avoid loops

Bumps [basic-ftp](https://github.com/patrickjuchli/basic-ftp) from 5.2.1 to 5.2.2.
- [Release notes](https://github.com/patrickjuchli/basic-ftp/releases)
- [Changelog](https://github.com/patrickjuchli/basic-ftp/blob/master/CHANGELOG.md)
- [Commits](https://github.com/patrickjuchli/basic-ftp/compare/v5.2.1...v5.2.2)

---
updated-dependencies:
- dependency-name: basic-ftp
  dependency-version: 5.2.2
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

.cargo/config.toml

@@ -0,0 +1,5 @@
+[alias]
+t = ["nextest", "run"]
+
+[build]
+rustflags = ["--cfg", "tokio_unstable"]

.cargo/deny.toml

@@ -0,0 +1,46 @@
+[licenses]
+allow = [
+  "Apache-2.0",
+  "BSD-3-Clause",
+  "CC0-1.0",
+  "CDLA-Permissive-2.0",
+  "ISC",
+  "MIT",
+  "MPL-2.0",
+  "OpenSSL",
+  "Unicode-3.0",
+  "Zlib",
+]
+
+[licenses.private]
+ignore = true
+
+[bans]
+multiple-versions = "allow"
+wildcards = "deny"
+[bans.workspace-dependencies]
+duplicates = "deny"
+include-path-dependencies = true
+unused = "deny"
+
+# No non-FIPS compliant dependencies
+[[bans.deny]]
+name = "native-tls"
+[[bans.deny]]
+name = "openssl"
+[[bans.deny]]
+name = "openssl-sys"
+[[bans.deny]]
+name = "ring"
+[[bans.features]]
+allow = [
+  "alloc",
+  "aws-lc-sys",
+  "default",
+  "fips",
+  "prebuilt-nasm",
+  "ring-io",
+  "ring-sig-verify",
+]
+name = "aws-lc-rs"
+exact = true

.cargo/rustfmt.toml

@@ -0,0 +1,15 @@
+comment_width = 100
+format_code_in_doc_comments = true
+format_strings = true
+group_imports = "StdExternalCrate"
+hex_literal_case = "Lower"
+imports_granularity = "Crate"
+max_width = 100
+newline_style = "Unix"
+normalize_comments = true
+normalize_doc_attributes = true
+reorder_impl_items = true
+style_edition = "2024"
+use_field_init_shorthand = true
+use_try_shorthand = true
+wrap_comments = true

.dockerignore

@@ -9,7 +9,5 @@ build_docs/**
 **/*Dockerfile
 blueprints/local
 .git
-!gen-ts-api/node_modules
-!gen-ts-api/dist/**
-!gen-go-api/
 .venv
+target

.gitattributes

@@ -0,0 +1,9 @@
+packages/client-*/** linguist-generated
+web/packages/lex/* linguist-vendored
+web/packages/node-domexception/* linguist-vendored
+web/packages/formdata-polyfill/* linguist-vendored
+web/packages/sfe/vendored/* linguist-vendored
+website/vendored/* linguist-vendored
+website/docs/** linguist-documentation
+website/integrations/** linguist-documentation
+website/api/** linguist-documentation

.github/actions/cherry-pick/action.yml

@@ -115,20 +115,13 @@ runs:
       shell: bash
       env:
         GITHUB_TOKEN: ${{ inputs.token }}
+        PR_NUMBER: ${{ steps.should_run.outputs.pr_number }}
+        REASON: ${{ steps.should_run.outputs.reason }}
       run: |
         set -e -o pipefail
-        PR_NUMBER="${{ steps.should_run.outputs.pr_number }}"
-
-        # Get PR details
-        PR_DATA=$(gh api repos/${{ github.repository }}/pulls/$PR_NUMBER)
-        PR_TITLE=$(echo "$PR_DATA" | jq -r '.title')
-        PR_AUTHOR=$(echo "$PR_DATA" | jq -r '.user.login')
-
-        echo "pr_title=$PR_TITLE" >> $GITHUB_OUTPUT
-        echo "pr_author=$PR_AUTHOR" >> $GITHUB_OUTPUT
 
         # Determine which labels to process
-        if [ "${{ steps.should_run.outputs.reason }}" = "label_added_to_merged_pr" ]; then
+        if [ "${REASON}" = "label_added_to_merged_pr" ]; then
           # Only process the specific label that was just added
           if [ "${{ github.event_name }}" = "issues" ]; then
             LABEL_NAME="${{ github.event.label.name }}"
@@ -152,13 +145,13 @@ runs:
       shell: bash
       env:
         GITHUB_TOKEN: ${{ inputs.token }}
+        PR_NUMBER: '${{ steps.should_run.outputs.pr_number }}'
+        COMMIT_SHA: '${{ steps.should_run.outputs.merge_commit_sha }}'
+        PR_TITLE: ${{ github.event.pull_request.title }}
+        PR_AUTHOR: ${{ github.event.pull_request.user.login }}
+        LABELS: '${{ steps.pr_details.outputs.labels }}'
       run: |
         set -e -o pipefail
-        PR_NUMBER='${{ steps.should_run.outputs.pr_number }}'
-        COMMIT_SHA='${{ steps.should_run.outputs.merge_commit_sha }}'
-        PR_TITLE='${{ steps.pr_details.outputs.pr_title }}'
-        PR_AUTHOR='${{ steps.pr_details.outputs.pr_author }}'
-        LABELS='${{ steps.pr_details.outputs.labels }}'
 
         echo "Processing PR #$PR_NUMBER (reason: ${{ steps.should_run.outputs.reason }})"
         echo "Found backport labels: $LABELS"

.github/actions/docker-push-variables/action.yml

@@ -54,10 +54,6 @@ outputs:
 runs:
   using: "composite"
   steps:
-    - name: Setup authentik env
-      uses: ./.github/actions/setup
-      with:
-        dependencies: "python"
     - name: Generate config
       id: ev
       shell: bash
@@ -68,4 +64,4 @@ runs:
         PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
         REF: ${{ github.ref }}
       run: |
-        uv run python3 ${{ github.action_path }}/push_vars.py
+        python3 ${{ github.action_path }}/push_vars.py

.github/actions/docker-push-variables/push_vars.py

@@ -2,10 +2,19 @@
 
 import os
 from json import dumps
+from pathlib import Path
 from sys import exit as sysexit
 from time import time
+from typing import Any
 
-from authentik import authentik_version
+
+def authentik_version() -> str:
+    init = Path(__file__).parent.parent.parent.parent / "authentik" / "__init__.py"
+    with open(init) as f:
+        content = f.read()
+    locals: dict[str, Any] = {}
+    exec(content, None, locals)  # nosec
+    return str(locals["VERSION"])
 
 
 def must_or_fail(input: str | None, error: str) -> str:
@@ -97,6 +106,7 @@ if os.getenv("RELEASE", "false").lower() == "true":
     image_build_args = [f"VERSION={os.getenv('REF')}"]
 else:
     image_build_args = [f"GIT_BUILD_HASH={sha}"]
+image_build_args_str = "\n".join(image_build_args)
 
 with open(os.environ["GITHUB_OUTPUT"], "a+", encoding="utf-8") as _output:
     print(f"shouldPush={str(should_push).lower()}", file=_output)
@@ -109,4 +119,4 @@ with open(os.environ["GITHUB_OUTPUT"], "a+", encoding="utf-8") as _output:
     print(f"imageMainTag={image_main_tag}", file=_output)
     print(f"imageMainName={image_tags[0]}", file=_output)
     print(f"cacheTo={cache_to}", file=_output)
-    print(f"imageBuildArgs={"\n".join(image_build_args)}", file=_output)
+    print(f"imageBuildArgs={image_build_args_str}", file=_output)

.github/actions/setup/action.yml

@@ -4,61 +4,95 @@ description: "Setup authentik testing environment"
 inputs:
   dependencies:
     description: "List of dependencies to setup"
-    default: "system,python,node,go,runtime"
+    default: "system,python,rust,node,go,runtime"
   postgresql_version:
     description: "Optional postgresql image tag"
     default: "16"
+  working-directory:
+    description: |
+      Optional working directory if this repo isn't in the root of the actions workspace.
+      When set, needs to contain a trailing slash
+    default: ""
 
 runs:
   using: "composite"
   steps:
-    - name: Install apt deps & cleanup
+    - name: Cleanup apt
+      if: ${{ contains(inputs.dependencies, 'system') || contains(inputs.dependencies, 'python') }}
+      shell: bash
+      run: sudo apt-get remove --purge man-db
+    - name: Install apt deps
+      if: ${{ contains(inputs.dependencies, 'system') || contains(inputs.dependencies, 'python') }}
+      uses: gerlero/apt-install@f4fa5265092af9e750549565d28c99aec7189639
+      with:
+        packages: libpq-dev openssl libxmlsec1-dev pkg-config gettext krb5-multidev libkrb5-dev heimdal-multidev libclang-dev krb5-kdc krb5-user krb5-admin-server
+        update: true
+        upgrade: false
+        install-recommends: false
+    - name: Make space on disk
       if: ${{ contains(inputs.dependencies, 'system') || contains(inputs.dependencies, 'python') }}
       shell: bash
       run: |
-        sudo apt-get remove --purge man-db
-        sudo apt-get update
-        sudo apt-get install --no-install-recommends -y libpq-dev openssl libxmlsec1-dev pkg-config gettext krb5-multidev libkrb5-dev heimdal-multidev libclang-dev krb5-kdc krb5-user krb5-admin-server
-        sudo rm -rf /usr/local/lib/android
+        sudo mkdir -p /tmp/empty/
+        sudo rsync -a --delete /tmp/empty/ /usr/local/lib/android/
     - name: Install uv
       if: ${{ contains(inputs.dependencies, 'python') }}
-      uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098 # v5
+      uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v5
       with:
         enable-cache: true
     - name: Setup python
       if: ${{ contains(inputs.dependencies, 'python') }}
       uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v5
       with:
-        python-version-file: "pyproject.toml"
+        python-version-file: "${{ inputs.working-directory }}pyproject.toml"
     - name: Install Python deps
       if: ${{ contains(inputs.dependencies, 'python') }}
       shell: bash
+      working-directory: ${{ inputs.working-directory }}
       run: uv sync --all-extras --dev --frozen
+    - name: Setup rust (stable)
+      if: ${{ contains(inputs.dependencies, 'rust') && !contains(inputs.dependencies, 'rust-nightly') }}
+      uses: actions-rust-lang/setup-rust-toolchain@150fca883cd4034361b621bd4e6a9d34e5143606 # v1
+      with:
+        rustflags: ""
+    - name: Setup rust (nightly)
+      if: ${{ contains(inputs.dependencies, 'rust-nightly') }}
+      uses: actions-rust-lang/setup-rust-toolchain@150fca883cd4034361b621bd4e6a9d34e5143606 # v1
+      with:
+        toolchain: nightly
+        components: rustfmt
+        rustflags: ""
+    - name: Setup rust dependencies
+      if: ${{ contains(inputs.dependencies, 'rust') }}
+      uses: taiki-e/install-action@80e6af7a2ec7f280fffe2d0a9d3a12a9d11d86e9 # v2
+      with:
+        tool: cargo-deny cargo-machete cargo-llvm-cov nextest
     - name: Setup node (web)
       if: ${{ contains(inputs.dependencies, 'node') }}
       uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v4
       with:
-        node-version-file: web/package.json
+        node-version-file: "${{ inputs.working-directory }}web/package.json"
         cache: "npm"
-        cache-dependency-path: web/package-lock.json
+        cache-dependency-path: "${{ inputs.working-directory }}web/package-lock.json"
         registry-url: "https://registry.npmjs.org"
     - name: Setup node (root)
       if: ${{ contains(inputs.dependencies, 'node') }}
       uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v4
       with:
-        node-version-file: package.json
+        node-version-file: "${{ inputs.working-directory }}package.json"
         cache: "npm"
-        cache-dependency-path: package-lock.json
+        cache-dependency-path: "${{ inputs.working-directory }}package-lock.json"
         registry-url: "https://registry.npmjs.org"
     - name: Install Node deps
       if: ${{ contains(inputs.dependencies, 'node') }}
       shell: bash
+      working-directory: ${{ inputs.working-directory }}
       run: npm ci
     - name: Setup go
       if: ${{ contains(inputs.dependencies, 'go') }}
-      uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v5
+      uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v5
       with:
-        go-version-file: "go.mod"
+        go-version-file: "${{ inputs.working-directory }}go.mod"
     - name: Setup docker cache
       if: ${{ contains(inputs.dependencies, 'runtime') }}
       uses: AndreKurait/docker-cache@0fe76702a40db986d9663c24954fc14c6a6031b7
@@ -67,6 +101,7 @@ runs:
     - name: Setup dependencies
       if: ${{ contains(inputs.dependencies, 'runtime') }}
       shell: bash
+      working-directory: ${{ inputs.working-directory }}
       run: |
         export PSQL_TAG=${{ inputs.postgresql_version }}
         docker compose -f .github/actions/setup/compose.yml up -d
@@ -74,6 +109,7 @@ runs:
     - name: Generate config
       if: ${{ contains(inputs.dependencies, 'python') }}
       shell: uv run python {0}
+      working-directory: ${{ inputs.working-directory }}
       run: |
         from authentik.lib.generators import generate_id
         from yaml import safe_dump

