common: introduce common (#19852)

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2026-04-25 17:15:26 +02:00 · 2026-01-30 16:27:41 +01:00
parent 25c7e6ed33
commit e90c249274
57 changed files with 215 additions and 215 deletions
--- a/2
+++ b/2
@@ -77,7 +77,7 @@ lint-fix: lint-codespell  ## Lint and automatically fix errors in the python sou
 lint-codespell:  ## Reports spelling errors.
 	$(UV) run codespell -w

-lint: ci-bandit ## Lint the python and golang sources
+lint: ci-bandit ci-mypy ## Lint the python and golang sources
 	golangci-lint run -v

 core-install:
--- a/authentik/api/authentication.py
+++ b/authentik/api/authentication.py
@@ -13,10 +13,10 @@ from rest_framework.exceptions import AuthenticationFailed
 from rest_framework.request import Request
 from structlog.stdlib import get_logger

+from authentik.common.oauth.constants import SCOPE_AUTHENTIK_API
 from authentik.core.middleware import CTX_AUTH_VIA
 from authentik.core.models import Token, TokenIntents, User, UserTypes
 from authentik.outposts.models import Outpost
-from authentik.providers.oauth2.constants import SCOPE_AUTHENTIK_API

 LOGGER = get_logger()
 _tmp = Path(gettempdir())
--- a/authentik/api/tests/test_auth.py
+++ b/authentik/api/tests/test_auth.py
@@ -11,12 +11,12 @@ from rest_framework.exceptions import AuthenticationFailed

 from authentik.api.authentication import IPCUser, TokenAuthentication
 from authentik.blueprints.tests import reconcile_app
+from authentik.common.oauth.constants import SCOPE_AUTHENTIK_API
 from authentik.core.models import Token, TokenIntents, UserTypes
 from authentik.core.tests.utils import create_test_admin_user, create_test_flow
 from authentik.lib.generators import generate_id
 from authentik.outposts.apps import MANAGED_OUTPOST
 from authentik.outposts.models import Outpost
-from authentik.providers.oauth2.constants import SCOPE_AUTHENTIK_API
 from authentik.providers.oauth2.models import AccessToken, OAuth2Provider


--- a/authentik/common/init.py
+++ b/authentik/common/init.py
--- a/authentik/common/oauth/init.py
+++ b/authentik/common/oauth/init.py
--- a/authentik/providers/oauth2/constants.py
+++ b/authentik/providers/oauth2/constants.py
--- a/authentik/common/saml/init.py
+++ b/authentik/common/saml/init.py
--- a/authentik/sources/saml/processors/constants.py
+++ b/authentik/sources/saml/processors/constants.py
--- a/authentik/enterprise/endpoints/connectors/agent/views/apple_token.py
+++ b/authentik/enterprise/endpoints/connectors/agent/views/apple_token.py
@@ -10,6 +10,7 @@ from jwt import PyJWTError, decode, encode, get_unverified_header
 from rest_framework.exceptions import ValidationError
 from structlog.stdlib import get_logger

+from authentik.common.oauth.constants import TOKEN_TYPE
 from authentik.core.models import AuthenticatedSession, Session, User
 from authentik.core.sessions import SessionStore
 from authentik.crypto.apps import MANAGED_KEY
@@ -26,7 +27,6 @@ from authentik.events.models import Event, EventAction
 from authentik.events.signals import SESSION_LOGIN_EVENT
 from authentik.flows.planner import PLAN_CONTEXT_DEVICE
 from authentik.lib.utils.time import timedelta_from_string
-from authentik.providers.oauth2.constants import TOKEN_TYPE
 from authentik.providers.oauth2.id_token import IDToken
 from authentik.providers.oauth2.models import JWTAlgorithms
 from authentik.root.middleware import SessionMiddleware
--- a/authentik/enterprise/providers/ws_federation/processors/constants.py
+++ b/authentik/enterprise/providers/ws_federation/processors/constants.py
@@ -1,4 +1,4 @@
-from authentik.sources.saml.processors.constants import NS_MAP as _map
+from authentik.common.saml.constants import NS_MAP as _map

 WS_FED_ACTION_SIGN_IN = "wsignin1.0"
 WS_FED_ACTION_SIGN_OUT = "wsignout1.0"
--- a/authentik/enterprise/providers/ws_federation/processors/metadata.py
+++ b/authentik/enterprise/providers/ws_federation/processors/metadata.py
@@ -1,6 +1,7 @@
 from django.urls import reverse
 from lxml.etree import SubElement, _Element  # nosec

+from authentik.common.saml.constants import NS_SAML_METADATA
 from authentik.enterprise.providers.ws_federation.processors.constants import (
    NS_ADDRESSING,
    NS_MAP,
@@ -8,7 +9,6 @@ from authentik.enterprise.providers.ws_federation.processors.constants import (
    NS_WSI,
 )
 from authentik.providers.saml.processors.metadata import MetadataProcessor as BaseMetadataProcessor
-from authentik.sources.saml.processors.constants import NS_SAML_METADATA


 class MetadataProcessor(BaseMetadataProcessor):
--- a/authentik/providers/iframe_logout.py
+++ b/authentik/providers/iframe_logout.py
@@ -3,9 +3,9 @@
 from django.http import HttpResponse
 from rest_framework.fields import CharField, DictField, ListField

+from authentik.common.oauth.constants import PLAN_CONTEXT_OIDC_LOGOUT_IFRAME_SESSIONS
 from authentik.flows.challenge import Challenge, ChallengeResponse
 from authentik.flows.stage import ChallengeStageView
-from authentik.providers.oauth2.constants import PLAN_CONTEXT_OIDC_LOGOUT_IFRAME_SESSIONS
 from authentik.providers.saml.views.flows import PLAN_CONTEXT_SAML_LOGOUT_IFRAME_SESSIONS


--- a/authentik/providers/oauth2/id_token.py
+++ b/authentik/providers/oauth2/id_token.py
@@ -7,10 +7,7 @@ from typing import TYPE_CHECKING, Any
 from django.http import HttpRequest
 from django.utils import timezone

-from authentik.core.models import default_token_duration
-from authentik.events.signals import get_login_event
-from authentik.lib.generators import generate_id
-from authentik.providers.oauth2.constants import (
+from authentik.common.oauth.constants import (
    ACR_AUTHENTIK_DEFAULT,
    AMR_MFA,
    AMR_PASSWORD,
@@ -18,6 +15,9 @@ from authentik.providers.oauth2.constants import (
    AMR_WEBAUTHN,
    SubModes,
 )
+from authentik.core.models import default_token_duration
+from authentik.events.signals import get_login_event
+from authentik.lib.generators import generate_id
 from authentik.stages.password.stage import PLAN_CONTEXT_METHOD, PLAN_CONTEXT_METHOD_ARGS

 if TYPE_CHECKING:
--- a/authentik/providers/oauth2/models.py
+++ b/authentik/providers/oauth2/models.py
@@ -33,6 +33,7 @@ from rest_framework.serializers import Serializer
 from structlog.stdlib import get_logger

 from authentik.brands.models import WebfingerProvider
+from authentik.common.oauth.constants import SubModes
 from authentik.core.models import (
    AuthenticatedSession,
    ExpiringModel,
@@ -44,7 +45,6 @@ from authentik.crypto.models import CertificateKeyPair
 from authentik.lib.generators import generate_code_fixed_length, generate_id, generate_key
 from authentik.lib.models import DomainlessURLValidator, InternallyManagedMixin, SerializerModel
 from authentik.lib.utils.time import timedelta_string_validator
-from authentik.providers.oauth2.constants import SubModes
 from authentik.sources.oauth.models import OAuthSource

 if TYPE_CHECKING:
--- a/authentik/providers/oauth2/signals.py
+++ b/authentik/providers/oauth2/signals.py
@@ -4,11 +4,11 @@ from django.db.models.signals import post_save, pre_delete
 from django.dispatch import receiver
 from structlog.stdlib import get_logger

