release: 2023.10.6

* providers/oauth2: fix CVE-2024-21637 (#8104)

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* update changelog

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Jens L <jens@goauthentik.io>

.bumpversion.cfg

@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2023.8.3
+current_version = 2023.10.6
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)

.github/actions/setup/action.yml

@@ -2,36 +2,39 @@ name: "Setup authentik testing environment"
 description: "Setup authentik testing environment"
 
 inputs:
-  postgresql_tag:
+  postgresql_version:
     description: "Optional postgresql image tag"
     default: "12"
 
 runs:
   using: "composite"
   steps:
-    - name: Install poetry
+    - name: Install poetry & deps
       shell: bash
       run: |
         pipx install poetry || true
-        sudo apt update
+        sudo apt-get update
-        sudo apt install -y libpq-dev openssl libxmlsec1-dev pkg-config gettext
+        sudo apt-get install --no-install-recommends -y libpq-dev openssl libxmlsec1-dev pkg-config gettext
     - name: Setup python and restore poetry
-      uses: actions/setup-python@v3
+      uses: actions/setup-python@v4
       with:
-        python-version: "3.11"
+        python-version-file: 'pyproject.toml'
         cache: "poetry"
     - name: Setup node
       uses: actions/setup-node@v3
       with:
-        node-version: "20"
+        node-version-file: web/package.json
         cache: "npm"
         cache-dependency-path: web/package-lock.json
+    - name: Setup go
+      uses: actions/setup-go@v4
+      with:
+        go-version-file: "go.mod"
     - name: Setup dependencies
       shell: bash
       run: |
-        export PSQL_TAG=${{ inputs.postgresql_tag }}
+        export PSQL_TAG=${{ inputs.postgresql_version }}
         docker-compose -f .github/actions/setup/docker-compose.yml up -d
-        poetry env use python3.11
         poetry install
         cd web && npm ci
     - name: Generate config

.github/workflows/ci-main.yml

@@ -11,6 +11,7 @@ on:
   pull_request:
     branches:
       - main
+      - version-*
 
 env:
   POSTGRES_DB: authentik
@@ -47,25 +48,38 @@ jobs:
       - name: run migrations
         run: poetry run python -m lifecycle.migrate
   test-migrations-from-stable:
+    name: test-migrations-from-stable - PostgreSQL ${{ matrix.psql }}
     runs-on: ubuntu-latest
-    continue-on-error: true
+    strategy:
+      fail-fast: false
+      matrix:
+        psql:
+          - 12-alpine
+          - 15-alpine
+          - 16-alpine
     steps:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
       - name: Setup authentik env
         uses: ./.github/actions/setup
+        with:
+          postgresql_version: ${{ matrix.psql }}
       - name: checkout stable
         run: |
+          # Delete all poetry envs
+          rm -rf /home/runner/.cache/pypoetry
           # Copy current, latest config to local
           cp authentik/lib/default.yml local.env.yml
           cp -R .github ..
           cp -R scripts ..
-          git checkout $(git describe --tags $(git rev-list --tags --max-count=1))
+          git checkout version/$(python -c "from authentik import __version__; print(__version__)")
           rm -rf .github/ scripts/
           mv ../.github ../scripts .
       - name: Setup authentik env (ensure stable deps are installed)
         uses: ./.github/actions/setup
+        with:
+          postgresql_version: ${{ matrix.psql }}
       - name: run migrations to stable
         run: poetry run python -m lifecycle.migrate
       - name: checkout current code
@@ -75,9 +89,13 @@ jobs:
           git reset --hard HEAD
           git clean -d -fx .
           git checkout $GITHUB_SHA
+          # Delete previous poetry env
+          rm -rf $(poetry env info --path)
           poetry install
       - name: Setup authentik env (ensure latest deps are installed)
         uses: ./.github/actions/setup
+        with:
+          postgresql_version: ${{ matrix.psql }}
       - name: migrate to latest
         run: poetry run python -m lifecycle.migrate
   test-unittest:
@@ -96,7 +114,7 @@ jobs:
       - name: Setup authentik env
         uses: ./.github/actions/setup
         with:
-          postgresql_tag: ${{ matrix.psql }}
+          postgresql_version: ${{ matrix.psql }}
       - name: run unittest
         run: |
           poetry run make test
@@ -185,6 +203,9 @@ jobs:
   build:
     needs: ci-core-mark
     runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload contianer images to ghcr.io
+      packages: write
     timeout-minutes: 120
     steps:
       - uses: actions/checkout@v4
@@ -235,6 +256,9 @@ jobs:
   build-arm64:
     needs: ci-core-mark
     runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload contianer images to ghcr.io
+      packages: write
     timeout-minutes: 120
     steps:
       - uses: actions/checkout@v4

.github/workflows/ci-outpost.yml

@@ -9,6 +9,7 @@ on:
   pull_request:
     branches:
       - main
+      - version-*
 
 jobs:
   lint-golint:
@@ -65,6 +66,9 @@ jobs:
           - ldap
           - radius
     runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload contianer images to ghcr.io
+      packages: write
     steps:
       - uses: actions/checkout@v4
         with:
@@ -124,9 +128,9 @@ jobs:
       - uses: actions/setup-go@v4
         with:
           go-version-file: "go.mod"
-      - uses: actions/setup-node@v3
+      - uses: actions/setup-node@v4
         with:
-          node-version: "20"
+          node-version-file: web/package.json
           cache: "npm"
           cache-dependency-path: web/package-lock.json
       - name: Generate API

.github/workflows/ci-web.yml

@@ -9,6 +9,7 @@ on:
   pull_request:
     branches:
       - main
+      - version-*
 
 jobs:
   lint-eslint:
@@ -21,9 +22,9 @@ jobs:
           - tests/wdio
     steps:
       - uses: actions/checkout@v4
-      - uses: actions/setup-node@v3
+      - uses: actions/setup-node@v4
         with:
-          node-version: "20"
+          node-version-file: ${{ matrix.project }}/package.json
           cache: "npm"
           cache-dependency-path: ${{ matrix.project }}/package-lock.json
       - working-directory: ${{ matrix.project }}/
@@ -37,9 +38,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: actions/setup-node@v3
+      - uses: actions/setup-node@v4
         with:
-          node-version: "20"
+          node-version-file: web/package.json
           cache: "npm"
           cache-dependency-path: web/package-lock.json
       - working-directory: web/
@@ -59,9 +60,9 @@ jobs:
           - tests/wdio
     steps:
       - uses: actions/checkout@v4
-      - uses: actions/setup-node@v3
+      - uses: actions/setup-node@v4
         with:
-          node-version: "20"
+          node-version-file: ${{ matrix.project }}/package.json
           cache: "npm"
           cache-dependency-path: ${{ matrix.project }}/package-lock.json
       - working-directory: ${{ matrix.project }}/
@@ -75,9 +76,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: actions/setup-node@v3
+      - uses: actions/setup-node@v4
         with:
-          node-version: "20"
+          node-version-file: web/package.json
           cache: "npm"
           cache-dependency-path: web/package-lock.json
       - working-directory: web/
@@ -107,9 +108,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: actions/setup-node@v3
+      - uses: actions/setup-node@v4
         with:
-          node-version: "20"
+          node-version-file: web/package.json
           cache: "npm"
           cache-dependency-path: web/package-lock.json
       - working-directory: web/

.github/workflows/ci-website.yml

@@ -9,15 +9,16 @@ on:
   pull_request:
     branches:
       - main
+      - version-*
 
 jobs:
   lint-prettier:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: actions/setup-node@v3
+      - uses: actions/setup-node@v4
         with:
-          node-version: "20"
+          node-version-file: website/package.json
           cache: "npm"
           cache-dependency-path: website/package-lock.json
       - working-directory: website/
@@ -29,9 +30,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: actions/setup-node@v3
+      - uses: actions/setup-node@v4
         with:
-          node-version: "20"
+          node-version-file: website/package.json
           cache: "npm"
           cache-dependency-path: website/package-lock.json
       - working-directory: website/
@@ -50,9 +51,9 @@ jobs:
           - build-docs-only
     steps:
       - uses: actions/checkout@v4
-      - uses: actions/setup-node@v3
+      - uses: actions/setup-node@v4
         with:
-          node-version: "20"
+          node-version-file: website/package.json
           cache: "npm"
           cache-dependency-path: website/package-lock.json
       - working-directory: website/

.github/workflows/release-next-branch.yml

@@ -6,6 +6,7 @@ on:
   workflow_dispatch:
 
 permissions:
+  # Needed to be able to push to the next branch
   contents: write
 
 jobs:

.github/workflows/release-publish.yml

@@ -7,6 +7,9 @@ on:
 jobs:
   build-server:
     runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload contianer images to ghcr.io
+      packages: write
     steps:
       - uses: actions/checkout@v4
       - name: Set up QEMU
@@ -27,8 +30,10 @@ jobs:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
-      - name: make empty ts client
+      - name: make empty clients
-        run: mkdir -p ./gen-ts-client
+        run: |
+          mkdir -p ./gen-ts-api
+          mkdir -p ./gen-go-api
       - name: Build Docker Image
         uses: docker/build-push-action@v5
         with:
@@ -50,6 +55,9 @@ jobs:
             VERSION_FAMILY=${{ steps.ev.outputs.versionFamily }}
   build-outpost:
     runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload contianer images to ghcr.io
+      packages: write
     strategy:
       fail-fast: false
       matrix:
@@ -69,6 +77,10 @@ jobs:
       - name: prepare variables
         uses: ./.github/actions/docker-push-variables
         id: ev
+      - name: make empty clients
+        run: |
+          mkdir -p ./gen-ts-api
+          mkdir -p ./gen-go-api
       - name: Docker Login Registry
         uses: docker/login-action@v3
         with:
@@ -93,12 +105,16 @@ jobs:
             ghcr.io/goauthentik/${{ matrix.type }}:latest
           file: ${{ matrix.type }}.Dockerfile
           platforms: linux/amd64,linux/arm64
+          context: .
           build-args: |
             VERSION=${{ steps.ev.outputs.version }}
             VERSION_FAMILY=${{ steps.ev.outputs.versionFamily }}
   build-outpost-binary:
     timeout-minutes: 120
     runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload binaries to the release
+      contents: write
     strategy:
       fail-fast: false
       matrix:
@@ -113,9 +129,9 @@ jobs:
       - uses: actions/setup-go@v4
         with:
           go-version-file: "go.mod"
-      - uses: actions/setup-node@v3
+      - uses: actions/setup-node@v4
         with:
-          node-version: "20"
+          node-version-file: web/package.json
           cache: "npm"
           cache-dependency-path: web/package-lock.json
       - name: Build web

.github/workflows/release-tag.yml

@@ -16,6 +16,7 @@ jobs:
           echo "PG_PASS=$(openssl rand -base64 32)" >> .env
           echo "AUTHENTIK_SECRET_KEY=$(openssl rand -base64 32)" >> .env
           docker buildx install
+          mkdir -p ./gen-ts-api
           docker build -t testing:latest .
           echo "AUTHENTIK_IMAGE=testing" >> .env
           echo "AUTHENTIK_TAG=latest" >> .env

.github/workflows/repo-stale.yml

@@ -6,8 +6,8 @@ on:
   workflow_dispatch:
 
 permissions:
+  # Needed to update issues and PRs
   issues: write
-  pull-requests: write
 
 jobs:
   stale:

.github/workflows/web-api-publish.yml

@@ -17,9 +17,9 @@ jobs:
       - uses: actions/checkout@v4
         with:
           token: ${{ steps.generate_token.outputs.token }}
-      - uses: actions/setup-node@v3
+      - uses: actions/setup-node@v4
         with:
-          node-version: "20"
+          node-version-file: web/package.json
           registry-url: "https://registry.npmjs.org"
       - name: Generate API Client
         run: make gen-client-ts

Dockerfile

@@ -1,5 +1,7 @@
+# syntax=docker/dockerfile:1
+
 # Stage 1: Build website
-FROM --platform=${BUILDPLATFORM} docker.io/node:20 as website-builder
+FROM --platform=${BUILDPLATFORM} docker.io/node:21 as website-builder
 
 ENV NODE_ENV=production
 
@@ -7,7 +9,7 @@ WORKDIR /work/website
 
 RUN --mount=type=bind,target=/work/website/package.json,src=./website/package.json \
     --mount=type=bind,target=/work/website/package-lock.json,src=./website/package-lock.json \
-    --mount=type=cache,target=/root/.npm \
+    --mount=type=cache,id=npm-website,sharing=shared,target=/root/.npm \
     npm ci --include=dev
 
 COPY ./website /work/website/
@@ -17,7 +19,7 @@ COPY ./SECURITY.md /work/
 RUN npm run build-docs-only
 
 # Stage 2: Build webui
-FROM --platform=${BUILDPLATFORM} docker.io/node:20 as web-builder
+FROM --platform=${BUILDPLATFORM} docker.io/node:21 as web-builder
 
 ENV NODE_ENV=production
 
@@ -25,7 +27,7 @@ WORKDIR /work/web
 
 RUN --mount=type=bind,target=/work/web/package.json,src=./web/package.json \
     --mount=type=bind,target=/work/web/package-lock.json,src=./web/package-lock.json \
-    --mount=type=cache,target=/root/.npm \
+    --mount=type=cache,id=npm-web,sharing=shared,target=/root/.npm \
     npm ci --include=dev
 
 COPY ./web /work/web/
@@ -35,7 +37,14 @@ COPY ./gen-ts-api /work/web/node_modules/@goauthentik/api
 RUN npm run build
 
 # Stage 3: Build go proxy
-FROM docker.io/golang:1.21.3-bookworm AS go-builder
+FROM --platform=${BUILDPLATFORM} docker.io/golang:1.21.4-bookworm AS go-builder
+
+ARG TARGETOS
+ARG TARGETARCH
+ARG TARGETVARIANT
+
+ARG GOOS=$TARGETOS
+ARG GOARCH=$TARGETARCH
 
 WORKDIR /go/src/goauthentik.io
 
@@ -55,12 +64,12 @@ COPY ./go.sum /go/src/goauthentik.io/go.sum
 
 ENV CGO_ENABLED=0
 
-RUN --mount=type=cache,target=/go/pkg/mod \
+RUN --mount=type=cache,sharing=locked,target=/go/pkg/mod \
-    --mount=type=cache,target=/root/.cache/go-build \
+    --mount=type=cache,id=go-build-$TARGETARCH$TARGETVARIANT,sharing=locked,target=/root/.cache/go-build \
-    go build -o /go/authentik ./cmd/server
+    GOARM="${TARGETVARIANT#v}" go build -o /go/authentik ./cmd/server
 
 # Stage 4: MaxMind GeoIP
-FROM ghcr.io/maxmind/geoipupdate:v6.0 as geoip
+FROM --platform=${BUILDPLATFORM} ghcr.io/maxmind/geoipupdate:v6.0 as geoip
 
 ENV GEOIPUPDATE_EDITION_IDS="GeoLite2-City"
 ENV GEOIPUPDATE_VERBOSE="true"
@@ -82,7 +91,9 @@ ENV VENV_PATH="/ak-root/venv" \
     POETRY_VIRTUALENVS_CREATE=false \
     PATH="/ak-root/venv/bin:$PATH"
 
