release: 2023.10.6

* providers/oauth2: fix CVE-2024-21637 (#8104)

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* update changelog

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Jens L <jens@goauthentik.io>

.bumpversion.cfg

@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2023.10.3
+current_version = 2023.10.6
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)

.github/actions/setup/action.yml

@@ -2,36 +2,39 @@ name: "Setup authentik testing environment"
 description: "Setup authentik testing environment"
 
 inputs:
-  postgresql_tag:
+  postgresql_version:
     description: "Optional postgresql image tag"
     default: "12"
 
 runs:
   using: "composite"
   steps:
-    - name: Install poetry
+    - name: Install poetry & deps
       shell: bash
       run: |
         pipx install poetry || true
-        sudo apt update
-        sudo apt install -y libpq-dev openssl libxmlsec1-dev pkg-config gettext
+        sudo apt-get update
+        sudo apt-get install --no-install-recommends -y libpq-dev openssl libxmlsec1-dev pkg-config gettext
     - name: Setup python and restore poetry
-      uses: actions/setup-python@v3
+      uses: actions/setup-python@v4
       with:
-        python-version: "3.11"
+        python-version-file: 'pyproject.toml'
         cache: "poetry"
     - name: Setup node
       uses: actions/setup-node@v3
       with:
-        node-version: "20"
+        node-version-file: web/package.json
         cache: "npm"
         cache-dependency-path: web/package-lock.json
+    - name: Setup go
+      uses: actions/setup-go@v4
+      with:
+        go-version-file: "go.mod"
     - name: Setup dependencies
       shell: bash
       run: |
-        export PSQL_TAG=${{ inputs.postgresql_tag }}
+        export PSQL_TAG=${{ inputs.postgresql_version }}
         docker-compose -f .github/actions/setup/docker-compose.yml up -d
-        poetry env use python3.11
         poetry install
         cd web && npm ci
     - name: Generate config

.github/workflows/ci-main.yml

@@ -48,25 +48,38 @@ jobs:
       - name: run migrations
         run: poetry run python -m lifecycle.migrate
   test-migrations-from-stable:
+    name: test-migrations-from-stable - PostgreSQL ${{ matrix.psql }}
     runs-on: ubuntu-latest
-    continue-on-error: true
+    strategy:
+      fail-fast: false
+      matrix:
+        psql:
+          - 12-alpine
+          - 15-alpine
+          - 16-alpine
     steps:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
       - name: Setup authentik env
         uses: ./.github/actions/setup
+        with:
+          postgresql_version: ${{ matrix.psql }}
       - name: checkout stable
         run: |
+          # Delete all poetry envs
+          rm -rf /home/runner/.cache/pypoetry
           # Copy current, latest config to local
           cp authentik/lib/default.yml local.env.yml
           cp -R .github ..
           cp -R scripts ..
-          git checkout $(git describe --tags $(git rev-list --tags --max-count=1))
+          git checkout version/$(python -c "from authentik import __version__; print(__version__)")
           rm -rf .github/ scripts/
           mv ../.github ../scripts .
       - name: Setup authentik env (ensure stable deps are installed)
         uses: ./.github/actions/setup
+        with:
+          postgresql_version: ${{ matrix.psql }}
       - name: run migrations to stable
         run: poetry run python -m lifecycle.migrate
       - name: checkout current code
@@ -76,9 +89,13 @@ jobs:
           git reset --hard HEAD
           git clean -d -fx .
           git checkout $GITHUB_SHA
+          # Delete previous poetry env
+          rm -rf $(poetry env info --path)
           poetry install
       - name: Setup authentik env (ensure latest deps are installed)
         uses: ./.github/actions/setup
+        with:
+          postgresql_version: ${{ matrix.psql }}
       - name: migrate to latest
         run: poetry run python -m lifecycle.migrate
   test-unittest:
@@ -97,7 +114,7 @@ jobs:
       - name: Setup authentik env
         uses: ./.github/actions/setup
         with:
-          postgresql_tag: ${{ matrix.psql }}
+          postgresql_version: ${{ matrix.psql }}
       - name: run unittest
         run: |
           poetry run make test

.github/workflows/ci-outpost.yml

@@ -130,7 +130,7 @@ jobs:
           go-version-file: "go.mod"
       - uses: actions/setup-node@v4
         with:
-          node-version: "20"
+          node-version-file: web/package.json
           cache: "npm"
           cache-dependency-path: web/package-lock.json
       - name: Generate API

.github/workflows/ci-web.yml

@@ -24,7 +24,7 @@ jobs:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4
         with:
-          node-version: "20"
+          node-version-file: ${{ matrix.project }}/package.json
           cache: "npm"
           cache-dependency-path: ${{ matrix.project }}/package-lock.json
       - working-directory: ${{ matrix.project }}/
@@ -40,7 +40,7 @@ jobs:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4
         with:
-          node-version: "20"
+          node-version-file: web/package.json
           cache: "npm"
           cache-dependency-path: web/package-lock.json
       - working-directory: web/
@@ -62,7 +62,7 @@ jobs:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4
         with:
-          node-version: "20"
+          node-version-file: ${{ matrix.project }}/package.json
           cache: "npm"
           cache-dependency-path: ${{ matrix.project }}/package-lock.json
       - working-directory: ${{ matrix.project }}/
@@ -78,7 +78,7 @@ jobs:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4
         with:
-          node-version: "20"
+          node-version-file: web/package.json
           cache: "npm"
           cache-dependency-path: web/package-lock.json
       - working-directory: web/
@@ -110,7 +110,7 @@ jobs:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4
         with:
-          node-version: "20"
+          node-version-file: web/package.json
           cache: "npm"
           cache-dependency-path: web/package-lock.json
       - working-directory: web/

.github/workflows/ci-website.yml

@@ -18,7 +18,7 @@ jobs:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4
         with:
-          node-version: "20"
+          node-version-file: website/package.json
           cache: "npm"
           cache-dependency-path: website/package-lock.json
       - working-directory: website/
@@ -32,7 +32,7 @@ jobs:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4
         with:
-          node-version: "20"
+          node-version-file: website/package.json
           cache: "npm"
           cache-dependency-path: website/package-lock.json
       - working-directory: website/
@@ -53,7 +53,7 @@ jobs:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4
         with:
-          node-version: "20"
+          node-version-file: website/package.json
           cache: "npm"
           cache-dependency-path: website/package-lock.json
       - working-directory: website/

.github/workflows/release-publish.yml

@@ -131,7 +131,7 @@ jobs:
           go-version-file: "go.mod"
       - uses: actions/setup-node@v4
         with:
-          node-version: "20"
+          node-version-file: web/package.json
           cache: "npm"
           cache-dependency-path: web/package-lock.json
       - name: Build web

.github/workflows/release-tag.yml

@@ -30,7 +30,7 @@ jobs:
           private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
       - name: Extract version number
         id: get_version
-        uses: actions/github-script@v7
+        uses: actions/github-script@v6
         with:
           github-token: ${{ steps.generate_token.outputs.token }}
           script: |

.github/workflows/translation-advice.yml

@@ -7,8 +7,7 @@ on:
     paths:
       - "!**"
       - "locale/**"
-      - "!locale/en/**"
-      - "web/xliff/**"
+      - "web/src/locales/**"
 
 jobs:
   post-comment:

.github/workflows/web-api-publish.yml

@@ -19,7 +19,7 @@ jobs:
           token: ${{ steps.generate_token.outputs.token }}
       - uses: actions/setup-node@v4
         with:
-          node-version: "20"
+          node-version-file: web/package.json
           registry-url: "https://registry.npmjs.org"
       - name: Generate API Client
         run: make gen-client-ts

Dockerfile

@@ -1,3 +1,5 @@
+# syntax=docker/dockerfile:1
+
 # Stage 1: Build website
 FROM --platform=${BUILDPLATFORM} docker.io/node:21 as website-builder
 
@@ -7,7 +9,7 @@ WORKDIR /work/website
 
 RUN --mount=type=bind,target=/work/website/package.json,src=./website/package.json \
     --mount=type=bind,target=/work/website/package-lock.json,src=./website/package-lock.json \
-    --mount=type=cache,target=/root/.npm \
+    --mount=type=cache,id=npm-website,sharing=shared,target=/root/.npm \
     npm ci --include=dev
 
 COPY ./website /work/website/
@@ -25,7 +27,7 @@ WORKDIR /work/web
 
 RUN --mount=type=bind,target=/work/web/package.json,src=./web/package.json \
     --mount=type=bind,target=/work/web/package-lock.json,src=./web/package-lock.json \
-    --mount=type=cache,target=/root/.npm \
+    --mount=type=cache,id=npm-web,sharing=shared,target=/root/.npm \
     npm ci --include=dev
 
 COPY ./web /work/web/
@@ -62,8 +64,8 @@ COPY ./go.sum /go/src/goauthentik.io/go.sum
 
 ENV CGO_ENABLED=0
 
-RUN --mount=type=cache,target=/go/pkg/mod \
-    --mount=type=cache,target=/root/.cache/go-build \
+RUN --mount=type=cache,sharing=locked,target=/go/pkg/mod \
+    --mount=type=cache,id=go-build-$TARGETARCH$TARGETVARIANT,sharing=locked,target=/root/.cache/go-build \
     GOARM="${TARGETVARIANT#v}" go build -o /go/authentik ./cmd/server
 
 # Stage 4: MaxMind GeoIP
@@ -89,7 +91,9 @@ ENV VENV_PATH="/ak-root/venv" \
     POETRY_VIRTUALENVS_CREATE=false \
     PATH="/ak-root/venv/bin:$PATH"
 
-RUN --mount=type=cache,target=/var/cache/apt \
+RUN rm -f /etc/apt/apt.conf.d/docker-clean; echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache
+
+RUN --mount=type=cache,id=apt-$TARGETARCH$TARGETVARIANT,sharing=locked,target=/var/cache/apt \
     apt-get update && \
     # Required for installing pip packages
     apt-get install -y --no-install-recommends build-essential pkg-config libxmlsec1-dev zlib1g-dev libpq-dev

Makefile

@@ -110,8 +110,6 @@ gen-diff:  ## (Release) generate the changelog diff between the current schema a
 		--markdown /local/diff.md \
 		/local/old_schema.yml /local/schema.yml
 	rm old_schema.yml
-	sed -i 's/{/{/g' diff.md
-	sed -i 's/}/}/g' diff.md
 	npx prettier --write diff.md
 
 gen-clean:

authentik/__init__.py

@@ -2,7 +2,7 @@
 from os import environ
 from typing import Optional
 
-__version__ = "2023.10.3"
+__version__ = "2023.10.6"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
 
 

authentik/api/schema.py

@@ -13,8 +13,6 @@ from rest_framework.settings import api_settings
 
 from authentik.api.pagination import PAGINATION_COMPONENT_NAME, PAGINATION_SCHEMA
 
-from authentik.api.apps import AuthentikAPIConfig
-
 
 def build_standard_type(obj, **kwargs):
     """Build a basic type with optional add owns."""
@@ -102,12 +100,3 @@ def postprocess_schema_responses(result, generator: SchemaGenerator, **kwargs):
             comp = result["components"]["schemas"][component]
             comp["additionalProperties"] = {}
     return result
-
-
-def preprocess_schema_exclude_non_api(endpoints, **kwargs):
-    """Filter out all API Views which are not mounted under /api"""
-    return [
-        (path, path_regex, method, callback)
-        for path, path_regex, method, callback in endpoints
-        if path.startswith("/" + AuthentikAPIConfig.mountpoint)
-    ]

authentik/api/v3/config.py

@@ -93,10 +93,10 @@ class ConfigView(APIView):
                     "traces_sample_rate": float(CONFIG.get("error_reporting.sample_rate", 0.4)),
                 },
                 "capabilities": self.get_capabilities(),
-                "cache_timeout": CONFIG.get_int("cache.timeout"),
-                "cache_timeout_flows": CONFIG.get_int("cache.timeout_flows"),
-                "cache_timeout_policies": CONFIG.get_int("cache.timeout_policies"),
-                "cache_timeout_reputation": CONFIG.get_int("cache.timeout_reputation"),
+                "cache_timeout": CONFIG.get_int("redis.cache_timeout"),
+                "cache_timeout_flows": CONFIG.get_int("redis.cache_timeout_flows"),
+                "cache_timeout_policies": CONFIG.get_int("redis.cache_timeout_policies"),
+                "cache_timeout_reputation": CONFIG.get_int("redis.cache_timeout_reputation"),
             }
         )
 

authentik/api/v3/urls.py

@@ -21,7 +21,9 @@ _other_urls = []
 for _authentik_app in get_apps():
     try:
         api_urls = import_module(f"{_authentik_app.name}.urls")
-    except (ModuleNotFoundError, ImportError) as exc:
+    except ModuleNotFoundError:
+        continue
+    except ImportError as exc:
         LOGGER.warning("Could not import app's URLs", app_name=_authentik_app.name, exc=exc)
         continue
     if not hasattr(api_urls, "api_urlpatterns"):

authentik/blueprints/apps.py

@@ -40,7 +40,7 @@ class ManagedAppConfig(AppConfig):
                 meth()
                 self._logger.debug("Successfully reconciled", name=name)
             except (DatabaseError, ProgrammingError, InternalError) as exc:
-                self._logger.debug("Failed to run reconcile", name=name, exc=exc)
+                self._logger.warning("Failed to run reconcile", name=name, exc=exc)
 
 
 class AuthentikBlueprintsConfig(ManagedAppConfig):

authentik/blueprints/v1/tasks.py

@@ -75,13 +75,13 @@ class BlueprintEventHandler(FileSystemEventHandler):
             return
         if event.is_directory:
             return
+        root = Path(CONFIG.get("blueprints_dir")).absolute()
+        path = Path(event.src_path).absolute()
+        rel_path = str(path.relative_to(root))
         if isinstance(event, FileCreatedEvent):
-            LOGGER.debug("new blueprint file created, starting discovery")
-            blueprints_discovery.delay()
+            LOGGER.debug("new blueprint file created, starting discovery", path=rel_path)
+            blueprints_discovery.delay(rel_path)
         if isinstance(event, FileModifiedEvent):
-            path = Path(event.src_path)
-            root = Path(CONFIG.get("blueprints_dir")).absolute()
-            rel_path = str(path.relative_to(root))
             for instance in BlueprintInstance.objects.filter(path=rel_path, enabled=True):
                 LOGGER.debug("modified blueprint file, starting apply", instance=instance)
                 apply_blueprint.delay(instance.pk.hex)
@@ -98,39 +98,32 @@ def blueprints_find_dict():
     return blueprints
 
 
-def blueprints_find():
+def blueprints_find() -> list[BlueprintFile]:
     """Find blueprints and return valid ones"""
     blueprints = []
     root = Path(CONFIG.get("blueprints_dir"))
     for path in root.rglob("**/*.yaml"):
+        rel_path = path.relative_to(root)
         # Check if any part in the path starts with a dot and assume a hidden file
         if any(part for part in path.parts if part.startswith(".")):
             continue
-        LOGGER.debug("found blueprint", path=str(path))
         with open(path, "r", encoding="utf-8") as blueprint_file:
             try:
                 raw_blueprint = load(blueprint_file.read(), BlueprintLoader)
             except YAMLError as exc:
                 raw_blueprint = None
-                LOGGER.warning("failed to parse blueprint", exc=exc, path=str(path))
+                LOGGER.warning("failed to parse blueprint", exc=exc, path=str(rel_path))
             if not raw_blueprint:
                 continue
             metadata = raw_blueprint.get("metadata", None)
             version = raw_blueprint.get("version", 1)
             if version != 1:
-                LOGGER.warning("invalid blueprint version", version=version, path=str(path))
+                LOGGER.warning("invalid blueprint version", version=version, path=str(rel_path))
                 continue
         file_hash = sha512(path.read_bytes()).hexdigest()
-        blueprint = BlueprintFile(
-            str(path.relative_to(root)), version, file_hash, int(path.stat().st_mtime)
-        )
+        blueprint = BlueprintFile(str(rel_path), version, file_hash, int(path.stat().st_mtime))
         blueprint.meta = from_dict(BlueprintMetadata, metadata) if metadata else None
         blueprints.append(blueprint)
-        LOGGER.debug(
-            "parsed & loaded blueprint",
-            hash=file_hash,
-            path=str(path),
-        )
     return blueprints
 
 
@@ -138,10 +131,12 @@ def blueprints_find():
     throws=(DatabaseError, ProgrammingError, InternalError), base=MonitoredTask, bind=True
 )
 @prefill_task
-def blueprints_discovery(self: MonitoredTask):
+def blueprints_discovery(self: MonitoredTask, path: Optional[str] = None):
     """Find blueprints and check if they need to be created in the database"""
     count = 0
     for blueprint in blueprints_find():
+        if path and blueprint.path != path:
+            continue
         check_blueprint_v1_file(blueprint)
         count += 1
     self.set_status(
@@ -171,7 +166,11 @@ def check_blueprint_v1_file(blueprint: BlueprintFile):
             metadata={},
         )
         instance.save()
+        LOGGER.info(
+            "Creating new blueprint instance from file", instance=instance, path=instance.path
+        )
     if instance.last_applied_hash != blueprint.hash:
+        LOGGER.info("Applying blueprint due to changed file", instance=instance, path=instance.path)
         apply_blueprint.delay(str(instance.pk))
 
 

authentik/core/api/sources.py

@@ -38,7 +38,7 @@ class SourceSerializer(ModelSerializer, MetaNameSerializer):
 
     managed = ReadOnlyField()
     component = SerializerMethodField()
-    icon = ReadOnlyField(source="get_icon")
+    icon = ReadOnlyField(source="icon_url")
 
     def get_component(self, obj: Source) -> str:
         """Get object component so that we know how to edit the object"""

authentik/core/api/users.py

@@ -171,6 +171,11 @@ class UserSerializer(ModelSerializer):
             raise ValidationError("Setting a user to internal service account is not allowed.")
         return user_type
 