+from authentik.common.oauth.constants import PLAN_CONTEXT_OIDC_LOGOUT_IFRAME_SESSIONS
 from authentik.core.models import AuthenticatedSession, User
 from authentik.flows.models import in_memory_stage
 from authentik.outposts.tasks import hash_session_key
 from authentik.providers.iframe_logout import IframeLogoutStageView
-from authentik.providers.oauth2.constants import PLAN_CONTEXT_OIDC_LOGOUT_IFRAME_SESSIONS
 from authentik.providers.oauth2.models import (
    AccessToken,
    DeviceToken,
--- a/authentik/providers/oauth2/tests/test_authorize.py
+++ b/authentik/providers/oauth2/tests/test_authorize.py
@@ -8,6 +8,7 @@ from django.urls import reverse
 from django.utils.timezone import now

 from authentik.blueprints.tests import apply_blueprint
+from authentik.common.oauth.constants import SCOPE_OFFLINE_ACCESS, SCOPE_OPENID, TOKEN_TYPE
 from authentik.core.models import Application
 from authentik.core.tests.utils import create_test_admin_user, create_test_brand, create_test_flow
 from authentik.events.models import Event, EventAction
@@ -16,7 +17,6 @@ from authentik.flows.stage import PLAN_CONTEXT_PENDING_USER_IDENTIFIER
 from authentik.flows.views.executor import SESSION_KEY_PLAN
 from authentik.lib.generators import generate_id
 from authentik.lib.utils.time import timedelta_from_string
-from authentik.providers.oauth2.constants import SCOPE_OFFLINE_ACCESS, SCOPE_OPENID, TOKEN_TYPE
 from authentik.providers.oauth2.errors import AuthorizeError, ClientIdError, RedirectUriError
 from authentik.providers.oauth2.models import (
    AccessToken,
--- a/authentik/providers/oauth2/tests/test_introspect.py
+++ b/authentik/providers/oauth2/tests/test_introspect.py
@@ -7,10 +7,10 @@ from dataclasses import asdict
 from django.urls import reverse
 from django.utils import timezone

+from authentik.common.oauth.constants import ACR_AUTHENTIK_DEFAULT
 from authentik.core.models import Application
 from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow
 from authentik.lib.generators import generate_id
-from authentik.providers.oauth2.constants import ACR_AUTHENTIK_DEFAULT
 from authentik.providers.oauth2.id_token import IDToken
 from authentik.providers.oauth2.models import (
    AccessToken,
--- a/authentik/providers/oauth2/tests/test_token.py
+++ b/authentik/providers/oauth2/tests/test_token.py
@@ -8,15 +8,15 @@ from django.urls import reverse
 from django.utils import timezone

 from authentik.blueprints.tests import apply_blueprint
-from authentik.core.models import Application
-from authentik.core.tests.utils import create_test_admin_user, create_test_flow
-from authentik.events.models import Event, EventAction
-from authentik.lib.generators import generate_id, generate_key
-from authentik.providers.oauth2.constants import (
+from authentik.common.oauth.constants import (
    GRANT_TYPE_AUTHORIZATION_CODE,
    GRANT_TYPE_REFRESH_TOKEN,
    TOKEN_TYPE,
 )
+from authentik.core.models import Application
+from authentik.core.tests.utils import create_test_admin_user, create_test_flow
+from authentik.events.models import Event, EventAction
+from authentik.lib.generators import generate_id, generate_key
 from authentik.providers.oauth2.errors import TokenError
 from authentik.providers.oauth2.models import (
    AccessToken,
--- a/authentik/providers/oauth2/tests/test_token_cc_jwt_provider.py
+++ b/authentik/providers/oauth2/tests/test_token_cc_jwt_provider.py
@@ -9,17 +9,17 @@ from django.utils.timezone import now
 from jwt import decode

 from authentik.blueprints.tests import apply_blueprint
-from authentik.core.models import Application, Group
-from authentik.core.tests.utils import create_test_cert, create_test_flow, create_test_user
-from authentik.lib.generators import generate_id
-from authentik.policies.models import PolicyBinding
-from authentik.providers.oauth2.constants import (
+from authentik.common.oauth.constants import (
    GRANT_TYPE_CLIENT_CREDENTIALS,
    SCOPE_OPENID,
    SCOPE_OPENID_EMAIL,
    SCOPE_OPENID_PROFILE,
    TOKEN_TYPE,
 )
+from authentik.core.models import Application, Group
+from authentik.core.tests.utils import create_test_cert, create_test_flow, create_test_user
+from authentik.lib.generators import generate_id
+from authentik.policies.models import PolicyBinding
 from authentik.providers.oauth2.models import (
    AccessToken,
    OAuth2Provider,
--- a/authentik/providers/oauth2/tests/test_token_cc_jwt_source.py
+++ b/authentik/providers/oauth2/tests/test_token_cc_jwt_source.py
@@ -8,17 +8,17 @@ from django.urls import reverse
 from jwt import decode

 from authentik.blueprints.tests import apply_blueprint
-from authentik.core.models import Application, Group
-from authentik.core.tests.utils import create_test_cert, create_test_flow
-from authentik.lib.generators import generate_id
-from authentik.policies.models import PolicyBinding
-from authentik.providers.oauth2.constants import (
+from authentik.common.oauth.constants import (
    GRANT_TYPE_CLIENT_CREDENTIALS,
    SCOPE_OPENID,
    SCOPE_OPENID_EMAIL,
    SCOPE_OPENID_PROFILE,
    TOKEN_TYPE,
 )
+from authentik.core.models import Application, Group
+from authentik.core.tests.utils import create_test_cert, create_test_flow
+from authentik.lib.generators import generate_id
+from authentik.policies.models import PolicyBinding
 from authentik.providers.oauth2.models import (
    OAuth2Provider,
    RedirectURI,
--- a/authentik/providers/oauth2/tests/test_token_cc_standard.py
+++ b/authentik/providers/oauth2/tests/test_token_cc_standard.py
@@ -7,10 +7,7 @@ from django.urls import reverse
 from jwt import decode