.github/actions/test-results/action.yml

@@ -2,18 +2,22 @@ name: "Process test results"
 description: Convert test results to JUnit, add them to GitHub Actions and codecov
 
 inputs:
+  files:
+    description: Comma-separated explicit list of files to upload
   flags:
     description: Codecov flags
 
 runs:
   using: "composite"
   steps:
-    - uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5
+    - uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v5
       with:
+        files: ${{ inputs.files }}
         flags: ${{ inputs.flags }}
         use_oidc: true
-    - uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5
+    - uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v5
       with:
+        files: ${{ inputs.files }}
         flags: ${{ inputs.flags }}
         use_oidc: true
         report_type: test_results

.github/codecov.yml

@@ -8,3 +8,6 @@ coverage:
         threshold: 1%
 comment:
   after_n_builds: 3
+ignore:
+  - packages/client-rust
+  - packages/client-ts

.github/dependabot.yml

@@ -20,6 +20,8 @@ updates:
       prefix: "ci:"
     labels:
       - dependencies
+    cooldown:
+      default-days: 3
 
   #endregion
 
@@ -35,11 +37,36 @@ updates:
       prefix: "core:"
     labels:
       - dependencies
+    cooldown:
+      default-days: 7
+      semver-major-days: 14
+      semver-patch-days: 3
+      exclude:
+        - "golang.org/x/crypto"
+        - "golang.org/x/net"
+        - "github.com/golang-jwt/jwt/*"
+        - "github.com/coreos/go-oidc/*"
+        - "github.com/go-ldap/ldap/*"
 
   #endregion
 
   #region Rust
 
+  - package-ecosystem: cargo
+    directory: "/"
+    schedule:
+      interval: daily
+      time: "04:00"
+    open-pull-requests-limit: 10
+    commit-message:
+      prefix: "core:"
+    labels:
+      - dependencies
+    cooldown:
+      default-days: 7
+      semver-major-days: 14
+      semver-patch-days: 3
+
   - package-ecosystem: rust-toolchain
     directory: "/"
     schedule:
@@ -50,6 +77,8 @@ updates:
       prefix: "core:"
     labels:
       - dependencies
+    cooldown:
+      default-days: 3
 
   #endregion
 
@@ -68,6 +97,10 @@ updates:
     open-pull-requests-limit: 10
     commit-message:
       prefix: "web:"
+    cooldown:
+      default-days: 7
+      semver-major-days: 14
+      semver-patch-days: 3
     groups:
       sentry:
         patterns:
@@ -131,6 +164,10 @@ updates:
     open-pull-requests-limit: 10
     commit-message:
       prefix: "core, web:"
+    cooldown:
+      default-days: 7
+      semver-major-days: 14
+      semver-patch-days: 3
     groups:
       sentry:
         patterns:
@@ -189,6 +226,10 @@ updates:
       prefix: "website:"
     labels:
       - dependencies
+    cooldown:
+      default-days: 7
+      semver-major-days: 14
+      semver-patch-days: 3
     groups:
       docusaurus:
         patterns:
@@ -227,6 +268,10 @@ updates:
       prefix: "lifecycle/aws:"
     labels:
       - dependencies
+    cooldown:
+      default-days: 7
+      semver-major-days: 14
+      semver-patch-days: 3
 
   #endregion
 
@@ -242,6 +287,18 @@ updates:
       prefix: "core:"
     labels:
       - dependencies
+    cooldown:
+      default-days: 7
+      semver-major-days: 14
+      semver-patch-days: 3
+      exclude:
+        - "django"
+        - "cryptography"
+        - "pyjwt"
+        - "xmlsec"
+        - "lxml"
+        - "psycopg"
+        - "pyopenssl"
 
   #endregion
 
@@ -259,10 +316,14 @@ updates:
       prefix: "core:"
     labels:
       - dependencies
+    cooldown:
+      default-days: 3
   - package-ecosystem: docker-compose
     directories:
+      - /packages/client-go
+      - /packages/client-rust
+      - /packages/client-ts
       # - /scripts # Maybe
-      - /scripts/api
       - /tests/e2e
     schedule:
       interval: daily
@@ -272,5 +333,7 @@ updates:
       prefix: "core:"
     labels:
       - dependencies
+    cooldown:
+      default-days: 3
 
   #endregion

.github/pull_request_template.md

@@ -26,7 +26,7 @@ REPLACE ME
 
 If an API change has been made
 
--   [ ] The API schema has been updated (`make gen-build`)
+-   [ ] The API schema and clients have been updated (`make gen`)
 
 If changes to the frontend have been made
 

.github/workflows/_reusable-docker-build-single.yml

@@ -56,29 +56,17 @@ jobs:
           release: ${{ inputs.release }}
       - name: Login to Docker Hub
         if: ${{ inputs.registry_dockerhub }}
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
         with:
           username: ${{ secrets.DOCKER_CORP_USERNAME }}
           password: ${{ secrets.DOCKER_CORP_PASSWORD }}
       - name: Login to GitHub Container Registry
         if: ${{ inputs.registry_ghcr }}
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
-      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v5
-        with:
-          node-version-file: web/package.json
-          cache: "npm"
-          cache-dependency-path: web/package-lock.json
-      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
-        with:
-          go-version-file: "go.mod"
-      - name: Generate API Clients
-        run: |
-          make gen-client-ts
-          make gen-client-go
       - name: Build Docker Image
         uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
         id: push

.github/workflows/_reusable-docker-build.yml

@@ -79,18 +79,18 @@ jobs:
           image-name: ${{ inputs.image_name }}
       - name: Login to Docker Hub
         if: ${{ inputs.registry_dockerhub }}
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
         with:
           username: ${{ secrets.DOCKER_CORP_USERNAME }}
           password: ${{ secrets.DOCKER_CORP_PASSWORD }}
       - name: Login to GitHub Container Registry
         if: ${{ inputs.registry_ghcr }}
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
-      - uses: int128/docker-manifest-create-action@8aac06098a12365ccdf99372dcfb453ccce8a0b0 # v2
+      - uses: int128/docker-manifest-create-action@44422a4b046d55dc036df622039ed3aec43c613c # v2
         id: build
         with:
           tags: ${{ matrix.tag }}

.github/workflows/api-ts-publish.yml

@@ -1,66 +0,0 @@
----
-name: API - Publish Typescript client
-
-on:
-  push:
-    branches: [main]
-    paths:
-      - "schema.yml"
-  workflow_dispatch:
-
-permissions:
-  # Required for NPM OIDC trusted publisher
-  id-token: write
-  contents: read
-
-jobs:
-  build:
-    runs-on: ubuntu-latest
-    steps:
-      - id: generate_token
-        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
-        with:
-          app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-        with:
-          token: ${{ steps.generate_token.outputs.token }}
-      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v5
-        with:
-          node-version-file: web/package.json
-          registry-url: "https://registry.npmjs.org"
-      - name: Generate API Client
-        run: make gen-client-ts
-      - name: Publish package
-        working-directory: gen-ts-api/
-        run: |
-          npm i
-          npm publish --tag generated
-      - name: Upgrade /web
-        working-directory: web
-        run: |
-          export VERSION=`node -e 'console.log(require("../gen-ts-api/package.json").version)'`
-          npm i @goauthentik/api@$VERSION
-      - name: Upgrade /web/packages/sfe
-        working-directory: web/packages/sfe
-        run: |
-          export VERSION=`node -e 'console.log(require("../gen-ts-api/package.json").version)'`
-          npm i @goauthentik/api@$VERSION
-      - uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
-        id: cpr
-        with:
-          token: ${{ steps.generate_token.outputs.token }}
-          branch: update-web-api-client
-          commit-message: "web: bump API Client version"
-          title: "web: bump API Client version"
-          body: "web: bump API Client version"
-          delete-branch: true
-          signoff: true
-          # ID from https://api.github.com/users/authentik-automation[bot]
-          author: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
-          labels: dependencies
-      - uses: peter-evans/enable-pull-request-automerge@a660677d5469627102a1c1e11409dd063606628d # v3
-        with:
-          token: ${{ steps.generate_token.outputs.token }}
-          pull-request-number: ${{ steps.cpr.outputs.pull-request-number }}
-          merge-method: squash

.github/workflows/ci-api-docs.yml

@@ -41,7 +41,7 @@ jobs:
       - working-directory: website/
         name: Install Dependencies
         run: npm ci
-      - uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v4
+      - uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v4
         with:
           path: |
             ${{ github.workspace }}/website/api/.docusaurus
@@ -67,7 +67,7 @@ jobs:
       - build
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v5
+      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v5
         with:
           name: api-docs
           path: website/api/build

.github/workflows/ci-docs.yml

@@ -89,7 +89,7 @@ jobs:
           image-name: ghcr.io/goauthentik/dev-docs
       - name: Login to Container Registry
         if: ${{ steps.ev.outputs.shouldPush == 'true' }}
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}

