update

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

.bumpversion.cfg

@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2023.10.6
+current_version = 2023.10.3
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)

.github/actions/setup/action.yml

@@ -2,39 +2,36 @@ name: "Setup authentik testing environment"
 description: "Setup authentik testing environment"
 
 inputs:
-  postgresql_version:
+  postgresql_tag:
     description: "Optional postgresql image tag"
     default: "12"
 
 runs:
   using: "composite"
   steps:
-    - name: Install poetry & deps
+    - name: Install poetry
       shell: bash
       run: |
         pipx install poetry || true
-        sudo apt-get update
-        sudo apt-get install --no-install-recommends -y libpq-dev openssl libxmlsec1-dev pkg-config gettext
+        sudo apt update
+        sudo apt install -y libpq-dev openssl libxmlsec1-dev pkg-config gettext
     - name: Setup python and restore poetry
-      uses: actions/setup-python@v4
+      uses: actions/setup-python@v3
       with:
-        python-version-file: 'pyproject.toml'
+        python-version: "3.11"
         cache: "poetry"
     - name: Setup node
       uses: actions/setup-node@v3
       with:
-        node-version-file: web/package.json
+        node-version: "20"
         cache: "npm"
         cache-dependency-path: web/package-lock.json
-    - name: Setup go
-      uses: actions/setup-go@v4
-      with:
-        go-version-file: "go.mod"
     - name: Setup dependencies
       shell: bash
       run: |
-        export PSQL_TAG=${{ inputs.postgresql_version }}
+        export PSQL_TAG=${{ inputs.postgresql_tag }}
         docker-compose -f .github/actions/setup/docker-compose.yml up -d
+        poetry env use python3.11
         poetry install
         cd web && npm ci
     - name: Generate config

.github/workflows/ci-main.yml

@@ -48,38 +48,25 @@ jobs:
       - name: run migrations
         run: poetry run python -m lifecycle.migrate
   test-migrations-from-stable:
-    name: test-migrations-from-stable - PostgreSQL ${{ matrix.psql }}
     runs-on: ubuntu-latest
-    strategy:
-      fail-fast: false
-      matrix:
-        psql:
-          - 12-alpine
-          - 15-alpine
-          - 16-alpine
+    continue-on-error: true
     steps:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
       - name: Setup authentik env
         uses: ./.github/actions/setup
-        with:
-          postgresql_version: ${{ matrix.psql }}
       - name: checkout stable
         run: |
-          # Delete all poetry envs
-          rm -rf /home/runner/.cache/pypoetry
           # Copy current, latest config to local
           cp authentik/lib/default.yml local.env.yml
           cp -R .github ..
           cp -R scripts ..
-          git checkout version/$(python -c "from authentik import __version__; print(__version__)")
+          git checkout $(git describe --tags $(git rev-list --tags --max-count=1))
           rm -rf .github/ scripts/
           mv ../.github ../scripts .
       - name: Setup authentik env (ensure stable deps are installed)
         uses: ./.github/actions/setup
-        with:
-          postgresql_version: ${{ matrix.psql }}
       - name: run migrations to stable
         run: poetry run python -m lifecycle.migrate
       - name: checkout current code
@@ -89,13 +76,9 @@ jobs:
           git reset --hard HEAD
           git clean -d -fx .
           git checkout $GITHUB_SHA
-          # Delete previous poetry env
-          rm -rf $(poetry env info --path)
           poetry install
       - name: Setup authentik env (ensure latest deps are installed)
         uses: ./.github/actions/setup
-        with:
-          postgresql_version: ${{ matrix.psql }}
       - name: migrate to latest
         run: poetry run python -m lifecycle.migrate
   test-unittest:
@@ -114,7 +97,7 @@ jobs:
       - name: Setup authentik env
         uses: ./.github/actions/setup
         with:
-          postgresql_version: ${{ matrix.psql }}
+          postgresql_tag: ${{ matrix.psql }}
       - name: run unittest
         run: |
           poetry run make test

.github/workflows/ci-outpost.yml

@@ -130,7 +130,7 @@ jobs:
           go-version-file: "go.mod"
       - uses: actions/setup-node@v4
         with:
-          node-version-file: web/package.json
+          node-version: "20"
           cache: "npm"
           cache-dependency-path: web/package-lock.json
       - name: Generate API

.github/workflows/ci-web.yml

@@ -24,7 +24,7 @@ jobs:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4
         with:
-          node-version-file: ${{ matrix.project }}/package.json
+          node-version: "20"
           cache: "npm"
           cache-dependency-path: ${{ matrix.project }}/package-lock.json
       - working-directory: ${{ matrix.project }}/
@@ -40,7 +40,7 @@ jobs:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4
         with:
-          node-version-file: web/package.json
+          node-version: "20"
           cache: "npm"
           cache-dependency-path: web/package-lock.json
       - working-directory: web/
@@ -62,7 +62,7 @@ jobs:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4
         with:
-          node-version-file: ${{ matrix.project }}/package.json
+          node-version: "20"
           cache: "npm"
           cache-dependency-path: ${{ matrix.project }}/package-lock.json
       - working-directory: ${{ matrix.project }}/
@@ -78,7 +78,7 @@ jobs:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4
         with:
-          node-version-file: web/package.json
+          node-version: "20"
           cache: "npm"
           cache-dependency-path: web/package-lock.json
       - working-directory: web/
@@ -110,7 +110,7 @@ jobs:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4
         with:
-          node-version-file: web/package.json
+          node-version: "20"
           cache: "npm"
           cache-dependency-path: web/package-lock.json
       - working-directory: web/

.github/workflows/ci-website.yml

@@ -18,7 +18,7 @@ jobs:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4
         with:
-          node-version-file: website/package.json
+          node-version: "20"
           cache: "npm"
           cache-dependency-path: website/package-lock.json
       - working-directory: website/
@@ -32,7 +32,7 @@ jobs:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4
         with:
-          node-version-file: website/package.json
+          node-version: "20"
           cache: "npm"
           cache-dependency-path: website/package-lock.json
       - working-directory: website/
@@ -53,7 +53,7 @@ jobs:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4
         with:
-          node-version-file: website/package.json
+          node-version: "20"
           cache: "npm"
           cache-dependency-path: website/package-lock.json
       - working-directory: website/

.github/workflows/release-publish.yml

@@ -131,7 +131,7 @@ jobs:
           go-version-file: "go.mod"
       - uses: actions/setup-node@v4
         with:
-          node-version-file: web/package.json
+          node-version: "20"
           cache: "npm"
           cache-dependency-path: web/package-lock.json
       - name: Build web

.github/workflows/release-tag.yml

@@ -30,7 +30,7 @@ jobs:
           private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
       - name: Extract version number
         id: get_version
-        uses: actions/github-script@v6
+        uses: actions/github-script@v7
         with:
           github-token: ${{ steps.generate_token.outputs.token }}
           script: |

.github/workflows/translation-advice.yml

@@ -7,7 +7,8 @@ on:
     paths:
       - "!**"
       - "locale/**"
-      - "web/src/locales/**"
+      - "!locale/en/**"
+      - "web/xliff/**"
 
 jobs:
   post-comment:

.github/workflows/web-api-publish.yml

@@ -19,7 +19,7 @@ jobs:
           token: ${{ steps.generate_token.outputs.token }}
       - uses: actions/setup-node@v4
         with:
-          node-version-file: web/package.json
+          node-version: "20"
           registry-url: "https://registry.npmjs.org"
       - name: Generate API Client
         run: make gen-client-ts

Dockerfile

@@ -1,5 +1,3 @@
-# syntax=docker/dockerfile:1
-
 # Stage 1: Build website
 FROM --platform=${BUILDPLATFORM} docker.io/node:21 as website-builder
 
@@ -9,7 +7,7 @@ WORKDIR /work/website
 
 RUN --mount=type=bind,target=/work/website/package.json,src=./website/package.json \
     --mount=type=bind,target=/work/website/package-lock.json,src=./website/package-lock.json \
-    --mount=type=cache,id=npm-website,sharing=shared,target=/root/.npm \
+    --mount=type=cache,target=/root/.npm \
     npm ci --include=dev
 
 COPY ./website /work/website/
@@ -27,7 +25,7 @@ WORKDIR /work/web
 
 RUN --mount=type=bind,target=/work/web/package.json,src=./web/package.json \
     --mount=type=bind,target=/work/web/package-lock.json,src=./web/package-lock.json \
-    --mount=type=cache,id=npm-web,sharing=shared,target=/root/.npm \
+    --mount=type=cache,target=/root/.npm \
     npm ci --include=dev
 
 COPY ./web /work/web/
@@ -64,8 +62,8 @@ COPY ./go.sum /go/src/goauthentik.io/go.sum
 
 ENV CGO_ENABLED=0
 
-RUN --mount=type=cache,sharing=locked,target=/go/pkg/mod \
-    --mount=type=cache,id=go-build-$TARGETARCH$TARGETVARIANT,sharing=locked,target=/root/.cache/go-build \
+RUN --mount=type=cache,target=/go/pkg/mod \
+    --mount=type=cache,target=/root/.cache/go-build \
     GOARM="${TARGETVARIANT#v}" go build -o /go/authentik ./cmd/server
 
 # Stage 4: MaxMind GeoIP
@@ -91,9 +89,7 @@ ENV VENV_PATH="/ak-root/venv" \
     POETRY_VIRTUALENVS_CREATE=false \
     PATH="/ak-root/venv/bin:$PATH"
 
-RUN rm -f /etc/apt/apt.conf.d/docker-clean; echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache
-
-RUN --mount=type=cache,id=apt-$TARGETARCH$TARGETVARIANT,sharing=locked,target=/var/cache/apt \
+RUN --mount=type=cache,target=/var/cache/apt \
     apt-get update && \
     # Required for installing pip packages
     apt-get install -y --no-install-recommends build-essential pkg-config libxmlsec1-dev zlib1g-dev libpq-dev

Makefile

@@ -110,6 +110,8 @@ gen-diff:  ## (Release) generate the changelog diff between the current schema a
 		--markdown /local/diff.md \
 		/local/old_schema.yml /local/schema.yml
 	rm old_schema.yml
+	sed -i 's/{/{/g' diff.md
+	sed -i 's/}/}/g' diff.md
 	npx prettier --write diff.md
 
 gen-clean:

authentik/__init__.py

@@ -2,7 +2,7 @@
 from os import environ
 from typing import Optional
 
-__version__ = "2023.10.6"
+__version__ = "2023.10.3"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
 
 

authentik/api/schema.py

@@ -13,6 +13,8 @@ from rest_framework.settings import api_settings
 
 from authentik.api.pagination import PAGINATION_COMPONENT_NAME, PAGINATION_SCHEMA
 
+from authentik.api.apps import AuthentikAPIConfig
+
 
 def build_standard_type(obj, **kwargs):
     """Build a basic type with optional add owns."""
@@ -100,3 +102,12 @@ def postprocess_schema_responses(result, generator: SchemaGenerator, **kwargs):
             comp = result["components"]["schemas"][component]
             comp["additionalProperties"] = {}
     return result
+
+
+def preprocess_schema_exclude_non_api(endpoints, **kwargs):
+    """Filter out all API Views which are not mounted under /api"""
+    return [
+        (path, path_regex, method, callback)
+        for path, path_regex, method, callback in endpoints
+        if path.startswith("/" + AuthentikAPIConfig.mountpoint)
+    ]

authentik/api/v3/config.py

@@ -93,10 +93,10 @@ class ConfigView(APIView):
                     "traces_sample_rate": float(CONFIG.get("error_reporting.sample_rate", 0.4)),
                 },
                 "capabilities": self.get_capabilities(),
-                "cache_timeout": CONFIG.get_int("redis.cache_timeout"),
-                "cache_timeout_flows": CONFIG.get_int("redis.cache_timeout_flows"),
-                "cache_timeout_policies": CONFIG.get_int("redis.cache_timeout_policies"),
-                "cache_timeout_reputation": CONFIG.get_int("redis.cache_timeout_reputation"),
+                "cache_timeout": CONFIG.get_int("cache.timeout"),
+                "cache_timeout_flows": CONFIG.get_int("cache.timeout_flows"),
+                "cache_timeout_policies": CONFIG.get_int("cache.timeout_policies"),
+                "cache_timeout_reputation": CONFIG.get_int("cache.timeout_reputation"),
             }
         )
 

authentik/api/v3/urls.py

@@ -21,9 +21,7 @@ _other_urls = []
 for _authentik_app in get_apps():
     try:
         api_urls = import_module(f"{_authentik_app.name}.urls")
-    except ModuleNotFoundError:
-        continue
-    except ImportError as exc:
+    except (ModuleNotFoundError, ImportError) as exc:
         LOGGER.warning("Could not import app's URLs", app_name=_authentik_app.name, exc=exc)
         continue
     if not hasattr(api_urls, "api_urlpatterns"):

authentik/blueprints/apps.py

@@ -40,7 +40,7 @@ class ManagedAppConfig(AppConfig):
                 meth()
                 self._logger.debug("Successfully reconciled", name=name)
             except (DatabaseError, ProgrammingError, InternalError) as exc:
-                self._logger.warning("Failed to run reconcile", name=name, exc=exc)
+                self._logger.debug("Failed to run reconcile", name=name, exc=exc)
 
 
 class AuthentikBlueprintsConfig(ManagedAppConfig):

authentik/blueprints/v1/tasks.py

@@ -75,13 +75,13 @@ class BlueprintEventHandler(FileSystemEventHandler):
             return
         if event.is_directory:
             return
-        root = Path(CONFIG.get("blueprints_dir")).absolute()
-        path = Path(event.src_path).absolute()
-        rel_path = str(path.relative_to(root))
         if isinstance(event, FileCreatedEvent):
-            LOGGER.debug("new blueprint file created, starting discovery", path=rel_path)
-            blueprints_discovery.delay(rel_path)
+            LOGGER.debug("new blueprint file created, starting discovery")
+            blueprints_discovery.delay()
         if isinstance(event, FileModifiedEvent):
+            path = Path(event.src_path)
+            root = Path(CONFIG.get("blueprints_dir")).absolute()
+            rel_path = str(path.relative_to(root))
             for instance in BlueprintInstance.objects.filter(path=rel_path, enabled=True):
                 LOGGER.debug("modified blueprint file, starting apply", instance=instance)
                 apply_blueprint.delay(instance.pk.hex)
@@ -98,32 +98,39 @@ def blueprints_find_dict():
     return blueprints
 
 
-def blueprints_find() -> list[BlueprintFile]:
+def blueprints_find():
     """Find blueprints and return valid ones"""
     blueprints = []
     root = Path(CONFIG.get("blueprints_dir"))
     for path in root.rglob("**/*.yaml"):
-        rel_path = path.relative_to(root)
         # Check if any part in the path starts with a dot and assume a hidden file
         if any(part for part in path.parts if part.startswith(".")):
             continue
+        LOGGER.debug("found blueprint", path=str(path))
         with open(path, "r", encoding="utf-8") as blueprint_file:
             try:
                 raw_blueprint = load(blueprint_file.read(), BlueprintLoader)
             except YAMLError as exc:
                 raw_blueprint = None
-                LOGGER.warning("failed to parse blueprint", exc=exc, path=str(rel_path))
+                LOGGER.warning("failed to parse blueprint", exc=exc, path=str(path))
             if not raw_blueprint:
                 continue
             metadata = raw_blueprint.get("metadata", None)
             version = raw_blueprint.get("version", 1)
             if version != 1:
-                LOGGER.warning("invalid blueprint version", version=version, path=str(rel_path))
+                LOGGER.warning("invalid blueprint version", version=version, path=str(path))
                 continue
         file_hash = sha512(path.read_bytes()).hexdigest()
-        blueprint = BlueprintFile(str(rel_path), version, file_hash, int(path.stat().st_mtime))
+        blueprint = BlueprintFile(
+            str(path.relative_to(root)), version, file_hash, int(path.stat().st_mtime)
+        )
         blueprint.meta = from_dict(BlueprintMetadata, metadata) if metadata else None
         blueprints.append(blueprint)
+        LOGGER.debug(
+            "parsed & loaded blueprint",
+            hash=file_hash,
+            path=str(path),
+        )
     return blueprints
 
 
@@ -131,12 +138,10 @@ def blueprints_find() -> list[BlueprintFile]:
     throws=(DatabaseError, ProgrammingError, InternalError), base=MonitoredTask, bind=True
 )
 @prefill_task
-def blueprints_discovery(self: MonitoredTask, path: Optional[str] = None):
+def blueprints_discovery(self: MonitoredTask):
     """Find blueprints and check if they need to be created in the database"""
     count = 0
     for blueprint in blueprints_find():
-        if path and blueprint.path != path:
-            continue
         check_blueprint_v1_file(blueprint)
         count += 1
     self.set_status(
@@ -166,11 +171,7 @@ def check_blueprint_v1_file(blueprint: BlueprintFile):
             metadata={},
         )
         instance.save()
-        LOGGER.info(
-            "Creating new blueprint instance from file", instance=instance, path=instance.path
-        )
     if instance.last_applied_hash != blueprint.hash:
-        LOGGER.info("Applying blueprint due to changed file", instance=instance, path=instance.path)
         apply_blueprint.delay(str(instance.pk))
 
 

authentik/core/api/sources.py

@@ -38,7 +38,7 @@ class SourceSerializer(ModelSerializer, MetaNameSerializer):
 
     managed = ReadOnlyField()
     component = SerializerMethodField()
-    icon = ReadOnlyField(source="icon_url")
+    icon = ReadOnlyField(source="get_icon")
 
     def get_component(self, obj: Source) -> str:
         """Get object component so that we know how to edit the object"""

authentik/core/api/users.py

@@ -171,11 +171,6 @@ class UserSerializer(ModelSerializer):
             raise ValidationError("Setting a user to internal service account is not allowed.")
         return user_type
 
