting discovery", path=rel_path)
-            blueprints_discovery.delay(rel_path)
+            LOGGER.debug("new blueprint file created, starting discovery")
+            blueprints_discovery.delay()
         if isinstance(event, FileModifiedEvent):
+            path = Path(event.src_path)
+            root = Path(CONFIG.get("blueprints_dir")).absolute()
+            rel_path = str(path.relative_to(root))
             for instance in BlueprintInstance.objects.filter(path=rel_path, enabled=True):
                 LOGGER.debug("modified blueprint file, starting apply", instance=instance)
                 apply_blueprint.delay(instance.pk.hex)
@@ -98,32 +98,39 @@ def blueprints_find_dict():
     return blueprints
 
 
-def blueprints_find() -> list[BlueprintFile]:
+def blueprints_find():
     """Find blueprints and return valid ones"""
     blueprints = []
     root = Path(CONFIG.get("blueprints_dir"))
     for path in root.rglob("**/*.yaml"):
-        rel_path = path.relative_to(root)
         # Check if any part in the path starts with a dot and assume a hidden file
         if any(part for part in path.parts if part.startswith(".")):
             continue
+        LOGGER.debug("found blueprint", path=str(path))
         with open(path, "r", encoding="utf-8") as blueprint_file:
             try:
                 raw_blueprint = load(blueprint_file.read(), BlueprintLoader)
             except YAMLError as exc:
                 raw_blueprint = None
-                LOGGER.warning("failed to parse blueprint", exc=exc, path=str(rel_path))
+                LOGGER.warning("failed to parse blueprint", exc=exc, path=str(path))
             if not raw_blueprint:
                 continue
             metadata = raw_blueprint.get("metadata", None)
             version = raw_blueprint.get("version", 1)
             if version != 1:
-                LOGGER.warning("invalid blueprint version", version=version, path=str(rel_path))
+                LOGGER.warning("invalid blueprint version", version=version, path=str(path))
                 continue
         file_hash = sha512(path.read_bytes()).hexdigest()
-        blueprint = BlueprintFile(str(rel_path), version, file_hash, int(path.stat().st_mtime))
+        blueprint = BlueprintFile(
+            str(path.relative_to(root)), version, file_hash, int(path.stat().st_mtime)
+        )
         blueprint.meta = from_dict(BlueprintMetadata, metadata) if metadata else None
         blueprints.append(blueprint)
+        LOGGER.debug(
+            "parsed & loaded blueprint",
+            hash=file_hash,
+            path=str(path),
+        )
     return blueprints
 
 
@@ -131,12 +138,10 @@ def blueprints_find() -> list[BlueprintFile]:
     throws=(DatabaseError, ProgrammingError, InternalError), base=MonitoredTask, bind=True
 )
 @prefill_task
-def blueprints_discovery(self: MonitoredTask, path: Optional[str] = None):
+def blueprints_discovery(self: MonitoredTask):
     """Find blueprints and check if they need to be created in the database"""
     count = 0
     for blueprint in blueprints_find():
-        if path and blueprint.path != path:
-            continue
         check_blueprint_v1_file(blueprint)
         count += 1
     self.set_status(
@@ -166,11 +171,7 @@ def check_blueprint_v1_file(blueprint: BlueprintFile):
             metadata={},
         )
         instance.save()
-        LOGGER.info(
-            "Creating new blueprint instance from file", instance=instance, path=instance.path
-        )
     if instance.last_applied_hash != blueprint.hash:
-        LOGGER.info("Applying blueprint due to changed file", instance=instance, path=instance.path)
         apply_blueprint.delay(str(instance.pk))
 
 

authentik/core/api/sources.py

@@ -38,7 +38,7 @@ class SourceSerializer(ModelSerializer, MetaNameSerializer):
 
     managed = ReadOnlyField()
     component = SerializerMethodField()
-    icon = ReadOnlyField(source="icon_url")
+    icon = ReadOnlyField(source="get_icon")
 
     def get_component(self, obj: Source) -> str:
         """Get object component so that we know how to edit the object"""

authentik/core/api/users.py

@@ -171,11 +171,6 @@ class UserSerializer(ModelSerializer):
             raise ValidationError("Setting a user to internal service account is not allowed.")
         return user_type
 
-    def validate(self, attrs: dict) -> dict:
-        if self.instance and self.instance.type == UserTypes.INTERNAL_SERVICE_ACCOUNT:
-            raise ValidationError("Can't modify internal service account users")
-        return super().validate(attrs)
-
     class Meta:
         model = User
         fields = [

authentik/core/expression/evaluator.py

@@ -44,7 +44,6 @@ class PropertyMappingEvaluator(BaseEvaluator):
         if request:
             req.http_request = request
         self._context["request"] = req
-        req.context.update(**kwargs)
         self._context.update(**kwargs)
         self.dry_run = dry_run
 

authentik/core/management/commands/worker.py

@@ -17,15 +17,9 @@ class Command(BaseCommand):
     """Run worker"""
 
     def add_arguments(self, parser):
-        parser.add_argument(
-            "-b",
-            "--beat",
-            action="store_false",
-            help="When set, this worker will _not_ run Beat (scheduled) tasks",
-        )
+        parser.add_argument("-b", "--beat", action="store_true")
 
     def handle(self, **options):
-        LOGGER.debug("Celery options", **options)
         close_old_connections()
         if CONFIG.get_bool("remote_debug"):
             import debugpy

authentik/core/templates/base/skeleton.html

@@ -13,6 +13,7 @@
         {% block head_before %}
         {% endblock %}
         <link rel="stylesheet" type="text/css" href="{% static 'dist/authentik.css' %}">
+        <link rel="stylesheet" type="text/css" href="{% static 'dist/theme-dark.css' %}" media="(prefers-color-scheme: dark)">
         <link rel="stylesheet" type="text/css" href="{% static 'dist/custom.css' %}" data-inject>
         <script src="{% static 'dist/poly.js' %}?version={{ version }}" type="module"></script>
         <script src="{% static 'dist/standalone/loading/index.js' %}?version={{ version }}" type="module"></script>

authentik/core/templates/login/base_full.html

@@ -6,7 +6,6 @@
 {% block head_before %}
 <link rel="prefetch" href="/static/dist/assets/images/flow_background.jpg" />
 <link rel="stylesheet" type="text/css" href="{% static 'dist/patternfly.min.css' %}">
-<link rel="stylesheet" type="text/css" href="{% static 'dist/theme-dark.css' %}" media="(prefers-color-scheme: dark)">
 {% include "base/header_js.html" %}
 {% endblock %}
 

authentik/events/middleware.py

@@ -27,7 +27,6 @@ from authentik.lib.sentry import before_send
 from authentik.lib.utils.errors import exception_to_string
 from authentik.outposts.models import OutpostServiceConnection
 from authentik.policies.models import Policy, PolicyBindingModel
-from authentik.policies.reputation.models import Reputation
 from authentik.providers.oauth2.models import AccessToken, AuthorizationCode, RefreshToken
 from authentik.providers.scim.models import SCIMGroup, SCIMUser
 from authentik.stages.authenticator_static.models import StaticToken
@@ -53,13 +52,11 @@ IGNORED_MODELS = (
     RefreshToken,
     SCIMUser,
     SCIMGroup,
-    Reputation,
 )
 
 
 def should_log_model(model: Model) -> bool:
     """Return true if operation on `model` should be logged"""
-    # Check for silk by string so this comparison doesn't fail when silk isn't installed
     if model.__module__.startswith("silk"):
         return False
     return model.__class__ not in IGNORED_MODELS
@@ -96,30 +93,21 @@ class AuditMiddleware:
     of models"""
 
     get_response: Callable[[HttpRequest], HttpResponse]
-    anonymous_user: User = None
 
     def __init__(self, get_response: Callable[[HttpRequest], HttpResponse]):
         self.get_response = get_response
 
-    def _ensure_fallback_user(self):
-        """Defer fetching anonymous user until we have to"""
-        if self.anonymous_user:
-            return
-        from guardian.shortcuts import get_anonymous_user
-
-        self.anonymous_user = get_anonymous_user()
-
     def connect(self, request: HttpRequest):
         """Connect signal for automatic logging"""
-        self._ensure_fallback_user()
-        user = getattr(request, "user", self.anonymous_user)
-        if not user.is_authenticated:
-            user = self.anonymous_user
+        if not hasattr(request, "user"):
+            return
+        if not getattr(request.user, "is_authenticated", False):
+            return
         if not hasattr(request, "request_id"):
             return
-        post_save_handler = partial(self.post_save_handler, user=user, request=request)
-        pre_delete_handler = partial(self.pre_delete_handler, user=user, request=request)
-        m2m_changed_handler = partial(self.m2m_changed_handler, user=user, request=request)
+        post_save_handler = partial(self.post_save_handler, user=request.user, request=request)
+        pre_delete_handler = partial(self.pre_delete_handler, user=request.user, request=request)
+        m2m_changed_handler = partial(self.m2m_changed_handler, user=request.user, request=request)
         post_save.connect(
             post_save_handler,
             dispatch_uid=request.request_id,

authentik/events/models.py

@@ -217,7 +217,6 @@ class Event(SerializerModel, ExpiringModel):
                 "path": request.path,
                 "method": request.method,
                 "args": cleanse_dict(QueryDict(request.META.get("QUERY_STRING", ""))),
-                "user_agent": request.META.get("HTTP_USER_AGENT", ""),
             }
             # Special case for events created during flow execution
             # since they keep the http query within a wrapped query

authentik/events/signals.py

@@ -13,7 +13,6 @@ from authentik.events.tasks import event_notification_handler, gdpr_cleanup
 from authentik.flows.models import Stage
 from authentik.flows.planner import PLAN_CONTEXT_SOURCE, FlowPlan
 from authentik.flows.views.executor import SESSION_KEY_PLAN
-from authentik.lib.config import CONFIG
 from authentik.stages.invitation.models import Invitation
 from authentik.stages.invitation.signals import invitation_used
 from authentik.stages.password.stage import PLAN_CONTEXT_METHOD, PLAN_CONTEXT_METHOD_ARGS
@@ -93,5 +92,4 @@ def event_post_save_notification(sender, instance: Event, **_):
 @receiver(pre_delete, sender=User)
 def event_user_pre_delete_cleanup(sender, instance: User, **_):
     """If gdpr_compliance is enabled, remove all the user's events"""
-    if CONFIG.get_bool("gdpr_compliance", True):
-        gdpr_cleanup.delay(instance.pk)
+    gdpr_cleanup.delay(instance.pk)

authentik/events/tests/test_event.py

@@ -53,15 +53,7 @@ class TestEvents(TestCase):
         """Test plain from_http"""
         event = Event.new("unittest").from_http(self.factory.get("/"))
         self.assertEqual(
-            event.context,
-            {
-                "http_request": {
-                    "args": {},
-                    "method": "GET",
-                    "path": "/",
-                    "user_agent": "",
-                }
-            },
+            event.context, {"http_request": {"args": {}, "method": "GET", "path": "/"}}
         )
 
     def test_from_http_clean_querystring(self):
@@ -75,7 +67,6 @@ class TestEvents(TestCase):
                     "args": {"token": SafeExceptionReporterFilter.cleansed_substitute},
                     "method": "GET",
                     "path": "/",
-                    "user_agent": "",
                 }
             },
         )
@@ -92,7 +83,6 @@ class TestEvents(TestCase):
                     "args": {"token": SafeExceptionReporterFilter.cleansed_substitute},
                     "method": "GET",
                     "path": "/",
-                    "user_agent": "",
                 }
             },
         )

authentik/events/utils.py

@@ -5,13 +5,12 @@ from dataclasses import asdict, is_dataclass
 from datetime import date, datetime, time, timedelta
 from enum import Enum
 from pathlib import Path
-from types import GeneratorType, NoneType
+from types import GeneratorType
 from typing import Any, Optional
 from uuid import UUID
 
 from django.contrib.auth.models import AnonymousUser
 from django.core.handlers.wsgi import WSGIRequest
-from django.core.serializers.json import DjangoJSONEncoder
 from django.db import models
 from django.db.models.base import Model
 from django.http.request import HttpRequest
@@ -154,20 +153,7 @@ def sanitize_item(value: Any) -> Any:
         return value.isoformat()
     if isinstance(value, timedelta):
         return str(value.total_seconds())
-    if callable(value):
-        return {
-            "type": "callable",
-            "name": value.__name__,
-            "module": value.__module__,
-        }
-    # List taken from the stdlib's JSON encoder (_make_iterencode, encoder.py:415)
-    if isinstance(value, (bool, int, float, NoneType, list, tuple, dict)):
-        return value
-    try:
-        return DjangoJSONEncoder().default(value)
-    except TypeError:
-        return str(value)
-    return str(value)
+    return value
 
 
 def sanitize_dict(source: dict[Any, Any]) -> dict[Any, Any]:

authentik/flows/stage.py

@@ -167,11 +167,7 @@ class ChallengeStageView(StageView):
                 stage_type=self.__class__.__name__, method="get_challenge"
             ).time(),
         ):
-            try:
-                challenge = self.get_challenge(*args, **kwargs)
-            except StageInvalidException as exc:
-                self.logger.debug("Got StageInvalidException", exc=exc)
-                return self.executor.stage_invalid()
+            challenge = self.get_challenge(*args, **kwargs)
         with Hub.current.start_span(
             op="authentik.flow.stage._get_challenge",
             description=self.__class__.__name__,

authentik/outposts/api/outposts.py

@@ -18,7 +18,7 @@ from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import PassiveSerializer, is_dict
 from authentik.core.models import Provider
 from authentik.outposts.api.service_connections import ServiceConnectionSerializer
-from authentik.outposts.apps import MANAGED_OUTPOST, MANAGED_OUTPOST_NAME
+from authentik.outposts.apps import MANAGED_OUTPOST
 from authentik.outposts.models import (
     Outpost,
     OutpostConfig,
@@ -47,16 +47,6 @@ class OutpostSerializer(ModelSerializer):
         source="service_connection", read_only=True
     )
 
-    def validate_name(self, name: str) -> str:
-        """Validate name (especially for embedded outpost)"""
-        if not self.instance:
-            return name
-        if self.instance.managed == MANAGED_OUTPOST and name != MANAGED_OUTPOST_NAME:
-            raise ValidationError("Embedded outpost's name cannot be changed")
-        if self.instance.name == MANAGED_OUTPOST_NAME:
-            self.instance.managed = MANAGED_OUTPOST
-        return name
-
     def validate_providers(self, providers: list[Provider]) -> list[Provider]:
         """Check that all providers match the type of the outpost"""
         type_map = {

authentik/outposts/apps.py

@@ -15,7 +15,6 @@ GAUGE_OUTPOSTS_LAST_UPDATE = Gauge(
     ["outpost", "uid", "version"],
 )
 MANAGED_OUTPOST = "goauthentik.io/outposts/embedded"
-MANAGED_OUTPOST_NAME = "authentik Embedded Outpost"
 
 
 class AuthentikOutpostConfig(ManagedAppConfig):
@@ -36,17 +35,14 @@ class AuthentikOutpostConfig(ManagedAppConfig):
             DockerServiceConnection,
             KubernetesServiceConnection,
             Outpost,
+            OutpostConfig,
             OutpostType,
         )
 
-        if outpost := Outpost.objects.filter(name=MANAGED_OUTPOST_NAME, managed="").first():
-            outpost.managed = MANAGED_OUTPOST
-            outpost.save()
-            return
         outpost, updated = Outpost.objects.update_or_create(
             defaults={
+                "name": "authentik Embedded Outpost",
                 "type": OutpostType.PROXY,
-                "name": MANAGED_OUTPOST_NAME,
             },
             managed=MANAGED_OUTPOST,
         )
@@ -55,4 +51,10 @@ class AuthentikOutpostConfig(ManagedAppConfig):
                 outpost.service_connection = KubernetesServiceConnection.objects.first()
             elif DockerServiceConnection.objects.exists():
                 outpost.service_connection = DockerServiceConnection.objects.first()
+            outpost.config = OutpostConfig(
+                kubernetes_disabled_components=[
+                    "deployment",
+                    "secret",
+                ]
+            )
             outpost.save()

authentik/outposts/controllers/k8s/deployment.py

@@ -43,10 +43,6 @@ class DeploymentReconciler(KubernetesObjectReconciler[V1Deployment]):
         self.api = AppsV1Api(controller.client)
         self.outpost = self.controller.outpost
 
-    @property
-    def noop(self) -> bool:
-        return self.is_embedded
-
     @staticmethod
     def reconciler_name() -> str:
         return "deployment"

authentik/outposts/controllers/k8s/secret.py

@@ -24,10 +24,6 @@ class SecretReconciler(KubernetesObjectReconciler[V1Secret]):
         super().__init__(controller)
         self.api = CoreV1Api(controller.client)
 
-    @property
-    def noop(self) -> bool:
-        return self.is_embedded
-
     @staticmethod
     def reconciler_name() -> str:
         return "secret"

authentik/outposts/controllers/k8s/service_monitor.py

@@ -77,10 +77,7 @@ class PrometheusServiceMonitorReconciler(KubernetesObjectReconciler[PrometheusSe
 
     @property
     def noop(self) -> bool:
-        if not self._crd_exists():
-            self.logger.debug("CRD doesn't exist")
-            return True
-        return self.is_embedded
+        return (not self._crd_exists()) or (self.is_embedded)
 
     def _crd_exists(self) -> bool:
         """Check if the Prometheus ServiceMonitor exists"""

authentik/outposts/models.py

@@ -344,22 +344,12 @@ class Outpost(SerializerModel, ManagedModel):
         user_created = False
         if not user:
             user: User = User.objects.create(username=self.user_identifier)
-            user_created = True
-        attrs = {
-            "type": UserTypes.INTERNAL_SERVICE_ACCOUNT,
-            "name": f"Outpost {self.name} Service-Account",
-            "path": USER_PATH_OUTPOSTS,
-        }
-        dirty = False
-        for key, value in attrs.items():
-            if getattr(user, key) != value:
-                dirty = True
-                setattr(user, key, value)
-        if user.has_usable_password():
             user.set_unusable_password()
-            dirty = True
-        if dirty:
-            user.save()
+            user_created = True
+        user.type = UserTypes.INTERNAL_SERVICE_ACCOUNT
+        user.name = f"Outpost {self.name} Service-Account"
+        user.path = USER_PATH_OUTPOSTS
+        user.save()
         if user_created:
             self.build_user_permissions(user)
         return user

authentik/outposts/tests/test_api.py

@@ -2,13 +2,11 @@
 from django.urls import reverse
 from rest_framework.test import APITestCase
 
-from authentik.blueprints.tests import reconcile_app
 from authentik.core.models import PropertyMapping
 from authentik.core.tests.utils import create_test_admin_user, create_test_flow
 from authentik.lib.generators import generate_id
 from authentik.outposts.api.outposts import OutpostSerializer
-from authentik.outposts.apps import MANAGED_OUTPOST
-from authentik.outposts.models import Outpost, OutpostType, default_outpost_config
+from authentik.outposts.models import OutpostType, default_outpost_config
 from authentik.providers.ldap.models import LDAPProvider
 from authentik.providers.proxy.models import ProxyProvider
 
@@ -24,36 +22,7 @@ class TestOutpostServiceConnectionsAPI(APITestCase):
         self.user = create_test_admin_user()
         self.client.force_login(self.user)
 
-    @reconcile_app("authentik_outposts")
-    def test_managed_name_change(self):
-        """Test name change for embedded outpost"""
-        embedded_outpost = Outpost.objects.filter(managed=MANAGED_OUTPOST).first()
-        self.assertIsNotNone(embedded_outpost)
-        response = self.client.patch(
-            reverse("authentik_api:outpost-detail", kwargs={"pk": embedded_outpost.pk}),
-            {"name": "foo"},
-        )
-        self.assertEqual(response.status_code, 400)
-        self.assertJSONEqual(
-            response.content, {"name": ["Embedded outpost's name cannot be changed"]}
-        )
-
-    @reconcile_app("authentik_outposts")
-    def test_managed_without_managed(self):
-        """Test name change for embedded outpost"""
-        embedded_outpost = Outpost.objects.filter(managed=MANAGED_OUTPOST).first()
-        self.assertIsNotNone(embedded_outpost)
-        embedded_outpost.managed = ""
-        embedded_outpost.save()
-        response = self.client.patch(
-            reverse("authentik_api:outpost-detail", kwargs={"pk": embedded_outpost.pk}),
-            {"name": "foo"},
-        )
-        self.assertEqual(response.status_code, 200)
-        embedded_outpost.refresh_from_db()
-        self.assertEqual(embedded_outpost.managed, MANAGED_OUTPOST)
-
-    def test_outpost_validation(self):
+    def test_outpost_validaton(self):
         """Test Outpost validation"""
         valid = OutpostSerializer(
             data={

authentik/providers/oauth2/migrations/0017_accesstoken_session_id_authorizationcode_session_id_and_more.py