+    def validate(self, attrs: dict) -> dict:
+        if self.instance and self.instance.type == UserTypes.INTERNAL_SERVICE_ACCOUNT:
+            raise ValidationError("Can't modify internal service account users")
+        return super().validate(attrs)
+
     class Meta:
         model = User
         fields = [

authentik/core/expression/evaluator.py

@@ -44,6 +44,7 @@ class PropertyMappingEvaluator(BaseEvaluator):
         if request:
             req.http_request = request
         self._context["request"] = req
+        req.context.update(**kwargs)
         self._context.update(**kwargs)
         self.dry_run = dry_run
 

authentik/core/templates/base/skeleton.html

@@ -13,7 +13,6 @@
         {% block head_before %}
         {% endblock %}
         <link rel="stylesheet" type="text/css" href="{% static 'dist/authentik.css' %}">
-        <link rel="stylesheet" type="text/css" href="{% static 'dist/theme-dark.css' %}" media="(prefers-color-scheme: dark)">
         <link rel="stylesheet" type="text/css" href="{% static 'dist/custom.css' %}" data-inject>
         <script src="{% static 'dist/poly.js' %}?version={{ version }}" type="module"></script>
         <script src="{% static 'dist/standalone/loading/index.js' %}?version={{ version }}" type="module"></script>

authentik/core/templates/login/base_full.html

@@ -6,6 +6,7 @@
 {% block head_before %}
 <link rel="prefetch" href="/static/dist/assets/images/flow_background.jpg" />
 <link rel="stylesheet" type="text/css" href="{% static 'dist/patternfly.min.css' %}">
+<link rel="stylesheet" type="text/css" href="{% static 'dist/theme-dark.css' %}" media="(prefers-color-scheme: dark)">
 {% include "base/header_js.html" %}
 {% endblock %}
 

authentik/events/middleware.py

@@ -27,6 +27,7 @@ from authentik.lib.sentry import before_send
 from authentik.lib.utils.errors import exception_to_string
 from authentik.outposts.models import OutpostServiceConnection
 from authentik.policies.models import Policy, PolicyBindingModel
+from authentik.policies.reputation.models import Reputation
 from authentik.providers.oauth2.models import AccessToken, AuthorizationCode, RefreshToken
 from authentik.providers.scim.models import SCIMGroup, SCIMUser
 from authentik.stages.authenticator_static.models import StaticToken
@@ -52,11 +53,13 @@ IGNORED_MODELS = (
     RefreshToken,
     SCIMUser,
     SCIMGroup,
+    Reputation,
 )
 
 
 def should_log_model(model: Model) -> bool:
     """Return true if operation on `model` should be logged"""
+    # Check for silk by string so this comparison doesn't fail when silk isn't installed
     if model.__module__.startswith("silk"):
         return False
     return model.__class__ not in IGNORED_MODELS
@@ -93,21 +96,30 @@ class AuditMiddleware:
     of models"""
 
     get_response: Callable[[HttpRequest], HttpResponse]
+    anonymous_user: User = None
 
     def __init__(self, get_response: Callable[[HttpRequest], HttpResponse]):
         self.get_response = get_response
 
+    def _ensure_fallback_user(self):
+        """Defer fetching anonymous user until we have to"""
+        if self.anonymous_user:
+            return
+        from guardian.shortcuts import get_anonymous_user
+
+        self.anonymous_user = get_anonymous_user()
+
     def connect(self, request: HttpRequest):
         """Connect signal for automatic logging"""
-        if not hasattr(request, "user"):
-            return
-        if not getattr(request.user, "is_authenticated", False):
-            return
+        self._ensure_fallback_user()
+        user = getattr(request, "user", self.anonymous_user)
+        if not user.is_authenticated:
+            user = self.anonymous_user
         if not hasattr(request, "request_id"):
             return
-        post_save_handler = partial(self.post_save_handler, user=request.user, request=request)
-        pre_delete_handler = partial(self.pre_delete_handler, user=request.user, request=request)
-        m2m_changed_handler = partial(self.m2m_changed_handler, user=request.user, request=request)
+        post_save_handler = partial(self.post_save_handler, user=user, request=request)
+        pre_delete_handler = partial(self.pre_delete_handler, user=user, request=request)
+        m2m_changed_handler = partial(self.m2m_changed_handler, user=user, request=request)
         post_save.connect(
             post_save_handler,
             dispatch_uid=request.request_id,

authentik/events/models.py

@@ -217,6 +217,7 @@ class Event(SerializerModel, ExpiringModel):
                 "path": request.path,
                 "method": request.method,
                 "args": cleanse_dict(QueryDict(request.META.get("QUERY_STRING", ""))),
+                "user_agent": request.META.get("HTTP_USER_AGENT", ""),
             }
             # Special case for events created during flow execution
             # since they keep the http query within a wrapped query

authentik/events/tests/test_event.py

@@ -53,7 +53,15 @@ class TestEvents(TestCase):
         """Test plain from_http"""
         event = Event.new("unittest").from_http(self.factory.get("/"))
         self.assertEqual(
-            event.context, {"http_request": {"args": {}, "method": "GET", "path": "/"}}
+            event.context,
+            {
+                "http_request": {
+                    "args": {},
+                    "method": "GET",
+                    "path": "/",
+                    "user_agent": "",
+                }
+            },
         )
 
     def test_from_http_clean_querystring(self):
@@ -67,6 +75,7 @@ class TestEvents(TestCase):
                     "args": {"token": SafeExceptionReporterFilter.cleansed_substitute},
                     "method": "GET",
                     "path": "/",
+                    "user_agent": "",
                 }
             },
         )
@@ -83,6 +92,7 @@ class TestEvents(TestCase):
                     "args": {"token": SafeExceptionReporterFilter.cleansed_substitute},
                     "method": "GET",
                     "path": "/",
+                    "user_agent": "",
                 }
             },
         )

authentik/events/utils.py

@@ -5,12 +5,13 @@ from dataclasses import asdict, is_dataclass
 from datetime import date, datetime, time, timedelta
 from enum import Enum
 from pathlib import Path
-from types import GeneratorType
+from types import GeneratorType, NoneType
 from typing import Any, Optional
 from uuid import UUID
 
 from django.contrib.auth.models import AnonymousUser
 from django.core.handlers.wsgi import WSGIRequest
+from django.core.serializers.json import DjangoJSONEncoder
 from django.db import models
 from django.db.models.base import Model
 from django.http.request import HttpRequest
@@ -159,7 +160,14 @@ def sanitize_item(value: Any) -> Any:
             "name": value.__name__,
             "module": value.__module__,
         }
-    return value
+    # List taken from the stdlib's JSON encoder (_make_iterencode, encoder.py:415)
+    if isinstance(value, (bool, int, float, NoneType, list, tuple, dict)):
+        return value
+    try:
+        return DjangoJSONEncoder().default(value)
+    except TypeError:
+        return str(value)
+    return str(value)
 
 
 def sanitize_dict(source: dict[Any, Any]) -> dict[Any, Any]:

authentik/flows/planner.py

@@ -33,7 +33,7 @@ PLAN_CONTEXT_SOURCE = "source"
 # Is set by the Flow Planner when a FlowToken was used, and the currently active flow plan
 # was restored.
 PLAN_CONTEXT_IS_RESTORED = "is_restored"
-CACHE_TIMEOUT = CONFIG.get_int("cache.timeout_flows")
+CACHE_TIMEOUT = CONFIG.get_int("redis.cache_timeout_flows")
 CACHE_PREFIX = "goauthentik.io/flows/planner/"
 
 

authentik/flows/stage.py

@@ -167,7 +167,11 @@ class ChallengeStageView(StageView):
                 stage_type=self.__class__.__name__, method="get_challenge"
             ).time(),
         ):
-            challenge = self.get_challenge(*args, **kwargs)
+            try:
+                challenge = self.get_challenge(*args, **kwargs)
+            except StageInvalidException as exc:
+                self.logger.debug("Got StageInvalidException", exc=exc)
+                return self.executor.stage_invalid()
         with Hub.current.start_span(
             op="authentik.flow.stage._get_challenge",
             description=self.__class__.__name__,

authentik/lib/config.py

@@ -1,6 +1,4 @@
 """authentik core config loader"""
-import base64
-import json
 import os
 from collections.abc import Mapping
 from contextlib import contextmanager
@@ -24,25 +22,6 @@ SEARCH_PATHS = ["authentik/lib/default.yml", "/etc/authentik/config.yml", ""] +
 ENV_PREFIX = "AUTHENTIK"
 ENVIRONMENT = os.getenv(f"{ENV_PREFIX}_ENV", "local")
 
-REDIS_ENV_KEYS = [
-    f"{ENV_PREFIX}_REDIS__HOST",
-    f"{ENV_PREFIX}_REDIS__PORT",
-    f"{ENV_PREFIX}_REDIS__DB",
-    f"{ENV_PREFIX}_REDIS__USERNAME",
-    f"{ENV_PREFIX}_REDIS__PASSWORD",
-    f"{ENV_PREFIX}_REDIS__TLS",
-    f"{ENV_PREFIX}_REDIS__TLS_REQS",
-]
-
-DEPRECATIONS = {
-    "redis.broker_url": "broker.url",
-    "redis.broker_transport_options": "broker.transport_options",
-    "redis.cache_timeout": "cache.timeout",
-    "redis.cache_timeout_flows": "cache.timeout_flows",
-    "redis.cache_timeout_policies": "cache.timeout_policies",
-    "redis.cache_timeout_reputation": "cache.timeout_reputation",
-}
-
 
 def get_path_from_dict(root: dict, path: str, sep=".", default=None) -> Any:
     """Recursively walk through `root`, checking each part of `path` separated by `sep`.
@@ -102,10 +81,6 @@ class AttrEncoder(JSONEncoder):
         return super().default(o)
 
 
-class UNSET:
-    """Used to test whether configuration key has not been set."""
-
-
 class ConfigLoader:
     """Search through SEARCH_PATHS and load configuration. Environment variables starting with
     `ENV_PREFIX` are also applied.
@@ -138,40 +113,6 @@ class ConfigLoader:
                         self.update_from_file(env_file)
         self.update_from_env()
         self.update(self.__config, kwargs)
-        self.check_deprecations()
-
-    def check_deprecations(self):
-        """Warn if any deprecated configuration options are used"""
-
-        def _pop_deprecated_key(current_obj, dot_parts, index):
-            """Recursive function to remove deprecated keys in configuration"""
-            dot_part = dot_parts[index]
-            if index == len(dot_parts) - 1:
-                return current_obj.pop(dot_part)
-            value = _pop_deprecated_key(current_obj[dot_part], dot_parts, index + 1)
-            if not current_obj[dot_part]:
-                current_obj.pop(dot_part)
-            return value
-
-        for deprecation, replacement in DEPRECATIONS.items():
-            if self.get(deprecation, default=UNSET) is not UNSET:
-                message = (
-                    f"'{deprecation}' has been deprecated in favor of '{replacement}'! "
-                    + "Please update your configuration."
-                )
-                self.log(
-                    "warning",
-                    message,
-                )
-                try:
-                    from authentik.events.models import Event, EventAction
-
-                    Event.new(EventAction.CONFIGURATION_ERROR, message=message).save()
-                except ImportError:
-                    continue
-
-                deprecated_attr = _pop_deprecated_key(self.__config, deprecation.split("."), 0)
-                self.set(replacement, deprecated_attr.value)
 
     def log(self, level: str, message: str, **kwargs):
         """Custom Log method, we want to ensure ConfigLoader always logs JSON even when
@@ -239,10 +180,6 @@ class ConfigLoader:
                 error=str(exc),
             )
 
-    def update_from_dict(self, update: dict):
-        """Update config from dict"""
-        self.__config.update(update)
-
     def update_from_env(self):
         """Check environment variables"""
         outer = {}
@@ -251,13 +188,19 @@ class ConfigLoader:
             if not key.startswith(ENV_PREFIX):
                 continue
             relative_key = key.replace(f"{ENV_PREFIX}_", "", 1).replace("__", ".").lower()
+            # Recursively convert path from a.b.c into outer[a][b][c]
+            current_obj = outer
+            dot_parts = relative_key.split(".")
+            for dot_part in dot_parts[:-1]:
+                if dot_part not in current_obj:
+                    current_obj[dot_part] = {}
+                current_obj = current_obj[dot_part]
             # Check if the value is json, and try to load it
             try:
                 value = loads(value)
             except JSONDecodeError:
                 pass
-            attr_value = Attr(value, Attr.Source.ENV, relative_key)
-            set_path_in_dict(outer, relative_key, attr_value)
+            current_obj[dot_parts[-1]] = Attr(value, Attr.Source.ENV, key)
             idx += 1
         if idx > 0:
             self.log("debug", "Loaded environment variables", count=idx)
@@ -298,23 +241,6 @@ class ConfigLoader:
         """Wrapper for get that converts value into boolean"""
         return str(self.get(path, default)).lower() == "true"
 
-    def get_dict_from_b64_json(self, path: str, default=None) -> dict:
-        """Wrapper for get that converts value from Base64 encoded string into dictionary"""
-        config_value = self.get(path)
-        if config_value is None:
-            return {}
-        try:
-            b64decoded_str = base64.b64decode(config_value).decode("utf-8")
-            b64decoded_str = b64decoded_str.strip().lstrip("{").rstrip("}")
-            b64decoded_str = "{" + b64decoded_str + "}"
-            return json.loads(b64decoded_str)
-        except (JSONDecodeError, TypeError, ValueError) as exc:
-            self.log(
-                "warning",
-                f"Ignored invalid configuration for '{path}' due to exception: {str(exc)}",
-            )
-            return default if isinstance(default, dict) else {}
-
     def set(self, path: str, value: Any, sep="."):
         """Set value using same syntax as get()"""
         set_path_in_dict(self.raw, path, Attr(value), sep=sep)

authentik/lib/default.yml

@@ -28,28 +28,14 @@ listen:
 redis:
   host: localhost
   port: 6379
-  db: 0
-  username: ""
   password: ""
   tls: false
   tls_reqs: "none"
-
-# broker:
-  # url: ""
-  # transport_options: ""
-
-cache:
-  # url: ""
-  timeout: 300
-  timeout_flows: 300
-  timeout_policies: 300
-  timeout_reputation: 300
-
-# channel:
-  # url: ""
-
-# result_backend:
-  # url: ""
+  db: 0
+  cache_timeout: 300
+  cache_timeout_flows: 300
+  cache_timeout_policies: 300
+  cache_timeout_reputation: 300
 
 paths:
   media: ./media

authentik/lib/tests/test_config.py

@@ -1,32 +1,20 @@
 """Test config loader"""
-import base64
-from json import dumps
 from os import chmod, environ, unlink, write
 from tempfile import mkstemp
-from unittest import mock
 
 from django.conf import ImproperlyConfigured
 from django.test import TestCase
 
-from authentik.lib.config import ENV_PREFIX, UNSET, Attr, AttrEncoder, ConfigLoader
+from authentik.lib.config import ENV_PREFIX, ConfigLoader
 
 
 class TestConfig(TestCase):
     """Test config loader"""
 
-    check_deprecations_env_vars = {
-        ENV_PREFIX + "_REDIS__BROKER_URL": "redis://myredis:8327/43",
-        ENV_PREFIX + "_REDIS__BROKER_TRANSPORT_OPTIONS": "bWFzdGVybmFtZT1teW1hc3Rlcg==",
-        ENV_PREFIX + "_REDIS__CACHE_TIMEOUT": "124s",
-        ENV_PREFIX + "_REDIS__CACHE_TIMEOUT_FLOWS": "32m",
-        ENV_PREFIX + "_REDIS__CACHE_TIMEOUT_POLICIES": "3920ns",
-        ENV_PREFIX + "_REDIS__CACHE_TIMEOUT_REPUTATION": "298382us",
-    }
-
-    @mock.patch.dict(environ, {ENV_PREFIX + "_test__test": "bar"})
     def test_env(self):
         """Test simple instance"""
         config = ConfigLoader()
+        environ[ENV_PREFIX + "_test__test"] = "bar"
         config.update_from_env()
         self.assertEqual(config.get("test.test"), "bar")
 
@@ -39,20 +27,12 @@ class TestConfig(TestCase):
             self.assertEqual(config.get("foo.bar"), "baz")
         self.assertEqual(config.get("foo.bar"), "bar")
 