-    def validate(self, attrs: dict) -> dict:
-        if self.instance and self.instance.type == UserTypes.INTERNAL_SERVICE_ACCOUNT:
-            raise ValidationError("Can't modify internal service account users")
-        return super().validate(attrs)
-
     class Meta:
         model = User
         fields = [

authentik/core/expression/evaluator.py

@@ -44,7 +44,6 @@ class PropertyMappingEvaluator(BaseEvaluator):
         if request:
             req.http_request = request
         self._context["request"] = req
-        req.context.update(**kwargs)
         self._context.update(**kwargs)
         self.dry_run = dry_run
 

authentik/core/templates/base/skeleton.html

@@ -13,6 +13,7 @@
         {% block head_before %}
         {% endblock %}
         <link rel="stylesheet" type="text/css" href="{% static 'dist/authentik.css' %}">
+        <link rel="stylesheet" type="text/css" href="{% static 'dist/theme-dark.css' %}" media="(prefers-color-scheme: dark)">
         <link rel="stylesheet" type="text/css" href="{% static 'dist/custom.css' %}" data-inject>
         <script src="{% static 'dist/poly.js' %}?version={{ version }}" type="module"></script>
         <script src="{% static 'dist/standalone/loading/index.js' %}?version={{ version }}" type="module"></script>

authentik/core/templates/login/base_full.html

@@ -6,7 +6,6 @@
 {% block head_before %}
 <link rel="prefetch" href="/static/dist/assets/images/flow_background.jpg" />
 <link rel="stylesheet" type="text/css" href="{% static 'dist/patternfly.min.css' %}">
-<link rel="stylesheet" type="text/css" href="{% static 'dist/theme-dark.css' %}" media="(prefers-color-scheme: dark)">
 {% include "base/header_js.html" %}
 {% endblock %}
 

authentik/events/middleware.py

@@ -27,7 +27,6 @@ from authentik.lib.sentry import before_send
 from authentik.lib.utils.errors import exception_to_string
 from authentik.outposts.models import OutpostServiceConnection
 from authentik.policies.models import Policy, PolicyBindingModel
-from authentik.policies.reputation.models import Reputation
 from authentik.providers.oauth2.models import AccessToken, AuthorizationCode, RefreshToken
 from authentik.providers.scim.models import SCIMGroup, SCIMUser
 from authentik.stages.authenticator_static.models import StaticToken
@@ -53,13 +52,11 @@ IGNORED_MODELS = (
     RefreshToken,
     SCIMUser,
     SCIMGroup,
-    Reputation,
 )
 
 
 def should_log_model(model: Model) -> bool:
     """Return true if operation on `model` should be logged"""
-    # Check for silk by string so this comparison doesn't fail when silk isn't installed
     if model.__module__.startswith("silk"):
         return False
     return model.__class__ not in IGNORED_MODELS
@@ -96,30 +93,21 @@ class AuditMiddleware:
     of models"""
 
     get_response: Callable[[HttpRequest], HttpResponse]
-    anonymous_user: User = None
 
     def __init__(self, get_response: Callable[[HttpRequest], HttpResponse]):
         self.get_response = get_response
 
-    def _ensure_fallback_user(self):
-        """Defer fetching anonymous user until we have to"""
-        if self.anonymous_user:
-            return
-        from guardian.shortcuts import get_anonymous_user
-
-        self.anonymous_user = get_anonymous_user()
-
     def connect(self, request: HttpRequest):
         """Connect signal for automatic logging"""
-        self._ensure_fallback_user()
-        user = getattr(request, "user", self.anonymous_user)
-        if not user.is_authenticated:
-            user = self.anonymous_user
+        if not hasattr(request, "user"):
+            return
+        if not getattr(request.user, "is_authenticated", False):
+            return
         if not hasattr(request, "request_id"):
             return
-        post_save_handler = partial(self.post_save_handler, user=user, request=request)
-        pre_delete_handler = partial(self.pre_delete_handler, user=user, request=request)
-        m2m_changed_handler = partial(self.m2m_changed_handler, user=user, request=request)
+        post_save_handler = partial(self.post_save_handler, user=request.user, request=request)
+        pre_delete_handler = partial(self.pre_delete_handler, user=request.user, request=request)
+        m2m_changed_handler = partial(self.m2m_changed_handler, user=request.user, request=request)
         post_save.connect(
             post_save_handler,
             dispatch_uid=request.request_id,

authentik/events/models.py

@@ -217,7 +217,6 @@ class Event(SerializerModel, ExpiringModel):
                 "path": request.path,
                 "method": request.method,
                 "args": cleanse_dict(QueryDict(request.META.get("QUERY_STRING", ""))),
-                "user_agent": request.META.get("HTTP_USER_AGENT", ""),
             }
             # Special case for events created during flow execution
             # since they keep the http query within a wrapped query

authentik/events/tests/test_event.py

@@ -53,15 +53,7 @@ class TestEvents(TestCase):
         """Test plain from_http"""
         event = Event.new("unittest").from_http(self.factory.get("/"))
         self.assertEqual(
-            event.context,
-            {
-                "http_request": {
-                    "args": {},
-                    "method": "GET",
-                    "path": "/",
-                    "user_agent": "",
-                }
-            },
+            event.context, {"http_request": {"args": {}, "method": "GET", "path": "/"}}
         )
 
     def test_from_http_clean_querystring(self):
@@ -75,7 +67,6 @@ class TestEvents(TestCase):
                     "args": {"token": SafeExceptionReporterFilter.cleansed_substitute},
                     "method": "GET",
                     "path": "/",
-                    "user_agent": "",
                 }
             },
         )
@@ -92,7 +83,6 @@ class TestEvents(TestCase):
                     "args": {"token": SafeExceptionReporterFilter.cleansed_substitute},
                     "method": "GET",
                     "path": "/",
-                    "user_agent": "",
                 }
             },
         )

authentik/events/utils.py

@@ -5,13 +5,12 @@ from dataclasses import asdict, is_dataclass
 from datetime import date, datetime, time, timedelta
 from enum import Enum
 from pathlib import Path
-from types import GeneratorType, NoneType
+from types import GeneratorType
 from typing import Any, Optional
 from uuid import UUID
 
 from django.contrib.auth.models import AnonymousUser
 from django.core.handlers.wsgi import WSGIRequest
-from django.core.serializers.json import DjangoJSONEncoder
 from django.db import models
 from django.db.models.base import Model
 from django.http.request import HttpRequest
@@ -160,14 +159,7 @@ def sanitize_item(value: Any) -> Any:
             "name": value.__name__,
             "module": value.__module__,
         }
-    # List taken from the stdlib's JSON encoder (_make_iterencode, encoder.py:415)
-    if isinstance(value, (bool, int, float, NoneType, list, tuple, dict)):
-        return value
-    try:
-        return DjangoJSONEncoder().default(value)
-    except TypeError:
-        return str(value)
-    return str(value)
+    return value
 
 
 def sanitize_dict(source: dict[Any, Any]) -> dict[Any, Any]:

authentik/flows/planner.py

@@ -33,7 +33,7 @@ PLAN_CONTEXT_SOURCE = "source"
 # Is set by the Flow Planner when a FlowToken was used, and the currently active flow plan
 # was restored.
 PLAN_CONTEXT_IS_RESTORED = "is_restored"
-CACHE_TIMEOUT = CONFIG.get_int("redis.cache_timeout_flows")
+CACHE_TIMEOUT = CONFIG.get_int("cache.timeout_flows")
 CACHE_PREFIX = "goauthentik.io/flows/planner/"
 
 

authentik/flows/stage.py

@@ -167,11 +167,7 @@ class ChallengeStageView(StageView):
                 stage_type=self.__class__.__name__, method="get_challenge"
             ).time(),
         ):
-            try:
-                challenge = self.get_challenge(*args, **kwargs)
-            except StageInvalidException as exc:
-                self.logger.debug("Got StageInvalidException", exc=exc)
-                return self.executor.stage_invalid()
+            challenge = self.get_challenge(*args, **kwargs)
         with Hub.current.start_span(
             op="authentik.flow.stage._get_challenge",
             description=self.__class__.__name__,

authentik/lib/config.py

@@ -1,4 +1,6 @@
 """authentik core config loader"""
+import base64
+import json
 import os
 from collections.abc import Mapping
 from contextlib import contextmanager
@@ -22,6 +24,25 @@ SEARCH_PATHS = ["authentik/lib/default.yml", "/etc/authentik/config.yml", ""] +
 ENV_PREFIX = "AUTHENTIK"
 ENVIRONMENT = os.getenv(f"{ENV_PREFIX}_ENV", "local")
 
+REDIS_ENV_KEYS = [
+    f"{ENV_PREFIX}_REDIS__HOST",
+    f"{ENV_PREFIX}_REDIS__PORT",
+    f"{ENV_PREFIX}_REDIS__DB",
+    f"{ENV_PREFIX}_REDIS__USERNAME",
+    f"{ENV_PREFIX}_REDIS__PASSWORD",
+    f"{ENV_PREFIX}_REDIS__TLS",
+    f"{ENV_PREFIX}_REDIS__TLS_REQS",
+]
+
+DEPRECATIONS = {
+    "redis.broker_url": "broker.url",
+    "redis.broker_transport_options": "broker.transport_options",
+    "redis.cache_timeout": "cache.timeout",
+    "redis.cache_timeout_flows": "cache.timeout_flows",
+    "redis.cache_timeout_policies": "cache.timeout_policies",
+    "redis.cache_timeout_reputation": "cache.timeout_reputation",
+}
+
 
 def get_path_from_dict(root: dict, path: str, sep=".", default=None) -> Any:
     """Recursively walk through `root`, checking each part of `path` separated by `sep`.
@@ -81,6 +102,10 @@ class AttrEncoder(JSONEncoder):
         return super().default(o)
 
 
+class UNSET:
+    """Used to test whether configuration key has not been set."""
+
+
 class ConfigLoader:
     """Search through SEARCH_PATHS and load configuration. Environment variables starting with
     `ENV_PREFIX` are also applied.
@@ -113,6 +138,40 @@ class ConfigLoader:
                         self.update_from_file(env_file)
         self.update_from_env()
         self.update(self.__config, kwargs)
+        self.check_deprecations()
+
+    def check_deprecations(self):
+        """Warn if any deprecated configuration options are used"""
+
+        def _pop_deprecated_key(current_obj, dot_parts, index):
+            """Recursive function to remove deprecated keys in configuration"""
+            dot_part = dot_parts[index]
+            if index == len(dot_parts) - 1:
+                return current_obj.pop(dot_part)
+            value = _pop_deprecated_key(current_obj[dot_part], dot_parts, index + 1)
+            if not current_obj[dot_part]:
+                current_obj.pop(dot_part)
+            return value
+
+        for deprecation, replacement in DEPRECATIONS.items():
+            if self.get(deprecation, default=UNSET) is not UNSET:
+                message = (
+                    f"'{deprecation}' has been deprecated in favor of '{replacement}'! "
+                    + "Please update your configuration."
+                )
+                self.log(
+                    "warning",
+                    message,
+                )
+                try:
+                    from authentik.events.models import Event, EventAction
+
+                    Event.new(EventAction.CONFIGURATION_ERROR, message=message).save()
+                except ImportError:
+                    continue
+
+                deprecated_attr = _pop_deprecated_key(self.__config, deprecation.split("."), 0)
+                self.set(replacement, deprecated_attr.value)
 
     def log(self, level: str, message: str, **kwargs):
         """Custom Log method, we want to ensure ConfigLoader always logs JSON even when
@@ -180,6 +239,10 @@ class ConfigLoader:
                 error=str(exc),
             )
 
+    def update_from_dict(self, update: dict):
+        """Update config from dict"""
+        self.__config.update(update)
+
     def update_from_env(self):
         """Check environment variables"""
         outer = {}
@@ -188,19 +251,13 @@ class ConfigLoader:
             if not key.startswith(ENV_PREFIX):
                 continue
             relative_key = key.replace(f"{ENV_PREFIX}_", "", 1).replace("__", ".").lower()
-            # Recursively convert path from a.b.c into outer[a][b][c]
-            current_obj = outer
-            dot_parts = relative_key.split(".")
-            for dot_part in dot_parts[:-1]:
-                if dot_part not in current_obj:
-                    current_obj[dot_part] = {}
-                current_obj = current_obj[dot_part]
             # Check if the value is json, and try to load it
             try:
                 value = loads(value)
             except JSONDecodeError:
                 pass
-            current_obj[dot_parts[-1]] = Attr(value, Attr.Source.ENV, key)
+            attr_value = Attr(value, Attr.Source.ENV, relative_key)
+            set_path_in_dict(outer, relative_key, attr_value)
             idx += 1
         if idx > 0:
             self.log("debug", "Loaded environment variables", count=idx)
@@ -241,6 +298,23 @@ class ConfigLoader:
         """Wrapper for get that converts value into boolean"""
         return str(self.get(path, default)).lower() == "true"
 
+    def get_dict_from_b64_json(self, path: str, default=None) -> dict:
+        """Wrapper for get that converts value from Base64 encoded string into dictionary"""
+        config_value = self.get(path)
+        if config_value is None:
+            return {}
+        try:
+            b64decoded_str = base64.b64decode(config_value).decode("utf-8")
+            b64decoded_str = b64decoded_str.strip().lstrip("{").rstrip("}")
+            b64decoded_str = "{" + b64decoded_str + "}"
+            return json.loads(b64decoded_str)
+        except (JSONDecodeError, TypeError, ValueError) as exc:
+            self.log(
+                "warning",
+                f"Ignored invalid configuration for '{path}' due to exception: {str(exc)}",
+            )
+            return default if isinstance(default, dict) else {}
+
     def set(self, path: str, value: Any, sep="."):
         """Set value using same syntax as get()"""
         set_path_in_dict(self.raw, path, Attr(value), sep=sep)

authentik/lib/default.yml

@@ -28,14 +28,28 @@ listen:
 redis:
   host: localhost
   port: 6379
+  db: 0
+  username: ""
   password: ""
   tls: false
   tls_reqs: "none"
-  db: 0
-  cache_timeout: 300
-  cache_timeout_flows: 300
-  cache_timeout_policies: 300
-  cache_timeout_reputation: 300
+
+# broker:
+  # url: ""
+  # transport_options: ""
+
+cache:
+  # url: ""
+  timeout: 300
+  timeout_flows: 300
+  timeout_policies: 300
+  timeout_reputation: 300
+
+# channel:
+  # url: ""
+
+# result_backend:
+  # url: ""
 
 paths:
   media: ./media

authentik/lib/tests/test_config.py

@@ -1,20 +1,32 @@
 """Test config loader"""
+import base64
+from json import dumps
 from os import chmod, environ, unlink, write
 from tempfile import mkstemp
+from unittest import mock
 
 from django.conf import ImproperlyConfigured
 from django.test import TestCase
 
-from authentik.lib.config import ENV_PREFIX, ConfigLoader
+from authentik.lib.config import ENV_PREFIX, UNSET, Attr, AttrEncoder, ConfigLoader
 
 
 class TestConfig(TestCase):
     """Test config loader"""
 
+    check_deprecations_env_vars = {
+        ENV_PREFIX + "_REDIS__BROKER_URL": "redis://myredis:8327/43",
+        ENV_PREFIX + "_REDIS__BROKER_TRANSPORT_OPTIONS": "bWFzdGVybmFtZT1teW1hc3Rlcg==",
+        ENV_PREFIX + "_REDIS__CACHE_TIMEOUT": "124s",
+        ENV_PREFIX + "_REDIS__CACHE_TIMEOUT_FLOWS": "32m",
+        ENV_PREFIX + "_REDIS__CACHE_TIMEOUT_POLICIES": "3920ns",
+        ENV_PREFIX + "_REDIS__CACHE_TIMEOUT_REPUTATION": "298382us",
+    }
+
+    @mock.patch.dict(environ, {ENV_PREFIX + "_test__test": "bar"})
     def test_env(self):
         """Test simple instance"""
         config = ConfigLoader()
-        environ[ENV_PREFIX + "_test__test"] = "bar"
         config.update_from_env()
         self.assertEqual(config.get("test.test"), "bar")
 
@@ -27,12 +39,20 @@ class TestConfig(TestCase):
             self.assertEqual(config.get("foo.bar"), "baz")
         self.assertEqual(config.get("foo.bar"), "bar")
 