@@ -1,27 +0,0 @@
-# Generated by Django 5.0 on 2023-12-22 23:20
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-    dependencies = [
-        ("authentik_providers_oauth2", "0016_alter_refreshtoken_token"),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name="accesstoken",
-            name="session_id",
-            field=models.CharField(blank=True, default=""),
-        ),
-        migrations.AddField(
-            model_name="authorizationcode",
-            name="session_id",
-            field=models.CharField(blank=True, default=""),
-        ),
-        migrations.AddField(
-            model_name="refreshtoken",
-            name="session_id",
-            field=models.CharField(blank=True, default=""),
-        ),
-    ]

authentik/providers/oauth2/models.py

@@ -296,7 +296,6 @@ class BaseGrantModel(models.Model):
     revoked = models.BooleanField(default=False)
     _scope = models.TextField(default="", verbose_name=_("Scopes"))
     auth_time = models.DateTimeField(verbose_name="Authentication time")
-    session_id = models.CharField(default="", blank=True)
 
     @property
     def scope(self) -> list[str]:

authentik/providers/oauth2/tests/test_authorize.py

@@ -85,25 +85,6 @@ class TestAuthorize(OAuthTestCase):
             )
             OAuthAuthorizationParams.from_request(request)
 
-    def test_blocked_redirect_uri(self):
-        """test missing/invalid redirect URI"""
-        OAuth2Provider.objects.create(
-            name=generate_id(),
-            client_id="test",
-            authorization_flow=create_test_flow(),
-            redirect_uris="data:local.invalid",
-        )
-        with self.assertRaises(RedirectUriError):
-            request = self.factory.get(
-                "/",
-                data={
-                    "response_type": "code",
-                    "client_id": "test",
-                    "redirect_uri": "data:localhost",
-                },
-            )
-            OAuthAuthorizationParams.from_request(request)
-
     def test_invalid_redirect_uri_empty(self):
         """test missing/invalid redirect URI"""
         provider = OAuth2Provider.objects.create(

authentik/providers/oauth2/tests/test_token_pkce.py

@@ -1,187 +0,0 @@
-"""Test token view"""
-from base64 import b64encode, urlsafe_b64encode
-from hashlib import sha256
-
-from django.test import RequestFactory
-from django.urls import reverse
-
-from authentik.core.models import Application
-from authentik.core.tests.utils import create_test_admin_user, create_test_flow
-from authentik.flows.challenge import ChallengeTypes
-from authentik.lib.generators import generate_id
-from authentik.providers.oauth2.constants import GRANT_TYPE_AUTHORIZATION_CODE
-from authentik.providers.oauth2.models import AuthorizationCode, OAuth2Provider
-from authentik.providers.oauth2.tests.utils import OAuthTestCase
-
-
-class TestTokenPKCE(OAuthTestCase):
-    """Test token view"""
-
-    def setUp(self) -> None:
-        super().setUp()
-        self.factory = RequestFactory()
-        self.app = Application.objects.create(name=generate_id(), slug="test")
-
-    def test_pkce_missing_in_token(self):
-        """Test full with pkce"""
-        flow = create_test_flow()
-        provider = OAuth2Provider.objects.create(
-            name=generate_id(),
-            client_id="test",
-            authorization_flow=flow,
-            redirect_uris="foo://localhost",
-            access_code_validity="seconds=100",
-        )
-        Application.objects.create(name="app", slug="app", provider=provider)
-        state = generate_id()
-        user = create_test_admin_user()
-        self.client.force_login(user)
-        challenge = generate_id()
-        header = b64encode(f"{provider.client_id}:{provider.client_secret}".encode()).decode()
-        # Step 1, initiate params and get redirect to flow
-        self.client.get(
-            reverse("authentik_providers_oauth2:authorize"),
-            data={
-                "response_type": "code",
-                "client_id": "test",
-                "state": state,
-                "redirect_uri": "foo://localhost",
-                "code_challenge": challenge,
-                "code_challenge_method": "S256",
-            },
-        )
-        response = self.client.get(
-            reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
-        )
-        code: AuthorizationCode = AuthorizationCode.objects.filter(user=user).first()
-        self.assertJSONEqual(
-            response.content.decode(),
-            {
-                "component": "xak-flow-redirect",
-                "type": ChallengeTypes.REDIRECT.value,
-                "to": f"foo://localhost?code={code.code}&state={state}",
-            },
-        )
-        response = self.client.post(
-            reverse("authentik_providers_oauth2:token"),
-            data={
-                "grant_type": GRANT_TYPE_AUTHORIZATION_CODE,
-                "code": code.code,
-                # Missing the code_verifier here
-                "redirect_uri": "foo://localhost",
-            },
-            HTTP_AUTHORIZATION=f"Basic {header}",
-        )
-        self.assertJSONEqual(
-            response.content,
-            {"error": "invalid_request", "error_description": "The request is otherwise malformed"},
-        )
-        self.assertEqual(response.status_code, 400)
-
-    def test_pkce_correct_s256(self):
-        """Test full with pkce"""
-        flow = create_test_flow()
-        provider = OAuth2Provider.objects.create(
-            name=generate_id(),
-            client_id="test",
-            authorization_flow=flow,
-            redirect_uris="foo://localhost",
-            access_code_validity="seconds=100",
-        )
-        Application.objects.create(name="app", slug="app", provider=provider)
-        state = generate_id()
-        user = create_test_admin_user()
-        self.client.force_login(user)
-        verifier = generate_id()
-        challenge = (
-            urlsafe_b64encode(sha256(verifier.encode("ascii")).digest())
-            .decode("utf-8")
-            .replace("=", "")
-        )
-        header = b64encode(f"{provider.client_id}:{provider.client_secret}".encode()).decode()
-        # Step 1, initiate params and get redirect to flow
-        self.client.get(
-            reverse("authentik_providers_oauth2:authorize"),
-            data={
-                "response_type": "code",
-                "client_id": "test",
-                "state": state,
-                "redirect_uri": "foo://localhost",
-                "code_challenge": challenge,
-                "code_challenge_method": "S256",
-            },
-        )
-        response = self.client.get(
-            reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
-        )
-        code: AuthorizationCode = AuthorizationCode.objects.filter(user=user).first()
-        self.assertJSONEqual(
-            response.content.decode(),
-            {
-                "component": "xak-flow-redirect",
-                "type": ChallengeTypes.REDIRECT.value,
-                "to": f"foo://localhost?code={code.code}&state={state}",
-            },
-        )
-        response = self.client.post(
-            reverse("authentik_providers_oauth2:token"),
-            data={
-                "grant_type": GRANT_TYPE_AUTHORIZATION_CODE,
-                "code": code.code,
-                "code_verifier": verifier,
-                "redirect_uri": "foo://localhost",
-            },
-            HTTP_AUTHORIZATION=f"Basic {header}",
-        )
-        self.assertEqual(response.status_code, 200)
-
-    def test_pkce_correct_plain(self):
-        """Test full with pkce"""
-        flow = create_test_flow()
-        provider = OAuth2Provider.objects.create(
-            name=generate_id(),
-            client_id="test",
-            authorization_flow=flow,
-            redirect_uris="foo://localhost",
-            access_code_validity="seconds=100",
-        )
-        Application.objects.create(name="app", slug="app", provider=provider)
-        state = generate_id()
-        user = create_test_admin_user()
-        self.client.force_login(user)
-        verifier = generate_id()
-        header = b64encode(f"{provider.client_id}:{provider.client_secret}".encode()).decode()
-        # Step 1, initiate params and get redirect to flow
-        self.client.get(
-            reverse("authentik_providers_oauth2:authorize"),
-            data={
-                "response_type": "code",
-                "client_id": "test",
-                "state": state,
-                "redirect_uri": "foo://localhost",
-                "code_challenge": verifier,
-            },
-        )
-        response = self.client.get(
-            reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
-        )
-        code: AuthorizationCode = AuthorizationCode.objects.filter(user=user).first()
-        self.assertJSONEqual(
-            response.content.decode(),
-            {
-                "component": "xak-flow-redirect",
-                "type": ChallengeTypes.REDIRECT.value,
-                "to": f"foo://localhost?code={code.code}&state={state}",
-            },
-        )
-        response = self.client.post(
-            reverse("authentik_providers_oauth2:token"),
-            data={
-                "grant_type": GRANT_TYPE_AUTHORIZATION_CODE,
-                "code": code.code,
-                "code_verifier": verifier,
-                "redirect_uri": "foo://localhost",
-            },
-            HTTP_AUTHORIZATION=f"Basic {header}",
-        )
-        self.assertEqual(response.status_code, 200)

authentik/providers/oauth2/views/authorize.py

@@ -1,7 +1,6 @@
 """authentik OAuth2 Authorization views"""
 from dataclasses import dataclass, field
 from datetime import timedelta
-from hashlib import sha256
 from json import dumps
 from re import error as RegexError
 from re import fullmatch
@@ -75,7 +74,6 @@ PLAN_CONTEXT_PARAMS = "goauthentik.io/providers/oauth2/params"
 SESSION_KEY_LAST_LOGIN_UID = "authentik/providers/oauth2/last_login_uid"
 
 ALLOWED_PROMPT_PARAMS = {PROMPT_NONE, PROMPT_CONSENT, PROMPT_LOGIN}
-FORBIDDEN_URI_SCHEMES = {"javascript", "data", "vbscript"}
 
 
 @dataclass(slots=True)
@@ -176,10 +174,6 @@ class OAuthAuthorizationParams:
         self.check_scope()
         self.check_nonce()
         self.check_code_challenge()
-        if self.request:
-            raise AuthorizeError(
-                self.redirect_uri, "request_not_supported", self.grant_type, self.state
-            )
 
     def check_redirect_uri(self):
         """Redirect URI validation."""
@@ -217,9 +211,10 @@ class OAuthAuthorizationParams:
                     expected=allowed_redirect_urls,
                 )
                 raise RedirectUriError(self.redirect_uri, allowed_redirect_urls)
-        # Check against forbidden schemes
-        if urlparse(self.redirect_uri).scheme in FORBIDDEN_URI_SCHEMES:
-            raise RedirectUriError(self.redirect_uri, allowed_redirect_urls)
+        if self.request:
+            raise AuthorizeError(
+                self.redirect_uri, "request_not_supported", self.grant_type, self.state
+            )
 
     def check_scope(self):
         """Ensure openid scope is set in Hybrid flows, or when requesting an id_token"""
@@ -287,7 +282,6 @@ class OAuthAuthorizationParams:
             expires=now + timedelta_from_string(self.provider.access_code_validity),
             scope=self.scope,
             nonce=self.nonce,
-            session_id=sha256(request.session.session_key.encode("ascii")).hexdigest(),
         )
 
         if self.code_challenge and self.code_challenge_method:
@@ -575,7 +569,6 @@ class OAuthFulfillmentStage(StageView):
             expires=access_token_expiry,
             provider=self.provider,
             auth_time=auth_event.created if auth_event else now,
-            session_id=sha256(self.request.session.session_key.encode("ascii")).hexdigest(),
         )
 
         id_token = IDToken.new(self.provider, token, self.request)

authentik/providers/oauth2/views/token.py

@@ -6,7 +6,6 @@ from hashlib import sha256
 from re import error as RegexError
 from re import fullmatch
 from typing import Any, Optional
-from urllib.parse import urlparse
 
 from django.http import HttpRequest, HttpResponse
 from django.utils import timezone
@@ -55,7 +54,6 @@ from authentik.providers.oauth2.models import (
     RefreshToken,
 )
 from authentik.providers.oauth2.utils import TokenResponse, cors_allow, extract_client_auth
-from authentik.providers.oauth2.views.authorize import FORBIDDEN_URI_SCHEMES
 from authentik.sources.oauth.models import OAuthSource
 from authentik.stages.password.stage import PLAN_CONTEXT_METHOD, PLAN_CONTEXT_METHOD_ARGS
 
@@ -207,10 +205,6 @@ class TokenParams:
                 ).from_http(request)
                 raise TokenError("invalid_client")
 
-        # Check against forbidden schemes
-        if urlparse(self.redirect_uri).scheme in FORBIDDEN_URI_SCHEMES:
-            raise TokenError("invalid_request")
-
         self.authorization_code = AuthorizationCode.objects.filter(code=raw_code).first()
         if not self.authorization_code:
             LOGGER.warning("Code does not exist", code=raw_code)
@@ -228,10 +222,7 @@ class TokenParams:
             raise TokenError("invalid_grant")
 
         # Validate PKCE parameters.
-        if self.authorization_code.code_challenge:
-            # Authorization code had PKCE but we didn't get one
-            if not self.code_verifier:
-                raise TokenError("invalid_request")
+        if self.code_verifier:
             if self.authorization_code.code_challenge_method == PKCE_METHOD_S256:
                 new_code_challenge = (
                     urlsafe_b64encode(sha256(self.code_verifier.encode("ascii")).digest())
@@ -493,7 +484,6 @@ class TokenView(View):
             # Keep same scopes as previous token
             scope=self.params.authorization_code.scope,
             auth_time=self.params.authorization_code.auth_time,
-            session_id=self.params.authorization_code.session_id,
         )
         access_token.id_token = IDToken.new(
             self.provider,
@@ -509,7 +499,6 @@ class TokenView(View):
             expires=refresh_token_expiry,
             provider=self.provider,
             auth_time=self.params.authorization_code.auth_time,
-            session_id=self.params.authorization_code.session_id,
         )
         id_token = IDToken.new(
             self.provider,
@@ -547,7 +536,6 @@ class TokenView(View):
             # Keep same scopes as previous token
             scope=self.params.refresh_token.scope,
             auth_time=self.params.refresh_token.auth_time,
-            session_id=self.params.refresh_token.session_id,
         )
         access_token.id_token = IDToken.new(
             self.provider,
@@ -563,7 +551,6 @@ class TokenView(View):
             expires=refresh_token_expiry,
             provider=self.provider,
             auth_time=self.params.refresh_token.auth_time,
-            session_id=self.params.refresh_token.session_id,
         )
         id_token = IDToken.new(
             self.provider,

authentik/providers/proxy/tasks.py

@@ -1,6 +1,4 @@
 """proxy provider tasks"""
-from hashlib import sha256
-
 from asgiref.sync import async_to_sync
 from channels.layers import get_channel_layer
 from django.db import DatabaseError, InternalError, ProgrammingError
@@ -25,7 +23,6 @@ def proxy_set_defaults():
 def proxy_on_logout(session_id: str):
     """Update outpost instances connected to a single outpost"""
     layer = get_channel_layer()
-    hashed_session_id = sha256(session_id.encode("ascii")).hexdigest()
     for outpost in Outpost.objects.filter(type=OutpostType.PROXY):
         group = OUTPOST_GROUP % {"outpost_pk": str(outpost.pk)}
         async_to_sync(layer.group_send)(
@@ -33,6 +30,6 @@ def proxy_on_logout(session_id: str):
             {
                 "type": "event.provider.specific",
                 "sub_type": "logout",
-                "session_id": hashed_session_id,
+                "session_id": session_id,
             },
         )

authentik/providers/scim/clients/group.py

@@ -46,9 +46,7 @@ class SCIMGroupClient(SCIMClient[Group, SCIMGroupSchema]):
 
     def to_scim(self, obj: Group) -> SCIMGroupSchema:
         """Convert authentik user into SCIM"""
-        raw_scim_group = {
-            "schemas": ("urn:ietf:params:scim:schemas:core:2.0:Group",),
-        }
+        raw_scim_group = {}
         for mapping in (
             self.provider.property_mappings_group.all().order_by("name").select_subclasses()
         ):

authentik/providers/scim/clients/schema.py

@@ -15,14 +15,12 @@ from pydanticscim.user import User as BaseUser
 class User(BaseUser):
     """Modified User schema with added externalId field"""
 
-    schemas: tuple[str] = ("urn:ietf:params:scim:schemas:core:2.0:User",)
     externalId: Optional[str] = None
 
 
 class Group(BaseGroup):
     """Modified Group schema with added externalId field"""
 
-    schemas: tuple[str] = ("urn:ietf:params:scim:schemas:core:2.0:Group",)
     externalId: Optional[str] = None
 
 

authentik/providers/scim/clients/user.py

@@ -39,9 +39,7 @@ class SCIMUserClient(SCIMClient[User, SCIMUserSchema]):
 
     def to_scim(self, obj: User) -> SCIMUserSchema:
         """Convert authentik user into SCIM"""
-        raw_scim_user = {
-            "schemas": ("urn:ietf:params:scim:schemas:core:2.0:User",),
-        }
+        raw_scim_user = {}
         for mapping in self.provider.property_mappings.all().order_by("name").select_subclasses():
             if not isinstance(mapping, SCIMMapping):
                 continue

authentik/providers/scim/tests/test_group.py

@@ -61,11 +61,7 @@ class SCIMGroupTests(TestCase):
         self.assertEqual(mock.request_history[1].method, "POST")
         self.assertJSONEqual(
             mock.request_history[1].body,
-            {
-                "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
-                "externalId": str(group.pk),
-                "displayName": group.name,
-            },
+            {"externalId": str(group.pk), "displayName": group.name},
         )
 
     @Mocker()
@@ -100,11 +96,7 @@ class SCIMGroupTests(TestCase):
             validate(body, loads(schema.read()))
         self.assertEqual(
             body,
-            {
-                "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
-                "externalId": str(group.pk),
-                "displayName": group.name,
-            },
+            {"externalId": str(group.pk), "displayName": group.name},
         )
         group.save()
         self.assertEqual(mock.call_count, 4)
@@ -137,11 +129,7 @@ class SCIMGroupTests(TestCase):
         self.assertEqual(mock.request_history[1].method, "POST")
         self.assertJSONEqual(
             mock.request_history[1].body,
-            {
-                "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
-                "externalId": str(group.pk),
-                "displayName": group.name,
-            },
+            {"externalId": str(group.pk), "displayName": group.name},
         )
         group.delete()
         self.assertEqual(mock.call_count, 4)

authentik/providers/scim/tests/test_membership.py

@@ -89,22 +89,17 @@ class SCIMMembershipTests(TestCase):
             self.assertJSONEqual(
                 mocker.request_history[3].body,
                 {
-                    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
                     "emails": [],
                     "active": True,
                     "externalId": user.uid,
-                    "name": {"familyName": " ", "formatted": " ", "givenName": ""},
+                    "name": {"familyName": "", "formatted": "", "givenName": ""},
                     "displayName": "",
                     "userName": user.username,
                 },
             )
             self.assertJSONEqual(
                 mocker.request_history[5].body,
-                {
-                    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
-                    "externalId": str(group.pk),
-                    "displayName": group.name,
-                },
+                {"externalId": str(group.pk), "displayName": group.name},
             )
 
         with Mocker() as mocker:
@@ -123,7 +118,6 @@ class SCIMMembershipTests(TestCase):
             self.assertJSONEqual(
                 mocker.request_history[1].body,
                 {
-                    "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
                     "Operations": [
                         {
                             "op": "add",
@@ -131,6 +125,7 @@ class SCIMMembershipTests(TestCase):
                             "value": [{"value": user_scim_id}],
                         }
                     ],
+                    "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
                 },
             )
 
@@ -179,22 +174,17 @@ class SCIMMembershipTests(TestCase):
             self.assertJSONEqual(
                 mocker.request_history[3].body,
                 {
-                    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
                     "active": True,
                     "displayName": "",
                     "emails": [],
                     "externalId": user.uid,
-                    "name": {"familyName": " ", "formatted": " ", "givenName": ""},
+                    "name": {"familyName": "", "formatted": "", "givenName": ""},
                     "userName": user.username,
                 },
             )
             self.assertJSONEqual(
                 mocker.request_history[5].body,
-                {
-                    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
-                    "externalId": str(group.pk),
-                    "displayName": group.name,
-                },
+                {"externalId": str(group.pk), "displayName": group.name},
             )
 
         with Mocker() as mocker:
@@ -213,7 +203,6 @@ class SCIMMembershipTests(TestCase):
             self.assertJSONEqual(
                 mocker.request_history[1].body,
                 {
-                    "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
                     "Operations": [
                         {
                             "op": "add",
@@ -221,6 +210,7 @@ class SCIMMembershipTests(TestCase):
                             "value": [{"value": user_scim_id}],
                         }
                     ],
+                    "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
                 },
             )
 