-    @mock.patch.dict(environ, {"foo": "bar"})
     def test_uri_env(self):
         """Test URI parsing (environment)"""
         config = ConfigLoader()
-        foo_uri = "env://foo"
-        foo_parsed = config.parse_uri(foo_uri)
-        self.assertEqual(foo_parsed.value, "bar")
-        self.assertEqual(foo_parsed.source_type, Attr.Source.URI)
-        self.assertEqual(foo_parsed.source, foo_uri)
-        foo_bar_uri = "env://foo?bar"
-        foo_bar_parsed = config.parse_uri(foo_bar_uri)
-        self.assertEqual(foo_bar_parsed.value, "bar")
-        self.assertEqual(foo_bar_parsed.source_type, Attr.Source.URI)
-        self.assertEqual(foo_bar_parsed.source, foo_bar_uri)
+        environ["foo"] = "bar"
+        self.assertEqual(config.parse_uri("env://foo").value, "bar")
+        self.assertEqual(config.parse_uri("env://foo?bar").value, "bar")
 
     def test_uri_file(self):
         """Test URI parsing (file load)"""
@@ -111,60 +91,3 @@ class TestConfig(TestCase):
         config = ConfigLoader()
         config.set("foo", "bar")
         self.assertEqual(config.get_int("foo", 1234), 1234)
-
-    def test_get_dict_from_b64_json(self):
-        """Test get_dict_from_b64_json"""
-        config = ConfigLoader()
-        test_value = '  { "foo": "bar"   }   '.encode("utf-8")
-        b64_value = base64.b64encode(test_value)
-        config.set("foo", b64_value)
-        self.assertEqual(config.get_dict_from_b64_json("foo"), {"foo": "bar"})
-
-    def test_get_dict_from_b64_json_missing_brackets(self):
-        """Test get_dict_from_b64_json with missing brackets"""
-        config = ConfigLoader()
-        test_value = ' "foo": "bar"     '.encode("utf-8")
-        b64_value = base64.b64encode(test_value)
-        config.set("foo", b64_value)
-        self.assertEqual(config.get_dict_from_b64_json("foo"), {"foo": "bar"})
-
-    def test_get_dict_from_b64_json_invalid(self):
-        """Test get_dict_from_b64_json with invalid value"""
-        config = ConfigLoader()
-        config.set("foo", "bar")
-        self.assertEqual(config.get_dict_from_b64_json("foo"), {})
-
-    def test_attr_json_encoder(self):
-        """Test AttrEncoder"""
-        test_attr = Attr("foo", Attr.Source.ENV, "AUTHENTIK_REDIS__USERNAME")
-        json_attr = dumps(test_attr, indent=4, cls=AttrEncoder)
-        self.assertEqual(json_attr, '"foo"')
-
-    def test_attr_json_encoder_no_attr(self):
-        """Test AttrEncoder if no Attr is passed"""
-
-        class Test:
-            """Non Attr class"""
-
-        with self.assertRaises(TypeError):
-            test_obj = Test()
-            dumps(test_obj, indent=4, cls=AttrEncoder)
-
-    @mock.patch.dict(environ, check_deprecations_env_vars)
-    def test_check_deprecations(self):
-        """Test config key re-write for deprecated env vars"""
-        config = ConfigLoader()
-        config.update_from_env()
-        config.check_deprecations()
-        self.assertEqual(config.get("redis.broker_url", UNSET), UNSET)
-        self.assertEqual(config.get("redis.broker_transport_options", UNSET), UNSET)
-        self.assertEqual(config.get("redis.cache_timeout", UNSET), UNSET)
-        self.assertEqual(config.get("redis.cache_timeout_flows", UNSET), UNSET)
-        self.assertEqual(config.get("redis.cache_timeout_policies", UNSET), UNSET)
-        self.assertEqual(config.get("redis.cache_timeout_reputation", UNSET), UNSET)
-        self.assertEqual(config.get("broker.url"), "redis://myredis:8327/43")
-        self.assertEqual(config.get("broker.transport_options"), "bWFzdGVybmFtZT1teW1hc3Rlcg==")
-        self.assertEqual(config.get("cache.timeout"), "124s")
-        self.assertEqual(config.get("cache.timeout_flows"), "32m")
-        self.assertEqual(config.get("cache.timeout_policies"), "3920ns")
-        self.assertEqual(config.get("cache.timeout_reputation"), "298382us")

authentik/outposts/api/outposts.py

@@ -18,7 +18,7 @@ from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import PassiveSerializer, is_dict
 from authentik.core.models import Provider
 from authentik.outposts.api.service_connections import ServiceConnectionSerializer
-from authentik.outposts.apps import MANAGED_OUTPOST
+from authentik.outposts.apps import MANAGED_OUTPOST, MANAGED_OUTPOST_NAME
 from authentik.outposts.models import (
     Outpost,
     OutpostConfig,
@@ -47,6 +47,16 @@ class OutpostSerializer(ModelSerializer):
         source="service_connection", read_only=True
     )
 
+    def validate_name(self, name: str) -> str:
+        """Validate name (especially for embedded outpost)"""
+        if not self.instance:
+            return name
+        if self.instance.managed == MANAGED_OUTPOST and name != MANAGED_OUTPOST_NAME:
+            raise ValidationError("Embedded outpost's name cannot be changed")
+        if self.instance.name == MANAGED_OUTPOST_NAME:
+            self.instance.managed = MANAGED_OUTPOST
+        return name
+
     def validate_providers(self, providers: list[Provider]) -> list[Provider]:
         """Check that all providers match the type of the outpost"""
         type_map = {

authentik/outposts/apps.py

@@ -15,6 +15,7 @@ GAUGE_OUTPOSTS_LAST_UPDATE = Gauge(
     ["outpost", "uid", "version"],
 )
 MANAGED_OUTPOST = "goauthentik.io/outposts/embedded"
+MANAGED_OUTPOST_NAME = "authentik Embedded Outpost"
 
 
 class AuthentikOutpostConfig(ManagedAppConfig):
@@ -35,14 +36,17 @@ class AuthentikOutpostConfig(ManagedAppConfig):
             DockerServiceConnection,
             KubernetesServiceConnection,
             Outpost,
-            OutpostConfig,
             OutpostType,
         )
 
+        if outpost := Outpost.objects.filter(name=MANAGED_OUTPOST_NAME, managed="").first():
+            outpost.managed = MANAGED_OUTPOST
+            outpost.save()
+            return
         outpost, updated = Outpost.objects.update_or_create(
             defaults={
-                "name": "authentik Embedded Outpost",
                 "type": OutpostType.PROXY,
+                "name": MANAGED_OUTPOST_NAME,
             },
             managed=MANAGED_OUTPOST,
         )
@@ -51,10 +55,4 @@ class AuthentikOutpostConfig(ManagedAppConfig):
                 outpost.service_connection = KubernetesServiceConnection.objects.first()
             elif DockerServiceConnection.objects.exists():
                 outpost.service_connection = DockerServiceConnection.objects.first()
-            outpost.config = OutpostConfig(
-                kubernetes_disabled_components=[
-                    "deployment",
-                    "secret",
-                ]
-            )
             outpost.save()

authentik/outposts/consumer.py

@@ -93,7 +93,7 @@ class OutpostConsumer(AuthJsonConsumer):
                 expected=self.outpost.config.kubernetes_replicas,
             ).dec()
 
-    def receive_json(self, content: Data, **kwargs):
+    def receive_json(self, content: Data):
         msg = from_dict(WebsocketMessage, content)
         uid = msg.args.get("uuid", self.channel_name)
         self.last_uid = uid

authentik/outposts/controllers/k8s/deployment.py

@@ -43,6 +43,10 @@ class DeploymentReconciler(KubernetesObjectReconciler[V1Deployment]):
         self.api = AppsV1Api(controller.client)
         self.outpost = self.controller.outpost
 
+    @property
+    def noop(self) -> bool:
+        return self.is_embedded
+
     @staticmethod
     def reconciler_name() -> str:
         return "deployment"

authentik/outposts/controllers/k8s/secret.py

@@ -24,6 +24,10 @@ class SecretReconciler(KubernetesObjectReconciler[V1Secret]):
         super().__init__(controller)
         self.api = CoreV1Api(controller.client)
 
+    @property
+    def noop(self) -> bool:
+        return self.is_embedded
+
     @staticmethod
     def reconciler_name() -> str:
         return "secret"

authentik/outposts/controllers/k8s/service_monitor.py

@@ -77,7 +77,10 @@ class PrometheusServiceMonitorReconciler(KubernetesObjectReconciler[PrometheusSe
 
     @property
     def noop(self) -> bool:
-        return (not self._crd_exists()) or (self.is_embedded)
+        if not self._crd_exists():
+            self.logger.debug("CRD doesn't exist")
+            return True
+        return self.is_embedded
 
     def _crd_exists(self) -> bool:
         """Check if the Prometheus ServiceMonitor exists"""

authentik/outposts/models.py

@@ -344,12 +344,22 @@ class Outpost(SerializerModel, ManagedModel):
         user_created = False
         if not user:
             user: User = User.objects.create(username=self.user_identifier)
-            user.set_unusable_password()
             user_created = True
-        user.type = UserTypes.INTERNAL_SERVICE_ACCOUNT
-        user.name = f"Outpost {self.name} Service-Account"
-        user.path = USER_PATH_OUTPOSTS
-        user.save()
+        attrs = {
+            "type": UserTypes.INTERNAL_SERVICE_ACCOUNT,
+            "name": f"Outpost {self.name} Service-Account",
+            "path": USER_PATH_OUTPOSTS,
+        }
+        dirty = False
+        for key, value in attrs.items():
+            if getattr(user, key) != value:
+                dirty = True
+                setattr(user, key, value)
+        if user.has_usable_password():
+            user.set_unusable_password()
+            dirty = True
+        if dirty:
+            user.save()
         if user_created:
             self.build_user_permissions(user)
         return user

authentik/outposts/tests/test_api.py

@@ -2,11 +2,13 @@
 from django.urls import reverse
 from rest_framework.test import APITestCase
 
+from authentik.blueprints.tests import reconcile_app
 from authentik.core.models import PropertyMapping
 from authentik.core.tests.utils import create_test_admin_user, create_test_flow
 from authentik.lib.generators import generate_id
 from authentik.outposts.api.outposts import OutpostSerializer
-from authentik.outposts.models import OutpostType, default_outpost_config
+from authentik.outposts.apps import MANAGED_OUTPOST
+from authentik.outposts.models import Outpost, OutpostType, default_outpost_config
 from authentik.providers.ldap.models import LDAPProvider
 from authentik.providers.proxy.models import ProxyProvider
 
@@ -22,7 +24,36 @@ class TestOutpostServiceConnectionsAPI(APITestCase):
         self.user = create_test_admin_user()
         self.client.force_login(self.user)
 
-    def test_outpost_validaton(self):
+    @reconcile_app("authentik_outposts")
+    def test_managed_name_change(self):
+        """Test name change for embedded outpost"""
+        embedded_outpost = Outpost.objects.filter(managed=MANAGED_OUTPOST).first()
+        self.assertIsNotNone(embedded_outpost)
+        response = self.client.patch(
+            reverse("authentik_api:outpost-detail", kwargs={"pk": embedded_outpost.pk}),
+            {"name": "foo"},
+        )
+        self.assertEqual(response.status_code, 400)
+        self.assertJSONEqual(
+            response.content, {"name": ["Embedded outpost's name cannot be changed"]}
+        )
+
+    @reconcile_app("authentik_outposts")
+    def test_managed_without_managed(self):
+        """Test name change for embedded outpost"""
+        embedded_outpost = Outpost.objects.filter(managed=MANAGED_OUTPOST).first()
+        self.assertIsNotNone(embedded_outpost)
+        embedded_outpost.managed = ""
+        embedded_outpost.save()
+        response = self.client.patch(
+            reverse("authentik_api:outpost-detail", kwargs={"pk": embedded_outpost.pk}),
+            {"name": "foo"},
+        )
+        self.assertEqual(response.status_code, 200)
+        embedded_outpost.refresh_from_db()
+        self.assertEqual(embedded_outpost.managed, MANAGED_OUTPOST)
+
+    def test_outpost_validation(self):
         """Test Outpost validation"""
         valid = OutpostSerializer(
             data={

authentik/policies/event_matcher/migrations/0019_alter_eventmatcherpolicy_app.py

@@ -39,7 +39,6 @@ class Migration(migrations.Migration):
                     ("authentik.sources.oauth", "authentik Sources.OAuth"),
                     ("authentik.sources.plex", "authentik Sources.Plex"),
                     ("authentik.sources.saml", "authentik Sources.SAML"),
-                    ("authentik.sources.scim", "authentik Sources.SCIM"),
                     ("authentik.stages.authenticator_duo", "authentik Stages.Authenticator.Duo"),
                     ("authentik.stages.authenticator_sms", "authentik Stages.Authenticator.SMS"),
                     (

authentik/policies/process.py

@@ -20,7 +20,7 @@ from authentik.policies.types import CACHE_PREFIX, PolicyRequest, PolicyResult
 LOGGER = get_logger()
 
 FORK_CTX = get_context("fork")
-CACHE_TIMEOUT = CONFIG.get_int("cache.timeout_policies")
+CACHE_TIMEOUT = CONFIG.get_int("redis.cache_timeout_policies")
 PROCESS_CLASS = FORK_CTX.Process
 
 

authentik/policies/reputation/signals.py

@@ -13,7 +13,7 @@ from authentik.policies.reputation.tasks import save_reputation
 from authentik.stages.identification.signals import identification_failed
 
 LOGGER = get_logger()
-CACHE_TIMEOUT = CONFIG.get_int("cache.timeout_reputation")
+CACHE_TIMEOUT = CONFIG.get_int("redis.cache_timeout_reputation")
 
 
 def update_score(request: HttpRequest, identifier: str, amount: int):

authentik/providers/oauth2/migrations/0017_accesstoken_session_id_authorizationcode_session_id_and_more.py

@@ -0,0 +1,27 @@
+# Generated by Django 5.0 on 2023-12-22 23:20
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("authentik_providers_oauth2", "0016_alter_refreshtoken_token"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="accesstoken",
+            name="session_id",
+            field=models.CharField(blank=True, default=""),
+        ),
+        migrations.AddField(
+            model_name="authorizationcode",
+            name="session_id",
+            field=models.CharField(blank=True, default=""),
+        ),
+        migrations.AddField(
+            model_name="refreshtoken",
+            name="session_id",
+            field=models.CharField(blank=True, default=""),
+        ),
+    ]

authentik/providers/oauth2/models.py

@@ -296,6 +296,7 @@ class BaseGrantModel(models.Model):
     revoked = models.BooleanField(default=False)
     _scope = models.TextField(default="", verbose_name=_("Scopes"))
     auth_time = models.DateTimeField(verbose_name="Authentication time")
+    session_id = models.CharField(default="", blank=True)
 
     @property
     def scope(self) -> list[str]:

authentik/providers/oauth2/tests/test_authorize.py

@@ -85,6 +85,25 @@ class TestAuthorize(OAuthTestCase):
             )
             OAuthAuthorizationParams.from_request(request)
 
+    def test_blocked_redirect_uri(self):
+        """test missing/invalid redirect URI"""
+        OAuth2Provider.objects.create(
+            name=generate_id(),
+            client_id="test",
+            authorization_flow=create_test_flow(),
+            redirect_uris="data:local.invalid",
+        )
+        with self.assertRaises(RedirectUriError):
+            request = self.factory.get(
+                "/",
+                data={
+                    "response_type": "code",
+                    "client_id": "test",
+                    "redirect_uri": "data:localhost",
+                },
+            )
+            OAuthAuthorizationParams.from_request(request)
+
     def test_invalid_redirect_uri_empty(self):
         """test missing/invalid redirect URI"""
         provider = OAuth2Provider.objects.create(

authentik/providers/oauth2/tests/test_token_pkce.py

@@ -0,0 +1,187 @@
+"""Test token view"""
+from base64 import b64encode, urlsafe_b64encode
+from hashlib import sha256
+
+from django.test import RequestFactory
+from django.urls import reverse
+
+from authentik.core.models import Application
+from authentik.core.tests.utils import create_test_admin_user, create_test_flow
+from authentik.flows.challenge import ChallengeTypes
+from authentik.lib.generators import generate_id
+from authentik.providers.oauth2.constants import GRANT_TYPE_AUTHORIZATION_CODE
+from authentik.providers.oauth2.models import AuthorizationCode, OAuth2Provider
+from authentik.providers.oauth2.tests.utils import OAuthTestCase
+
+
+class TestTokenPKCE(OAuthTestCase):
+    """Test token view"""
+
+    def setUp(self) -> None:
+        super().setUp()
+        self.factory = RequestFactory()
+        self.app = Application.objects.create(name=generate_id(), slug="test")
+
+    def test_pkce_missing_in_token(self):
+        """Test full with pkce"""
+        flow = create_test_flow()
+        provider = OAuth2Provider.objects.create(
+            name=generate_id(),
+            client_id="test",
+            authorization_flow=flow,
+            redirect_uris="foo://localhost",
+            access_code_validity="seconds=100",
+        )
+        Application.objects.create(name="app", slug="app", provider=provider)
+        state = generate_id()
+        user = create_test_admin_user()
+        self.client.force_login(user)
+        challenge = generate_id()
+        header = b64encode(f"{provider.client_id}:{provider.client_secret}".encode()).decode()
+        # Step 1, initiate params and get redirect to flow
+        self.client.get(
+            reverse("authentik_providers_oauth2:authorize"),
+            data={
+                "response_type": "code",
+                "client_id": "test",
+                "state": state,
+                "redirect_uri": "foo://localhost",
+                "code_challenge": challenge,
+                "code_challenge_method": "S256",
+            },
+        )
+        response = self.client.get(
+            reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
+        )
+        code: AuthorizationCode = AuthorizationCode.objects.filter(user=user).first()
+        self.assertJSONEqual(
+            response.content.decode(),
+            {
+                "component": "xak-flow-redirect",
+                "type": ChallengeTypes.REDIRECT.value,
+                "to": f"foo://localhost?code={code.code}&state={state}",
+            },
+        )
+        response = self.client.post(
+            reverse("authentik_providers_oauth2:token"),
+            data={
+                "grant_type": GRANT_TYPE_AUTHORIZATION_CODE,
+                "code": code.code,
+                # Missing the code_verifier here
+                "redirect_uri": "foo://localhost",
+            },
+            HTTP_AUTHORIZATION=f"Basic {header}",
+        )
+        self.assertJSONEqual(
+            response.content,
+            {"error": "invalid_request", "error_description": "The request is otherwise malformed"},
+        )
+        self.assertEqual(response.status_code, 400)
+
+    def test_pkce_correct_s256(self):
+        """Test full with pkce"""
+        flow = create_test_flow()
+        provider = OAuth2Provider.objects.create(
+            name=generate_id(),
+            client_id="test",
+            authorization_flow=flow,
+            redirect_uris="foo://localhost",
+            access_code_validity="seconds=100",
+        )
+        Application.objects.create(name="app", slug="app", provider=provider)
+        state = generate_id()
+        user = create_test_admin_user()
+        self.client.force_login(user)
+        verifier = generate_id()
+        challenge = (
+            urlsafe_b64encode(sha256(verifier.encode("ascii")).digest())
+            .decode("utf-8")
+            .replace("=", "")
+        )
+        header = b64encode(f"{provider.client_id}:{provider.client_secret}".encode()).decode()
+        # Step 1, initiate params and get redirect to flow
+        self.client.get(
+            reverse("authentik_providers_oauth2:authorize"),
+            data={
+                "response_type": "code",
+                "client_id": "test",
+                "state": state,
+                "redirect_uri": "foo://localhost",
+                "code_challenge": challenge,
+                "code_challenge_method": "S256",
+            },
+        )
+        response = self.client.get(
+            reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
+        )
+        code: AuthorizationCode = AuthorizationCode.objects.filter(user=user).first()
+        self.assertJSONEqual(
+            response.content.decode(),
+            {
+                "component": "xak-flow-redirect",
+                "type": ChallengeTypes.REDIRECT.value,
+                "to": f"foo://localhost?code={code.code}&state={state}",
+            },
+        )
+        response = self.client.post(
+            reverse("authentik_providers_oauth2:token"),
+            data={
+                "grant_type": GRANT_TYPE_AUTHORIZATION_CODE,
+                "code": code.code,
+                "code_verifier": verifier,
+                "redirect_uri": "foo://localhost",
+            },
+            HTTP_AUTHORIZATION=f"Basic {header}",
+        )
+        self.assertEqual(response.status_code, 200)
+
+    def test_pkce_correct_plain(self):
+        """Test full with pkce"""
+        flow = create_test_flow()
+        provider = OAuth2Provider.objects.create(
+            name=generate_id(),
+            client_id="test",
+            authorization_flow=flow,
+            redirect_uris="foo://localhost",
+            access_code_validity="seconds=100",
+        )
+        Application.objects.create(name="app", slug="app", provider=provider)
+        state = generate_id()
+        user = create_test_admin_user()
+        self.client.force_login(user)
+        verifier = generate_id()
+        header = b64encode(f"{provider.client_id}:{provider.client_secret}".encode()).decode()
+        # Step 1, initiate params and get redirect to flow
+        self.client.get(
+            reverse("authentik_providers_oauth2:authorize"),
+            data={
+                "response_type": "code",
+                "client_id": "test",
+                "state": state,
+                "redirect_uri": "foo://localhost",
+                "code_challenge": verifier,
+            },
+        )
+        response = self.client.get(
+            reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
+        )
+        code: AuthorizationCode = AuthorizationCode.objects.filter(user=user).first()
+        self.assertJSONEqual(
+            response.content.decode(),
+            {
+                "component": "xak-flow-redirect",
+                "type": ChallengeTypes.REDIRECT.value,
+                "to": f"foo://localhost?code={code.code}&state={state}",
+            },
+        )
+        response = self.client.post(
+            reverse("authentik_providers_oauth2:token"),
+            data={
+                "grant_type": GRANT_TYPE_AUTHORIZATION_CODE,
+                "code": code.code,
+                "code_verifier": verifier,
+                "redirect_uri": "foo://localhost",
+            },
+            HTTP_AUTHORIZATION=f"Basic {header}",
+        )
+        self.assertEqual(response.status_code, 200)

authentik/providers/oauth2/views/authorize.py

@@ -1,6 +1,7 @@
 """authentik OAuth2 Authorization views"""
 from dataclasses import dataclass, field
 from datetime import timedelta
+from hashlib import sha256
 from json import dumps
 from re import error as RegexError
 from re import fullmatch
@@ -74,6 +75,7 @@ PLAN_CONTEXT_PARAMS = "goauthentik.io/providers/oauth2/params"
 SESSION_KEY_LAST_LOGIN_UID = "authentik/providers/oauth2/last_login_uid"
 