 from authentik.blueprints.tests import apply_blueprint
-from authentik.core.models import Application, Group, Token, TokenIntents, UserTypes
-from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow
-from authentik.policies.models import PolicyBinding
-from authentik.providers.oauth2.constants import (
+from authentik.common.oauth.constants import (
    GRANT_TYPE_CLIENT_CREDENTIALS,
    GRANT_TYPE_PASSWORD,
    SCOPE_OPENID,
@@ -18,6 +15,9 @@ from authentik.providers.oauth2.constants import (
    SCOPE_OPENID_PROFILE,
    TOKEN_TYPE,
 )
+from authentik.core.models import Application, Group, Token, TokenIntents, UserTypes
+from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow
+from authentik.policies.models import PolicyBinding
 from authentik.providers.oauth2.errors import TokenError
 from authentik.providers.oauth2.models import (
    AccessToken,
--- a/authentik/providers/oauth2/tests/test_token_cc_standard_compat.py
+++ b/authentik/providers/oauth2/tests/test_token_cc_standard_compat.py
@@ -8,10 +8,7 @@ from django.urls import reverse
 from jwt import decode

 from authentik.blueprints.tests import apply_blueprint
-from authentik.core.models import Application, Group, Token, TokenIntents, UserTypes
-from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow
-from authentik.policies.models import PolicyBinding
-from authentik.providers.oauth2.constants import (
+from authentik.common.oauth.constants import (
    GRANT_TYPE_CLIENT_CREDENTIALS,
    GRANT_TYPE_PASSWORD,
    SCOPE_OPENID,
@@ -19,6 +16,9 @@ from authentik.providers.oauth2.constants import (
    SCOPE_OPENID_PROFILE,
    TOKEN_TYPE,
 )
+from authentik.core.models import Application, Group, Token, TokenIntents, UserTypes
+from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow
+from authentik.policies.models import PolicyBinding
 from authentik.providers.oauth2.errors import TokenError
 from authentik.providers.oauth2.models import (
    OAuth2Provider,
--- a/authentik/providers/oauth2/tests/test_token_cc_user_pw.py
+++ b/authentik/providers/oauth2/tests/test_token_cc_user_pw.py
@@ -7,6 +7,14 @@ from django.urls import reverse
 from jwt import decode

 from authentik.blueprints.tests import apply_blueprint
+from authentik.common.oauth.constants import (
+    GRANT_TYPE_CLIENT_CREDENTIALS,
+    GRANT_TYPE_PASSWORD,
+    SCOPE_OPENID,
+    SCOPE_OPENID_EMAIL,
+    SCOPE_OPENID_PROFILE,
+    TOKEN_TYPE,
+)
 from authentik.core.models import Application, Group, Token, TokenIntents, UserTypes
 from authentik.core.tests.utils import (
    create_test_admin_user,
@@ -15,14 +23,6 @@ from authentik.core.tests.utils import (
    create_test_user,
 )
 from authentik.policies.models import PolicyBinding
-from authentik.providers.oauth2.constants import (
-    GRANT_TYPE_CLIENT_CREDENTIALS,
-    GRANT_TYPE_PASSWORD,
-    SCOPE_OPENID,
-    SCOPE_OPENID_EMAIL,
-    SCOPE_OPENID_PROFILE,
-    TOKEN_TYPE,
-)
 from authentik.providers.oauth2.errors import TokenError
 from authentik.providers.oauth2.models import (
    OAuth2Provider,
--- a/authentik/providers/oauth2/tests/test_token_device.py
+++ b/authentik/providers/oauth2/tests/test_token_device.py
@@ -6,14 +6,14 @@ from django.test import RequestFactory
 from django.urls import reverse

 from authentik.blueprints.tests import apply_blueprint
-from authentik.core.models import Application
-from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow
-from authentik.lib.generators import generate_code_fixed_length, generate_id
-from authentik.providers.oauth2.constants import (
+from authentik.common.oauth.constants import (
    GRANT_TYPE_DEVICE_CODE,
    SCOPE_OPENID,
    SCOPE_OPENID_EMAIL,
 )
+from authentik.core.models import Application
+from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow
+from authentik.lib.generators import generate_code_fixed_length, generate_id
 from authentik.providers.oauth2.models import (
    AccessToken,
    DeviceToken,
--- a/authentik/providers/oauth2/tests/test_token_pkce.py
+++ b/authentik/providers/oauth2/tests/test_token_pkce.py
@@ -5,10 +5,10 @@ from base64 import b64encode
 from django.test import RequestFactory
 from django.urls import reverse

+from authentik.common.oauth.constants import GRANT_TYPE_AUTHORIZATION_CODE
 from authentik.core.models import Application
 from authentik.core.tests.utils import create_test_admin_user, create_test_flow
 from authentik.lib.generators import generate_id
-from authentik.providers.oauth2.constants import GRANT_TYPE_AUTHORIZATION_CODE
 from authentik.providers.oauth2.models import (
    AuthorizationCode,
    OAuth2Provider,
--- a/authentik/providers/oauth2/views/authorize.py
+++ b/authentik/providers/oauth2/views/authorize.py
@@ -17,6 +17,19 @@ from django.utils import timezone, translation
 from django.utils.translation import gettext as _
 from structlog.stdlib import get_logger

+from authentik.common.oauth.constants import (
+    PKCE_METHOD_PLAIN,
+    PKCE_METHOD_S256,
+    PROMPT_CONSENT,
+    PROMPT_LOGIN,
+    PROMPT_NONE,
+    QS_LOGIN_HINT,
+    SCOPE_GITHUB,
+    SCOPE_OFFLINE_ACCESS,
+    SCOPE_OPENID,
+    TOKEN_TYPE,
+    UI_LOCALES,
+)
 from authentik.core.models import Application
 from authentik.events.models import Event, EventAction
 from authentik.events.signals import get_login_event
@@ -33,19 +46,6 @@ from authentik.lib.utils.time import timedelta_from_string
 from authentik.lib.views import bad_request_message
 from authentik.policies.types import PolicyRequest
 from authentik.policies.views import BufferedPolicyAccessView, RequestValidationError
-from authentik.providers.oauth2.constants import (
-    PKCE_METHOD_PLAIN,
-    PKCE_METHOD_S256,
-    PROMPT_CONSENT,
-    PROMPT_LOGIN,
-    PROMPT_NONE,
-    QS_LOGIN_HINT,
-    SCOPE_GITHUB,
-    SCOPE_OFFLINE_ACCESS,
-    SCOPE_OPENID,
-    TOKEN_TYPE,
-    UI_LOCALES,
-)
 from authentik.providers.oauth2.errors import (
    AuthorizeError,
    ClientIdError,
--- a/authentik/providers/oauth2/views/github.py
+++ b/authentik/providers/oauth2/views/github.py
@@ -6,7 +6,7 @@ from django.utils.text import slugify
 from django.views import View
 from django.views.decorators.csrf import csrf_exempt

-from authentik.providers.oauth2.constants import SCOPE_GITHUB_ORG_READ, SCOPE_GITHUB_USER_EMAIL
+from authentik.common.oauth.constants import SCOPE_GITHUB_ORG_READ, SCOPE_GITHUB_USER_EMAIL
 from authentik.providers.oauth2.models import RefreshToken
 from authentik.providers.oauth2.utils import protected_resource_view