@@ -240,7 +230,6 @@ class SCIMMembershipTests(TestCase):
             self.assertJSONEqual(
                 mocker.request_history[1].body,
                 {
-                    "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
                     "Operations": [
                         {
                             "op": "remove",
@@ -248,5 +237,6 @@ class SCIMMembershipTests(TestCase):
                             "value": [{"value": user_scim_id}],
                         }
                     ],
+                    "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
                 },
             )

authentik/providers/scim/tests/test_user.py

@@ -57,7 +57,7 @@ class SCIMUserTests(TestCase):
         uid = generate_id()
         user = User.objects.create(
             username=uid,
-            name=f"{uid} {uid}",
+            name=uid,
             email=f"{uid}@goauthentik.io",
         )
         self.assertEqual(mock.call_count, 2)
@@ -66,7 +66,6 @@ class SCIMUserTests(TestCase):
         self.assertJSONEqual(
             mock.request_history[1].body,
             {
-                "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
                 "active": True,
                 "emails": [
                     {
@@ -77,11 +76,11 @@ class SCIMUserTests(TestCase):
                 ],
                 "externalId": user.uid,
                 "name": {
-                    "familyName": uid,
-                    "formatted": f"{uid} {uid}",
+                    "familyName": "",
+                    "formatted": uid,
                     "givenName": uid,
                 },
-                "displayName": f"{uid} {uid}",
+                "displayName": uid,
                 "userName": uid,
             },
         )
@@ -110,7 +109,7 @@ class SCIMUserTests(TestCase):
         uid = generate_id()
         user = User.objects.create(
             username=uid,
-            name=f"{uid} {uid}",
+            name=uid,
             email=f"{uid}@goauthentik.io",
         )
         self.assertEqual(mock.call_count, 2)
@@ -122,7 +121,6 @@ class SCIMUserTests(TestCase):
         self.assertEqual(
             body,
             {
-                "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
                 "active": True,
                 "emails": [
                     {
@@ -131,11 +129,11 @@ class SCIMUserTests(TestCase):
                         "value": f"{uid}@goauthentik.io",
                     }
                 ],
-                "displayName": f"{uid} {uid}",
+                "displayName": uid,
                 "externalId": user.uid,
                 "name": {
-                    "familyName": uid,
-                    "formatted": f"{uid} {uid}",
+                    "familyName": "",
+                    "formatted": uid,
                     "givenName": uid,
                 },
                 "userName": uid,
@@ -166,7 +164,7 @@ class SCIMUserTests(TestCase):
         uid = generate_id()
         user = User.objects.create(
             username=uid,
-            name=f"{uid} {uid}",
+            name=uid,
             email=f"{uid}@goauthentik.io",
         )
         self.assertEqual(mock.call_count, 2)
@@ -175,7 +173,6 @@ class SCIMUserTests(TestCase):
         self.assertJSONEqual(
             mock.request_history[1].body,
             {
-                "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
                 "active": True,
                 "emails": [
                     {
@@ -186,11 +183,11 @@ class SCIMUserTests(TestCase):
                 ],
                 "externalId": user.uid,
                 "name": {
-                    "familyName": uid,
-                    "formatted": f"{uid} {uid}",
+                    "familyName": "",
+                    "formatted": uid,
                     "givenName": uid,
                 },
-                "displayName": f"{uid} {uid}",
+                "displayName": uid,
                 "userName": uid,
             },
         )
@@ -230,7 +227,7 @@ class SCIMUserTests(TestCase):
         )
         user = User.objects.create(
             username=uid,
-            name=f"{uid} {uid}",
+            name=uid,
             email=f"{uid}@goauthentik.io",
         )
 
@@ -243,7 +240,6 @@ class SCIMUserTests(TestCase):
         self.assertJSONEqual(
             mock.request_history[1].body,
             {
-                "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
                 "active": True,
                 "emails": [
                     {
@@ -254,11 +250,11 @@ class SCIMUserTests(TestCase):
                 ],
                 "externalId": user.uid,
                 "name": {
-                    "familyName": uid,
-                    "formatted": f"{uid} {uid}",
+                    "familyName": "",
+                    "formatted": uid,
                     "givenName": uid,
                 },
-                "displayName": f"{uid} {uid}",
+                "displayName": uid,
                 "userName": uid,
             },
         )

authentik/rbac/api/rbac_roles.py

@@ -24,10 +24,7 @@ class ExtraRoleObjectPermissionSerializer(RoleObjectPermissionSerializer):
 
     def get_app_label_verbose(self, instance: GroupObjectPermission) -> str:
         """Get app label from permission's model"""
-        try:
-            return apps.get_app_config(instance.content_type.app_label).verbose_name
-        except LookupError:
-            return instance.content_type.app_label
+        return apps.get_app_config(instance.content_type.app_label).verbose_name
 
     def get_model_verbose(self, instance: GroupObjectPermission) -> str:
         """Get model label from permission's model"""

authentik/rbac/api/rbac_users.py

@@ -24,10 +24,7 @@ class ExtraUserObjectPermissionSerializer(UserObjectPermissionSerializer):
 
     def get_app_label_verbose(self, instance: UserObjectPermission) -> str:
         """Get app label from permission's model"""
-        try:
-            return apps.get_app_config(instance.content_type.app_label).verbose_name
-        except LookupError:
-            return instance.content_type.app_label
+        return apps.get_app_config(instance.content_type.app_label).verbose_name
 
     def get_model_verbose(self, instance: UserObjectPermission) -> str:
         """Get model label from permission's model"""

authentik/sources/oauth/types/azure_ad.py

@@ -4,8 +4,8 @@ from typing import Any
 from structlog.stdlib import get_logger
 
 from authentik.sources.oauth.clients.oauth2 import UserprofileHeaderAuthClient
-from authentik.sources.oauth.types.oidc import OpenIDConnectOAuth2Callback
 from authentik.sources.oauth.types.registry import SourceType, registry
+from authentik.sources.oauth.views.callback import OAuthCallback
 from authentik.sources.oauth.views.redirect import OAuthRedirect
 
 LOGGER = get_logger()
@@ -20,7 +20,7 @@ class AzureADOAuthRedirect(OAuthRedirect):
         }
 
 
-class AzureADOAuthCallback(OpenIDConnectOAuth2Callback):
+class AzureADOAuthCallback(OAuthCallback):
     """AzureAD OAuth2 Callback"""
 
     client_class = UserprofileHeaderAuthClient
@@ -50,7 +50,7 @@ class AzureADType(SourceType):
 
     authorization_url = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
     access_token_url = "https://login.microsoftonline.com/common/oauth2/v2.0/token"  # nosec
-    profile_url = "https://login.microsoftonline.com/common/openid/userinfo"
+    profile_url = "https://graph.microsoft.com/v1.0/me"
     oidc_well_known_url = (
         "https://login.microsoftonline.com/common/.well-known/openid-configuration"
     )

authentik/sources/oauth/types/oidc.py

@@ -23,7 +23,7 @@ class OpenIDConnectOAuth2Callback(OAuthCallback):
     client_class = UserprofileHeaderAuthClient
 
     def get_user_id(self, info: dict[str, str]) -> str:
-        return info.get("sub", None)
+        return info.get("sub", "")
 
     def get_user_enroll_context(
         self,

authentik/sources/oauth/types/okta.py

@@ -3,8 +3,8 @@ from typing import Any
 
 from authentik.sources.oauth.clients.oauth2 import UserprofileHeaderAuthClient
 from authentik.sources.oauth.models import OAuthSource
-from authentik.sources.oauth.types.oidc import OpenIDConnectOAuth2Callback
 from authentik.sources.oauth.types.registry import SourceType, registry
+from authentik.sources.oauth.views.callback import OAuthCallback
 from authentik.sources.oauth.views.redirect import OAuthRedirect
 
 
@@ -17,7 +17,7 @@ class OktaOAuthRedirect(OAuthRedirect):
         }
 
 
-class OktaOAuth2Callback(OpenIDConnectOAuth2Callback):
+class OktaOAuth2Callback(OAuthCallback):
     """Okta OAuth2 Callback"""
 
     # Okta has the same quirk as azure and throws an error if the access token
@@ -25,6 +25,9 @@ class OktaOAuth2Callback(OpenIDConnectOAuth2Callback):
     # see https://github.com/goauthentik/authentik/issues/1910
     client_class = UserprofileHeaderAuthClient
 
+    def get_user_id(self, info: dict[str, str]) -> str:
+        return info.get("sub", "")
+
     def get_user_enroll_context(
         self,
         info: dict[str, Any],

authentik/sources/oauth/types/twitch.py

@@ -3,8 +3,8 @@ from json import dumps
 from typing import Any, Optional
 
 from authentik.sources.oauth.clients.oauth2 import UserprofileHeaderAuthClient
-from authentik.sources.oauth.types.oidc import OpenIDConnectOAuth2Callback
 from authentik.sources.oauth.types.registry import SourceType, registry
+from authentik.sources.oauth.views.callback import OAuthCallback
 from authentik.sources.oauth.views.redirect import OAuthRedirect
 
 
@@ -27,11 +27,14 @@ class TwitchOAuthRedirect(OAuthRedirect):
         }
 
 
-class TwitchOAuth2Callback(OpenIDConnectOAuth2Callback):
+class TwitchOAuth2Callback(OAuthCallback):
     """Twitch OAuth2 Callback"""
 
     client_class = TwitchClient
 
+    def get_user_id(self, info: dict[str, str]) -> str:
+        return info.get("sub", "")
+
     def get_user_enroll_context(
         self,
         info: dict[str, Any],

authentik/stages/authenticator_sms/stage.py

@@ -69,6 +69,7 @@ class AuthenticatorSMSStageView(ChallengeStageView):
         stage: AuthenticatorSMSStage = self.executor.current_stage
         hashed_number = hash_phone_number(phone_number)
         query = Q(phone_number=hashed_number) | Q(phone_number=phone_number)
+        print(SMSDevice.objects.filter(query, stage=stage.pk))
         if SMSDevice.objects.filter(query, stage=stage.pk).exists():
             raise ValidationError(_("Invalid phone number"))
         # No code yet, but we have a phone number, so send a verification message

authentik/stages/authenticator_sms/tests.py

@@ -199,9 +199,11 @@ class AuthenticatorSMSStageTests(FlowTestCase):
                 sms_send_mock,
             ),
         ):
+            print(self.client.session[SESSION_KEY_PLAN])
             response = self.client.get(
                 reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug}),
             )
+        print(response.content.decode())
         self.assertStageResponse(
             response,
             self.flow,

authentik/stages/authenticator_validate/tests/test_duo.py

@@ -184,7 +184,6 @@ class AuthenticatorValidateStageDuoTests(FlowTestCase):
                     "args": {},
                     "method": "GET",
                     "path": f"/api/v3/flows/executor/{flow.slug}/",
-                    "user_agent": "",
                 },
             },
         )

authentik/stages/email/stage.py

@@ -1,11 +1,9 @@
 """authentik multi-stage authentication engine"""
 from datetime import timedelta
-from uuid import uuid4
 
 from django.contrib import messages
 from django.http import HttpRequest, HttpResponse
 from django.http.request import QueryDict
-from django.template.exceptions import TemplateSyntaxError
 from django.urls import reverse
 from django.utils.text import slugify
 from django.utils.timezone import now
@@ -13,14 +11,11 @@ from django.utils.translation import gettext as _
 from rest_framework.fields import CharField
 from rest_framework.serializers import ValidationError
 
-from authentik.events.models import Event, EventAction
 from authentik.flows.challenge import Challenge, ChallengeResponse, ChallengeTypes
-from authentik.flows.exceptions import StageInvalidException
 from authentik.flows.models import FlowDesignation, FlowToken
 from authentik.flows.planner import PLAN_CONTEXT_IS_RESTORED, PLAN_CONTEXT_PENDING_USER
 from authentik.flows.stage import ChallengeStageView
 from authentik.flows.views.executor import QS_KEY_TOKEN, QS_QUERY
-from authentik.lib.utils.errors import exception_to_string
 from authentik.stages.email.models import EmailStage
 from authentik.stages.email.tasks import send_mails
 from authentik.stages.email.utils import TemplateEmailMessage
@@ -63,6 +58,7 @@ class EmailStageView(ChallengeStageView):
         query_params = QueryDict(self.request.GET.get(QS_QUERY), mutable=True)
         query_params.pop(QS_KEY_TOKEN, None)
         query_params.update(kwargs)
+        print(query_params)
         full_url = base_url
         if len(query_params) > 0:
             full_url = f"{full_url}?{query_params.urlencode()}"
@@ -75,7 +71,7 @@ class EmailStageView(ChallengeStageView):
         valid_delta = timedelta(
             minutes=current_stage.token_expiry + 1
         )  # + 1 because django timesince always rounds down
-        identifier = slugify(f"ak-email-stage-{current_stage.name}-{str(uuid4())}")
+        identifier = slugify(f"ak-email-stage-{current_stage.name}-{pending_user}")
         # Don't check for validity here, we only care if the token exists
         tokens = FlowToken.objects.filter(identifier=identifier)
         if not tokens.exists():
@@ -107,27 +103,18 @@ class EmailStageView(ChallengeStageView):
         current_stage: EmailStage = self.executor.current_stage
         token = self.get_token()
         # Send mail to user
-        try:
-            message = TemplateEmailMessage(
-                subject=_(current_stage.subject),
-                to=[email],
-                language=pending_user.locale(self.request),
-                template_name=current_stage.template,
-                template_context={
-                    "url": self.get_full_url(**{QS_KEY_TOKEN: token.key}),
-                    "user": pending_user,
-                    "expires": token.expires,
-                },
-            )
-            send_mails(current_stage, message)
-        except TemplateSyntaxError as exc:
-            Event.new(
-                EventAction.CONFIGURATION_ERROR,
-                message=_("Exception occurred while rendering E-mail template"),
-                error=exception_to_string(exc),
-                template=current_stage.template,
-            ).from_http(self.request)
-            raise StageInvalidException from exc
+        message = TemplateEmailMessage(
+            subject=_(current_stage.subject),
+            to=[email],
+            language=pending_user.locale(self.request),
+            template_name=current_stage.template,
+            template_context={
+                "url": self.get_full_url(**{QS_KEY_TOKEN: token.key}),
+                "user": pending_user,
+                "expires": token.expires,
+            },
+        )
+        send_mails(current_stage, message)
 
     def get(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
         # Check if the user came back from the email link to verify
@@ -148,11 +135,7 @@ class EmailStageView(ChallengeStageView):
             return self.executor.stage_invalid()
         # Check if we've already sent the initial e-mail
         if PLAN_CONTEXT_EMAIL_SENT not in self.executor.plan.context:
-            try:
-                self.send_email()
-            except StageInvalidException as exc:
-                self.logger.debug("Got StageInvalidException", exc=exc)
-                return self.executor.stage_invalid()
+            self.send_email()
             self.executor.plan.context[PLAN_CONTEXT_EMAIL_SENT] = True
         return super().get(request, *args, **kwargs)
 

authentik/stages/email/tests/test_templates.py

@@ -4,20 +4,11 @@ from pathlib import Path
 from shutil import rmtree
 from tempfile import mkdtemp, mkstemp
 from typing import Any
-from unittest.mock import PropertyMock, patch
 
 from django.conf import settings
-from django.core.mail.backends.locmem import EmailBackend
-from django.urls import reverse
+from django.test import TestCase
 
-from authentik.core.tests.utils import create_test_admin_user, create_test_flow
-from authentik.events.models import Event, EventAction
-from authentik.flows.markers import StageMarker
-from authentik.flows.models import FlowDesignation, FlowStageBinding
-from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlan
-from authentik.flows.tests import FlowTestCase
-from authentik.flows.views.executor import SESSION_KEY_PLAN
-from authentik.stages.email.models import EmailStage, get_template_choices
+from authentik.stages.email.models import get_template_choices
 
 
 def get_templates_setting(temp_dir: str) -> dict[str, Any]:
@@ -27,18 +18,11 @@ def get_templates_setting(temp_dir: str) -> dict[str, Any]:
     return templates_setting
 
 
-class TestEmailStageTemplates(FlowTestCase):
+class TestEmailStageTemplates(TestCase):
     """Email tests"""
 
     def setUp(self) -> None:
-        self.dir = Path(mkdtemp())
-        self.user = create_test_admin_user()
-
-        self.flow = create_test_flow(FlowDesignation.AUTHENTICATION)
-        self.stage = EmailStage.objects.create(
-            name="email",
-        )
-        self.binding = FlowStageBinding.objects.create(target=self.flow, stage=self.stage, order=2)
+        self.dir = mkdtemp()
 
     def tearDown(self) -> None:
         rmtree(self.dir)
@@ -54,37 +38,3 @@ class TestEmailStageTemplates(FlowTestCase):
             self.assertEqual(len(choices), 3)
             unlink(file)
             unlink(file2)
-
-    def test_custom_template_invalid_syntax(self):
-        """Test with custom template"""
-        with open(self.dir / Path("invalid.html"), "w+", encoding="utf-8") as _invalid:
-            _invalid.write("{% blocktranslate %}")
-        with self.settings(TEMPLATES=get_templates_setting(self.dir)):
-            self.stage.template = "invalid.html"
-            plan = FlowPlan(
-                flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()]
-            )
-            plan.context[PLAN_CONTEXT_PENDING_USER] = self.user
-            session = self.client.session
-            session[SESSION_KEY_PLAN] = plan
-            session.save()
-
-            url = reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug})
-            with patch(
-                "authentik.stages.email.models.EmailStage.backend_class",
-                PropertyMock(return_value=EmailBackend),
-            ):
-                response = self.client.get(url)
-                self.assertEqual(response.status_code, 200)
-                self.assertStageResponse(
-                    response,
-                    self.flow,
-                    error_message="Unknown error",
-                )
-                events = Event.objects.filter(action=EventAction.CONFIGURATION_ERROR)
-                self.assertEqual(len(events), 1)
-                event = events.first()
-                self.assertEqual(
-                    event.context["message"], "Exception occurred while rendering E-mail template"
-                )
-                self.assertEqual(event.context["template"], "invalid.html")

authentik/stages/user_write/tests.py

@@ -6,7 +6,6 @@ from django.urls import reverse
 from authentik.core.models import USER_ATTRIBUTE_SOURCES, Group, Source, User, UserSourceConnection
 from authentik.core.sources.stage import PLAN_CONTEXT_SOURCES_CONNECTION
 from authentik.core.tests.utils import create_test_admin_user, create_test_flow
-from authentik.events.models import Event, EventAction
 from authentik.flows.markers import StageMarker
 from authentik.flows.models import FlowStageBinding
 from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlan
@@ -59,33 +58,11 @@ class TestUserWriteStage(FlowTestCase):
         self.assertStageRedirects(response, reverse("authentik_core:root-redirect"))
         user_qs = User.objects.filter(username=plan.context[PLAN_CONTEXT_PROMPT]["username"])
         self.assertTrue(user_qs.exists())
-        user = user_qs.first()
-        self.assertTrue(user.check_password(password))
-        self.assertEqual(list(user.ak_groups.order_by("name")), [self.other_group, self.group])
-        self.assertEqual(user.attributes, {USER_ATTRIBUTE_SOURCES: [self.source.name]})
-
-        self.assertTrue(
-            Event.objects.filter(
-                action=EventAction.MODEL_CREATED,
-                context__model={
-                    "app": "authentik_core",
-                    "model_name": "user",
-                    "pk": user.pk,
-                    "name": "name",
-                },
-            )
-        )
-        self.assertTrue(
-            Event.objects.filter(
-                action=EventAction.MODEL_UPDATED,
-                context__model={
-                    "app": "authentik_core",
-                    "model_name": "user",
-                    "pk": user.pk,
-                    "name": "name",
-                },
-            )
+        self.assertTrue(user_qs.first().check_password(password))
+        self.assertEqual(
+            list(user_qs.first().ak_groups.order_by("name")), [self.other_group, self.group]
         )
+        self.assertEqual(user_qs.first().attributes, {USER_ATTRIBUTE_SOURCES: [self.source.name]})
 
     def test_user_update(self):
         """Test update of existing user"""

blueprints/system/providers-proxy.yaml

@@ -14,11 +14,8 @@ entries:
       expression: |
         # This mapping is used by the authentik proxy. It passes extra user attributes,
         # which are used for example for the HTTP-Basic Authentication mapping.
-        session_id = None
-        if "token" in request.context:
-            session_id = request.context.get("token").session_id
         return {
-            "sid": session_id,
+            "sid": request.http_request.session.session_key,
             "ak_proxy": {
                 "user_attributes": request.user.group_attributes(request),
                 "is_superuser": request.user.is_superuser,

blueprints/system/providers-scim.yaml

@@ -11,15 +11,13 @@ entries:
       name: "authentik default SCIM Mapping: User"
       expression: |
         # Some implementations require givenName and familyName to be set
-        givenName, familyName = request.user.name, " "
-        formatted = request.user.name + " "
+        givenName, familyName = request.user.name, ""
         # This default sets givenName to the name before the first space
         # and the remainder as family name
         # if the user's name has no space the givenName is the entire name
         # (this might cause issues with some SCIM implementations)
         if " " in request.user.name:
             givenName, _, familyName = request.user.name.partition(" ")
-            formatted = request.user.name
 