.github/workflows/ci-main-daily.yml

@@ -20,13 +20,19 @@ jobs:
         version:
           - docs
           - version-2025-12
-          - version-2025-10
+          - version-2026-2
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
       - run: |
+          set -euo pipefail
           current="$(pwd)"
           dir="/tmp/authentik/${{ matrix.version }}"
+          # 2025.12 still serves the legacy docker-compose filename; newer sites use compose.yml.
+          compose_path="compose.yml"
+          if [ "${{ matrix.version }}" = "version-2025-12" ]; then
+            compose_path="docker-compose.yml"
+          fi
           mkdir -p "${dir}/lifecycle/container"
           cd "${dir}"
-          wget "https://${{ matrix.version }}.goauthentik.io/docker-compose.yml" -O "${dir}/lifecycle/container/compose.yml"
+          wget "https://${{ matrix.version }}.goauthentik.io/${compose_path}" -O "${dir}/lifecycle/container/compose.yml"
           "${current}/scripts/test_docker.sh"

.github/workflows/ci-main.yml

@@ -28,30 +28,52 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        job:
-          - bandit
-          - black
-          - spellcheck
-          - pending-migrations
-          - ruff
-          - mypy
+        include:
+          - job: bandit
+            deps: python
+          - job: black
+            deps: python
+          - job: spellcheck
+            deps: node
+          - job: pending-migrations
+            deps: python,runtime
+          - job: ruff
+            deps: python
+          - job: mypy
+            deps: python
+          - job: cargo-deny
+            deps: rust
+          - job: cargo-machete
+            deps: rust
+          - job: clippy
+            deps: rust
+          - job: rustfmt
+            deps: rust-nightly
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
       - name: Setup authentik env
         uses: ./.github/actions/setup
+        with:
+          dependencies: ${{ matrix.deps }}
       - name: run job
-        run: uv run make ci-${{ matrix.job }}
-  test-gen-build:
+        run: make ci-lint-${{ matrix.job }}
+  test-gen:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
       - name: Setup authentik env
         uses: ./.github/actions/setup
+        with:
+          dependencies: "system,python,go,node,runtime,rust-nightly"
       - name: generate schema
         run: make migrate gen-build
+      - name: generate API clients
+        run: make gen-clients
       - name: ensure schema is up-to-date
-        run: git diff --exit-code -- schema.yml blueprints/schema.json
+        run: git diff --exit-code -- schema.yml blueprints/schema.json packages/client-go packages/client-rust packages/client-ts
   test-migrations:
     runs-on: ubuntu-latest
     steps:
@@ -174,6 +196,7 @@ jobs:
       - name: run integration
         run: |
           uv run coverage run manage.py test tests/integration
+          uv run coverage combine
           uv run coverage xml
       - uses: ./.github/actions/test-results
         if: ${{ always() }}
@@ -189,47 +212,60 @@ jobs:
         job:
           - name: proxy
             glob: tests/e2e/test_provider_proxy*
+            profiles: selenium
           - name: oauth
             glob: tests/e2e/test_provider_oauth2* tests/e2e/test_source_oauth*
+            profiles: selenium
           - name: oauth-oidc
             glob: tests/e2e/test_provider_oidc*
+            profiles: selenium
           - name: saml
             glob: tests/e2e/test_provider_saml* tests/e2e/test_source_saml*
+            profiles: selenium
           - name: ldap
             glob: tests/e2e/test_provider_ldap* tests/e2e/test_source_ldap*
+          - name: rac
+            glob: tests/e2e/test_provider_rac*
+            profiles: selenium
           - name: ws-fed
             glob: tests/e2e/test_provider_ws_fed*
+            profiles: selenium
           - name: radius
             glob: tests/e2e/test_provider_radius*
           - name: scim
             glob: tests/e2e/test_source_scim*
           - name: flows
             glob: tests/e2e/test_flows*
+            profiles: selenium
           - name: endpoints
             glob: tests/e2e/test_endpoints_*
+            profiles: selenium
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
       - name: Setup authentik env
         uses: ./.github/actions/setup
-      - name: Setup e2e env (chrome, etc)
+      - name: Setup e2e env
+        env:
+          COMPOSE_PROFILES: ${{ matrix.job.profiles }}
         run: |
           docker compose -f tests/e2e/compose.yml up -d --quiet-pull
       - id: cache-web
-        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v4
+        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v4
+        if: contains(matrix.job.profiles, 'selenium')
         with:
           path: web/dist
           key: ${{ runner.os }}-web-${{ hashFiles('web/package-lock.json', 'package-lock.json', 'web/src/**', 'web/packages/sfe/src/**') }}-b
       - name: prepare web ui
-        if: steps.cache-web.outputs.cache-hit != 'true'
+        if: steps.cache-web.outputs.cache-hit != 'true' && contains(matrix.job.profiles, 'selenium')
         working-directory: web
         run: |
           npm ci
-          make -C .. gen-client-ts
           npm run build
           npm run build:sfe
       - name: run e2e
         run: |
           uv run coverage run manage.py test ${{ matrix.job.glob }}
+          uv run coverage combine
           uv run coverage xml
       - uses: ./.github/actions/test-results
         if: ${{ always() }}
@@ -252,13 +288,15 @@ jobs:
       - name: Setup authentik env
         uses: ./.github/actions/setup
       - name: Setup e2e env (chrome, etc)
+        env:
+          COMPOSE_PROFILES: selenium
         run: |
           docker compose -f tests/e2e/compose.yml up -d --quiet-pull
       - name: Setup conformance suite
         run: |
           docker compose -f tests/openid_conformance/compose.yml up -d --quiet-pull
       - id: cache-web
-        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v4
+        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v4
         with:
           path: web/dist
           key: ${{ runner.os }}-web-${{ hashFiles('web/package-lock.json', 'web/src/**', 'web/packages/sfe/src/**') }}-b
@@ -267,12 +305,12 @@ jobs:
         working-directory: web
         run: |
           npm ci
-          make -C .. gen-client-ts
           npm run build
           npm run build:sfe
       - name: run conformance
         run: |
           uv run coverage run manage.py test ${{ matrix.job.glob }}
+          uv run coverage combine
           uv run coverage xml
       - uses: ./.github/actions/test-results
         if: ${{ always() }}
@@ -283,11 +321,34 @@ jobs:
         with:
           name: conformance-certification-${{ matrix.job.name }}
           path: tests/openid_conformance/exports/
+  test-rust:
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
+      - name: Setup authentik env
+        uses: ./.github/actions/setup
+        with:
+          dependencies: rust,runtime
+      - name: run tests
+        run: |
+          cargo llvm-cov --no-report nextest --workspace
+          cargo llvm-cov report --codecov --output-path target/llvm-cov-target/rust.json
+      - uses: ./.github/actions/test-results
+        if: ${{ always() }}
+        with:
+          files: target/llvm-cov-target/rust.json
+          flags: rust
+      - if: ${{ !cancelled() }}
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        with:
+          name: test-rust
+          path: target/llvm-cov-target/rust.json
   ci-core-mark:
     if: always()
     needs:
       - lint
-      - test-gen-build
+      - test-gen
       - test-migrations
       - test-migrations-from-stable
       - test-unittest

.github/workflows/ci-outpost.yml

@@ -22,7 +22,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
+      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
         with:
           go-version-file: "go.mod"
       - name: Prepare and generate API
@@ -31,8 +31,6 @@ jobs:
           mkdir -p web/dist
           mkdir -p website/help
           touch web/dist/test website/help/test
-      - name: Generate API
-        run: make gen-client-go
       - name: golangci-lint
         uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v8
         with:
@@ -43,13 +41,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
+      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
         with:
           go-version-file: "go.mod"
       - name: Setup authentik env
         uses: ./.github/actions/setup
-      - name: Generate API
-        run: make gen-client-go
       - name: prepare database
         run: |
           uv run make migrate
@@ -102,13 +98,11 @@ jobs:
           image-name: ghcr.io/goauthentik/dev-${{ matrix.type }}
       - name: Login to Container Registry
         if: ${{ steps.ev.outputs.shouldPush == 'true' }}
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Generate API
-        run: make gen-client-go
       - name: Build Docker Image
         id: push
         uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
@@ -148,7 +142,7 @@ jobs:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
         with:
           ref: ${{ github.event.pull_request.head.sha }}
-      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
+      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
         with:
           go-version-file: "go.mod"
       - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v5
@@ -156,8 +150,6 @@ jobs:
           node-version-file: web/package.json
           cache: "npm"
           cache-dependency-path: web/package-lock.json
-      - name: Generate API
-        run: make gen-client-go
       - name: Build web
         working-directory: web/
         run: |

.github/workflows/ci-web.yml

@@ -40,8 +40,6 @@ jobs:
       - working-directory: ${{ matrix.project }}/
         run: |
           npm ci
-      - name: Generate API
-        run: make gen-client-ts
       - name: Lint
         working-directory: ${{ matrix.project }}/
         run: npm run ${{ matrix.command }}
@@ -56,8 +54,6 @@ jobs:
           cache-dependency-path: web/package-lock.json
       - working-directory: web/
         run: npm ci
-      - name: Generate API
-        run: make gen-client-ts
       - name: build
         working-directory: web/
         run: npm run build
@@ -84,8 +80,6 @@ jobs:
           cache-dependency-path: web/package-lock.json
       - working-directory: web/
         run: npm ci
-      - name: Generate API
-        run: make gen-client-ts
       - name: test
         working-directory: web/
         run: npm run test || exit 0

.github/workflows/gen-image-compress.yml

@@ -29,16 +29,16 @@ jobs:
        github.event.pull_request.head.repo.full_name == github.repository)
     steps:
       - id: generate_token
-        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
+        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v2
         with:
           app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+          private-key: ${{ secrets.GH_APP_PRIV_KEY }}
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
         with:
           token: ${{ steps.generate_token.outputs.token }}
       - name: Compress images
         id: compress
-        uses: calibreapp/image-actions@d9c8ee5c3dc52ae4622c82ead88d658f4b16b65f # main
+        uses: calibreapp/image-actions@03c976c29803442fc4040a9de5509669e7759b81 # main
         with:
           GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
           compressOnly: ${{ github.event_name != 'pull_request' }}

.github/workflows/gen-update-webauthn-mds.yml

@@ -16,10 +16,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - id: generate_token
-        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
+        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v2
         with:
           app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+          private-key: ${{ secrets.GH_APP_PRIV_KEY }}
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
         with:
           token: ${{ steps.generate_token.outputs.token }}

.github/workflows/gh-cherry-pick.yml

@@ -10,11 +10,11 @@ jobs:
     steps:
       - id: app-token
         name: Generate app token
-        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
+        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v2
         if: ${{ env.GH_APP_ID != '' }}
         with:
           app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+          private-key: ${{ secrets.GH_APP_PRIV_KEY }}
         env:
           GH_APP_ID: ${{ secrets.GH_APP_ID }}
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5

.github/workflows/gh-ghcr-retention.yml

@@ -16,10 +16,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - id: generate_token
-        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
+        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v2
         with:
           app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+          private-key: ${{ secrets.GH_APP_PRIV_KEY }}
       - name: Delete 'dev' containers older than a week
         uses: snok/container-retention-policy@3b0972b2276b171b212f8c4efbca59ebba26eceb # v3.0.1
         with:

.github/workflows/release-branch-off.yml

@@ -29,10 +29,10 @@ jobs:
     steps:
       - id: app-token
         name: Generate app token
-        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
+        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v2
         with:
           app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+          private-key: ${{ secrets.GH_APP_PRIV_KEY }}
       - name: Checkout main
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
         with:
@@ -57,10 +57,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - id: generate_token
-        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
+        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v2
         with:
           app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+          private-key: ${{ secrets.GH_APP_PRIV_KEY }}
       - name: Checkout main
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
         with:

.github/workflows/release-publish.yml

@@ -44,7 +44,7 @@ jobs:
         with:
           image-name: ghcr.io/goauthentik/docs
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
@@ -84,7 +84,7 @@ jobs:
           - rac
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
+      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
         with:
           go-version-file: "go.mod"
       - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v5
@@ -103,17 +103,13 @@ jobs:
           DOCKER_USERNAME: ${{ secrets.DOCKER_CORP_USERNAME }}
         with:
           image-name: ghcr.io/goauthentik/${{ matrix.type }},authentik/${{ matrix.type }}
-      - name: Generate API Clients
-        run: |
-          make gen-client-ts
-          make gen-client-go
       - name: Docker Login Registry
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
         with:
           username: ${{ secrets.DOCKER_CORP_USERNAME }}
           password: ${{ secrets.DOCKER_CORP_PASSWORD }}
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
@@ -152,7 +148,7 @@ jobs:
         goarch: [amd64, arm64]
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
+      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
         with:
           go-version-file: "go.mod"
       - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v5
@@ -164,10 +160,6 @@ jobs:
         working-directory: web/
         run: |
           npm ci
-      - name: Generate API Clients
-        run: |
-          make gen-client-ts
-          make gen-client-go
       - name: Build web
         working-directory: web/
         run: |
@@ -180,7 +172,7 @@ jobs:
           export CGO_ENABLED=0
           go build -tags=outpost_static_embed -v -o ./authentik-outpost-${{ matrix.type }}_${{ matrix.goos }}_${{ matrix.goarch }} ./cmd/${{ matrix.type }}
       - name: Upload binaries to release
-        uses: svenstaro/upload-release-action@b98a3b12e86552593f3e4e577ca8a62aa2f3f22b # v2
+        uses: svenstaro/upload-release-action@29e53e917877a24fad85510ded594ab3c9ca12de # v2
         with:
           repo_token: ${{ secrets.GITHUB_TOKEN }}
           file: ./authentik-outpost-${{ matrix.type }}_${{ matrix.goos }}_${{ matrix.goarch }}
@@ -199,7 +191,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7 # v6.0.0
+      - uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6.1.0
         with:
           role-to-assume: "arn:aws:iam::016170277896:role/github_goauthentik_authentik"
           aws-region: ${{ env.AWS_REGION }}
@@ -244,7 +236,7 @@ jobs:
           container=$(docker container create ${{ steps.ev.outputs.imageMainName }})
           docker cp ${container}:web/ .
       - name: Create a Sentry.io release
-        uses: getsentry/action-release@dab6548b3c03c4717878099e43782cf5be654289 # v3
+        uses: getsentry/action-release@5657c9e888b4e2cc85f4d29143ea4131fde4a73a # v3
         continue-on-error: true
         env:
           SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}

.github/workflows/release-tag.yml

@@ -67,10 +67,10 @@ jobs:
     steps:
       - id: app-token
         name: Generate app token
-        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
+        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v2
         with:
           app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+          private-key: ${{ secrets.GH_APP_PRIV_KEY }}
       - id: get-user-id
         name: Get GitHub app user ID
         run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
@@ -96,7 +96,7 @@ jobs:
           git tag "version/${{ inputs.version }}" HEAD -m "version/${{ inputs.version }}"
           git push --follow-tags
       - name: Create Release
-        uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
+        uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2.6.1
         with:
           token: "${{ steps.app-token.outputs.token }}"
           tag_name: "version/${{ inputs.version }}"
@@ -115,10 +115,10 @@ jobs:
     steps:
       - id: app-token
         name: Generate app token
-        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
+        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v2
         with:
           app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+          private-key: ${{ secrets.GH_APP_PRIV_KEY }}
           repositories: helm
       - id: get-user-id
         name: Get GitHub app user ID
@@ -157,10 +157,10 @@ jobs:
     steps:
       - id: app-token
         name: Generate app token
-        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
+        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v2
         with:
           app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+          private-key: ${{ secrets.GH_APP_PRIV_KEY }}
           repositories: version
       - id: get-user-id
         name: Get GitHub app user ID

.github/workflows/repo-stale.yml

@@ -15,10 +15,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - id: generate_token
-        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
+        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v2
         with:
           app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+          private-key: ${{ secrets.GH_APP_PRIV_KEY }}
       - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10
         with:
           repo-token: ${{ steps.generate_token.outputs.token }}

.github/workflows/translation-extract-compile.yml

@@ -21,10 +21,10 @@ jobs:
     steps:
       - id: generate_token
         if: ${{ github.event_name != 'pull_request' }}
-        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
+        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v2
         with:
           app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+          private-key: ${{ secrets.GH_APP_PRIV_KEY }}
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
         if: ${{ github.event_name != 'pull_request' }}
         with:
@@ -33,8 +33,6 @@ jobs:
         if: ${{ github.event_name == 'pull_request' }}
       - name: Setup authentik env
         uses: ./.github/actions/setup
-      - name: Generate API
-        run: make gen-client-ts
       - name: run extract
         run: |
           uv run make i18n-extract

.gitignore

@@ -195,6 +195,24 @@ pyvenv.cfg
 pip-selfcheck.json
 
 # End of https://www.gitignore.io/api/python,django
+
+# Created by https://www.toptal.com/developers/gitignore/api/rust
+# Edit at https://www.toptal.com/developers/gitignore?templates=rust
+
+### Rust ###
+# Generated by Cargo
+# will have compiled files and executables
+debug/
+target/
+
+# These are backup files generated by rustfmt
+**/*.rs.bk
+
+# MSVC Windows builds of rustc generate these, which store debugging information
+*.pdb
+
+# End of https://www.toptal.com/developers/gitignore/api/rust
+
 /static/
 local.env.yml
 
@@ -202,7 +220,6 @@ media/
 *mmdb
 
 .idea/
-/gen-*/
 data/
 
 # Local Netlify folder

.prettierignore

@@ -1,6 +1,7 @@
 # Prettier Ignorefile
 
 ## Static Files
+CODEOWNERS
 **/LICENSE
 
 authentik/stages/**/*

.vscode/extensions.json

@@ -17,6 +17,6 @@
         "ms-python.vscode-pylance",
         "redhat.vscode-yaml",
         "Tobermory.es6-string-html",
-        "unifiedjs.vscode-mdx",
+        "unifiedjs.vscode-mdx"
     ]
 }

.vscode/settings.json

@@ -38,10 +38,10 @@
         "!AtIndex scalar",
         "!ParseJSON scalar"
     ],
-    "typescript.preferences.importModuleSpecifier": "non-relative",
-    "typescript.preferences.importModuleSpecifierEnding": "index",
-    "typescript.tsdk": "./node_modules/typescript/lib",
-    "typescript.enablePromptUseWorkspaceTsdk": true,
+    "js/ts.preferences.importModuleSpecifier": "non-relative",
+    "js/ts.preferences.importModuleSpecifierEnding": "index",
+    "js/ts.tsdk.path": "./node_modules/typescript/lib",
+    "js/ts.tsdk.promptToUseWorkspaceVersion": true,
     "yaml.schemas": {
         "./blueprints/schema.json": "blueprints/**/*.yaml"
     },
@@ -57,5 +57,13 @@
     "go.testEnvVars": {
         "WORKSPACE_DIR": "${workspaceFolder}"
     },
-    "github-actions.workflows.pinned.workflows": [".github/workflows/ci-main.yml"]
+    "github-actions.workflows.pinned.workflows": [".github/workflows/ci-main.yml"],
+    "search.exclude": {
+        "**/*.code-search": true,
+        "**/bower_components": true,
+        "**/node_modules": true,
+        "**/playwright-report/**": true,
+        "**/website/**/build": true,
+        "**/client-*": true
+    }
 }

CODEOWNERS

@@ -3,6 +3,7 @@
 # Backend
 authentik/                              @goauthentik/backend
 blueprints/                             @goauthentik/backend
+src/                                    @goauthentik/backend
 cmd/                                    @goauthentik/backend
 internal/                               @goauthentik/backend
 lifecycle/                              @goauthentik/backend
@@ -11,8 +12,12 @@ scripts/                                @goauthentik/backend
 tests/                                  @goauthentik/backend
 pyproject.toml                          @goauthentik/backend
 uv.lock                                 @goauthentik/backend
+Cargo.toml                              @goauthentik/backend
+Cargo.lock                              @goauthentik/backend
 go.mod                                  @goauthentik/backend
 go.sum                                  @goauthentik/backend
+.cargo/                                 @goauthentik/backend
+rust-toolchain.toml                     @goauthentik/backend
 # Infrastructure
 .github/                                @goauthentik/infrastructure
 lifecycle/aws/                          @goauthentik/infrastructure
@@ -22,14 +27,18 @@ Makefile                                @goauthentik/infrastructure
 .editorconfig                           @goauthentik/infrastructure
 CODEOWNERS                              @goauthentik/infrastructure
 # Backend packages
+packages/ak-*                           @goauthentik/backend
+packages/client-rust                    @goauthentik/backend
 packages/django-channels-postgres       @goauthentik/backend
 packages/django-postgres-cache          @goauthentik/backend
 packages/django-dramatiq-postgres       @goauthentik/backend
 # Web packages
+tsconfig.json                           @goauthentik/frontend
 package.json                            @goauthentik/frontend
 package-lock.json                       @goauthentik/frontend
 packages/package.json                   @goauthentik/frontend
 packages/package-lock.json              @goauthentik/frontend
+packages/client-ts                      @goauthentik/frontend
 packages/docusaurus-config              @goauthentik/frontend
 packages/esbuild-plugin-live-reload     @goauthentik/frontend
 packages/eslint-config                  @goauthentik/frontend