--- a/authentik/providers/oauth2/views/provider.py
+++ b/authentik/providers/oauth2/views/provider.py
@@ -8,9 +8,7 @@ from django.views import View
 from guardian.shortcuts import get_anonymous_user
 from structlog.stdlib import get_logger

-from authentik.core.expression.exceptions import PropertyMappingExpressionException
-from authentik.core.models import Application
-from authentik.providers.oauth2.constants import (
+from authentik.common.oauth.constants import (
    ACR_AUTHENTIK_DEFAULT,
    GRANT_TYPE_AUTHORIZATION_CODE,
    GRANT_TYPE_CLIENT_CREDENTIALS,
@@ -22,6 +20,8 @@ from authentik.providers.oauth2.constants import (
    PKCE_METHOD_S256,
    SCOPE_OPENID,
 )
+from authentik.core.expression.exceptions import PropertyMappingExpressionException
+from authentik.core.models import Application
 from authentik.providers.oauth2.models import (
    OAuth2Provider,
    ResponseMode,
--- a/authentik/providers/oauth2/views/token.py
+++ b/authentik/providers/oauth2/views/token.py
@@ -19,6 +19,19 @@ from jwt import PyJWK, PyJWT, PyJWTError, decode
 from sentry_sdk import start_span
 from structlog.stdlib import get_logger

+from authentik.common.oauth.constants import (
+    CLIENT_ASSERTION,
+    CLIENT_ASSERTION_TYPE,
+    CLIENT_ASSERTION_TYPE_JWT,
+    GRANT_TYPE_AUTHORIZATION_CODE,
+    GRANT_TYPE_CLIENT_CREDENTIALS,
+    GRANT_TYPE_DEVICE_CODE,
+    GRANT_TYPE_PASSWORD,
+    GRANT_TYPE_REFRESH_TOKEN,
+    PKCE_METHOD_S256,
+    SCOPE_OFFLINE_ACCESS,
+    TOKEN_TYPE,
+)
 from authentik.core.middleware import CTX_AUTH_VIA
 from authentik.core.models import (
    USER_ATTRIBUTE_EXPIRES,
@@ -36,19 +49,6 @@ from authentik.events.signals import get_login_event
 from authentik.flows.planner import PLAN_CONTEXT_APPLICATION
 from authentik.lib.utils.time import timedelta_from_string
 from authentik.policies.engine import PolicyEngine
-from authentik.providers.oauth2.constants import (
-    CLIENT_ASSERTION,
-    CLIENT_ASSERTION_TYPE,
-    CLIENT_ASSERTION_TYPE_JWT,
-    GRANT_TYPE_AUTHORIZATION_CODE,
-    GRANT_TYPE_CLIENT_CREDENTIALS,
-    GRANT_TYPE_DEVICE_CODE,
-    GRANT_TYPE_PASSWORD,
-    GRANT_TYPE_REFRESH_TOKEN,
-    PKCE_METHOD_S256,
-    SCOPE_OFFLINE_ACCESS,
-    TOKEN_TYPE,
-)
 from authentik.providers.oauth2.errors import DeviceCodeError, TokenError, UserAuthError
 from authentik.providers.oauth2.id_token import IDToken
 from authentik.providers.oauth2.models import (
--- a/authentik/providers/oauth2/views/userinfo.py
+++ b/authentik/providers/oauth2/views/userinfo.py
@@ -11,16 +11,16 @@ from django.views import View
 from django.views.decorators.csrf import csrf_exempt
 from structlog.stdlib import get_logger

-from authentik.core.expression.exceptions import PropertyMappingExpressionException
-from authentik.events.models import Event, EventAction
-from authentik.flows.challenge import PermissionDict
-from authentik.providers.oauth2.constants import (
+from authentik.common.oauth.constants import (
    SCOPE_GITHUB_ORG_READ,
    SCOPE_GITHUB_USER,
    SCOPE_GITHUB_USER_EMAIL,
    SCOPE_GITHUB_USER_READ,
    SCOPE_OPENID,
 )
+from authentik.core.expression.exceptions import PropertyMappingExpressionException
+from authentik.events.models import Event, EventAction
+from authentik.flows.challenge import PermissionDict
 from authentik.providers.oauth2.models import (
    BaseGrantModel,
    OAuth2Provider,
--- a/authentik/providers/saml/api/providers.py
+++ b/authentik/providers/saml/api/providers.py
@@ -24,6 +24,7 @@ from rest_framework.viewsets import ModelViewSet
 from structlog.stdlib import get_logger

 from authentik.api.validation import validate
+from authentik.common.saml.constants import SAML_BINDING_POST, SAML_BINDING_REDIRECT
 from authentik.core.api.providers import ProviderSerializer
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import PassiveSerializer, PropertyMappingPreviewSerializer
@@ -35,7 +36,6 @@ from authentik.providers.saml.processors.authn_request_parser import AuthNReques
 from authentik.providers.saml.processors.metadata import MetadataProcessor
 from authentik.providers.saml.processors.metadata_parser import ServiceProviderMetadataParser
 from authentik.rbac.decorators import permission_required
-from authentik.sources.saml.processors.constants import SAML_BINDING_POST, SAML_BINDING_REDIRECT

 LOGGER = get_logger()

--- a/authentik/providers/saml/migrations/0009_auto_20201112_2016.py
+++ b/authentik/providers/saml/migrations/0009_auto_20201112_2016.py
@@ -4,7 +4,7 @@ from django.apps.registry import Apps
 from django.db import migrations, models
 from django.db.backends.base.schema import BaseDatabaseSchemaEditor

-from authentik.sources.saml.processors import constants
+from authentik.common.saml import constants


 def update_algorithms(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
--- a/authentik/providers/saml/models.py
+++ b/authentik/providers/saml/models.py
@@ -9,19 +9,7 @@ from django.utils.translation import gettext_lazy as _
 from rest_framework.serializers import Serializer
 from structlog.stdlib import get_logger

-from authentik.core.api.object_types import CreatableType
-from authentik.core.models import (
-    AuthenticatedSession,
-    ExpiringModel,
-    PropertyMapping,
-    Provider,
-    User,
-)
-from authentik.crypto.models import CertificateKeyPair
-from authentik.lib.models import DomainlessURLValidator, InternallyManagedMixin, SerializerModel
-from authentik.lib.utils.time import timedelta_string_validator
-from authentik.sources.saml.models import SAMLNameIDPolicy
-from authentik.sources.saml.processors.constants import (
+from authentik.common.saml.constants import (
    DSA_SHA1,
    ECDSA_SHA1,
    ECDSA_SHA256,
@@ -36,6 +24,18 @@ from authentik.sources.saml.processors.constants import (
    SHA384,
    SHA512,
 )
+from authentik.core.api.object_types import CreatableType
+from authentik.core.models import (
+    AuthenticatedSession,
+    ExpiringModel,
+    PropertyMapping,
+    Provider,
+    User,
+)
+from authentik.crypto.models import CertificateKeyPair
+from authentik.lib.models import DomainlessURLValidator, InternallyManagedMixin, SerializerModel
+from authentik.lib.utils.time import timedelta_string_validator
+from authentik.sources.saml.models import SAMLNameIDPolicy