 ALLOWED_PROMPT_PARAMS = {PROMPT_NONE, PROMPT_CONSENT, PROMPT_LOGIN}
+FORBIDDEN_URI_SCHEMES = {"javascript", "data", "vbscript"}
 
 
 @dataclass(slots=True)
@@ -174,6 +176,10 @@ class OAuthAuthorizationParams:
         self.check_scope()
         self.check_nonce()
         self.check_code_challenge()
+        if self.request:
+            raise AuthorizeError(
+                self.redirect_uri, "request_not_supported", self.grant_type, self.state
+            )
 
     def check_redirect_uri(self):
         """Redirect URI validation."""
@@ -211,10 +217,9 @@ class OAuthAuthorizationParams:
                     expected=allowed_redirect_urls,
                 )
                 raise RedirectUriError(self.redirect_uri, allowed_redirect_urls)
-        if self.request:
-            raise AuthorizeError(
-                self.redirect_uri, "request_not_supported", self.grant_type, self.state
-            )
+        # Check against forbidden schemes
+        if urlparse(self.redirect_uri).scheme in FORBIDDEN_URI_SCHEMES:
+            raise RedirectUriError(self.redirect_uri, allowed_redirect_urls)
 
     def check_scope(self):
         """Ensure openid scope is set in Hybrid flows, or when requesting an id_token"""
@@ -282,6 +287,7 @@ class OAuthAuthorizationParams:
             expires=now + timedelta_from_string(self.provider.access_code_validity),
             scope=self.scope,
             nonce=self.nonce,
+            session_id=sha256(request.session.session_key.encode("ascii")).hexdigest(),
         )
 
         if self.code_challenge and self.code_challenge_method:
@@ -569,6 +575,7 @@ class OAuthFulfillmentStage(StageView):
             expires=access_token_expiry,
             provider=self.provider,
             auth_time=auth_event.created if auth_event else now,
+            session_id=sha256(self.request.session.session_key.encode("ascii")).hexdigest(),
         )
 
         id_token = IDToken.new(self.provider, token, self.request)

authentik/providers/oauth2/views/token.py

@@ -6,6 +6,7 @@ from hashlib import sha256
 from re import error as RegexError
 from re import fullmatch
 from typing import Any, Optional
+from urllib.parse import urlparse
 
 from django.http import HttpRequest, HttpResponse
 from django.utils import timezone
@@ -54,6 +55,7 @@ from authentik.providers.oauth2.models import (
     RefreshToken,
 )
 from authentik.providers.oauth2.utils import TokenResponse, cors_allow, extract_client_auth
+from authentik.providers.oauth2.views.authorize import FORBIDDEN_URI_SCHEMES
 from authentik.sources.oauth.models import OAuthSource
 from authentik.stages.password.stage import PLAN_CONTEXT_METHOD, PLAN_CONTEXT_METHOD_ARGS
 
@@ -205,6 +207,10 @@ class TokenParams:
                 ).from_http(request)
                 raise TokenError("invalid_client")
 
+        # Check against forbidden schemes
+        if urlparse(self.redirect_uri).scheme in FORBIDDEN_URI_SCHEMES:
+            raise TokenError("invalid_request")
+
         self.authorization_code = AuthorizationCode.objects.filter(code=raw_code).first()
         if not self.authorization_code:
             LOGGER.warning("Code does not exist", code=raw_code)
@@ -222,7 +228,10 @@ class TokenParams:
             raise TokenError("invalid_grant")
 
         # Validate PKCE parameters.
-        if self.code_verifier:
+        if self.authorization_code.code_challenge:
+            # Authorization code had PKCE but we didn't get one
+            if not self.code_verifier:
+                raise TokenError("invalid_request")
             if self.authorization_code.code_challenge_method == PKCE_METHOD_S256:
                 new_code_challenge = (
                     urlsafe_b64encode(sha256(self.code_verifier.encode("ascii")).digest())
@@ -484,6 +493,7 @@ class TokenView(View):
             # Keep same scopes as previous token
             scope=self.params.authorization_code.scope,
             auth_time=self.params.authorization_code.auth_time,
+            session_id=self.params.authorization_code.session_id,
         )
         access_token.id_token = IDToken.new(
             self.provider,
@@ -499,6 +509,7 @@ class TokenView(View):
             expires=refresh_token_expiry,
             provider=self.provider,
             auth_time=self.params.authorization_code.auth_time,
+            session_id=self.params.authorization_code.session_id,
         )
         id_token = IDToken.new(
             self.provider,
@@ -536,6 +547,7 @@ class TokenView(View):
             # Keep same scopes as previous token
             scope=self.params.refresh_token.scope,
             auth_time=self.params.refresh_token.auth_time,
+            session_id=self.params.refresh_token.session_id,
         )
         access_token.id_token = IDToken.new(
             self.provider,
@@ -551,6 +563,7 @@ class TokenView(View):
             expires=refresh_token_expiry,
             provider=self.provider,
             auth_time=self.params.refresh_token.auth_time,
+            session_id=self.params.refresh_token.session_id,
         )
         id_token = IDToken.new(
             self.provider,

authentik/providers/proxy/tasks.py

@@ -1,4 +1,6 @@
 """proxy provider tasks"""
+from hashlib import sha256
+
 from asgiref.sync import async_to_sync
 from channels.layers import get_channel_layer
 from django.db import DatabaseError, InternalError, ProgrammingError
@@ -23,6 +25,7 @@ def proxy_set_defaults():
 def proxy_on_logout(session_id: str):
     """Update outpost instances connected to a single outpost"""
     layer = get_channel_layer()
+    hashed_session_id = sha256(session_id.encode("ascii")).hexdigest()
     for outpost in Outpost.objects.filter(type=OutpostType.PROXY):
         group = OUTPOST_GROUP % {"outpost_pk": str(outpost.pk)}
         async_to_sync(layer.group_send)(
@@ -30,6 +33,6 @@ def proxy_on_logout(session_id: str):
             {
                 "type": "event.provider.specific",
                 "sub_type": "logout",
-                "session_id": session_id,
+                "session_id": hashed_session_id,
             },
         )

authentik/providers/scim/tests/test_membership.py

@@ -93,7 +93,7 @@ class SCIMMembershipTests(TestCase):
                     "emails": [],
                     "active": True,
                     "externalId": user.uid,
-                    "name": {"familyName": "", "formatted": "", "givenName": ""},
+                    "name": {"familyName": " ", "formatted": " ", "givenName": ""},
                     "displayName": "",
                     "userName": user.username,
                 },
@@ -184,7 +184,7 @@ class SCIMMembershipTests(TestCase):
                     "displayName": "",
                     "emails": [],
                     "externalId": user.uid,
-                    "name": {"familyName": "", "formatted": "", "givenName": ""},
+                    "name": {"familyName": " ", "formatted": " ", "givenName": ""},
                     "userName": user.username,
                 },
             )

authentik/providers/scim/tests/test_user.py

@@ -57,7 +57,7 @@ class SCIMUserTests(TestCase):
         uid = generate_id()
         user = User.objects.create(
             username=uid,
-            name=uid,
+            name=f"{uid} {uid}",
             email=f"{uid}@goauthentik.io",
         )
         self.assertEqual(mock.call_count, 2)
@@ -77,11 +77,11 @@ class SCIMUserTests(TestCase):
                 ],
                 "externalId": user.uid,
                 "name": {
-                    "familyName": "",
-                    "formatted": uid,
+                    "familyName": uid,
+                    "formatted": f"{uid} {uid}",
                     "givenName": uid,
                 },
-                "displayName": uid,
+                "displayName": f"{uid} {uid}",
                 "userName": uid,
             },
         )
@@ -110,7 +110,7 @@ class SCIMUserTests(TestCase):
         uid = generate_id()
         user = User.objects.create(
             username=uid,
-            name=uid,
+            name=f"{uid} {uid}",
             email=f"{uid}@goauthentik.io",
         )
         self.assertEqual(mock.call_count, 2)
@@ -131,11 +131,11 @@ class SCIMUserTests(TestCase):
                         "value": f"{uid}@goauthentik.io",
                     }
                 ],
-                "displayName": uid,
+                "displayName": f"{uid} {uid}",
                 "externalId": user.uid,
                 "name": {
-                    "familyName": "",
-                    "formatted": uid,
+                    "familyName": uid,
+                    "formatted": f"{uid} {uid}",
                     "givenName": uid,
                 },
                 "userName": uid,
@@ -166,7 +166,7 @@ class SCIMUserTests(TestCase):
         uid = generate_id()
         user = User.objects.create(
             username=uid,
-            name=uid,
+            name=f"{uid} {uid}",
             email=f"{uid}@goauthentik.io",
         )
         self.assertEqual(mock.call_count, 2)
@@ -186,11 +186,11 @@ class SCIMUserTests(TestCase):
                 ],
                 "externalId": user.uid,
                 "name": {
-                    "familyName": "",
-                    "formatted": uid,
+                    "familyName": uid,
+                    "formatted": f"{uid} {uid}",
                     "givenName": uid,
                 },
-                "displayName": uid,
+                "displayName": f"{uid} {uid}",
                 "userName": uid,
             },
         )
@@ -230,7 +230,7 @@ class SCIMUserTests(TestCase):
         )
         user = User.objects.create(
             username=uid,
-            name=uid,
+            name=f"{uid} {uid}",
             email=f"{uid}@goauthentik.io",
         )
 
@@ -254,11 +254,11 @@ class SCIMUserTests(TestCase):
                 ],
                 "externalId": user.uid,
                 "name": {
-                    "familyName": "",
-                    "formatted": uid,
+                    "familyName": uid,
+                    "formatted": f"{uid} {uid}",
                     "givenName": uid,
                 },
-                "displayName": uid,
+                "displayName": f"{uid} {uid}",
                 "userName": uid,
             },
         )

authentik/rbac/api/rbac_roles.py

@@ -24,7 +24,10 @@ class ExtraRoleObjectPermissionSerializer(RoleObjectPermissionSerializer):
 
     def get_app_label_verbose(self, instance: GroupObjectPermission) -> str:
         """Get app label from permission's model"""
-        return apps.get_app_config(instance.content_type.app_label).verbose_name
+        try:
+            return apps.get_app_config(instance.content_type.app_label).verbose_name
+        except LookupError:
+            return instance.content_type.app_label
 
     def get_model_verbose(self, instance: GroupObjectPermission) -> str:
         """Get model label from permission's model"""

authentik/rbac/api/rbac_users.py

@@ -24,7 +24,10 @@ class ExtraUserObjectPermissionSerializer(UserObjectPermissionSerializer):
 
     def get_app_label_verbose(self, instance: UserObjectPermission) -> str:
         """Get app label from permission's model"""
-        return apps.get_app_config(instance.content_type.app_label).verbose_name
+        try:
+            return apps.get_app_config(instance.content_type.app_label).verbose_name
+        except LookupError:
+            return instance.content_type.app_label
 
     def get_model_verbose(self, instance: UserObjectPermission) -> str:
         """Get model label from permission's model"""

authentik/root/settings.py

@@ -1,4 +1,5 @@
 """root settings for authentik"""
+
 import importlib
 import os
 from hashlib import sha512
@@ -82,7 +83,6 @@ INSTALLED_APPS = [
     "authentik.sources.oauth",
     "authentik.sources.plex",
     "authentik.sources.saml",
-    "authentik.sources.scim",
     "authentik.stages.authenticator",
     "authentik.stages.authenticator_duo",
     "authentik.stages.authenticator_sms",
@@ -147,9 +147,6 @@ SPECTACULAR_SETTINGS = {
         "UserTypeEnum": "authentik.core.models.UserTypes",
     },
     "ENUM_ADD_EXPLICIT_BLANK_NULL_CHOICE": False,
-    "PREPROCESSING_HOOKS": [
-        "authentik.api.schema.preprocess_schema_exclude_non_api",
-    ],
     "POSTPROCESSING_HOOKS": [
         "authentik.api.schema.postprocess_schema_responses",
         "drf_spectacular.hooks.postprocess_schema_enums",
@@ -198,8 +195,8 @@ _redis_url = (
 CACHES = {
     "default": {
         "BACKEND": "django_redis.cache.RedisCache",
-        "LOCATION": CONFIG.get("cache.url") or f"{_redis_url}/{CONFIG.get('redis.db')}",
-        "TIMEOUT": CONFIG.get_int("cache.timeout", 300),
+        "LOCATION": f"{_redis_url}/{CONFIG.get('redis.db')}",
+        "TIMEOUT": CONFIG.get_int("redis.cache_timeout", 300),
         "OPTIONS": {"CLIENT_CLASS": "django_redis.client.DefaultClient"},
         "KEY_PREFIX": "authentik_cache",
     }
@@ -259,7 +256,7 @@ CHANNEL_LAYERS = {
     "default": {
         "BACKEND": "channels_redis.pubsub.RedisPubSubChannelLayer",
         "CONFIG": {
-            "hosts": [CONFIG.get("channel.url", f"{_redis_url}/{CONFIG.get('redis.db')}")],
+            "hosts": [f"{_redis_url}/{CONFIG.get('redis.db')}"],
             "prefix": "authentik_channels_",
         },
     },
@@ -352,11 +349,8 @@ CELERY = {
     },
     "task_create_missing_queues": True,
     "task_default_queue": "authentik",
-    "broker_url": CONFIG.get("broker.url")
-    or f"{_redis_url}/{CONFIG.get('redis.db')}{_redis_celery_tls_requirements}",
-    "broker_transport_options": CONFIG.get_dict_from_b64_json("broker.transport_options"),
-    "result_backend": CONFIG.get("result_backend.url")
-    or f"{_redis_url}/{CONFIG.get('redis.db')}{_redis_celery_tls_requirements}",
+    "broker_url": f"{_redis_url}/{CONFIG.get('redis.db')}{_redis_celery_tls_requirements}",
+    "result_backend": f"{_redis_url}/{CONFIG.get('redis.db')}{_redis_celery_tls_requirements}",
 }
 
 # Sentry integration

authentik/sources/ldap/api.py

@@ -1,14 +1,13 @@
 """Source API Views"""
-from typing import Any, Optional
+from typing import Any
 
-from django.core.cache import cache
 from django_filters.filters import AllValuesMultipleFilter
 from django_filters.filterset import FilterSet
 from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import extend_schema, extend_schema_field, inline_serializer
 from rest_framework.decorators import action
 from rest_framework.exceptions import ValidationError
-from rest_framework.fields import BooleanField, DictField, ListField, SerializerMethodField
+from rest_framework.fields import DictField, ListField
 from rest_framework.relations import PrimaryKeyRelatedField
 from rest_framework.request import Request
 from rest_framework.response import Response
@@ -18,17 +17,15 @@ from authentik.admin.api.tasks import TaskSerializer
 from authentik.core.api.propertymappings import PropertyMappingSerializer
 from authentik.core.api.sources import SourceSerializer
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import PassiveSerializer
 from authentik.crypto.models import CertificateKeyPair
 from authentik.events.monitored_tasks import TaskInfo
 from authentik.sources.ldap.models import LDAPPropertyMapping, LDAPSource
-from authentik.sources.ldap.tasks import CACHE_KEY_STATUS, SYNC_CLASSES
+from authentik.sources.ldap.tasks import SYNC_CLASSES
 
 
 class LDAPSourceSerializer(SourceSerializer):
     """LDAP Source Serializer"""
 
-    connectivity = SerializerMethodField()
     client_certificate = PrimaryKeyRelatedField(
         allow_null=True,
         help_text="Client certificate to authenticate against the LDAP Server's Certificate.",
@@ -38,10 +35,6 @@ class LDAPSourceSerializer(SourceSerializer):
         required=False,
     )
 