-RUN --mount=type=cache,target=/var/cache/apt \
+RUN rm -f /etc/apt/apt.conf.d/docker-clean; echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache
+
+RUN --mount=type=cache,id=apt-$TARGETARCH$TARGETVARIANT,sharing=locked,target=/var/cache/apt \
     apt-get update && \
     # Required for installing pip packages
     apt-get install -y --no-install-recommends build-essential pkg-config libxmlsec1-dev zlib1g-dev libpq-dev

Makefile

@@ -56,9 +56,9 @@ test: ## Run the server tests and produce a coverage report (locally)
 	coverage report
 
 lint-fix:  ## Lint and automatically fix errors in the python source code. Reports spelling errors.
-	isort authentik $(PY_SOURCES)
+	isort $(PY_SOURCES)
-	black authentik $(PY_SOURCES)
+	black $(PY_SOURCES)
-	ruff authentik $(PY_SOURCES)
+	ruff $(PY_SOURCES)
 	codespell -w $(CODESPELL_ARGS)
 
 lint: ## Lint the python and golang sources

authentik/__init__.py

@@ -2,7 +2,7 @@
 from os import environ
 from typing import Optional
 
-__version__ = "2023.8.3"
+__version__ = "2023.10.6"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
 
 

authentik/api/v3/urls.py

@@ -21,7 +21,9 @@ _other_urls = []
 for _authentik_app in get_apps():
     try:
         api_urls = import_module(f"{_authentik_app.name}.urls")
-    except (ModuleNotFoundError, ImportError) as exc:
+    except ModuleNotFoundError:
+        continue
+    except ImportError as exc:
         LOGGER.warning("Could not import app's URLs", app_name=_authentik_app.name, exc=exc)
         continue
     if not hasattr(api_urls, "api_urlpatterns"):

authentik/blueprints/apps.py

@@ -40,7 +40,7 @@ class ManagedAppConfig(AppConfig):
                 meth()
                 self._logger.debug("Successfully reconciled", name=name)
             except (DatabaseError, ProgrammingError, InternalError) as exc:
-                self._logger.debug("Failed to run reconcile", name=name, exc=exc)
+                self._logger.warning("Failed to run reconcile", name=name, exc=exc)
 
 
 class AuthentikBlueprintsConfig(ManagedAppConfig):

authentik/blueprints/v1/common.py

@@ -584,12 +584,17 @@ class EntryInvalidError(SentryIgnoredException):
     entry_model: Optional[str]
     entry_id: Optional[str]
     validation_error: Optional[ValidationError]
+    serializer: Optional[Serializer] = None
 
-    def __init__(self, *args: object, validation_error: Optional[ValidationError] = None) -> None:
+    def __init__(
+        self, *args: object, validation_error: Optional[ValidationError] = None, **kwargs
+    ) -> None:
         super().__init__(*args)
         self.entry_model = None
         self.entry_id = None
         self.validation_error = validation_error
+        for key, value in kwargs.items():
+            setattr(self, key, value)
 
     @staticmethod
     def from_entry(

authentik/blueprints/v1/importer.py

@@ -255,7 +255,10 @@ class Importer:
         try:
             full_data = self.__update_pks_for_attrs(entry.get_attrs(self._import))
         except ValueError as exc:
-            raise EntryInvalidError.from_entry(exc, entry) from exc
+            raise EntryInvalidError.from_entry(
+                exc,
+                entry,
+            ) from exc
         always_merger.merge(full_data, updated_identifiers)
         serializer_kwargs["data"] = full_data
 
@@ -272,6 +275,7 @@ class Importer:
                 f"Serializer errors {serializer.errors}",
                 validation_error=exc,
                 entry=entry,
+                serializer=serializer,
             ) from exc
         return serializer
 
@@ -300,12 +304,14 @@ class Importer:
                 )
                 return False
             # Validate each single entry
+            serializer = None
             try:
                 serializer = self._validate_single(entry)
             except EntryInvalidError as exc:
                 # For deleting objects we don't need the serializer to be valid
                 if entry.get_state(self._import) == BlueprintEntryDesiredState.ABSENT:
-                    continue
+                    serializer = exc.serializer
+                else:
                     self.logger.warning(f"entry invalid: {exc}", entry=entry, error=exc)
                     if raise_errors:
                         raise exc

authentik/blueprints/v1/tasks.py

@@ -75,14 +75,14 @@ class BlueprintEventHandler(FileSystemEventHandler):
             return
         if event.is_directory:
             return
-        if isinstance(event, FileCreatedEvent):
-            LOGGER.debug("new blueprint file created, starting discovery")
-            blueprints_discovery.delay()
-        if isinstance(event, FileModifiedEvent):
-            path = Path(event.src_path)
         root = Path(CONFIG.get("blueprints_dir")).absolute()
+        path = Path(event.src_path).absolute()
         rel_path = str(path.relative_to(root))
-            for instance in BlueprintInstance.objects.filter(path=rel_path):
+        if isinstance(event, FileCreatedEvent):
+            LOGGER.debug("new blueprint file created, starting discovery", path=rel_path)
+            blueprints_discovery.delay(rel_path)
+        if isinstance(event, FileModifiedEvent):
+            for instance in BlueprintInstance.objects.filter(path=rel_path, enabled=True):
                 LOGGER.debug("modified blueprint file, starting apply", instance=instance)
                 apply_blueprint.delay(instance.pk.hex)
 
@@ -98,39 +98,32 @@ def blueprints_find_dict():
     return blueprints
 
 
-def blueprints_find():
+def blueprints_find() -> list[BlueprintFile]:
     """Find blueprints and return valid ones"""
     blueprints = []
     root = Path(CONFIG.get("blueprints_dir"))
     for path in root.rglob("**/*.yaml"):
+        rel_path = path.relative_to(root)
         # Check if any part in the path starts with a dot and assume a hidden file
         if any(part for part in path.parts if part.startswith(".")):
             continue
-        LOGGER.debug("found blueprint", path=str(path))
         with open(path, "r", encoding="utf-8") as blueprint_file:
             try:
                 raw_blueprint = load(blueprint_file.read(), BlueprintLoader)
             except YAMLError as exc:
                 raw_blueprint = None
-                LOGGER.warning("failed to parse blueprint", exc=exc, path=str(path))
+                LOGGER.warning("failed to parse blueprint", exc=exc, path=str(rel_path))
             if not raw_blueprint:
                 continue
             metadata = raw_blueprint.get("metadata", None)
             version = raw_blueprint.get("version", 1)
             if version != 1:
-                LOGGER.warning("invalid blueprint version", version=version, path=str(path))
+                LOGGER.warning("invalid blueprint version", version=version, path=str(rel_path))
                 continue
         file_hash = sha512(path.read_bytes()).hexdigest()
-        blueprint = BlueprintFile(
+        blueprint = BlueprintFile(str(rel_path), version, file_hash, int(path.stat().st_mtime))
-            str(path.relative_to(root)), version, file_hash, int(path.stat().st_mtime)
-        )
         blueprint.meta = from_dict(BlueprintMetadata, metadata) if metadata else None
         blueprints.append(blueprint)
-        LOGGER.debug(
-            "parsed & loaded blueprint",
-            hash=file_hash,
-            path=str(path),
-        )
     return blueprints
 
 
@@ -138,10 +131,12 @@ def blueprints_find():
     throws=(DatabaseError, ProgrammingError, InternalError), base=MonitoredTask, bind=True
 )
 @prefill_task
-def blueprints_discovery(self: MonitoredTask):
+def blueprints_discovery(self: MonitoredTask, path: Optional[str] = None):
     """Find blueprints and check if they need to be created in the database"""
     count = 0
     for blueprint in blueprints_find():
+        if path and blueprint.path != path:
+            continue
         check_blueprint_v1_file(blueprint)
         count += 1
     self.set_status(
@@ -171,7 +166,11 @@ def check_blueprint_v1_file(blueprint: BlueprintFile):
             metadata={},
         )
         instance.save()
+        LOGGER.info(
+            "Creating new blueprint instance from file", instance=instance, path=instance.path
+        )
     if instance.last_applied_hash != blueprint.hash:
+        LOGGER.info("Applying blueprint due to changed file", instance=instance, path=instance.path)
         apply_blueprint.delay(str(instance.pk))
 
 

authentik/core/api/applications.py

@@ -98,6 +98,7 @@ class ApplicationSerializer(ModelSerializer):
 class ApplicationViewSet(UsedByMixin, ModelViewSet):
     """Application Viewset"""
 
+    # pylint: disable=no-member
     queryset = Application.objects.all().prefetch_related("provider")
     serializer_class = ApplicationSerializer
     search_fields = [

authentik/core/api/groups.py

@@ -139,6 +139,7 @@ class UserAccountSerializer(PassiveSerializer):
 class GroupViewSet(UsedByMixin, ModelViewSet):
     """Group Viewset"""
 
+    # pylint: disable=no-member
     queryset = Group.objects.all().select_related("parent").prefetch_related("users")
     serializer_class = GroupSerializer
     search_fields = ["name", "is_superuser"]

authentik/core/api/sources.py

@@ -38,7 +38,7 @@ class SourceSerializer(ModelSerializer, MetaNameSerializer):
 
     managed = ReadOnlyField()
     component = SerializerMethodField()
-    icon = ReadOnlyField(source="get_icon")
+    icon = ReadOnlyField(source="icon_url")
 
     def get_component(self, obj: Source) -> str:
         """Get object component so that we know how to edit the object"""

authentik/core/api/users.py

@@ -171,6 +171,11 @@ class UserSerializer(ModelSerializer):
             raise ValidationError("Setting a user to internal service account is not allowed.")
         return user_type
 
+    def validate(self, attrs: dict) -> dict:
+        if self.instance and self.instance.type == UserTypes.INTERNAL_SERVICE_ACCOUNT:
+            raise ValidationError("Can't modify internal service account users")
+        return super().validate(attrs)
+
     class Meta:
         model = User
         fields = [

authentik/core/expression/evaluator.py

@@ -44,6 +44,7 @@ class PropertyMappingEvaluator(BaseEvaluator):
         if request:
             req.http_request = request
         self._context["request"] = req
+        req.context.update(**kwargs)
         self._context.update(**kwargs)
         self.dry_run = dry_run
 

authentik/core/management/commands/worker.py

@@ -17,9 +17,15 @@ class Command(BaseCommand):
     """Run worker"""
 
     def add_arguments(self, parser):
-        parser.add_argument("-b", "--beat", action="store_true")
+        parser.add_argument(
+            "-b",
+            "--beat",
+            action="store_false",
+            help="When set, this worker will _not_ run Beat (scheduled) tasks",
+        )
 
     def handle(self, **options):
+        LOGGER.debug("Celery options", **options)
         close_old_connections()
         if CONFIG.get_bool("remote_debug"):
             import debugpy

authentik/core/sources/flow_manager.py

@@ -97,6 +97,7 @@ class SourceFlowManager:
         if self.request.user.is_authenticated:
             new_connection.user = self.request.user
             new_connection = self.update_connection(new_connection, **kwargs)
+            # pylint: disable=no-member
             new_connection.save()
             return Action.LINK, new_connection
 

authentik/core/templates/base/skeleton.html

@@ -13,7 +13,6 @@
         {% block head_before %}
         {% endblock %}
         <link rel="stylesheet" type="text/css" href="{% static 'dist/authentik.css' %}">
-        <link rel="stylesheet" type="text/css" href="{% static 'dist/theme-dark.css' %}" media="(prefers-color-scheme: dark)">
         <link rel="stylesheet" type="text/css" href="{% static 'dist/custom.css' %}" data-inject>
         <script src="{% static 'dist/poly.js' %}?version={{ version }}" type="module"></script>
         <script src="{% static 'dist/standalone/loading/index.js' %}?version={{ version }}" type="module"></script>

authentik/core/templates/if/end_session.html

@@ -16,8 +16,8 @@ You've logged out of {{ application }}.
 {% block card %}
 <form method="POST" class="pf-c-form">
     <p>
-        {% blocktrans with application=application.name %}
+        {% blocktrans with application=application.name branding_title=tenant.branding_title %}
-            You've logged out of {{ application }}. You can go back to the overview to launch another application, or log out of your authentik account.
+            You've logged out of {{ application }}. You can go back to the overview to launch another application, or log out of your {{ branding_title }} account.
         {% endblocktrans %}
     </p>
 

authentik/core/templates/login/base_full.html

@@ -6,6 +6,7 @@
 {% block head_before %}
 <link rel="prefetch" href="/static/dist/assets/images/flow_background.jpg" />
 <link rel="stylesheet" type="text/css" href="{% static 'dist/patternfly.min.css' %}">
+<link rel="stylesheet" type="text/css" href="{% static 'dist/theme-dark.css' %}" media="(prefers-color-scheme: dark)">
 {% include "base/header_js.html" %}
 {% endblock %}
 

authentik/crypto/apps.py

@@ -1,13 +1,10 @@
 """authentik crypto app config"""
 from datetime import datetime
-from typing import TYPE_CHECKING, Optional
+from typing import Optional
 
 from authentik.blueprints.apps import ManagedAppConfig
 from authentik.lib.generators import generate_id
 
-if TYPE_CHECKING:
-    from authentik.crypto.models import CertificateKeyPair
-
 MANAGED_KEY = "goauthentik.io/crypto/jwt-managed"
 
 
@@ -23,33 +20,37 @@ class AuthentikCryptoConfig(ManagedAppConfig):
         """Load crypto tasks"""
         self.import_module("authentik.crypto.tasks")
 
-    def _create_update_cert(self, cert: Optional["CertificateKeyPair"] = None):
+    def _create_update_cert(self):
         from authentik.crypto.builder import CertificateBuilder
         from authentik.crypto.models import CertificateKeyPair
 
-        builder = CertificateBuilder("authentik Internal JWT Certificate")
+        common_name = "authentik Internal JWT Certificate"
+        builder = CertificateBuilder(common_name)
         builder.build(
             subject_alt_names=["goauthentik.io"],
             validity_days=360,
         )
-        if not cert:
+        CertificateKeyPair.objects.update_or_create(
-            cert = CertificateKeyPair()
+            managed=MANAGED_KEY,
-        builder.cert = cert
+            defaults={
-        builder.cert.managed = MANAGED_KEY
+                "name": common_name,
-        builder.save()
+                "certificate_data": builder.certificate,
+                "key_data": builder.private_key,
+            },
+        )
 
     def reconcile_managed_jwt_cert(self):
         """Ensure managed JWT certificate"""
         from authentik.crypto.models import CertificateKeyPair
 