 LOGGER = get_logger()

--- a/authentik/providers/saml/processors/assertion.py
+++ b/authentik/providers/saml/processors/assertion.py
@@ -11,6 +11,19 @@ from lxml import etree  # nosec
 from lxml.etree import Element, SubElement, _Element  # nosec
 from structlog.stdlib import get_logger

+from authentik.common.saml.constants import (
+    DIGEST_ALGORITHM_TRANSLATION_MAP,
+    NS_MAP,
+    NS_SAML_ASSERTION,
+    NS_SAML_PROTOCOL,
+    SAML_NAME_ID_FORMAT_EMAIL,
+    SAML_NAME_ID_FORMAT_PERSISTENT,
+    SAML_NAME_ID_FORMAT_TRANSIENT,
+    SAML_NAME_ID_FORMAT_UNSPECIFIED,
+    SAML_NAME_ID_FORMAT_WINDOWS,
+    SAML_NAME_ID_FORMAT_X509,
+    SIGN_ALGORITHM_TRANSFORM_MAP,
+)
 from authentik.core.expression.exceptions import PropertyMappingExpressionException
 from authentik.events.models import Event, EventAction
 from authentik.events.signals import get_login_event
@@ -26,19 +39,6 @@ from authentik.sources.saml.exceptions import (
    InvalidSignature,
    UnsupportedNameIDFormat,
 )
-from authentik.sources.saml.processors.constants import (
-    DIGEST_ALGORITHM_TRANSLATION_MAP,
-    NS_MAP,
-    NS_SAML_ASSERTION,
-    NS_SAML_PROTOCOL,
-    SAML_NAME_ID_FORMAT_EMAIL,
-    SAML_NAME_ID_FORMAT_PERSISTENT,
-    SAML_NAME_ID_FORMAT_TRANSIENT,
-    SAML_NAME_ID_FORMAT_UNSPECIFIED,
-    SAML_NAME_ID_FORMAT_WINDOWS,
-    SAML_NAME_ID_FORMAT_X509,
-    SIGN_ALGORITHM_TRANSFORM_MAP,
-)
 from authentik.stages.password.stage import PLAN_CONTEXT_METHOD, PLAN_CONTEXT_METHOD_ARGS

 LOGGER = get_logger()
--- a/authentik/providers/saml/processors/authn_request_parser.py
+++ b/authentik/providers/saml/processors/authn_request_parser.py
@@ -9,12 +9,7 @@ import xmlsec
 from defusedxml import ElementTree
 from structlog.stdlib import get_logger

-from authentik.lib.xml import lxml_from_string
-from authentik.providers.saml.exceptions import CannotHandleAssertion
-from authentik.providers.saml.models import SAMLProvider
-from authentik.providers.saml.utils.encoding import decode_base64_and_inflate
-from authentik.sources.saml.models import SAMLNameIDPolicy
-from authentik.sources.saml.processors.constants import (
+from authentik.common.saml.constants import (
    DSA_SHA1,
    NS_MAP,
    NS_SAML_PROTOCOL,
@@ -24,6 +19,11 @@ from authentik.sources.saml.processors.constants import (
    RSA_SHA512,
    SAML_NAME_ID_FORMAT_UNSPECIFIED,
 )
+from authentik.lib.xml import lxml_from_string
+from authentik.providers.saml.exceptions import CannotHandleAssertion
+from authentik.providers.saml.models import SAMLProvider
+from authentik.providers.saml.utils.encoding import decode_base64_and_inflate
+from authentik.sources.saml.models import SAMLNameIDPolicy

 ERROR_CANNOT_DECODE_REQUEST = "Cannot decode SAML request."
 ERROR_SIGNATURE_REQUIRED_BUT_ABSENT = (
--- a/authentik/providers/saml/processors/logout_request.py
+++ b/authentik/providers/saml/processors/logout_request.py
@@ -7,13 +7,7 @@ import xmlsec
 from lxml import etree  # nosec
 from lxml.etree import Element, _Element

-from authentik.core.models import User
-from authentik.lib.xml import remove_xml_newlines
-from authentik.providers.saml.models import SAMLProvider
-from authentik.providers.saml.utils import get_random_id
-from authentik.providers.saml.utils.encoding import deflate_and_base64_encode
-from authentik.providers.saml.utils.time import get_time_string
-from authentik.sources.saml.processors.constants import (
+from authentik.common.saml.constants import (
    DIGEST_ALGORITHM_TRANSLATION_MAP,
    NS_MAP,
    NS_SAML_ASSERTION,
@@ -21,6 +15,12 @@ from authentik.sources.saml.processors.constants import (
    SAML_NAME_ID_FORMAT_EMAIL,
    SIGN_ALGORITHM_TRANSFORM_MAP,
 )
+from authentik.core.models import User
+from authentik.lib.xml import remove_xml_newlines
+from authentik.providers.saml.models import SAMLProvider
+from authentik.providers.saml.utils import get_random_id
+from authentik.providers.saml.utils.encoding import deflate_and_base64_encode
+from authentik.providers.saml.utils.time import get_time_string


 class LogoutRequestProcessor:
--- a/authentik/providers/saml/processors/logout_request_parser.py
+++ b/authentik/providers/saml/processors/logout_request_parser.py
@@ -5,11 +5,11 @@ from dataclasses import dataclass

 from defusedxml import ElementTree

+from authentik.common.saml.constants import NS_SAML_ASSERTION, NS_SAML_PROTOCOL
 from authentik.providers.saml.exceptions import CannotHandleAssertion
 from authentik.providers.saml.models import SAMLProvider
 from authentik.providers.saml.processors.authn_request_parser import ERROR_CANNOT_DECODE_REQUEST
 from authentik.providers.saml.utils.encoding import decode_base64_and_inflate
-from authentik.sources.saml.processors.constants import NS_SAML_ASSERTION, NS_SAML_PROTOCOL


@dataclass(slots=True)
--- a/authentik/providers/saml/processors/metadata.py
+++ b/authentik/providers/saml/processors/metadata.py
@@ -8,10 +8,7 @@ from django.http import HttpRequest
 from django.urls import reverse
 from lxml.etree import Element, SubElement, _Element, tostring  # nosec

-from authentik.lib.xml import remove_xml_newlines
-from authentik.providers.saml.models import SAMLProvider
-from authentik.providers.saml.utils.encoding import strip_pem_header
-from authentik.sources.saml.processors.constants import (
+from authentik.common.saml.constants import (
    DIGEST_ALGORITHM_TRANSLATION_MAP,
    NS_MAP,
    NS_SAML_METADATA,
@@ -25,6 +22,9 @@ from authentik.sources.saml.processors.constants import (
    SAML_NAME_ID_FORMAT_X509,
    SIGN_ALGORITHM_TRANSFORM_MAP,
 )
+from authentik.lib.xml import remove_xml_newlines
+from authentik.providers.saml.models import SAMLProvider
+from authentik.providers.saml.utils.encoding import strip_pem_header


 class MetadataProcessor:
--- a/authentik/providers/saml/processors/metadata_parser.py
+++ b/authentik/providers/saml/processors/metadata_parser.py
@@ -9,16 +9,16 @@ from defusedxml.lxml import fromstring
 from lxml import etree  # nosec
 from structlog.stdlib import get_logger