         # photos supports URLs to images, however authentik might return data URIs
         avatar = request.user.avatar
@@ -41,7 +39,7 @@ entries:
         return {
             "userName": request.user.username,
             "name": {
-                "formatted": formatted,
+                "formatted": request.user.name,
                 "givenName": givenName,
                 "familyName": familyName,
             },

docker-compose.yml

@@ -32,7 +32,7 @@ services:
     volumes:
       - redis:/data
   server:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2023.10.6}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2023.10.2}
     restart: unless-stopped
     command: server
     environment:
@@ -53,7 +53,7 @@ services:
       - postgresql
       - redis
   worker:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2023.10.6}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2023.10.2}
     restart: unless-stopped
     command: worker
     environment:

go.mod

@@ -13,24 +13,24 @@ require (
 	github.com/go-openapi/strfmt v0.21.7
 	github.com/golang-jwt/jwt v3.2.2+incompatible
 	github.com/google/uuid v1.4.0
-	github.com/gorilla/handlers v1.5.1
-	github.com/gorilla/mux v1.8.0
-	github.com/gorilla/securecookie v1.1.1
-	github.com/gorilla/sessions v1.2.1
-	github.com/gorilla/websocket v1.5.0
+	github.com/gorilla/handlers v1.5.2
+	github.com/gorilla/mux v1.8.1
+	github.com/gorilla/securecookie v1.1.2
+	github.com/gorilla/sessions v1.2.2
+	github.com/gorilla/websocket v1.5.1
 	github.com/jellydator/ttlcache/v3 v3.1.0
 	github.com/mitchellh/mapstructure v1.5.0
 	github.com/nmcclain/asn1-ber v0.0.0-20170104154839-2661553a0484
 	github.com/pires/go-proxyproto v0.7.0
 	github.com/prometheus/client_golang v1.17.0
-	github.com/redis/go-redis/v9 v9.2.1
+	github.com/redis/go-redis/v9 v9.3.0
 	github.com/sirupsen/logrus v1.9.3
-	github.com/spf13/cobra v1.7.0
+	github.com/spf13/cobra v1.8.0
 	github.com/stretchr/testify v1.8.4
-	goauthentik.io/api/v3 v3.2023101.1
+	goauthentik.io/api/v3 v3.2023102.1
 	golang.org/x/exp v0.0.0-20230210204819-062eb4c674ab
 	golang.org/x/oauth2 v0.13.0
-	golang.org/x/sync v0.4.0
+	golang.org/x/sync v0.5.0
 	gopkg.in/yaml.v2 v2.4.0
 	layeh.com/radius v0.0.0-20210819152912-ad72663a72ab
 )
@@ -42,7 +42,7 @@ require (
 	github.com/cespare/xxhash/v2 v2.2.0 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
-	github.com/felixge/httpsnoop v1.0.1 // indirect
+	github.com/felixge/httpsnoop v1.0.3 // indirect
 	github.com/go-asn1-ber/asn1-ber v1.5.5 // indirect
 	github.com/go-http-utils/fresh v0.0.0-20161124030543-7231e26a4b27 // indirect
 	github.com/go-http-utils/headers v0.0.0-20181008091004-fed159eddc2a // indirect

go.sum

@@ -62,7 +62,7 @@ github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDk
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
 github.com/coreos/go-oidc v2.2.1+incompatible h1:mh48q/BqXqgjVHpy2ZY7WnWAbenxRjsz9N1i1YxjHAk=
 github.com/coreos/go-oidc v2.2.1+incompatible/go.mod h1:CgnwVTmzoESiwO9qyAFEMiHoZ1nMCKZlZ9V6mm3/LKc=
-github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
+github.com/cpuguy83/go-md2man/v2 v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
@@ -73,8 +73,8 @@ github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymF
 github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
-github.com/felixge/httpsnoop v1.0.1 h1:lvB5Jl89CsZtGIWuTcDM1E/vkVs49/Ml7JJe07l8SPQ=
-github.com/felixge/httpsnoop v1.0.1/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
+github.com/felixge/httpsnoop v1.0.3 h1:s/nj+GCswXYzN5v2DpNMuMQYe+0DDwt5WVCU6CWBdXk=
+github.com/felixge/httpsnoop v1.0.3/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
 github.com/getsentry/sentry-go v0.25.0 h1:q6Eo+hS+yoJlTO3uu/azhQadsD8V+jQn2D8VvX1eOyI=
 github.com/getsentry/sentry-go v0.25.0/go.mod h1:lc76E2QywIyW8WuBnwl8Lc4bkmQH4+w1gwTf25trprY=
 github.com/go-asn1-ber/asn1-ber v1.5.5 h1:MNHlNMBDgEKD4TcKr36vQN68BA00aDfjIt3/bD50WnA=
@@ -200,6 +200,8 @@ github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
 github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
+github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
 github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0=
 github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
@@ -216,16 +218,16 @@ github.com/google/uuid v1.4.0 h1:MtMxsa51/r9yyhkyLsVeVt0B+BGQZzpQiTQ4eHZ8bc4=
 github.com/google/uuid v1.4.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
 github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
-github.com/gorilla/handlers v1.5.1 h1:9lRY6j8DEeeBT10CvO9hGW0gmky0BprnvDI5vfhUHH4=
-github.com/gorilla/handlers v1.5.1/go.mod h1:t8XrUpc4KVXb7HGyJ4/cEnwQiaxrX/hz1Zv/4g96P1Q=
-github.com/gorilla/mux v1.8.0 h1:i40aqfkR1h2SlN9hojwV5ZA91wcXFOvkdNIeFDP5koI=
-github.com/gorilla/mux v1.8.0/go.mod h1:DVbg23sWSpFRCP0SfiEN6jmj59UnW/n46BH5rLB71So=
-github.com/gorilla/securecookie v1.1.1 h1:miw7JPhV+b/lAHSXz4qd/nN9jRiAFV5FwjeKyCS8BvQ=
-github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4=
-github.com/gorilla/sessions v1.2.1 h1:DHd3rPN5lE3Ts3D8rKkQ8x/0kqfeNmBAaiSi+o7FsgI=
-github.com/gorilla/sessions v1.2.1/go.mod h1:dk2InVEVJ0sfLlnXv9EAgkf6ecYs/i80K/zI+bUmuGM=
-github.com/gorilla/websocket v1.5.0 h1:PPwGk2jz7EePpoHN/+ClbZu8SPxiqlu12wZP/3sWmnc=
-github.com/gorilla/websocket v1.5.0/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
+github.com/gorilla/handlers v1.5.2 h1:cLTUSsNkgcwhgRqvCNmdbRWG0A3N4F+M2nWKdScwyEE=
+github.com/gorilla/handlers v1.5.2/go.mod h1:dX+xVpaxdSw+q0Qek8SSsl3dfMk3jNddUkMzo0GtH0w=
+github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY=
+github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ=
+github.com/gorilla/securecookie v1.1.2 h1:YCIWL56dvtr73r6715mJs5ZvhtnY73hBvEF8kXD8ePA=
+github.com/gorilla/securecookie v1.1.2/go.mod h1:NfCASbcHqRSY+3a8tlWJwsQap2VX5pwzwo4h3eOamfo=
+github.com/gorilla/sessions v1.2.2 h1:lqzMYz6bOfvn2WriPUjNByzeXIlVzURcPmgMczkmTjY=
+github.com/gorilla/sessions v1.2.2/go.mod h1:ePLdVu+jbEgHH+KWw8I1z2wqd0BAdAQh/8LRvBeoNcQ=
+github.com/gorilla/websocket v1.5.1 h1:gmztn0JnHVt9JZquRuzLw3g4wouNVzKL15iLr/zn/QY=
+github.com/gorilla/websocket v1.5.1/go.mod h1:x3kM2JMyaluk02fnUJpQuwD2dCS5NDG2ZHL0uE0tcaY=
 github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
@@ -295,8 +297,8 @@ github.com/prometheus/common v0.44.0 h1:+5BrQJwiBB9xsMygAB3TNvpQKOwlkc25LbISbrdO
 github.com/prometheus/common v0.44.0/go.mod h1:ofAIvZbQ1e/nugmZGz4/qCb9Ap1VoSTIO7x0VV9VvuY=
 github.com/prometheus/procfs v0.11.1 h1:xRC8Iq1yyca5ypa9n1EZnWZkt7dwcoRPQwX/5gwaUuI=
 github.com/prometheus/procfs v0.11.1/go.mod h1:eesXgaPo1q7lBpVMoMy0ZOFTth9hBn4W/y0/p/ScXhY=
-github.com/redis/go-redis/v9 v9.2.1 h1:WlYJg71ODF0dVspZZCpYmoF1+U1Jjk9Rwd7pq6QmlCg=
-github.com/redis/go-redis/v9 v9.2.1/go.mod h1:hdY0cQFCN4fnSYT6TkisLufl/4W5UIXyv0b/CLO2V2M=
+github.com/redis/go-redis/v9 v9.3.0 h1:RiVDjmig62jIWp7Kk4XVLs0hzV6pI3PyTnnL0cnn0u0=
+github.com/redis/go-redis/v9 v9.3.0/go.mod h1:hdY0cQFCN4fnSYT6TkisLufl/4W5UIXyv0b/CLO2V2M=
 github.com/rogpeppe/go-internal v1.1.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
 github.com/rogpeppe/go-internal v1.2.2/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
@@ -309,8 +311,8 @@ github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6Mwd
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/spf13/cobra v0.0.3/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ=
-github.com/spf13/cobra v1.7.0 h1:hyqWnYt1ZQShIddO5kBpj3vu05/++x6tJ6dg8EC572I=
-github.com/spf13/cobra v1.7.0/go.mod h1:uLxZILRyS/50WlhOIKD7W6V5bgeIt+4sICxh6uRMrb0=
+github.com/spf13/cobra v1.8.0 h1:7aJaZx1B85qltLMc546zn58BxxfZdR/W22ej9CFoEf0=
+github.com/spf13/cobra v1.8.0/go.mod h1:WXLWApfZ71AjXPya3WOlMsY9yMs7YeiHhFVlvLyhcho=
 github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
@@ -356,8 +358,8 @@ go.opentelemetry.io/otel/trace v1.14.0 h1:wp2Mmvj41tDsyAJXiWDWpfNsOiIyd38fy85pyK
 go.opentelemetry.io/otel/trace v1.14.0/go.mod h1:8avnQLK+CG77yNLUae4ea2JDQ6iT+gozhnZjy/rw9G8=
 go.uber.org/goleak v1.2.1 h1:NBol2c7O1ZokfZ0LEU9K6Whx/KnwvepVetCUhtKja4A=
 go.uber.org/goleak v1.2.1/go.mod h1:qlT2yGI9QafXHhZZLxlSuNsMw3FFLxBr+tBRlmO1xH4=
-goauthentik.io/api/v3 v3.2023101.1 h1:KIQ4wmxjE+geAVB0wBfmxW9Uzo/tA0dbd2hSUJ7YJ3M=
-goauthentik.io/api/v3 v3.2023101.1/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
+goauthentik.io/api/v3 v3.2023102.1 h1:TinB3fzh17iw92Mak0pxVdVSMJbL2CxZkQSvd98C4+U=
+goauthentik.io/api/v3 v3.2023102.1/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
 golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190422162423-af44ce270edf/go.mod h1:WFFai1msRO1wXaEeE5yQxYXgSfI8pQAWXbQop6sCtWE=
@@ -460,8 +462,8 @@ golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.4.0 h1:zxkM55ReGkDlKSM+Fu41A+zmbZuaPVbGMzvvdUPznYQ=
-golang.org/x/sync v0.4.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
+golang.org/x/sync v0.5.0 h1:60k92dhOjHxJkrqnwsfl8KuaHbn/5dl0lUPUklKo3qE=
+golang.org/x/sync v0.5.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=

internal/constants/constants.go

@@ -29,4 +29,4 @@ func UserAgent() string {
 	return fmt.Sprintf("authentik@%s", FullVersion())
 }
 
-const VERSION = "2023.10.6"
+const VERSION = "2023.10.2"

internal/outpost/proxyv2/application/oauth_callback.go

@@ -31,11 +31,16 @@ func (a *Application) redeemCallback(savedState string, u *url.URL, c context.Co
 		return nil, err
 	}
 
-	jwt := oauth2Token.AccessToken
-	a.log.WithField("jwt", jwt).Trace("access_token")
+	// Extract the ID Token from OAuth2 token.
+	rawIDToken, ok := oauth2Token.Extra("id_token").(string)
+	if !ok {
+		return nil, fmt.Errorf("missing id_token")
+	}
+
+	a.log.WithField("id_token", rawIDToken).Trace("id_token")
 
 	// Parse and verify ID Token payload.
-	idToken, err := a.tokenVerifier.Verify(ctx, jwt)
+	idToken, err := a.tokenVerifier.Verify(ctx, rawIDToken)
 	if err != nil {
 		return nil, err
 	}
@@ -48,6 +53,6 @@ func (a *Application) redeemCallback(savedState string, u *url.URL, c context.Co
 	if claims.Proxy == nil {
 		claims.Proxy = &ProxyClaims{}
 	}
-	claims.RawToken = jwt
+	claims.RawToken = rawIDToken
 	return claims, nil
 }

internal/outpost/proxyv2/application/session.go

@@ -62,7 +62,7 @@ func (a *Application) getStore(p api.ProxyOutpostConfig, externalHost *url.URL)
 	// https://github.com/markbates/goth/commit/7276be0fdf719ddff753f3574ef0f967e4a5a5f7
 	// set the maxLength of the cookies stored on the disk to a larger number to prevent issues with:
 	// securecookie: the value is too long
-	// when using OpenID Connect, since this can contain a large amount of extra information in the id_token
+	// when using OpenID Connect , since this can contain a large amount of extra information in the id_token
 
 	// Note, when using the FilesystemStore only the session.ID is written to a browser cookie, so this is explicit for the storage on disk
 	cs.MaxLength(math.MaxInt)
@@ -71,7 +71,7 @@ func (a *Application) getStore(p api.ProxyOutpostConfig, externalHost *url.URL)
 	cs.Options.Domain = *p.CookieDomain
 	cs.Options.SameSite = http.SameSiteLaxMode
 	cs.Options.MaxAge = maxAge
-	cs.Options.Path = "/"
+	cs.Options.Path = externalHost.Path
 	a.log.WithField("dir", dir).Trace("using filesystem session backend")
 	return cs
 }

internal/outpost/proxyv2/ws.go

@@ -36,7 +36,6 @@ func (ps *ProxyServer) handleWSMessage(ctx context.Context, args map[string]inte
 	switch msg.SubType {
 	case WSProviderSubTypeLogout:
 		for _, p := range ps.apps {
-			ps.log.WithField("provider", p.Host).Debug("Logging out")
 			err := p.Logout(ctx, func(c application.Claims) bool {
 				return c.Sid == msg.SessionID
 			})

ldap.Dockerfile

@@ -1,7 +1,5 @@
-# syntax=docker/dockerfile:1
-
 # Stage 1: Build
-FROM --platform=${BUILDPLATFORM} docker.io/golang:1.21.4-bookworm AS builder
+FROM --platform=${BUILDPLATFORM} docker.io/golang:1.21.3-bookworm AS builder
 
 ARG TARGETOS
 ARG TARGETARCH
@@ -20,8 +18,8 @@ RUN --mount=type=bind,target=/go/src/goauthentik.io/go.mod,src=./go.mod \
 
 ENV CGO_ENABLED=0
 COPY . .
-RUN --mount=type=cache,sharing=locked,target=/go/pkg/mod \
-    --mount=type=cache,id=go-build-$TARGETARCH$TARGETVARIANT,sharing=locked,target=/root/.cache/go-build \
+RUN --mount=type=cache,target=/go/pkg/mod \
+    --mount=type=cache,target=/root/.cache/go-build \
     GOARM="${TARGETVARIANT#v}" go build -o /go/ldap ./cmd/ldap
 
 # Stage 2: Run

poetry.lock

@@ -1,4 +1,4 @@
-# This file is automatically @generated by Poetry 1.7.0 and should not be changed by hand.
+# This file is automatically @generated by Poetry 1.6.1 and should not be changed by hand.
 
 [[package]]
 name = "aiohttp"
@@ -1117,13 +1117,13 @@ graph = ["objgraph (>=1.7.2)"]
 
 [[package]]
 name = "django"
-version = "4.2.6"
+version = "4.2.7"
 description = "A high-level Python web framework that encourages rapid development and clean, pragmatic design."
 optional = false
 python-versions = ">=3.8"
 files = [
-    {file = "Django-4.2.6-py3-none-any.whl", hash = "sha256:a64d2487cdb00ad7461434320ccc38e60af9c404773a2f95ab0093b4453a3215"},
-    {file = "Django-4.2.6.tar.gz", hash = "sha256:08f41f468b63335aea0d904c5729e0250300f6a1907bf293a65499496cdbc68f"},
+    {file = "Django-4.2.7-py3-none-any.whl", hash = "sha256:e1d37c51ad26186de355cbcec16613ebdabfa9689bbade9c538835205a8abbe9"},
+    {file = "Django-4.2.7.tar.gz", hash = "sha256:8e0f1c2c2786b5c0e39fe1afce24c926040fad47c8ea8ad30aaf1188df29fc41"},
 ]
 
 [package.dependencies]
@@ -2096,6 +2096,16 @@ files = [
     {file = "MarkupSafe-2.1.3-cp311-cp311-musllinux_1_1_x86_64.whl", hash = "sha256:5bbe06f8eeafd38e5d0a4894ffec89378b6c6a625ff57e3028921f8ff59318ac"},
     {file = "MarkupSafe-2.1.3-cp311-cp311-win32.whl", hash = "sha256:dd15ff04ffd7e05ffcb7fe79f1b98041b8ea30ae9234aed2a9168b5797c3effb"},
     {file = "MarkupSafe-2.1.3-cp311-cp311-win_amd64.whl", hash = "sha256:134da1eca9ec0ae528110ccc9e48041e0828d79f24121a1a146161103c76e686"},
+    {file = "MarkupSafe-2.1.3-cp312-cp312-macosx_10_9_universal2.whl", hash = "sha256:f698de3fd0c4e6972b92290a45bd9b1536bffe8c6759c62471efaa8acb4c37bc"},
+    {file = "MarkupSafe-2.1.3-cp312-cp312-macosx_10_9_x86_64.whl", hash = "sha256:aa57bd9cf8ae831a362185ee444e15a93ecb2e344c8e52e4d721ea3ab6ef1823"},
+    {file = "MarkupSafe-2.1.3-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:ffcc3f7c66b5f5b7931a5aa68fc9cecc51e685ef90282f4a82f0f5e9b704ad11"},
+    {file = "MarkupSafe-2.1.3-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:47d4f1c5f80fc62fdd7777d0d40a2e9dda0a05883ab11374334f6c4de38adffd"},
+    {file = "MarkupSafe-2.1.3-cp312-cp312-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:1f67c7038d560d92149c060157d623c542173016c4babc0c1913cca0564b9939"},
+    {file = "MarkupSafe-2.1.3-cp312-cp312-musllinux_1_1_aarch64.whl", hash = "sha256:9aad3c1755095ce347e26488214ef77e0485a3c34a50c5a5e2471dff60b9dd9c"},
+    {file = "MarkupSafe-2.1.3-cp312-cp312-musllinux_1_1_i686.whl", hash = "sha256:14ff806850827afd6b07a5f32bd917fb7f45b046ba40c57abdb636674a8b559c"},
+    {file = "MarkupSafe-2.1.3-cp312-cp312-musllinux_1_1_x86_64.whl", hash = "sha256:8f9293864fe09b8149f0cc42ce56e3f0e54de883a9de90cd427f191c346eb2e1"},
+    {file = "MarkupSafe-2.1.3-cp312-cp312-win32.whl", hash = "sha256:715d3562f79d540f251b99ebd6d8baa547118974341db04f5ad06d5ea3eb8007"},
+    {file = "MarkupSafe-2.1.3-cp312-cp312-win_amd64.whl", hash = "sha256:1b8dd8c3fd14349433c79fa8abeb573a55fc0fdd769133baac1f5e07abf54aeb"},
     {file = "MarkupSafe-2.1.3-cp37-cp37m-macosx_10_9_x86_64.whl", hash = "sha256:8e254ae696c88d98da6555f5ace2279cf7cd5b3f52be2b5cf97feafe883b58d2"},
     {file = "MarkupSafe-2.1.3-cp37-cp37m-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:cb0932dc158471523c9637e807d9bfb93e06a95cbf010f1a38b98623b929ef2b"},
     {file = "MarkupSafe-2.1.3-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:9402b03f1a1b4dc4c19845e5c749e3ab82d5078d16a2a4c2cd2df62d57bb0707"},
@@ -2830,7 +2840,10 @@ files = [
 [package.dependencies]
 astroid = ">=3.0.1,<=3.1.0-dev0"
 colorama = {version = ">=0.4.5", markers = "sys_platform == \"win32\""}
-dill = {version = ">=0.3.6", markers = "python_version >= \"3.11\""}
+dill = [
+    {version = ">=0.3.7", markers = "python_version >= \"3.12\""},
+    {version = ">=0.3.6", markers = "python_version >= \"3.11\" and python_version < \"3.12\""},
+]
 isort = ">=4.2.5,<6"
 mccabe = ">=0.6,<0.8"
 platformdirs = ">=2.2.0"
@@ -2965,17 +2978,17 @@ testing = ["argcomplete", "attrs (>=19.2.0)", "hypothesis (>=3.56)", "mock", "no
 
 [[package]]
 name = "pytest-django"
-version = "4.5.2"
+version = "4.6.0"
 description = "A Django plugin for pytest."
 optional = false
-python-versions = ">=3.5"
+python-versions = ">=3.8"
 files = [
-    {file = "pytest-django-4.5.2.tar.gz", hash = "sha256:d9076f759bb7c36939dbdd5ae6633c18edfc2902d1a69fdbefd2426b970ce6c2"},
-    {file = "pytest_django-4.5.2-py3-none-any.whl", hash = "sha256:c60834861933773109334fe5a53e83d1ef4828f2203a1d6a0fa9972f4f75ab3e"},
+    {file = "pytest-django-4.6.0.tar.gz", hash = "sha256:ebc12a64f822a1284a281caf434d693f96bff69a9b09c677f538ecaa2f470b37"},
+    {file = "pytest_django-4.6.0-py3-none-any.whl", hash = "sha256:7e90a183dec8c715714864e5dc8da99bb219502d437a9769a3c9e524af57e43a"},
 ]
 