+    @mock.patch.dict(environ, {"foo": "bar"})
     def test_uri_env(self):
         """Test URI parsing (environment)"""
         config = ConfigLoader()
-        environ["foo"] = "bar"
-        self.assertEqual(config.parse_uri("env://foo").value, "bar")
-        self.assertEqual(config.parse_uri("env://foo?bar").value, "bar")
+        foo_uri = "env://foo"
+        foo_parsed = config.parse_uri(foo_uri)
+        self.assertEqual(foo_parsed.value, "bar")
+        self.assertEqual(foo_parsed.source_type, Attr.Source.URI)
+        self.assertEqual(foo_parsed.source, foo_uri)
+        foo_bar_uri = "env://foo?bar"
+        foo_bar_parsed = config.parse_uri(foo_bar_uri)
+        self.assertEqual(foo_bar_parsed.value, "bar")
+        self.assertEqual(foo_bar_parsed.source_type, Attr.Source.URI)
+        self.assertEqual(foo_bar_parsed.source, foo_bar_uri)
 
     def test_uri_file(self):
         """Test URI parsing (file load)"""
@@ -91,3 +111,60 @@ class TestConfig(TestCase):
         config = ConfigLoader()
         config.set("foo", "bar")
         self.assertEqual(config.get_int("foo", 1234), 1234)
+
+    def test_get_dict_from_b64_json(self):
+        """Test get_dict_from_b64_json"""
+        config = ConfigLoader()
+        test_value = '  { "foo": "bar"   }   '.encode("utf-8")
+        b64_value = base64.b64encode(test_value)
+        config.set("foo", b64_value)
+        self.assertEqual(config.get_dict_from_b64_json("foo"), {"foo": "bar"})
+
+    def test_get_dict_from_b64_json_missing_brackets(self):
+        """Test get_dict_from_b64_json with missing brackets"""
+        config = ConfigLoader()
+        test_value = ' "foo": "bar"     '.encode("utf-8")
+        b64_value = base64.b64encode(test_value)
+        config.set("foo", b64_value)
+        self.assertEqual(config.get_dict_from_b64_json("foo"), {"foo": "bar"})
+
+    def test_get_dict_from_b64_json_invalid(self):
+        """Test get_dict_from_b64_json with invalid value"""
+        config = ConfigLoader()
+        config.set("foo", "bar")
+        self.assertEqual(config.get_dict_from_b64_json("foo"), {})
+
+    def test_attr_json_encoder(self):
+        """Test AttrEncoder"""
+        test_attr = Attr("foo", Attr.Source.ENV, "AUTHENTIK_REDIS__USERNAME")
+        json_attr = dumps(test_attr, indent=4, cls=AttrEncoder)
+        self.assertEqual(json_attr, '"foo"')
+
+    def test_attr_json_encoder_no_attr(self):
+        """Test AttrEncoder if no Attr is passed"""
+
+        class Test:
+            """Non Attr class"""
+
+        with self.assertRaises(TypeError):
+            test_obj = Test()
+            dumps(test_obj, indent=4, cls=AttrEncoder)
+
+    @mock.patch.dict(environ, check_deprecations_env_vars)
+    def test_check_deprecations(self):
+        """Test config key re-write for deprecated env vars"""
+        config = ConfigLoader()
+        config.update_from_env()
+        config.check_deprecations()
+        self.assertEqual(config.get("redis.broker_url", UNSET), UNSET)
+        self.assertEqual(config.get("redis.broker_transport_options", UNSET), UNSET)
+        self.assertEqual(config.get("redis.cache_timeout", UNSET), UNSET)
+        self.assertEqual(config.get("redis.cache_timeout_flows", UNSET), UNSET)
+        self.assertEqual(config.get("redis.cache_timeout_policies", UNSET), UNSET)
+        self.assertEqual(config.get("redis.cache_timeout_reputation", UNSET), UNSET)
+        self.assertEqual(config.get("broker.url"), "redis://myredis:8327/43")
+        self.assertEqual(config.get("broker.transport_options"), "bWFzdGVybmFtZT1teW1hc3Rlcg==")
+        self.assertEqual(config.get("cache.timeout"), "124s")
+        self.assertEqual(config.get("cache.timeout_flows"), "32m")
+        self.assertEqual(config.get("cache.timeout_policies"), "3920ns")
+        self.assertEqual(config.get("cache.timeout_reputation"), "298382us")

authentik/outposts/api/outposts.py

@@ -18,7 +18,7 @@ from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import PassiveSerializer, is_dict
 from authentik.core.models import Provider
 from authentik.outposts.api.service_connections import ServiceConnectionSerializer
-from authentik.outposts.apps import MANAGED_OUTPOST, MANAGED_OUTPOST_NAME
+from authentik.outposts.apps import MANAGED_OUTPOST
 from authentik.outposts.models import (
     Outpost,
     OutpostConfig,
@@ -47,16 +47,6 @@ class OutpostSerializer(ModelSerializer):
         source="service_connection", read_only=True
     )
 
-    def validate_name(self, name: str) -> str:
-        """Validate name (especially for embedded outpost)"""
-        if not self.instance:
-            return name
-        if self.instance.managed == MANAGED_OUTPOST and name != MANAGED_OUTPOST_NAME:
-            raise ValidationError("Embedded outpost's name cannot be changed")
-        if self.instance.name == MANAGED_OUTPOST_NAME:
-            self.instance.managed = MANAGED_OUTPOST
-        return name
-
     def validate_providers(self, providers: list[Provider]) -> list[Provider]:
         """Check that all providers match the type of the outpost"""
         type_map = {

authentik/outposts/apps.py

@@ -15,7 +15,6 @@ GAUGE_OUTPOSTS_LAST_UPDATE = Gauge(
     ["outpost", "uid", "version"],
 )
 MANAGED_OUTPOST = "goauthentik.io/outposts/embedded"
-MANAGED_OUTPOST_NAME = "authentik Embedded Outpost"
 
 
 class AuthentikOutpostConfig(ManagedAppConfig):
@@ -36,17 +35,14 @@ class AuthentikOutpostConfig(ManagedAppConfig):
             DockerServiceConnection,
             KubernetesServiceConnection,
             Outpost,
+            OutpostConfig,
             OutpostType,
         )
 
-        if outpost := Outpost.objects.filter(name=MANAGED_OUTPOST_NAME, managed="").first():
-            outpost.managed = MANAGED_OUTPOST
-            outpost.save()
-            return
         outpost, updated = Outpost.objects.update_or_create(
             defaults={
+                "name": "authentik Embedded Outpost",
                 "type": OutpostType.PROXY,
-                "name": MANAGED_OUTPOST_NAME,
             },
             managed=MANAGED_OUTPOST,
         )
@@ -55,4 +51,10 @@ class AuthentikOutpostConfig(ManagedAppConfig):
                 outpost.service_connection = KubernetesServiceConnection.objects.first()
             elif DockerServiceConnection.objects.exists():
                 outpost.service_connection = DockerServiceConnection.objects.first()
+            outpost.config = OutpostConfig(
+                kubernetes_disabled_components=[
+                    "deployment",
+                    "secret",
+                ]
+            )
             outpost.save()

authentik/outposts/consumer.py

@@ -93,7 +93,7 @@ class OutpostConsumer(AuthJsonConsumer):
                 expected=self.outpost.config.kubernetes_replicas,
             ).dec()
 
-    def receive_json(self, content: Data):
+    def receive_json(self, content: Data, **kwargs):
         msg = from_dict(WebsocketMessage, content)
         uid = msg.args.get("uuid", self.channel_name)
         self.last_uid = uid

authentik/outposts/controllers/k8s/deployment.py

@@ -43,10 +43,6 @@ class DeploymentReconciler(KubernetesObjectReconciler[V1Deployment]):
         self.api = AppsV1Api(controller.client)
         self.outpost = self.controller.outpost
 
-    @property
-    def noop(self) -> bool:
-        return self.is_embedded
-
     @staticmethod
     def reconciler_name() -> str:
         return "deployment"

authentik/outposts/controllers/k8s/secret.py

@@ -24,10 +24,6 @@ class SecretReconciler(KubernetesObjectReconciler[V1Secret]):
         super().__init__(controller)
         self.api = CoreV1Api(controller.client)
 
-    @property
-    def noop(self) -> bool:
-        return self.is_embedded
-
     @staticmethod
     def reconciler_name() -> str:
         return "secret"

authentik/outposts/controllers/k8s/service_monitor.py

@@ -77,10 +77,7 @@ class PrometheusServiceMonitorReconciler(KubernetesObjectReconciler[PrometheusSe
 
     @property
     def noop(self) -> bool:
-        if not self._crd_exists():
-            self.logger.debug("CRD doesn't exist")
-            return True
-        return self.is_embedded
+        return (not self._crd_exists()) or (self.is_embedded)
 
     def _crd_exists(self) -> bool:
         """Check if the Prometheus ServiceMonitor exists"""

authentik/outposts/models.py

@@ -344,22 +344,12 @@ class Outpost(SerializerModel, ManagedModel):
         user_created = False
         if not user:
             user: User = User.objects.create(username=self.user_identifier)
-            user_created = True
-        attrs = {
-            "type": UserTypes.INTERNAL_SERVICE_ACCOUNT,
-            "name": f"Outpost {self.name} Service-Account",
-            "path": USER_PATH_OUTPOSTS,
-        }
-        dirty = False
-        for key, value in attrs.items():
-            if getattr(user, key) != value:
-                dirty = True
-                setattr(user, key, value)
-        if user.has_usable_password():
             user.set_unusable_password()
-            dirty = True
-        if dirty:
-            user.save()
+            user_created = True
+        user.type = UserTypes.INTERNAL_SERVICE_ACCOUNT
+        user.name = f"Outpost {self.name} Service-Account"
+        user.path = USER_PATH_OUTPOSTS
+        user.save()
         if user_created:
             self.build_user_permissions(user)
         return user

authentik/outposts/tests/test_api.py

@@ -2,13 +2,11 @@
 from django.urls import reverse
 from rest_framework.test import APITestCase
 
-from authentik.blueprints.tests import reconcile_app
 from authentik.core.models import PropertyMapping
 from authentik.core.tests.utils import create_test_admin_user, create_test_flow
 from authentik.lib.generators import generate_id
 from authentik.outposts.api.outposts import OutpostSerializer
-from authentik.outposts.apps import MANAGED_OUTPOST
-from authentik.outposts.models import Outpost, OutpostType, default_outpost_config
+from authentik.outposts.models import OutpostType, default_outpost_config
 from authentik.providers.ldap.models import LDAPProvider
 from authentik.providers.proxy.models import ProxyProvider
 
@@ -24,36 +22,7 @@ class TestOutpostServiceConnectionsAPI(APITestCase):
         self.user = create_test_admin_user()
         self.client.force_login(self.user)
 
-    @reconcile_app("authentik_outposts")
-    def test_managed_name_change(self):
-        """Test name change for embedded outpost"""
-        embedded_outpost = Outpost.objects.filter(managed=MANAGED_OUTPOST).first()
-        self.assertIsNotNone(embedded_outpost)
-        response = self.client.patch(
-            reverse("authentik_api:outpost-detail", kwargs={"pk": embedded_outpost.pk}),
-            {"name": "foo"},
-        )
-        self.assertEqual(response.status_code, 400)
-        self.assertJSONEqual(
-            response.content, {"name": ["Embedded outpost's name cannot be changed"]}
-        )
-
-    @reconcile_app("authentik_outposts")
-    def test_managed_without_managed(self):
-        """Test name change for embedded outpost"""
-        embedded_outpost = Outpost.objects.filter(managed=MANAGED_OUTPOST).first()
-        self.assertIsNotNone(embedded_outpost)
-        embedded_outpost.managed = ""
-        embedded_outpost.save()
-        response = self.client.patch(
-            reverse("authentik_api:outpost-detail", kwargs={"pk": embedded_outpost.pk}),
-            {"name": "foo"},
-        )
-        self.assertEqual(response.status_code, 200)
-        embedded_outpost.refresh_from_db()
-        self.assertEqual(embedded_outpost.managed, MANAGED_OUTPOST)
-
-    def test_outpost_validation(self):
+    def test_outpost_validaton(self):
         """Test Outpost validation"""
         valid = OutpostSerializer(
             data={

authentik/policies/event_matcher/migrations/0019_alter_eventmatcherpolicy_app.py

@@ -39,6 +39,7 @@ class Migration(migrations.Migration):
                     ("authentik.sources.oauth", "authentik Sources.OAuth"),
                     ("authentik.sources.plex", "authentik Sources.Plex"),
                     ("authentik.sources.saml", "authentik Sources.SAML"),
+                    ("authentik.sources.scim", "authentik Sources.SCIM"),
                     ("authentik.stages.authenticator_duo", "authentik Stages.Authenticator.Duo"),
                     ("authentik.stages.authenticator_sms", "authentik Stages.Authenticator.SMS"),
                     (

authentik/policies/process.py

@@ -20,7 +20,7 @@ from authentik.policies.types import CACHE_PREFIX, PolicyRequest, PolicyResult
 LOGGER = get_logger()
 
 FORK_CTX = get_context("fork")
-CACHE_TIMEOUT = CONFIG.get_int("redis.cache_timeout_policies")
+CACHE_TIMEOUT = CONFIG.get_int("cache.timeout_policies")
 PROCESS_CLASS = FORK_CTX.Process
 
 

authentik/policies/reputation/signals.py

@@ -13,7 +13,7 @@ from authentik.policies.reputation.tasks import save_reputation
 from authentik.stages.identification.signals import identification_failed
 
 LOGGER = get_logger()
-CACHE_TIMEOUT = CONFIG.get_int("redis.cache_timeout_reputation")
+CACHE_TIMEOUT = CONFIG.get_int("cache.timeout_reputation")
 
 
 def update_score(request: HttpRequest, identifier: str, amount: int):

authentik/providers/oauth2/migrations/0017_accesstoken_session_id_authorizationcode_session_id_and_more.py

@@ -1,27 +0,0 @@
-# Generated by Django 5.0 on 2023-12-22 23:20
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-    dependencies = [
-        ("authentik_providers_oauth2", "0016_alter_refreshtoken_token"),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name="accesstoken",
-            name="session_id",
-            field=models.CharField(blank=True, default=""),
-        ),
-        migrations.AddField(
-            model_name="authorizationcode",
-            name="session_id",
-            field=models.CharField(blank=True, default=""),
-        ),
-        migrations.AddField(
-            model_name="refreshtoken",
-            name="session_id",
-            field=models.CharField(blank=True, default=""),
-        ),
-    ]

authentik/providers/oauth2/models.py

@@ -296,7 +296,6 @@ class BaseGrantModel(models.Model):
     revoked = models.BooleanField(default=False)
     _scope = models.TextField(default="", verbose_name=_("Scopes"))
     auth_time = models.DateTimeField(verbose_name="Authentication time")
-    session_id = models.CharField(default="", blank=True)
 
     @property
     def scope(self) -> list[str]:

authentik/providers/oauth2/tests/test_authorize.py

@@ -85,25 +85,6 @@ class TestAuthorize(OAuthTestCase):
             )
             OAuthAuthorizationParams.from_request(request)
 
-    def test_blocked_redirect_uri(self):
-        """test missing/invalid redirect URI"""
-        OAuth2Provider.objects.create(
-            name=generate_id(),
-            client_id="test",
-            authorization_flow=create_test_flow(),
-            redirect_uris="data:local.invalid",
-        )
-        with self.assertRaises(RedirectUriError):
-            request = self.factory.get(
-                "/",
-                data={
-                    "response_type": "code",
-                    "client_id": "test",
-                    "redirect_uri": "data:localhost",
-                },
-            )
-            OAuthAuthorizationParams.from_request(request)
-
     def test_invalid_redirect_uri_empty(self):
         """test missing/invalid redirect URI"""
         provider = OAuth2Provider.objects.create(

authentik/providers/oauth2/tests/test_token_pkce.py

@@ -1,187 +0,0 @@
-"""Test token view"""
-from base64 import b64encode, urlsafe_b64encode
-from hashlib import sha256
-
-from django.test import RequestFactory
-from django.urls import reverse
-
-from authentik.core.models import Application
-from authentik.core.tests.utils import create_test_admin_user, create_test_flow
-from authentik.flows.challenge import ChallengeTypes
-from authentik.lib.generators import generate_id
-from authentik.providers.oauth2.constants import GRANT_TYPE_AUTHORIZATION_CODE
-from authentik.providers.oauth2.models import AuthorizationCode, OAuth2Provider
-from authentik.providers.oauth2.tests.utils import OAuthTestCase
-
-
-class TestTokenPKCE(OAuthTestCase):
-    """Test token view"""
-
-    def setUp(self) -> None:
-        super().setUp()
-        self.factory = RequestFactory()
-        self.app = Application.objects.create(name=generate_id(), slug="test")
-
-    def test_pkce_missing_in_token(self):
-        """Test full with pkce"""
-        flow = create_test_flow()
-        provider = OAuth2Provider.objects.create(
-            name=generate_id(),
-            client_id="test",
-            authorization_flow=flow,
-            redirect_uris="foo://localhost",
-            access_code_validity="seconds=100",
-        )
-        Application.objects.create(name="app", slug="app", provider=provider)
-        state = generate_id()
-        user = create_test_admin_user()
-        self.client.force_login(user)
-        challenge = generate_id()
-        header = b64encode(f"{provider.client_id}:{provider.client_secret}".encode()).decode()
-        # Step 1, initiate params and get redirect to flow
-        self.client.get(
-            reverse("authentik_providers_oauth2:authorize"),
-            data={
-                "response_type": "code",
-                "client_id": "test",
-                "state": state,
-                "redirect_uri": "foo://localhost",
-                "code_challenge": challenge,
-                "code_challenge_method": "S256",
-            },
-        )
-        response = self.client.get(
-            reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
-        )
-        code: AuthorizationCode = AuthorizationCode.objects.filter(user=user).first()
-        self.assertJSONEqual(
-            response.content.decode(),
-            {
-                "component": "xak-flow-redirect",
-                "type": ChallengeTypes.REDIRECT.value,
-                "to": f"foo://localhost?code={code.code}&state={state}",
-            },
-        )
-        response = self.client.post(
-            reverse("authentik_providers_oauth2:token"),
-            data={
-                "grant_type": GRANT_TYPE_AUTHORIZATION_CODE,
-                "code": code.code,
-                # Missing the code_verifier here
-                "redirect_uri": "foo://localhost",
-            },
-            HTTP_AUTHORIZATION=f"Basic {header}",
-        )
-        self.assertJSONEqual(
-            response.content,
-            {"error": "invalid_request", "error_description": "The request is otherwise malformed"},
-        )
-        self.assertEqual(response.status_code, 400)
-
-    def test_pkce_correct_s256(self):
-        """Test full with pkce"""
-        flow = create_test_flow()
-        provider = OAuth2Provider.objects.create(
-            name=generate_id(),
-            client_id="test",
-            authorization_flow=flow,
-            redirect_uris="foo://localhost",
-            access_code_validity="seconds=100",
-        )
-        Application.objects.create(name="app", slug="app", provider=provider)
-        state = generate_id()
-        user = create_test_admin_user()
-        self.client.force_login(user)
-        verifier = generate_id()
-        challenge = (
-            urlsafe_b64encode(sha256(verifier.encode("ascii")).digest())
-            .decode("utf-8")
-            .replace("=", "")
-        )
-        header = b64encode(f"{provider.client_id}:{provider.client_secret}".encode()).decode()
-        # Step 1, initiate params and get redirect to flow
-        self.client.get(
-            reverse("authentik_providers_oauth2:authorize"),
-            data={
-                "response_type": "code",
-                "client_id": "test",
-                "state": state,
-                "redirect_uri": "foo://localhost",
-                "code_challenge": challenge,
-                "code_challenge_method": "S256",
-            },
-        )
-        response = self.client.get(
-            reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
-        )
-        code: AuthorizationCode = AuthorizationCode.objects.filter(user=user).first()
-        self.assertJSONEqual(
-            response.content.decode(),
-            {
-                "component": "xak-flow-redirect",
-                "type": ChallengeTypes.REDIRECT.value,
-                "to": f"foo://localhost?code={code.code}&state={state}",
-            },
-        )
-        response = self.client.post(
-            reverse("authentik_providers_oauth2:token"),
-            data={
-                "grant_type": GRANT_TYPE_AUTHORIZATION_CODE,
-                "code": code.code,
-                "code_verifier": verifier,
-                "redirect_uri": "foo://localhost",
-            },
-            HTTP_AUTHORIZATION=f"Basic {header}",
-        )
-        self.assertEqual(response.status_code, 200)
-
-    def test_pkce_correct_plain(self):
-        """Test full with pkce"""
-        flow = create_test_flow()
-        provider = OAuth2Provider.objects.create(
-            name=generate_id(),
-            client_id="test",
-            authorization_flow=flow,
-            redirect_uris="foo://localhost",
-            access_code_validity="seconds=100",
-        )
-        Application.objects.create(name="app", slug="app", provider=provider)
-        state = generate_id()
-        user = create_test_admin_user()
-        self.client.force_login(user)
-        verifier = generate_id()
-        header = b64encode(f"{provider.client_id}:{provider.client_secret}".encode()).decode()
-        # Step 1, initiate params and get redirect to flow
-        self.client.get(
-            reverse("authentik_providers_oauth2:authorize"),
-            data={
-                "response_type": "code",
-                "client_id": "test",
-                "state": state,
-                "redirect_uri": "foo://localhost",
-                "code_challenge": verifier,
-            },
-        )
-        response = self.client.get(
-            reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
-        )
-        code: AuthorizationCode = AuthorizationCode.objects.filter(user=user).first()
-        self.assertJSONEqual(
-            response.content.decode(),
-            {
-                "component": "xak-flow-redirect",
-                "type": ChallengeTypes.REDIRECT.value,
-                "to": f"foo://localhost?code={code.code}&state={state}",
-            },
-        )
-        response = self.client.post(
-            reverse("authentik_providers_oauth2:token"),
-            data={
-                "grant_type": GRANT_TYPE_AUTHORIZATION_CODE,
-                "code": code.code,
-                "code_verifier": verifier,
-                "redirect_uri": "foo://localhost",
-            },
-            HTTP_AUTHORIZATION=f"Basic {header}",
-        )
-        self.assertEqual(response.status_code, 200)

authentik/providers/oauth2/views/authorize.py

@@ -1,7 +1,6 @@
 """authentik OAuth2 Authorization views"""
 from dataclasses import dataclass, field
 from datetime import timedelta
-from hashlib import sha256
 from json import dumps
 from re import error as RegexError
 from re import fullmatch
@@ -75,7 +74,6 @@ PLAN_CONTEXT_PARAMS = "goauthentik.io/providers/oauth2/params"
 SESSION_KEY_LAST_LOGIN_UID = "authentik/providers/oauth2/last_login_uid"
 