Cargo.toml

@@ -0,0 +1,229 @@
+[workspace]
+members = [
+  "packages/ak-axum",
+  "packages/ak-common",
+  "packages/client-rust",
+  "website/scripts/docsmg",
+]
+resolver = "3"
+
+[workspace.package]
+version = "2026.5.0-rc1"
+authors = ["authentik Team <hello@goauthentik.io>"]
+description = "Making authentication simple."
+edition = "2024"
+readme = "README.md"
+homepage = "https://goauthentik.io"
+repository = "https://github.com/goauthentik/authentik.git"
+license-file = "LICENSE"
+publish = false
+
+[workspace.dependencies]
+arc-swap = "= 1.9.1"
+axum-server = { version = "= 0.8.0", features = ["tls-rustls-no-provider"] }
+aws-lc-rs = { version = "= 1.16.2", features = ["fips"] }
+axum = { version = "= 0.8.8", features = ["http2", "macros", "ws"] }
+clap = { version = "= 4.6.0", features = ["derive", "env"] }
+client-ip = { version = "0.2.1", features = ["forwarded-header"] }
+colored = "= 3.1.1"
+config-rs = { package = "config", version = "= 0.15.22", default-features = false, features = [
+  "json",
+  "yaml",
+] }
+console-subscriber = "= 0.5.0"
+dotenvy = "= 0.15.7"
+durstr = "= 0.5.1"
+eyre = "= 0.6.12"
+forwarded-header-value = "= 0.1.1"
+futures = "= 0.3.32"
+glob = "= 0.3.3"
+ipnet = { version = "= 2.12.0", features = ["serde"] }
+json-subscriber = "= 0.2.8"
+nix = { version = "= 0.31.2", features = ["signal"] }
+notify = "= 8.2.0"
+pin-project-lite = "= 0.2.17"
+regex = "= 1.12.3"
+reqwest = { version = "= 0.13.2", features = [
+  "form",
+  "json",
+  "multipart",
+  "query",
+  "rustls",
+  "stream",
+] }
+reqwest-middleware = { version = "= 0.5.1", features = [
+  "form",
+  "json",
+  "multipart",
+  "query",
+  "rustls",
+] }
+rustls = { version = "= 0.23.37", features = ["fips"] }
+sentry = { version = "= 0.47.0", default-features = false, features = [
+  "backtrace",
+  "contexts",
+  "debug-images",
+  "panic",
+  "rustls",
+  "reqwest",
+  "tower",
+  "tracing",
+] }
+serde = { version = "= 1.0.228", features = ["derive"] }
+serde_json = "= 1.0.149"
+serde_repr = "= 0.1.20"
+serde_with = { version = "= 3.18.0", default-features = false, features = [
+  "base64",
+] }
+sqlx = { version = "= 0.8.6", default-features = false, features = [
+  "runtime-tokio",
+  "tls-rustls-aws-lc-rs",
+  "postgres",
+  "derive",
+  "macros",
+  "uuid",
+  "chrono",
+  "ipnet",
+  "json",
+] }
+tempfile = "= 3.27.0"
+thiserror = "= 2.0.18"
+time = { version = "= 0.3.47", features = ["macros"] }
+tokio = { version = "= 1.51.1", features = ["full", "tracing"] }
+tokio-rustls = "= 0.26.4"
+tokio-util = { version = "= 0.7.18", features = ["full"] }
+tower = "= 0.5.3"
+tower-http = { version = "= 0.6.8", features = ["timeout"] }
+tracing = "= 0.1.44"
+tracing-error = "= 0.2.1"
+tracing-subscriber = { version = "= 0.3.23", features = [
+  "env-filter",
+  "json",
+  "local-time",
+  "tracing-log",
+] }
+url = "= 2.5.8"
+uuid = { version = "= 1.23.0", features = ["serde", "v4"] }
+
+ak-common = { package = "authentik-common", version = "2026.5.0-rc1", path = "./packages/ak-common", default-features = false }
+
+[profile.dev.package.backtrace]
+opt-level = 3
+
+[profile.release]
+lto = true
+debug = 2
+
+[workspace.lints.rust]
+ambiguous_negative_literals = "warn"
+closure_returning_async_block = "warn"
+macro_use_extern_crate = "deny"
+# must_not_suspend = "deny", unstable see https://github.com/rust-lang/rust/issues/83310
+non_ascii_idents = "deny"
+redundant_imports = "warn"
+semicolon_in_expressions_from_macros = "warn"
+trivial_casts = "warn"
+trivial_numeric_casts = "warn"
+unit_bindings = "warn"
+unreachable_pub = "warn"
+unsafe_code = "deny"
+unused_extern_crates = "warn"
+unused_import_braces = "warn"
+unused_lifetimes = "warn"
+unused_macro_rules = "warn"
+unused_qualifications = "warn"
+
+[workspace.lints.rustdoc]
+unescaped_backticks = "warn"
+
+[workspace.lints.clippy]
+### enable all lints
+cargo = { priority = -1, level = "warn" }
+complexity = { priority = -1, level = "warn" }
+correctness = { priority = -1, level = "warn" }
+nursery = { priority = -1, level = "warn" }
+pedantic = { priority = -1, level = "warn" }
+perf = { priority = -1, level = "warn" }
+# Those are too restrictive and disabled by default, however we enable some below
+# restriction = { priority = -1, level = "warn" }
+style = { priority = -1, level = "warn" }
+suspicious = { priority = -1, level = "warn" }
+### and disable the ones we don't want
+### cargo group
+multiple_crate_versions = "allow"
+### pedantic group
+missing_errors_doc = "allow"
+missing_panics_doc = "allow"
+must_use_candidate = "allow"
+redundant_closure_for_method_calls = "allow"
+struct_field_names = "allow"
+too_many_lines = "allow"
+### nursery
+missing_const_for_fn = "allow"
+option_if_let_else = "allow"
+redundant_pub_crate = "allow"
+significant_drop_tightening = "allow"
+### restriction group
+allow_attributes = "warn"
+allow_attributes_without_reason = "warn"
+as_conversions = "warn"
+as_pointer_underscore = "warn"
+as_underscore = "warn"
+assertions_on_result_states = "warn"
+clone_on_ref_ptr = "warn"
+create_dir = "warn"
+dbg_macro = "warn"
+default_numeric_fallback = "warn"
+disallowed_script_idents = "warn"
+empty_drop = "warn"
+empty_enum_variants_with_brackets = "warn"
+empty_structs_with_brackets = "warn"
+error_impl_error = "warn"
+exit = "warn"
+filetype_is_file = "warn"
+float_cmp_const = "warn"
+fn_to_numeric_cast_any = "warn"
+get_unwrap = "warn"
+if_then_some_else_none = "warn"
+impl_trait_in_params = "warn"
+infinite_loop = "warn"
+lossy_float_literal = "warn"
+map_with_unused_argument_over_ranges = "warn"
+mem_forget = "warn"
+missing_asserts_for_indexing = "warn"
+missing_trait_methods = "warn"
+mixed_read_write_in_expression = "warn"
+mutex_atomic = "warn"
+mutex_integer = "warn"
+needless_raw_strings = "warn"
+non_zero_suggestions = "warn"
+panic_in_result_fn = "warn"
+pathbuf_init_then_push = "warn"
+print_stdout = "warn"
+rc_buffer = "warn"
+redundant_test_prefix = "warn"
+redundant_type_annotations = "warn"
+ref_patterns = "warn"
+renamed_function_params = "warn"
+rest_pat_in_fully_bound_structs = "warn"
+return_and_then = "warn"
+same_name_method = "warn"
+semicolon_inside_block = "warn"
+str_to_string = "warn"
+string_add = "warn"
+suspicious_xor_used_as_pow = "warn"
+tests_outside_test_module = "warn"
+todo = "warn"
+try_err = "warn"
+undocumented_unsafe_blocks = "warn"
+unimplemented = "warn"
+unnecessary_safety_comment = "warn"
+unnecessary_safety_doc = "warn"
+unnecessary_self_imports = "warn"
+unneeded_field_pattern = "warn"
+unseparated_literal_suffix = "warn"
+unused_result_ok = "warn"
+unused_trait_names = "warn"
+unwrap_in_result = "warn"
+unwrap_used = "warn"
+verbose_file_reads = "warn"

Makefile

@@ -15,14 +15,11 @@ else
 	SED_INPLACE = sed -i
 endif
 
-GEN_API_TS = gen-ts-api
-GEN_API_PY = gen-py-api
-GEN_API_GO = gen-go-api
-
 BREW_LDFLAGS :=
 BREW_CPPFLAGS :=
 BREW_PKG_CONFIG_PATH :=
 
+CARGO := cargo
 UV := uv
 
 # For macOS users, add the libxml2 installed from brew libxmlsec1 to the build path
@@ -69,22 +66,29 @@ help:  ## Show this help
 		sort
 	@echo ""
 
-go-test:
+go-test:  ## Run the golang tests
 	go test -timeout 0 -v -race -cover ./...
 
+rust-test:  ## Run the Rust tests
+	$(CARGO) nextest run --workspace
+
 test: ## Run the server tests and produce a coverage report (locally)
 	$(UV) run coverage run manage.py test --keepdb $(or $(filter-out $@,$(MAKECMDGOALS)),authentik)
+	$(UV) run coverage combine
 	$(UV) run coverage html
 	$(UV) run coverage report
 
-lint-fix: lint-spellcheck  ## Lint and automatically fix errors in the python source code. Reports spelling errors.
+lint-fix-rust:
+	$(CARGO) +nightly fmt --all -- --config-path "${PWD}/.cargo/rustfmt.toml"
+
+lint-fix: lint-fix-rust  ## Lint and automatically fix errors in the python source code. Reports spelling errors.
 	$(UV) run black $(PY_SOURCES)
 	$(UV) run ruff check --fix $(PY_SOURCES)
 
 lint-spellcheck:  ## Reports spelling errors.
 	npm run lint:spellcheck
 
-lint: ci-bandit ci-mypy ## Lint the python and golang sources
+lint: ci-lint-bandit ci-lint-mypy ci-lint-cargo-deny ci-lint-cargo-machete  ## Lint the python and golang sources
 	golangci-lint run -v
 
 core-install:
@@ -117,8 +121,7 @@ core-i18n-extract:
 		--no-obsolete \
 		--ignore web \
 		--ignore internal \
-		--ignore ${GEN_API_TS} \
-		--ignore ${GEN_API_GO} \
+		--ignore packages/client-ts \
 		--ignore website \
 		-l en
 
@@ -141,8 +144,14 @@ dev-create-db:
 dev-reset: dev-drop-db dev-create-db migrate  ## Drop and restore the Authentik PostgreSQL instance to a "fresh install" state.
 