 [package.dependencies]
-pytest = ">=5.4.0"
+pytest = ">=7.0.0"
 
 [package.extras]
 docs = ["sphinx", "sphinx-rtd-theme"]
@@ -3083,6 +3096,7 @@ files = [
     {file = "PyYAML-6.0.1-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:69b023b2b4daa7548bcfbd4aa3da05b3a74b772db9e23b982788168117739938"},
     {file = "PyYAML-6.0.1-cp310-cp310-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:81e0b275a9ecc9c0c0c07b4b90ba548307583c125f54d5b6946cfee6360c733d"},
     {file = "PyYAML-6.0.1-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:ba336e390cd8e4d1739f42dfe9bb83a3cc2e80f567d8805e11b46f4a943f5515"},
+    {file = "PyYAML-6.0.1-cp310-cp310-musllinux_1_1_x86_64.whl", hash = "sha256:326c013efe8048858a6d312ddd31d56e468118ad4cdeda36c719bf5bb6192290"},
     {file = "PyYAML-6.0.1-cp310-cp310-win32.whl", hash = "sha256:bd4af7373a854424dabd882decdc5579653d7868b8fb26dc7d0e99f823aa5924"},
     {file = "PyYAML-6.0.1-cp310-cp310-win_amd64.whl", hash = "sha256:fd1592b3fdf65fff2ad0004b5e363300ef59ced41c2e6b3a99d4089fa8c5435d"},
     {file = "PyYAML-6.0.1-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:6965a7bc3cf88e5a1c3bd2e0b5c22f8d677dc88a455344035f03399034eb3007"},
@@ -3090,8 +3104,15 @@ files = [
     {file = "PyYAML-6.0.1-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:42f8152b8dbc4fe7d96729ec2b99c7097d656dc1213a3229ca5383f973a5ed6d"},
     {file = "PyYAML-6.0.1-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:062582fca9fabdd2c8b54a3ef1c978d786e0f6b3a1510e0ac93ef59e0ddae2bc"},
     {file = "PyYAML-6.0.1-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:d2b04aac4d386b172d5b9692e2d2da8de7bfb6c387fa4f801fbf6fb2e6ba4673"},
+    {file = "PyYAML-6.0.1-cp311-cp311-musllinux_1_1_x86_64.whl", hash = "sha256:e7d73685e87afe9f3b36c799222440d6cf362062f78be1013661b00c5c6f678b"},
     {file = "PyYAML-6.0.1-cp311-cp311-win32.whl", hash = "sha256:1635fd110e8d85d55237ab316b5b011de701ea0f29d07611174a1b42f1444741"},
     {file = "PyYAML-6.0.1-cp311-cp311-win_amd64.whl", hash = "sha256:bf07ee2fef7014951eeb99f56f39c9bb4af143d8aa3c21b1677805985307da34"},
+    {file = "PyYAML-6.0.1-cp312-cp312-macosx_10_9_x86_64.whl", hash = "sha256:855fb52b0dc35af121542a76b9a84f8d1cd886ea97c84703eaa6d88e37a2ad28"},
+    {file = "PyYAML-6.0.1-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:40df9b996c2b73138957fe23a16a4f0ba614f4c0efce1e9406a184b6d07fa3a9"},
+    {file = "PyYAML-6.0.1-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:6c22bec3fbe2524cde73d7ada88f6566758a8f7227bfbf93a408a9d86bcc12a0"},
+    {file = "PyYAML-6.0.1-cp312-cp312-musllinux_1_1_x86_64.whl", hash = "sha256:8d4e9c88387b0f5c7d5f281e55304de64cf7f9c0021a3525bd3b1c542da3b0e4"},
+    {file = "PyYAML-6.0.1-cp312-cp312-win32.whl", hash = "sha256:d483d2cdf104e7c9fa60c544d92981f12ad66a457afae824d146093b8c294c54"},
+    {file = "PyYAML-6.0.1-cp312-cp312-win_amd64.whl", hash = "sha256:0d3304d8c0adc42be59c5f8a4d9e3d7379e6955ad754aa9d6ab7a398b59dd1df"},
     {file = "PyYAML-6.0.1-cp36-cp36m-macosx_10_9_x86_64.whl", hash = "sha256:50550eb667afee136e9a77d6dc71ae76a44df8b3e51e41b77f6de2932bfe0f47"},
     {file = "PyYAML-6.0.1-cp36-cp36m-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:1fe35611261b29bd1de0070f0b2f47cb6ff71fa6595c077e42bd0c419fa27b98"},
     {file = "PyYAML-6.0.1-cp36-cp36m-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:704219a11b772aea0d8ecd7058d0082713c3562b4e271b849ad7dc4a5c90c13c"},
@@ -3108,6 +3129,7 @@ files = [
     {file = "PyYAML-6.0.1-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:a0cd17c15d3bb3fa06978b4e8958dcdc6e0174ccea823003a106c7d4d7899ac5"},
     {file = "PyYAML-6.0.1-cp38-cp38-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:28c119d996beec18c05208a8bd78cbe4007878c6dd15091efb73a30e90539696"},
     {file = "PyYAML-6.0.1-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:7e07cbde391ba96ab58e532ff4803f79c4129397514e1413a7dc761ccd755735"},
+    {file = "PyYAML-6.0.1-cp38-cp38-musllinux_1_1_x86_64.whl", hash = "sha256:49a183be227561de579b4a36efbb21b3eab9651dd81b1858589f796549873dd6"},
     {file = "PyYAML-6.0.1-cp38-cp38-win32.whl", hash = "sha256:184c5108a2aca3c5b3d3bf9395d50893a7ab82a38004c8f61c258d4428e80206"},
     {file = "PyYAML-6.0.1-cp38-cp38-win_amd64.whl", hash = "sha256:1e2722cc9fbb45d9b87631ac70924c11d3a401b2d7f410cc0e3bbf249f2dca62"},
     {file = "PyYAML-6.0.1-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:9eb6caa9a297fc2c2fb8862bc5370d0303ddba53ba97e71f08023b6cd73d16a8"},
@@ -3115,6 +3137,7 @@ files = [
     {file = "PyYAML-6.0.1-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:5773183b6446b2c99bb77e77595dd486303b4faab2b086e7b17bc6bef28865f6"},
     {file = "PyYAML-6.0.1-cp39-cp39-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:b786eecbdf8499b9ca1d697215862083bd6d2a99965554781d0d8d1ad31e13a0"},
     {file = "PyYAML-6.0.1-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:bc1bf2925a1ecd43da378f4db9e4f799775d6367bdb94671027b73b393a7c42c"},
+    {file = "PyYAML-6.0.1-cp39-cp39-musllinux_1_1_x86_64.whl", hash = "sha256:04ac92ad1925b2cff1db0cfebffb6ffc43457495c9b3c39d3fcae417d7125dc5"},
     {file = "PyYAML-6.0.1-cp39-cp39-win32.whl", hash = "sha256:faca3bdcf85b2fc05d06ff3fbc1f83e1391b3e724afa3feba7d13eeab355484c"},
     {file = "PyYAML-6.0.1-cp39-cp39-win_amd64.whl", hash = "sha256:510c9deebc5c0225e8c96813043e62b680ba2f9c50a08d3724c7f28a747d1486"},
     {file = "PyYAML-6.0.1.tar.gz", hash = "sha256:bfdf460b1736c775f2ba9f6a92bca30bc2095067b8a9d77876d1fad6cc3b4a43"},
@@ -3351,39 +3374,39 @@ pyasn1 = ">=0.1.3"
 
 [[package]]
 name = "ruff"
-version = "0.1.3"
-description = "An extremely fast Python linter, written in Rust."
+version = "0.1.4"
+description = "An extremely fast Python linter and code formatter, written in Rust."
 optional = false
 python-versions = ">=3.7"
 files = [
-    {file = "ruff-0.1.3-py3-none-macosx_10_7_x86_64.whl", hash = "sha256:b46d43d51f7061652eeadb426a9e3caa1e0002470229ab2fc19de8a7b0766901"},
-    {file = "ruff-0.1.3-py3-none-macosx_10_9_x86_64.macosx_11_0_arm64.macosx_10_9_universal2.whl", hash = "sha256:b8afeb9abd26b4029c72adc9921b8363374f4e7edb78385ffaa80278313a15f9"},
-    {file = "ruff-0.1.3-py3-none-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:ca3cf365bf32e9ba7e6db3f48a4d3e2c446cd19ebee04f05338bc3910114528b"},
-    {file = "ruff-0.1.3-py3-none-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:4874c165f96c14a00590dcc727a04dca0cfd110334c24b039458c06cf78a672e"},
-    {file = "ruff-0.1.3-py3-none-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:eec2dd31eed114e48ea42dbffc443e9b7221976554a504767ceaee3dd38edeb8"},
-    {file = "ruff-0.1.3-py3-none-manylinux_2_17_ppc64.manylinux2014_ppc64.whl", hash = "sha256:dc3ec4edb3b73f21b4aa51337e16674c752f1d76a4a543af56d7d04e97769613"},
-    {file = "ruff-0.1.3-py3-none-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:2e3de9ed2e39160800281848ff4670e1698037ca039bda7b9274f849258d26ce"},
-    {file = "ruff-0.1.3-py3-none-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:1c595193881922cc0556a90f3af99b1c5681f0c552e7a2a189956141d8666fe8"},
-    {file = "ruff-0.1.3-py3-none-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:0f75e670d529aa2288cd00fc0e9b9287603d95e1536d7a7e0cafe00f75e0dd9d"},
-    {file = "ruff-0.1.3-py3-none-musllinux_1_2_aarch64.whl", hash = "sha256:76dd49f6cd945d82d9d4a9a6622c54a994689d8d7b22fa1322983389b4892e20"},
-    {file = "ruff-0.1.3-py3-none-musllinux_1_2_armv7l.whl", hash = "sha256:918b454bc4f8874a616f0d725590277c42949431ceb303950e87fef7a7d94cb3"},
-    {file = "ruff-0.1.3-py3-none-musllinux_1_2_i686.whl", hash = "sha256:d8859605e729cd5e53aa38275568dbbdb4fe882d2ea2714c5453b678dca83784"},
-    {file = "ruff-0.1.3-py3-none-musllinux_1_2_x86_64.whl", hash = "sha256:0b6c55f5ef8d9dd05b230bb6ab80bc4381ecb60ae56db0330f660ea240cb0d4a"},
-    {file = "ruff-0.1.3-py3-none-win32.whl", hash = "sha256:3e7afcbdcfbe3399c34e0f6370c30f6e529193c731b885316c5a09c9e4317eef"},
-    {file = "ruff-0.1.3-py3-none-win_amd64.whl", hash = "sha256:7a18df6638cec4a5bd75350639b2bb2a2366e01222825562c7346674bdceb7ea"},
-    {file = "ruff-0.1.3-py3-none-win_arm64.whl", hash = "sha256:12fd53696c83a194a2db7f9a46337ce06445fb9aa7d25ea6f293cf75b21aca9f"},
-    {file = "ruff-0.1.3.tar.gz", hash = "sha256:3ba6145369a151401d5db79f0a47d50e470384d0d89d0d6f7fab0b589ad07c34"},
+    {file = "ruff-0.1.4-py3-none-macosx_10_7_x86_64.whl", hash = "sha256:864958706b669cce31d629902175138ad8a069d99ca53514611521f532d91495"},
+    {file = "ruff-0.1.4-py3-none-macosx_10_9_x86_64.macosx_11_0_arm64.macosx_10_9_universal2.whl", hash = "sha256:9fdd61883bb34317c788af87f4cd75dfee3a73f5ded714b77ba928e418d6e39e"},
+    {file = "ruff-0.1.4-py3-none-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:b4eaca8c9cc39aa7f0f0d7b8fe24ecb51232d1bb620fc4441a61161be4a17539"},
+    {file = "ruff-0.1.4-py3-none-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:a9a1301dc43cbf633fb603242bccd0aaa34834750a14a4c1817e2e5c8d60de17"},
+    {file = "ruff-0.1.4-py3-none-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:78e8db8ab6f100f02e28b3d713270c857d370b8d61871d5c7d1702ae411df683"},
+    {file = "ruff-0.1.4-py3-none-manylinux_2_17_ppc64.manylinux2014_ppc64.whl", hash = "sha256:80fea754eaae06335784b8ea053d6eb8e9aac75359ebddd6fee0858e87c8d510"},
+    {file = "ruff-0.1.4-py3-none-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:6bc02a480d4bfffd163a723698da15d1a9aec2fced4c06f2a753f87f4ce6969c"},
+    {file = "ruff-0.1.4-py3-none-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:9862811b403063765b03e716dac0fda8fdbe78b675cd947ed5873506448acea4"},
+    {file = "ruff-0.1.4-py3-none-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:58826efb8b3efbb59bb306f4b19640b7e366967a31c049d49311d9eb3a4c60cb"},
+    {file = "ruff-0.1.4-py3-none-musllinux_1_2_aarch64.whl", hash = "sha256:fdfd453fc91d9d86d6aaa33b1bafa69d114cf7421057868f0b79104079d3e66e"},
+    {file = "ruff-0.1.4-py3-none-musllinux_1_2_armv7l.whl", hash = "sha256:e8791482d508bd0b36c76481ad3117987301b86072158bdb69d796503e1c84a8"},
+    {file = "ruff-0.1.4-py3-none-musllinux_1_2_i686.whl", hash = "sha256:01206e361021426e3c1b7fba06ddcb20dbc5037d64f6841e5f2b21084dc51800"},
+    {file = "ruff-0.1.4-py3-none-musllinux_1_2_x86_64.whl", hash = "sha256:645591a613a42cb7e5c2b667cbefd3877b21e0252b59272ba7212c3d35a5819f"},
+    {file = "ruff-0.1.4-py3-none-win32.whl", hash = "sha256:99908ca2b3b85bffe7e1414275d004917d1e0dfc99d497ccd2ecd19ad115fd0d"},
+    {file = "ruff-0.1.4-py3-none-win_amd64.whl", hash = "sha256:1dfd6bf8f6ad0a4ac99333f437e0ec168989adc5d837ecd38ddb2cc4a2e3db8a"},
+    {file = "ruff-0.1.4-py3-none-win_arm64.whl", hash = "sha256:d98ae9ebf56444e18a3e3652b3383204748f73e247dea6caaf8b52d37e6b32da"},
+    {file = "ruff-0.1.4.tar.gz", hash = "sha256:21520ecca4cc555162068d87c747b8f95e1e95f8ecfcbbe59e8dd00710586315"},
 ]
 
 [[package]]
 name = "selenium"
-version = "4.14.0"
+version = "4.15.2"
 description = ""
 optional = false
 python-versions = ">=3.8"
 files = [
-    {file = "selenium-4.14.0-py3-none-any.whl", hash = "sha256:be9824a9354a7fe288e3fad9ceb6a9c65ddc7c44545d23ad0ebf4ce202b19893"},
-    {file = "selenium-4.14.0.tar.gz", hash = "sha256:0d14b0d9842366f38fb5f8f842cf7c042bcfa062affc6a0a86e4d634bdd0fe54"},
+    {file = "selenium-4.15.2-py3-none-any.whl", hash = "sha256:9e82cd1ac647fb73cf0d4a6e280284102aaa3c9d94f0fa6e6cc4b5db6a30afbf"},
+    {file = "selenium-4.15.2.tar.gz", hash = "sha256:22eab5a1724c73d51b240a69ca702997b717eee4ba1f6065bf5d6b44dba01d48"},
 ]
 
 [package.dependencies]
@@ -3394,13 +3417,13 @@ urllib3 = {version = ">=1.26,<3", extras = ["socks"]}
 
 [[package]]
 name = "sentry-sdk"
-version = "1.32.0"
+version = "1.34.0"
 description = "Python client for Sentry (https://sentry.io)"
 optional = false
 python-versions = "*"
 files = [
-    {file = "sentry-sdk-1.32.0.tar.gz", hash = "sha256:935e8fbd7787a3702457393b74b13d89a5afb67185bc0af85c00cb27cbd42e7c"},
-    {file = "sentry_sdk-1.32.0-py2.py3-none-any.whl", hash = "sha256:eeb0b3550536f3bbc05bb1c7e0feb3a78d74acb43b607159a606ed2ec0a33a4d"},
+    {file = "sentry-sdk-1.34.0.tar.gz", hash = "sha256:e5d0d2b25931d88fa10986da59d941ac6037f742ab6ff2fce4143a27981d60c3"},
+    {file = "sentry_sdk-1.34.0-py2.py3-none-any.whl", hash = "sha256:76dd087f38062ac6c1e30ed6feb533ee0037ff9e709974802db7b5dbf2e5db21"},
 ]
 
 [package.dependencies]
@@ -3669,13 +3692,13 @@ requests = ">=2.0.0"
 
 [[package]]
 name = "twisted"
-version = "23.8.0"
+version = "23.10.0"
 description = "An asynchronous networking framework written in Python"
 optional = false
-python-versions = ">=3.7.1"
+python-versions = ">=3.8.0"
 files = [
-    {file = "twisted-23.8.0-py3-none-any.whl", hash = "sha256:b8bdba145de120ffb36c20e6e071cce984e89fba798611ed0704216fb7f884cd"},
-    {file = "twisted-23.8.0.tar.gz", hash = "sha256:3c73360add17336a622c0d811c2a2ce29866b6e59b1125fd6509b17252098a24"},
+    {file = "twisted-23.10.0-py3-none-any.whl", hash = "sha256:4ae8bce12999a35f7fe6443e7f1893e6fe09588c8d2bed9c35cdce8ff2d5b444"},
+    {file = "twisted-23.10.0.tar.gz", hash = "sha256:987847a0790a2c597197613686e2784fd54167df3a55d0fb17c8412305d76ce5"},
 ]
 
 [package.dependencies]
@@ -3688,19 +3711,18 @@ incremental = ">=22.10.0"
 pyopenssl = {version = ">=21.0.0", optional = true, markers = "extra == \"tls\""}
 service-identity = {version = ">=18.1.0", optional = true, markers = "extra == \"tls\""}
 twisted-iocpsupport = {version = ">=1.0.2,<2", markers = "platform_system == \"Windows\""}
-typing-extensions = ">=3.10.0"
+typing-extensions = ">=4.2.0"
 zope-interface = ">=5"
 
 [package.extras]
-all-non-platform = ["twisted[conch,contextvars,http2,serial,test,tls]", "twisted[conch,contextvars,http2,serial,test,tls]"]
+all-non-platform = ["twisted[conch,http2,serial,test,tls]", "twisted[conch,http2,serial,test,tls]"]
 conch = ["appdirs (>=1.4.0)", "bcrypt (>=3.1.3)", "cryptography (>=3.3)"]
-contextvars = ["contextvars (>=2.4,<3)"]
 dev = ["coverage (>=6b1,<7)", "pyflakes (>=2.2,<3.0)", "python-subunit (>=1.4,<2.0)", "twisted[dev-release]", "twistedchecker (>=0.7,<1.0)"]
-dev-release = ["pydoctor (>=23.4.0,<23.5.0)", "pydoctor (>=23.4.0,<23.5.0)", "readthedocs-sphinx-ext (>=2.2,<3.0)", "readthedocs-sphinx-ext (>=2.2,<3.0)", "sphinx (>=5,<7)", "sphinx (>=5,<7)", "sphinx-rtd-theme (>=1.2,<2.0)", "sphinx-rtd-theme (>=1.2,<2.0)", "towncrier (>=22.12,<23.0)", "towncrier (>=22.12,<23.0)", "urllib3 (<2)", "urllib3 (<2)"]
+dev-release = ["pydoctor (>=23.9.0,<23.10.0)", "pydoctor (>=23.9.0,<23.10.0)", "sphinx (>=6,<7)", "sphinx (>=6,<7)", "sphinx-rtd-theme (>=1.3,<2.0)", "sphinx-rtd-theme (>=1.3,<2.0)", "towncrier (>=23.6,<24.0)", "towncrier (>=23.6,<24.0)"]
 gtk-platform = ["pygobject", "pygobject", "twisted[all-non-platform]", "twisted[all-non-platform]"]
 http2 = ["h2 (>=3.0,<5.0)", "priority (>=1.1.0,<2.0)"]
 macos-platform = ["pyobjc-core", "pyobjc-core", "pyobjc-framework-cfnetwork", "pyobjc-framework-cfnetwork", "pyobjc-framework-cocoa", "pyobjc-framework-cocoa", "twisted[all-non-platform]", "twisted[all-non-platform]"]
-mypy = ["mypy (==0.981)", "mypy-extensions (==0.4.3)", "mypy-zope (==0.3.11)", "twisted[all-non-platform,dev]", "types-pyopenssl", "types-setuptools"]
+mypy = ["mypy (>=1.5.1,<1.6.0)", "mypy-zope (>=1.0.1,<1.1.0)", "twisted[all-non-platform,dev]", "types-pyopenssl", "types-setuptools"]
 osx-platform = ["twisted[macos-platform]", "twisted[macos-platform]"]
 serial = ["pyserial (>=3.0)", "pywin32 (!=226)"]
 test = ["cython-test-exception-raiser (>=1.0.2,<2)", "hypothesis (>=6.56)", "pyhamcrest (>=2)"]
@@ -3833,13 +3855,13 @@ files = [
 