-from authentik.crypto.models import CertificateKeyPair, format_cert
-from authentik.flows.models import Flow
-from authentik.providers.saml.models import SAMLBindings, SAMLPropertyMapping, SAMLProvider
-from authentik.sources.saml.models import SAMLNameIDPolicy
-from authentik.sources.saml.processors.constants import (
+from authentik.common.saml.constants import (
    NS_MAP,
    NS_SAML_METADATA,
    SAML_BINDING_POST,
    SAML_BINDING_REDIRECT,
 )
+from authentik.crypto.models import CertificateKeyPair, format_cert
+from authentik.flows.models import Flow
+from authentik.providers.saml.models import SAMLBindings, SAMLPropertyMapping, SAMLProvider
+from authentik.sources.saml.models import SAMLNameIDPolicy

 LOGGER = get_logger()

--- a/authentik/providers/saml/tests/test_auth_n_request.py
+++ b/authentik/providers/saml/tests/test_auth_n_request.py
@@ -9,6 +9,12 @@ from guardian.utils import get_anonymous_user
 from lxml import etree  # nosec

 from authentik.blueprints.tests import apply_blueprint
+from authentik.common.saml.constants import (
+    NS_MAP,
+    SAML_BINDING_POST,
+    SAML_NAME_ID_FORMAT_EMAIL,
+    SAML_NAME_ID_FORMAT_UNSPECIFIED,
+)
 from authentik.core.tests.utils import (
    RequestFactory,
    create_test_admin_user,
@@ -24,12 +30,6 @@ from authentik.providers.saml.processors.assertion import AssertionProcessor
 from authentik.providers.saml.processors.authn_request_parser import AuthNRequestParser
 from authentik.sources.saml.exceptions import MismatchedRequestID
 from authentik.sources.saml.models import SAMLSource
-from authentik.sources.saml.processors.constants import (
-    NS_MAP,
-    SAML_BINDING_POST,
-    SAML_NAME_ID_FORMAT_EMAIL,
-    SAML_NAME_ID_FORMAT_UNSPECIFIED,
-)
 from authentik.sources.saml.processors.request import SESSION_KEY_REQUEST_ID, RequestProcessor
 from authentik.sources.saml.processors.response import ResponseProcessor

--- a/authentik/providers/saml/tests/test_idp_logout.py
+++ b/authentik/providers/saml/tests/test_idp_logout.py
@@ -5,6 +5,10 @@ from unittest.mock import Mock

 from django.test import RequestFactory, TestCase

+from authentik.common.saml.constants import (
+    RSA_SHA256,
+    SAML_NAME_ID_FORMAT_EMAIL,
+)
 from authentik.core.tests.utils import create_test_flow
 from authentik.flows.planner import FlowPlan
 from authentik.flows.tests import FlowTestCase
@@ -22,10 +26,6 @@ from authentik.providers.saml.views.flows import (
    PLAN_CONTEXT_SAML_LOGOUT_IFRAME_SESSIONS,
    PLAN_CONTEXT_SAML_LOGOUT_NATIVE_SESSIONS,
 )
-from authentik.sources.saml.processors.constants import (
-    RSA_SHA256,
-    SAML_NAME_ID_FORMAT_EMAIL,
-)


 class TestNativeLogoutStageView(TestCase):
@@ -295,7 +295,7 @@ class TestIframeLogoutStageView(TestCase):
            },
        ]
        # OIDC sessions (pre-processed)
-        from authentik.providers.oauth2.constants import PLAN_CONTEXT_OIDC_LOGOUT_IFRAME_SESSIONS
+        from authentik.common.oauth.constants import PLAN_CONTEXT_OIDC_LOGOUT_IFRAME_SESSIONS

        plan.context[PLAN_CONTEXT_OIDC_LOGOUT_IFRAME_SESSIONS] = [
            {
--- a/authentik/providers/saml/tests/test_logout_processor_and_parser.py
+++ b/authentik/providers/saml/tests/test_logout_processor_and_parser.py
@@ -4,14 +4,14 @@ from urllib.parse import parse_qs, urlparse

 from django.test import TestCase

+from authentik.common.saml.constants import (
+    RSA_SHA256,
+    SAML_NAME_ID_FORMAT_EMAIL,
+)
 from authentik.core.tests.utils import create_test_cert, create_test_flow
 from authentik.providers.saml.models import SAMLProvider
 from authentik.providers.saml.processors.logout_request import LogoutRequestProcessor
 from authentik.providers.saml.processors.logout_request_parser import LogoutRequestParser
-from authentik.sources.saml.processors.constants import (
-    RSA_SHA256,
-    SAML_NAME_ID_FORMAT_EMAIL,
-)


 class TestLogoutIntegration(TestCase):
--- a/authentik/providers/saml/tests/test_logout_request_parser.py
+++ b/authentik/providers/saml/tests/test_logout_request_parser.py
@@ -3,11 +3,11 @@
 from django.test import TestCase

 from authentik.blueprints.tests import apply_blueprint
+from authentik.common.saml.constants import SAML_NAME_ID_FORMAT_TRANSIENT
 from authentik.core.tests.utils import create_test_cert, create_test_flow
 from authentik.providers.saml.models import SAMLPropertyMapping, SAMLProvider
 from authentik.providers.saml.processors.logout_request_parser import LogoutRequestParser
 from authentik.sources.saml.models import SAMLSource
-from authentik.sources.saml.processors.constants import SAML_NAME_ID_FORMAT_TRANSIENT

 GET_LOGOUT_REQUEST = (
    "lJLNauMwEMdfRejuSJbtEIvYsBAWDNlltyk99DaxJ41AllzNGNq3L3Z7CD0EehJo5vf/ENoTjH6yx/gSZ37A1xmJxdvo"
--- a/authentik/providers/saml/tests/test_logout_request_processor.py
+++ b/authentik/providers/saml/tests/test_logout_request_processor.py
@@ -7,16 +7,16 @@ from urllib.parse import parse_qs, urlparse
 from django.test import TestCase
 from lxml import etree

-from authentik.core.tests.utils import create_test_cert, create_test_flow
-from authentik.providers.saml.models import SAMLProvider
-from authentik.providers.saml.processors.logout_request import LogoutRequestProcessor
-from authentik.sources.saml.processors.constants import (
+from authentik.common.saml.constants import (
    NS_MAP,
    NS_SAML_ASSERTION,
    NS_SAML_PROTOCOL,
    RSA_SHA256,
    SAML_NAME_ID_FORMAT_EMAIL,
 )
+from authentik.core.tests.utils import create_test_cert, create_test_flow
+from authentik.providers.saml.models import SAMLProvider
+from authentik.providers.saml.processors.logout_request import LogoutRequestProcessor


 class TestLogoutRequestProcessor(TestCase):
--- a/authentik/providers/saml/tests/test_metadata.py
+++ b/authentik/providers/saml/tests/test_metadata.py
@@ -5,6 +5,7 @@ from defusedxml.lxml import fromstring
 from django.test import RequestFactory, TestCase
 from lxml import etree  # nosec