-    def get_connectivity(self, source: LDAPSource) -> Optional[dict[str, dict[str, str]]]:
-        """Get cached source connectivity"""
-        return cache.get(CACHE_KEY_STATUS + source.slug, None)
-
     def validate(self, attrs: dict[str, Any]) -> dict[str, Any]:
         """Check that only a single source has password_sync on"""
         sync_users_password = attrs.get("sync_users_password", True)
@@ -82,18 +75,10 @@ class LDAPSourceSerializer(SourceSerializer):
             "sync_parent_group",
             "property_mappings",
             "property_mappings_group",
-            "connectivity",
         ]
         extra_kwargs = {"bind_password": {"write_only": True}}
 
 
-class LDAPSyncStatusSerializer(PassiveSerializer):
-    """LDAP Source sync status"""
-
-    is_running = BooleanField(read_only=True)
-    tasks = TaskSerializer(many=True, read_only=True)
-
-
 class LDAPSourceViewSet(UsedByMixin, ModelViewSet):
     """LDAP Source Viewset"""
 
@@ -129,19 +114,19 @@ class LDAPSourceViewSet(UsedByMixin, ModelViewSet):
 
     @extend_schema(
         responses={
-            200: LDAPSyncStatusSerializer(),
+            200: TaskSerializer(many=True),
         }
     )
     @action(methods=["GET"], detail=True, pagination_class=None, filter_backends=[])
     def sync_status(self, request: Request, slug: str) -> Response:
         """Get source's sync status"""
-        source: LDAPSource = self.get_object()
-        tasks = TaskInfo.by_name(f"ldap_sync:{source.slug}:*") or []
-        status = {
-            "tasks": tasks,
-            "is_running": source.sync_lock.locked(),
-        }
-        return Response(LDAPSyncStatusSerializer(status).data)
+        source = self.get_object()
+        results = []
+        tasks = TaskInfo.by_name(f"ldap_sync:{source.slug}:*")
+        if tasks:
+            for task in tasks:
+                results.append(task)
+        return Response(TaskSerializer(results, many=True).data)
 
     @extend_schema(
         responses={

authentik/sources/ldap/management/commands/ldap_check_connection.py

@@ -1,24 +0,0 @@
-"""LDAP Connection check"""
-from json import dumps
-
-from django.core.management.base import BaseCommand
-from structlog.stdlib import get_logger
-
-from authentik.sources.ldap.models import LDAPSource
-
-LOGGER = get_logger()
-
-
-class Command(BaseCommand):
-    """Check connectivity to LDAP servers for a source"""
-
-    def add_arguments(self, parser):
-        parser.add_argument("source_slugs", nargs="?", type=str)
-
-    def handle(self, **options):
-        sources = LDAPSource.objects.filter(enabled=True)
-        if options["source_slugs"]:
-            sources = LDAPSource.objects.filter(slug__in=options["source_slugs"])
-        for source in sources.order_by("slug"):
-            status = source.check_connection()
-            self.stdout.write(dumps(status, indent=4))

authentik/sources/ldap/models.py

@@ -4,12 +4,10 @@ from ssl import CERT_REQUIRED
 from tempfile import NamedTemporaryFile, mkdtemp
 from typing import Optional
 
-from django.core.cache import cache
 from django.db import models
 from django.utils.translation import gettext_lazy as _
 from ldap3 import ALL, NONE, RANDOM, Connection, Server, ServerPool, Tls
-from ldap3.core.exceptions import LDAPException, LDAPInsufficientAccessRightsResult, LDAPSchemaError
-from redis.lock import Lock
+from ldap3.core.exceptions import LDAPInsufficientAccessRightsResult, LDAPSchemaError
 from rest_framework.serializers import Serializer
 
 from authentik.core.models import Group, PropertyMapping, Source
@@ -119,7 +117,7 @@ class LDAPSource(Source):
 
         return LDAPSourceSerializer
 
-    def server(self, **kwargs) -> ServerPool:
+    def server(self, **kwargs) -> Server:
         """Get LDAP Server/ServerPool"""
         servers = []
         tls_kwargs = {}
@@ -156,10 +154,7 @@ class LDAPSource(Source):
         return ServerPool(servers, RANDOM, active=5, exhaust=True)
 
     def connection(
-        self,
-        server: Optional[Server] = None,
-        server_kwargs: Optional[dict] = None,
-        connection_kwargs: Optional[dict] = None,
+        self, server_kwargs: Optional[dict] = None, connection_kwargs: Optional[dict] = None
     ) -> Connection:
         """Get a fully connected and bound LDAP Connection"""
         server_kwargs = server_kwargs or {}
@@ -169,7 +164,7 @@ class LDAPSource(Source):
         if self.bind_password is not None:
             connection_kwargs.setdefault("password", self.bind_password)
         connection = Connection(
-            server or self.server(**server_kwargs),
+            self.server(**server_kwargs),
             raise_exceptions=True,
             receive_timeout=LDAP_TIMEOUT,
             **connection_kwargs,
@@ -188,55 +183,9 @@ class LDAPSource(Source):
             if server_kwargs.get("get_info", ALL) == NONE:
                 raise exc
             server_kwargs["get_info"] = NONE
-            return self.connection(server, server_kwargs, connection_kwargs)
+            return self.connection(server_kwargs, connection_kwargs)
         return RuntimeError("Failed to bind")
 
-    @property
-    def sync_lock(self) -> Lock:
-        """Redis lock for syncing LDAP to prevent multiple parallel syncs happening"""
-        return Lock(
-            cache.client.get_client(),
-            name=f"goauthentik.io/sources/ldap/sync-{self.slug}",
-            # Convert task timeout hours to seconds, and multiply times 3
-            # (see authentik/sources/ldap/tasks.py:54)
-            # multiply by 3 to add even more leeway
-            timeout=(60 * 60 * CONFIG.get_int("ldap.task_timeout_hours")) * 3,
-        )
-
-    def check_connection(self) -> dict[str, dict[str, str]]:
-        """Check LDAP Connection"""
-        from authentik.sources.ldap.sync.base import flatten
-
-        servers = self.server()
-        server_info = {}
-        # Check each individual server
-        for server in servers.servers:
-            server: Server
-            try:
-                connection = self.connection(server=server)
-                server_info[server.host] = {
-                    "vendor": str(flatten(connection.server.info.vendor_name)),
-                    "version": str(flatten(connection.server.info.vendor_version)),
-                    "status": "ok",
-                }
-            except LDAPException as exc:
-                server_info[server.host] = {
-                    "status": str(exc),
-                }
-        # Check server pool
-        try:
-            connection = self.connection()
-            server_info["__all__"] = {
-                "vendor": str(flatten(connection.server.info.vendor_name)),
-                "version": str(flatten(connection.server.info.vendor_version)),
-                "status": "ok",
-            }
-        except LDAPException as exc:
-            server_info["__all__"] = {
-                "status": str(exc),
-            }
-        return server_info
-
     class Meta:
         verbose_name = _("LDAP Source")
         verbose_name_plural = _("LDAP Sources")

authentik/sources/ldap/settings.py

@@ -8,10 +8,5 @@ CELERY_BEAT_SCHEDULE = {
         "task": "authentik.sources.ldap.tasks.ldap_sync_all",
         "schedule": crontab(minute=fqdn_rand("sources_ldap_sync"), hour="*/2"),
         "options": {"queue": "authentik_scheduled"},
-    },
-    "sources_ldap_connectivity_check": {
-        "task": "authentik.sources.ldap.tasks.ldap_connectivity_check",
-        "schedule": crontab(minute=fqdn_rand("sources_ldap_connectivity_check"), hour="*"),
-        "options": {"queue": "authentik_scheduled"},
-    },
+    }
 }

authentik/sources/ldap/signals.py

@@ -14,7 +14,7 @@ from authentik.events.models import Event, EventAction
 from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER
 from authentik.sources.ldap.models import LDAPSource
 from authentik.sources.ldap.password import LDAPPasswordChanger
-from authentik.sources.ldap.tasks import ldap_connectivity_check, ldap_sync_single
+from authentik.sources.ldap.tasks import ldap_sync_single
 from authentik.stages.prompt.signals import password_validate
 
 LOGGER = get_logger()
@@ -32,7 +32,6 @@ def sync_ldap_source_on_save(sender, instance: LDAPSource, **_):
     if not instance.property_mappings.exists() or not instance.property_mappings_group.exists():
         return
     ldap_sync_single.delay(instance.pk)
-    ldap_connectivity_check.delay(instance.pk)
 
 
 @receiver(password_validate)

authentik/sources/ldap/sync/base.py

@@ -17,15 +17,6 @@ from authentik.sources.ldap.models import LDAPPropertyMapping, LDAPSource
 LDAP_UNIQUENESS = "ldap_uniq"
 
 
-def flatten(value: Any) -> Any:
-    """Flatten `value` if its a list"""
-    if isinstance(value, list):
-        if len(value) < 1:
-            return None
-        return value[0]
-    return value
-
-
 class BaseLDAPSynchronizer:
     """Sync LDAP Users and groups into authentik"""
 
@@ -131,6 +122,14 @@ class BaseLDAPSynchronizer:
                 cookie = None
             yield self._connection.response
 
+    def _flatten(self, value: Any) -> Any:
+        """Flatten `value` if its a list"""
+        if isinstance(value, list):
+            if len(value) < 1:
+                return None
+            return value[0]
+        return value
+
     def build_user_properties(self, user_dn: str, **kwargs) -> dict[str, Any]:
         """Build attributes for User object based on property mappings."""
         props = self._build_object_properties(user_dn, self._source.property_mappings, **kwargs)
@@ -164,10 +163,10 @@ class BaseLDAPSynchronizer:
                 object_field = mapping.object_field
                 if object_field.startswith("attributes."):
                     # Because returning a list might desired, we can't
-                    # rely on flatten here. Instead, just save the result as-is
+                    # rely on self._flatten here. Instead, just save the result as-is
                     set_path_in_dict(properties, object_field, value)
                 else:
-                    properties[object_field] = flatten(value)
+                    properties[object_field] = self._flatten(value)
             except PropertyMappingExpressionException as exc:
                 Event.new(
                     EventAction.CONFIGURATION_ERROR,
@@ -178,7 +177,7 @@ class BaseLDAPSynchronizer:
                 self._logger.warning("Mapping failed to evaluate", exc=exc, mapping=mapping)
                 continue
         if self._source.object_uniqueness_field in kwargs:
-            properties["attributes"][LDAP_UNIQUENESS] = flatten(
+            properties["attributes"][LDAP_UNIQUENESS] = self._flatten(
                 kwargs.get(self._source.object_uniqueness_field)
             )
         properties["attributes"][LDAP_DISTINGUISHED_NAME] = object_dn

authentik/sources/ldap/sync/groups.py

@@ -7,7 +7,7 @@ from ldap3 import ALL_ATTRIBUTES, ALL_OPERATIONAL_ATTRIBUTES, SUBTREE
 
 from authentik.core.models import Group
 from authentik.events.models import Event, EventAction
-from authentik.sources.ldap.sync.base import LDAP_UNIQUENESS, BaseLDAPSynchronizer, flatten
+from authentik.sources.ldap.sync.base import LDAP_UNIQUENESS, BaseLDAPSynchronizer
 
 
 class GroupLDAPSynchronizer(BaseLDAPSynchronizer):
@@ -39,7 +39,7 @@ class GroupLDAPSynchronizer(BaseLDAPSynchronizer):
             if "attributes" not in group:
                 continue
             attributes = group.get("attributes", {})
-            group_dn = flatten(flatten(group.get("entryDN", group.get("dn"))))
+            group_dn = self._flatten(self._flatten(group.get("entryDN", group.get("dn"))))
             if self._source.object_uniqueness_field not in attributes:
                 self.message(
                     f"Cannot find uniqueness field in attributes: '{group_dn}'",
@@ -47,7 +47,7 @@ class GroupLDAPSynchronizer(BaseLDAPSynchronizer):
                     dn=group_dn,
                 )
                 continue
-            uniq = flatten(attributes[self._source.object_uniqueness_field])
+            uniq = self._flatten(attributes[self._source.object_uniqueness_field])
             try:
                 defaults = self.build_group_properties(group_dn, **attributes)
                 defaults["parent"] = self._source.sync_parent_group

authentik/sources/ldap/sync/users.py

@@ -7,7 +7,7 @@ from ldap3 import ALL_ATTRIBUTES, ALL_OPERATIONAL_ATTRIBUTES, SUBTREE
 
 from authentik.core.models import User
 from authentik.events.models import Event, EventAction
-from authentik.sources.ldap.sync.base import LDAP_UNIQUENESS, BaseLDAPSynchronizer, flatten
+from authentik.sources.ldap.sync.base import LDAP_UNIQUENESS, BaseLDAPSynchronizer
 from authentik.sources.ldap.sync.vendor.freeipa import FreeIPA
 from authentik.sources.ldap.sync.vendor.ms_ad import MicrosoftActiveDirectory
 
@@ -41,7 +41,7 @@ class UserLDAPSynchronizer(BaseLDAPSynchronizer):
             if "attributes" not in user:
                 continue
             attributes = user.get("attributes", {})
-            user_dn = flatten(user.get("entryDN", user.get("dn")))
+            user_dn = self._flatten(user.get("entryDN", user.get("dn")))
             if self._source.object_uniqueness_field not in attributes:
                 self.message(
                     f"Cannot find uniqueness field in attributes: '{user_dn}'",
@@ -49,7 +49,7 @@ class UserLDAPSynchronizer(BaseLDAPSynchronizer):
                     dn=user_dn,
                 )
                 continue
-            uniq = flatten(attributes[self._source.object_uniqueness_field])
+            uniq = self._flatten(attributes[self._source.object_uniqueness_field])
             try:
                 defaults = self.build_user_properties(user_dn, **attributes)
                 self._logger.debug("Writing user with attributes", **defaults)

authentik/sources/ldap/sync/vendor/freeipa.py

@@ -5,7 +5,7 @@ from typing import Any, Generator
 from pytz import UTC
 
 from authentik.core.models import User
-from authentik.sources.ldap.sync.base import BaseLDAPSynchronizer, flatten
+from authentik.sources.ldap.sync.base import BaseLDAPSynchronizer
 
 
 class FreeIPA(BaseLDAPSynchronizer):
@@ -47,7 +47,7 @@ class FreeIPA(BaseLDAPSynchronizer):
             return
         # For some reason, nsaccountlock is not defined properly in the schema as bool
         # hence we get it as a list of strings
-        _is_locked = str(flatten(attributes.get("nsaccountlock", ["FALSE"])))
+        _is_locked = str(self._flatten(attributes.get("nsaccountlock", ["FALSE"])))
         # So we have to attempt to convert it to a bool
         is_locked = _is_locked.lower() == "true"
         # And then invert it since freeipa saves locked and we save active

authentik/sources/ldap/tasks.py

@@ -1,14 +1,13 @@
 """LDAP Sync tasks"""
-from typing import Optional
 from uuid import uuid4
 
 from celery import chain, group
 from django.core.cache import cache
 from ldap3.core.exceptions import LDAPException
 from redis.exceptions import LockError
+from redis.lock import Lock
 from structlog.stdlib import get_logger
 
-from authentik.events.monitored_tasks import CACHE_KEY_PREFIX as CACHE_KEY_PREFIX_TASKS
 from authentik.events.monitored_tasks import MonitoredTask, TaskResult, TaskResultStatus
 from authentik.lib.config import CONFIG
 from authentik.lib.utils.errors import exception_to_string
@@ -27,7 +26,6 @@ SYNC_CLASSES = [
     MembershipLDAPSynchronizer,
 ]
 CACHE_KEY_PREFIX = "goauthentik.io/sources/ldap/page/"
-CACHE_KEY_STATUS = "goauthentik.io/sources/ldap/status/"
 
 
 @CELERY_APP.task()
@@ -37,19 +35,6 @@ def ldap_sync_all():
         ldap_sync_single.apply_async(args=[source.pk])
 
 
-@CELERY_APP.task()
-def ldap_connectivity_check(pk: Optional[str] = None):
-    """Check connectivity for LDAP Sources"""
-    # 2 hour timeout, this task should run every hour
-    timeout = 60 * 60 * 2
-    sources = LDAPSource.objects.filter(enabled=True)
-    if pk:
-        sources = sources.filter(pk=pk)
-    for source in sources:
-        status = source.check_connection()
-        cache.set(CACHE_KEY_STATUS + source.slug, status, timeout=timeout)
-
-
 @CELERY_APP.task(
     # We take the configured hours timeout time by 2.5 as we run user and
     # group in parallel and then membership, so 2x is to cover the serial tasks,
@@ -62,15 +47,12 @@ def ldap_sync_single(source_pk: str):
     source: LDAPSource = LDAPSource.objects.filter(pk=source_pk).first()
     if not source:
         return
-    lock = source.sync_lock
+    lock = Lock(cache.client.get_client(), name=f"goauthentik.io/sources/ldap/sync-{source.slug}")
     if lock.locked():
         LOGGER.debug("LDAP sync locked, skipping task", source=source.slug)
         return
     try:
         with lock:
-            # Delete all sync tasks from the cache
-            keys = cache.keys(f"{CACHE_KEY_PREFIX_TASKS}ldap_sync:{source.slug}*")
-            cache.delete_many(keys)
             task = chain(
                 # User and group sync can happen at once, they have no dependencies on each other
                 group(

authentik/sources/oauth/types/azure_ad.py

@@ -4,8 +4,8 @@ from typing import Any
 from structlog.stdlib import get_logger
 
 from authentik.sources.oauth.clients.oauth2 import UserprofileHeaderAuthClient
+from authentik.sources.oauth.types.oidc import OpenIDConnectOAuth2Callback
 from authentik.sources.oauth.types.registry import SourceType, registry
-from authentik.sources.oauth.views.callback import OAuthCallback
 from authentik.sources.oauth.views.redirect import OAuthRedirect
 
 LOGGER = get_logger()
@@ -20,7 +20,7 @@ class AzureADOAuthRedirect(OAuthRedirect):
         }
 