 [[package]]
 name = "uvicorn"
-version = "0.23.2"
+version = "0.24.0"
 description = "The lightning-fast ASGI server."
 optional = false
 python-versions = ">=3.8"
 files = [
-    {file = "uvicorn-0.23.2-py3-none-any.whl", hash = "sha256:1f9be6558f01239d4fdf22ef8126c39cb1ad0addf76c40e760549d2c2f43ab53"},
-    {file = "uvicorn-0.23.2.tar.gz", hash = "sha256:4d3cc12d7727ba72b64d12d3cc7743124074c0a69f7b201512fc50c3e3f1569a"},
+    {file = "uvicorn-0.24.0-py3-none-any.whl", hash = "sha256:3d19f13dfd2c2af1bfe34dd0f7155118ce689425fdf931177abe832ca44b8a04"},
+    {file = "uvicorn-0.24.0.tar.gz", hash = "sha256:368d5d81520a51be96431845169c225d771c9dd22a58613e1a181e6c4512ac33"},
 ]
 
 [package.dependencies]
@@ -3997,13 +4019,13 @@ files = [
 
 [[package]]
 name = "webauthn"
-version = "1.11.0"
+version = "1.11.1"
 description = "Pythonic WebAuthn"
 optional = false
 python-versions = "*"
 files = [
-    {file = "webauthn-1.11.0-py3-none-any.whl", hash = "sha256:9c8a81f7e310aee022a038ae2c76711bcf0a94521a471225e05c36871f83eeda"},
-    {file = "webauthn-1.11.0.tar.gz", hash = "sha256:1e808de1e3625a4b361e249e1bbb254d2a3a5c6b206e6f7260c4febe51f45276"},
+    {file = "webauthn-1.11.1-py3-none-any.whl", hash = "sha256:13592ee71489b571cb6e4a5d8b3c34f7b040cd3539a9d94b6b7d23fa88df5dfb"},
+    {file = "webauthn-1.11.1.tar.gz", hash = "sha256:24eda57903897369797f52a377f8c470e7057e79da5525779d0720a9fcc11926"},
 ]
 
 [package.dependencies]
@@ -4308,5 +4330,5 @@ files = [
 
 [metadata]
 lock-version = "2.0"
-python-versions = "~3.11"
-content-hash = "5a57dede617d149e0f307fc42580dcfd0d4b76161009dc447d6f10b048426c98"
+python-versions = "^3.11"
+content-hash = "2fc746976187f4674f04575cffd6a367744723bf78c356b6951c2370bc47ceae"

proxy.Dockerfile

@@ -1,5 +1,3 @@
-# syntax=docker/dockerfile:1
-
 # Stage 1: Build website
 FROM --platform=${BUILDPLATFORM} docker.io/node:21 as web-builder
 
@@ -17,7 +15,7 @@ COPY web .
 RUN npm run build-proxy
 
 # Stage 2: Build
-FROM --platform=${BUILDPLATFORM} docker.io/golang:1.21.4-bookworm AS builder
+FROM --platform=${BUILDPLATFORM} docker.io/golang:1.21.3-bookworm AS builder
 
 ARG TARGETOS
 ARG TARGETARCH
@@ -36,8 +34,8 @@ RUN --mount=type=bind,target=/go/src/goauthentik.io/go.mod,src=./go.mod \
 
 ENV CGO_ENABLED=0
 COPY . .
-RUN --mount=type=cache,sharing=locked,target=/go/pkg/mod \
-    --mount=type=cache,id=go-build-$TARGETARCH$TARGETVARIANT,sharing=locked,target=/root/.cache/go-build \
+RUN --mount=type=cache,target=/go/pkg/mod \
+    --mount=type=cache,target=/root/.cache/go-build \
     GOARM="${TARGETVARIANT#v}" go build -o /go/proxy ./cmd/proxy
 
 # Stage 3: Run

pyproject.toml

@@ -97,7 +97,7 @@ const-rgx = "[a-zA-Z0-9_]{1,40}$"
 
 ignored-modules = ["binascii", "socket", "zlib"]
 generated-members = ["xmlsec.constants.*", "xmlsec.tree.*", "xmlsec.template.*"]
-ignore = ["migrations", "tests"]
+ignore = "migrations"
 max-attributes = 12
 max-branches = 20
 
@@ -113,7 +113,7 @@ filterwarnings = [
 
 [tool.poetry]
 name = "authentik"
-version = "2023.10.6"
+version = "2023.10.2"
 description = ""
 authors = ["authentik Team <hello@goauthentik.io>"]
 
@@ -151,10 +151,10 @@ packaging = "*"
 paramiko = "*"
 psycopg = { extras = ["c"], version = "*" }
 pycryptodome = "*"
-pydantic = "*"
-pydantic-scim = "*"
+pydantic = "<3.0.0"
+pydantic-scim = "^0.0.8"
 pyjwt = "*"
-python = "~3.11"
+python = "^3.11"
 pyyaml = "*"
 requests-oauthlib = "*"
 sentry-sdk = "*"

radius.Dockerfile

@@ -1,7 +1,5 @@
-# syntax=docker/dockerfile:1
-
 # Stage 1: Build
-FROM --platform=${BUILDPLATFORM} docker.io/golang:1.21.4-bookworm AS builder
+FROM --platform=${BUILDPLATFORM} docker.io/golang:1.21.3-bookworm AS builder
 
 ARG TARGETOS
 ARG TARGETARCH
@@ -20,8 +18,8 @@ RUN --mount=type=bind,target=/go/src/goauthentik.io/go.mod,src=./go.mod \
 
 ENV CGO_ENABLED=0
 COPY . .
-RUN --mount=type=cache,sharing=locked,target=/go/pkg/mod \
-    --mount=type=cache,id=go-build-$TARGETARCH$TARGETVARIANT,sharing=locked,target=/root/.cache/go-build \
+RUN --mount=type=cache,target=/go/pkg/mod \
+    --mount=type=cache,target=/root/.cache/go-build \
     GOARM="${TARGETVARIANT#v}" go build -o /go/radius ./cmd/radius
 
 # Stage 2: Run

schema.yml

@@ -1,7 +1,7 @@
 openapi: 3.0.3
 info:
   title: authentik
-  version: 2023.10.6
+  version: 2023.10.2
   description: Making authentication simple.
   contact:
     email: hello@goauthentik.io

tests/e2e/test_provider_oauth2_github.py

@@ -36,8 +36,8 @@ class TestProviderOAuth2Github(SeleniumTestCase):
             "auto_remove": True,
             "healthcheck": Healthcheck(
                 test=["CMD", "wget", "--spider", "http://localhost:3000"],
-                interval=5 * 1_000 * 1_000_000,
-                start_period=1 * 1_000 * 1_000_000,
+                interval=5 * 100 * 1000000,
+                start_period=1 * 100 * 1000000,
             ),
             "environment": {
                 "GF_AUTH_GITHUB_ENABLED": "true",

tests/e2e/test_provider_oauth2_grafana.py

@@ -42,8 +42,8 @@ class TestProviderOAuth2OAuth(SeleniumTestCase):
             "auto_remove": True,
             "healthcheck": Healthcheck(
                 test=["CMD", "wget", "--spider", "http://localhost:3000"],
-                interval=5 * 1_000 * 1_000_000,
-                start_period=1 * 1_000 * 1_000_000,
+                interval=5 * 100 * 1000000,
+                start_period=1 * 100 * 1000000,
             ),
             "environment": {
                 "GF_AUTH_GENERIC_OAUTH_ENABLED": "true",

tests/e2e/test_source_oauth.py

@@ -113,8 +113,8 @@ class TestSourceOAuth2(SeleniumTestCase):
             "command": "dex serve /config.yml",
             "healthcheck": Healthcheck(
                 test=["CMD", "wget", "--spider", "http://localhost:5556/dex/healthz"],
-                interval=5 * 1_000 * 1_000_000,
-                start_period=1 * 1_000 * 1_000_000,
+                interval=5 * 100 * 1000000,
+                start_period=1 * 100 * 1000000,
             ),
             "volumes": {str(Path(CONFIG_PATH).absolute()): {"bind": "/config.yml", "mode": "ro"}},
         }

tests/e2e/test_source_saml.py

@@ -83,8 +83,8 @@ class TestSourceSAML(SeleniumTestCase):
             "auto_remove": True,
             "healthcheck": Healthcheck(
                 test=["CMD", "curl", "http://localhost:8080"],
-                interval=5 * 1_000 * 1_000_000,
-                start_period=1 * 1_000 * 1_000_000,
+                interval=5 * 100 * 1000000,
+                start_period=1 * 100 * 1000000,
             ),
             "environment": {
                 "SIMPLESAMLPHP_SP_ENTITY_ID": "entity-id",

tests/integration/test_outpost_docker.py

@@ -34,8 +34,8 @@ class OutpostDockerTests(DockerTestCase, ChannelsLiveServerTestCase):
             privileged=True,
             healthcheck=Healthcheck(
                 test=["CMD", "docker", "info"],
-                interval=5 * 1_000 * 1_000_000,
-                start_period=5 * 1_000 * 1_000_000,
+                interval=5 * 100 * 1000000,
+                start_period=5 * 100 * 1000000,
             ),
             environment={"DOCKER_TLS_CERTDIR": "/ssl"},
             volumes={

tests/integration/test_proxy_docker.py

@@ -34,8 +34,8 @@ class TestProxyDocker(DockerTestCase, ChannelsLiveServerTestCase):
             privileged=True,
             healthcheck=Healthcheck(
                 test=["CMD", "docker", "info"],
-                interval=5 * 1_000 * 1_000_000,
-                start_period=5 * 1_000 * 1_000_000,
+                interval=5 * 100 * 1000000,
+                start_period=5 * 100 * 1000000,
             ),
             environment={"DOCKER_TLS_CERTDIR": "/ssl"},
             volumes={