-        certs = CertificateKeyPair.objects.filter(managed=MANAGED_KEY)
+        cert: Optional[CertificateKeyPair] = CertificateKeyPair.objects.filter(
-        if not certs.exists():
+            managed=MANAGED_KEY
-            self._create_update_cert()
+        ).first()
-            return
-        cert: CertificateKeyPair = certs.first()
         now = datetime.now()
-        if now < cert.certificate.not_valid_before or now > cert.certificate.not_valid_after:
+        if not cert or (
-            self._create_update_cert(cert)
+            now < cert.certificate.not_valid_before or now > cert.certificate.not_valid_after
+        ):
+            self._create_update_cert()
 
     def reconcile_self_signed(self):
         """Create self-signed keypair"""
@@ -61,4 +62,10 @@ class AuthentikCryptoConfig(ManagedAppConfig):
             return
         builder = CertificateBuilder(name)
         builder.build(subject_alt_names=[f"{generate_id()}.self-signed.goauthentik.io"])
-        builder.save()
+        CertificateKeyPair.objects.get_or_create(
+            name=name,
+            defaults={
+                "certificate_data": builder.certificate,
+                "key_data": builder.private_key,
+            },
+        )

authentik/enterprise/models.py

@@ -136,6 +136,9 @@ class LicenseKey:
 
     def record_usage(self):
         """Capture the current validity status and metrics and save them"""
+        threshold = now() - timedelta(hours=8)
+        if LicenseUsage.objects.filter(record_date__gte=threshold).exists():
+            return
         LicenseUsage.objects.create(
             user_count=self.get_default_user_count(),
             external_user_count=self.get_external_user_count(),

authentik/enterprise/settings.py

@@ -6,7 +6,7 @@ from authentik.lib.utils.time import fqdn_rand
 CELERY_BEAT_SCHEDULE = {
     "enterprise_calculate_license": {
         "task": "authentik.enterprise.tasks.calculate_license",
-        "schedule": crontab(minute=fqdn_rand("calculate_license"), hour="*/8"),
+        "schedule": crontab(minute=fqdn_rand("calculate_license"), hour="*/2"),
         "options": {"queue": "authentik_scheduled"},
     }
 }

authentik/enterprise/tasks.py

@@ -6,5 +6,4 @@ from authentik.root.celery import CELERY_APP
 @CELERY_APP.task()
 def calculate_license():
     """Calculate licensing status"""
-    total = LicenseKey.get_total()
+    LicenseKey.get_total().record_usage()
-    total.record_usage()

authentik/events/middleware.py

@@ -27,6 +27,7 @@ from authentik.lib.sentry import before_send
 from authentik.lib.utils.errors import exception_to_string
 from authentik.outposts.models import OutpostServiceConnection
 from authentik.policies.models import Policy, PolicyBindingModel
+from authentik.policies.reputation.models import Reputation
 from authentik.providers.oauth2.models import AccessToken, AuthorizationCode, RefreshToken
 from authentik.providers.scim.models import SCIMGroup, SCIMUser
 from authentik.stages.authenticator_static.models import StaticToken
@@ -52,11 +53,13 @@ IGNORED_MODELS = (
     RefreshToken,
     SCIMUser,
     SCIMGroup,
+    Reputation,
 )
 
 
 def should_log_model(model: Model) -> bool:
     """Return true if operation on `model` should be logged"""
+    # Check for silk by string so this comparison doesn't fail when silk isn't installed
     if model.__module__.startswith("silk"):
         return False
     return model.__class__ not in IGNORED_MODELS
@@ -93,21 +96,30 @@ class AuditMiddleware:
     of models"""
 
     get_response: Callable[[HttpRequest], HttpResponse]
+    anonymous_user: User = None
 
     def __init__(self, get_response: Callable[[HttpRequest], HttpResponse]):
         self.get_response = get_response
 
+    def _ensure_fallback_user(self):
+        """Defer fetching anonymous user until we have to"""
+        if self.anonymous_user:
+            return
+        from guardian.shortcuts import get_anonymous_user
+
+        self.anonymous_user = get_anonymous_user()
+
     def connect(self, request: HttpRequest):
         """Connect signal for automatic logging"""
-        if not hasattr(request, "user"):
+        self._ensure_fallback_user()
-            return
+        user = getattr(request, "user", self.anonymous_user)
-        if not getattr(request.user, "is_authenticated", False):
+        if not user.is_authenticated:
-            return
+            user = self.anonymous_user
         if not hasattr(request, "request_id"):
             return
-        post_save_handler = partial(self.post_save_handler, user=request.user, request=request)
+        post_save_handler = partial(self.post_save_handler, user=user, request=request)
-        pre_delete_handler = partial(self.pre_delete_handler, user=request.user, request=request)
+        pre_delete_handler = partial(self.pre_delete_handler, user=user, request=request)
-        m2m_changed_handler = partial(self.m2m_changed_handler, user=request.user, request=request)
+        m2m_changed_handler = partial(self.m2m_changed_handler, user=user, request=request)
         post_save.connect(
             post_save_handler,
             dispatch_uid=request.request_id,

authentik/events/models.py

@@ -217,6 +217,7 @@ class Event(SerializerModel, ExpiringModel):
                 "path": request.path,
                 "method": request.method,
                 "args": cleanse_dict(QueryDict(request.META.get("QUERY_STRING", ""))),
+                "user_agent": request.META.get("HTTP_USER_AGENT", ""),
             }
             # Special case for events created during flow execution
             # since they keep the http query within a wrapped query

authentik/events/signals.py

@@ -13,6 +13,7 @@ from authentik.events.tasks import event_notification_handler, gdpr_cleanup
 from authentik.flows.models import Stage
 from authentik.flows.planner import PLAN_CONTEXT_SOURCE, FlowPlan
 from authentik.flows.views.executor import SESSION_KEY_PLAN
+from authentik.lib.config import CONFIG
 from authentik.stages.invitation.models import Invitation
 from authentik.stages.invitation.signals import invitation_used
 from authentik.stages.password.stage import PLAN_CONTEXT_METHOD, PLAN_CONTEXT_METHOD_ARGS
@@ -92,4 +93,5 @@ def event_post_save_notification(sender, instance: Event, **_):
 @receiver(pre_delete, sender=User)
 def event_user_pre_delete_cleanup(sender, instance: User, **_):
     """If gdpr_compliance is enabled, remove all the user's events"""
+    if CONFIG.get_bool("gdpr_compliance", True):
         gdpr_cleanup.delay(instance.pk)

authentik/events/tests/test_event.py

@@ -53,7 +53,15 @@ class TestEvents(TestCase):
         """Test plain from_http"""
         event = Event.new("unittest").from_http(self.factory.get("/"))
         self.assertEqual(
-            event.context, {"http_request": {"args": {}, "method": "GET", "path": "/"}}
+            event.context,
+            {
+                "http_request": {
+                    "args": {},
+                    "method": "GET",
+                    "path": "/",
+                    "user_agent": "",
+                }
+            },
         )
 
     def test_from_http_clean_querystring(self):
@@ -67,6 +75,7 @@ class TestEvents(TestCase):
                     "args": {"token": SafeExceptionReporterFilter.cleansed_substitute},
                     "method": "GET",
                     "path": "/",
+                    "user_agent": "",
                 }
             },
         )
@@ -83,6 +92,7 @@ class TestEvents(TestCase):
                     "args": {"token": SafeExceptionReporterFilter.cleansed_substitute},
                     "method": "GET",
                     "path": "/",
+                    "user_agent": "",
                 }
             },
         )

authentik/events/utils.py

@@ -5,12 +5,13 @@ from dataclasses import asdict, is_dataclass
 from datetime import date, datetime, time, timedelta
 from enum import Enum
 from pathlib import Path
-from types import GeneratorType
+from types import GeneratorType, NoneType
 from typing import Any, Optional
 from uuid import UUID
 
 from django.contrib.auth.models import AnonymousUser
 from django.core.handlers.wsgi import WSGIRequest
+from django.core.serializers.json import DjangoJSONEncoder
 from django.db import models
 from django.db.models.base import Model
 from django.http.request import HttpRequest
@@ -153,7 +154,20 @@ def sanitize_item(value: Any) -> Any:
         return value.isoformat()
     if isinstance(value, timedelta):
         return str(value.total_seconds())
+    if callable(value):
+        return {
+            "type": "callable",
+            "name": value.__name__,
+            "module": value.__module__,
+        }
+    # List taken from the stdlib's JSON encoder (_make_iterencode, encoder.py:415)
+    if isinstance(value, (bool, int, float, NoneType, list, tuple, dict)):
         return value
+    try:
+        return DjangoJSONEncoder().default(value)
+    except TypeError:
+        return str(value)
+    return str(value)
 
 
 def sanitize_dict(source: dict[Any, Any]) -> dict[Any, Any]:

authentik/flows/migrations/0027_auto_20231028_1424.py

@@ -0,0 +1,34 @@
+# Generated by Django 4.2.6 on 2023-10-28 14:24
+
+from django.apps.registry import Apps
+from django.db import migrations
+from django.db.backends.base.schema import BaseDatabaseSchemaEditor
+
+
+def set_oobe_flow_authentication(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
+    from guardian.shortcuts import get_anonymous_user
+
+    Flow = apps.get_model("authentik_flows", "Flow")
+    User = apps.get_model("authentik_core", "User")
+
+    db_alias = schema_editor.connection.alias
+
+    users = User.objects.using(db_alias).exclude(username="akadmin")
+    try:
+        users = users.exclude(pk=get_anonymous_user().pk)
+    # pylint: disable=broad-except
+    except Exception:  # nosec
+        pass
+
+    if users.exists():
+        Flow.objects.filter(slug="initial-setup").update(authentication="require_superuser")
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("authentik_flows", "0026_alter_flow_options"),
+    ]
+
+    operations = [
+        migrations.RunPython(set_oobe_flow_authentication),
+    ]

authentik/flows/stage.py

@@ -167,7 +167,11 @@ class ChallengeStageView(StageView):
                 stage_type=self.__class__.__name__, method="get_challenge"
             ).time(),
         ):
+            try:
                 challenge = self.get_challenge(*args, **kwargs)
+            except StageInvalidException as exc:
+                self.logger.debug("Got StageInvalidException", exc=exc)
+                return self.executor.stage_invalid()
         with Hub.current.start_span(
             op="authentik.flow.stage._get_challenge",
             description=self.__class__.__name__,

authentik/outposts/api/outposts.py

@@ -18,7 +18,7 @@ from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import PassiveSerializer, is_dict
 from authentik.core.models import Provider
 from authentik.outposts.api.service_connections import ServiceConnectionSerializer
-from authentik.outposts.apps import MANAGED_OUTPOST
+from authentik.outposts.apps import MANAGED_OUTPOST, MANAGED_OUTPOST_NAME
 from authentik.outposts.models import (
     Outpost,
     OutpostConfig,
@@ -47,6 +47,16 @@ class OutpostSerializer(ModelSerializer):
         source="service_connection", read_only=True
     )
 
+    def validate_name(self, name: str) -> str:
+        """Validate name (especially for embedded outpost)"""
+        if not self.instance:
+            return name
+        if self.instance.managed == MANAGED_OUTPOST and name != MANAGED_OUTPOST_NAME:
+            raise ValidationError("Embedded outpost's name cannot be changed")
+        if self.instance.name == MANAGED_OUTPOST_NAME:
+            self.instance.managed = MANAGED_OUTPOST
+        return name
+
     def validate_providers(self, providers: list[Provider]) -> list[Provider]:
         """Check that all providers match the type of the outpost"""
         type_map = {

authentik/outposts/apps.py

@@ -15,6 +15,7 @@ GAUGE_OUTPOSTS_LAST_UPDATE = Gauge(
     ["outpost", "uid", "version"],
 )
 MANAGED_OUTPOST = "goauthentik.io/outposts/embedded"
+MANAGED_OUTPOST_NAME = "authentik Embedded Outpost"
 
 
 class AuthentikOutpostConfig(ManagedAppConfig):
@@ -35,14 +36,17 @@ class AuthentikOutpostConfig(ManagedAppConfig):
             DockerServiceConnection,
             KubernetesServiceConnection,
             Outpost,
-            OutpostConfig,
             OutpostType,
         )
 
+        if outpost := Outpost.objects.filter(name=MANAGED_OUTPOST_NAME, managed="").first():
+            outpost.managed = MANAGED_OUTPOST
+            outpost.save()
+            return
         outpost, updated = Outpost.objects.update_or_create(
             defaults={
-                "name": "authentik Embedded Outpost",
                 "type": OutpostType.PROXY,
+                "name": MANAGED_OUTPOST_NAME,
             },
             managed=MANAGED_OUTPOST,
         )
@@ -51,10 +55,4 @@ class AuthentikOutpostConfig(ManagedAppConfig):
                 outpost.service_connection = KubernetesServiceConnection.objects.first()
             elif DockerServiceConnection.objects.exists():
                 outpost.service_connection = DockerServiceConnection.objects.first()
-            outpost.config = OutpostConfig(
-                kubernetes_disabled_components=[
-                    "deployment",
-                    "secret",
-                ]
-            )
             outpost.save()

authentik/outposts/controllers/k8s/deployment.py

@@ -43,6 +43,10 @@ class DeploymentReconciler(KubernetesObjectReconciler[V1Deployment]):
         self.api = AppsV1Api(controller.client)
         self.outpost = self.controller.outpost
 
+    @property
+    def noop(self) -> bool:
+        return self.is_embedded
+
     @staticmethod
     def reconciler_name() -> str:
         return "deployment"

authentik/outposts/controllers/k8s/secret.py

@@ -24,6 +24,10 @@ class SecretReconciler(KubernetesObjectReconciler[V1Secret]):
         super().__init__(controller)
         self.api = CoreV1Api(controller.client)
 
+    @property
+    def noop(self) -> bool:
+        return self.is_embedded
+
     @staticmethod
     def reconciler_name() -> str:
         return "secret"

authentik/outposts/controllers/k8s/service_monitor.py

@@ -77,7 +77,10 @@ class PrometheusServiceMonitorReconciler(KubernetesObjectReconciler[PrometheusSe
 
     @property
     def noop(self) -> bool:
-        return (not self._crd_exists()) or (self.is_embedded)
+        if not self._crd_exists():
+            self.logger.debug("CRD doesn't exist")
+            return True
+        return self.is_embedded
 
     def _crd_exists(self) -> bool:
         """Check if the Prometheus ServiceMonitor exists"""

authentik/outposts/models.py

@@ -344,11 +344,21 @@ class Outpost(SerializerModel, ManagedModel):
         user_created = False
         if not user:
             user: User = User.objects.create(username=self.user_identifier)
-            user.set_unusable_password()
             user_created = True
-        user.type = UserTypes.INTERNAL_SERVICE_ACCOUNT
+        attrs = {
-        user.name = f"Outpost {self.name} Service-Account"
+            "type": UserTypes.INTERNAL_SERVICE_ACCOUNT,
-        user.path = USER_PATH_OUTPOSTS
+            "name": f"Outpost {self.name} Service-Account",
+            "path": USER_PATH_OUTPOSTS,
+        }
+        dirty = False
+        for key, value in attrs.items():
+            if getattr(user, key) != value:
+                dirty = True
+                setattr(user, key, value)
+        if user.has_usable_password():
+            user.set_unusable_password()
+            dirty = True
+        if dirty:
             user.save()
         if user_created:
             self.build_user_permissions(user)

authentik/outposts/tests/test_api.py

@@ -2,11 +2,13 @@
 from django.urls import reverse
 from rest_framework.test import APITestCase
 
+from authentik.blueprints.tests import reconcile_app
 from authentik.core.models import PropertyMapping
 from authentik.core.tests.utils import create_test_admin_user, create_test_flow
 from authentik.lib.generators import generate_id
 from authentik.outposts.api.outposts import OutpostSerializer
-from authentik.outposts.models import OutpostType, default_outpost_config
+from authentik.outposts.apps import MANAGED_OUTPOST
+from authentik.outposts.models import Outpost, OutpostType, default_outpost_config
 from authentik.providers.ldap.models import LDAPProvider
 from authentik.providers.proxy.models import ProxyProvider
 
@@ -22,7 +24,36 @@ class TestOutpostServiceConnectionsAPI(APITestCase):
         self.user = create_test_admin_user()
         self.client.force_login(self.user)
 