 ALLOWED_PROMPT_PARAMS = {PROMPT_NONE, PROMPT_CONSENT, PROMPT_LOGIN}
-FORBIDDEN_URI_SCHEMES = {"javascript", "data", "vbscript"}
 
 
 @dataclass(slots=True)
@@ -176,10 +174,6 @@ class OAuthAuthorizationParams:
         self.check_scope()
         self.check_nonce()
         self.check_code_challenge()
-        if self.request:
-            raise AuthorizeError(
-                self.redirect_uri, "request_not_supported", self.grant_type, self.state
-            )
 
     def check_redirect_uri(self):
         """Redirect URI validation."""
@@ -217,9 +211,10 @@ class OAuthAuthorizationParams:
                     expected=allowed_redirect_urls,
                 )
                 raise RedirectUriError(self.redirect_uri, allowed_redirect_urls)
-        # Check against forbidden schemes
-        if urlparse(self.redirect_uri).scheme in FORBIDDEN_URI_SCHEMES:
-            raise RedirectUriError(self.redirect_uri, allowed_redirect_urls)
+        if self.request:
+            raise AuthorizeError(
+                self.redirect_uri, "request_not_supported", self.grant_type, self.state
+            )
 
     def check_scope(self):
         """Ensure openid scope is set in Hybrid flows, or when requesting an id_token"""
@@ -287,7 +282,6 @@ class OAuthAuthorizationParams:
             expires=now + timedelta_from_string(self.provider.access_code_validity),
             scope=self.scope,
             nonce=self.nonce,
-            session_id=sha256(request.session.session_key.encode("ascii")).hexdigest(),
         )
 
         if self.code_challenge and self.code_challenge_method:
@@ -575,7 +569,6 @@ class OAuthFulfillmentStage(StageView):
             expires=access_token_expiry,
             provider=self.provider,
             auth_time=auth_event.created if auth_event else now,
-            session_id=sha256(self.request.session.session_key.encode("ascii")).hexdigest(),
         )
 
         id_token = IDToken.new(self.provider, token, self.request)

authentik/providers/oauth2/views/token.py

@@ -6,7 +6,6 @@ from hashlib import sha256
 from re import error as RegexError
 from re import fullmatch
 from typing import Any, Optional
-from urllib.parse import urlparse
 
 from django.http import HttpRequest, HttpResponse
 from django.utils import timezone
@@ -55,7 +54,6 @@ from authentik.providers.oauth2.models import (
     RefreshToken,
 )
 from authentik.providers.oauth2.utils import TokenResponse, cors_allow, extract_client_auth
-from authentik.providers.oauth2.views.authorize import FORBIDDEN_URI_SCHEMES
 from authentik.sources.oauth.models import OAuthSource
 from authentik.stages.password.stage import PLAN_CONTEXT_METHOD, PLAN_CONTEXT_METHOD_ARGS
 
@@ -207,10 +205,6 @@ class TokenParams:
                 ).from_http(request)
                 raise TokenError("invalid_client")
 
-        # Check against forbidden schemes
-        if urlparse(self.redirect_uri).scheme in FORBIDDEN_URI_SCHEMES:
-            raise TokenError("invalid_request")
-
         self.authorization_code = AuthorizationCode.objects.filter(code=raw_code).first()
         if not self.authorization_code:
             LOGGER.warning("Code does not exist", code=raw_code)
@@ -228,10 +222,7 @@ class TokenParams:
             raise TokenError("invalid_grant")
 
         # Validate PKCE parameters.
-        if self.authorization_code.code_challenge:
-            # Authorization code had PKCE but we didn't get one
-            if not self.code_verifier:
-                raise TokenError("invalid_request")
+        if self.code_verifier:
             if self.authorization_code.code_challenge_method == PKCE_METHOD_S256:
                 new_code_challenge = (
                     urlsafe_b64encode(sha256(self.code_verifier.encode("ascii")).digest())
@@ -493,7 +484,6 @@ class TokenView(View):
             # Keep same scopes as previous token
             scope=self.params.authorization_code.scope,
             auth_time=self.params.authorization_code.auth_time,
-            session_id=self.params.authorization_code.session_id,
         )
         access_token.id_token = IDToken.new(
             self.provider,
@@ -509,7 +499,6 @@ class TokenView(View):
             expires=refresh_token_expiry,
             provider=self.provider,
             auth_time=self.params.authorization_code.auth_time,
-            session_id=self.params.authorization_code.session_id,
         )
         id_token = IDToken.new(
             self.provider,
@@ -547,7 +536,6 @@ class TokenView(View):
             # Keep same scopes as previous token
             scope=self.params.refresh_token.scope,
             auth_time=self.params.refresh_token.auth_time,
-            session_id=self.params.refresh_token.session_id,
         )
         access_token.id_token = IDToken.new(
             self.provider,
@@ -563,7 +551,6 @@ class TokenView(View):
             expires=refresh_token_expiry,
             provider=self.provider,
             auth_time=self.params.refresh_token.auth_time,
-            session_id=self.params.refresh_token.session_id,
         )
         id_token = IDToken.new(
             self.provider,

authentik/providers/proxy/tasks.py

@@ -1,6 +1,4 @@
 """proxy provider tasks"""
-from hashlib import sha256
-
 from asgiref.sync import async_to_sync
 from channels.layers import get_channel_layer
 from django.db import DatabaseError, InternalError, ProgrammingError
@@ -25,7 +23,6 @@ def proxy_set_defaults():
 def proxy_on_logout(session_id: str):
     """Update outpost instances connected to a single outpost"""
     layer = get_channel_layer()
-    hashed_session_id = sha256(session_id.encode("ascii")).hexdigest()
     for outpost in Outpost.objects.filter(type=OutpostType.PROXY):
         group = OUTPOST_GROUP % {"outpost_pk": str(outpost.pk)}
         async_to_sync(layer.group_send)(
@@ -33,6 +30,6 @@ def proxy_on_logout(session_id: str):
             {
                 "type": "event.provider.specific",
                 "sub_type": "logout",
-                "session_id": hashed_session_id,
+                "session_id": session_id,
             },
         )

authentik/providers/scim/tests/test_membership.py

@@ -93,7 +93,7 @@ class SCIMMembershipTests(TestCase):
                     "emails": [],
                     "active": True,
                     "externalId": user.uid,
-                    "name": {"familyName": " ", "formatted": " ", "givenName": ""},
+                    "name": {"familyName": "", "formatted": "", "givenName": ""},
                     "displayName": "",
                     "userName": user.username,
                 },
@@ -184,7 +184,7 @@ class SCIMMembershipTests(TestCase):
                     "displayName": "",
                     "emails": [],
                     "externalId": user.uid,
-                    "name": {"familyName": " ", "formatted": " ", "givenName": ""},
+                    "name": {"familyName": "", "formatted": "", "givenName": ""},
                     "userName": user.username,
                 },
             )

authentik/providers/scim/tests/test_user.py

@@ -57,7 +57,7 @@ class SCIMUserTests(TestCase):
         uid = generate_id()
         user = User.objects.create(
             username=uid,
-            name=f"{uid} {uid}",
+            name=uid,
             email=f"{uid}@goauthentik.io",
         )
         self.assertEqual(mock.call_count, 2)
@@ -77,11 +77,11 @@ class SCIMUserTests(TestCase):
                 ],
                 "externalId": user.uid,
                 "name": {
-                    "familyName": uid,
-                    "formatted": f"{uid} {uid}",
+                    "familyName": "",
+                    "formatted": uid,
                     "givenName": uid,
                 },
-                "displayName": f"{uid} {uid}",
+                "displayName": uid,
                 "userName": uid,
             },
         )
@@ -110,7 +110,7 @@ class SCIMUserTests(TestCase):
         uid = generate_id()
         user = User.objects.create(
             username=uid,
-            name=f"{uid} {uid}",
+            name=uid,
             email=f"{uid}@goauthentik.io",
         )
         self.assertEqual(mock.call_count, 2)
@@ -131,11 +131,11 @@ class SCIMUserTests(TestCase):
                         "value": f"{uid}@goauthentik.io",
                     }
                 ],
-                "displayName": f"{uid} {uid}",
+                "displayName": uid,
                 "externalId": user.uid,
                 "name": {
-                    "familyName": uid,
-                    "formatted": f"{uid} {uid}",
+                    "familyName": "",
+                    "formatted": uid,
                     "givenName": uid,
                 },
                 "userName": uid,
@@ -166,7 +166,7 @@ class SCIMUserTests(TestCase):
         uid = generate_id()
         user = User.objects.create(
             username=uid,
-            name=f"{uid} {uid}",
+            name=uid,
             email=f"{uid}@goauthentik.io",
         )
         self.assertEqual(mock.call_count, 2)
@@ -186,11 +186,11 @@ class SCIMUserTests(TestCase):
                 ],
                 "externalId": user.uid,
                 "name": {
-                    "familyName": uid,
-                    "formatted": f"{uid} {uid}",
+                    "familyName": "",
+                    "formatted": uid,
                     "givenName": uid,
                 },
-                "displayName": f"{uid} {uid}",
+                "displayName": uid,
                 "userName": uid,
             },
         )
@@ -230,7 +230,7 @@ class SCIMUserTests(TestCase):
         )
         user = User.objects.create(
             username=uid,
-            name=f"{uid} {uid}",
+            name=uid,
             email=f"{uid}@goauthentik.io",
         )
 
@@ -254,11 +254,11 @@ class SCIMUserTests(TestCase):
                 ],
                 "externalId": user.uid,
                 "name": {
-                    "familyName": uid,
-                    "formatted": f"{uid} {uid}",
+                    "familyName": "",
+                    "formatted": uid,
                     "givenName": uid,
                 },
-                "displayName": f"{uid} {uid}",
+                "displayName": uid,
                 "userName": uid,
             },
         )

authentik/rbac/api/rbac_roles.py

@@ -24,10 +24,7 @@ class ExtraRoleObjectPermissionSerializer(RoleObjectPermissionSerializer):
 
     def get_app_label_verbose(self, instance: GroupObjectPermission) -> str:
         """Get app label from permission's model"""
-        try:
-            return apps.get_app_config(instance.content_type.app_label).verbose_name
-        except LookupError:
-            return instance.content_type.app_label
+        return apps.get_app_config(instance.content_type.app_label).verbose_name
 
     def get_model_verbose(self, instance: GroupObjectPermission) -> str:
         """Get model label from permission's model"""

authentik/rbac/api/rbac_users.py

@@ -24,10 +24,7 @@ class ExtraUserObjectPermissionSerializer(UserObjectPermissionSerializer):
 
     def get_app_label_verbose(self, instance: UserObjectPermission) -> str:
         """Get app label from permission's model"""
-        try:
-            return apps.get_app_config(instance.content_type.app_label).verbose_name
-        except LookupError:
-            return instance.content_type.app_label
+        return apps.get_app_config(instance.content_type.app_label).verbose_name
 
     def get_model_verbose(self, instance: UserObjectPermission) -> str:
         """Get model label from permission's model"""

authentik/root/settings.py

@@ -1,5 +1,4 @@
 """root settings for authentik"""
-
 import importlib
 import os
 from hashlib import sha512
@@ -83,6 +82,7 @@ INSTALLED_APPS = [
     "authentik.sources.oauth",
     "authentik.sources.plex",
     "authentik.sources.saml",
+    "authentik.sources.scim",
     "authentik.stages.authenticator",
     "authentik.stages.authenticator_duo",
     "authentik.stages.authenticator_sms",
@@ -147,6 +147,9 @@ SPECTACULAR_SETTINGS = {
         "UserTypeEnum": "authentik.core.models.UserTypes",
     },
     "ENUM_ADD_EXPLICIT_BLANK_NULL_CHOICE": False,
+    "PREPROCESSING_HOOKS": [
+        "authentik.api.schema.preprocess_schema_exclude_non_api",
+    ],
     "POSTPROCESSING_HOOKS": [
         "authentik.api.schema.postprocess_schema_responses",
         "drf_spectacular.hooks.postprocess_schema_enums",
@@ -195,8 +198,8 @@ _redis_url = (
 CACHES = {
     "default": {
         "BACKEND": "django_redis.cache.RedisCache",
-        "LOCATION": f"{_redis_url}/{CONFIG.get('redis.db')}",
-        "TIMEOUT": CONFIG.get_int("redis.cache_timeout", 300),
+        "LOCATION": CONFIG.get("cache.url") or f"{_redis_url}/{CONFIG.get('redis.db')}",
+        "TIMEOUT": CONFIG.get_int("cache.timeout", 300),
         "OPTIONS": {"CLIENT_CLASS": "django_redis.client.DefaultClient"},
         "KEY_PREFIX": "authentik_cache",
     }
@@ -256,7 +259,7 @@ CHANNEL_LAYERS = {
     "default": {
         "BACKEND": "channels_redis.pubsub.RedisPubSubChannelLayer",
         "CONFIG": {
-            "hosts": [f"{_redis_url}/{CONFIG.get('redis.db')}"],
+            "hosts": [CONFIG.get("channel.url", f"{_redis_url}/{CONFIG.get('redis.db')}")],
             "prefix": "authentik_channels_",
         },
     },
@@ -349,8 +352,11 @@ CELERY = {
     },
     "task_create_missing_queues": True,
     "task_default_queue": "authentik",
-    "broker_url": f"{_redis_url}/{CONFIG.get('redis.db')}{_redis_celery_tls_requirements}",
-    "result_backend": f"{_redis_url}/{CONFIG.get('redis.db')}{_redis_celery_tls_requirements}",
+    "broker_url": CONFIG.get("broker.url")
+    or f"{_redis_url}/{CONFIG.get('redis.db')}{_redis_celery_tls_requirements}",
+    "broker_transport_options": CONFIG.get_dict_from_b64_json("broker.transport_options"),
+    "result_backend": CONFIG.get("result_backend.url")
+    or f"{_redis_url}/{CONFIG.get('redis.db')}{_redis_celery_tls_requirements}",
 }
 
 # Sentry integration

authentik/sources/ldap/api.py

@@ -1,13 +1,14 @@
 """Source API Views"""
-from typing import Any
+from typing import Any, Optional
 
+from django.core.cache import cache
 from django_filters.filters import AllValuesMultipleFilter
 from django_filters.filterset import FilterSet
 from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import extend_schema, extend_schema_field, inline_serializer
 from rest_framework.decorators import action
 from rest_framework.exceptions import ValidationError
-from rest_framework.fields import DictField, ListField
+from rest_framework.fields import BooleanField, DictField, ListField, SerializerMethodField
 from rest_framework.relations import PrimaryKeyRelatedField
 from rest_framework.request import Request
 from rest_framework.response import Response
@@ -17,15 +18,17 @@ from authentik.admin.api.tasks import TaskSerializer
 from authentik.core.api.propertymappings import PropertyMappingSerializer
 from authentik.core.api.sources import SourceSerializer
 from authentik.core.api.used_by import UsedByMixin
+from authentik.core.api.utils import PassiveSerializer
 from authentik.crypto.models import CertificateKeyPair
 from authentik.events.monitored_tasks import TaskInfo
 from authentik.sources.ldap.models import LDAPPropertyMapping, LDAPSource
-from authentik.sources.ldap.tasks import SYNC_CLASSES
+from authentik.sources.ldap.tasks import CACHE_KEY_STATUS, SYNC_CLASSES
 
 
 class LDAPSourceSerializer(SourceSerializer):
     """LDAP Source Serializer"""
 
+    connectivity = SerializerMethodField()
     client_certificate = PrimaryKeyRelatedField(
         allow_null=True,
         help_text="Client certificate to authenticate against the LDAP Server's Certificate.",
@@ -35,6 +38,10 @@ class LDAPSourceSerializer(SourceSerializer):
         required=False,
     )
 