+from authentik.common.saml.constants import ECDSA_SHA256, NS_MAP, NS_SAML_METADATA
 from authentik.core.models import Application
 from authentik.core.tests.utils import create_test_cert, create_test_flow
 from authentik.crypto.builder import PrivateKeyAlg
@@ -15,7 +16,6 @@ from authentik.providers.saml.models import SAMLBindings, SAMLPropertyMapping, S
 from authentik.providers.saml.processors.metadata import MetadataProcessor
 from authentik.providers.saml.processors.metadata_parser import ServiceProviderMetadataParser
 from authentik.sources.saml.models import SAMLNameIDPolicy
-from authentik.sources.saml.processors.constants import ECDSA_SHA256, NS_MAP, NS_SAML_METADATA


 class TestServiceProviderMetadataParser(TestCase):
--- a/authentik/providers/saml/tests/test_models_session.py
+++ b/authentik/providers/saml/tests/test_models_session.py
@@ -6,14 +6,14 @@ from django.db import IntegrityError
 from django.test import TestCase
 from django.utils import timezone

+from authentik.common.saml.constants import (
+    SAML_NAME_ID_FORMAT_EMAIL,
+)
 from authentik.core.models import AuthenticatedSession, Session, User
 from authentik.core.tests.utils import create_test_flow
 from authentik.lib.generators import generate_id
 from authentik.providers.saml.api.sessions import SAMLSessionSerializer
 from authentik.providers.saml.models import SAMLProvider, SAMLSession
-from authentik.sources.saml.processors.constants import (
-    SAML_NAME_ID_FORMAT_EMAIL,
-)


 class TestSAMLSessionModel(TestCase):
--- a/authentik/providers/saml/tests/test_views_sp_slo.py
+++ b/authentik/providers/saml/tests/test_views_sp_slo.py
@@ -6,6 +6,7 @@ from django.http import Http404
 from django.test import RequestFactory, TestCase
 from django.urls import reverse

+from authentik.common.saml.constants import SAML_NAME_ID_FORMAT_EMAIL
 from authentik.core.models import Application
 from authentik.core.tests.utils import create_test_brand, create_test_flow
 from authentik.flows.planner import FlowPlan
@@ -18,7 +19,6 @@ from authentik.providers.saml.views.sp_slo import (
    SPInitiatedSLOBindingPOSTView,
    SPInitiatedSLOBindingRedirectView,
 )
-from authentik.sources.saml.processors.constants import SAML_NAME_ID_FORMAT_EMAIL


 class TestSPInitiatedSLOViews(TestCase):
--- a/authentik/sources/saml/migrations/0001_squashed_0009_auto_20210301_0949.py
+++ b/authentik/sources/saml/migrations/0001_squashed_0009_auto_20210301_0949.py
@@ -6,7 +6,7 @@ from django.db import migrations, models
 from django.db.backends.base.schema import BaseDatabaseSchemaEditor

 import authentik.lib.utils.time
-from authentik.sources.saml.processors import constants
+from authentik.common.saml import constants


 def update_algorithms(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
--- a/authentik/sources/saml/models.py
+++ b/authentik/sources/saml/models.py
@@ -9,20 +9,7 @@ from django.urls import reverse
 from django.utils.translation import gettext_lazy as _
 from rest_framework.serializers import Serializer

-from authentik.core.models import (
-    GroupSourceConnection,
-    PropertyMapping,
-    Source,
-    UserSourceConnection,
-)
-from authentik.core.types import UILoginButton, UserSettingSerializer
-from authentik.crypto.models import CertificateKeyPair
-from authentik.flows.challenge import RedirectChallenge
-from authentik.flows.models import Flow
-from authentik.lib.expression.evaluator import BaseEvaluator
-from authentik.lib.models import DomainlessURLValidator
-from authentik.lib.utils.time import timedelta_string_validator
-from authentik.sources.saml.processors.constants import (
+from authentik.common.saml.constants import (
    DSA_SHA1,
    ECDSA_SHA1,
    ECDSA_SHA256,
@@ -47,6 +34,19 @@ from authentik.sources.saml.processors.constants import (
    SHA384,
    SHA512,
 )
+from authentik.core.models import (
+    GroupSourceConnection,
+    PropertyMapping,
+    Source,
+    UserSourceConnection,
+)
+from authentik.core.types import UILoginButton, UserSettingSerializer
+from authentik.crypto.models import CertificateKeyPair
+from authentik.flows.challenge import RedirectChallenge
+from authentik.flows.models import Flow
+from authentik.lib.expression.evaluator import BaseEvaluator
+from authentik.lib.models import DomainlessURLValidator
+from authentik.lib.utils.time import timedelta_string_validator


 class SAMLBindingTypes(models.TextChoices):
--- a/authentik/sources/saml/processors/metadata.py
+++ b/authentik/sources/saml/processors/metadata.py
@@ -3,14 +3,14 @@
 from django.http import HttpRequest
 from lxml.etree import Element, SubElement, tostring  # nosec

-from authentik.providers.saml.utils.encoding import strip_pem_header
-from authentik.sources.saml.models import SAMLSource
-from authentik.sources.saml.processors.constants import (
+from authentik.common.saml.constants import (
    NS_MAP,
    NS_SAML_METADATA,
    NS_SIGNATURE,
    SAML_BINDING_POST,
 )
+from authentik.providers.saml.utils.encoding import strip_pem_header
+from authentik.sources.saml.models import SAMLSource


 class MetadataProcessor:
--- a/authentik/sources/saml/processors/request.py
+++ b/authentik/sources/saml/processors/request.py
@@ -8,12 +8,7 @@ from django.http import HttpRequest
 from lxml import etree  # nosec
 from lxml.etree import Element  # nosec

-from authentik.lib.xml import remove_xml_newlines
-from authentik.providers.saml.utils import get_random_id
-from authentik.providers.saml.utils.encoding import deflate_and_base64_encode
-from authentik.providers.saml.utils.time import get_time_string
-from authentik.sources.saml.models import SAMLSource
-from authentik.sources.saml.processors.constants import (
+from authentik.common.saml.constants import (
    DIGEST_ALGORITHM_TRANSLATION_MAP,
    NS_MAP,
    NS_SAML_ASSERTION,
@@ -21,6 +16,11 @@ from authentik.sources.saml.processors.constants import (
    SAML_BINDING_POST,
    SIGN_ALGORITHM_TRANSFORM_MAP,
 )
+from authentik.lib.xml import remove_xml_newlines
+from authentik.providers.saml.utils import get_random_id
+from authentik.providers.saml.utils.encoding import deflate_and_base64_encode
+from authentik.providers.saml.utils.time import get_time_string
+from authentik.sources.saml.models import SAMLSource

 SESSION_KEY_REQUEST_ID = "authentik/sources/saml/request_id"