-    def test_outpost_validaton(self):
+    @reconcile_app("authentik_outposts")
+    def test_managed_name_change(self):
+        """Test name change for embedded outpost"""
+        embedded_outpost = Outpost.objects.filter(managed=MANAGED_OUTPOST).first()
+        self.assertIsNotNone(embedded_outpost)
+        response = self.client.patch(
+            reverse("authentik_api:outpost-detail", kwargs={"pk": embedded_outpost.pk}),
+            {"name": "foo"},
+        )
+        self.assertEqual(response.status_code, 400)
+        self.assertJSONEqual(
+            response.content, {"name": ["Embedded outpost's name cannot be changed"]}
+        )
+
+    @reconcile_app("authentik_outposts")
+    def test_managed_without_managed(self):
+        """Test name change for embedded outpost"""
+        embedded_outpost = Outpost.objects.filter(managed=MANAGED_OUTPOST).first()
+        self.assertIsNotNone(embedded_outpost)
+        embedded_outpost.managed = ""
+        embedded_outpost.save()
+        response = self.client.patch(
+            reverse("authentik_api:outpost-detail", kwargs={"pk": embedded_outpost.pk}),
+            {"name": "foo"},
+        )
+        self.assertEqual(response.status_code, 200)
+        embedded_outpost.refresh_from_db()
+        self.assertEqual(embedded_outpost.managed, MANAGED_OUTPOST)
+
+    def test_outpost_validation(self):
         """Test Outpost validation"""
         valid = OutpostSerializer(
             data={

authentik/providers/oauth2/migrations/0017_accesstoken_session_id_authorizationcode_session_id_and_more.py

@@ -0,0 +1,27 @@
+# Generated by Django 5.0 on 2023-12-22 23:20
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("authentik_providers_oauth2", "0016_alter_refreshtoken_token"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="accesstoken",
+            name="session_id",
+            field=models.CharField(blank=True, default=""),
+        ),
+        migrations.AddField(
+            model_name="authorizationcode",
+            name="session_id",
+            field=models.CharField(blank=True, default=""),
+        ),
+        migrations.AddField(
+            model_name="refreshtoken",
+            name="session_id",
+            field=models.CharField(blank=True, default=""),
+        ),
+    ]

authentik/providers/oauth2/models.py

@@ -296,6 +296,7 @@ class BaseGrantModel(models.Model):
     revoked = models.BooleanField(default=False)
     _scope = models.TextField(default="", verbose_name=_("Scopes"))
     auth_time = models.DateTimeField(verbose_name="Authentication time")
+    session_id = models.CharField(default="", blank=True)
 
     @property
     def scope(self) -> list[str]:

authentik/providers/oauth2/tests/test_authorize.py

@@ -85,6 +85,25 @@ class TestAuthorize(OAuthTestCase):
             )
             OAuthAuthorizationParams.from_request(request)
 
+    def test_blocked_redirect_uri(self):
+        """test missing/invalid redirect URI"""
+        OAuth2Provider.objects.create(
+            name=generate_id(),
+            client_id="test",
+            authorization_flow=create_test_flow(),
+            redirect_uris="data:local.invalid",
+        )
+        with self.assertRaises(RedirectUriError):
+            request = self.factory.get(
+                "/",
+                data={
+                    "response_type": "code",
+                    "client_id": "test",
+                    "redirect_uri": "data:localhost",
+                },
+            )
+            OAuthAuthorizationParams.from_request(request)
+
     def test_invalid_redirect_uri_empty(self):
         """test missing/invalid redirect URI"""
         provider = OAuth2Provider.objects.create(

authentik/providers/oauth2/tests/test_token_pkce.py

@@ -0,0 +1,187 @@
+"""Test token view"""
+from base64 import b64encode, urlsafe_b64encode
+from hashlib import sha256
+
+from django.test import RequestFactory
+from django.urls import reverse
+
+from authentik.core.models import Application
+from authentik.core.tests.utils import create_test_admin_user, create_test_flow
+from authentik.flows.challenge import ChallengeTypes
+from authentik.lib.generators import generate_id
+from authentik.providers.oauth2.constants import GRANT_TYPE_AUTHORIZATION_CODE
+from authentik.providers.oauth2.models import AuthorizationCode, OAuth2Provider
+from authentik.providers.oauth2.tests.utils import OAuthTestCase
+
+
+class TestTokenPKCE(OAuthTestCase):
+    """Test token view"""
+
+    def setUp(self) -> None:
+        super().setUp()
+        self.factory = RequestFactory()
+        self.app = Application.objects.create(name=generate_id(), slug="test")
+
+    def test_pkce_missing_in_token(self):
+        """Test full with pkce"""
+        flow = create_test_flow()
+        provider = OAuth2Provider.objects.create(
+            name=generate_id(),
+            client_id="test",
+            authorization_flow=flow,
+            redirect_uris="foo://localhost",
+            access_code_validity="seconds=100",
+        )
+        Application.objects.create(name="app", slug="app", provider=provider)
+        state = generate_id()
+        user = create_test_admin_user()
+        self.client.force_login(user)
+        challenge = generate_id()
+        header = b64encode(f"{provider.client_id}:{provider.client_secret}".encode()).decode()
+        # Step 1, initiate params and get redirect to flow
+        self.client.get(
+            reverse("authentik_providers_oauth2:authorize"),
+            data={
+                "response_type": "code",
+                "client_id": "test",
+                "state": state,
+                "redirect_uri": "foo://localhost",
+                "code_challenge": challenge,
+                "code_challenge_method": "S256",
+            },
+        )
+        response = self.client.get(
+            reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
+        )
+        code: AuthorizationCode = AuthorizationCode.objects.filter(user=user).first()
+        self.assertJSONEqual(
+            response.content.decode(),
+            {
+                "component": "xak-flow-redirect",
+                "type": ChallengeTypes.REDIRECT.value,
+                "to": f"foo://localhost?code={code.code}&state={state}",
+            },
+        )
+        response = self.client.post(
+            reverse("authentik_providers_oauth2:token"),
+            data={
+                "grant_type": GRANT_TYPE_AUTHORIZATION_CODE,
+                "code": code.code,
+                # Missing the code_verifier here
+                "redirect_uri": "foo://localhost",
+            },
+            HTTP_AUTHORIZATION=f"Basic {header}",
+        )
+        self.assertJSONEqual(
+            response.content,
+            {"error": "invalid_request", "error_description": "The request is otherwise malformed"},
+        )
+        self.assertEqual(response.status_code, 400)
+
+    def test_pkce_correct_s256(self):
+        """Test full with pkce"""
+        flow = create_test_flow()
+        provider = OAuth2Provider.objects.create(
+            name=generate_id(),
+            client_id="test",
+            authorization_flow=flow,
+            redirect_uris="foo://localhost",
+            access_code_validity="seconds=100",
+        )
+        Application.objects.create(name="app", slug="app", provider=provider)
+        state = generate_id()
+        user = create_test_admin_user()
+        self.client.force_login(user)
+        verifier = generate_id()
+        challenge = (
+            urlsafe_b64encode(sha256(verifier.encode("ascii")).digest())
+            .decode("utf-8")
+            .replace("=", "")
+        )
+        header = b64encode(f"{provider.client_id}:{provider.client_secret}".encode()).decode()
+        # Step 1, initiate params and get redirect to flow
+        self.client.get(
+            reverse("authentik_providers_oauth2:authorize"),
+            data={
+                "response_type": "code",
+                "client_id": "test",
+                "state": state,
+                "redirect_uri": "foo://localhost",
+                "code_challenge": challenge,
+                "code_challenge_method": "S256",
+            },
+        )
+        response = self.client.get(
+            reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
+        )
+        code: AuthorizationCode = AuthorizationCode.objects.filter(user=user).first()
+        self.assertJSONEqual(
+            response.content.decode(),
+            {
+                "component": "xak-flow-redirect",
+                "type": ChallengeTypes.REDIRECT.value,
+                "to": f"foo://localhost?code={code.code}&state={state}",
+            },
+        )
+        response = self.client.post(
+            reverse("authentik_providers_oauth2:token"),
+            data={
+                "grant_type": GRANT_TYPE_AUTHORIZATION_CODE,
+                "code": code.code,
+                "code_verifier": verifier,
+                "redirect_uri": "foo://localhost",
+            },
+            HTTP_AUTHORIZATION=f"Basic {header}",
+        )
+        self.assertEqual(response.status_code, 200)
+
+    def test_pkce_correct_plain(self):
+        """Test full with pkce"""
+        flow = create_test_flow()
+        provider = OAuth2Provider.objects.create(
+            name=generate_id(),
+            client_id="test",
+            authorization_flow=flow,
+            redirect_uris="foo://localhost",
+            access_code_validity="seconds=100",
+        )
+        Application.objects.create(name="app", slug="app", provider=provider)
+        state = generate_id()
+        user = create_test_admin_user()
+        self.client.force_login(user)
+        verifier = generate_id()
+        header = b64encode(f"{provider.client_id}:{provider.client_secret}".encode()).decode()
+        # Step 1, initiate params and get redirect to flow
+        self.client.get(
+            reverse("authentik_providers_oauth2:authorize"),
+            data={
+                "response_type": "code",
+                "client_id": "test",
+                "state": state,
+                "redirect_uri": "foo://localhost",
+                "code_challenge": verifier,
+            },
+        )
+        response = self.client.get(
+            reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
+        )
+        code: AuthorizationCode = AuthorizationCode.objects.filter(user=user).first()
+        self.assertJSONEqual(
+            response.content.decode(),
+            {
+                "component": "xak-flow-redirect",
+                "type": ChallengeTypes.REDIRECT.value,
+                "to": f"foo://localhost?code={code.code}&state={state}",
+            },
+        )
+        response = self.client.post(
+            reverse("authentik_providers_oauth2:token"),
+            data={
+                "grant_type": GRANT_TYPE_AUTHORIZATION_CODE,
+                "code": code.code,
+                "code_verifier": verifier,
+                "redirect_uri": "foo://localhost",
+            },
+            HTTP_AUTHORIZATION=f"Basic {header}",
+        )
+        self.assertEqual(response.status_code, 200)

authentik/providers/oauth2/utils.py

@@ -188,6 +188,7 @@ def authenticate_provider(request: HttpRequest) -> Optional[OAuth2Provider]:
     if client_id != provider.client_id or client_secret != provider.client_secret:
         LOGGER.debug("(basic) Provider for basic auth does not exist")
         return None
+    CTX_AUTH_VIA.set("oauth_client_secret")
     return provider
 
 

authentik/providers/oauth2/views/authorize.py

@@ -1,6 +1,7 @@
 """authentik OAuth2 Authorization views"""
 from dataclasses import dataclass, field
 from datetime import timedelta
+from hashlib import sha256
 from json import dumps
 from re import error as RegexError
 from re import fullmatch
@@ -74,6 +75,7 @@ PLAN_CONTEXT_PARAMS = "goauthentik.io/providers/oauth2/params"
 SESSION_KEY_LAST_LOGIN_UID = "authentik/providers/oauth2/last_login_uid"
 
 ALLOWED_PROMPT_PARAMS = {PROMPT_NONE, PROMPT_CONSENT, PROMPT_LOGIN}
+FORBIDDEN_URI_SCHEMES = {"javascript", "data", "vbscript"}
 
 
 @dataclass(slots=True)
@@ -174,6 +176,10 @@ class OAuthAuthorizationParams:
         self.check_scope()
         self.check_nonce()
         self.check_code_challenge()
+        if self.request:
+            raise AuthorizeError(
+                self.redirect_uri, "request_not_supported", self.grant_type, self.state
+            )
 
     def check_redirect_uri(self):
         """Redirect URI validation."""
@@ -211,10 +217,9 @@ class OAuthAuthorizationParams:
                     expected=allowed_redirect_urls,
                 )
                 raise RedirectUriError(self.redirect_uri, allowed_redirect_urls)
-        if self.request:
+        # Check against forbidden schemes
-            raise AuthorizeError(
+        if urlparse(self.redirect_uri).scheme in FORBIDDEN_URI_SCHEMES:
-                self.redirect_uri, "request_not_supported", self.grant_type, self.state
+            raise RedirectUriError(self.redirect_uri, allowed_redirect_urls)
-            )
 
     def check_scope(self):
         """Ensure openid scope is set in Hybrid flows, or when requesting an id_token"""
@@ -282,6 +287,7 @@ class OAuthAuthorizationParams:
             expires=now + timedelta_from_string(self.provider.access_code_validity),
             scope=self.scope,
             nonce=self.nonce,
+            session_id=sha256(request.session.session_key.encode("ascii")).hexdigest(),
         )
 
         if self.code_challenge and self.code_challenge_method:
@@ -569,6 +575,7 @@ class OAuthFulfillmentStage(StageView):
             expires=access_token_expiry,
             provider=self.provider,
             auth_time=auth_event.created if auth_event else now,
+            session_id=sha256(self.request.session.session_key.encode("ascii")).hexdigest(),
         )
 
         id_token = IDToken.new(self.provider, token, self.request)

authentik/providers/oauth2/views/token.py

@@ -6,6 +6,7 @@ from hashlib import sha256
 from re import error as RegexError
 from re import fullmatch
 from typing import Any, Optional
+from urllib.parse import urlparse
 
 from django.http import HttpRequest, HttpResponse
 from django.utils import timezone
@@ -17,6 +18,7 @@ from jwt import PyJWK, PyJWT, PyJWTError, decode
 from sentry_sdk.hub import Hub
 from structlog.stdlib import get_logger
 
+from authentik.core.middleware import CTX_AUTH_VIA
 from authentik.core.models import (
     USER_ATTRIBUTE_EXPIRES,
     USER_ATTRIBUTE_GENERATED,
@@ -53,6 +55,7 @@ from authentik.providers.oauth2.models import (
     RefreshToken,
 )
 from authentik.providers.oauth2.utils import TokenResponse, cors_allow, extract_client_auth
+from authentik.providers.oauth2.views.authorize import FORBIDDEN_URI_SCHEMES
 from authentik.sources.oauth.models import OAuthSource
 from authentik.stages.password.stage import PLAN_CONTEXT_METHOD, PLAN_CONTEXT_METHOD_ARGS
 
@@ -204,6 +207,10 @@ class TokenParams:
                 ).from_http(request)
                 raise TokenError("invalid_client")
 
+        # Check against forbidden schemes
+        if urlparse(self.redirect_uri).scheme in FORBIDDEN_URI_SCHEMES:
+            raise TokenError("invalid_request")
+
         self.authorization_code = AuthorizationCode.objects.filter(code=raw_code).first()
         if not self.authorization_code:
             LOGGER.warning("Code does not exist", code=raw_code)
@@ -221,7 +228,10 @@ class TokenParams:
             raise TokenError("invalid_grant")
 