+    def get_connectivity(self, source: LDAPSource) -> Optional[dict[str, dict[str, str]]]:
+        """Get cached source connectivity"""
+        return cache.get(CACHE_KEY_STATUS + source.slug, None)
+
     def validate(self, attrs: dict[str, Any]) -> dict[str, Any]:
         """Check that only a single source has password_sync on"""
         sync_users_password = attrs.get("sync_users_password", True)
@@ -75,10 +82,18 @@ class LDAPSourceSerializer(SourceSerializer):
             "sync_parent_group",
             "property_mappings",
             "property_mappings_group",
+            "connectivity",
         ]
         extra_kwargs = {"bind_password": {"write_only": True}}
 
 
+class LDAPSyncStatusSerializer(PassiveSerializer):
+    """LDAP Source sync status"""
+
+    is_running = BooleanField(read_only=True)
+    tasks = TaskSerializer(many=True, read_only=True)
+
+
 class LDAPSourceViewSet(UsedByMixin, ModelViewSet):
     """LDAP Source Viewset"""
 
@@ -114,19 +129,19 @@ class LDAPSourceViewSet(UsedByMixin, ModelViewSet):
 
     @extend_schema(
         responses={
-            200: TaskSerializer(many=True),
+            200: LDAPSyncStatusSerializer(),
         }
     )
     @action(methods=["GET"], detail=True, pagination_class=None, filter_backends=[])
     def sync_status(self, request: Request, slug: str) -> Response:
         """Get source's sync status"""
-        source = self.get_object()
-        results = []
-        tasks = TaskInfo.by_name(f"ldap_sync:{source.slug}:*")
-        if tasks:
-            for task in tasks:
-                results.append(task)
-        return Response(TaskSerializer(results, many=True).data)
+        source: LDAPSource = self.get_object()
+        tasks = TaskInfo.by_name(f"ldap_sync:{source.slug}:*") or []
+        status = {
+            "tasks": tasks,
+            "is_running": source.sync_lock.locked(),
+        }
+        return Response(LDAPSyncStatusSerializer(status).data)
 
     @extend_schema(
         responses={

authentik/sources/ldap/management/commands/ldap_check_connection.py

@@ -0,0 +1,24 @@
+"""LDAP Connection check"""
+from json import dumps
+
+from django.core.management.base import BaseCommand
+from structlog.stdlib import get_logger
+
+from authentik.sources.ldap.models import LDAPSource
+
+LOGGER = get_logger()
+
+
+class Command(BaseCommand):
+    """Check connectivity to LDAP servers for a source"""
+
+    def add_arguments(self, parser):
+        parser.add_argument("source_slugs", nargs="?", type=str)
+
+    def handle(self, **options):
+        sources = LDAPSource.objects.filter(enabled=True)
+        if options["source_slugs"]:
+            sources = LDAPSource.objects.filter(slug__in=options["source_slugs"])
+        for source in sources.order_by("slug"):
+            status = source.check_connection()
+            self.stdout.write(dumps(status, indent=4))

authentik/sources/ldap/models.py

@@ -4,10 +4,12 @@ from ssl import CERT_REQUIRED
 from tempfile import NamedTemporaryFile, mkdtemp
 from typing import Optional
 
+from django.core.cache import cache
 from django.db import models
 from django.utils.translation import gettext_lazy as _
 from ldap3 import ALL, NONE, RANDOM, Connection, Server, ServerPool, Tls
-from ldap3.core.exceptions import LDAPInsufficientAccessRightsResult, LDAPSchemaError
+from ldap3.core.exceptions import LDAPException, LDAPInsufficientAccessRightsResult, LDAPSchemaError
+from redis.lock import Lock
 from rest_framework.serializers import Serializer
 
 from authentik.core.models import Group, PropertyMapping, Source
@@ -117,7 +119,7 @@ class LDAPSource(Source):
 
         return LDAPSourceSerializer
 
-    def server(self, **kwargs) -> Server:
+    def server(self, **kwargs) -> ServerPool:
         """Get LDAP Server/ServerPool"""
         servers = []
         tls_kwargs = {}
@@ -154,7 +156,10 @@ class LDAPSource(Source):
         return ServerPool(servers, RANDOM, active=5, exhaust=True)
 
     def connection(
-        self, server_kwargs: Optional[dict] = None, connection_kwargs: Optional[dict] = None
+        self,
+        server: Optional[Server] = None,
+        server_kwargs: Optional[dict] = None,
+        connection_kwargs: Optional[dict] = None,
     ) -> Connection:
         """Get a fully connected and bound LDAP Connection"""
         server_kwargs = server_kwargs or {}
@@ -164,7 +169,7 @@ class LDAPSource(Source):
         if self.bind_password is not None:
             connection_kwargs.setdefault("password", self.bind_password)
         connection = Connection(
-            self.server(**server_kwargs),
+            server or self.server(**server_kwargs),
             raise_exceptions=True,
             receive_timeout=LDAP_TIMEOUT,
             **connection_kwargs,
@@ -183,9 +188,55 @@ class LDAPSource(Source):
             if server_kwargs.get("get_info", ALL) == NONE:
                 raise exc
             server_kwargs["get_info"] = NONE
-            return self.connection(server_kwargs, connection_kwargs)
+            return self.connection(server, server_kwargs, connection_kwargs)
         return RuntimeError("Failed to bind")
 
+    @property
+    def sync_lock(self) -> Lock:
+        """Redis lock for syncing LDAP to prevent multiple parallel syncs happening"""
+        return Lock(
+            cache.client.get_client(),
+            name=f"goauthentik.io/sources/ldap/sync-{self.slug}",
+            # Convert task timeout hours to seconds, and multiply times 3
+            # (see authentik/sources/ldap/tasks.py:54)
+            # multiply by 3 to add even more leeway
+            timeout=(60 * 60 * CONFIG.get_int("ldap.task_timeout_hours")) * 3,
+        )
+
+    def check_connection(self) -> dict[str, dict[str, str]]:
+        """Check LDAP Connection"""
+        from authentik.sources.ldap.sync.base import flatten
+
+        servers = self.server()
+        server_info = {}
+        # Check each individual server
+        for server in servers.servers:
+            server: Server
+            try:
+                connection = self.connection(server=server)
+                server_info[server.host] = {
+                    "vendor": str(flatten(connection.server.info.vendor_name)),
+                    "version": str(flatten(connection.server.info.vendor_version)),
+                    "status": "ok",
+                }
+            except LDAPException as exc:
+                server_info[server.host] = {
+                    "status": str(exc),
+                }
+        # Check server pool
+        try:
+            connection = self.connection()
+            server_info["__all__"] = {
+                "vendor": str(flatten(connection.server.info.vendor_name)),
+                "version": str(flatten(connection.server.info.vendor_version)),
+                "status": "ok",
+            }
+        except LDAPException as exc:
+            server_info["__all__"] = {
+                "status": str(exc),
+            }
+        return server_info
+
     class Meta:
         verbose_name = _("LDAP Source")
         verbose_name_plural = _("LDAP Sources")

authentik/sources/ldap/settings.py

@@ -8,5 +8,10 @@ CELERY_BEAT_SCHEDULE = {
         "task": "authentik.sources.ldap.tasks.ldap_sync_all",
         "schedule": crontab(minute=fqdn_rand("sources_ldap_sync"), hour="*/2"),
         "options": {"queue": "authentik_scheduled"},
-    }
+    },
+    "sources_ldap_connectivity_check": {
+        "task": "authentik.sources.ldap.tasks.ldap_connectivity_check",
+        "schedule": crontab(minute=fqdn_rand("sources_ldap_connectivity_check"), hour="*"),
+        "options": {"queue": "authentik_scheduled"},
+    },
 }

authentik/sources/ldap/signals.py

@@ -14,7 +14,7 @@ from authentik.events.models import Event, EventAction
 from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER
 from authentik.sources.ldap.models import LDAPSource
 from authentik.sources.ldap.password import LDAPPasswordChanger
-from authentik.sources.ldap.tasks import ldap_sync_single
+from authentik.sources.ldap.tasks import ldap_connectivity_check, ldap_sync_single
 from authentik.stages.prompt.signals import password_validate
 
 LOGGER = get_logger()
@@ -32,6 +32,7 @@ def sync_ldap_source_on_save(sender, instance: LDAPSource, **_):
     if not instance.property_mappings.exists() or not instance.property_mappings_group.exists():
         return
     ldap_sync_single.delay(instance.pk)
+    ldap_connectivity_check.delay(instance.pk)
 
 
 @receiver(password_validate)

authentik/sources/ldap/sync/base.py

@@ -17,6 +17,15 @@ from authentik.sources.ldap.models import LDAPPropertyMapping, LDAPSource
 LDAP_UNIQUENESS = "ldap_uniq"
 
 
+def flatten(value: Any) -> Any:
+    """Flatten `value` if its a list"""
+    if isinstance(value, list):
+        if len(value) < 1:
+            return None
+        return value[0]
+    return value
+
+
 class BaseLDAPSynchronizer:
     """Sync LDAP Users and groups into authentik"""
 
@@ -122,14 +131,6 @@ class BaseLDAPSynchronizer:
                 cookie = None
             yield self._connection.response
 
-    def _flatten(self, value: Any) -> Any:
-        """Flatten `value` if its a list"""
-        if isinstance(value, list):
-            if len(value) < 1:
-                return None
-            return value[0]
-        return value
-
     def build_user_properties(self, user_dn: str, **kwargs) -> dict[str, Any]:
         """Build attributes for User object based on property mappings."""
         props = self._build_object_properties(user_dn, self._source.property_mappings, **kwargs)
@@ -163,10 +164,10 @@ class BaseLDAPSynchronizer:
                 object_field = mapping.object_field
                 if object_field.startswith("attributes."):
                     # Because returning a list might desired, we can't
-                    # rely on self._flatten here. Instead, just save the result as-is
+                    # rely on flatten here. Instead, just save the result as-is
                     set_path_in_dict(properties, object_field, value)
                 else:
-                    properties[object_field] = self._flatten(value)
+                    properties[object_field] = flatten(value)
             except PropertyMappingExpressionException as exc:
                 Event.new(
                     EventAction.CONFIGURATION_ERROR,
@@ -177,7 +178,7 @@ class BaseLDAPSynchronizer:
                 self._logger.warning("Mapping failed to evaluate", exc=exc, mapping=mapping)
                 continue
         if self._source.object_uniqueness_field in kwargs:
-            properties["attributes"][LDAP_UNIQUENESS] = self._flatten(
+            properties["attributes"][LDAP_UNIQUENESS] = flatten(
                 kwargs.get(self._source.object_uniqueness_field)
             )
         properties["attributes"][LDAP_DISTINGUISHED_NAME] = object_dn

authentik/sources/ldap/sync/groups.py

@@ -7,7 +7,7 @@ from ldap3 import ALL_ATTRIBUTES, ALL_OPERATIONAL_ATTRIBUTES, SUBTREE
 
 from authentik.core.models import Group
 from authentik.events.models import Event, EventAction
-from authentik.sources.ldap.sync.base import LDAP_UNIQUENESS, BaseLDAPSynchronizer
+from authentik.sources.ldap.sync.base import LDAP_UNIQUENESS, BaseLDAPSynchronizer, flatten
 
 
 class GroupLDAPSynchronizer(BaseLDAPSynchronizer):
@@ -39,7 +39,7 @@ class GroupLDAPSynchronizer(BaseLDAPSynchronizer):
             if "attributes" not in group:
                 continue
             attributes = group.get("attributes", {})
-            group_dn = self._flatten(self._flatten(group.get("entryDN", group.get("dn"))))
+            group_dn = flatten(flatten(group.get("entryDN", group.get("dn"))))
             if self._source.object_uniqueness_field not in attributes:
                 self.message(
                     f"Cannot find uniqueness field in attributes: '{group_dn}'",
@@ -47,7 +47,7 @@ class GroupLDAPSynchronizer(BaseLDAPSynchronizer):
                     dn=group_dn,
                 )
                 continue
-            uniq = self._flatten(attributes[self._source.object_uniqueness_field])
+            uniq = flatten(attributes[self._source.object_uniqueness_field])
             try:
                 defaults = self.build_group_properties(group_dn, **attributes)
                 defaults["parent"] = self._source.sync_parent_group

authentik/sources/ldap/sync/users.py

@@ -7,7 +7,7 @@ from ldap3 import ALL_ATTRIBUTES, ALL_OPERATIONAL_ATTRIBUTES, SUBTREE
 
 from authentik.core.models import User
 from authentik.events.models import Event, EventAction
-from authentik.sources.ldap.sync.base import LDAP_UNIQUENESS, BaseLDAPSynchronizer
+from authentik.sources.ldap.sync.base import LDAP_UNIQUENESS, BaseLDAPSynchronizer, flatten
 from authentik.sources.ldap.sync.vendor.freeipa import FreeIPA
 from authentik.sources.ldap.sync.vendor.ms_ad import MicrosoftActiveDirectory
 
@@ -41,7 +41,7 @@ class UserLDAPSynchronizer(BaseLDAPSynchronizer):
             if "attributes" not in user:
                 continue
             attributes = user.get("attributes", {})
-            user_dn = self._flatten(user.get("entryDN", user.get("dn")))
+            user_dn = flatten(user.get("entryDN", user.get("dn")))
             if self._source.object_uniqueness_field not in attributes:
                 self.message(
                     f"Cannot find uniqueness field in attributes: '{user_dn}'",
@@ -49,7 +49,7 @@ class UserLDAPSynchronizer(BaseLDAPSynchronizer):
                     dn=user_dn,
                 )
                 continue
-            uniq = self._flatten(attributes[self._source.object_uniqueness_field])
+            uniq = flatten(attributes[self._source.object_uniqueness_field])
             try:
                 defaults = self.build_user_properties(user_dn, **attributes)
                 self._logger.debug("Writing user with attributes", **defaults)

authentik/sources/ldap/sync/vendor/freeipa.py

@@ -5,7 +5,7 @@ from typing import Any, Generator
 from pytz import UTC
 
 from authentik.core.models import User
-from authentik.sources.ldap.sync.base import BaseLDAPSynchronizer
+from authentik.sources.ldap.sync.base import BaseLDAPSynchronizer, flatten
 
 
 class FreeIPA(BaseLDAPSynchronizer):
@@ -47,7 +47,7 @@ class FreeIPA(BaseLDAPSynchronizer):
             return
         # For some reason, nsaccountlock is not defined properly in the schema as bool
         # hence we get it as a list of strings
-        _is_locked = str(self._flatten(attributes.get("nsaccountlock", ["FALSE"])))
+        _is_locked = str(flatten(attributes.get("nsaccountlock", ["FALSE"])))
         # So we have to attempt to convert it to a bool
         is_locked = _is_locked.lower() == "true"
         # And then invert it since freeipa saves locked and we save active

authentik/sources/ldap/tasks.py

@@ -1,13 +1,14 @@
 """LDAP Sync tasks"""
+from typing import Optional
 from uuid import uuid4
 
 from celery import chain, group
 from django.core.cache import cache
 from ldap3.core.exceptions import LDAPException
 from redis.exceptions import LockError
-from redis.lock import Lock
 from structlog.stdlib import get_logger
 
+from authentik.events.monitored_tasks import CACHE_KEY_PREFIX as CACHE_KEY_PREFIX_TASKS
 from authentik.events.monitored_tasks import MonitoredTask, TaskResult, TaskResultStatus
 from authentik.lib.config import CONFIG
 from authentik.lib.utils.errors import exception_to_string
@@ -26,6 +27,7 @@ SYNC_CLASSES = [
     MembershipLDAPSynchronizer,
 ]
 CACHE_KEY_PREFIX = "goauthentik.io/sources/ldap/page/"
+CACHE_KEY_STATUS = "goauthentik.io/sources/ldap/status/"
 
 
 @CELERY_APP.task()
@@ -35,6 +37,19 @@ def ldap_sync_all():
         ldap_sync_single.apply_async(args=[source.pk])
 
 
+@CELERY_APP.task()
+def ldap_connectivity_check(pk: Optional[str] = None):
+    """Check connectivity for LDAP Sources"""
+    # 2 hour timeout, this task should run every hour
+    timeout = 60 * 60 * 2
+    sources = LDAPSource.objects.filter(enabled=True)
+    if pk:
+        sources = sources.filter(pk=pk)
+    for source in sources:
+        status = source.check_connection()
+        cache.set(CACHE_KEY_STATUS + source.slug, status, timeout=timeout)
+
+
 @CELERY_APP.task(
     # We take the configured hours timeout time by 2.5 as we run user and
     # group in parallel and then membership, so 2x is to cover the serial tasks,
@@ -47,12 +62,15 @@ def ldap_sync_single(source_pk: str):
     source: LDAPSource = LDAPSource.objects.filter(pk=source_pk).first()
     if not source:
         return
-    lock = Lock(cache.client.get_client(), name=f"goauthentik.io/sources/ldap/sync-{source.slug}")
+    lock = source.sync_lock
     if lock.locked():
         LOGGER.debug("LDAP sync locked, skipping task", source=source.slug)
         return
     try:
         with lock:
+            # Delete all sync tasks from the cache
+            keys = cache.keys(f"{CACHE_KEY_PREFIX_TASKS}ldap_sync:{source.slug}*")
+            cache.delete_many(keys)
             task = chain(
                 # User and group sync can happen at once, they have no dependencies on each other
                 group(

authentik/sources/oauth/types/azure_ad.py

@@ -4,8 +4,8 @@ from typing import Any
 from structlog.stdlib import get_logger
 
 from authentik.sources.oauth.clients.oauth2 import UserprofileHeaderAuthClient
-from authentik.sources.oauth.types.oidc import OpenIDConnectOAuth2Callback
 from authentik.sources.oauth.types.registry import SourceType, registry
+from authentik.sources.oauth.views.callback import OAuthCallback
 from authentik.sources.oauth.views.redirect import OAuthRedirect
 
 LOGGER = get_logger()
@@ -20,7 +20,7 @@ class AzureADOAuthRedirect(OAuthRedirect):
         }
 