 update-test-mmdb:  ## Update test GeoIP and ASN Databases
-	curl -L https://raw.githubusercontent.com/maxmind/MaxMind-DB/refs/heads/main/test-data/GeoLite2-ASN-Test.mmdb -o ${PWD}/tests/GeoLite2-ASN-Test.mmdb
-	curl -L https://raw.githubusercontent.com/maxmind/MaxMind-DB/refs/heads/main/test-data/GeoLite2-City-Test.mmdb -o ${PWD}/tests/GeoLite2-City-Test.mmdb
+	curl \
+		-L \
+		-o ${PWD}/tests/geoip/GeoLite2-ASN-Test.mmdb \
+		https://raw.githubusercontent.com/maxmind/MaxMind-DB/refs/heads/main/test-data/GeoLite2-ASN-Test.mmdb
+	curl \
+		-L \
+		-o ${PWD}/tests/geoip/GeoLite2-City-Test.mmdb \
+		https://raw.githubusercontent.com/maxmind/MaxMind-DB/refs/heads/main/test-data/GeoLite2-City-Test.mmdb
 
 bump:  ## Bump authentik version. Usage: make bump version=20xx.xx.xx
 ifndef version
@@ -151,6 +160,7 @@ endif
 	$(eval current_version := $(shell cat ${PWD}/internal/constants/VERSION))
 	$(SED_INPLACE) 's/^version = ".*"/version = "$(version)"/' ${PWD}/pyproject.toml
 	$(SED_INPLACE) 's/^VERSION = ".*"/VERSION = "$(version)"/' ${PWD}/authentik/__init__.py
+	$(SED_INPLACE) "s/version = \"${current_version}\"/version = \"$(version)\"" ${PWD}/Cargo.toml ${PWD}/Cargo.lock
 	$(MAKE) gen-build gen-compose aws-cfn
 	$(SED_INPLACE) "s/\"${current_version}\"/\"$(version)\"/" ${PWD}/package.json ${PWD}/package-lock.json ${PWD}/web/package.json ${PWD}/web/package-lock.json
 	echo -n $(version) > ${PWD}/internal/constants/VERSION
@@ -184,7 +194,7 @@ gen-changelog:  ## (Release) generate the changelog based from the commits since
 gen-diff:  ## (Release) generate the changelog diff between the current schema and the last version
 	$(eval last_version := $(shell git tag --list 'version/*' --sort 'version:refname' | grep -vE 'rc\d+$$' | tail -1))
 	git show ${last_version}:schema.yml > schema-old.yml
-	docker compose -f scripts/api/compose.yml run --rm --user "${UID}:${GID}" diff \
+	docker compose -f scripts/compose.yml run --rm --user "${UID}:${GID}" diff \
 		--markdown \
 		/local/diff.md \
 		/local/schema-old.yml \
@@ -194,51 +204,26 @@ gen-diff:  ## (Release) generate the changelog diff between the current schema a
 	$(SED_INPLACE) 's/}/}/g' diff.md
 	npx prettier --write diff.md
 
-gen-clean-ts:  ## Remove generated API client for TypeScript
-	rm -rf ${PWD}/${GEN_API_TS}/
-	rm -rf ${PWD}/web/node_modules/@goauthentik/api/
+gen-client-go:  ## Build and install the authentik API for Golang
+	make -C "${PWD}/packages/client-go" build
 
-gen-clean-py:  ## Remove generated API client for Python
-	rm -rf ${PWD}/${GEN_API_PY}
+gen-client-rust:  ## Build and install the authentik API for Rust
+	make -C "${PWD}/packages/client-rust" build version=${NPM_VERSION}
+	make lint-fix-rust
 
-gen-clean-go:  ## Remove generated API client for Go
-	rm -rf ${PWD}/${GEN_API_GO}
+gen-client-ts:  ## Build and install the authentik API for Typescript into the authentik UI Application
+	make -C "${PWD}/packages/client-ts" build
+	npm --prefix web install
 
-gen-clean: gen-clean-ts gen-clean-go gen-clean-py  ## Remove generated API clients
+_gen-clients: gen-client-go gen-client-rust gen-client-ts
+gen-clients:  ## Build and install API clients used by authentik
+	$(MAKE) _gen-clients -j
 
-gen-client-ts: gen-clean-ts  ## Build and install the authentik API for Typescript into the authentik UI Application
-	docker compose -f scripts/api/compose.yml run --rm --user "${UID}:${GID}" gen \
-		generate \
-		-i /local/schema.yml \
-		-g typescript-fetch \
-		-o /local/${GEN_API_TS} \
-		-c /local/scripts/api/ts-config.yaml \
-		--additional-properties=npmVersion=${NPM_VERSION} \
-		--git-repo-id authentik \
-		--git-user-id goauthentik
-
-	cd ${PWD}/${GEN_API_TS} && npm i
-	cd ${PWD}/${GEN_API_TS} && npm link
-	cd ${PWD}/web && npm link @goauthentik/api
-
-gen-client-py: gen-clean-py ## Build and install the authentik API for Python
-	mkdir -p ${PWD}/${GEN_API_PY}
-	git clone --depth 1 https://github.com/goauthentik/client-python.git ${PWD}/${GEN_API_PY}
-	cp ${PWD}/schema.yml ${PWD}/${GEN_API_PY}
-	make -C ${PWD}/${GEN_API_PY} build version=${NPM_VERSION}
-
-gen-client-go: gen-clean-go  ## Build and install the authentik API for Golang
-	mkdir -p ${PWD}/${GEN_API_GO}
-	git clone --depth 1 https://github.com/goauthentik/client-go.git ${PWD}/${GEN_API_GO}
-	cp ${PWD}/schema.yml ${PWD}/${GEN_API_GO}
-	make -C ${PWD}/${GEN_API_GO} build version=${NPM_VERSION}
-	go mod edit -replace goauthentik.io/api/v3=./${GEN_API_GO}
+gen: gen-build gen-clients  ## Build and install API schema and clients used by authentik
 
 gen-dev-config:  ## Generate a local development config file
 	$(UV) run scripts/generate_config.py
 
-gen: gen-build gen-client-ts
-
 #########################
 ## Node.js
 #########################
@@ -307,7 +292,7 @@ docs-api-build:
 	npm run --prefix website -w api build
 
 docs-api-watch:  ## Build and watch the API documentation
-	npm run --prefix website -w api build:api
+	npm run --prefix website -w api generate
 	npm run --prefix website -w api start
 
 docs-api-clean: ## Clean generated API documentation
@@ -318,7 +303,6 @@ docs-api-clean: ## Clean generated API documentation
 #########################
 
 docker:  ## Build a docker image of the current source tree
-	mkdir -p ${GEN_API_TS}
 	DOCKER_BUILDKIT=1 docker build . -f lifecycle/container/Dockerfile --progress plain --tag ${DOCKER_IMAGE}
 
 test-docker:
@@ -331,28 +315,42 @@ test-docker:
 # which makes the YAML File a lot smaller
 
 ci--meta-debug:
-	$(UV) run python -V
-	node --version
+	$(UV) run python -V || echo "No python installed"
+	$(CARGO) --version || echo "No rust installed"
+	node --version || echo "No node installed"
 
-ci-mypy: ci--meta-debug
+ci-lint-mypy: ci--meta-debug
 	$(UV) run mypy --strict $(PY_SOURCES)
 
-ci-black: ci--meta-debug
+ci-lint-black: ci--meta-debug
 	$(UV) run black --check $(PY_SOURCES)
 
-ci-ruff: ci--meta-debug
+ci-lint-ruff: ci--meta-debug
 	$(UV) run ruff check $(PY_SOURCES)
 
-ci-spellcheck: ci--meta-debug
+ci-lint-spellcheck: ci--meta-debug
 	npm run lint:spellcheck
 
-ci-bandit: ci--meta-debug
+ci-lint-bandit: ci--meta-debug
 	$(UV) run bandit -c pyproject.toml -r $(PY_SOURCES) -iii
 
-ci-pending-migrations: ci--meta-debug
+ci-lint-pending-migrations: ci--meta-debug
 	$(UV) run ak makemigrations --check
 
+ci-lint-cargo-deny: ci--meta-debug
+	$(CARGO) deny --locked --workspace check --config "${PWD}/.cargo/deny.toml"
+
+ci-lint-cargo-machete: ci--meta-debug
+	$(CARGO) machete
+
+ci-lint-rustfmt: ci--meta-debug
+	$(CARGO) +nightly fmt --all --check -- --config-path "${PWD}/.cargo/rustfmt.toml"
+
+ci-lint-clippy: ci--meta-debug
+	$(CARGO) clippy --workspace -- -D warnings
+
 ci-test: ci--meta-debug
-	$(UV) run coverage run manage.py test --keepdb authentik
+	$(UV) run coverage run manage.py test --keepdb --parallel auto authentik
+	$(UV) run coverage combine
 	$(UV) run coverage report
 	$(UV) run coverage xml

SECURITY.md

@@ -18,10 +18,10 @@ Even if the issue is not a CVE, we still greatly appreciate your help in hardeni
 
 (.x being the latest patch release for each version)
 
-| Version    | Supported  |
-| ---------- | ---------- |
-| 2025.12.x  | ✅         |
-| 2026.2.x   | ✅         |
+| Version   | Supported |
+| --------- | --------- |
+| 2025.12.x | ✅        |
+| 2026.2.x  | ✅        |
 
 ## Reporting a Vulnerability
 
@@ -60,6 +60,40 @@ authentik reserves the right to reclassify CVSS as necessary. To determine sever
 | 7.0 – 8.9  | High     |
 | 9.0 – 10.0 | Critical |
 
+## Intended functionality
+
+The following capabilities are part of intentional system design and should not be reported as security vulnerabilities:
+
+- Expressions (property mappings/policies/prompts) can execute arbitrary Python code without safeguards.
+
+This is expected behavior. Any user with permission to create or modify objects containing expression fields can write code that is executed within authentik. If a vulnerability allows a user without the required permissions to write or modify code and have it executed, that would be a valid security report.
+
+However, the fact that expressions are executed as part of normal operations is not considered a privilege escalation or security vulnerability.
+
+- Blueprints can access all files on the filesystem.
+
+This access is intentional to allow legitimate configuration and deployment tasks. It does not represent a security problem by itself.
+
+- Importing blueprints allows arbitrary modification of application objects.
+
+This is intended functionality. This behavior reflects the privileged design of blueprint imports. It is "exploitable" when importing blueprints from untrusted sources without reviewing the blueprint beforehand. However, any method to create, modify or execute blueprints without the required permissions would be a valid security report.
+
+- Flow imports may contain objects other than flows (such as policies, users, groups, etc.)
+
+This is expected behavior as flow imports are blueprint files.
+
+- Prompt HTML is not escaped.
+
+Prompts intentionally allow raw HTML, including script tags, so they can be used to create interactive or customized user interface elements. Because of this, scripts within prompts may affect or interact with the surrounding page as designed.
+
+- Open redirects that do not include tokens or other sensitive information are not considered a security vulnerability.
+
+Redirects that only change navigation flow and do not expose session tokens, API keys, or other confidential data are considered acceptable and do not require reporting.
+
+- Outgoing network requests are not filtered.
+
+The destinations of outgoing network requests (HTTP, TCP, etc.) made by authentik to configurable endpoints through objects such as OAuth Sources, SSO Providers, and others are not validated. Depending on your threat model, these requests should be restricted at the network level using appropriate firewall or network policies.
+
 ## Disclosure process
 
 1. Report from Github or Issue is reported via Email as listed above.

authentik/admin/api/meta.py

@@ -8,8 +8,8 @@ from rest_framework.response import Response
 from rest_framework.viewsets import ViewSet
 
 from authentik.core.api.utils import PassiveSerializer
+from authentik.lib.api import Models
 from authentik.lib.utils.reflection import get_apps
-from authentik.policies.event_matcher.models import model_choices
 
 
 class AppSerializer(PassiveSerializer):
@@ -42,6 +42,6 @@ class ModelViewSet(ViewSet):
     def list(self, request: Request) -> Response:
         """Read-only view list all installed models"""
         data = []
-        for name, label in model_choices():
+        for name, label in Models.choices:
             data.append({"name": name, "label": label})
         return Response(AppSerializer(data, many=True).data)

authentik/api/authentication.py

@@ -106,14 +106,14 @@ class TokenAuthentication(BaseAuthentication):
         if not auth_credentials:
             return None
         # first, check traditional tokens
-        key_token = Token.filter_not_expired(
+        key_token = Token.objects.filter(
             key=auth_credentials, intent=TokenIntents.INTENT_API
         ).first()
         if key_token:
             CTX_AUTH_VIA.set("api_token")
             return key_token.user, key_token
         # then try to auth via JWT
-        jwt_token = AccessToken.filter_not_expired(
+        jwt_token = AccessToken.objects.filter(
             token=auth_credentials, _scope__icontains=SCOPE_AUTHENTIK_API
         ).first()
         if jwt_token:

authentik/api/pagination.py

@@ -1,10 +1,18 @@
 """Pagination which includes total pages and current page"""
 