tests/wdio/package-lock.json

@@ -7,15 +7,15 @@
             "name": "@goauthentik/web-tests",
             "devDependencies": {
                 "@trivago/prettier-plugin-sort-imports": "^4.2.1",
-                "@typescript-eslint/eslint-plugin": "^6.9.0",
-                "@typescript-eslint/parser": "^6.9.0",
-                "@wdio/cli": "^8.20.5",
-                "@wdio/local-runner": "^8.20.5",
-                "@wdio/mocha-framework": "^8.20.3",
-                "@wdio/spec-reporter": "^8.20.0",
-                "eslint": "^8.52.0",
+                "@typescript-eslint/eslint-plugin": "^6.9.1",
+                "@typescript-eslint/parser": "^6.9.1",
+                "@wdio/cli": "^8.21.0",
+                "@wdio/local-runner": "^8.21.0",
+                "@wdio/mocha-framework": "^8.21.0",
+                "@wdio/spec-reporter": "^8.21.0",
+                "eslint": "^8.53.0",
                 "eslint-config-google": "^0.14.0",
-                "eslint-plugin-sonarjs": "^0.21.0",
+                "eslint-plugin-sonarjs": "^0.23.0",
                 "npm-run-all": "^4.1.5",
                 "prettier": "^3.0.3",
                 "ts-node": "^10.9.1",
@@ -329,9 +329,9 @@
             }
         },
         "node_modules/@eslint/eslintrc": {
-            "version": "2.1.2",
-            "resolved": "https://registry.npmjs.org/@eslint/eslintrc/-/eslintrc-2.1.2.tgz",
-            "integrity": "sha512-+wvgpDsrB1YqAMdEUCcnTlpfVBH7Vqn6A/NT3D8WVXFIaKMlErPIZT3oCIAVCOtarRpMtelZLqJeU3t7WY6X6g==",
+            "version": "2.1.3",
+            "resolved": "https://registry.npmjs.org/@eslint/eslintrc/-/eslintrc-2.1.3.tgz",
+            "integrity": "sha512-yZzuIG+jnVu6hNSzFEN07e8BxF3uAzYtQb6uDkaYZLo6oYZDCq454c5kB8zxnzfCYyP4MIuyBn10L0DqwujTmA==",
             "dev": true,
             "dependencies": {
                 "ajv": "^6.12.4",
@@ -352,9 +352,9 @@
             }
         },
         "node_modules/@eslint/eslintrc/node_modules/globals": {
-            "version": "13.22.0",
-            "resolved": "https://registry.npmjs.org/globals/-/globals-13.22.0.tgz",
-            "integrity": "sha512-H1Ddc/PbZHTDVJSnj8kWptIRSD6AM3pK+mKytuIVF4uoBV7rshFlhhvA58ceJ5wp3Er58w6zj7bykMpYXt3ETw==",
+            "version": "13.23.0",
+            "resolved": "https://registry.npmjs.org/globals/-/globals-13.23.0.tgz",
+            "integrity": "sha512-XAmF0RjlrjY23MA51q3HltdlGxUpXPvg0GioKiD9X6HD28iMjo2dKC8Vqwm7lne4GNr78+RHTfliktR6ZH09wA==",
             "dev": true,
             "dependencies": {
                 "type-fest": "^0.20.2"
@@ -379,9 +379,9 @@
             }
         },
         "node_modules/@eslint/js": {
-            "version": "8.52.0",
-            "resolved": "https://registry.npmjs.org/@eslint/js/-/js-8.52.0.tgz",
-            "integrity": "sha512-mjZVbpaeMZludF2fsWLD0Z9gCref1Tk4i9+wddjRvpUNqqcndPkBD09N/Mapey0b3jaXbLm2kICwFv2E64QinA==",
+            "version": "8.53.0",
+            "resolved": "https://registry.npmjs.org/@eslint/js/-/js-8.53.0.tgz",
+            "integrity": "sha512-Kn7K8dx/5U6+cT1yEhpX1w4PCSg0M+XyRILPgvwcEBjerFWCwQj5sbr3/VmxqV0JGHCBCzyd6LxypEuehypY1w==",
             "dev": true,
             "engines": {
                 "node": "^12.22.0 || ^14.17.0 || >=16.0.0"
@@ -940,16 +940,16 @@
             }
         },
         "node_modules/@typescript-eslint/eslint-plugin": {
-            "version": "6.9.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-6.9.0.tgz",
-            "integrity": "sha512-lgX7F0azQwRPB7t7WAyeHWVfW1YJ9NIgd9mvGhfQpRY56X6AVf8mwM8Wol+0z4liE7XX3QOt8MN1rUKCfSjRIA==",
+            "version": "6.9.1",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-6.9.1.tgz",
+            "integrity": "sha512-w0tiiRc9I4S5XSXXrMHOWgHgxbrBn1Ro+PmiYhSg2ZVdxrAJtQgzU5o2m1BfP6UOn7Vxcc6152vFjQfmZR4xEg==",
             "dev": true,
             "dependencies": {
                 "@eslint-community/regexpp": "^4.5.1",
-                "@typescript-eslint/scope-manager": "6.9.0",
-                "@typescript-eslint/type-utils": "6.9.0",
-                "@typescript-eslint/utils": "6.9.0",
-                "@typescript-eslint/visitor-keys": "6.9.0",
+                "@typescript-eslint/scope-manager": "6.9.1",
+                "@typescript-eslint/type-utils": "6.9.1",
+                "@typescript-eslint/utils": "6.9.1",
+                "@typescript-eslint/visitor-keys": "6.9.1",
                 "debug": "^4.3.4",
                 "graphemer": "^1.4.0",
                 "ignore": "^5.2.4",
@@ -975,15 +975,15 @@
             }
         },
         "node_modules/@typescript-eslint/parser": {
-            "version": "6.9.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-6.9.0.tgz",
-            "integrity": "sha512-GZmjMh4AJ/5gaH4XF2eXA8tMnHWP+Pm1mjQR2QN4Iz+j/zO04b9TOvJYOX2sCNIQHtRStKTxRY1FX7LhpJT4Gw==",
+            "version": "6.9.1",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-6.9.1.tgz",
+            "integrity": "sha512-C7AK2wn43GSaCUZ9do6Ksgi2g3mwFkMO3Cis96kzmgudoVaKyt62yNzJOktP0HDLb/iO2O0n2lBOzJgr6Q/cyg==",
             "dev": true,
             "dependencies": {
-                "@typescript-eslint/scope-manager": "6.9.0",
-                "@typescript-eslint/types": "6.9.0",
-                "@typescript-eslint/typescript-estree": "6.9.0",
-                "@typescript-eslint/visitor-keys": "6.9.0",
+                "@typescript-eslint/scope-manager": "6.9.1",
+                "@typescript-eslint/types": "6.9.1",
+                "@typescript-eslint/typescript-estree": "6.9.1",
+                "@typescript-eslint/visitor-keys": "6.9.1",
                 "debug": "^4.3.4"
             },
             "engines": {
@@ -1003,13 +1003,13 @@
             }
         },
         "node_modules/@typescript-eslint/scope-manager": {
-            "version": "6.9.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-6.9.0.tgz",
-            "integrity": "sha512-1R8A9Mc39n4pCCz9o79qRO31HGNDvC7UhPhv26TovDsWPBDx+Sg3rOZdCELIA3ZmNoWAuxaMOT7aWtGRSYkQxw==",
+            "version": "6.9.1",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-6.9.1.tgz",
+            "integrity": "sha512-38IxvKB6NAne3g/+MyXMs2Cda/Sz+CEpmm+KLGEM8hx/CvnSRuw51i8ukfwB/B/sESdeTGet1NH1Wj7I0YXswg==",
             "dev": true,
             "dependencies": {
-                "@typescript-eslint/types": "6.9.0",
-                "@typescript-eslint/visitor-keys": "6.9.0"
+                "@typescript-eslint/types": "6.9.1",
+                "@typescript-eslint/visitor-keys": "6.9.1"
             },
             "engines": {
                 "node": "^16.0.0 || >=18.0.0"
@@ -1020,13 +1020,13 @@
             }
         },
         "node_modules/@typescript-eslint/type-utils": {
-            "version": "6.9.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/type-utils/-/type-utils-6.9.0.tgz",
-            "integrity": "sha512-XXeahmfbpuhVbhSOROIzJ+b13krFmgtc4GlEuu1WBT+RpyGPIA4Y/eGnXzjbDj5gZLzpAXO/sj+IF/x2GtTMjQ==",
+            "version": "6.9.1",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/type-utils/-/type-utils-6.9.1.tgz",
+            "integrity": "sha512-eh2oHaUKCK58qIeYp19F5V5TbpM52680sB4zNSz29VBQPTWIlE/hCj5P5B1AChxECe/fmZlspAWFuRniep1Skg==",
             "dev": true,
             "dependencies": {
-                "@typescript-eslint/typescript-estree": "6.9.0",
-                "@typescript-eslint/utils": "6.9.0",
+                "@typescript-eslint/typescript-estree": "6.9.1",
+                "@typescript-eslint/utils": "6.9.1",
                 "debug": "^4.3.4",
                 "ts-api-utils": "^1.0.1"
             },
@@ -1047,9 +1047,9 @@
             }
         },
         "node_modules/@typescript-eslint/types": {
-            "version": "6.9.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-6.9.0.tgz",
-            "integrity": "sha512-+KB0lbkpxBkBSiVCuQvduqMJy+I1FyDbdwSpM3IoBS7APl4Bu15lStPjgBIdykdRqQNYqYNMa8Kuidax6phaEw==",
+            "version": "6.9.1",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-6.9.1.tgz",
+            "integrity": "sha512-BUGslGOb14zUHOUmDB2FfT6SI1CcZEJYfF3qFwBeUrU6srJfzANonwRYHDpLBuzbq3HaoF2XL2hcr01c8f8OaQ==",
             "dev": true,
             "engines": {
                 "node": "^16.0.0 || >=18.0.0"
@@ -1060,13 +1060,13 @@
             }
         },
         "node_modules/@typescript-eslint/typescript-estree": {
-            "version": "6.9.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-6.9.0.tgz",
-            "integrity": "sha512-NJM2BnJFZBEAbCfBP00zONKXvMqihZCrmwCaik0UhLr0vAgb6oguXxLX1k00oQyD+vZZ+CJn3kocvv2yxm4awQ==",
+            "version": "6.9.1",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-6.9.1.tgz",
+            "integrity": "sha512-U+mUylTHfcqeO7mLWVQ5W/tMLXqVpRv61wm9ZtfE5egz7gtnmqVIw9ryh0mgIlkKk9rZLY3UHygsBSdB9/ftyw==",
             "dev": true,
             "dependencies": {
-                "@typescript-eslint/types": "6.9.0",
-                "@typescript-eslint/visitor-keys": "6.9.0",
+                "@typescript-eslint/types": "6.9.1",
+                "@typescript-eslint/visitor-keys": "6.9.1",
                 "debug": "^4.3.4",
                 "globby": "^11.1.0",
                 "is-glob": "^4.0.3",
@@ -1087,17 +1087,17 @@
             }
         },
         "node_modules/@typescript-eslint/utils": {
-            "version": "6.9.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-6.9.0.tgz",
-            "integrity": "sha512-5Wf+Jsqya7WcCO8me504FBigeQKVLAMPmUzYgDbWchINNh1KJbxCgVya3EQ2MjvJMVeXl3pofRmprqX6mfQkjQ==",
+            "version": "6.9.1",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-6.9.1.tgz",
+            "integrity": "sha512-L1T0A5nFdQrMVunpZgzqPL6y2wVreSyHhKGZryS6jrEN7bD9NplVAyMryUhXsQ4TWLnZmxc2ekar/lSGIlprCA==",
             "dev": true,
             "dependencies": {
                 "@eslint-community/eslint-utils": "^4.4.0",
                 "@types/json-schema": "^7.0.12",
                 "@types/semver": "^7.5.0",
-                "@typescript-eslint/scope-manager": "6.9.0",
-                "@typescript-eslint/types": "6.9.0",
-                "@typescript-eslint/typescript-estree": "6.9.0",
+                "@typescript-eslint/scope-manager": "6.9.1",
+                "@typescript-eslint/types": "6.9.1",
+                "@typescript-eslint/typescript-estree": "6.9.1",
                 "semver": "^7.5.4"
             },
             "engines": {
@@ -1112,12 +1112,12 @@
             }
         },
         "node_modules/@typescript-eslint/visitor-keys": {
-            "version": "6.9.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-6.9.0.tgz",
-            "integrity": "sha512-dGtAfqjV6RFOtIP8I0B4ZTBRrlTT8NHHlZZSchQx3qReaoDeXhYM++M4So2AgFK9ZB0emRPA6JI1HkafzA2Ibg==",
+            "version": "6.9.1",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-6.9.1.tgz",
+            "integrity": "sha512-MUaPUe/QRLEffARsmNfmpghuQkW436DvESW+h+M52w0coICHRfD6Np9/K6PdACwnrq1HmuLl+cSPZaJmeVPkSw==",
             "dev": true,
             "dependencies": {
-                "@typescript-eslint/types": "6.9.0",
+                "@typescript-eslint/types": "6.9.1",
                 "eslint-visitor-keys": "^3.4.1"
             },
             "engines": {
@@ -1135,18 +1135,18 @@
             "dev": true
         },
         "node_modules/@wdio/cli": {
-            "version": "8.20.5",
-            "resolved": "https://registry.npmjs.org/@wdio/cli/-/cli-8.20.5.tgz",
-            "integrity": "sha512-Z5wAf8gJMBZGK15pRVFbX8TOIEk7cOXKb9Gjs9pP3DOgx3+xpGlLmgrbLg/wB+rMXA4eu7bt5ZUItPWAWmq6IQ==",
+            "version": "8.21.0",
+            "resolved": "https://registry.npmjs.org/@wdio/cli/-/cli-8.21.0.tgz",
+            "integrity": "sha512-d5TGKmAPvJUhVIUkhLsjBKPKH4fS3pftzxroTQX9+w8m5obJTx82erjii7SzLbgQQjuSiL/aaxvp4V+eQNaP+A==",
             "dev": true,
             "dependencies": {
                 "@types/node": "^20.1.1",
-                "@wdio/config": "8.20.3",
-                "@wdio/globals": "8.20.5",
+                "@wdio/config": "8.21.0",
+                "@wdio/globals": "8.21.0",
                 "@wdio/logger": "8.16.17",
                 "@wdio/protocols": "8.20.4",
-                "@wdio/types": "8.20.0",
-                "@wdio/utils": "8.20.3",
+                "@wdio/types": "8.21.0",
+                "@wdio/utils": "8.21.0",
                 "async-exit-hook": "^2.0.1",
                 "chalk": "^5.2.0",
                 "chokidar": "^3.5.3",
@@ -1162,7 +1162,7 @@
                 "lodash.union": "^4.6.0",
                 "read-pkg-up": "10.1.0",
                 "recursive-readdir": "^2.2.3",
-                "webdriverio": "8.20.4",
+                "webdriverio": "8.21.0",
                 "yargs": "^17.7.2"
             },
             "bin": {
@@ -1185,14 +1185,14 @@
             }
         },
         "node_modules/@wdio/config": {
-            "version": "8.20.3",
-            "resolved": "https://registry.npmjs.org/@wdio/config/-/config-8.20.3.tgz",
-            "integrity": "sha512-UaPjDjdXztrWgpoodSjZc1/9oXX1WpjhZSW55ZA2PKzCO7QuS/Fory5lMMpJD4v6/9fNUiRp7A4/rd+w7am1vA==",
+            "version": "8.21.0",
+            "resolved": "https://registry.npmjs.org/@wdio/config/-/config-8.21.0.tgz",
+            "integrity": "sha512-ilq880hg+q/MpDqn03bwZruFG0+C5t21XjGbDxdGmpf2aJMFVZdWk6tjlbnwjJ7nDTufIYidp/LWyG7Ro/W7FA==",
             "dev": true,
             "dependencies": {
                 "@wdio/logger": "8.16.17",
-                "@wdio/types": "8.20.0",
-                "@wdio/utils": "8.20.3",
+                "@wdio/types": "8.21.0",
+                "@wdio/utils": "8.21.0",
                 "decamelize": "^6.0.0",
                 "deepmerge-ts": "^5.0.0",
                 "glob": "^10.2.2",
@@ -1204,29 +1204,29 @@
             }
         },
         "node_modules/@wdio/globals": {
-            "version": "8.20.5",
-            "resolved": "https://registry.npmjs.org/@wdio/globals/-/globals-8.20.5.tgz",
-            "integrity": "sha512-79BFF/b+qQ1Td3KfoN/xEf9Bzbb3rKovjyl5BD205pIyWJCeZJDsK693vV8g6z6Q+/pvp/GPfepqSmvrKQokEw==",
+            "version": "8.21.0",
+            "resolved": "https://registry.npmjs.org/@wdio/globals/-/globals-8.21.0.tgz",
+            "integrity": "sha512-0kj1CbcPf+rnoynYsv1j+tUdobVSr/n3AV3a34qteBNoBbYqGHkr3Jo1/6ZnwSZJOgt9eoo8gRtogPS8KwYjBg==",
             "dev": true,
             "engines": {
                 "node": "^16.13 || >=18"
             },
             "optionalDependencies": {
                 "expect-webdriverio": "^4.2.5",
-                "webdriverio": "8.20.4"
+                "webdriverio": "8.21.0"
             }
         },
         "node_modules/@wdio/local-runner": {
-            "version": "8.20.5",
-            "resolved": "https://registry.npmjs.org/@wdio/local-runner/-/local-runner-8.20.5.tgz",
-            "integrity": "sha512-lm5eyirDiSuxLkwe1fkMXjPd54Ortp5i8wfJPlAImyG9fxU5CY8D9V1bkjpDqOkd4RLmUk1z4mp9gJWghrAd0Q==",
+            "version": "8.21.0",
+            "resolved": "https://registry.npmjs.org/@wdio/local-runner/-/local-runner-8.21.0.tgz",
+            "integrity": "sha512-bwNj64l7qwXHYYne/YFGCWAq95k0IzndNpzvIAq3UMKY1NDn0zGGZ/ticYYV2Vd85q6Dif6KT77Zl8Kbkv6qbA==",
             "dev": true,
             "dependencies": {
                 "@types/node": "^20.1.0",
                 "@wdio/logger": "8.16.17",
                 "@wdio/repl": "8.10.1",
-                "@wdio/runner": "8.20.5",
-                "@wdio/types": "8.20.0",
+                "@wdio/runner": "8.21.0",
+                "@wdio/types": "8.21.0",
                 "async-exit-hook": "^2.0.1",
                 "split2": "^4.1.0",
                 "stream-buffers": "^3.0.2"
@@ -1263,16 +1263,16 @@
             }
         },
         "node_modules/@wdio/mocha-framework": {
-            "version": "8.20.3",
-            "resolved": "https://registry.npmjs.org/@wdio/mocha-framework/-/mocha-framework-8.20.3.tgz",
-            "integrity": "sha512-AF27tW2ToQ4+fzuBwI71ABjPhmPoESj+UtJYx4ahZjHQUyCCEhkiYIeh8T6UEFFpbIQeQV1Fz12UEK/18EGbzw==",
+            "version": "8.21.0",
+            "resolved": "https://registry.npmjs.org/@wdio/mocha-framework/-/mocha-framework-8.21.0.tgz",
+            "integrity": "sha512-oYRmL4bGMR8cVBMkOgS5qeBAiSWJOZ/nN53vFBQ9JQo+F1Ez+ZIgZ847wfk+XZ7UP1kTKNUHVPup5bTqR+UmkA==",
             "dev": true,
             "dependencies": {
                 "@types/mocha": "^10.0.0",
                 "@types/node": "^20.1.0",
                 "@wdio/logger": "8.16.17",
-                "@wdio/types": "8.20.0",
-                "@wdio/utils": "8.20.3",
+                "@wdio/types": "8.21.0",
+                "@wdio/utils": "8.21.0",
                 "mocha": "^10.0.0"
             },
             "engines": {
@@ -1298,14 +1298,14 @@
             }
         },
         "node_modules/@wdio/reporter": {
-            "version": "8.20.0",
-            "resolved": "https://registry.npmjs.org/@wdio/reporter/-/reporter-8.20.0.tgz",
-            "integrity": "sha512-9a0cIuwDYwMgBwx/JTRITjlxef63xEt+q+nQBsEwzaPtcTMLzRIGAYO7BKxf9ejYL3tdoPJYJm3GtBKeh+2QIQ==",
+            "version": "8.21.0",
+            "resolved": "https://registry.npmjs.org/@wdio/reporter/-/reporter-8.21.0.tgz",
+            "integrity": "sha512-noZX04lP7WvoaEAwhOTy0C/ddyVTEHQe/AGMTzgKgoQclEM3I2nZ1PjEwe/ACfIm0880EGIDW7ssN2pf/4ZNDQ==",
             "dev": true,
             "dependencies": {
                 "@types/node": "^20.1.0",
                 "@wdio/logger": "8.16.17",
-                "@wdio/types": "8.20.0",
+                "@wdio/types": "8.21.0",
                 "diff": "^5.0.0",
                 "object-inspect": "^1.12.0"
             },
@@ -1314,35 +1314,35 @@
             }
         },
         "node_modules/@wdio/runner": {
-            "version": "8.20.5",
-            "resolved": "https://registry.npmjs.org/@wdio/runner/-/runner-8.20.5.tgz",
-            "integrity": "sha512-JmH9995lI4FB95vQ2/l4oAJ3zoo49PIhZutNcwu98o2DDFWPxSGsOPRKI/B5u5OvJ0OkK0AzcN6XdJAfAPZSfA==",
+            "version": "8.21.0",
+            "resolved": "https://registry.npmjs.org/@wdio/runner/-/runner-8.21.0.tgz",
+            "integrity": "sha512-0hGx1GMzUQUWRQOwSdXQjWatmKjb04EqlDozxIJsTr06A0XhTXenmfgwz9g4wKt2MWV+/WmFh4QZs0KwcjgYgA==",
             "dev": true,
             "dependencies": {
                 "@types/node": "^20.1.0",
-                "@wdio/config": "8.20.3",
-                "@wdio/globals": "8.20.5",
+                "@wdio/config": "8.21.0",
+                "@wdio/globals": "8.21.0",
                 "@wdio/logger": "8.16.17",
-                "@wdio/types": "8.20.0",
-                "@wdio/utils": "8.20.3",
+                "@wdio/types": "8.21.0",
+                "@wdio/utils": "8.21.0",
                 "deepmerge-ts": "^5.0.0",
                 "expect-webdriverio": "^4.2.5",
                 "gaze": "^1.1.2",
-                "webdriver": "8.20.4",
-                "webdriverio": "8.20.4"
+                "webdriver": "8.21.0",
+                "webdriverio": "8.21.0"
             },
             "engines": {
                 "node": "^16.13 || >=18"
             }
         },
         "node_modules/@wdio/spec-reporter": {
-            "version": "8.20.0",
-            "resolved": "https://registry.npmjs.org/@wdio/spec-reporter/-/spec-reporter-8.20.0.tgz",
-            "integrity": "sha512-HpVE/99Kg/no94ETpI4JWoJzqpcsAnJQpbg5HdSyZqXuGj9WnRF/PGXK7VDU+DZwGQgOF9A6s6H0hd+FTHDrHg==",
+            "version": "8.21.0",
+            "resolved": "https://registry.npmjs.org/@wdio/spec-reporter/-/spec-reporter-8.21.0.tgz",
+            "integrity": "sha512-Lb6MTjISlaZJx5/2kjJC/E9FM55BZUy3HPbhYbbWUSWqi9Yk8I7n6e90c8uHwDOK5zMyRof9501lUtLyIHY9Og==",
             "dev": true,
             "dependencies": {
-                "@wdio/reporter": "8.20.0",
-                "@wdio/types": "8.20.0",
+                "@wdio/reporter": "8.21.0",
+                "@wdio/types": "8.21.0",
                 "chalk": "^5.1.2",
                 "easy-table": "^1.2.0",
                 "pretty-ms": "^7.0.0"
@@ -1364,9 +1364,9 @@
             }
         },
         "node_modules/@wdio/types": {
-            "version": "8.20.0",
-            "resolved": "https://registry.npmjs.org/@wdio/types/-/types-8.20.0.tgz",
-            "integrity": "sha512-y0En5V5PPF48IHJMetaNYQobhCr3ddsgp2aX/crLL51UccWqnFpCL8pCh6cP01gRgCchCasa2JCBMB+PucbYmA==",
+            "version": "8.21.0",
+            "resolved": "https://registry.npmjs.org/@wdio/types/-/types-8.21.0.tgz",
+            "integrity": "sha512-mZFOipmu541z0BXBW7mBAUjM4zZWhNnP/w321OSYx082Jy4d0UHMFXYWaOC98DIMBPahJu/yLX2WH5iCrazKSA==",
             "dev": true,
             "dependencies": {
                 "@types/node": "^20.1.0"
@@ -1376,14 +1376,14 @@
             }
         },
         "node_modules/@wdio/utils": {
-            "version": "8.20.3",
-            "resolved": "https://registry.npmjs.org/@wdio/utils/-/utils-8.20.3.tgz",
-            "integrity": "sha512-McGS9TFNfjS3cGJkF8hXyajGE5LKFJnPg/fbdXTIBzYohiAzQ1rUMyllPdxxHslnpQPkflBHI6XSYBxU7yB9Lw==",
+            "version": "8.21.0",
+            "resolved": "https://registry.npmjs.org/@wdio/utils/-/utils-8.21.0.tgz",
+            "integrity": "sha512-bEmOL9wRsDXnHxh/FYH/rHv/3pJdNIZ8SL0vbBFl3m3ZvKWBJ0xZgpW6XUYXK5S0xi20Y2T7zf2URifp+AOlPg==",
             "dev": true,
             "dependencies": {
                 "@puppeteer/browsers": "^1.6.0",
                 "@wdio/logger": "8.16.17",
-                "@wdio/types": "8.20.0",
+                "@wdio/types": "8.21.0",
                 "decamelize": "^6.0.0",
                 "deepmerge-ts": "^5.1.0",
                 "edgedriver": "^5.3.5",
@@ -2572,9 +2572,9 @@
             }
         },
         "node_modules/devtools-protocol": {
-            "version": "0.0.1209236",
-            "resolved": "https://registry.npmjs.org/devtools-protocol/-/devtools-protocol-0.0.1209236.tgz",
-            "integrity": "sha512-z4eehc+fhmptqhxwreLcg9iydszZGU4Q5FzaaElXVGp3KyfXbjtXeUCmo4l8FxBJbyXtCz4VRIJsGW2ekApyUQ==",
+            "version": "0.0.1213968",
+            "resolved": "https://registry.npmjs.org/devtools-protocol/-/devtools-protocol-0.0.1213968.tgz",
+            "integrity": "sha512-o4n/beY+3CcZwFctYapjGelKptR4AuQT5gXS1Kvgbig+ArwkxK7f8wDVuD1wsoswiJWCwV6OK+Qb7vhNzNmABQ==",
             "dev": true
         },
         "node_modules/diff": {
@@ -2922,15 +2922,15 @@
             }
         },
         "node_modules/eslint": {
-            "version": "8.52.0",
-            "resolved": "https://registry.npmjs.org/eslint/-/eslint-8.52.0.tgz",
-            "integrity": "sha512-zh/JHnaixqHZsolRB/w9/02akBk9EPrOs9JwcTP2ek7yL5bVvXuRariiaAjjoJ5DvuwQ1WAE/HsMz+w17YgBCg==",
+            "version": "8.53.0",
+            "resolved": "https://registry.npmjs.org/eslint/-/eslint-8.53.0.tgz",
+            "integrity": "sha512-N4VuiPjXDUa4xVeV/GC/RV3hQW9Nw+Y463lkWaKKXKYMvmRiRDAtfpuPFLN+E1/6ZhyR8J2ig+eVREnYgUsiag==",
             "dev": true,
             "dependencies": {
                 "@eslint-community/eslint-utils": "^4.2.0",
                 "@eslint-community/regexpp": "^4.6.1",
-                "@eslint/eslintrc": "^2.1.2",
-                "@eslint/js": "8.52.0",
+                "@eslint/eslintrc": "^2.1.3",
+                "@eslint/js": "8.53.0",
                 "@humanwhocodes/config-array": "^0.11.13",
                 "@humanwhocodes/module-importer": "^1.0.1",
                 "@nodelib/fs.walk": "^1.2.8",
@@ -2989,9 +2989,9 @@
             }
         },
         "node_modules/eslint-plugin-sonarjs": {
-            "version": "0.21.0",
-            "resolved": "https://registry.npmjs.org/eslint-plugin-sonarjs/-/eslint-plugin-sonarjs-0.21.0.tgz",
-            "integrity": "sha512-oezUDfFT5S6j3rQheZ4DLPrbetPmMS7zHIKWGHr0CM3g5JgyZroz1FpIKa4jV83NsGpmgIeagpokWDKIJzRQmw==",
+            "version": "0.23.0",
+            "resolved": "https://registry.npmjs.org/eslint-plugin-sonarjs/-/eslint-plugin-sonarjs-0.23.0.tgz",
+            "integrity": "sha512-z44T3PBf9W7qQ/aR+NmofOTyg6HLhSEZOPD4zhStqBpLoMp8GYhFksuUBnCxbnf1nfISpKBVkQhiBLFI/F4Wlg==",
             "dev": true,
             "engines": {
                 "node": ">=14"
@@ -6706,9 +6706,9 @@
             }
         },
         "node_modules/punycode": {
-            "version": "2.3.0",
-            "resolved": "https://registry.npmjs.org/punycode/-/punycode-2.3.0.tgz",
-            "integrity": "sha512-rRV+zQD8tVFys26lAGR9WUuS4iUAngJScM+ZRSKtvl5tKeZ2t5bvdNFdNHBW9FWR4guGHlgmsZ1G7BSm2wTbuA==",
+            "version": "2.3.1",
+            "resolved": "https://registry.npmjs.org/punycode/-/punycode-2.3.1.tgz",
+            "integrity": "sha512-vYt7UD1U9Wg6138shLtLOvdAu+8DsC/ilFtEVHcH+wydcSpNE20AfSOduf6MkRFahL5FY7X1oU7nKVZFtfq8Fg==",
             "dev": true,
             "engines": {
                 "node": ">=6"
@@ -8590,18 +8590,18 @@
             }
         },
         "node_modules/webdriver": {
-            "version": "8.20.4",
-            "resolved": "https://registry.npmjs.org/webdriver/-/webdriver-8.20.4.tgz",
-            "integrity": "sha512-X/6l+zGXn1trqA1LRwYETIJgkJQTVZ/xE1SrTlSxk2BE7Tq40voxfbDKUyauaCyRyABhA0ZgK5/1UOqeCKW15w==",
+            "version": "8.21.0",
+            "resolved": "https://registry.npmjs.org/webdriver/-/webdriver-8.21.0.tgz",
+            "integrity": "sha512-jQ3Me9lEAD+rQWg2g+YfTi2rADCfg7sl02jji9eVRJKJ7Vji7ceGJ6xXfj5+gEZZW8EJt7tpXILJi3etMAYwvA==",
             "dev": true,
             "dependencies": {
                 "@types/node": "^20.1.0",
                 "@types/ws": "^8.5.3",
-                "@wdio/config": "8.20.3",
+                "@wdio/config": "8.21.0",
                 "@wdio/logger": "8.16.17",
                 "@wdio/protocols": "8.20.4",
-                "@wdio/types": "8.20.0",
-                "@wdio/utils": "8.20.3",
+                "@wdio/types": "8.21.0",
+                "@wdio/utils": "8.21.0",
                 "deepmerge-ts": "^5.1.0",
                 "got": "^ 12.6.1",
                 "ky": "^0.33.0",
@@ -8649,23 +8649,23 @@
             }
         },
         "node_modules/webdriverio": {
-            "version": "8.20.4",
-            "resolved": "https://registry.npmjs.org/webdriverio/-/webdriverio-8.20.4.tgz",
-            "integrity": "sha512-+iyYK0NTviXv3Lyws07CaX9pLET9l0bh8aPICfCyf7f0NZLUDvUoEKvjviMCfLq4lbDu7CFIEyDZUJeuqlRwlw==",
+            "version": "8.21.0",
+            "resolved": "https://registry.npmjs.org/webdriverio/-/webdriverio-8.21.0.tgz",
+            "integrity": "sha512-vLpQMOQ9eGyrihkVpuFfd4X83MB8RhfAhhSKnEVAzWn/2CRNlwQSQ4vdNXKhv/kmmBdJOckJThbpV905AQSXFA==",
             "dev": true,
             "dependencies": {
                 "@types/node": "^20.1.0",
-                "@wdio/config": "8.20.3",
+                "@wdio/config": "8.21.0",
                 "@wdio/logger": "8.16.17",
                 "@wdio/protocols": "8.20.4",
                 "@wdio/repl": "8.10.1",
-                "@wdio/types": "8.20.0",
-                "@wdio/utils": "8.20.3",
+                "@wdio/types": "8.21.0",
+                "@wdio/utils": "8.21.0",
                 "archiver": "^6.0.0",
                 "aria-query": "^5.0.0",
                 "css-shorthand-properties": "^1.1.1",
                 "css-value": "^0.0.1",
-                "devtools-protocol": "^0.0.1209236",
+                "devtools-protocol": "^0.0.1213968",
                 "grapheme-splitter": "^1.0.2",
                 "import-meta-resolve": "^3.0.0",
                 "is-plain-obj": "^4.1.0",
@@ -8677,7 +8677,7 @@
                 "resq": "^1.9.1",
                 "rgb2hex": "0.2.5",
                 "serialize-error": "^11.0.1",
-                "webdriver": "8.20.4"
+                "webdriver": "8.21.0"
             },
             "engines": {
                 "node": "^16.13 || >=18"