 
-class AzureADOAuthCallback(OpenIDConnectOAuth2Callback):
+class AzureADOAuthCallback(OAuthCallback):
     """AzureAD OAuth2 Callback"""
 
     client_class = UserprofileHeaderAuthClient
@@ -50,7 +50,7 @@ class AzureADType(SourceType):
 
     authorization_url = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
     access_token_url = "https://login.microsoftonline.com/common/oauth2/v2.0/token"  # nosec
-    profile_url = "https://login.microsoftonline.com/common/openid/userinfo"
+    profile_url = "https://graph.microsoft.com/v1.0/me"
     oidc_well_known_url = (
         "https://login.microsoftonline.com/common/.well-known/openid-configuration"
     )

authentik/sources/oauth/types/oidc.py

@@ -23,7 +23,7 @@ class OpenIDConnectOAuth2Callback(OAuthCallback):
     client_class = UserprofileHeaderAuthClient
 
     def get_user_id(self, info: dict[str, str]) -> str:
-        return info.get("sub", None)
+        return info.get("sub", "")
 
     def get_user_enroll_context(
         self,

authentik/sources/oauth/types/okta.py

@@ -3,8 +3,8 @@ from typing import Any
 
 from authentik.sources.oauth.clients.oauth2 import UserprofileHeaderAuthClient
 from authentik.sources.oauth.models import OAuthSource
-from authentik.sources.oauth.types.oidc import OpenIDConnectOAuth2Callback
 from authentik.sources.oauth.types.registry import SourceType, registry
+from authentik.sources.oauth.views.callback import OAuthCallback
 from authentik.sources.oauth.views.redirect import OAuthRedirect
 
 
@@ -17,7 +17,7 @@ class OktaOAuthRedirect(OAuthRedirect):
         }
 
 
-class OktaOAuth2Callback(OpenIDConnectOAuth2Callback):
+class OktaOAuth2Callback(OAuthCallback):
     """Okta OAuth2 Callback"""
 
     # Okta has the same quirk as azure and throws an error if the access token
@@ -25,6 +25,9 @@ class OktaOAuth2Callback(OpenIDConnectOAuth2Callback):
     # see https://github.com/goauthentik/authentik/issues/1910
     client_class = UserprofileHeaderAuthClient
 
+    def get_user_id(self, info: dict[str, str]) -> str:
+        return info.get("sub", "")
+
     def get_user_enroll_context(
         self,
         info: dict[str, Any],

authentik/sources/oauth/types/twitch.py

@@ -3,8 +3,8 @@ from json import dumps
 from typing import Any, Optional
 
 from authentik.sources.oauth.clients.oauth2 import UserprofileHeaderAuthClient
-from authentik.sources.oauth.types.oidc import OpenIDConnectOAuth2Callback
 from authentik.sources.oauth.types.registry import SourceType, registry
+from authentik.sources.oauth.views.callback import OAuthCallback
 from authentik.sources.oauth.views.redirect import OAuthRedirect
 
 
@@ -27,11 +27,14 @@ class TwitchOAuthRedirect(OAuthRedirect):
         }
 
 
-class TwitchOAuth2Callback(OpenIDConnectOAuth2Callback):
+class TwitchOAuth2Callback(OAuthCallback):
     """Twitch OAuth2 Callback"""
 
     client_class = TwitchClient
 
+    def get_user_id(self, info: dict[str, str]) -> str:
+        return info.get("sub", "")
+
     def get_user_enroll_context(
         self,
         info: dict[str, Any],

authentik/sources/scim/api.py

@@ -0,0 +1,62 @@
+"""SCIMSource API Views"""
+from django.urls import reverse_lazy
+from rest_framework.fields import SerializerMethodField
+from rest_framework.viewsets import ModelViewSet
+
+from authentik.core.api.sources import SourceSerializer
+from authentik.core.api.tokens import TokenSerializer
+from authentik.core.api.used_by import UsedByMixin
+from authentik.core.models import Token, TokenIntents, User, UserTypes
+from authentik.sources.scim.models import SCIMSource
+
+
+class SCIMSourceSerializer(SourceSerializer):
+    """SCIMSource Serializer"""
+
+    root_url = SerializerMethodField()
+    token_obj = TokenSerializer(source="token", required=False, read_only=True)
+
+    def get_root_url(self, instance: SCIMSource) -> str:
+        """Get Root URL"""
+        relative_url = reverse_lazy(
+            "authentik_sources_scim:v2-root",
+            kwargs={"source_slug": instance.slug},
+        )
+        if "request" not in self.context:
+            return relative_url
+        return self.context["request"].build_absolute_uri(relative_url)
+
+    def create(self, validated_data):
+        instance: SCIMSource = super().create(validated_data)
+        identifier = f"ak-source-scim-{instance.pk}"
+        user = User.objects.create(
+            username=identifier,
+            name=f"SCIM Source {instance.name} Service-Account",
+            type=UserTypes.SERVICE_ACCOUNT,
+        )
+        token = Token.objects.create(
+            user=user,
+            identifier=identifier,
+            intent=TokenIntents.INTENT_API,
+            expiring=False,
+            managed=f"goauthentik.io/sources/scim/{instance.pk}",
+        )
+        instance.token = token
+        instance.save()
+        return instance
+
+    class Meta:
+
+        model = SCIMSource
+        fields = SourceSerializer.Meta.fields + ["token", "root_url", "token_obj"]
+
+
+class SCIMSourceViewSet(UsedByMixin, ModelViewSet):
+    """SCIMSource Viewset"""
+
+    queryset = SCIMSource.objects.all()
+    serializer_class = SCIMSourceSerializer
+    lookup_field = "slug"
+    filterset_fields = ["name", "slug"]
+    search_fields = ["name", "slug", "token__identifier", "token__user__username"]
+    ordering = ["name"]

authentik/sources/scim/apps.py

@@ -0,0 +1,11 @@
+"""Authentik SCIM app config"""
+
+from django.apps import AppConfig
+
+
+class AuthentikSourceSCIMConfig(AppConfig):
+    """authentik SCIM Source app config"""
+
+    name = "authentik.sources.scim"
+    label = "authentik_sources_scim"
+    verbose_name = "authentik Sources.SCIM"

authentik/sources/scim/errors.py

@@ -0,0 +1,8 @@
+"""SCIM Errors"""
+
+from authentik.lib.sentry import SentryIgnoredException
+
+
+class PatchError(SentryIgnoredException):
+    """Error raised within an atomic block when an error happened
+    so nothing is saved"""

authentik/sources/scim/filters/ScimFilter.g4

@@ -0,0 +1,61 @@
+grammar ScimFilter;
+
+parse
+    : filter
+    ;
+
+filter
+	: attrPath SP PR                             #presentExp
+	| attrPath SP COMPAREOPERATOR SP VALUE       #operatorExp
+	| NOT? SP* '(' filter ')'                    #braceExp
+	| attrPath '[' valPathFilter ']'             #valPathExp
+	| filter SP AND SP filter                    #andExp
+	| filter SP OR SP filter                     #orExp
+	;										     
+											     
+valPathFilter								     
+	: attrPath SP PR                             #valPathPresentExp
+	| attrPath SP COMPAREOPERATOR SP VALUE       #valPathOperatorExp
+	| NOT? SP* '(' valPathFilter ')'             #valPathBraceExp
+	| valPathFilter SP AND SP valPathFilter      #valPathAndExp
+	| valPathFilter SP OR SP valPathFilter       #valPathOrExp
+	;
+	
+attrPath 
+	: (SCHEMA)? ATTRNAME ('.' ATTRNAME)?
+	;
+
+COMPAREOPERATOR : EQ | NE | CO | SW | EW | GT | GE | LT | LE;
+
+EQ : [eE][qQ];
+NE : [nN][eE];
+CO : [cC][oO];
+SW : [sS][wW];
+EW : [eE][wW];
+PR : [pP][rR];
+GT : [gG][tT];
+GE : [gG][eE];
+LT : [lL][tT];
+LE : [lL][eE];
+
+NOT : [nN][oO][tT];
+AND : [aA][nN][dD];
+OR  : [oO][rR];
+
+SP : ' ';
+
+SCHEMA : 'urn:' (SEGMENT ':')+;
+
+ATTRNAME : ALPHA (ALPHA | DIGIT | '_' | '-')+;
+
+fragment SEGMENT : (ALPHA | DIGIT | '_' | '-' | '.')+;
+
+fragment DIGIT : [0-9];
+
+fragment ALPHA : [a-z] | [A-Z];
+
+ESCAPED_QUOTE : '\\"';
+
+VALUE : '"'(ESCAPED_QUOTE | ~'"')*'"' | 'true' | 'false' | 'null' | DIGIT+('.'DIGIT+)?;
+
+EXCLUDE : [\b | \t | \r | \n]+ -> skip;

authentik/sources/scim/filters/ScimFilter.interp

@@ -0,0 +1,65 @@
+token literal names:
+null
+'('
+')'
+'['
+']'
+'.'
+null
+null
+null
+null
+null
+null
+null
+null
+null
+null
+null
+null
+null
+null
+' '
+null
+null
+'\\"'
+null
+null
+
+token symbolic names:
+null
+null
+null
+null
+null
+null
+COMPAREOPERATOR
+EQ
+NE
+CO
+SW
+EW
+PR
+GT
+GE
+LT
+LE
+NOT
+AND
+OR
+SP
+SCHEMA
+ATTRNAME
+ESCAPED_QUOTE
+VALUE
+EXCLUDE
+
+rule names:
+parse
+filter
+valPathFilter
+attrPath
+
+
+atn:
+[4, 1, 25, 106, 2, 0, 7, 0, 2, 1, 7, 1, 2, 2, 7, 2, 2, 3, 7, 3, 1, 0, 1, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 3, 1, 23, 8, 1, 1, 1, 5, 1, 26, 8, 1, 10, 1, 12, 1, 29, 9, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 3, 1, 40, 8, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 5, 1, 52, 8, 1, 10, 1, 12, 1, 55, 9, 1, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 3, 2, 69, 8, 2, 1, 2, 5, 2, 72, 8, 2, 10, 2, 12, 2, 75, 9, 2, 1, 2, 1, 2, 1, 2, 1, 2, 3, 2, 81, 8, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 5, 2, 93, 8, 2, 10, 2, 12, 2, 96, 9, 2, 1, 3, 3, 3, 99, 8, 3, 1, 3, 1, 3, 1, 3, 3, 3, 104, 8, 3, 1, 3, 0, 2, 2, 4, 4, 0, 2, 4, 6, 0, 0, 116, 0, 8, 1, 0, 0, 0, 2, 39, 1, 0, 0, 0, 4, 80, 1, 0, 0, 0, 6, 98, 1, 0, 0, 0, 8, 9, 3, 2, 1, 0, 9, 1, 1, 0, 0, 0, 10, 11, 6, 1, -1, 0, 11, 12, 3, 6, 3, 0, 12, 13, 5, 20, 0, 0, 13, 14, 5, 12, 0, 0, 14, 40, 1, 0, 0, 0, 15, 16, 3, 6, 3, 0, 16, 17, 5, 20, 0, 0, 17, 18, 5, 6, 0, 0, 18, 19, 5, 20, 0, 0, 19, 20, 5, 24, 0, 0, 20, 40, 1, 0, 0, 0, 21, 23, 5, 17, 0, 0, 22, 21, 1, 0, 0, 0, 22, 23, 1, 0, 0, 0, 23, 27, 1, 0, 0, 0, 24, 26, 5, 20, 0, 0, 25, 24, 1, 0, 0, 0, 26, 29, 1, 0, 0, 0, 27, 25, 1, 0, 0, 0, 27, 28, 1, 0, 0, 0, 28, 30, 1, 0, 0, 0, 29, 27, 1, 0, 0, 0, 30, 31, 5, 1, 0, 0, 31, 32, 3, 2, 1, 0, 32, 33, 5, 2, 0, 0, 33, 40, 1, 0, 0, 0, 34, 35, 3, 6, 3, 0, 35, 36, 5, 3, 0, 0, 36, 37, 3, 4, 2, 0, 37, 38, 5, 4, 0, 0, 38, 40, 1, 0, 0, 0, 39, 10, 1, 0, 0, 0, 39, 15, 1, 0, 0, 0, 39, 22, 1, 0, 0, 0, 39, 34, 1, 0, 0, 0, 40, 53, 1, 0, 0, 0, 41, 42, 10, 2, 0, 0, 42, 43, 5, 20, 0, 0, 43, 44, 5, 18, 0, 0, 44, 45, 5, 20, 0, 0, 45, 52, 3, 2, 1, 3, 46, 47, 10, 1, 0, 0, 47, 48, 5, 20, 0, 0, 48, 49, 5, 19, 0, 0, 49, 50, 5, 20, 0, 0, 50, 52, 3, 2, 1, 2, 51, 41, 1, 0, 0, 0, 51, 46, 1, 0, 0, 0, 52, 55, 1, 0, 0, 0, 53, 51, 1, 0, 0, 0, 53, 54, 1, 0, 0, 0, 54, 3, 1, 0, 0, 0, 55, 53, 1, 0, 0, 0, 56, 57, 6, 2, -1, 0, 57, 58, 3, 6, 3, 0, 58, 59, 5, 20, 0, 0, 59, 60, 5, 12, 0, 0, 60, 81, 1, 0, 0, 0, 61, 62, 3, 6, 3, 0, 62, 63, 5, 20, 0, 0, 63, 64, 5, 6, 0, 0, 64, 65, 5, 20, 0, 0, 65, 66, 5, 24, 0, 0, 66, 81, 1, 0, 0, 0, 67, 69, 5, 17, 0, 0, 68, 67, 1, 0, 0, 0, 68, 69, 1, 0, 0, 0, 69, 73, 1, 0, 0, 0, 70, 72, 5, 20, 0, 0, 71, 70, 1, 0, 0, 0, 72, 75, 1, 0, 0, 0, 73, 71, 1, 0, 0, 0, 73, 74, 1, 0, 0, 0, 74, 76, 1, 0, 0, 0, 75, 73, 1, 0, 0, 0, 76, 77, 5, 1, 0, 0, 77, 78, 3, 4, 2, 0, 78, 79, 5, 2, 0, 0, 79, 81, 1, 0, 0, 0, 80, 56, 1, 0, 0, 0, 80, 61, 1, 0, 0, 0, 80, 68, 1, 0, 0, 0, 81, 94, 1, 0, 0, 0, 82, 83, 10, 2, 0, 0, 83, 84, 5, 20, 0, 0, 84, 85, 5, 18, 0, 0, 85, 86, 5, 20, 0, 0, 86, 93, 3, 4, 2, 3, 87, 88, 10, 1, 0, 0, 88, 89, 5, 20, 0, 0, 89, 90, 5, 19, 0, 0, 90, 91, 5, 20, 0, 0, 91, 93, 3, 4, 2, 2, 92, 82, 1, 0, 0, 0, 92, 87, 1, 0, 0, 0, 93, 96, 1, 0, 0, 0, 94, 92, 1, 0, 0, 0, 94, 95, 1, 0, 0, 0, 95, 5, 1, 0, 0, 0, 96, 94, 1, 0, 0, 0, 97, 99, 5, 21, 0, 0, 98, 97, 1, 0, 0, 0, 98, 99, 1, 0, 0, 0, 99, 100, 1, 0, 0, 0, 100, 103, 5, 22, 0, 0, 101, 102, 5, 5, 0, 0, 102, 104, 5, 22, 0, 0, 103, 101, 1, 0, 0, 0, 103, 104, 1, 0, 0, 0, 104, 7, 1, 0, 0, 0, 12, 22, 27, 39, 51, 53, 68, 73, 80, 92, 94, 98, 103]

authentik/sources/scim/filters/ScimFilter.tokens

@@ -0,0 +1,32 @@
+T__0=1
+T__1=2
+T__2=3
+T__3=4
+T__4=5
+COMPAREOPERATOR=6
+EQ=7
+NE=8
+CO=9
+SW=10
+EW=11
+PR=12
+GT=13
+GE=14
+LT=15
+LE=16
+NOT=17
+AND=18
+OR=19
+SP=20
+SCHEMA=21
+ATTRNAME=22
+ESCAPED_QUOTE=23
+VALUE=24
+EXCLUDE=25
+'('=1
+')'=2
+'['=3
+']'=4
+'.'=5
+' '=20
+'\\"'=23

authentik/sources/scim/filters/ScimFilterLexer.tokens

@@ -0,0 +1,32 @@
+T__0=1
+T__1=2
+T__2=3
+T__3=4
+T__4=5
+COMPAREOPERATOR=6
+EQ=7
+NE=8
+CO=9
+SW=10
+EW=11
+PR=12
+GT=13
+GE=14
+LT=15
+LE=16
+NOT=17
+AND=18
+OR=19
+SP=20
+SCHEMA=21
+ATTRNAME=22
+ESCAPED_QUOTE=23
+VALUE=24
+EXCLUDE=25
+'('=1
+')'=2
+'['=3
+']'=4
+'.'=5
+' '=20
+'\\"'=23