         # Validate PKCE parameters.
-        if self.code_verifier:
+        if self.authorization_code.code_challenge:
+            # Authorization code had PKCE but we didn't get one
+            if not self.code_verifier:
+                raise TokenError("invalid_request")
             if self.authorization_code.code_challenge_method == PKCE_METHOD_S256:
                 new_code_challenge = (
                     urlsafe_b64encode(sha256(self.code_verifier.encode("ascii")).digest())
@@ -448,6 +458,7 @@ class TokenView(View):
                 if not self.provider:
                     LOGGER.warning("OAuth2Provider does not exist", client_id=client_id)
                     raise TokenError("invalid_client")
+                CTX_AUTH_VIA.set("oauth_client_secret")
                 self.params = TokenParams.parse(request, self.provider, client_id, client_secret)
 
             with Hub.current.start_span(
@@ -482,6 +493,7 @@ class TokenView(View):
             # Keep same scopes as previous token
             scope=self.params.authorization_code.scope,
             auth_time=self.params.authorization_code.auth_time,
+            session_id=self.params.authorization_code.session_id,
         )
         access_token.id_token = IDToken.new(
             self.provider,
@@ -497,6 +509,7 @@ class TokenView(View):
             expires=refresh_token_expiry,
             provider=self.provider,
             auth_time=self.params.authorization_code.auth_time,
+            session_id=self.params.authorization_code.session_id,
         )
         id_token = IDToken.new(
             self.provider,
@@ -534,6 +547,7 @@ class TokenView(View):
             # Keep same scopes as previous token
             scope=self.params.refresh_token.scope,
             auth_time=self.params.refresh_token.auth_time,
+            session_id=self.params.refresh_token.session_id,
         )
         access_token.id_token = IDToken.new(
             self.provider,
@@ -549,6 +563,7 @@ class TokenView(View):
             expires=refresh_token_expiry,
             provider=self.provider,
             auth_time=self.params.refresh_token.auth_time,
+            session_id=self.params.refresh_token.session_id,
         )
         id_token = IDToken.new(
             self.provider,

authentik/providers/proxy/tasks.py

@@ -1,4 +1,6 @@
 """proxy provider tasks"""
+from hashlib import sha256
+
 from asgiref.sync import async_to_sync
 from channels.layers import get_channel_layer
 from django.db import DatabaseError, InternalError, ProgrammingError
@@ -23,6 +25,7 @@ def proxy_set_defaults():
 def proxy_on_logout(session_id: str):
     """Update outpost instances connected to a single outpost"""
     layer = get_channel_layer()
+    hashed_session_id = sha256(session_id.encode("ascii")).hexdigest()
     for outpost in Outpost.objects.filter(type=OutpostType.PROXY):
         group = OUTPOST_GROUP % {"outpost_pk": str(outpost.pk)}
         async_to_sync(layer.group_send)(
@@ -30,6 +33,6 @@ def proxy_on_logout(session_id: str):
             {
                 "type": "event.provider.specific",
                 "sub_type": "logout",
-                "session_id": session_id,
+                "session_id": hashed_session_id,
             },
         )

authentik/providers/radius/api.py

@@ -21,6 +21,7 @@ class RadiusProviderSerializer(ProviderSerializer):
             # an admin might have to view it
             "shared_secret",
             "outpost_set",
+            "mfa_support",
         ]
         extra_kwargs = ProviderSerializer.Meta.extra_kwargs
 
@@ -55,6 +56,7 @@ class RadiusOutpostConfigSerializer(ModelSerializer):
             "auth_flow_slug",
             "client_networks",
             "shared_secret",
+            "mfa_support",
         ]
 
 

authentik/providers/radius/migrations/0002_radiusprovider_mfa_support.py

@@ -0,0 +1,21 @@
+# Generated by Django 4.2.6 on 2023-10-18 15:09
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("authentik_providers_radius", "0001_initial"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="radiusprovider",
+            name="mfa_support",
+            field=models.BooleanField(
+                default=True,
+                help_text="When enabled, code-based multi-factor authentication can be used by appending a semicolon and the TOTP code to the password. This should only be enabled if all users that will bind to this provider have a TOTP device configured, as otherwise a password may incorrectly be rejected if it contains a semicolon.",
+                verbose_name="MFA Support",
+            ),
+        ),
+    ]

authentik/providers/radius/models.py

@@ -27,6 +27,17 @@ class RadiusProvider(OutpostModel, Provider):
         ),
     )
 
+    mfa_support = models.BooleanField(
+        default=True,
+        verbose_name="MFA Support",
+        help_text=_(
+            "When enabled, code-based multi-factor authentication can be used by appending a "
+            "semicolon and the TOTP code to the password. This should only be enabled if all "
+            "users that will bind to this provider have a TOTP device configured, as otherwise "
+            "a password may incorrectly be rejected if it contains a semicolon."
+        ),
+    )
+
     @property
     def launch_url(self) -> Optional[str]:
         """Radius never has a launch URL"""

authentik/providers/scim/clients/group.py

@@ -46,7 +46,9 @@ class SCIMGroupClient(SCIMClient[Group, SCIMGroupSchema]):
 
     def to_scim(self, obj: Group) -> SCIMGroupSchema:
         """Convert authentik user into SCIM"""
-        raw_scim_group = {}
+        raw_scim_group = {
+            "schemas": ("urn:ietf:params:scim:schemas:core:2.0:Group",),
+        }
         for mapping in (
             self.provider.property_mappings_group.all().order_by("name").select_subclasses()
         ):

authentik/providers/scim/clients/schema.py

@@ -15,12 +15,14 @@ from pydanticscim.user import User as BaseUser
 class User(BaseUser):
     """Modified User schema with added externalId field"""
 
+    schemas: tuple[str] = ("urn:ietf:params:scim:schemas:core:2.0:User",)
     externalId: Optional[str] = None
 
 
 class Group(BaseGroup):
     """Modified Group schema with added externalId field"""
 
+    schemas: tuple[str] = ("urn:ietf:params:scim:schemas:core:2.0:Group",)
     externalId: Optional[str] = None
 
 

authentik/providers/scim/clients/user.py

@@ -39,7 +39,9 @@ class SCIMUserClient(SCIMClient[User, SCIMUserSchema]):
 
     def to_scim(self, obj: User) -> SCIMUserSchema:
         """Convert authentik user into SCIM"""
-        raw_scim_user = {}
+        raw_scim_user = {
+            "schemas": ("urn:ietf:params:scim:schemas:core:2.0:User",),
+        }
         for mapping in self.provider.property_mappings.all().order_by("name").select_subclasses():
             if not isinstance(mapping, SCIMMapping):
                 continue

authentik/providers/scim/tests/test_group.py

@@ -61,7 +61,11 @@ class SCIMGroupTests(TestCase):
         self.assertEqual(mock.request_history[1].method, "POST")
         self.assertJSONEqual(
             mock.request_history[1].body,
-            {"externalId": str(group.pk), "displayName": group.name},
+            {
+                "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
+                "externalId": str(group.pk),
+                "displayName": group.name,
+            },
         )
 
     @Mocker()
@@ -96,7 +100,11 @@ class SCIMGroupTests(TestCase):
             validate(body, loads(schema.read()))
         self.assertEqual(
             body,
-            {"externalId": str(group.pk), "displayName": group.name},
+            {
+                "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
+                "externalId": str(group.pk),
+                "displayName": group.name,
+            },
         )
         group.save()
         self.assertEqual(mock.call_count, 4)
@@ -129,7 +137,11 @@ class SCIMGroupTests(TestCase):
         self.assertEqual(mock.request_history[1].method, "POST")
         self.assertJSONEqual(
             mock.request_history[1].body,
-            {"externalId": str(group.pk), "displayName": group.name},
+            {
+                "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
+                "externalId": str(group.pk),
+                "displayName": group.name,
+            },
         )
         group.delete()
         self.assertEqual(mock.call_count, 4)

authentik/providers/scim/tests/test_membership.py

@@ -89,6 +89,7 @@ class SCIMMembershipTests(TestCase):
             self.assertJSONEqual(
                 mocker.request_history[3].body,
                 {
+                    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
                     "emails": [],
                     "active": True,
                     "externalId": user.uid,
@@ -99,7 +100,11 @@ class SCIMMembershipTests(TestCase):
             )
             self.assertJSONEqual(
                 mocker.request_history[5].body,
-                {"externalId": str(group.pk), "displayName": group.name},
+                {
+                    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
+                    "externalId": str(group.pk),
+                    "displayName": group.name,
+                },
             )
 
         with Mocker() as mocker:
@@ -118,6 +123,7 @@ class SCIMMembershipTests(TestCase):
             self.assertJSONEqual(
                 mocker.request_history[1].body,
                 {
+                    "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
                     "Operations": [
                         {
                             "op": "add",
@@ -125,7 +131,6 @@ class SCIMMembershipTests(TestCase):
                             "value": [{"value": user_scim_id}],
                         }
                     ],
-                    "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
                 },
             )
 
@@ -174,6 +179,7 @@ class SCIMMembershipTests(TestCase):
             self.assertJSONEqual(
                 mocker.request_history[3].body,
                 {
+                    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
                     "active": True,
                     "displayName": "",
                     "emails": [],
@@ -184,7 +190,11 @@ class SCIMMembershipTests(TestCase):
             )
             self.assertJSONEqual(
                 mocker.request_history[5].body,
-                {"externalId": str(group.pk), "displayName": group.name},
+                {
+                    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
+                    "externalId": str(group.pk),
+                    "displayName": group.name,
+                },
             )
 
         with Mocker() as mocker:
@@ -203,6 +213,7 @@ class SCIMMembershipTests(TestCase):
             self.assertJSONEqual(
                 mocker.request_history[1].body,
                 {
+                    "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
                     "Operations": [
                         {
                             "op": "add",
@@ -210,7 +221,6 @@ class SCIMMembershipTests(TestCase):
                             "value": [{"value": user_scim_id}],
                         }
                     ],
-                    "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
                 },
             )
 
@@ -230,6 +240,7 @@ class SCIMMembershipTests(TestCase):
             self.assertJSONEqual(
                 mocker.request_history[1].body,
                 {
+                    "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
                     "Operations": [
                         {
                             "op": "remove",
@@ -237,6 +248,5 @@ class SCIMMembershipTests(TestCase):
                             "value": [{"value": user_scim_id}],
                         }
                     ],
-                    "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
                 },
             )

authentik/providers/scim/tests/test_user.py

@@ -57,7 +57,7 @@ class SCIMUserTests(TestCase):
         uid = generate_id()
         user = User.objects.create(
             username=uid,
-            name=uid,
+            name=f"{uid} {uid}",
             email=f"{uid}@goauthentik.io",
         )
         self.assertEqual(mock.call_count, 2)
@@ -66,6 +66,7 @@ class SCIMUserTests(TestCase):
         self.assertJSONEqual(
             mock.request_history[1].body,
             {
+                "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
                 "active": True,
                 "emails": [
                     {
@@ -76,11 +77,11 @@ class SCIMUserTests(TestCase):
                 ],
                 "externalId": user.uid,
                 "name": {
-                    "familyName": "",
+                    "familyName": uid,
-                    "formatted": uid,
+                    "formatted": f"{uid} {uid}",
                     "givenName": uid,
                 },
-                "displayName": uid,
+                "displayName": f"{uid} {uid}",
                 "userName": uid,
             },
         )
@@ -109,7 +110,7 @@ class SCIMUserTests(TestCase):
         uid = generate_id()
         user = User.objects.create(
             username=uid,
-            name=uid,
+            name=f"{uid} {uid}",
             email=f"{uid}@goauthentik.io",
         )
         self.assertEqual(mock.call_count, 2)
@@ -121,6 +122,7 @@ class SCIMUserTests(TestCase):
         self.assertEqual(
             body,
             {
+                "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
                 "active": True,
                 "emails": [
                     {
@@ -129,11 +131,11 @@ class SCIMUserTests(TestCase):
                         "value": f"{uid}@goauthentik.io",
                     }
                 ],
-                "displayName": uid,
+                "displayName": f"{uid} {uid}",
                 "externalId": user.uid,
                 "name": {
-                    "familyName": "",
+                    "familyName": uid,
-                    "formatted": uid,
+                    "formatted": f"{uid} {uid}",
                     "givenName": uid,
                 },
                 "userName": uid,
@@ -164,7 +166,7 @@ class SCIMUserTests(TestCase):
         uid = generate_id()
         user = User.objects.create(
             username=uid,
-            name=uid,
+            name=f"{uid} {uid}",
             email=f"{uid}@goauthentik.io",
         )
         self.assertEqual(mock.call_count, 2)
@@ -173,6 +175,7 @@ class SCIMUserTests(TestCase):
         self.assertJSONEqual(
             mock.request_history[1].body,
             {
+                "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
                 "active": True,
                 "emails": [
                     {
@@ -183,11 +186,11 @@ class SCIMUserTests(TestCase):
                 ],
                 "externalId": user.uid,
                 "name": {
-                    "familyName": "",
+                    "familyName": uid,
-                    "formatted": uid,
+                    "formatted": f"{uid} {uid}",
                     "givenName": uid,
                 },
-                "displayName": uid,
+                "displayName": f"{uid} {uid}",
                 "userName": uid,
             },
         )
@@ -227,7 +230,7 @@ class SCIMUserTests(TestCase):
         )
         user = User.objects.create(
             username=uid,
-            name=uid,
+            name=f"{uid} {uid}",
             email=f"{uid}@goauthentik.io",
         )
 
@@ -240,6 +243,7 @@ class SCIMUserTests(TestCase):
         self.assertJSONEqual(
             mock.request_history[1].body,
             {
+                "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
                 "active": True,
                 "emails": [
                     {
@@ -250,11 +254,11 @@ class SCIMUserTests(TestCase):
                 ],
                 "externalId": user.uid,
                 "name": {
-                    "familyName": "",
+                    "familyName": uid,
-                    "formatted": uid,
+                    "formatted": f"{uid} {uid}",
                     "givenName": uid,
                 },
-                "displayName": uid,
+                "displayName": f"{uid} {uid}",
                 "userName": uid,
             },
         )

authentik/rbac/api/rbac.py

@@ -32,13 +32,19 @@ class PermissionSerializer(ModelSerializer):
 
     def get_app_label_verbose(self, instance: Permission) -> str:
         """Human-readable app label"""
+        try:
             return apps.get_app_config(instance.content_type.app_label).verbose_name
+        except LookupError:
+            return f"{instance.content_type.app_label}.{instance.content_type.model}"
 
     def get_model_verbose(self, instance: Permission) -> str:
         """Human-readable model name"""
+        try:
             return apps.get_model(
                 instance.content_type.app_label, instance.content_type.model
             )._meta.verbose_name
+        except LookupError:
+            return f"{instance.content_type.app_label}.{instance.content_type.model}"
 
     class Meta:
         model = Permission

authentik/rbac/api/rbac_roles.py

@@ -24,13 +24,19 @@ class ExtraRoleObjectPermissionSerializer(RoleObjectPermissionSerializer):
 
     def get_app_label_verbose(self, instance: GroupObjectPermission) -> str:
         """Get app label from permission's model"""
+        try:
             return apps.get_app_config(instance.content_type.app_label).verbose_name
+        except LookupError:
+            return instance.content_type.app_label
 
     def get_model_verbose(self, instance: GroupObjectPermission) -> str:
         """Get model label from permission's model"""
+        try:
             return apps.get_model(
                 instance.content_type.app_label, instance.content_type.model
             )._meta.verbose_name
+        except LookupError:
+            return f"{instance.content_type.app_label}.{instance.content_type.model}"
 
     def get_object_description(self, instance: GroupObjectPermission) -> Optional[str]:
         """Get model description from attached model. This operation takes at least
@@ -38,7 +44,10 @@ class ExtraRoleObjectPermissionSerializer(RoleObjectPermissionSerializer):
         view_ permission on the object"""
         app_label = instance.content_type.app_label
         model = instance.content_type.model
+        try:
             model_class = apps.get_model(app_label, model)
+        except LookupError:
+            return None
         objects = get_objects_for_group(instance.group, f"{app_label}.view_{model}", model_class)
         obj = objects.first()
         if not obj:

authentik/rbac/api/rbac_users.py

@@ -24,13 +24,19 @@ class ExtraUserObjectPermissionSerializer(UserObjectPermissionSerializer):
 
     def get_app_label_verbose(self, instance: UserObjectPermission) -> str:
         """Get app label from permission's model"""
+        try:
             return apps.get_app_config(instance.content_type.app_label).verbose_name
+        except LookupError:
+            return instance.content_type.app_label
 
     def get_model_verbose(self, instance: UserObjectPermission) -> str:
         """Get model label from permission's model"""
+        try:
             return apps.get_model(
                 instance.content_type.app_label, instance.content_type.model
             )._meta.verbose_name
+        except LookupError:
+            return f"{instance.content_type.app_label}.{instance.content_type.model}"
 
     def get_object_description(self, instance: UserObjectPermission) -> Optional[str]:
         """Get model description from attached model. This operation takes at least
@@ -38,7 +44,10 @@ class ExtraUserObjectPermissionSerializer(UserObjectPermissionSerializer):
         view_ permission on the object"""
         app_label = instance.content_type.app_label
         model = instance.content_type.model
+        try:
             model_class = apps.get_model(app_label, model)
+        except LookupError:
+            return None
         objects = get_objects_for_user(instance.user, f"{app_label}.view_{model}", model_class)
         obj = objects.first()
         if not obj:

authentik/sources/oauth/api/source.py

@@ -30,6 +30,8 @@ class SourceTypeSerializer(PassiveSerializer):
     authorization_url = CharField(read_only=True, allow_null=True)
     access_token_url = CharField(read_only=True, allow_null=True)
     profile_url = CharField(read_only=True, allow_null=True)
+    oidc_well_known_url = CharField(read_only=True, allow_null=True)
+    oidc_jwks_url = CharField(read_only=True, allow_null=True)
 
 
 class OAuthSourceSerializer(SourceSerializer):
@@ -52,11 +54,15 @@ class OAuthSourceSerializer(SourceSerializer):
     @extend_schema_field(SourceTypeSerializer)
     def get_type(self, instance: OAuthSource) -> SourceTypeSerializer:
         """Get source's type configuration"""
-        return SourceTypeSerializer(instance.type).data
+        return SourceTypeSerializer(instance.source_type).data
 
     def validate(self, attrs: dict) -> dict:
         session = get_http_session()
-        well_known = attrs.get("oidc_well_known_url")
+        source_type = registry.find_type(attrs["provider_type"])
+
+        well_known = attrs.get("oidc_well_known_url") or source_type.oidc_well_known_url
+        inferred_oidc_jwks_url = None
+
         if well_known and well_known != "":
             try:
                 well_known_config = session.get(well_known)
@@ -65,24 +71,23 @@ class OAuthSourceSerializer(SourceSerializer):
                 text = exc.response.text if exc.response else str(exc)
                 raise ValidationError({"oidc_well_known_url": text})
             config = well_known_config.json()
-            try:
+            if "issuer" not in config:
-                attrs["authorization_url"] = config["authorization_endpoint"]
+                raise ValidationError({"oidc_well_known_url": "Invalid well-known configuration"})
-                attrs["access_token_url"] = config["token_endpoint"]
+            attrs["authorization_url"] = config.get("authorization_endpoint", "")
-                attrs["profile_url"] = config["userinfo_endpoint"]
+            attrs["access_token_url"] = config.get("token_endpoint", "")
-                attrs["oidc_jwks_url"] = config["jwks_uri"]
+            attrs["profile_url"] = config.get("userinfo_endpoint", "")
-            except (IndexError, KeyError) as exc:
+            inferred_oidc_jwks_url = config.get("jwks_uri", "")
-                raise ValidationError(
-                    {"oidc_well_known_url": f"Invalid well-known configuration: {exc}"}
-                )
 
-        jwks_url = attrs.get("oidc_jwks_url")
+        # Prefer user-entered URL to inferred URL to default URL
+        jwks_url = attrs.get("oidc_jwks_url") or inferred_oidc_jwks_url or source_type.oidc_jwks_url
         if jwks_url and jwks_url != "":
+            attrs["oidc_jwks_url"] = jwks_url
             try:
                 jwks_config = session.get(jwks_url)
                 jwks_config.raise_for_status()
             except RequestException as exc:
                 text = exc.response.text if exc.response else str(exc)
-                raise ValidationError({"jwks_url": text})
+                raise ValidationError({"oidc_jwks_url": text})
             config = jwks_config.json()
             attrs["oidc_jwks"] = config
 

authentik/sources/oauth/clients/base.py

@@ -36,8 +36,8 @@ class BaseOAuthClient:
 
     def get_profile_info(self, token: dict[str, str]) -> Optional[dict[str, Any]]:
         """Fetch user profile information."""
-        profile_url = self.source.type.profile_url or ""
+        profile_url = self.source.source_type.profile_url or ""
-        if self.source.type.urls_customizable and self.source.profile_url:
+        if self.source.source_type.urls_customizable and self.source.profile_url:
             profile_url = self.source.profile_url
         response = self.do_request("get", profile_url, token=token)
         try:
@@ -57,8 +57,8 @@ class BaseOAuthClient:
 
     def get_redirect_url(self, parameters=None):
         """Build authentication redirect url."""
-        authorization_url = self.source.type.authorization_url or ""
+        authorization_url = self.source.source_type.authorization_url or ""
-        if self.source.type.urls_customizable and self.source.authorization_url:
+        if self.source.source_type.urls_customizable and self.source.authorization_url:
             authorization_url = self.source.authorization_url
         if authorization_url == "":
             Event.new(

authentik/sources/oauth/clients/oauth1.py

@@ -28,8 +28,8 @@ class OAuthClient(BaseOAuthClient):
         if raw_token is not None and verifier is not None:
             token = self.parse_raw_token(raw_token)
             try:
-                access_token_url = self.source.type.access_token_url or ""
+                access_token_url = self.source.source_type.access_token_url or ""
-                if self.source.type.urls_customizable and self.source.access_token_url:
+                if self.source.source_type.urls_customizable and self.source.access_token_url:
                     access_token_url = self.source.access_token_url
                 response = self.do_request(
                     "post",
@@ -54,8 +54,8 @@ class OAuthClient(BaseOAuthClient):
         """Fetch the OAuth request token. Only required for OAuth 1.0."""
         callback = self.request.build_absolute_uri(self.callback)
         try:
-            request_token_url = self.source.type.request_token_url or ""
+            request_token_url = self.source.source_type.request_token_url or ""
-            if self.source.type.urls_customizable and self.source.request_token_url:
+            if self.source.source_type.urls_customizable and self.source.request_token_url:
                 request_token_url = self.source.request_token_url
             response = self.do_request(
                 "post",

authentik/sources/oauth/clients/oauth2.py

@@ -76,8 +76,8 @@ class OAuth2Client(BaseOAuthClient):
         if SESSION_KEY_OAUTH_PKCE in self.request.session:
             args["code_verifier"] = self.request.session[SESSION_KEY_OAUTH_PKCE]
         try:
-            access_token_url = self.source.type.access_token_url or ""
+            access_token_url = self.source.source_type.access_token_url or ""
-            if self.source.type.urls_customizable and self.source.access_token_url:
+            if self.source.source_type.urls_customizable and self.source.access_token_url:
                 access_token_url = self.source.access_token_url
             response = self.session.request(
                 "post", access_token_url, data=args, headers=self._default_headers, **request_kwargs
@@ -140,8 +140,8 @@ class UserprofileHeaderAuthClient(OAuth2Client):
 
     def get_profile_info(self, token: dict[str, str]) -> Optional[dict[str, Any]]:
         "Fetch user profile information."
-        profile_url = self.source.type.profile_url or ""
+        profile_url = self.source.source_type.profile_url or ""
-        if self.source.type.urls_customizable and self.source.profile_url:
+        if self.source.source_type.urls_customizable and self.source.profile_url:
             profile_url = self.source.profile_url
         response = self.session.request(
             "get",

authentik/sources/oauth/models.py

@@ -1,5 +1,5 @@
 """OAuth Client models"""
-from typing import TYPE_CHECKING, Optional, Type
+from typing import TYPE_CHECKING, Optional
 
 from django.db import models
 from django.http.request import HttpRequest
@@ -55,7 +55,7 @@ class OAuthSource(Source):
     oidc_jwks = models.JSONField(default=dict, blank=True)
 
     @property
-    def type(self) -> type["SourceType"]:
+    def source_type(self) -> type["SourceType"]:
         """Return the provider instance for this source"""
         from authentik.sources.oauth.types.registry import registry
 
@@ -65,15 +65,14 @@ class OAuthSource(Source):
     def component(self) -> str:
         return "ak-source-oauth-form"
 
-    # we're using Type[] instead of type[] here since type[] interferes with the property above
     @property
-    def serializer(self) -> Type[Serializer]:
+    def serializer(self) -> type[Serializer]:
         from authentik.sources.oauth.api.source import OAuthSourceSerializer
 
         return OAuthSourceSerializer
 
     def ui_login_button(self, request: HttpRequest) -> UILoginButton:
-        provider_type = self.type
+        provider_type = self.source_type
         provider = provider_type()
         icon = self.get_icon
         if not icon:
@@ -85,7 +84,7 @@ class OAuthSource(Source):
         )
 
     def ui_user_settings(self) -> Optional[UserSettingSerializer]:
-        provider_type = self.type
+        provider_type = self.source_type
         icon = self.get_icon
         if not icon:
             icon = provider_type().icon_url()

authentik/sources/oauth/settings.py

@@ -0,0 +1,12 @@
+"""OAuth source settings"""
+from celery.schedules import crontab
+
+from authentik.lib.utils.time import fqdn_rand
+
+CELERY_BEAT_SCHEDULE = {
+    "update_oauth_source_oidc_well_known": {
+        "task": "authentik.sources.oauth.tasks.update_well_known_jwks",
+        "schedule": crontab(minute=fqdn_rand("update_well_known_jwks"), hour="*/3"),
+        "options": {"queue": "authentik_scheduled"},
+    },
+}

authentik/sources/oauth/tasks.py

@@ -0,0 +1,70 @@
+"""OAuth Source tasks"""
+from json import dumps
+
+from requests import RequestException
+from structlog.stdlib import get_logger
+
+from authentik.events.monitored_tasks import MonitoredTask, TaskResult, TaskResultStatus
+from authentik.lib.utils.http import get_http_session
+from authentik.root.celery import CELERY_APP
+from authentik.sources.oauth.models import OAuthSource
+
+LOGGER = get_logger()
+
+
+@CELERY_APP.task(bind=True, base=MonitoredTask)
+def update_well_known_jwks(self: MonitoredTask):
+    """Update OAuth sources' config from well_known, and JWKS info from the configured URL"""
+    session = get_http_session()
+    result = TaskResult(TaskResultStatus.SUCCESSFUL, [])
+    for source in OAuthSource.objects.all().exclude(oidc_well_known_url=""):
+        try:
+            well_known_config = session.get(source.oidc_well_known_url)
+            well_known_config.raise_for_status()
+        except RequestException as exc:
+            text = exc.response.text if exc.response else str(exc)
+            LOGGER.warning("Failed to update well_known", source=source, exc=exc, text=text)
+            result.messages.append(f"Failed to update OIDC configuration for {source.slug}")
+            continue
+        config = well_known_config.json()
+        try:
+            dirty = False
+            source_attr_key = (
+                ("authorization_url", "authorization_endpoint"),
+                ("access_token_url", "token_endpoint"),
+                ("profile_url", "userinfo_endpoint"),
+                ("oidc_jwks_url", "jwks_uri"),
+            )
+            for source_attr, config_key in source_attr_key:
+                # Check if we're actually changing anything to only
+                # save when something has changed
+                if getattr(source, source_attr, "") != config[config_key]:
+                    dirty = True
+                setattr(source, source_attr, config[config_key])
+        except (IndexError, KeyError) as exc:
+            LOGGER.warning(
+                "Failed to update well_known",
+                source=source,
+                exc=exc,
+            )
+            result.messages.append(f"Failed to update OIDC configuration for {source.slug}")
+            continue
+        if dirty:
+            LOGGER.info("Updating sources' OpenID Configuration", source=source)
+            source.save()
+
+    for source in OAuthSource.objects.all().exclude(oidc_jwks_url=""):
+        try:
+            jwks_config = session.get(source.oidc_jwks_url)
+            jwks_config.raise_for_status()
+        except RequestException as exc:
+            text = exc.response.text if exc.response else str(exc)
+            LOGGER.warning("Failed to update JWKS", source=source, exc=exc, text=text)
+            result.messages.append(f"Failed to update JWKS for {source.slug}")
+            continue
+        config = jwks_config.json()
+        if dumps(source.oidc_jwks, sort_keys=True) != dumps(config, sort_keys=True):
+            source.oidc_jwks = config
+            LOGGER.info("Updating sources' JWKS", source=source)
+            source.save()
+    self.set_status(result)

authentik/sources/oauth/tests/test_tasks.py

@@ -0,0 +1,48 @@
+"""Test OAuth Source tasks"""
+from django.test import TestCase
+from requests_mock import Mocker
+
+from authentik.sources.oauth.models import OAuthSource
+from authentik.sources.oauth.tasks import update_well_known_jwks
+
+
+class TestOAuthSourceTasks(TestCase):
+    """Test OAuth Source tasks"""
+
+    def setUp(self) -> None:
+        self.source = OAuthSource.objects.create(
+            name="test",
+            slug="test",
+            provider_type="openidconnect",
+            authorization_url="",
+            profile_url="",
+            consumer_key="",
+        )
+
+    @Mocker()
+    def test_well_known_jwks(self, mock: Mocker):
+        """Test well_known update"""
+        self.source.oidc_well_known_url = "http://foo/.well-known/openid-configuration"
+        self.source.save()
+        mock.get(
+            self.source.oidc_well_known_url,
+            json={
+                "authorization_endpoint": "foo",
+                "token_endpoint": "foo",
+                "userinfo_endpoint": "foo",
+                "jwks_uri": "http://foo/jwks",
+            },
+        )
+        mock.get("http://foo/jwks", json={"foo": "bar"})
+        update_well_known_jwks()  # pylint: disable=no-value-for-parameter
+        self.source.refresh_from_db()
+        self.assertEqual(self.source.authorization_url, "foo")
+        self.assertEqual(self.source.access_token_url, "foo")
+        self.assertEqual(self.source.profile_url, "foo")
+        self.assertEqual(self.source.oidc_jwks_url, "http://foo/jwks")
+        self.assertEqual(
+            self.source.oidc_jwks,
+            {
+                "foo": "bar",
+            },
+        )

authentik/sources/oauth/tests/test_views.py

@@ -50,6 +50,7 @@ class TestOAuthSource(TestCase):
     def test_api_validate_openid_connect(self):
         """Test API validation (with OIDC endpoints)"""
         openid_config = {
+            "issuer": "foo",
             "authorization_endpoint": "http://mock/oauth/authorize",
             "token_endpoint": "http://mock/oauth/token",
             "userinfo_endpoint": "http://mock/oauth/userinfo",

authentik/sources/oauth/types/azure_ad.py

@@ -4,8 +4,8 @@ from typing import Any
 from structlog.stdlib import get_logger
 
 from authentik.sources.oauth.clients.oauth2 import UserprofileHeaderAuthClient
+from authentik.sources.oauth.types.oidc import OpenIDConnectOAuth2Callback
 from authentik.sources.oauth.types.registry import SourceType, registry
-from authentik.sources.oauth.views.callback import OAuthCallback
 from authentik.sources.oauth.views.redirect import OAuthRedirect
 