+from typing import TYPE_CHECKING
+
 from drf_spectacular.plumbing import build_object_type
 from rest_framework import pagination
 from rest_framework.response import Response
 
-from authentik.api.v3.schema.response import PAGINATION
+from authentik.api.search.ql import QLSearch
+from authentik.api.v3.schema.pagination import PAGINATION
+from authentik.api.v3.schema.search import AUTOCOMPLETE_SCHEMA
+
+if TYPE_CHECKING:
+    from django.db.models import QuerySet
+    from rest_framework.request import Request
 
 
 class Pagination(pagination.PageNumberPagination):
@@ -13,14 +21,14 @@ class Pagination(pagination.PageNumberPagination):
     page_query_param = "page"
     page_size_query_param = "page_size"
 
-    def get_page_size(self, request):
+    def get_page_size(self, request: Request) -> int:
         if self.page_size_query_param in request.query_params:
             page_size = super().get_page_size(request)
             if page_size is not None:
                 return min(super().get_page_size(request), request.tenant.pagination_max_page_size)
         return request.tenant.pagination_default_page_size
 
-    def get_paginated_response(self, data):
+    def get_paginated_response(self, data) -> Response:
         previous_page_number = 0
         if self.page.has_previous():
             previous_page_number = self.page.previous_page_number()
@@ -39,16 +47,33 @@ class Pagination(pagination.PageNumberPagination):
                     "end_index": self.page.end_index(),
                 },
                 "results": data,
+                "autocomplete": self.get_autocomplete(),
             }
         )
 
+    def paginate_queryset(self, queryset: QuerySet, request: Request, view=None):
+        self.view = view
+        return super().paginate_queryset(queryset, request, view)
+
+    def get_autocomplete(self):
+        schema = QLSearch().get_schema(self.request, self.view)
+        introspections = {}
+        if hasattr(self.view, "get_ql_fields"):
+            from authentik.api.search.schema import AKQLSchemaSerializer
+
+            introspections = AKQLSchemaSerializer().serialize(
+                schema(self.page.paginator.object_list.model)
+            )
+        return introspections
+
     def get_paginated_response_schema(self, schema):
         return build_object_type(
             properties={
                 "pagination": PAGINATION.ref,
                 "results": schema,
+                "autocomplete": AUTOCOMPLETE_SCHEMA.ref,
             },
-            required=["pagination", "results"],
+            required=["pagination", "results", "autocomplete"],
         )
 
 

authentik/api/schema.py

@@ -1,103 +0,0 @@
-"""Error Response schema, from https://github.com/axnsan12/drf-yasg/issues/224"""
-
-from collections.abc import Callable
-from typing import Any
-
-from drf_spectacular.generators import SchemaGenerator
-from drf_spectacular.plumbing import ResolvedComponent
-from drf_spectacular.renderers import OpenApiJsonRenderer
-from drf_spectacular.settings import spectacular_settings
-from structlog.stdlib import get_logger
-
-from authentik.api.apps import AuthentikAPIConfig
-from authentik.api.v3.schema.query import QUERY_PARAMS
-from authentik.api.v3.schema.response import (
-    GENERIC_ERROR,
-    GENERIC_ERROR_RESPONSE,
-    PAGINATION,
-    VALIDATION_ERROR,
-    VALIDATION_ERROR_RESPONSE,
-)
-
-LOGGER = get_logger()
-
-
-def preprocess_schema_exclude_non_api(endpoints: list[tuple[str, Any, Any, Callable]], **kwargs):
-    """Filter out all API Views which are not mounted under /api"""
-    return [
-        (path, path_regex, method, callback)
-        for path, path_regex, method, callback in endpoints
-        if path.startswith("/" + AuthentikAPIConfig.mountpoint)
-    ]
-
-
-def postprocess_schema_register(
-    result: dict[str, Any], generator: SchemaGenerator, **kwargs
-) -> dict[str, Any]:
-    """Register custom schema components"""
-    LOGGER.debug("Registering custom schemas")
-    generator.registry.register_on_missing(PAGINATION)
-    generator.registry.register_on_missing(GENERIC_ERROR)
-    generator.registry.register_on_missing(GENERIC_ERROR_RESPONSE)
-    generator.registry.register_on_missing(VALIDATION_ERROR)
-    generator.registry.register_on_missing(VALIDATION_ERROR_RESPONSE)
-    for query in QUERY_PARAMS.values():
-        generator.registry.register_on_missing(query)
-    return result
-
-
-def postprocess_schema_responses(
-    result: dict[str, Any], generator: SchemaGenerator, **kwargs
-) -> dict[str, Any]:
-    """Default error responses"""
-    LOGGER.debug("Adding default error responses")
-    for path in result["paths"].values():
-        for method in path.values():
-            method["responses"].setdefault("400", VALIDATION_ERROR_RESPONSE.ref)
-            method["responses"].setdefault("403", GENERIC_ERROR_RESPONSE.ref)
-
-    result["components"] = generator.registry.build(spectacular_settings.APPEND_COMPONENTS)
-
-    # This is a workaround for authentik/stages/prompt/stage.py
-    # since the serializer PromptChallengeResponse
-    # accepts dynamic keys
-    for component in result["components"]["schemas"]:
-        if component == "PromptChallengeResponseRequest":
-            comp = result["components"]["schemas"][component]
-            comp["additionalProperties"] = {}
-    return result
-
-
-def postprocess_schema_query_params(
-    result: dict[str, Any], generator: SchemaGenerator, **kwargs
-) -> dict[str, Any]:
-    """Optimize pagination parameters, instead of redeclaring parameters for each endpoint
-    declare them globally and refer to them"""
-    LOGGER.debug("Deduplicating query parameters")
-    for path in result["paths"].values():
-        for method in path.values():
-            for idx, param in enumerate(method.get("parameters", [])):
-                if param["name"] not in QUERY_PARAMS:
-                    continue
-                method["parameters"][idx] = QUERY_PARAMS[param["name"]].ref
-    return result
-
-
-def postprocess_schema_remove_unused(
-    result: dict[str, Any], generator: SchemaGenerator, **kwargs
-) -> dict[str, Any]:
-    """Remove unused components"""
-    # To check if the schema is used, render it to JSON and then substring check that
-    # less efficient than walking through the tree but a lot simpler and no
-    # possibility that we miss something
-    raw = OpenApiJsonRenderer().render(result, renderer_context={}).decode()
-    count = 0
-    for key in result["components"][ResolvedComponent.SCHEMA].keys():
-        schema_usages = raw.count(f"#/components/{ResolvedComponent.SCHEMA}/{key}")
-        if schema_usages >= 1:
-            continue
-        del generator.registry[(key, ResolvedComponent.SCHEMA)]
-        count += 1
-    LOGGER.debug("Removing unused components", count=count)
-    result["components"] = generator.registry.build(spectacular_settings.APPEND_COMPONENTS)
-    return result

authentik/api/search/ql.py

@@ -1,25 +1,17 @@
 """DjangoQL search"""
 
-from django.apps import apps
 from django.db.models import QuerySet
 from djangoql.ast import Name
 from djangoql.exceptions import DjangoQLError
 from djangoql.queryset import apply_search
 from djangoql.schema import DjangoQLSchema
-from drf_spectacular.plumbing import ResolvedComponent, build_object_type
 from rest_framework.filters import SearchFilter
 from rest_framework.request import Request
 from structlog.stdlib import get_logger
 
-from authentik.enterprise.search.fields import JSONSearchField
+from authentik.api.search.fields import JSONSearchField
 
 LOGGER = get_logger()
-AUTOCOMPLETE_SCHEMA = ResolvedComponent(
-    name="Autocomplete",
-    object="Autocomplete",
-    type=ResolvedComponent.SCHEMA,
-    schema=build_object_type(additionalProperties={}),
-)
 
 
 class BaseSchema(DjangoQLSchema):
@@ -48,10 +40,6 @@ class QLSearch(SearchFilter):
         super().__init__()
         self._fallback = SearchFilter()
 
-    @property
-    def enabled(self):
-        return apps.get_app_config("authentik_enterprise").enabled()
-
     def get_search_terms(self, request: Request) -> str:
         """Search terms are set by a ?search=... query parameter,
         and may be comma and/or whitespace delimited."""
@@ -73,7 +61,7 @@ class QLSearch(SearchFilter):
     def filter_queryset(self, request: Request, queryset: QuerySet, view) -> QuerySet:
         search_query = self.get_search_terms(request)
         schema = self.get_schema(request, view)
-        if len(search_query) == 0 or not self.enabled:
+        if len(search_query) == 0:
             return self._fallback.filter_queryset(request, queryset, view)
         try:
             return apply_search(queryset, search_query, schema=schema)

authentik/api/search/schema.py

@@ -1,8 +1,6 @@
 from djangoql.serializers import DjangoQLSchemaSerializer
-from drf_spectacular.generators import SchemaGenerator
 
-from authentik.enterprise.search.fields import JSONSearchField
-from authentik.enterprise.search.ql import AUTOCOMPLETE_SCHEMA
+from authentik.api.search.fields import JSONSearchField
 
 
 class AKQLSchemaSerializer(DjangoQLSchemaSerializer):
@@ -20,9 +18,3 @@ class AKQLSchemaSerializer(DjangoQLSchemaSerializer):
         if isinstance(field, JSONSearchField):
             result["relation"] = field.relation()
         return result
-
-
-def postprocess_schema_search_autocomplete(result, generator: SchemaGenerator, **kwargs):
-    generator.registry.register_on_missing(AUTOCOMPLETE_SCHEMA)
-
-    return result

authentik/api/tests/test_search.py

@@ -1,5 +1,4 @@
 from json import loads
-from unittest.mock import PropertyMock, patch
 from urllib.parse import urlencode
 
 from django.urls import reverse
@@ -8,10 +7,6 @@ from rest_framework.test import APITestCase
 from authentik.core.tests.utils import create_test_admin_user
 