authentik/sources/scim/filters/ScimFilterListener.py

@@ -0,0 +1,118 @@
+# pylint: skip-file
+# Generated from ScimFilter.g4 by ANTLR 4.10.1
+from antlr4 import *
+
+if __name__ is not None and "." in __name__:
+    from .ScimFilterParser import ScimFilterParser
+else:
+    from ScimFilterParser import ScimFilterParser
+
+# This class defines a complete listener for a parse tree produced by ScimFilterParser.
+class ScimFilterListener(ParseTreeListener):
+
+    # Enter a parse tree produced by ScimFilterParser#parse.
+    def enterParse(self, ctx: ScimFilterParser.ParseContext):
+        pass
+
+    # Exit a parse tree produced by ScimFilterParser#parse.
+    def exitParse(self, ctx: ScimFilterParser.ParseContext):
+        pass
+
+    # Enter a parse tree produced by ScimFilterParser#andExp.
+    def enterAndExp(self, ctx: ScimFilterParser.AndExpContext):
+        pass
+
+    # Exit a parse tree produced by ScimFilterParser#andExp.
+    def exitAndExp(self, ctx: ScimFilterParser.AndExpContext):
+        pass
+
+    # Enter a parse tree produced by ScimFilterParser#valPathExp.
+    def enterValPathExp(self, ctx: ScimFilterParser.ValPathExpContext):
+        pass
+
+    # Exit a parse tree produced by ScimFilterParser#valPathExp.
+    def exitValPathExp(self, ctx: ScimFilterParser.ValPathExpContext):
+        pass
+
+    # Enter a parse tree produced by ScimFilterParser#presentExp.
+    def enterPresentExp(self, ctx: ScimFilterParser.PresentExpContext):
+        pass
+
+    # Exit a parse tree produced by ScimFilterParser#presentExp.
+    def exitPresentExp(self, ctx: ScimFilterParser.PresentExpContext):
+        pass
+
+    # Enter a parse tree produced by ScimFilterParser#operatorExp.
+    def enterOperatorExp(self, ctx: ScimFilterParser.OperatorExpContext):
+        pass
+
+    # Exit a parse tree produced by ScimFilterParser#operatorExp.
+    def exitOperatorExp(self, ctx: ScimFilterParser.OperatorExpContext):
+        pass
+
+    # Enter a parse tree produced by ScimFilterParser#braceExp.
+    def enterBraceExp(self, ctx: ScimFilterParser.BraceExpContext):
+        pass
+
+    # Exit a parse tree produced by ScimFilterParser#braceExp.
+    def exitBraceExp(self, ctx: ScimFilterParser.BraceExpContext):
+        pass
+
+    # Enter a parse tree produced by ScimFilterParser#orExp.
+    def enterOrExp(self, ctx: ScimFilterParser.OrExpContext):
+        pass
+
+    # Exit a parse tree produced by ScimFilterParser#orExp.
+    def exitOrExp(self, ctx: ScimFilterParser.OrExpContext):
+        pass
+
+    # Enter a parse tree produced by ScimFilterParser#valPathOperatorExp.
+    def enterValPathOperatorExp(self, ctx: ScimFilterParser.ValPathOperatorExpContext):
+        pass
+
+    # Exit a parse tree produced by ScimFilterParser#valPathOperatorExp.
+    def exitValPathOperatorExp(self, ctx: ScimFilterParser.ValPathOperatorExpContext):
+        pass
+
+    # Enter a parse tree produced by ScimFilterParser#valPathPresentExp.
+    def enterValPathPresentExp(self, ctx: ScimFilterParser.ValPathPresentExpContext):
+        pass
+
+    # Exit a parse tree produced by ScimFilterParser#valPathPresentExp.
+    def exitValPathPresentExp(self, ctx: ScimFilterParser.ValPathPresentExpContext):
+        pass
+
+    # Enter a parse tree produced by ScimFilterParser#valPathAndExp.
+    def enterValPathAndExp(self, ctx: ScimFilterParser.ValPathAndExpContext):
+        pass
+
+    # Exit a parse tree produced by ScimFilterParser#valPathAndExp.
+    def exitValPathAndExp(self, ctx: ScimFilterParser.ValPathAndExpContext):
+        pass
+
+    # Enter a parse tree produced by ScimFilterParser#valPathOrExp.
+    def enterValPathOrExp(self, ctx: ScimFilterParser.ValPathOrExpContext):
+        pass
+
+    # Exit a parse tree produced by ScimFilterParser#valPathOrExp.
+    def exitValPathOrExp(self, ctx: ScimFilterParser.ValPathOrExpContext):
+        pass
+
+    # Enter a parse tree produced by ScimFilterParser#valPathBraceExp.
+    def enterValPathBraceExp(self, ctx: ScimFilterParser.ValPathBraceExpContext):
+        pass
+
+    # Exit a parse tree produced by ScimFilterParser#valPathBraceExp.
+    def exitValPathBraceExp(self, ctx: ScimFilterParser.ValPathBraceExpContext):
+        pass
+
+    # Enter a parse tree produced by ScimFilterParser#attrPath.
+    def enterAttrPath(self, ctx: ScimFilterParser.AttrPathContext):
+        pass
+
+    # Exit a parse tree produced by ScimFilterParser#attrPath.
+    def exitAttrPath(self, ctx: ScimFilterParser.AttrPathContext):
+        pass
+
+
+del ScimFilterParser

authentik/sources/scim/filters/django.py

@@ -0,0 +1,101 @@
+"""Django listener"""
+from django.db.models import Q
+from django.utils.tree import Node
+
+from authentik.sources.scim.filters.ScimFilterListener import ScimFilterListener
+from authentik.sources.scim.filters.ScimFilterParser import ScimFilterParser
+
+
+class DjangoQueryListener(ScimFilterListener):
+    """SCIM filter listener that converts it to a query"""
+
+    _query: Node
+    _last_node: Node
+
+    def __init__(self) -> None:
+        super().__init__()
+        self._query = Q()
+        self._last_node = Q()
+
+    @property
+    def query(self) -> Node:
+        return self._query
+
+    def enterParse(self, ctx: ScimFilterParser.ParseContext):
+        print("enterParse", ctx)
+
+    def exitParse(self, ctx: ScimFilterParser.ParseContext):
+        print("exitParse", ctx)
+
+    def enterAndExp(self, ctx: ScimFilterParser.AndExpContext):
+        print("enterAndExp", ctx)
+
+    def exitAndExp(self, ctx: ScimFilterParser.AndExpContext):
+        print("exitAndExp", ctx)
+
+    def enterValPathExp(self, ctx: ScimFilterParser.ValPathExpContext):
+        print("enterValPathExp", ctx.getText())
+
+    def exitValPathExp(self, ctx: ScimFilterParser.ValPathExpContext):
+        print("exitValPathExp", ctx)
+
+    def enterPresentExp(self, ctx: ScimFilterParser.PresentExpContext):
+        print("enterPresentExp", ctx)
+
+    def exitPresentExp(self, ctx: ScimFilterParser.PresentExpContext):
+        print("exitPresentExp", ctx)
+
+    def enterOperatorExp(self, ctx: ScimFilterParser.OperatorExpContext):
+        print("enterOperatorExp", ctx)
+
+    def exitOperatorExp(self, ctx: ScimFilterParser.OperatorExpContext):
+        print("exitOperatorExp", ctx)
+
+    def enterBraceExp(self, ctx: ScimFilterParser.BraceExpContext):
+        print("enterBraceExp", ctx)
+
+    def exitBraceExp(self, ctx: ScimFilterParser.BraceExpContext):
+        print("exitBraceExp", ctx)
+
+    def enterOrExp(self, ctx: ScimFilterParser.OrExpContext):
+        print("enterOrExp", ctx)
+
+    def exitOrExp(self, ctx: ScimFilterParser.OrExpContext):
+        print("exitOrExp", ctx)
+
+    def enterValPathOperatorExp(self, ctx: ScimFilterParser.ValPathOperatorExpContext):
+        print("enterValPathOperatorExp", ctx)
+
+    def exitValPathOperatorExp(self, ctx: ScimFilterParser.ValPathOperatorExpContext):
+        print("exitValPathOperatorExp", ctx)
+
+    def enterValPathPresentExp(self, ctx: ScimFilterParser.ValPathPresentExpContext):
+        print("enterValPathPresentExp", ctx)
+
+    def exitValPathPresentExp(self, ctx: ScimFilterParser.ValPathPresentExpContext):
+        print("exitValPathPresentExp", ctx)
+
+    def enterValPathAndExp(self, ctx: ScimFilterParser.ValPathAndExpContext):
+        print("enterValPathAndExp", ctx.getText())
+
+    def exitValPathAndExp(self, ctx: ScimFilterParser.ValPathAndExpContext):
+        print("exitValPathAndExp", ctx)
+
+    def enterValPathOrExp(self, ctx: ScimFilterParser.ValPathOrExpContext):
+        print("enterValPathOrExp", ctx)
+
+    def exitValPathOrExp(self, ctx: ScimFilterParser.ValPathOrExpContext):
+        print("exitValPathOrExp", ctx)
+
+    def enterValPathBraceExp(self, ctx: ScimFilterParser.ValPathBraceExpContext):
+        print("enterValPathBraceExp", ctx)
+
+    def exitValPathBraceExp(self, ctx: ScimFilterParser.ValPathBraceExpContext):
+        print("exitValPathBraceExp", ctx)
+
+    def enterAttrPath(self, ctx: ScimFilterParser.AttrPathContext):
+        self._last_node = Q(ctx.getText())
+
+    def exitAttrPath(self, ctx: ScimFilterParser.AttrPathContext):
+        self._query = self._last_node
+        self._last_node = Q()

authentik/sources/scim/migrations/0001_initial.py

@@ -0,0 +1,46 @@
+# Generated by Django 4.0.5 on 2022-06-06 21:37
+
+import django.db.models.deletion
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    initial = True
+
+    dependencies = [
+        ("authentik_core", "0020_application_open_in_new_tab"),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name="SCIMSource",
+            fields=[
+                (
+                    "source_ptr",
+                    models.OneToOneField(
+                        auto_created=True,
+                        on_delete=django.db.models.deletion.CASCADE,
+                        parent_link=True,
+                        primary_key=True,
+                        serialize=False,
+                        to="authentik_core.source",
+                    ),
+                ),
+                (
+                    "token",
+                    models.ForeignKey(
+                        default=None,
+                        null=True,
+                        on_delete=django.db.models.deletion.CASCADE,
+                        to="authentik_core.token",
+                    ),
+                ),
+            ],
+            options={
+                "verbose_name": "SCIM Source",
+                "verbose_name_plural": "SCIM Sources",
+            },
+            bases=("authentik_core.source",),
+        ),
+    ]

authentik/sources/scim/models.py

@@ -0,0 +1,36 @@
+"""SCIM Source"""
+from django.db import models
+from django.utils.translation import gettext_lazy as _
+from rest_framework.serializers import BaseSerializer
+
+from authentik.core.models import Source, Token
+
+USER_ATTRIBUTE_SCIM_ID = "goauthentik.io/sources/scim/id"
+USER_ATTRIBUTE_SCIM_ADDRESS = "goauthentik.io/sources/scim/address"
+USER_ATTRIBUTE_SCIM_ENTERPRISE = "goauthentik.io/sources/scim/enterprise"
+
+
+class SCIMSource(Source):
+    """System for Cross-domain Identity Management Source, allows for
+    cross-system user provisioning"""
+
+    token = models.ForeignKey(Token, on_delete=models.CASCADE, null=True, default=None)
+
+    @property
+    def component(self) -> str:
+        """Return component used to edit this object"""
+        return "ak-source-scim-form"
+
+    @property
+    def serializer(self) -> BaseSerializer:
+        from authentik.sources.scim.api import SCIMSourceSerializer
+
+        return SCIMSourceSerializer
+
+    def __str__(self) -> str:
+        return f"SCIM Source {self.name}"
+
+    class Meta:
+
+        verbose_name = _("SCIM Source")
+        verbose_name_plural = _("SCIM Sources")

authentik/sources/scim/tests/test_auth.py

@@ -0,0 +1,86 @@
+"""Test SCIM Auth"""
+from django.urls import reverse
+from rest_framework.test import APITestCase
+
+from authentik.core.models import Token, TokenIntents
+from authentik.core.tests.utils import create_test_admin_user
+from authentik.lib.generators import generate_id
+from authentik.sources.scim.models import SCIMSource
+
+
+class TestSCIMAuth(APITestCase):
+    """Test SCIM Auth view"""
+
+    def setUp(self) -> None:
+        self.user = create_test_admin_user()
+        self.token = Token.objects.create(
+            user=self.user,
+            identifier=generate_id(),
+            intent=TokenIntents.INTENT_API,
+        )
+        self.token2 = Token.objects.create(
+            user=self.user,
+            identifier=generate_id(),
+            intent=TokenIntents.INTENT_API,
+        )
+        self.token3 = Token.objects.create(
+            user=self.user,
+            identifier=generate_id(),
+            intent=TokenIntents.INTENT_API,
+        )
+        self.source = SCIMSource.objects.create(
+            name=generate_id(), slug=generate_id(), token=self.token
+        )
+        self.source2 = SCIMSource.objects.create(
+            name=generate_id(), slug=generate_id(), token=self.token2
+        )
+
+    def test_auth_ok(self):
+        """Test successful auth"""
+        response = self.client.get(
+            reverse(
+                "authentik_sources_scim:v2-schema",
+                kwargs={
+                    "source_slug": self.source.slug,
+                },
+            ),
+            HTTP_AUTHORIZATION=f"Bearer {self.token.key}",
+        )
+        self.assertEqual(response.status_code, 200)
+
+    def test_auth_missing(self):
+        """Test without header"""
+        response = self.client.get(
+            reverse(
+                "authentik_sources_scim:v2-schema",
+                kwargs={
+                    "source_slug": self.source.slug,
+                },
+            ),
+        )
+        self.assertEqual(response.status_code, 403)
+
+    def test_auth_wrong_token(self):
+        """Test with wrong token"""
+        # Token for wrong source
+        response = self.client.get(
+            reverse(
+                "authentik_sources_scim:v2-schema",
+                kwargs={
+                    "source_slug": self.source.slug,
+                },
+            ),
+            HTTP_AUTHORIZATION=f"Bearer {self.token2.key}",
+        )
+        self.assertEqual(response.status_code, 403)
+        # Token for no source
+        response = self.client.get(
+            reverse(
+                "authentik_sources_scim:v2-schema",
+                kwargs={
+                    "source_slug": self.source.slug,
+                },
+            ),
+            HTTP_AUTHORIZATION=f"Bearer {self.token3.key}",
+        )
+        self.assertEqual(response.status_code, 403)

authentik/sources/scim/tests/test_resource_types.py

@@ -0,0 +1,64 @@
+"""Test SCIM ResourceTypes"""
+from django.urls import reverse
+from rest_framework.test import APITestCase
+
+from authentik.core.models import Token, TokenIntents
+from authentik.core.tests.utils import create_test_admin_user
+from authentik.lib.generators import generate_id
+from authentik.sources.scim.models import SCIMSource
+
+
+class TestSCIMResourceTypes(APITestCase):
+    """Test SCIM ResourceTypes view"""
+
+    def setUp(self) -> None:
+        self.user = create_test_admin_user()
+        self.token = Token.objects.create(
+            user=self.user,
+            identifier=generate_id(),
+            intent=TokenIntents.INTENT_API,
+        )
+        self.source = SCIMSource.objects.create(
+            name=generate_id(), slug=generate_id(), token=self.token
+        )
+
+    def test_resource_type(self):
+        """Test full resource type view"""
+        response = self.client.get(
+            reverse(
+                "authentik_sources_scim:v2-resource-types",
+                kwargs={
+                    "source_slug": self.source.slug,
+                },
+            ),
+            HTTP_AUTHORIZATION=f"Bearer {self.token.key}",
+        )
+        self.assertEqual(response.status_code, 200)
+
+    def test_resource_type_single(self):
+        """Test single resource type"""
+        response = self.client.get(
+            reverse(
+                "authentik_sources_scim:v2-resource-types",
+                kwargs={
+                    "source_slug": self.source.slug,
+                    "resource_type": "ServiceProviderConfig",
+                },
+            ),
+            HTTP_AUTHORIZATION=f"Bearer {self.token.key}",
+        )
+        self.assertEqual(response.status_code, 200)
+
+    def test_resource_type_single_404(self):
+        """Test single resource type (404"""
+        response = self.client.get(
+            reverse(
+                "authentik_sources_scim:v2-resource-types",
+                kwargs={
+                    "source_slug": self.source.slug,
+                    "resource_type": "foo",
+                },
+            ),
+            HTTP_AUTHORIZATION=f"Bearer {self.token.key}",
+        )
+        self.assertEqual(response.status_code, 404)

authentik/sources/scim/tests/test_schemas.py

@@ -0,0 +1,64 @@
+"""Test SCIM Schema"""
+from django.urls import reverse
+from rest_framework.test import APITestCase
+
+from authentik.core.models import Token, TokenIntents
+from authentik.core.tests.utils import create_test_admin_user
+from authentik.lib.generators import generate_id
+from authentik.sources.scim.models import SCIMSource
+
+
+class TestSCIMSchemas(APITestCase):
+    """Test SCIM Schema view"""
+
+    def setUp(self) -> None:
+        self.user = create_test_admin_user()
+        self.token = Token.objects.create(
+            user=self.user,
+            identifier=generate_id(),
+            intent=TokenIntents.INTENT_API,
+        )
+        self.source = SCIMSource.objects.create(
+            name=generate_id(), slug=generate_id(), token=self.token
+        )
+
+    def test_schema(self):
+        """Test full schema view"""
+        response = self.client.get(
+            reverse(
+                "authentik_sources_scim:v2-schema",
+                kwargs={
+                    "source_slug": self.source.slug,
+                },
+            ),
+            HTTP_AUTHORIZATION=f"Bearer {self.token.key}",
+        )
+        self.assertEqual(response.status_code, 200)
+
+    def test_schema_single(self):
+        """Test single schema"""
+        response = self.client.get(
+            reverse(
+                "authentik_sources_scim:v2-schema",
+                kwargs={
+                    "source_slug": self.source.slug,
+                    "schema_uri": "urn:ietf:params:scim:schemas:core:2.0:Meta",
+                },
+            ),
+            HTTP_AUTHORIZATION=f"Bearer {self.token.key}",
+        )
+        self.assertEqual(response.status_code, 200)
+
+    def test_schema_single_404(self):
+        """Test single schema (404"""
+        response = self.client.get(
+            reverse(
+                "authentik_sources_scim:v2-schema",
+                kwargs={
+                    "source_slug": self.source.slug,
+                    "schema_uri": "foo",
+                },
+            ),
+            HTTP_AUTHORIZATION=f"Bearer {self.token.key}",
+        )
+        self.assertEqual(response.status_code, 404)

authentik/sources/scim/tests/test_service_provider_config.py

@@ -0,0 +1,36 @@
+"""Test SCIM ServiceProviderConfig"""
+from django.urls import reverse
+from rest_framework.test import APITestCase
+
+from authentik.core.models import Token, TokenIntents
+from authentik.core.tests.utils import create_test_admin_user
+from authentik.lib.generators import generate_id
+from authentik.sources.scim.models import SCIMSource
+
+
+class TestSCIMServiceProviderConfig(APITestCase):
+    """Test SCIM ServiceProviderConfig view"""
+
+    def setUp(self) -> None:
+        self.user = create_test_admin_user()
+        self.token = Token.objects.create(
+            user=self.user,
+            identifier=generate_id(),
+            intent=TokenIntents.INTENT_API,
+        )
+        self.source = SCIMSource.objects.create(
+            name=generate_id(), slug=generate_id(), token=self.token
+        )
+
+    def test_config(self):
+        """Test full config view"""
+        response = self.client.get(
+            reverse(
+                "authentik_sources_scim:v2-service-provider-config",
+                kwargs={
+                    "source_slug": self.source.slug,
+                },
+            ),
+            HTTP_AUTHORIZATION=f"Bearer {self.token.key}",
+        )
+        self.assertEqual(response.status_code, 200)