 LOGGER = get_logger()
@@ -20,7 +20,7 @@ class AzureADOAuthRedirect(OAuthRedirect):
         }
 
 
-class AzureADOAuthCallback(OAuthCallback):
+class AzureADOAuthCallback(OpenIDConnectOAuth2Callback):
     """AzureAD OAuth2 Callback"""
 
     client_class = UserprofileHeaderAuthClient
@@ -50,4 +50,8 @@ class AzureADType(SourceType):
 
     authorization_url = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
     access_token_url = "https://login.microsoftonline.com/common/oauth2/v2.0/token"  # nosec
-    profile_url = "https://graph.microsoft.com/v1.0/me"
+    profile_url = "https://login.microsoftonline.com/common/openid/userinfo"
+    oidc_well_known_url = (
+        "https://login.microsoftonline.com/common/.well-known/openid-configuration"
+    )
+    oidc_jwks_url = "https://login.microsoftonline.com/common/discovery/keys"

authentik/sources/oauth/types/github.py

@@ -23,8 +23,8 @@ class GitHubOAuth2Client(OAuth2Client):
 
     def get_github_emails(self, token: dict[str, str]) -> list[dict[str, Any]]:
         """Get Emails from the GitHub API"""
-        profile_url = self.source.type.profile_url or ""
+        profile_url = self.source.source_type.profile_url or ""
-        if self.source.type.urls_customizable and self.source.profile_url:
+        if self.source.source_type.urls_customizable and self.source.profile_url:
             profile_url = self.source.profile_url
         profile_url += "/emails"
         response = self.do_request("get", profile_url, token=token)
@@ -76,3 +76,7 @@ class GitHubType(SourceType):
     authorization_url = "https://github.com/login/oauth/authorize"
     access_token_url = "https://github.com/login/oauth/access_token"  # nosec
     profile_url = "https://api.github.com/user"
+    oidc_well_known_url = (
+        "https://token.actions.githubusercontent.com/.well-known/openid-configuration"
+    )
+    oidc_jwks_url = "https://token.actions.githubusercontent.com/.well-known/jwks"

authentik/sources/oauth/types/google.py

@@ -40,3 +40,5 @@ class GoogleType(SourceType):
     authorization_url = "https://accounts.google.com/o/oauth2/auth"
     access_token_url = "https://oauth2.googleapis.com/token"  # nosec
     profile_url = "https://www.googleapis.com/oauth2/v1/userinfo"
+    oidc_well_known_url = "https://accounts.google.com/.well-known/openid-configuration"
+    oidc_jwks_url = "https://www.googleapis.com/oauth2/v3/certs"

authentik/sources/oauth/types/mailcow.py

@@ -26,8 +26,8 @@ class MailcowOAuth2Client(OAuth2Client):
 
     def get_profile_info(self, token: dict[str, str]) -> Optional[dict[str, Any]]:
         "Fetch user profile information."
-        profile_url = self.source.type.profile_url or ""
+        profile_url = self.source.source_type.profile_url or ""
-        if self.source.type.urls_customizable and self.source.profile_url:
+        if self.source.source_type.urls_customizable and self.source.profile_url:
             profile_url = self.source.profile_url
         response = self.session.request(
             "get",

authentik/sources/oauth/types/oidc.py

@@ -23,7 +23,7 @@ class OpenIDConnectOAuth2Callback(OAuthCallback):
     client_class = UserprofileHeaderAuthClient
 
     def get_user_id(self, info: dict[str, str]) -> str:
-        return info.get("sub", "")
+        return info.get("sub", None)
 
     def get_user_enroll_context(
         self,

authentik/sources/oauth/types/okta.py

@@ -3,8 +3,8 @@ from typing import Any
 
 from authentik.sources.oauth.clients.oauth2 import UserprofileHeaderAuthClient
 from authentik.sources.oauth.models import OAuthSource
+from authentik.sources.oauth.types.oidc import OpenIDConnectOAuth2Callback
 from authentik.sources.oauth.types.registry import SourceType, registry
-from authentik.sources.oauth.views.callback import OAuthCallback
 from authentik.sources.oauth.views.redirect import OAuthRedirect
 
 
@@ -17,7 +17,7 @@ class OktaOAuthRedirect(OAuthRedirect):
         }
 
 
-class OktaOAuth2Callback(OAuthCallback):
+class OktaOAuth2Callback(OpenIDConnectOAuth2Callback):
     """Okta OAuth2 Callback"""
 
     # Okta has the same quirk as azure and throws an error if the access token
@@ -25,9 +25,6 @@ class OktaOAuth2Callback(OAuthCallback):
     # see https://github.com/goauthentik/authentik/issues/1910
     client_class = UserprofileHeaderAuthClient
 
-    def get_user_id(self, info: dict[str, str]) -> str:
-        return info.get("sub", "")
-
     def get_user_enroll_context(
         self,
         info: dict[str, Any],

authentik/sources/oauth/types/patreon.py

@@ -12,8 +12,9 @@ class PatreonOAuthRedirect(OAuthRedirect):
     """Patreon OAuth2 Redirect"""
 
     def get_additional_parameters(self, source: OAuthSource):  # pragma: no cover
+        # https://docs.patreon.com/#scopes
         return {
-            "scope": ["openid", "email", "profile"],
+            "scope": ["identity", "identity[email]"],
         }
 
 

authentik/sources/oauth/types/registry.py

@@ -36,6 +36,8 @@ class SourceType:
     authorization_url: Optional[str] = None
     access_token_url: Optional[str] = None
     profile_url: Optional[str] = None
+    oidc_well_known_url: Optional[str] = None
+    oidc_jwks_url: Optional[str] = None
 
     def icon_url(self) -> str:
         """Get Icon URL for login"""

authentik/sources/oauth/types/twitch.py

@@ -3,8 +3,8 @@ from json import dumps
 from typing import Any, Optional
 
 from authentik.sources.oauth.clients.oauth2 import UserprofileHeaderAuthClient
+from authentik.sources.oauth.types.oidc import OpenIDConnectOAuth2Callback
 from authentik.sources.oauth.types.registry import SourceType, registry
-from authentik.sources.oauth.views.callback import OAuthCallback
 from authentik.sources.oauth.views.redirect import OAuthRedirect
 
 
@@ -27,14 +27,11 @@ class TwitchOAuthRedirect(OAuthRedirect):
         }
 
 
-class TwitchOAuth2Callback(OAuthCallback):
+class TwitchOAuth2Callback(OpenIDConnectOAuth2Callback):
     """Twitch OAuth2 Callback"""
 
     client_class = TwitchClient
 
-    def get_user_id(self, info: dict[str, str]) -> str:
-        return info.get("sub", "")
-
     def get_user_enroll_context(
         self,
         info: dict[str, Any],

authentik/sources/oauth/views/base.py

@@ -25,7 +25,7 @@ class OAuthClientMixin:
         if self.client_class is not None:
             # pylint: disable=not-callable
             return self.client_class(source, self.request, **kwargs)
-        if source.type.request_token_url or source.request_token_url:
+        if source.source_type.request_token_url or source.request_token_url:
             client = OAuthClient(source, self.request, **kwargs)
         else:
             client = OAuth2Client(source, self.request, **kwargs)

authentik/stages/authenticator_sms/stage.py

@@ -12,7 +12,6 @@ from authentik.flows.challenge import (
     Challenge,
     ChallengeResponse,
     ChallengeTypes,
-    ErrorDetailSerializer,
     WithUserInfoChallenge,
 )
 from authentik.flows.stage import ChallengeStageView
@@ -24,6 +23,7 @@ from authentik.stages.authenticator_sms.models import (
 from authentik.stages.prompt.stage import PLAN_CONTEXT_PROMPT
 
 SESSION_KEY_SMS_DEVICE = "authentik/stages/authenticator_sms/sms_device"
+PLAN_CONTEXT_PHONE = "phone"
 
 
 class AuthenticatorSMSChallenge(WithUserInfoChallenge):
@@ -48,6 +48,8 @@ class AuthenticatorSMSChallengeResponse(ChallengeResponse):
     def validate(self, attrs: dict) -> dict:
         """Check"""
         if "code" not in attrs:
+            if "phone_number" not in attrs:
+                raise ValidationError("phone_number required")
             self.device.phone_number = attrs["phone_number"]
             self.stage.validate_and_send(attrs["phone_number"])
             return super().validate(attrs)
@@ -75,9 +77,9 @@ class AuthenticatorSMSStageView(ChallengeStageView):
 
     def _has_phone_number(self) -> Optional[str]:
         context = self.executor.plan.context
-        if "phone" in context.get(PLAN_CONTEXT_PROMPT, {}):
+        if PLAN_CONTEXT_PHONE in context.get(PLAN_CONTEXT_PROMPT, {}):
             self.logger.debug("got phone number from plan context")
-            return context.get(PLAN_CONTEXT_PROMPT, {}).get("phone")
+            return context.get(PLAN_CONTEXT_PROMPT, {}).get(PLAN_CONTEXT_PHONE)
         if SESSION_KEY_SMS_DEVICE in self.request.session:
             self.logger.debug("got phone number from device in session")
             device: SMSDevice = self.request.session[SESSION_KEY_SMS_DEVICE]
@@ -113,10 +115,17 @@ class AuthenticatorSMSStageView(ChallengeStageView):
                 try:
                     self.validate_and_send(phone_number)
                 except ValidationError as exc:
-                    response = AuthenticatorSMSChallengeResponse()
+                    # We had a phone number given already (at this point only possible from flow
-                    response._errors.setdefault("phone_number", [])
+                    # context), but an error occurred while sending a number (most likely)
-                    response._errors["phone_number"].append(ErrorDetailSerializer(exc.detail))
+                    # due to a duplicate device, so delete the number we got given, reset the state
-                    return self.challenge_invalid(response)
+                    # (ish) and retry
+                    device.phone_number = ""
+                    self.executor.plan.context.get(PLAN_CONTEXT_PROMPT, {}).pop(
+                        PLAN_CONTEXT_PHONE, None
+                    )
+                    self.request.session.pop(SESSION_KEY_SMS_DEVICE, None)
+                    self.logger.warning("failed to send SMS message to pre-set number", exc=exc)
+                    return self.get(request, *args, **kwargs)
         return super().get(request, *args, **kwargs)
 
     def challenge_valid(self, response: ChallengeResponse) -> HttpResponse:

authentik/stages/authenticator_sms/tests.py

@@ -7,7 +7,9 @@ from requests_mock import Mocker
 
 from authentik.core.tests.utils import create_test_admin_user, create_test_flow
 from authentik.flows.models import FlowStageBinding
+from authentik.flows.planner import FlowPlan
 from authentik.flows.tests import FlowTestCase
+from authentik.flows.views.executor import SESSION_KEY_PLAN
 from authentik.lib.generators import generate_id
 from authentik.stages.authenticator_sms.models import (
     AuthenticatorSMSStage,
@@ -15,7 +17,8 @@ from authentik.stages.authenticator_sms.models import (
     SMSProviders,
     hash_phone_number,
 )
-from authentik.stages.authenticator_sms.stage import SESSION_KEY_SMS_DEVICE
+from authentik.stages.authenticator_sms.stage import PLAN_CONTEXT_PHONE, SESSION_KEY_SMS_DEVICE
+from authentik.stages.prompt.stage import PLAN_CONTEXT_PROMPT
 
 
 class AuthenticatorSMSStageTests(FlowTestCase):
@@ -172,6 +175,43 @@ class AuthenticatorSMSStageTests(FlowTestCase):
             phone_number_required=False,
         )
 
+    def test_stage_context_data_duplicate(self):
+        """test stage context data (phone number exists already)"""
+        self.client.get(
+            reverse("authentik_flows:configure", kwargs={"stage_uuid": self.stage.stage_uuid}),
+        )
+        plan: FlowPlan = self.client.session[SESSION_KEY_PLAN]
+        plan.context[PLAN_CONTEXT_PROMPT] = {
+            PLAN_CONTEXT_PHONE: "1234",
+        }
+        session = self.client.session
+        session[SESSION_KEY_PLAN] = plan
+        session.save()
+        SMSDevice.objects.create(
+            phone_number="1234",
+            user=self.user,
+            stage=self.stage,
+        )
+        sms_send_mock = MagicMock()
+        with (
+            patch(
+                "authentik.stages.authenticator_sms.models.AuthenticatorSMSStage.send",
+                sms_send_mock,
+            ),
+        ):
+            response = self.client.get(
+                reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug}),
+            )
+        self.assertStageResponse(
+            response,
+            self.flow,
+            self.user,
+            component="ak-stage-authenticator-sms",
+            phone_number_required=True,
+        )
+        plan: FlowPlan = self.client.session[SESSION_KEY_PLAN]
+        self.assertEqual(plan.context[PLAN_CONTEXT_PROMPT], {})
+
     def test_stage_submit_full(self):
         """test stage (submit)"""
         self.client.get(

authentik/stages/authenticator_validate/tests/test_duo.py

@@ -184,6 +184,7 @@ class AuthenticatorValidateStageDuoTests(FlowTestCase):
                     "args": {},
                     "method": "GET",
                     "path": f"/api/v3/flows/executor/{flow.slug}/",
+                    "user_agent": "",
                 },
             },
         )

authentik/stages/deny/api.py

@@ -11,7 +11,7 @@ class DenyStageSerializer(StageSerializer):
 
     class Meta:
         model = DenyStage
-        fields = StageSerializer.Meta.fields
+        fields = StageSerializer.Meta.fields + ["deny_message"]
 
 
 class DenyStageViewSet(UsedByMixin, ModelViewSet):

authentik/stages/deny/migrations/0002_denystage_deny_message.py

@@ -0,0 +1,17 @@
+# Generated by Django 4.2.6 on 2023-10-18 09:11
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("authentik_stages_deny", "0001_initial"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="denystage",
+            name="deny_message",
+            field=models.TextField(blank=True, default=""),
+        ),
+    ]

authentik/stages/deny/models.py

@@ -1,5 +1,5 @@
 """deny stage models"""
-
+from django.db import models
 from django.utils.translation import gettext_lazy as _
 from django.views import View
 from rest_framework.serializers import BaseSerializer
@@ -10,6 +10,8 @@ from authentik.flows.models import Stage
 class DenyStage(Stage):
     """Cancels the current flow."""
 