 
-class AzureADOAuthCallback(OAuthCallback):
+class AzureADOAuthCallback(OpenIDConnectOAuth2Callback):
     """AzureAD OAuth2 Callback"""
 
     client_class = UserprofileHeaderAuthClient
@@ -50,7 +50,7 @@ class AzureADType(SourceType):
 
     authorization_url = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
     access_token_url = "https://login.microsoftonline.com/common/oauth2/v2.0/token"  # nosec
-    profile_url = "https://graph.microsoft.com/v1.0/me"
+    profile_url = "https://login.microsoftonline.com/common/openid/userinfo"
     oidc_well_known_url = (
         "https://login.microsoftonline.com/common/.well-known/openid-configuration"
     )

authentik/sources/oauth/types/oidc.py

@@ -23,7 +23,7 @@ class OpenIDConnectOAuth2Callback(OAuthCallback):
     client_class = UserprofileHeaderAuthClient
 
     def get_user_id(self, info: dict[str, str]) -> str:
-        return info.get("sub", "")
+        return info.get("sub", None)
 
     def get_user_enroll_context(
         self,

authentik/sources/oauth/types/okta.py

@@ -3,8 +3,8 @@ from typing import Any
 
 from authentik.sources.oauth.clients.oauth2 import UserprofileHeaderAuthClient
 from authentik.sources.oauth.models import OAuthSource
+from authentik.sources.oauth.types.oidc import OpenIDConnectOAuth2Callback
 from authentik.sources.oauth.types.registry import SourceType, registry
-from authentik.sources.oauth.views.callback import OAuthCallback
 from authentik.sources.oauth.views.redirect import OAuthRedirect
 
 
@@ -17,7 +17,7 @@ class OktaOAuthRedirect(OAuthRedirect):
         }
 
 
-class OktaOAuth2Callback(OAuthCallback):
+class OktaOAuth2Callback(OpenIDConnectOAuth2Callback):
     """Okta OAuth2 Callback"""
 
     # Okta has the same quirk as azure and throws an error if the access token
@@ -25,9 +25,6 @@ class OktaOAuth2Callback(OAuthCallback):
     # see https://github.com/goauthentik/authentik/issues/1910
     client_class = UserprofileHeaderAuthClient
 
-    def get_user_id(self, info: dict[str, str]) -> str:
-        return info.get("sub", "")
-
     def get_user_enroll_context(
         self,
         info: dict[str, Any],

authentik/sources/oauth/types/twitch.py

@@ -3,8 +3,8 @@ from json import dumps
 from typing import Any, Optional
 
 from authentik.sources.oauth.clients.oauth2 import UserprofileHeaderAuthClient
+from authentik.sources.oauth.types.oidc import OpenIDConnectOAuth2Callback
 from authentik.sources.oauth.types.registry import SourceType, registry
-from authentik.sources.oauth.views.callback import OAuthCallback
 from authentik.sources.oauth.views.redirect import OAuthRedirect
 
 
@@ -27,14 +27,11 @@ class TwitchOAuthRedirect(OAuthRedirect):
         }
 
 
-class TwitchOAuth2Callback(OAuthCallback):
+class TwitchOAuth2Callback(OpenIDConnectOAuth2Callback):
     """Twitch OAuth2 Callback"""
 
     client_class = TwitchClient
 
-    def get_user_id(self, info: dict[str, str]) -> str:
-        return info.get("sub", "")
-
     def get_user_enroll_context(
         self,
         info: dict[str, Any],

authentik/sources/scim/api.py

@@ -1,62 +0,0 @@
-"""SCIMSource API Views"""
-from django.urls import reverse_lazy
-from rest_framework.fields import SerializerMethodField
-from rest_framework.viewsets import ModelViewSet
-
-from authentik.core.api.sources import SourceSerializer
-from authentik.core.api.tokens import TokenSerializer
-from authentik.core.api.used_by import UsedByMixin
-from authentik.core.models import Token, TokenIntents, User, UserTypes
-from authentik.sources.scim.models import SCIMSource
-
-
-class SCIMSourceSerializer(SourceSerializer):
-    """SCIMSource Serializer"""
-
-    root_url = SerializerMethodField()
-    token_obj = TokenSerializer(source="token", required=False, read_only=True)
-
-    def get_root_url(self, instance: SCIMSource) -> str:
-        """Get Root URL"""
-        relative_url = reverse_lazy(
-            "authentik_sources_scim:v2-root",
-            kwargs={"source_slug": instance.slug},
-        )
-        if "request" not in self.context:
-            return relative_url
-        return self.context["request"].build_absolute_uri(relative_url)
-
-    def create(self, validated_data):
-        instance: SCIMSource = super().create(validated_data)
-        identifier = f"ak-source-scim-{instance.pk}"
-        user = User.objects.create(
-            username=identifier,
-            name=f"SCIM Source {instance.name} Service-Account",
-            type=UserTypes.SERVICE_ACCOUNT,
-        )
-        token = Token.objects.create(
-            user=user,
-            identifier=identifier,
-            intent=TokenIntents.INTENT_API,
-            expiring=False,
-            managed=f"goauthentik.io/sources/scim/{instance.pk}",
-        )
-        instance.token = token
-        instance.save()
-        return instance
-
-    class Meta:
-
-        model = SCIMSource
-        fields = SourceSerializer.Meta.fields + ["token", "root_url", "token_obj"]
-
-
-class SCIMSourceViewSet(UsedByMixin, ModelViewSet):
-    """SCIMSource Viewset"""
-
-    queryset = SCIMSource.objects.all()
-    serializer_class = SCIMSourceSerializer
-    lookup_field = "slug"
-    filterset_fields = ["name", "slug"]
-    search_fields = ["name", "slug", "token__identifier", "token__user__username"]
-    ordering = ["name"]

authentik/sources/scim/apps.py

@@ -1,11 +0,0 @@
-"""Authentik SCIM app config"""
-
-from django.apps import AppConfig
-
-
-class AuthentikSourceSCIMConfig(AppConfig):
-    """authentik SCIM Source app config"""
-
-    name = "authentik.sources.scim"
-    label = "authentik_sources_scim"
-    verbose_name = "authentik Sources.SCIM"

authentik/sources/scim/errors.py

@@ -1,8 +0,0 @@
-"""SCIM Errors"""
-
-from authentik.lib.sentry import SentryIgnoredException
-
-
-class PatchError(SentryIgnoredException):
-    """Error raised within an atomic block when an error happened
-    so nothing is saved"""

authentik/sources/scim/filters/ScimFilter.g4

@@ -1,61 +0,0 @@
-grammar ScimFilter;
-
-parse
-    : filter
-    ;
-
-filter
-	: attrPath SP PR                             #presentExp
-	| attrPath SP COMPAREOPERATOR SP VALUE       #operatorExp
-	| NOT? SP* '(' filter ')'                    #braceExp
-	| attrPath '[' valPathFilter ']'             #valPathExp
-	| filter SP AND SP filter                    #andExp
-	| filter SP OR SP filter                     #orExp
-	;										     
-											     
-valPathFilter								     
-	: attrPath SP PR                             #valPathPresentExp
-	| attrPath SP COMPAREOPERATOR SP VALUE       #valPathOperatorExp
-	| NOT? SP* '(' valPathFilter ')'             #valPathBraceExp
-	| valPathFilter SP AND SP valPathFilter      #valPathAndExp
-	| valPathFilter SP OR SP valPathFilter       #valPathOrExp
-	;
-	
-attrPath 
-	: (SCHEMA)? ATTRNAME ('.' ATTRNAME)?
-	;
-
-COMPAREOPERATOR : EQ | NE | CO | SW | EW | GT | GE | LT | LE;
-
-EQ : [eE][qQ];
-NE : [nN][eE];
-CO : [cC][oO];
-SW : [sS][wW];
-EW : [eE][wW];
-PR : [pP][rR];
-GT : [gG][tT];
-GE : [gG][eE];
-LT : [lL][tT];
-LE : [lL][eE];
-
-NOT : [nN][oO][tT];
-AND : [aA][nN][dD];
-OR  : [oO][rR];
-
-SP : ' ';
-
-SCHEMA : 'urn:' (SEGMENT ':')+;
-
-ATTRNAME : ALPHA (ALPHA | DIGIT | '_' | '-')+;
-
-fragment SEGMENT : (ALPHA | DIGIT | '_' | '-' | '.')+;
-
-fragment DIGIT : [0-9];
-
-fragment ALPHA : [a-z] | [A-Z];
-
-ESCAPED_QUOTE : '\\"';
-
-VALUE : '"'(ESCAPED_QUOTE | ~'"')*'"' | 'true' | 'false' | 'null' | DIGIT+('.'DIGIT+)?;
-
-EXCLUDE : [\b | \t | \r | \n]+ -> skip;

authentik/sources/scim/filters/ScimFilter.interp

@@ -1,65 +0,0 @@
-token literal names:
-null
-'('
-')'
-'['
-']'
-'.'
-null
-null
-null
-null
-null
-null
-null
-null
-null
-null
-null
-null
-null
-null
-' '
-null
-null
-'\\"'
-null
-null
-
-token symbolic names:
-null
-null
-null
-null
-null
-null
-COMPAREOPERATOR
-EQ
-NE
-CO
-SW
-EW
-PR
-GT
-GE
-LT
-LE
-NOT
-AND
-OR
-SP
-SCHEMA
-ATTRNAME
-ESCAPED_QUOTE
-VALUE
-EXCLUDE
-
-rule names:
-parse
-filter
-valPathFilter
-attrPath
-
-
-atn:
-[4, 1, 25, 106, 2, 0, 7, 0, 2, 1, 7, 1, 2, 2, 7, 2, 2, 3, 7, 3, 1, 0, 1, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 3, 1, 23, 8, 1, 1, 1, 5, 1, 26, 8, 1, 10, 1, 12, 1, 29, 9, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 3, 1, 40, 8, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 5, 1, 52, 8, 1, 10, 1, 12, 1, 55, 9, 1, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 3, 2, 69, 8, 2, 1, 2, 5, 2, 72, 8, 2, 10, 2, 12, 2, 75, 9, 2, 1, 2, 1, 2, 1, 2, 1, 2, 3, 2, 81, 8, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 5, 2, 93, 8, 2, 10, 2, 12, 2, 96, 9, 2, 1, 3, 3, 3, 99, 8, 3, 1, 3, 1, 3, 1, 3, 3, 3, 104, 8, 3, 1, 3, 0, 2, 2, 4, 4, 0, 2, 4, 6, 0, 0, 116, 0, 8, 1, 0, 0, 0, 2, 39, 1, 0, 0, 0, 4, 80, 1, 0, 0, 0, 6, 98, 1, 0, 0, 0, 8, 9, 3, 2, 1, 0, 9, 1, 1, 0, 0, 0, 10, 11, 6, 1, -1, 0, 11, 12, 3, 6, 3, 0, 12, 13, 5, 20, 0, 0, 13, 14, 5, 12, 0, 0, 14, 40, 1, 0, 0, 0, 15, 16, 3, 6, 3, 0, 16, 17, 5, 20, 0, 0, 17, 18, 5, 6, 0, 0, 18, 19, 5, 20, 0, 0, 19, 20, 5, 24, 0, 0, 20, 40, 1, 0, 0, 0, 21, 23, 5, 17, 0, 0, 22, 21, 1, 0, 0, 0, 22, 23, 1, 0, 0, 0, 23, 27, 1, 0, 0, 0, 24, 26, 5, 20, 0, 0, 25, 24, 1, 0, 0, 0, 26, 29, 1, 0, 0, 0, 27, 25, 1, 0, 0, 0, 27, 28, 1, 0, 0, 0, 28, 30, 1, 0, 0, 0, 29, 27, 1, 0, 0, 0, 30, 31, 5, 1, 0, 0, 31, 32, 3, 2, 1, 0, 32, 33, 5, 2, 0, 0, 33, 40, 1, 0, 0, 0, 34, 35, 3, 6, 3, 0, 35, 36, 5, 3, 0, 0, 36, 37, 3, 4, 2, 0, 37, 38, 5, 4, 0, 0, 38, 40, 1, 0, 0, 0, 39, 10, 1, 0, 0, 0, 39, 15, 1, 0, 0, 0, 39, 22, 1, 0, 0, 0, 39, 34, 1, 0, 0, 0, 40, 53, 1, 0, 0, 0, 41, 42, 10, 2, 0, 0, 42, 43, 5, 20, 0, 0, 43, 44, 5, 18, 0, 0, 44, 45, 5, 20, 0, 0, 45, 52, 3, 2, 1, 3, 46, 47, 10, 1, 0, 0, 47, 48, 5, 20, 0, 0, 48, 49, 5, 19, 0, 0, 49, 50, 5, 20, 0, 0, 50, 52, 3, 2, 1, 2, 51, 41, 1, 0, 0, 0, 51, 46, 1, 0, 0, 0, 52, 55, 1, 0, 0, 0, 53, 51, 1, 0, 0, 0, 53, 54, 1, 0, 0, 0, 54, 3, 1, 0, 0, 0, 55, 53, 1, 0, 0, 0, 56, 57, 6, 2, -1, 0, 57, 58, 3, 6, 3, 0, 58, 59, 5, 20, 0, 0, 59, 60, 5, 12, 0, 0, 60, 81, 1, 0, 0, 0, 61, 62, 3, 6, 3, 0, 62, 63, 5, 20, 0, 0, 63, 64, 5, 6, 0, 0, 64, 65, 5, 20, 0, 0, 65, 66, 5, 24, 0, 0, 66, 81, 1, 0, 0, 0, 67, 69, 5, 17, 0, 0, 68, 67, 1, 0, 0, 0, 68, 69, 1, 0, 0, 0, 69, 73, 1, 0, 0, 0, 70, 72, 5, 20, 0, 0, 71, 70, 1, 0, 0, 0, 72, 75, 1, 0, 0, 0, 73, 71, 1, 0, 0, 0, 73, 74, 1, 0, 0, 0, 74, 76, 1, 0, 0, 0, 75, 73, 1, 0, 0, 0, 76, 77, 5, 1, 0, 0, 77, 78, 3, 4, 2, 0, 78, 79, 5, 2, 0, 0, 79, 81, 1, 0, 0, 0, 80, 56, 1, 0, 0, 0, 80, 61, 1, 0, 0, 0, 80, 68, 1, 0, 0, 0, 81, 94, 1, 0, 0, 0, 82, 83, 10, 2, 0, 0, 83, 84, 5, 20, 0, 0, 84, 85, 5, 18, 0, 0, 85, 86, 5, 20, 0, 0, 86, 93, 3, 4, 2, 3, 87, 88, 10, 1, 0, 0, 88, 89, 5, 20, 0, 0, 89, 90, 5, 19, 0, 0, 90, 91, 5, 20, 0, 0, 91, 93, 3, 4, 2, 2, 92, 82, 1, 0, 0, 0, 92, 87, 1, 0, 0, 0, 93, 96, 1, 0, 0, 0, 94, 92, 1, 0, 0, 0, 94, 95, 1, 0, 0, 0, 95, 5, 1, 0, 0, 0, 96, 94, 1, 0, 0, 0, 97, 99, 5, 21, 0, 0, 98, 97, 1, 0, 0, 0, 98, 99, 1, 0, 0, 0, 99, 100, 1, 0, 0, 0, 100, 103, 5, 22, 0, 0, 101, 102, 5, 5, 0, 0, 102, 104, 5, 22, 0, 0, 103, 101, 1, 0, 0, 0, 103, 104, 1, 0, 0, 0, 104, 7, 1, 0, 0, 0, 12, 22, 27, 39, 51, 53, 68, 73, 80, 92, 94, 98, 103]

authentik/sources/scim/filters/ScimFilter.tokens

@@ -1,32 +0,0 @@
-T__0=1
-T__1=2
-T__2=3
-T__3=4
-T__4=5
-COMPAREOPERATOR=6
-EQ=7
-NE=8
-CO=9
-SW=10
-EW=11
-PR=12
-GT=13
-GE=14
-LT=15
-LE=16
-NOT=17
-AND=18
-OR=19
-SP=20
-SCHEMA=21
-ATTRNAME=22
-ESCAPED_QUOTE=23
-VALUE=24
-EXCLUDE=25
-'('=1
-')'=2
-'['=3
-']'=4
-'.'=5
-' '=20
-'\\"'=23

authentik/sources/scim/filters/ScimFilterLexer.tokens

@@ -1,32 +0,0 @@
-T__0=1
-T__1=2
-T__2=3
-T__3=4
-T__4=5
-COMPAREOPERATOR=6
-EQ=7
-NE=8
-CO=9
-SW=10
-EW=11
-PR=12
-GT=13
-GE=14
-LT=15
-LE=16
-NOT=17
-AND=18
-OR=19
-SP=20
-SCHEMA=21
-ATTRNAME=22
-ESCAPED_QUOTE=23
-VALUE=24
-EXCLUDE=25
-'('=1
-')'=2
-'['=3
-']'=4
-'.'=5
-' '=20
-'\\"'=23