tests/wdio/package.json

@@ -4,15 +4,15 @@
     "type": "module",
     "devDependencies": {
         "@trivago/prettier-plugin-sort-imports": "^4.2.1",
-        "@typescript-eslint/eslint-plugin": "^6.9.0",
-        "@typescript-eslint/parser": "^6.9.0",
-        "@wdio/cli": "^8.20.5",
-        "@wdio/local-runner": "^8.20.5",
-        "@wdio/mocha-framework": "^8.20.3",
-        "@wdio/spec-reporter": "^8.20.0",
-        "eslint": "^8.52.0",
+        "@typescript-eslint/eslint-plugin": "^6.9.1",
+        "@typescript-eslint/parser": "^6.9.1",
+        "@wdio/cli": "^8.21.0",
+        "@wdio/local-runner": "^8.21.0",
+        "@wdio/mocha-framework": "^8.21.0",
+        "@wdio/spec-reporter": "^8.21.0",
+        "eslint": "^8.53.0",
         "eslint-config-google": "^0.14.0",
-        "eslint-plugin-sonarjs": "^0.21.0",
+        "eslint-plugin-sonarjs": "^0.23.0",
         "npm-run-all": "^4.1.5",
         "prettier": "^3.0.3",
         "ts-node": "^10.9.1",
@@ -27,8 +27,5 @@
         "precommit": "run-s lint:precommit lint:spelling prettier",
         "prettier-check": "prettier --check .",
         "prettier": "prettier --write ."
-    },
-    "engines": {
-        "node": ">=20"
     }
 }

web/package.json

@@ -38,22 +38,22 @@
         "@codemirror/theme-one-dark": "^6.1.2",
         "@formatjs/intl-listformat": "^7.5.0",
         "@fortawesome/fontawesome-free": "^6.4.2",
-        "@goauthentik/api": "^2023.10.1-1698348102",
+        "@goauthentik/api": "^2023.10.2-1698526374",
         "@lit-labs/context": "^0.4.1",
         "@lit-labs/task": "^3.1.0",
-        "@lit/localize": "^0.11.4",
+        "@lit/localize": "^0.12.1",
         "@open-wc/lit-helpers": "^0.6.0",
         "@patternfly/elements": "^2.4.0",
         "@patternfly/patternfly": "^4.224.2",
-        "@sentry/browser": "^7.75.1",
-        "@sentry/tracing": "^7.75.1",
+        "@sentry/browser": "^7.77.0",
+        "@sentry/tracing": "^7.77.0",
         "@webcomponents/webcomponentsjs": "^2.8.0",
         "base64-js": "^1.5.1",
         "chart.js": "^4.4.0",
         "chartjs-adapter-moment": "^1.0.1",
         "codemirror": "^6.0.1",
         "construct-style-sheets-polyfill": "^3.1.0",
-        "core-js": "^3.33.1",
+        "core-js": "^3.33.2",
         "country-flag-icons": "^1.5.7",
         "fuse.js": "^7.0.0",
         "lit": "^2.8.0",
@@ -61,7 +61,7 @@
         "rapidoc": "^9.3.4",
         "style-mod": "^4.1.0",
         "webcomponent-qr-code": "^1.2.0",
-        "yaml": "^2.3.3"
+        "yaml": "^2.3.4"
     },
     "devDependencies": {
         "@babel/core": "^7.23.2",
@@ -79,43 +79,43 @@
         "@rollup/plugin-babel": "^6.0.4",
         "@rollup/plugin-commonjs": "^25.0.7",
         "@rollup/plugin-node-resolve": "^15.2.3",
-        "@rollup/plugin-replace": "^5.0.4",
+        "@rollup/plugin-replace": "^5.0.5",
         "@rollup/plugin-terser": "^0.4.4",
         "@rollup/plugin-typescript": "^11.1.5",
-        "@storybook/addon-essentials": "^7.5.1",
-        "@storybook/addon-links": "^7.5.1",
+        "@storybook/addon-essentials": "^7.5.2",
+        "@storybook/addon-links": "^7.5.2",
         "@storybook/blocks": "^7.1.1",
-        "@storybook/web-components": "^7.5.1",
-        "@storybook/web-components-vite": "^7.5.1",
+        "@storybook/web-components": "^7.5.2",
+        "@storybook/web-components-vite": "^7.5.2",
         "@trivago/prettier-plugin-sort-imports": "^4.2.1",
         "@types/chart.js": "^2.9.39",
         "@types/codemirror": "5.60.12",
         "@types/grecaptcha": "^3.0.6",
-        "@typescript-eslint/eslint-plugin": "^6.9.0",
-        "@typescript-eslint/parser": "^6.9.0",
+        "@typescript-eslint/eslint-plugin": "^6.9.1",
+        "@typescript-eslint/parser": "^6.9.1",
         "babel-plugin-macros": "^3.1.0",
         "babel-plugin-tsconfig-paths": "^1.0.3",
         "cross-env": "^7.0.3",
-        "eslint": "^8.52.0",
+        "eslint": "^8.53.0",
         "eslint-config-google": "^0.14.0",
         "eslint-plugin-custom-elements": "0.0.8",
         "eslint-plugin-lit": "^1.10.1",
-        "eslint-plugin-sonarjs": "^0.21.0",
+        "eslint-plugin-sonarjs": "^0.23.0",
         "eslint-plugin-storybook": "^0.6.15",
         "lit-analyzer": "^2.0.1",
         "npm-run-all": "^4.1.5",
         "prettier": "^3.0.3",
         "pseudolocale": "^2.0.0",
-        "pyright": "^1.1.333",
+        "pyright": "^1.1.334",
         "react": "^18.2.0",
         "react-dom": "^18.2.0",
-        "rollup": "^4.1.4",
+        "rollup": "^4.3.0",
         "rollup-plugin-copy": "^3.5.0",
         "rollup-plugin-cssimport": "^1.0.3",
         "rollup-plugin-postcss-lit": "^2.1.0",
-        "storybook": "^7.5.1",
+        "storybook": "^7.5.2",
         "storybook-addon-mock": "^4.3.0",
-        "ts-lit-plugin": "^2.0.0",
+        "ts-lit-plugin": "^2.0.1",
         "tslib": "^2.6.2",
         "turnstile-types": "^1.1.3",
         "typescript": "^5.2.2",
@@ -125,8 +125,5 @@
         "@esbuild/darwin-arm64": "^0.19.5",
         "@esbuild/linux-amd64": "^0.18.11",
         "@esbuild/linux-arm64": "^0.19.5"
-    },
-    "engines": {
-        "node": ">=20"
     }
 }

web/src/admin/admin-overview/DashboardUserPage.ts

@@ -54,6 +54,7 @@ export class DashboardUserPage extends AKElement {
                                     context__model__app: "authentik_core",
                                     context__model__model_name: "user",
                                 }}
+                                label=${msg("Users created")}
                             >
                             </ak-charts-admin-model-per-day>
                         </ak-aggregate-card>
@@ -66,7 +67,10 @@ export class DashboardUserPage extends AKElement {
                         class="pf-l-grid__item pf-m-12-col pf-m-6-col-on-xl pf-m-6-col-on-2xl big-graph-container"
                     >
                         <ak-aggregate-card header=${msg("Logins per day in the last month")}>
-                            <ak-charts-admin-model-per-day action=${EventActions.Login}>
+                            <ak-charts-admin-model-per-day
+                                action=${EventActions.Login}
+                                label=${msg("Logins")}
+                            >
                             </ak-charts-admin-model-per-day>
                         </ak-aggregate-card>
                     </div>
@@ -74,7 +78,10 @@ export class DashboardUserPage extends AKElement {
                         class="pf-l-grid__item pf-m-12-col pf-m-6-col-on-xl pf-m-6-col-on-2xl big-graph-container"
                     >
                         <ak-aggregate-card header=${msg("Failed Logins per day in the last month")}>
-                            <ak-charts-admin-model-per-day action=${EventActions.LoginFailed}>
+                            <ak-charts-admin-model-per-day
+                                action=${EventActions.LoginFailed}
+                                label=${msg("Failed logins")}
+                            >
                             </ak-charts-admin-model-per-day>
                         </ak-aggregate-card>
                     </div>

web/src/admin/admin-overview/charts/AdminModelPerDay.ts

@@ -12,6 +12,9 @@ export class AdminModelPerDay extends AKChart<Coordinate[]> {
     @property()
     action: EventActions = EventActions.ModelCreated;
 
+    @property()
+    label?: string;
+
     @property({ attribute: false })
     query?: { [key: string]: unknown } | undefined;
 
@@ -33,7 +36,7 @@ export class AdminModelPerDay extends AKChart<Coordinate[]> {
         return {
             datasets: [
                 {
-                    label: msg("Objects created"),
+                    label: this.label || msg("Objects created"),
                     backgroundColor: "rgba(189, 229, 184, .5)",
                     spanGaps: true,
                     data:

web/src/admin/applications/ApplicationForm.ts

@@ -116,7 +116,7 @@ export class ApplicationForm extends ModelForm<Application, string> {
         return app;
     }
 
-    handleConfirmBackchannelProviders(items: Provider[]) {
+    handleConfirmBackchannelProviders({ items }: { items: Provider[] }) {
         this.backchannelProviders = items;
         this.requestUpdate();
         return Promise.resolve();

web/src/admin/applications/components/ak-backchannel-input.ts

@@ -63,7 +63,7 @@ export class AkBackchannelProvidersInput extends AKElement {
         return html`
             <ak-form-element-horizontal label=${this.label} name=${name}>
                 <div class="pf-c-input-group">
-                    <ak-provider-select-table ?backchannelOnly=${true} .confirm=${this.confirm}>
+                    <ak-provider-select-table ?backchannelOnly=${true} .confirm=${confirm}>
                         <button slot="trigger" class="pf-c-button pf-m-control" type="button">
                             ${this.tooltip ? this.tooltip : nothing}
                             <i class="fas fa-plus" aria-hidden="true"></i>

web/src/admin/sources/oauth/OAuthSourceForm.ts

@@ -184,31 +184,28 @@ export class OAuthSourceForm extends ModelForm<OAuthSource, string> {
                           </p>
                       </ak-form-element-horizontal> `
                     : html``}
-                ${this.providerType.slug === ProviderTypeEnum.Openidconnect ||
-                this.providerType.oidcWellKnownUrl !== ""
-                    ? html`<ak-form-element-horizontal
-                          label=${msg("OIDC Well-known URL")}
-                          name="oidcWellKnownUrl"
-                      >
-                          <input
-                              type="text"
-                              value="${first(
-                                  this.instance?.oidcWellKnownUrl,
-                                  this.providerType.oidcWellKnownUrl,
-                                  "",
-                              )}"
-                              class="pf-c-form-control"
-                          />
-                          <p class="pf-c-form__helper-text">
-                              ${msg(
-                                  "OIDC well-known configuration URL. Can be used to automatically configure the URLs above.",
-                              )}
-                          </p>
-                      </ak-form-element-horizontal>`
-                    : html``}
-                ${this.providerType.slug === ProviderTypeEnum.Openidconnect ||
-                this.providerType.oidcJwksUrl !== ""
-                    ? html`<ak-form-element-horizontal
+                ${this.providerType.slug === ProviderTypeEnum.Openidconnect
+                    ? html`
+                          <ak-form-element-horizontal
+                              label=${msg("OIDC Well-known URL")}
+                              name="oidcWellKnownUrl"
+                          >
+                              <input
+                                  type="text"
+                                  value="${first(
+                                      this.instance?.oidcWellKnownUrl,
+                                      this.providerType.oidcWellKnownUrl,
+                                      "",
+                                  )}"
+                                  class="pf-c-form-control"
+                              />
+                              <p class="pf-c-form__helper-text">
+                                  ${msg(
+                                      "OIDC well-known configuration URL. Can be used to automatically configure the URLs above.",
+                                  )}
+                              </p>
+                          </ak-form-element-horizontal>
+                          <ak-form-element-horizontal
                               label=${msg("OIDC JWKS URL")}
                               name="oidcJwksUrl"
                           >
@@ -227,6 +224,7 @@ export class OAuthSourceForm extends ModelForm<OAuthSource, string> {
                                   )}
                               </p>
                           </ak-form-element-horizontal>
+
                           <ak-form-element-horizontal label=${msg("OIDC JWKS")} name="oidcJwks">
                               <ak-codemirror
                                   mode=${CodeMirrorMode.JavaScript}
@@ -234,7 +232,8 @@ export class OAuthSourceForm extends ModelForm<OAuthSource, string> {
                               >
                               </ak-codemirror>
                               <p class="pf-c-form__helper-text">${msg("Raw JWKS data.")}</p>
-                          </ak-form-element-horizontal>`
+                          </ak-form-element-horizontal>
+                      `
                     : html``}
             </div>
         </ak-form-group>`;

web/src/admin/users/UserDevicesTable.ts

@@ -15,8 +15,6 @@ export class UserDeviceTable extends Table<Device> {
     @property({ type: Number })
     userId?: number;
 
-    checkbox = true;
-
     async apiEndpoint(): Promise<PaginatedResponse<Device>> {
         return new AuthenticatorsApi(DEFAULT_CONFIG)
             .authenticatorsAdminAllList({
@@ -66,21 +64,6 @@ export class UserDeviceTable extends Table<Device> {
         }
     }
 
-    renderToolbarSelected(): TemplateResult {
-        const disabled = this.selectedElements.length < 1;
-        return html`<ak-forms-delete-bulk
-            objectLabel=${msg("Device(s)")}
-            .objects=${this.selectedElements}
-            .delete=${(item: Device) => {
-                return this.deleteWrapper(item);
-            }}
-        >
-            <button ?disabled=${disabled} slot="trigger" class="pf-c-button pf-m-danger">
-                ${msg("Delete")}
-            </button>
-        </ak-forms-delete-bulk>`;
-    }
-
     renderToolbar(): TemplateResult {
         return html` <ak-spinner-button
             .callAction=${() => {

web/src/common/constants.ts

@@ -3,7 +3,7 @@ export const SUCCESS_CLASS = "pf-m-success";
 export const ERROR_CLASS = "pf-m-danger";
 export const PROGRESS_CLASS = "pf-m-in-progress";
 export const CURRENT_CLASS = "pf-m-current";
-export const VERSION = "2023.10.6";
+export const VERSION = "2023.10.2";
 export const TITLE_DEFAULT = "authentik";
 export const ROUTE_SEPARATOR = ";";
 

web/src/common/styles/theme-dark.css

@@ -310,12 +310,6 @@ select[multiple] option:checked {
     --pf-c-wizard__nav-link--before--BackgroundColor: transparent;
 }
 /* tree view */
-.pf-c-tree-view__node {
-    --pf-c-tree-view__node--Color: var(--ak-dark-foreground);
-}
-.pf-c-tree-view__node-toggle {
-    --pf-c-tree-view__node-toggle--Color: var(--ak-dark-foreground);
-}
 .pf-c-tree-view__node:focus {
     --pf-c-tree-view__node--focus--BackgroundColor: var(--ak-dark-background-light-ish);
 }

web/src/elements/PageHeader.ts

@@ -79,7 +79,6 @@ export class PageHeader extends AKElement {
                 }
                 .pf-c-page__main-section {
                     flex-grow: 1;
-                    flex-shrink: 1;
                     display: flex;
                     flex-direction: column;
                     justify-content: center;

web/src/flow/stages/authenticator_validate/AuthenticatorValidateStage.ts

@@ -89,9 +89,6 @@ export class AuthenticatorValidateStage
                 display: flex;
                 align-items: center;
             }
-            :host([theme="dark"]) .authenticator-button {
-                color: var(--ak-dark-foreground) !important;
-            }
             i {
                 font-size: 1.5rem;
                 padding: 1rem 0;

web/src/user/LibraryApplication/index.ts

@@ -96,7 +96,7 @@ export class LibraryApplication extends AKElement {
             this.application.metaPublisher !== "" ||
             this.application.metaDescription !== "";
 
-        const classes = { "pf-m-selectable": this.selected, "pf-m-selected": this.selected };
+        const classes = { "pf-m-selectable pf-m-selected": this.selected };
         const styles = this.background ? { background: this.background } : {};
 
         return html` <div

web/src/user/LibraryPage/ApplicationSearch.ts

@@ -38,9 +38,7 @@ export class LibraryPageApplicationList extends AKElement {
     ];
 
     @property({ attribute: false })
-    set apps(value: Application[]) {
-        this.fuse.setCollection(value);
-    }
+    apps: Application[] = [];
 
     @property()
     query = getURLParam<string | undefined>("search", undefined);
@@ -65,7 +63,7 @@ export class LibraryPageApplicationList extends AKElement {
             shouldSort: true,
             ignoreFieldNorm: true,
             useExtendedSearch: true,
-            threshold: 0.3,
+            threshold: 0.5,
         });
     }
 
@@ -79,6 +77,7 @@ export class LibraryPageApplicationList extends AKElement {
 
     connectedCallback() {
         super.connectedCallback();
+        this.fuse.setCollection(this.apps);
         if (!this.query) {
             return;
         }

web/src/user/UserInterface.ts

@@ -82,9 +82,9 @@ export class UserInterface extends Interface {
                 :host([theme="dark"]) .pf-c-page__header {
                     color: var(--ak-dark-foreground) !important;
                 }
-                :host([theme="light"]) .pf-c-page__header-tools-item .fas,
-                :host([theme="light"]) .pf-c-notification-badge__count,
-                :host([theme="light"]) .pf-c-page__header-tools-group .pf-c-button {
+                .pf-c-page__header-tools-item .fas,
+                .pf-c-notification-badge__count,
+                .pf-c-page__header-tools-group .pf-c-button {
                     color: var(--ak-global--Color--100) !important;
                 }
                 .pf-c-page {
@@ -183,7 +183,7 @@ export class UserInterface extends Interface {
             <ak-enterprise-status interface="user"></ak-enterprise-status>
             <div class="pf-c-page">
                 <div class="background-wrapper" style="${this.uiConfig.theme.background}">
-                    ${(this.uiConfig.theme.background || "") === ""
+                    ${this.uiConfig.theme.background === ""
                         ? html`<div class="background-default-slant"></div>`
                         : html``}
                 </div>

web/xliff/de.xlf

@@ -6038,6 +6038,12 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s32babfed740fd3c1">
   <source>User type used for newly created users.</source>
 </trans-unit>
+<trans-unit id="s4a34a6be4c68ec87">
+  <source>Users created</source>
+</trans-unit>
+<trans-unit id="s275c956687e2e656">
+  <source>Failed logins</source>
+</trans-unit>
 <trans-unit id="sb35c08e3a541188f">
   <source>Also known as Client ID.</source>
 </trans-unit>

web/xliff/en.xlf

@@ -6319,6 +6319,12 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s32babfed740fd3c1">
   <source>User type used for newly created users.</source>
 </trans-unit>
+<trans-unit id="s4a34a6be4c68ec87">
+  <source>Users created</source>
+</trans-unit>
+<trans-unit id="s275c956687e2e656">
+  <source>Failed logins</source>
+</trans-unit>
 <trans-unit id="sb35c08e3a541188f">
   <source>Also known as Client ID.</source>
 </trans-unit>