--- a/authentik/sources/saml/processors/response.py
+++ b/authentik/sources/saml/processors/response.py
@@ -14,6 +14,16 @@ from lxml import etree  # nosec
 from lxml.etree import _Element  # nosec
 from structlog.stdlib import get_logger

+from authentik.common.saml.constants import (
+    NS_MAP,
+    NS_SAML_ASSERTION,
+    NS_SAML_PROTOCOL,
+    SAML_NAME_ID_FORMAT_EMAIL,
+    SAML_NAME_ID_FORMAT_PERSISTENT,
+    SAML_NAME_ID_FORMAT_TRANSIENT,
+    SAML_NAME_ID_FORMAT_WINDOWS,
+    SAML_NAME_ID_FORMAT_X509,
+)
 from authentik.core.models import (
    USER_ATTRIBUTE_DELETE_ON_LOGOUT,
    USER_ATTRIBUTE_EXPIRES,
@@ -35,16 +45,6 @@ from authentik.sources.saml.models import (
    SAMLSource,
    UserSAMLSourceConnection,
 )
-from authentik.sources.saml.processors.constants import (
-    NS_MAP,
-    NS_SAML_ASSERTION,
-    NS_SAML_PROTOCOL,
-    SAML_NAME_ID_FORMAT_EMAIL,
-    SAML_NAME_ID_FORMAT_PERSISTENT,
-    SAML_NAME_ID_FORMAT_TRANSIENT,
-    SAML_NAME_ID_FORMAT_WINDOWS,
-    SAML_NAME_ID_FORMAT_X509,
-)
 from authentik.sources.saml.processors.request import SESSION_KEY_REQUEST_ID

 LOGGER = get_logger()
--- a/authentik/sources/saml/tests/test_property_mappings.py
+++ b/authentik/sources/saml/tests/test_property_mappings.py
@@ -5,11 +5,11 @@ from base64 import b64encode
 from defusedxml.lxml import fromstring
 from django.test import TestCase

+from authentik.common.saml.constants import NS_SAML_ASSERTION
 from authentik.core.tests.utils import RequestFactory, create_test_flow
 from authentik.lib.generators import generate_id
 from authentik.lib.tests.utils import load_fixture
 from authentik.sources.saml.models import SAMLSource, SAMLSourcePropertyMapping
-from authentik.sources.saml.processors.constants import NS_SAML_ASSERTION
 from authentik.sources.saml.processors.response import ResponseProcessor

 ROOT = fromstring(load_fixture("fixtures/response_success.xml").encode())
--- a/tests/e2e/test_provider_oauth2_grafana.py
+++ b/tests/e2e/test_provider_oauth2_grafana.py
@@ -8,6 +8,12 @@ from selenium.webdriver.common.by import By
 from selenium.webdriver.support import expected_conditions as ec

 from authentik.blueprints.tests import apply_blueprint, reconcile_app
+from authentik.common.oauth.constants import (
+    SCOPE_OFFLINE_ACCESS,
+    SCOPE_OPENID,
+    SCOPE_OPENID_EMAIL,
+    SCOPE_OPENID_PROFILE,
+)
 from authentik.core.models import Application
 from authentik.core.tests.utils import create_test_cert
 from authentik.flows.models import Flow
@@ -15,12 +21,6 @@ from authentik.lib.generators import generate_id, generate_key
 from authentik.policies.apps import BufferedPolicyAccessViewFlag
 from authentik.policies.expression.models import ExpressionPolicy
 from authentik.policies.models import PolicyBinding
-from authentik.providers.oauth2.constants import (
-    SCOPE_OFFLINE_ACCESS,
-    SCOPE_OPENID,
-    SCOPE_OPENID_EMAIL,
-    SCOPE_OPENID_PROFILE,
-)
 from authentik.providers.oauth2.models import (
    ClientTypes,
    OAuth2Provider,
--- a/tests/e2e/test_provider_oidc.py
+++ b/tests/e2e/test_provider_oidc.py
@@ -7,18 +7,18 @@ from selenium.webdriver.common.by import By
 from selenium.webdriver.support import expected_conditions as ec

 from authentik.blueprints.tests import apply_blueprint, reconcile_app
+from authentik.common.oauth.constants import (
+    SCOPE_OFFLINE_ACCESS,
+    SCOPE_OPENID,
+    SCOPE_OPENID_EMAIL,
+    SCOPE_OPENID_PROFILE,
+)
 from authentik.core.models import Application
 from authentik.core.tests.utils import create_test_cert
 from authentik.flows.models import Flow
 from authentik.lib.generators import generate_id, generate_key
 from authentik.policies.expression.models import ExpressionPolicy
 from authentik.policies.models import PolicyBinding
-from authentik.providers.oauth2.constants import (
-    SCOPE_OFFLINE_ACCESS,
-    SCOPE_OPENID,
-    SCOPE_OPENID_EMAIL,
-    SCOPE_OPENID_PROFILE,
-)
 from authentik.providers.oauth2.models import (
    ClientTypes,
    OAuth2Provider,
--- a/tests/e2e/test_provider_oidc_implicit.py
+++ b/tests/e2e/test_provider_oidc_implicit.py
@@ -7,18 +7,18 @@ from selenium.webdriver.common.by import By
 from selenium.webdriver.support import expected_conditions as ec

 from authentik.blueprints.tests import apply_blueprint, reconcile_app
+from authentik.common.oauth.constants import (
+    SCOPE_OFFLINE_ACCESS,
+    SCOPE_OPENID,
+    SCOPE_OPENID_EMAIL,
+    SCOPE_OPENID_PROFILE,
+)
 from authentik.core.models import Application
 from authentik.core.tests.utils import create_test_cert
 from authentik.flows.models import Flow
 from authentik.lib.generators import generate_id, generate_key
 from authentik.policies.expression.models import ExpressionPolicy
 from authentik.policies.models import PolicyBinding
-from authentik.providers.oauth2.constants import (
-    SCOPE_OFFLINE_ACCESS,
-    SCOPE_OPENID,
-    SCOPE_OPENID_EMAIL,
-    SCOPE_OPENID_PROFILE,
-)
 from authentik.providers.oauth2.models import (
    ClientTypes,
    OAuth2Provider,
--- a/tests/e2e/test_provider_saml.py
+++ b/tests/e2e/test_provider_saml.py
@@ -8,6 +8,7 @@ from selenium.webdriver.common.by import By
 from selenium.webdriver.support import expected_conditions as ec

 from authentik.blueprints.tests import apply_blueprint, reconcile_app
+from authentik.common.saml.constants import SAML_BINDING_POST
 from authentik.core.models import Application
 from authentik.core.tests.utils import create_test_cert
 from authentik.flows.models import Flow
@@ -16,7 +17,6 @@ from authentik.policies.apps import BufferedPolicyAccessViewFlag
 from authentik.policies.expression.models import ExpressionPolicy
 from authentik.policies.models import PolicyBinding
 from authentik.providers.saml.models import SAMLBindings, SAMLPropertyMapping, SAMLProvider
-from authentik.sources.saml.processors.constants import SAML_BINDING_POST
 from authentik.tenants.flags import patch_flag
 from tests.e2e.utils import SeleniumTestCase, retry