+    deny_message = models.TextField(blank=True, default="")
+
     @property
     def serializer(self) -> type[BaseSerializer]:
         from authentik.stages.deny.api import DenyStageSerializer

authentik/stages/deny/stage.py

@@ -2,6 +2,7 @@
 from django.http import HttpRequest, HttpResponse
 
 from authentik.flows.stage import StageView
+from authentik.stages.deny.models import DenyStage
 
 
 class DenyStageView(StageView):
@@ -9,4 +10,6 @@ class DenyStageView(StageView):
 
     def dispatch(self, request: HttpRequest) -> HttpResponse:
         """Cancels the current flow"""
-        return self.executor.stage_invalid()
+        stage: DenyStage = self.executor.current_stage
+        message = self.executor.plan.context.get("deny_message", stage.deny_message)
+        return self.executor.stage_invalid(message)

authentik/stages/deny/tests.py

@@ -45,3 +45,38 @@ class TestUserDenyStage(FlowTestCase):
         )
 
         self.assertStageResponse(response, self.flow, component="ak-stage-access-denied")
+
+    def test_message_static(self):
+        """Test with a static error message"""
+        self.stage.deny_message = "foo"
+        self.stage.save()
+        plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
+        session = self.client.session
+        session[SESSION_KEY_PLAN] = plan
+        session.save()
+
+        response = self.client.get(
+            reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug})
+        )
+
+        self.assertStageResponse(
+            response, self.flow, component="ak-stage-access-denied", error_message="foo"
+        )
+
+    def test_message_overwrite(self):
+        """Test with an overwritten error message"""
+        self.stage.deny_message = "foo"
+        self.stage.save()
+        plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
+        plan.context["deny_message"] = "bar"
+        session = self.client.session
+        session[SESSION_KEY_PLAN] = plan
+        session.save()
+
+        response = self.client.get(
+            reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug})
+        )
+
+        self.assertStageResponse(
+            response, self.flow, component="ak-stage-access-denied", error_message="bar"
+        )

authentik/stages/email/stage.py

@@ -1,21 +1,26 @@
 """authentik multi-stage authentication engine"""
 from datetime import timedelta
+from uuid import uuid4
 
 from django.contrib import messages
 from django.http import HttpRequest, HttpResponse
+from django.http.request import QueryDict
+from django.template.exceptions import TemplateSyntaxError
 from django.urls import reverse
-from django.utils.http import urlencode
 from django.utils.text import slugify
 from django.utils.timezone import now
 from django.utils.translation import gettext as _
 from rest_framework.fields import CharField
 from rest_framework.serializers import ValidationError
 
+from authentik.events.models import Event, EventAction
 from authentik.flows.challenge import Challenge, ChallengeResponse, ChallengeTypes
+from authentik.flows.exceptions import StageInvalidException
 from authentik.flows.models import FlowDesignation, FlowToken
 from authentik.flows.planner import PLAN_CONTEXT_IS_RESTORED, PLAN_CONTEXT_PENDING_USER
 from authentik.flows.stage import ChallengeStageView
-from authentik.flows.views.executor import QS_KEY_TOKEN
+from authentik.flows.views.executor import QS_KEY_TOKEN, QS_QUERY
+from authentik.lib.utils.errors import exception_to_string
 from authentik.stages.email.models import EmailStage
 from authentik.stages.email.tasks import send_mails
 from authentik.stages.email.utils import TemplateEmailMessage
@@ -51,8 +56,17 @@ class EmailStageView(ChallengeStageView):
             "authentik_core:if-flow",
             kwargs={"flow_slug": self.executor.flow.slug},
         )
-        relative_url = f"{base_url}?{urlencode(kwargs)}"
+        # Parse query string from current URL (full query string)
-        return self.request.build_absolute_uri(relative_url)
+        # this view is only run within a flow executor, where we need to get the query string
+        # from the query= parameter (double encoded); but for the redirect
+        # we need to expand it since it'll go through the flow interface
+        query_params = QueryDict(self.request.GET.get(QS_QUERY), mutable=True)
+        query_params.pop(QS_KEY_TOKEN, None)
+        query_params.update(kwargs)
+        full_url = base_url
+        if len(query_params) > 0:
+            full_url = f"{full_url}?{query_params.urlencode()}"
+        return self.request.build_absolute_uri(full_url)
 
     def get_token(self) -> FlowToken:
         """Get token"""
@@ -61,7 +75,7 @@ class EmailStageView(ChallengeStageView):
         valid_delta = timedelta(
             minutes=current_stage.token_expiry + 1
         )  # + 1 because django timesince always rounds down
-        identifier = slugify(f"ak-email-stage-{current_stage.name}-{pending_user}")
+        identifier = slugify(f"ak-email-stage-{current_stage.name}-{str(uuid4())}")
         # Don't check for validity here, we only care if the token exists
         tokens = FlowToken.objects.filter(identifier=identifier)
         if not tokens.exists():
@@ -93,6 +107,7 @@ class EmailStageView(ChallengeStageView):
         current_stage: EmailStage = self.executor.current_stage
         token = self.get_token()
         # Send mail to user
+        try:
             message = TemplateEmailMessage(
                 subject=_(current_stage.subject),
                 to=[email],
@@ -105,6 +120,14 @@ class EmailStageView(ChallengeStageView):
                 },
             )
             send_mails(current_stage, message)
+        except TemplateSyntaxError as exc:
+            Event.new(
+                EventAction.CONFIGURATION_ERROR,
+                message=_("Exception occurred while rendering E-mail template"),
+                error=exception_to_string(exc),
+                template=current_stage.template,
+            ).from_http(self.request)
+            raise StageInvalidException from exc
 
     def get(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
         # Check if the user came back from the email link to verify
@@ -125,7 +148,11 @@ class EmailStageView(ChallengeStageView):
             return self.executor.stage_invalid()
         # Check if we've already sent the initial e-mail
         if PLAN_CONTEXT_EMAIL_SENT not in self.executor.plan.context:
+            try:
                 self.send_email()
+            except StageInvalidException as exc:
+                self.logger.debug("Got StageInvalidException", exc=exc)
+                return self.executor.stage_invalid()
             self.executor.plan.context[PLAN_CONTEXT_EMAIL_SENT] = True
         return super().get(request, *args, **kwargs)
 
@@ -146,6 +173,7 @@ class EmailStageView(ChallengeStageView):
             messages.error(self.request, _("No pending user."))
             return super().challenge_invalid(response)
         self.send_email()
+        messages.success(self.request, _("Email Successfully sent."))
         # We can't call stage_ok yet, as we're still waiting
         # for the user to click the link in the email
         return super().challenge_invalid(response)

authentik/stages/email/tasks.py

@@ -13,6 +13,7 @@ from authentik.events.models import Event, EventAction
 from authentik.events.monitored_tasks import MonitoredTask, TaskResult, TaskResultStatus
 from authentik.root.celery import CELERY_APP
 from authentik.stages.email.models import EmailStage
+from authentik.stages.email.utils import logo_data
 
 LOGGER = get_logger()
 
@@ -81,6 +82,10 @@ def send_mail(self: MonitoredTask, message: dict[Any, Any], email_stage_pk: Opti
         # Because we use the Message-ID as UID for the task, manually assign it
         message_object.extra_headers["Message-ID"] = message_id
 
+        # Add the logo (we can't add it in the previous message since MIMEImage
+        # can't be converted to json)
+        message_object.attach(logo_data())
+
         LOGGER.debug("Sending mail", to=message_object.to)
         backend.send_messages([message_object])
         Event.new(

authentik/stages/email/tests/test_stage.py

@@ -4,6 +4,7 @@ from unittest.mock import MagicMock, PropertyMock, patch
 from django.core import mail
 from django.core.mail.backends.locmem import EmailBackend
 from django.core.mail.backends.smtp import EmailBackend as SMTPEmailBackend
+from django.test import RequestFactory
 from django.urls import reverse
 from django.utils.http import urlencode
 
@@ -12,10 +13,11 @@ from authentik.flows.markers import StageMarker
 from authentik.flows.models import FlowDesignation, FlowStageBinding, FlowToken
 from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlan
 from authentik.flows.tests import FlowTestCase
-from authentik.flows.views.executor import QS_KEY_TOKEN, SESSION_KEY_PLAN
+from authentik.flows.views.executor import QS_KEY_TOKEN, SESSION_KEY_PLAN, FlowExecutorView
 from authentik.lib.config import CONFIG
+from authentik.lib.generators import generate_id
 from authentik.stages.email.models import EmailStage
-from authentik.stages.email.stage import PLAN_CONTEXT_EMAIL_OVERRIDE
+from authentik.stages.email.stage import PLAN_CONTEXT_EMAIL_OVERRIDE, EmailStageView
 
 
 class TestEmailStage(FlowTestCase):
@@ -23,8 +25,8 @@ class TestEmailStage(FlowTestCase):
 
     def setUp(self):
         super().setUp()
+        self.factory = RequestFactory()
         self.user = create_test_admin_user()
-
         self.flow = create_test_flow(FlowDesignation.AUTHENTICATION)
         self.stage = EmailStage.objects.create(
             name="email",
@@ -205,3 +207,69 @@ class TestEmailStage(FlowTestCase):
 
             self.assertEqual(response.status_code, 200)
             self.assertStageResponse(response, component="ak-stage-access-denied")
+
+    def test_url_no_params(self):
+        """Test generation of the URL in the EMail"""
+        plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
+        plan.context[PLAN_CONTEXT_PENDING_USER] = self.user
+        session = self.client.session
+        session[SESSION_KEY_PLAN] = plan
+        session.save()
+
+        url = reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug})
+        request = self.factory.get(url)
+        stage_view = EmailStageView(
+            FlowExecutorView(
+                request=request,
+                flow=self.flow,
+            ),
+            request=request,
+        )
+        self.assertEqual(stage_view.get_full_url(), f"http://testserver/if/flow/{self.flow.slug}/")
+
+    def test_url_our_params(self):
+        """Test that all of our parameters are passed to the URL correctly"""
+        plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
+        plan.context[PLAN_CONTEXT_PENDING_USER] = self.user
+        session = self.client.session
+        session[SESSION_KEY_PLAN] = plan
+        session.save()
+
+        url = reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug})
+        request = self.factory.get(url)
+        stage_view = EmailStageView(
+            FlowExecutorView(
+                request=request,
+                flow=self.flow,
+            ),
+            request=request,
+        )
+        token = generate_id()
+        self.assertEqual(
+            stage_view.get_full_url(**{QS_KEY_TOKEN: token}),
+            f"http://testserver/if/flow/{self.flow.slug}/?flow_token={token}",
+        )
+
+    def test_url_existing_params(self):
+        """Test to ensure that URL params are preserved in the URL being sent"""
+        plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
+        plan.context[PLAN_CONTEXT_PENDING_USER] = self.user
+        session = self.client.session
+        session[SESSION_KEY_PLAN] = plan
+        session.save()
+
+        url = reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug})
+        url += "?query=" + urlencode({"foo": "bar"})
+        request = self.factory.get(url)
+        stage_view = EmailStageView(
+            FlowExecutorView(
+                request=request,
+                flow=self.flow,
+            ),
+            request=request,
+        )
+        token = generate_id()
+        self.assertEqual(
+            stage_view.get_full_url(**{QS_KEY_TOKEN: token}),
+            f"http://testserver/if/flow/{self.flow.slug}/?foo=bar&flow_token={token}",
+        )

authentik/stages/email/tests/test_templates.py

@@ -4,11 +4,20 @@ from pathlib import Path
 from shutil import rmtree
 from tempfile import mkdtemp, mkstemp
 from typing import Any
+from unittest.mock import PropertyMock, patch
 
 from django.conf import settings
-from django.test import TestCase
+from django.core.mail.backends.locmem import EmailBackend
+from django.urls import reverse
 
-from authentik.stages.email.models import get_template_choices
+from authentik.core.tests.utils import create_test_admin_user, create_test_flow
+from authentik.events.models import Event, EventAction
+from authentik.flows.markers import StageMarker
+from authentik.flows.models import FlowDesignation, FlowStageBinding
+from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlan
+from authentik.flows.tests import FlowTestCase
+from authentik.flows.views.executor import SESSION_KEY_PLAN
+from authentik.stages.email.models import EmailStage, get_template_choices
 
 
 def get_templates_setting(temp_dir: str) -> dict[str, Any]:
@@ -18,11 +27,18 @@ def get_templates_setting(temp_dir: str) -> dict[str, Any]:
     return templates_setting
 
 
-class TestEmailStageTemplates(TestCase):
+class TestEmailStageTemplates(FlowTestCase):
     """Email tests"""
 
     def setUp(self) -> None:
-        self.dir = mkdtemp()
+        self.dir = Path(mkdtemp())
+        self.user = create_test_admin_user()
+
+        self.flow = create_test_flow(FlowDesignation.AUTHENTICATION)
+        self.stage = EmailStage.objects.create(
+            name="email",
+        )
+        self.binding = FlowStageBinding.objects.create(target=self.flow, stage=self.stage, order=2)
 
     def tearDown(self) -> None:
         rmtree(self.dir)
@@ -38,3 +54,37 @@ class TestEmailStageTemplates(TestCase):
             self.assertEqual(len(choices), 3)
             unlink(file)
             unlink(file2)
+
+    def test_custom_template_invalid_syntax(self):
+        """Test with custom template"""
+        with open(self.dir / Path("invalid.html"), "w+", encoding="utf-8") as _invalid:
+            _invalid.write("{% blocktranslate %}")
+        with self.settings(TEMPLATES=get_templates_setting(self.dir)):
+            self.stage.template = "invalid.html"
+            plan = FlowPlan(
+                flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()]
+            )
+            plan.context[PLAN_CONTEXT_PENDING_USER] = self.user
+            session = self.client.session
+            session[SESSION_KEY_PLAN] = plan
+            session.save()
+
+            url = reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug})
+            with patch(
+                "authentik.stages.email.models.EmailStage.backend_class",
+                PropertyMock(return_value=EmailBackend),
+            ):
+                response = self.client.get(url)
+                self.assertEqual(response.status_code, 200)
+                self.assertStageResponse(
+                    response,
+                    self.flow,
+                    error_message="Unknown error",
+                )
+                events = Event.objects.filter(action=EventAction.CONFIGURATION_ERROR)
+                self.assertEqual(len(events), 1)
+                event = events.first()
+                self.assertEqual(
+                    event.context["message"], "Exception occurred while rendering E-mail template"
+                )
+                self.assertEqual(event.context["template"], "invalid.html")

authentik/stages/email/utils.py

@@ -1,6 +1,7 @@
 """email utils"""
 from email.mime.image import MIMEImage
 from functools import lru_cache
+from pathlib import Path
 
 from django.core.mail import EmailMultiAlternatives
 from django.template.loader import render_to_string
@@ -8,9 +9,12 @@ from django.utils import translation
 
 
 @lru_cache()
-def logo_data():
+def logo_data() -> MIMEImage:
     """Get logo as MIME Image for emails"""
-    with open("web/icons/icon_left_brand.png", "rb") as _logo_file:
+    path = Path("web/icons/icon_left_brand.png")
+    if not path.exists():
+        path = Path("web/dist/assets/icons/icon_left_brand.png")
+    with open(path, "rb") as _logo_file:
         logo = MIMEImage(_logo_file.read())
     logo.add_header("Content-ID", "logo.png")
     return logo
@@ -25,5 +29,4 @@ class TemplateEmailMessage(EmailMultiAlternatives):
         super().__init__(**kwargs)
         self.content_subtype = "html"
         self.mixed_subtype = "related"
-        self.attach(logo_data())
         self.attach_alternative(html_content, "text/html")

authentik/stages/user_write/api.py

@@ -15,6 +15,7 @@ class UserWriteStageSerializer(StageSerializer):
             "user_creation_mode",
             "create_users_as_inactive",
             "create_users_group",
+            "user_type",
             "user_path_template",
         ]