authentik/sources/scim/tests/test_users.py

@@ -0,0 +1,83 @@
+"""Test SCIM User"""
+from json import dumps
+
+from django.urls import reverse
+from rest_framework.test import APITestCase
+
+from authentik.core.models import Token, TokenIntents, User
+from authentik.core.tests.utils import create_test_admin_user
+from authentik.lib.generators import generate_id
+from authentik.sources.scim.models import USER_ATTRIBUTE_SCIM_ID, SCIMSource
+from authentik.sources.scim.views.v2.base import SCIM_CONTENT_TYPE
+
+
+class TestSCIMUsers(APITestCase):
+    """Test SCIM User view"""
+
+    def setUp(self) -> None:
+        self.user = create_test_admin_user()
+        self.token = Token.objects.create(
+            user=self.user,
+            identifier=generate_id(),
+            intent=TokenIntents.INTENT_API,
+        )
+        self.source = SCIMSource.objects.create(
+            name=generate_id(), slug=generate_id(), token=self.token
+        )
+
+    def test_user_list(self):
+        """Test full user list"""
+        response = self.client.get(
+            reverse(
+                "authentik_sources_scim:v2-users",
+                kwargs={
+                    "source_slug": self.source.slug,
+                },
+            ),
+            HTTP_AUTHORIZATION=f"Bearer {self.token.key}",
+        )
+        self.assertEqual(response.status_code, 200)
+
+    def test_user_list_single(self):
+        """Test full user list (single user)"""
+        response = self.client.get(
+            reverse(
+                "authentik_sources_scim:v2-users",
+                kwargs={
+                    "source_slug": self.source.slug,
+                    "user_id": str(self.user.pk),
+                },
+            ),
+            HTTP_AUTHORIZATION=f"Bearer {self.token.key}",
+        )
+        self.assertEqual(response.status_code, 200)
+
+    def test_user_create(self):
+        """Test user create"""
+        ext_id = generate_id()
+        response = self.client.post(
+            reverse(
+                "authentik_sources_scim:v2-users",
+                kwargs={
+                    "source_slug": self.source.slug,
+                },
+            ),
+            data=dumps(
+                {
+                    "userName": generate_id(),
+                    "externalId": ext_id,
+                    "emails": [
+                        {
+                            "primary": True,
+                            "value": self.user.email,
+                        }
+                    ],
+                }
+            ),
+            content_type=SCIM_CONTENT_TYPE,
+            HTTP_AUTHORIZATION=f"Bearer {self.token.key}",
+        )
+        self.assertEqual(response.status_code, 201)
+        self.assertTrue(
+            User.objects.filter(**{f"attributes__{USER_ATTRIBUTE_SCIM_ID}": ext_id}).exists()
+        )

authentik/sources/scim/urls.py

@@ -0,0 +1,64 @@
+"""SCIM URLs"""
+from django.urls import path
+
+from authentik.sources.scim.views.v2 import (
+    base,
+    groups,
+    resource_types,
+    schemas,
+    service_provider_config,
+    users,
+)
+
+urlpatterns = [
+    path(
+        "<slug:source_slug>/v2",
+        base.SCIMRootView.as_view(),
+        name="v2-root",
+    ),
+    path(
+        "<slug:source_slug>/v2/Users",
+        users.UsersView.as_view(),
+        name="v2-users",
+    ),
+    path(
+        "<slug:source_slug>/v2/Users/<str:user_id>",
+        users.UsersView.as_view(),
+        name="v2-users",
+    ),
+    path(
+        "<slug:source_slug>/v2/Groups",
+        groups.GroupsView.as_view(),
+        name="v2-groups",
+    ),
+    path(
+        "<slug:source_slug>/v2/Groups/<str:group_id>",
+        groups.GroupsView.as_view(),
+        name="v2-groups",
+    ),
+    path(
+        "<slug:source_slug>/v2/Schemas",
+        schemas.SchemaView.as_view(),
+        name="v2-schema",
+    ),
+    path(
+        "<slug:source_slug>/v2/Schemas/<str:schema_uri>",
+        schemas.SchemaView.as_view(),
+        name="v2-schema",
+    ),
+    path(
+        "<slug:source_slug>/v2/ServiceProviderConfig",
+        service_provider_config.ServiceProviderConfigView.as_view(),
+        name="v2-service-provider-config",
+    ),
+    path(
+        "<slug:source_slug>/v2/ResourceTypes",
+        resource_types.ResourceTypesView.as_view(),
+        name="v2-resource-types",
+    ),
+    path(
+        "<slug:source_slug>/v2/ResourceTypes/<str:resource_type>",
+        resource_types.ResourceTypesView.as_view(),
+        name="v2-resource-types",
+    ),
+]

authentik/sources/scim/views/v2/auth.py

@@ -0,0 +1,46 @@
+"""SCIM Token auth"""
+from base64 import b64decode
+from typing import Any, Optional, Union
+
+from django.conf import settings
+from rest_framework.authentication import BaseAuthentication, get_authorization_header
+from rest_framework.request import Request
+
+from authentik.core.models import Token, TokenIntents, User
+
+
+class SCIMTokenAuth(BaseAuthentication):
+    """SCIM Token auth"""
+
+    def legacy(self, key: str, source_slug: str) -> Optional[Token]:  # pragma: no cover
+        """Legacy HTTP-Basic auth for testing"""
+        if not settings.TEST and not settings.DEBUG:
+            return None
+        _username, _, password = b64decode(key.encode()).decode().partition(":")
+        token = self.check_token(password, source_slug)
+        if token:
+            return (token.user, token)
+        return None
+
+    def check_token(self, key: str, source_slug: str) -> Optional[Token]:
+        """Check that a token exists, is not expired, and is assigned to the correct source"""
+        token = Token.filter_not_expired(key=key, intent=TokenIntents.INTENT_API).first()
+        if not token:
+            return None
+        if not token.scimsource_set.exists():
+            return None
+        if token.scimsource_set.first().slug != source_slug:
+            return None
+        return token
+
+    def authenticate(self, request: Request) -> Union[tuple[User, Any], None]:
+        kwargs = request._request.resolver_match.kwargs
+        source_slug = kwargs.get("source_slug", None)
+        auth = get_authorization_header(request).decode()
+        auth_type, _, key = auth.partition(" ")
+        if auth_type != "Bearer":
+            return self.legacy(key, source_slug)
+        token = self.check_token(key, source_slug)
+        if not token:
+            return None
+        return (token.user, token)

authentik/sources/scim/views/v2/base.py

@@ -0,0 +1,81 @@
+"""SCIM Utils"""
+from typing import Optional
+from urllib.parse import urlparse
+
+from antlr4 import CommonTokenStream, InputStream, ParseTreeWalker
+from django.urls import resolve
+from rest_framework.parsers import JSONParser
+from rest_framework.permissions import IsAuthenticated
+from rest_framework.renderers import JSONRenderer
+from rest_framework.request import Request
+from rest_framework.response import Response
+from rest_framework.views import APIView
+
+from authentik.core.models import Group, User
+from authentik.sources.scim.filters.django import DjangoQueryListener
+from authentik.sources.scim.filters.ScimFilterLexer import ScimFilterLexer
+from authentik.sources.scim.filters.ScimFilterParser import ScimFilterParser
+from authentik.sources.scim.views.v2.auth import SCIMTokenAuth
+
+SCIM_CONTENT_TYPE = "application/scim+json"
+
+
+class SCIMParser(JSONParser):
+    """SCIM clients use a custom content type"""
+
+    media_type = SCIM_CONTENT_TYPE
+
+
+class SCIMRenderer(JSONRenderer):
+    """SCIM clients also expect a custom content type"""
+
+    media_type = SCIM_CONTENT_TYPE
+
+
+class SCIMView(APIView):
+    """Base class for SCIM Views"""
+
+    authentication_classes = [SCIMTokenAuth]
+    permission_classes = [IsAuthenticated]
+    parser_classes = [SCIMParser]
+    renderer_classes = [SCIMRenderer]
+
+    def patch_resolve_value(self, raw_value: dict) -> Optional[User | Group]:
+        """Attempt to resolve a raw `value` attribute of a patch operation into
+        a database model"""
+        model = User
+        query = {}
+        if "$ref" in raw_value:
+            url = urlparse(raw_value["$ref"])
+            if match := resolve(url.path):
+                if match.url_name == "v2-users":
+                    model = User
+                    query = {"pk": int(match.kwargs["user_id"])}
+        elif "type" in raw_value:
+            match raw_value["tyoe"]:
+                case "User":
+                    model = User
+                    query = {"pk": int(raw_value["value"])}
+                case "Group":
+                    model = Group
+        else:
+            return None
+        return model.objects.filter(**query).first()
+
+    def patch_parse_path(self, path: str):
+        """Parse the path of a Patch Operation"""
+        lexer = ScimFilterLexer(InputStream(path))
+        stream = CommonTokenStream(lexer)
+        parser = ScimFilterParser(stream)
+        tree = parser.filter_()
+        listener = DjangoQueryListener()
+        walker = ParseTreeWalker()
+        walker.walk(listener, tree)
+        return listener.query
+
+
+class SCIMRootView(SCIMView):
+    """Root SCIM View"""
+
+    def dispatch(self, request: Request, *args, **kwargs) -> Response:
+        return Response({"message": "Use this base-URL with an SCIM-compatible system."})

authentik/sources/scim/views/v2/groups.py

@@ -0,0 +1,126 @@
+"""SCIM Group Views"""
+from typing import Optional
+
+from django.core.paginator import Paginator
+from django.db.transaction import atomic
+from django.http import Http404, QueryDict
+from django.urls import reverse
+from rest_framework.request import Request
+from rest_framework.response import Response
+from structlog.stdlib import get_logger
+
+from authentik.core.models import Group
+from authentik.sources.scim.errors import PatchError
+from authentik.sources.scim.views.v2.base import SCIM_CONTENT_TYPE, SCIMView
+
+LOGGER = get_logger()
+
+
+class GroupsView(SCIMView):
+    """SCIM Group View"""
+
+    def group_to_scim(self, group: Group) -> dict:
+        """Convert group to SCIM"""
+        return {
+            "id": str(group.pk),
+            "meta": {
+                "resourceType": "Group",
+                "location": self.request.build_absolute_uri(
+                    reverse(
+                        "authentik_sources_scim:v2-groups",
+                        kwargs={
+                            "source_slug": self.kwargs["source_slug"],
+                            "group_id": str(group.pk),
+                        },
+                    )
+                ),
+            },
+            "displayName": group.name,
+            "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
+        }
+
+    def get(self, request: Request, group_id: Optional[str] = None, **kwargs) -> Response:
+        """List Group handler"""
+        if group_id:
+            group = Group.objects.filter(pk=group_id).first()
+            if not group:
+                raise Http404
+            return Response(self.group_to_scim(group))
+        groups = Group.objects.all().order_by("pk")
+        per_page = 50
+        paginator = Paginator(groups, per_page=per_page)
+        start_index = int(request.query_params.get("startIndex", 1))
+        page = paginator.page(int(max(start_index / per_page, 1)))
+        return Response(
+            {
+                "totalResults": paginator.count,
+                "itemsPerPage": per_page,
+                "startIndex": page.start_index(),
+                "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
+                "Resources": [self.group_to_scim(group) for group in page],
+            }
+        )
+
+    def update_group(self, group: Group, data: QueryDict) -> Group:
+        """Partial update a group"""
+        if "displayName" in data:
+            group.name = data.get("displayName")
+        return group
+
+    def post(self, request: Request, **kwargs) -> Response:
+        """Create group handler"""
+        group = Group.objects.filter(name=request.data.get("displayName")).first()
+        if group:
+            LOGGER.debug("Found existing group")
+            return Response(status=409)
+        group = self.update_group(Group(), request.data)
+        group.save()
+        return Response(self.group_to_scim(group), status=201)
+
+    def patch(self, request: Request, group_id: str, **kwargs) -> Response:
+        """Update group handler"""
+        group: Optional[Group] = Group.objects.filter(pk=group_id).first()
+        if not group:
+            raise Http404
+        if request.data.get("schemas", []) != ["urn:ietf:params:scim:api:messages:2.0:PatchOp"]:
+            return Response(status=400)
+        try:
+            with atomic():
+                for op in request.data.get("Operations", []):
+                    path = self.patch_parse_path(op["path"])
+                    operation = op["op"]
+                    raw_value = op.get("value", None)
+                    values = []
+                    for value in raw_value:
+                        values.append(self.patch_resolve_value(value))
+                    match operation:
+                        case "add":
+                            group.users.add(*[x.pk for x in values])
+                        case "remove":
+                            pass
+                return Response(self.group_to_scim(group), status=200)
+        except (KeyError, PatchError):
+            return Response(status=400)
+
+    def put(self, request: Request, group_id: str, **kwargs) -> Response:
+        """Update group handler"""
+        group: Optional[Group] = Group.objects.filter(pk=group_id).first()
+        if not group:
+            raise Http404
+        self.update_group(group, request.data)
+        group.save()
+        return Response(self.group_to_scim(group), status=200)
+
+    def delete(self, request: Request, group_id: str, **kwargs) -> Response:
+        """Delete group handler"""
+        group: Optional[Group] = Group.objects.filter(pk=group_id).first()
+        if not group:
+            raise Http404
+        group.delete()
+        return Response(
+            {},
+            status=204,
+            headers={
+                "Content-Type": SCIM_CONTENT_TYPE,
+            },
+        )

authentik/sources/scim/views/v2/resource_types.py

@@ -0,0 +1,153 @@
+"""SCIM Meta views"""
+from typing import Optional
+
+from django.http import Http404
+from django.urls import reverse
+from rest_framework.request import Request
+from rest_framework.response import Response
+
+from authentik.sources.scim.views.v2.base import SCIMView
+
+
+class ResourceTypesView(SCIMView):
+    """https://ldapwiki.com/wiki/SCIM%20ResourceTypes%20endpoint"""
+
+    def get_resource_types(self):
+        """List all resource types"""
+        return [
+            {
+                "id": "ServiceProviderConfig",
+                "name": "ServiceProviderConfig",
+                "description": "the service providers configuration",
+                "endpoint": "/ServiceProviderConfig",
+                "schema": "urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig",
+                "schemas": [
+                    "urn:ietf:params:scim:schemas:core:2.0:ResourceType",
+                ],
+                "meta": {
+                    "resourceType": "ResourceType",
+                    "location": self.request.build_absolute_uri(
+                        reverse(
+                            "authentik_sources_scim:v2-resource-types",
+                            kwargs={
+                                "source_slug": self.kwargs["source_slug"],
+                                "resource_type": "ServiceProviderConfig",
+                            },
+                        )
+                    ),
+                },
+            },
+            {
+                "id": "ResourceType",
+                "name": "ResourceType",
+                "description": "ResourceType",
+                "endpoint": "/ResourceTypes",
+                "schema": "urn:ietf:params:scim:schemas:core:2.0:ResourceType",
+                "schemas": [
+                    "urn:ietf:params:scim:schemas:core:2.0:ResourceType",
+                ],
+                "meta": {
+                    "resourceType": "ResourceType",
+                    "location": self.request.build_absolute_uri(
+                        reverse(
+                            "authentik_sources_scim:v2-resource-types",
+                            kwargs={
+                                "source_slug": self.kwargs["source_slug"],
+                                "resource_type": "ResourceType",
+                            },
+                        )
+                    ),
+                },
+            },
+            {
+                "id": "Schema",
+                "name": "Schema",
+                "description": "Schema endpoint description",
+                "endpoint": "/Schemas",
+                "schema": "urn:ietf:params:scim:schemas:core:2.0:Schema",
+                "schemas": [
+                    "urn:ietf:params:scim:schemas:core:2.0:ResourceType",
+                ],
+                "meta": {
+                    "resourceType": "ResourceType",
+                    "location": self.request.build_absolute_uri(
+                        reverse(
+                            "authentik_sources_scim:v2-resource-types",
+                            kwargs={
+                                "source_slug": self.kwargs["source_slug"],
+                                "resource_type": "Schema",
+                            },
+                        )
+                    ),
+                },
+            },
+            {
+                "id": "User",
+                "name": "User",
+                "endpoint": "/Users",
+                "description": "https://tools.ietf.org/html/rfc7643#section-8.7.1",
+                "schemas": ["urn:ietf:params:scim:schemas:core:2.0:ResourceType"],
+                "schema": "urn:ietf:params:scim:schemas:core:2.0:User",
+                "schemaExtensions": [
+                    {
+                        "schema": "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User",
+                        "required": True,
+                    }
+                ],
+                "meta": {
+                    "location": self.request.build_absolute_uri(
+                        reverse(
+                            "authentik_sources_scim:v2-resource-types",
+                            kwargs={
+                                "source_slug": self.kwargs["source_slug"],
+                                "resource_type": "User",
+                            },
+                        )
+                    ),
+                    "resourceType": "ResourceType",
+                },
+            },
+            {
+                "id": "Group",
+                "name": "Group",
+                "description": "Group",
+                "endpoint": "/Groups",
+                "schema": "urn:ietf:params:scim:schemas:core:2.0:Group",
+                "schemas": [
+                    "urn:ietf:params:scim:schemas:core:2.0:ResourceType",
+                ],
+                "meta": {
+                    "resourceType": "ResourceType",
+                    "location": self.request.build_absolute_uri(
+                        reverse(
+                            "authentik_sources_scim:v2-resource-types",
+                            kwargs={
+                                "source_slug": self.kwargs["source_slug"],
+                                "resource_type": "Group",
+                            },
+                        )
+                    ),
+                },
+            },
+        ]
+
+    # pylint: disable=unused-argument
+    def get(
+        self, request: Request, source_slug: str, resource_type: Optional[str] = None
+    ) -> Response:
+        """Get resource types as SCIM response"""
+        resource_types = self.get_resource_types()
+        if resource_type:
+            resource = [x for x in resource_types if x.get("id") == resource_type]
+            if resource:
+                return Response(resource[0])
+            raise Http404
+        return Response(
+            {
+                "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
+                "totalResults": len(resource_types),
+                "itemsPerPage": len(resource_types),
+                "startIndex": 1,
+                "Resources": resource_types,
+            }
+        )