authentik/sources/scim/filters/ScimFilterListener.py

@@ -1,118 +0,0 @@
-# pylint: skip-file
-# Generated from ScimFilter.g4 by ANTLR 4.10.1
-from antlr4 import *
-
-if __name__ is not None and "." in __name__:
-    from .ScimFilterParser import ScimFilterParser
-else:
-    from ScimFilterParser import ScimFilterParser
-
-# This class defines a complete listener for a parse tree produced by ScimFilterParser.
-class ScimFilterListener(ParseTreeListener):
-
-    # Enter a parse tree produced by ScimFilterParser#parse.
-    def enterParse(self, ctx: ScimFilterParser.ParseContext):
-        pass
-
-    # Exit a parse tree produced by ScimFilterParser#parse.
-    def exitParse(self, ctx: ScimFilterParser.ParseContext):
-        pass
-
-    # Enter a parse tree produced by ScimFilterParser#andExp.
-    def enterAndExp(self, ctx: ScimFilterParser.AndExpContext):
-        pass
-
-    # Exit a parse tree produced by ScimFilterParser#andExp.
-    def exitAndExp(self, ctx: ScimFilterParser.AndExpContext):
-        pass
-
-    # Enter a parse tree produced by ScimFilterParser#valPathExp.
-    def enterValPathExp(self, ctx: ScimFilterParser.ValPathExpContext):
-        pass
-
-    # Exit a parse tree produced by ScimFilterParser#valPathExp.
-    def exitValPathExp(self, ctx: ScimFilterParser.ValPathExpContext):
-        pass
-
-    # Enter a parse tree produced by ScimFilterParser#presentExp.
-    def enterPresentExp(self, ctx: ScimFilterParser.PresentExpContext):
-        pass
-
-    # Exit a parse tree produced by ScimFilterParser#presentExp.
-    def exitPresentExp(self, ctx: ScimFilterParser.PresentExpContext):
-        pass
-
-    # Enter a parse tree produced by ScimFilterParser#operatorExp.
-    def enterOperatorExp(self, ctx: ScimFilterParser.OperatorExpContext):
-        pass
-
-    # Exit a parse tree produced by ScimFilterParser#operatorExp.
-    def exitOperatorExp(self, ctx: ScimFilterParser.OperatorExpContext):
-        pass
-
-    # Enter a parse tree produced by ScimFilterParser#braceExp.
-    def enterBraceExp(self, ctx: ScimFilterParser.BraceExpContext):
-        pass
-
-    # Exit a parse tree produced by ScimFilterParser#braceExp.
-    def exitBraceExp(self, ctx: ScimFilterParser.BraceExpContext):
-        pass
-
-    # Enter a parse tree produced by ScimFilterParser#orExp.
-    def enterOrExp(self, ctx: ScimFilterParser.OrExpContext):
-        pass
-
-    # Exit a parse tree produced by ScimFilterParser#orExp.
-    def exitOrExp(self, ctx: ScimFilterParser.OrExpContext):
-        pass
-
-    # Enter a parse tree produced by ScimFilterParser#valPathOperatorExp.
-    def enterValPathOperatorExp(self, ctx: ScimFilterParser.ValPathOperatorExpContext):
-        pass
-
-    # Exit a parse tree produced by ScimFilterParser#valPathOperatorExp.
-    def exitValPathOperatorExp(self, ctx: ScimFilterParser.ValPathOperatorExpContext):
-        pass
-
-    # Enter a parse tree produced by ScimFilterParser#valPathPresentExp.
-    def enterValPathPresentExp(self, ctx: ScimFilterParser.ValPathPresentExpContext):
-        pass
-
-    # Exit a parse tree produced by ScimFilterParser#valPathPresentExp.
-    def exitValPathPresentExp(self, ctx: ScimFilterParser.ValPathPresentExpContext):
-        pass
-
-    # Enter a parse tree produced by ScimFilterParser#valPathAndExp.
-    def enterValPathAndExp(self, ctx: ScimFilterParser.ValPathAndExpContext):
-        pass
-
-    # Exit a parse tree produced by ScimFilterParser#valPathAndExp.
-    def exitValPathAndExp(self, ctx: ScimFilterParser.ValPathAndExpContext):
-        pass
-
-    # Enter a parse tree produced by ScimFilterParser#valPathOrExp.
-    def enterValPathOrExp(self, ctx: ScimFilterParser.ValPathOrExpContext):
-        pass
-
-    # Exit a parse tree produced by ScimFilterParser#valPathOrExp.
-    def exitValPathOrExp(self, ctx: ScimFilterParser.ValPathOrExpContext):
-        pass
-
-    # Enter a parse tree produced by ScimFilterParser#valPathBraceExp.
-    def enterValPathBraceExp(self, ctx: ScimFilterParser.ValPathBraceExpContext):
-        pass
-
-    # Exit a parse tree produced by ScimFilterParser#valPathBraceExp.
-    def exitValPathBraceExp(self, ctx: ScimFilterParser.ValPathBraceExpContext):
-        pass
-
-    # Enter a parse tree produced by ScimFilterParser#attrPath.
-    def enterAttrPath(self, ctx: ScimFilterParser.AttrPathContext):
-        pass
-
-    # Exit a parse tree produced by ScimFilterParser#attrPath.
-    def exitAttrPath(self, ctx: ScimFilterParser.AttrPathContext):
-        pass
-
-
-del ScimFilterParser

authentik/sources/scim/filters/django.py

@@ -1,101 +0,0 @@
-"""Django listener"""
-from django.db.models import Q
-from django.utils.tree import Node
-
-from authentik.sources.scim.filters.ScimFilterListener import ScimFilterListener
-from authentik.sources.scim.filters.ScimFilterParser import ScimFilterParser
-
-
-class DjangoQueryListener(ScimFilterListener):
-    """SCIM filter listener that converts it to a query"""
-
-    _query: Node
-    _last_node: Node
-
-    def __init__(self) -> None:
-        super().__init__()
-        self._query = Q()
-        self._last_node = Q()
-
-    @property
-    def query(self) -> Node:
-        return self._query
-
-    def enterParse(self, ctx: ScimFilterParser.ParseContext):
-        print("enterParse", ctx)
-
-    def exitParse(self, ctx: ScimFilterParser.ParseContext):
-        print("exitParse", ctx)
-
-    def enterAndExp(self, ctx: ScimFilterParser.AndExpContext):
-        print("enterAndExp", ctx)
-
-    def exitAndExp(self, ctx: ScimFilterParser.AndExpContext):
-        print("exitAndExp", ctx)
-
-    def enterValPathExp(self, ctx: ScimFilterParser.ValPathExpContext):
-        print("enterValPathExp", ctx.getText())
-
-    def exitValPathExp(self, ctx: ScimFilterParser.ValPathExpContext):
-        print("exitValPathExp", ctx)
-
-    def enterPresentExp(self, ctx: ScimFilterParser.PresentExpContext):
-        print("enterPresentExp", ctx)
-
-    def exitPresentExp(self, ctx: ScimFilterParser.PresentExpContext):
-        print("exitPresentExp", ctx)
-
-    def enterOperatorExp(self, ctx: ScimFilterParser.OperatorExpContext):
-        print("enterOperatorExp", ctx)
-
-    def exitOperatorExp(self, ctx: ScimFilterParser.OperatorExpContext):
-        print("exitOperatorExp", ctx)
-
-    def enterBraceExp(self, ctx: ScimFilterParser.BraceExpContext):
-        print("enterBraceExp", ctx)
-
-    def exitBraceExp(self, ctx: ScimFilterParser.BraceExpContext):
-        print("exitBraceExp", ctx)
-
-    def enterOrExp(self, ctx: ScimFilterParser.OrExpContext):
-        print("enterOrExp", ctx)
-
-    def exitOrExp(self, ctx: ScimFilterParser.OrExpContext):
-        print("exitOrExp", ctx)
-
-    def enterValPathOperatorExp(self, ctx: ScimFilterParser.ValPathOperatorExpContext):
-        print("enterValPathOperatorExp", ctx)
-
-    def exitValPathOperatorExp(self, ctx: ScimFilterParser.ValPathOperatorExpContext):
-        print("exitValPathOperatorExp", ctx)
-
-    def enterValPathPresentExp(self, ctx: ScimFilterParser.ValPathPresentExpContext):
-        print("enterValPathPresentExp", ctx)
-
-    def exitValPathPresentExp(self, ctx: ScimFilterParser.ValPathPresentExpContext):
-        print("exitValPathPresentExp", ctx)
-
-    def enterValPathAndExp(self, ctx: ScimFilterParser.ValPathAndExpContext):
-        print("enterValPathAndExp", ctx.getText())
-
-    def exitValPathAndExp(self, ctx: ScimFilterParser.ValPathAndExpContext):
-        print("exitValPathAndExp", ctx)
-
-    def enterValPathOrExp(self, ctx: ScimFilterParser.ValPathOrExpContext):
-        print("enterValPathOrExp", ctx)
-
-    def exitValPathOrExp(self, ctx: ScimFilterParser.ValPathOrExpContext):
-        print("exitValPathOrExp", ctx)
-
-    def enterValPathBraceExp(self, ctx: ScimFilterParser.ValPathBraceExpContext):
-        print("enterValPathBraceExp", ctx)
-
-    def exitValPathBraceExp(self, ctx: ScimFilterParser.ValPathBraceExpContext):
-        print("exitValPathBraceExp", ctx)
-
-    def enterAttrPath(self, ctx: ScimFilterParser.AttrPathContext):
-        self._last_node = Q(ctx.getText())
-
-    def exitAttrPath(self, ctx: ScimFilterParser.AttrPathContext):
-        self._query = self._last_node
-        self._last_node = Q()

authentik/sources/scim/migrations/0001_initial.py

@@ -1,46 +0,0 @@
-# Generated by Django 4.0.5 on 2022-06-06 21:37
-
-import django.db.models.deletion
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    initial = True
-
-    dependencies = [
-        ("authentik_core", "0020_application_open_in_new_tab"),
-    ]
-
-    operations = [
-        migrations.CreateModel(
-            name="SCIMSource",
-            fields=[
-                (
-                    "source_ptr",
-                    models.OneToOneField(
-                        auto_created=True,
-                        on_delete=django.db.models.deletion.CASCADE,
-                        parent_link=True,
-                        primary_key=True,
-                        serialize=False,
-                        to="authentik_core.source",
-                    ),
-                ),
-                (
-                    "token",
-                    models.ForeignKey(
-                        default=None,
-                        null=True,
-                        on_delete=django.db.models.deletion.CASCADE,
-                        to="authentik_core.token",
-                    ),
-                ),
-            ],
-            options={
-                "verbose_name": "SCIM Source",
-                "verbose_name_plural": "SCIM Sources",
-            },
-            bases=("authentik_core.source",),
-        ),
-    ]

authentik/sources/scim/models.py

@@ -1,36 +0,0 @@
-"""SCIM Source"""
-from django.db import models
-from django.utils.translation import gettext_lazy as _
-from rest_framework.serializers import BaseSerializer
-
-from authentik.core.models import Source, Token
-
-USER_ATTRIBUTE_SCIM_ID = "goauthentik.io/sources/scim/id"
-USER_ATTRIBUTE_SCIM_ADDRESS = "goauthentik.io/sources/scim/address"
-USER_ATTRIBUTE_SCIM_ENTERPRISE = "goauthentik.io/sources/scim/enterprise"
-
-
-class SCIMSource(Source):
-    """System for Cross-domain Identity Management Source, allows for
-    cross-system user provisioning"""
-
-    token = models.ForeignKey(Token, on_delete=models.CASCADE, null=True, default=None)
-
-    @property
-    def component(self) -> str:
-        """Return component used to edit this object"""
-        return "ak-source-scim-form"
-
-    @property
-    def serializer(self) -> BaseSerializer:
-        from authentik.sources.scim.api import SCIMSourceSerializer
-
-        return SCIMSourceSerializer
-
-    def __str__(self) -> str:
-        return f"SCIM Source {self.name}"
-
-    class Meta:
-
-        verbose_name = _("SCIM Source")
-        verbose_name_plural = _("SCIM Sources")

authentik/sources/scim/tests/test_auth.py

@@ -1,86 +0,0 @@
-"""Test SCIM Auth"""
-from django.urls import reverse
-from rest_framework.test import APITestCase
-
-from authentik.core.models import Token, TokenIntents
-from authentik.core.tests.utils import create_test_admin_user
-from authentik.lib.generators import generate_id
-from authentik.sources.scim.models import SCIMSource
-
-
-class TestSCIMAuth(APITestCase):
-    """Test SCIM Auth view"""
-
-    def setUp(self) -> None:
-        self.user = create_test_admin_user()
-        self.token = Token.objects.create(
-            user=self.user,
-            identifier=generate_id(),
-            intent=TokenIntents.INTENT_API,
-        )
-        self.token2 = Token.objects.create(
-            user=self.user,
-            identifier=generate_id(),
-            intent=TokenIntents.INTENT_API,
-        )
-        self.token3 = Token.objects.create(
-            user=self.user,
-            identifier=generate_id(),
-            intent=TokenIntents.INTENT_API,
-        )
-        self.source = SCIMSource.objects.create(
-            name=generate_id(), slug=generate_id(), token=self.token
-        )
-        self.source2 = SCIMSource.objects.create(
-            name=generate_id(), slug=generate_id(), token=self.token2
-        )
-
-    def test_auth_ok(self):
-        """Test successful auth"""
-        response = self.client.get(
-            reverse(
-                "authentik_sources_scim:v2-schema",
-                kwargs={
-                    "source_slug": self.source.slug,
-                },
-            ),
-            HTTP_AUTHORIZATION=f"Bearer {self.token.key}",
-        )
-        self.assertEqual(response.status_code, 200)
-
-    def test_auth_missing(self):
-        """Test without header"""
-        response = self.client.get(
-            reverse(
-                "authentik_sources_scim:v2-schema",
-                kwargs={
-                    "source_slug": self.source.slug,
-                },
-            ),
-        )
-        self.assertEqual(response.status_code, 403)
-
-    def test_auth_wrong_token(self):
-        """Test with wrong token"""
-        # Token for wrong source
-        response = self.client.get(
-            reverse(
-                "authentik_sources_scim:v2-schema",
-                kwargs={
-                    "source_slug": self.source.slug,
-                },
-            ),
-            HTTP_AUTHORIZATION=f"Bearer {self.token2.key}",
-        )
-        self.assertEqual(response.status_code, 403)
-        # Token for no source
-        response = self.client.get(
-            reverse(
-                "authentik_sources_scim:v2-schema",
-                kwargs={
-                    "source_slug": self.source.slug,
-                },
-            ),
-            HTTP_AUTHORIZATION=f"Bearer {self.token3.key}",
-        )
-        self.assertEqual(response.status_code, 403)

authentik/sources/scim/tests/test_resource_types.py

@@ -1,64 +0,0 @@
-"""Test SCIM ResourceTypes"""
-from django.urls import reverse
-from rest_framework.test import APITestCase
-
-from authentik.core.models import Token, TokenIntents
-from authentik.core.tests.utils import create_test_admin_user
-from authentik.lib.generators import generate_id
-from authentik.sources.scim.models import SCIMSource
-
-
-class TestSCIMResourceTypes(APITestCase):
-    """Test SCIM ResourceTypes view"""
-
-    def setUp(self) -> None:
-        self.user = create_test_admin_user()
-        self.token = Token.objects.create(
-            user=self.user,
-            identifier=generate_id(),
-            intent=TokenIntents.INTENT_API,
-        )
-        self.source = SCIMSource.objects.create(
-            name=generate_id(), slug=generate_id(), token=self.token
-        )
-
-    def test_resource_type(self):
-        """Test full resource type view"""
-        response = self.client.get(
-            reverse(
-                "authentik_sources_scim:v2-resource-types",
-                kwargs={
-                    "source_slug": self.source.slug,
-                },
-            ),
-            HTTP_AUTHORIZATION=f"Bearer {self.token.key}",
-        )
-        self.assertEqual(response.status_code, 200)
-
-    def test_resource_type_single(self):
-        """Test single resource type"""
-        response = self.client.get(
-            reverse(
-                "authentik_sources_scim:v2-resource-types",
-                kwargs={
-                    "source_slug": self.source.slug,
-                    "resource_type": "ServiceProviderConfig",
-                },
-            ),
-            HTTP_AUTHORIZATION=f"Bearer {self.token.key}",
-        )
-        self.assertEqual(response.status_code, 200)
-
-    def test_resource_type_single_404(self):
-        """Test single resource type (404"""
-        response = self.client.get(
-            reverse(
-                "authentik_sources_scim:v2-resource-types",
-                kwargs={
-                    "source_slug": self.source.slug,
-                    "resource_type": "foo",
-                },
-            ),
-            HTTP_AUTHORIZATION=f"Bearer {self.token.key}",
-        )
-        self.assertEqual(response.status_code, 404)

authentik/sources/scim/tests/test_schemas.py

@@ -1,64 +0,0 @@
-"""Test SCIM Schema"""
-from django.urls import reverse
-from rest_framework.test import APITestCase
-
-from authentik.core.models import Token, TokenIntents
-from authentik.core.tests.utils import create_test_admin_user
-from authentik.lib.generators import generate_id
-from authentik.sources.scim.models import SCIMSource
-
-
-class TestSCIMSchemas(APITestCase):
-    """Test SCIM Schema view"""
-
-    def setUp(self) -> None:
-        self.user = create_test_admin_user()
-        self.token = Token.objects.create(
-            user=self.user,
-            identifier=generate_id(),
-            intent=TokenIntents.INTENT_API,
-        )
-        self.source = SCIMSource.objects.create(
-            name=generate_id(), slug=generate_id(), token=self.token
-        )
-
-    def test_schema(self):
-        """Test full schema view"""
-        response = self.client.get(
-            reverse(
-                "authentik_sources_scim:v2-schema",
-                kwargs={
-                    "source_slug": self.source.slug,
-                },
-            ),
-            HTTP_AUTHORIZATION=f"Bearer {self.token.key}",
-        )
-        self.assertEqual(response.status_code, 200)
-
-    def test_schema_single(self):
-        """Test single schema"""
-        response = self.client.get(
-            reverse(
-                "authentik_sources_scim:v2-schema",
-                kwargs={
-                    "source_slug": self.source.slug,
-                    "schema_uri": "urn:ietf:params:scim:schemas:core:2.0:Meta",
-                },
-            ),
-            HTTP_AUTHORIZATION=f"Bearer {self.token.key}",
-        )
-        self.assertEqual(response.status_code, 200)
-
-    def test_schema_single_404(self):
-        """Test single schema (404"""
-        response = self.client.get(
-            reverse(
-                "authentik_sources_scim:v2-schema",
-                kwargs={
-                    "source_slug": self.source.slug,
-                    "schema_uri": "foo",
-                },
-            ),
-            HTTP_AUTHORIZATION=f"Bearer {self.token.key}",
-        )
-        self.assertEqual(response.status_code, 404)

authentik/sources/scim/tests/test_service_provider_config.py

@@ -1,36 +0,0 @@
-"""Test SCIM ServiceProviderConfig"""
-from django.urls import reverse
-from rest_framework.test import APITestCase
-
-from authentik.core.models import Token, TokenIntents
-from authentik.core.tests.utils import create_test_admin_user
-from authentik.lib.generators import generate_id
-from authentik.sources.scim.models import SCIMSource
-
-
-class TestSCIMServiceProviderConfig(APITestCase):
-    """Test SCIM ServiceProviderConfig view"""
-
-    def setUp(self) -> None:
-        self.user = create_test_admin_user()
-        self.token = Token.objects.create(
-            user=self.user,
-            identifier=generate_id(),
-            intent=TokenIntents.INTENT_API,
-        )
-        self.source = SCIMSource.objects.create(
-            name=generate_id(), slug=generate_id(), token=self.token
-        )
-
-    def test_config(self):
-        """Test full config view"""
-        response = self.client.get(
-            reverse(
-                "authentik_sources_scim:v2-service-provider-config",
-                kwargs={
-                    "source_slug": self.source.slug,
-                },
-            ),
-            HTTP_AUTHORIZATION=f"Bearer {self.token.key}",
-        )
-        self.assertEqual(response.status_code, 200)

authentik/sources/scim/tests/test_users.py

@@ -1,83 +0,0 @@
-"""Test SCIM User"""
-from json import dumps
-
-from django.urls import reverse
-from rest_framework.test import APITestCase
-
-from authentik.core.models import Token, TokenIntents, User
-from authentik.core.tests.utils import create_test_admin_user
-from authentik.lib.generators import generate_id
-from authentik.sources.scim.models import USER_ATTRIBUTE_SCIM_ID, SCIMSource
-from authentik.sources.scim.views.v2.base import SCIM_CONTENT_TYPE
-
-
-class TestSCIMUsers(APITestCase):
-    """Test SCIM User view"""
-
-    def setUp(self) -> None:
-        self.user = create_test_admin_user()
-        self.token = Token.objects.create(
-            user=self.user,
-            identifier=generate_id(),
-            intent=TokenIntents.INTENT_API,
-        )
-        self.source = SCIMSource.objects.create(
-            name=generate_id(), slug=generate_id(), token=self.token
-        )
-
-    def test_user_list(self):
-        """Test full user list"""
-        response = self.client.get(
-            reverse(
-                "authentik_sources_scim:v2-users",
-                kwargs={
-                    "source_slug": self.source.slug,
-                },
-            ),
-            HTTP_AUTHORIZATION=f"Bearer {self.token.key}",
-        )
-        self.assertEqual(response.status_code, 200)
-
-    def test_user_list_single(self):
-        """Test full user list (single user)"""
-        response = self.client.get(
-            reverse(
-                "authentik_sources_scim:v2-users",
-                kwargs={
-                    "source_slug": self.source.slug,
-                    "user_id": str(self.user.pk),
-                },
-            ),
-            HTTP_AUTHORIZATION=f"Bearer {self.token.key}",
-        )
-        self.assertEqual(response.status_code, 200)
-
-    def test_user_create(self):
-        """Test user create"""
-        ext_id = generate_id()
-        response = self.client.post(
-            reverse(
-                "authentik_sources_scim:v2-users",
-                kwargs={
-                    "source_slug": self.source.slug,
-                },
-            ),
-            data=dumps(
-                {
-                    "userName": generate_id(),
-                    "externalId": ext_id,
-                    "emails": [
-                        {
-                            "primary": True,
-                            "value": self.user.email,
-                        }
-                    ],
-                }
-            ),
-            content_type=SCIM_CONTENT_TYPE,
-            HTTP_AUTHORIZATION=f"Bearer {self.token.key}",
-        )
-        self.assertEqual(response.status_code, 201)
-        self.assertTrue(
-            User.objects.filter(**{f"attributes__{USER_ATTRIBUTE_SCIM_ID}": ext_id}).exists()
-        )

authentik/sources/scim/urls.py

@@ -1,64 +0,0 @@
-"""SCIM URLs"""
-from django.urls import path
-
-from authentik.sources.scim.views.v2 import (
-    base,
-    groups,
-    resource_types,
-    schemas,
-    service_provider_config,
-    users,
-)
-
-urlpatterns = [
-    path(
-        "<slug:source_slug>/v2",
-        base.SCIMRootView.as_view(),
-        name="v2-root",
-    ),
-    path(
-        "<slug:source_slug>/v2/Users",
-        users.UsersView.as_view(),
-        name="v2-users",
-    ),
-    path(
-        "<slug:source_slug>/v2/Users/<str:user_id>",
-        users.UsersView.as_view(),
-        name="v2-users",
-    ),
-    path(
-        "<slug:source_slug>/v2/Groups",
-        groups.GroupsView.as_view(),
-        name="v2-groups",
-    ),
-    path(
-        "<slug:source_slug>/v2/Groups/<str:group_id>",
-        groups.GroupsView.as_view(),
-        name="v2-groups",
-    ),
-    path(
-        "<slug:source_slug>/v2/Schemas",
-        schemas.SchemaView.as_view(),
-        name="v2-schema",
-    ),
-    path(
-        "<slug:source_slug>/v2/Schemas/<str:schema_uri>",
-        schemas.SchemaView.as_view(),
-        name="v2-schema",
-    ),
-    path(
-        "<slug:source_slug>/v2/ServiceProviderConfig",
-        service_provider_config.ServiceProviderConfigView.as_view(),
-        name="v2-service-provider-config",
-    ),
-    path(
-        "<slug:source_slug>/v2/ResourceTypes",
-        resource_types.ResourceTypesView.as_view(),
-        name="v2-resource-types",
-    ),
-    path(
-        "<slug:source_slug>/v2/ResourceTypes/<str:resource_type>",
-        resource_types.ResourceTypesView.as_view(),
-        name="v2-resource-types",
-    ),
-]

authentik/sources/scim/views/v2/auth.py

@@ -1,46 +0,0 @@
-"""SCIM Token auth"""
-from base64 import b64decode
-from typing import Any, Optional, Union
-
-from django.conf import settings
-from rest_framework.authentication import BaseAuthentication, get_authorization_header
-from rest_framework.request import Request
-
-from authentik.core.models import Token, TokenIntents, User
-
-
-class SCIMTokenAuth(BaseAuthentication):
-    """SCIM Token auth"""
-
-    def legacy(self, key: str, source_slug: str) -> Optional[Token]:  # pragma: no cover
-        """Legacy HTTP-Basic auth for testing"""
-        if not settings.TEST and not settings.DEBUG:
-            return None
-        _username, _, password = b64decode(key.encode()).decode().partition(":")
-        token = self.check_token(password, source_slug)
-        if token:
-            return (token.user, token)
-        return None
-
-    def check_token(self, key: str, source_slug: str) -> Optional[Token]:
-        """Check that a token exists, is not expired, and is assigned to the correct source"""
-        token = Token.filter_not_expired(key=key, intent=TokenIntents.INTENT_API).first()
-        if not token:
-            return None
-        if not token.scimsource_set.exists():
-            return None
-        if token.scimsource_set.first().slug != source_slug:
-            return None
-        return token
-
-    def authenticate(self, request: Request) -> Union[tuple[User, Any], None]:
-        kwargs = request._request.resolver_match.kwargs
-        source_slug = kwargs.get("source_slug", None)
-        auth = get_authorization_header(request).decode()
-        auth_type, _, key = auth.partition(" ")
-        if auth_type != "Bearer":
-            return self.legacy(key, source_slug)
-        token = self.check_token(key, source_slug)
-        if not token:
-            return None
-        return (token.user, token)

authentik/sources/scim/views/v2/base.py

@@ -1,81 +0,0 @@
-"""SCIM Utils"""
-from typing import Optional
-from urllib.parse import urlparse
-
-from antlr4 import CommonTokenStream, InputStream, ParseTreeWalker
-from django.urls import resolve
-from rest_framework.parsers import JSONParser
-from rest_framework.permissions import IsAuthenticated
-from rest_framework.renderers import JSONRenderer
-from rest_framework.request import Request
-from rest_framework.response import Response
-from rest_framework.views import APIView
-
-from authentik.core.models import Group, User
-from authentik.sources.scim.filters.django import DjangoQueryListener
-from authentik.sources.scim.filters.ScimFilterLexer import ScimFilterLexer
-from authentik.sources.scim.filters.ScimFilterParser import ScimFilterParser
-from authentik.sources.scim.views.v2.auth import SCIMTokenAuth
-
-SCIM_CONTENT_TYPE = "application/scim+json"
-
-
-class SCIMParser(JSONParser):
-    """SCIM clients use a custom content type"""
-
-    media_type = SCIM_CONTENT_TYPE
-
-
-class SCIMRenderer(JSONRenderer):
-    """SCIM clients also expect a custom content type"""
-
-    media_type = SCIM_CONTENT_TYPE
-
-
-class SCIMView(APIView):
-    """Base class for SCIM Views"""
-
-    authentication_classes = [SCIMTokenAuth]
-    permission_classes = [IsAuthenticated]
-    parser_classes = [SCIMParser]
-    renderer_classes = [SCIMRenderer]
-
-    def patch_resolve_value(self, raw_value: dict) -> Optional[User | Group]:
-        """Attempt to resolve a raw `value` attribute of a patch operation into
-        a database model"""
-        model = User
-        query = {}
-        if "$ref" in raw_value:
-            url = urlparse(raw_value["$ref"])
-            if match := resolve(url.path):
-                if match.url_name == "v2-users":
-                    model = User
-                    query = {"pk": int(match.kwargs["user_id"])}
-        elif "type" in raw_value:
-            match raw_value["tyoe"]:
-                case "User":
-                    model = User
-                    query = {"pk": int(raw_value["value"])}
-                case "Group":
-                    model = Group
-        else:
-            return None
-        return model.objects.filter(**query).first()
-
-    def patch_parse_path(self, path: str):
-        """Parse the path of a Patch Operation"""
-        lexer = ScimFilterLexer(InputStream(path))
-        stream = CommonTokenStream(lexer)
-        parser = ScimFilterParser(stream)
-        tree = parser.filter_()
-        listener = DjangoQueryListener()
-        walker = ParseTreeWalker()
-        walker.walk(listener, tree)
-        return listener.query
-
-
-class SCIMRootView(SCIMView):
-    """Root SCIM View"""
-
-    def dispatch(self, request: Request, *args, **kwargs) -> Response:
-        return Response({"message": "Use this base-URL with an SCIM-compatible system."})

authentik/sources/scim/views/v2/groups.py

@@ -1,126 +0,0 @@
-"""SCIM Group Views"""
-from typing import Optional
-
-from django.core.paginator import Paginator
-from django.db.transaction import atomic
-from django.http import Http404, QueryDict
-from django.urls import reverse
-from rest_framework.request import Request
-from rest_framework.response import Response
-from structlog.stdlib import get_logger
-
-from authentik.core.models import Group
-from authentik.sources.scim.errors import PatchError
-from authentik.sources.scim.views.v2.base import SCIM_CONTENT_TYPE, SCIMView
-
-LOGGER = get_logger()
-
-
-class GroupsView(SCIMView):
-    """SCIM Group View"""
-
-    def group_to_scim(self, group: Group) -> dict:
-        """Convert group to SCIM"""
-        return {
-            "id": str(group.pk),
-            "meta": {
-                "resourceType": "Group",
-                "location": self.request.build_absolute_uri(
-                    reverse(
-                        "authentik_sources_scim:v2-groups",
-                        kwargs={
-                            "source_slug": self.kwargs["source_slug"],
-                            "group_id": str(group.pk),
-                        },
-                    )
-                ),
-            },
-            "displayName": group.name,
-            "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
-        }
-
-    def get(self, request: Request, group_id: Optional[str] = None, **kwargs) -> Response:
-        """List Group handler"""
-        if group_id:
-            group = Group.objects.filter(pk=group_id).first()
-            if not group:
-                raise Http404
-            return Response(self.group_to_scim(group))
-        groups = Group.objects.all().order_by("pk")
-        per_page = 50
-        paginator = Paginator(groups, per_page=per_page)
-        start_index = int(request.query_params.get("startIndex", 1))
-        page = paginator.page(int(max(start_index / per_page, 1)))
-        return Response(
-            {
-                "totalResults": paginator.count,
-                "itemsPerPage": per_page,
-                "startIndex": page.start_index(),
-                "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
-                "Resources": [self.group_to_scim(group) for group in page],
-            }
-        )
-
-    def update_group(self, group: Group, data: QueryDict) -> Group:
-        """Partial update a group"""
-        if "displayName" in data:
-            group.name = data.get("displayName")
-        return group
-
-    def post(self, request: Request, **kwargs) -> Response:
-        """Create group handler"""
-        group = Group.objects.filter(name=request.data.get("displayName")).first()
-        if group:
-            LOGGER.debug("Found existing group")
-            return Response(status=409)
-        group = self.update_group(Group(), request.data)
-        group.save()
-        return Response(self.group_to_scim(group), status=201)
-
-    def patch(self, request: Request, group_id: str, **kwargs) -> Response:
-        """Update group handler"""
-        group: Optional[Group] = Group.objects.filter(pk=group_id).first()
-        if not group:
-            raise Http404
-        if request.data.get("schemas", []) != ["urn:ietf:params:scim:api:messages:2.0:PatchOp"]:
-            return Response(status=400)
-        try:
-            with atomic():
-                for op in request.data.get("Operations", []):
-                    path = self.patch_parse_path(op["path"])
-                    operation = op["op"]
-                    raw_value = op.get("value", None)
-                    values = []
-                    for value in raw_value:
-                        values.append(self.patch_resolve_value(value))
-                    match operation:
-                        case "add":
-                            group.users.add(*[x.pk for x in values])
-                        case "remove":
-                            pass
-                return Response(self.group_to_scim(group), status=200)
-        except (KeyError, PatchError):
-            return Response(status=400)
-
-    def put(self, request: Request, group_id: str, **kwargs) -> Response:
-        """Update group handler"""
-        group: Optional[Group] = Group.objects.filter(pk=group_id).first()
-        if not group:
-            raise Http404
-        self.update_group(group, request.data)
-        group.save()
-        return Response(self.group_to_scim(group), status=200)
-
-    def delete(self, request: Request, group_id: str, **kwargs) -> Response:
-        """Delete group handler"""
-        group: Optional[Group] = Group.objects.filter(pk=group_id).first()
-        if not group:
-            raise Http404
-        group.delete()
-        return Response(
-            {},
-            status=204,
-            headers={
-                "Content-Type": SCIM_CONTENT_TYPE,
-            },
-        )

authentik/sources/scim/views/v2/resource_types.py

@@ -1,153 +0,0 @@
-"""SCIM Meta views"""
-from typing import Optional
-
-from django.http import Http404
-from django.urls import reverse
-from rest_framework.request import Request
-from rest_framework.response import Response
-
-from authentik.sources.scim.views.v2.base import SCIMView
-
-
-class ResourceTypesView(SCIMView):
-    """https://ldapwiki.com/wiki/SCIM%20ResourceTypes%20endpoint"""
-
-    def get_resource_types(self):
-        """List all resource types"""
-        return [
-            {
-                "id": "ServiceProviderConfig",
-                "name": "ServiceProviderConfig",
-                "description": "the service providers configuration",
-                "endpoint": "/ServiceProviderConfig",
-                "schema": "urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig",
-                "schemas": [
-                    "urn:ietf:params:scim:schemas:core:2.0:ResourceType",
-                ],
-                "meta": {
-                    "resourceType": "ResourceType",
-                    "location": self.request.build_absolute_uri(
-                        reverse(
-                            "authentik_sources_scim:v2-resource-types",
-                            kwargs={
-                                "source_slug": self.kwargs["source_slug"],
-                                "resource_type": "ServiceProviderConfig",
-                            },
-                        )
-                    ),
-                },
-            },
-            {
-                "id": "ResourceType",
-                "name": "ResourceType",
-                "description": "ResourceType",
-                "endpoint": "/ResourceTypes",
-                "schema": "urn:ietf:params:scim:schemas:core:2.0:ResourceType",
-                "schemas": [
-                    "urn:ietf:params:scim:schemas:core:2.0:ResourceType",
-                ],
-                "meta": {
-                    "resourceType": "ResourceType",
-                    "location": self.request.build_absolute_uri(
-                        reverse(
-                            "authentik_sources_scim:v2-resource-types",
-                            kwargs={
-                                "source_slug": self.kwargs["source_slug"],
-                                "resource_type": "ResourceType",
-                            },
-                        )
-                    ),
-                },
-            },
-            {
-                "id": "Schema",
-                "name": "Schema",
-                "description": "Schema endpoint description",
-                "endpoint": "/Schemas",
-                "schema": "urn:ietf:params:scim:schemas:core:2.0:Schema",
-                "schemas": [
-                    "urn:ietf:params:scim:schemas:core:2.0:ResourceType",
-                ],
-                "meta": {
-                    "resourceType": "ResourceType",
-                    "location": self.request.build_absolute_uri(
-                        reverse(
-                            "authentik_sources_scim:v2-resource-types",
-                            kwargs={
-                                "source_slug": self.kwargs["source_slug"],
-                                "resource_type": "Schema",
-                            },
-                        )
-                    ),
-                },
-            },
-            {
-                "id": "User",
-                "name": "User",
-                "endpoint": "/Users",
-                "description": "https://tools.ietf.org/html/rfc7643#section-8.7.1",
-                "schemas": ["urn:ietf:params:scim:schemas:core:2.0:ResourceType"],
-                "schema": "urn:ietf:params:scim:schemas:core:2.0:User",
-                "schemaExtensions": [
-                    {
-                        "schema": "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User",
-                        "required": True,
-                    }
-                ],
-                "meta": {
-                    "location": self.request.build_absolute_uri(
-                        reverse(
-                            "authentik_sources_scim:v2-resource-types",
-                            kwargs={
-                                "source_slug": self.kwargs["source_slug"],
-                                "resource_type": "User",
-                            },
-                        )
-                    ),
-                    "resourceType": "ResourceType",
-                },
-            },
-            {
-                "id": "Group",
-                "name": "Group",
-                "description": "Group",
-                "endpoint": "/Groups",
-                "schema": "urn:ietf:params:scim:schemas:core:2.0:Group",
-                "schemas": [
-                    "urn:ietf:params:scim:schemas:core:2.0:ResourceType",
-                ],
-                "meta": {
-                    "resourceType": "ResourceType",
-                    "location": self.request.build_absolute_uri(
-                        reverse(
-                            "authentik_sources_scim:v2-resource-types",
-                            kwargs={
-                                "source_slug": self.kwargs["source_slug"],
-                                "resource_type": "Group",
-                            },
-                        )
-                    ),
-                },
-            },
-        ]
-
-    # pylint: disable=unused-argument
-    def get(
-        self, request: Request, source_slug: str, resource_type: Optional[str] = None
-    ) -> Response:
-        """Get resource types as SCIM response"""
-        resource_types = self.get_resource_types()
-        if resource_type:
-            resource = [x for x in resource_types if x.get("id") == resource_type]
-            if resource:
-                return Response(resource[0])
-            raise Http404
-        return Response(
-            {
-                "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
-                "totalResults": len(resource_types),
-                "itemsPerPage": len(resource_types),
-                "startIndex": 1,
-                "Resources": resource_types,
-            }
-        )