 
-@patch(
-    "authentik.enterprise.audit.middleware.EnterpriseAuditMiddleware.enabled",
-    PropertyMock(return_value=True),
-)
 class QLTest(APITestCase):
 
     def setUp(self):

authentik/api/v3/schema/cleanup.py

@@ -0,0 +1,75 @@
+"""Error Response schema, from https://github.com/axnsan12/drf-yasg/issues/224"""
+
+from collections.abc import Callable
+from typing import Any
+
+from drf_spectacular.contrib.django_filters import (
+    DjangoFilterExtension as BaseDjangoFilterExtension,
+)
+from drf_spectacular.generators import SchemaGenerator
+from drf_spectacular.plumbing import (
+    ResolvedComponent,
+    follow_field_source,
+)
+from drf_spectacular.renderers import OpenApiJsonRenderer
+from drf_spectacular.settings import spectacular_settings
+from structlog.stdlib import get_logger
+
+from authentik.api.apps import AuthentikAPIConfig
+
+LOGGER = get_logger()
+
+
+def preprocess_schema_exclude_non_api(endpoints: list[tuple[str, Any, Any, Callable]], **kwargs):
+    """Filter out all API Views which are not mounted under /api"""
+    return [
+        (path, path_regex, method, callback)
+        for path, path_regex, method, callback in endpoints
+        if path.startswith("/" + AuthentikAPIConfig.mountpoint)
+    ]
+
+
+def postprocess_schema_remove_unused(
+    result: dict[str, Any], generator: SchemaGenerator, **kwargs
+) -> dict[str, Any]:
+    """Remove unused components"""
+    # To check if the schema is used, render it to JSON and then substring check that
+    # less efficient than walking through the tree but a lot simpler and no
+    # possibility that we miss something
+    raw = OpenApiJsonRenderer().render(result, renderer_context={}).decode()
+    count = 0
+    for key in result["components"][ResolvedComponent.SCHEMA].keys():
+        schema_usages = raw.count(f"#/components/{ResolvedComponent.SCHEMA}/{key}")
+        if schema_usages >= 1:
+            continue
+        del generator.registry[(key, ResolvedComponent.SCHEMA)]
+        count += 1
+    LOGGER.debug("Removing unused components", count=count)
+    result["components"] = generator.registry.build(spectacular_settings.APPEND_COMPONENTS)
+    return result
+
+
+class DjangoFilterExtension(BaseDjangoFilterExtension):
+    """
+    From https://github.com/netbox-community/netbox/pull/21521:
+
+    Overrides drf-spectacular's DjangoFilterExtension to fix a regression in v0.29.0 where
+    _get_model_field() incorrectly double-appends to_field_name when field_name already ends
+    with that value (e.g. field_name='tags__slug', to_field_name='slug' produces the invalid
+    path ['tags', 'slug', 'slug']). This caused hundreds of spurious warnings during schema
+    generation for filters such as TagFilter, TenancyFilterSet.tenant, and OwnerFilterMixin.owner.
+
+    See: https://github.com/netbox-community/netbox/issues/20787
+         https://github.com/tfranzel/drf-spectacular/issues/1475
+    """
+
+    priority = 1
+
+    def _get_model_field(self, filter_field, model):
+        if not filter_field.field_name:
+            return None
+        path = filter_field.field_name.split("__")
+        to_field_name = filter_field.extra.get("to_field_name")
+        if to_field_name is not None and path[-1] != to_field_name:
+            path.append(to_field_name)
+        return follow_field_source(model, path, emit_warnings=False)

authentik/api/v3/schema/enum.py

@@ -0,0 +1,287 @@
+"""Error Response schema, from https://github.com/axnsan12/drf-yasg/issues/224"""
+
+import functools
+import inspect
+import re
+from collections import defaultdict
+from enum import Enum
+
+from django.db.models import Choices
+from django.utils.translation import get_language
+from drf_spectacular.drainage import error, warn
+from drf_spectacular.hooks import postprocess_schema_enum_id_removal
+from drf_spectacular.plumbing import (
+    ResolvedComponent,
+    deep_import_string,
+    list_hash,
+    safe_ref,
+)
+from drf_spectacular.settings import spectacular_settings
+from inflection import camelize
+from structlog.stdlib import get_logger
+
+LOGGER = get_logger()
+
+
+# See https://github.com/tfranzel/drf-spectacular/blob/master/drf_spectacular/hooks.py
+# and https://github.com/tfranzel/drf-spectacular/issues/520
+def postprocess_schema_enums(result, generator, **kwargs):  # noqa: PLR0912, PLR0915
+    """
+    simple replacement of Enum/Choices that globally share the same name and have
+    the same choices. Aids client generation to not generate a separate enum for
+    every occurrence. only takes effect when replacement is guaranteed to be correct.
+    """
+
+    def is_enum_prop(prop_schema):
+        return (
+            "enum" in prop_schema
+            or prop_schema.get("type") == "array"
+            and "enum" in prop_schema.get("items", {})
+        )
+
+    def iter_field_schemas():
+        def iter_prop_containers(schema, component_name=None):
+            if not component_name:
+                for _component_name, _schema in schema.items():
+                    if spectacular_settings.COMPONENT_SPLIT_PATCH:
+                        _component_name = re.sub("^Patched(.+)", r"\1", _component_name)
+                    if spectacular_settings.COMPONENT_SPLIT_REQUEST:
+                        _component_name = re.sub("(.+)Request$", r"\1", _component_name)
+                    yield from iter_prop_containers(_schema, _component_name)
+            elif isinstance(schema, list):
+                for item in schema:
+                    yield from iter_prop_containers(item, component_name)
+            elif isinstance(schema, dict):
+                if schema.get("properties"):
+                    yield component_name, schema["properties"]
+                yield from iter_prop_containers(schema.get("oneOf", []), component_name)
+                yield from iter_prop_containers(schema.get("allOf", []), component_name)
+                yield from iter_prop_containers(schema.get("anyOf", []), component_name)
+
+        def iter_path_parameters():
+            for path in result.get("paths", {}).values():
+                for operation in path.values():
+                    for parameter in operation.get("parameters", []):
+                        parameter_schema = parameter.get("schema", {})
+                        if is_enum_prop(parameter_schema):
+                            # Move description into enum schema
+                            if "description" in parameter:
+                                parameter_schema["description"] = parameter.pop("description")
+                        if "name" not in parameter:
+                            continue
+                        yield "", {parameter["name"]: parameter_schema}
+
+        component_schemas = result.get("components", {}).get("schemas", {})
+
+        yield from iter_prop_containers(component_schemas)
+        yield from iter_path_parameters()
+
+    def create_enum_component(name, schema):
+        component = ResolvedComponent(
+            name=name,
+            type=ResolvedComponent.SCHEMA,
+            schema=schema,
+            object=name,
+        )
+        generator.registry.register_on_missing(component)
+        return component
+
+    def extract_hash(schema):
+        if "x-spec-enum-id" in schema:
+            # try to use the injected enum hash first as it generated from (name, value) tuples,
+            # which prevents collisions on choice sets only differing in labels not values.
+            return schema["x-spec-enum-id"]
+        else:
+            # fall back to actual list hashing when we encounter enums not generated by us.
+            # remove blank/null entry for hashing. will be reconstructed in the last step
+            return list_hash([(i, i) for i in schema["enum"] if i not in ("", None)])
+
+    overrides = load_enum_name_overrides()
+
+    prop_hash_mapping = defaultdict(set)
+    hash_name_mapping = defaultdict(set)
+    # collect all enums, their names and choice sets
+    for component_name, props in iter_field_schemas():
+        for prop_name, prop_schema in props.items():
+            _prop_schema = prop_schema
+            if prop_schema.get("type") == "array":
+                _prop_schema = prop_schema.get("items", {})
+            if "enum" not in _prop_schema:
+                continue
+
+            prop_enum_cleaned_hash = extract_hash(_prop_schema)
+            prop_hash_mapping[prop_name].add(prop_enum_cleaned_hash)
+            hash_name_mapping[prop_enum_cleaned_hash].add((component_name, prop_name))
+
+    # get the suffix to be used for enums from settings
+    enum_suffix = spectacular_settings.ENUM_SUFFIX
+
+    # traverse all enum properties and generate a name for the choice set. naming collisions
+    # are resolved and a warning is emitted. giving a choice set multiple names is technically
+    # correct but potentially unwanted. also emit a warning there to make the user aware.
+    enum_name_mapping = {}
+    for prop_name, prop_hash_set in prop_hash_mapping.items():
+        for prop_hash in prop_hash_set:
+            if prop_hash in overrides:
+                enum_name = overrides[prop_hash]
+            elif len(prop_hash_set) == 1:
+                # prop_name has been used exclusively for one choice set (best case)
+                enum_name = f"{camelize(prop_name)}{enum_suffix}"
+            elif len(hash_name_mapping[prop_hash]) == 1:
+                # prop_name has multiple choice sets, but each one limited to one component only
+                component_name, _ = next(iter(hash_name_mapping[prop_hash]))
+                enum_name = f"{camelize(component_name)}{camelize(prop_name)}{enum_suffix}"
+            else:
+                enum_name = f"{camelize(prop_name)}{prop_hash[:3].capitalize()}{enum_suffix}"
+                warn(
+                    f"enum naming encountered a non-optimally resolvable collision for fields "
+                    f'named "{prop_name}". The same name has been used for multiple choice sets '
+                    f'in multiple components. The collision was resolved with "{enum_name}". '
+                    f"add an entry to ENUM_NAME_OVERRIDES to fix the naming."
+                )
+            if enum_name_mapping.get(prop_hash, enum_name) != enum_name:
+                warn(
+                    f"encountered multiple names for the same choice set ({enum_name}). This "
+                    f"may be unwanted even though the generated schema is technically correct. "
+                    f"Add an entry to ENUM_NAME_OVERRIDES to fix the naming."
+                )
+                del enum_name_mapping[prop_hash]
+            else:
+                enum_name_mapping[prop_hash] = enum_name
+            enum_name_mapping[(prop_hash, prop_name)] = enum_name
+
+    # replace all enum occurrences with a enum schema component. cut out the
+    # enum, replace it with a reference and add a corresponding component.
+    for _, props in iter_field_schemas():
+        for prop_name, _prop_schema in props.items():
+            prop_schema = _prop_schema
+            is_array = prop_schema.get("type") == "array"
+            if is_array:
+                prop_schema = prop_schema.get("items", {})
+
+            if "enum" not in prop_schema:
+                continue
+
+            prop_enum_original_list = prop_schema["enum"]
+            prop_schema["enum"] = [i for i in prop_schema["enum"] if i not in ["", None]]
+            prop_hash = extract_hash(prop_schema)
+            # when choice sets are reused under multiple names, the generated name cannot be
+            # resolved from the hash alone. fall back to prop_name and hash for resolution.
+            enum_name = enum_name_mapping.get(prop_hash) or enum_name_mapping[prop_hash, prop_name]
+
+            # split property into remaining property and enum component parts
+            enum_schema = {k: v for k, v in prop_schema.items() if k in ["type", "enum"]}
+            prop_schema = {
+                k: v for k, v in prop_schema.items() if k not in ["type", "enum", "x-spec-enum-id"]
+            }
+
+            # separate actual description from name-value tuples
+            if spectacular_settings.ENUM_GENERATE_CHOICE_DESCRIPTION:
+                if prop_schema.get("description", "").startswith("*"):
+                    enum_schema["description"] = prop_schema.pop("description")
+                elif "\n\n*" in prop_schema.get("description", ""):
+                    _, _, post = prop_schema["description"].partition("\n\n*")
+                    enum_schema["description"] = "*" + post
+
+            components = [create_enum_component(enum_name, schema=enum_schema)]
+            if spectacular_settings.ENUM_ADD_EXPLICIT_BLANK_NULL_CHOICE:
+                if "" in prop_enum_original_list:
+                    components.append(
+                        create_enum_component(f"Blank{enum_suffix}", schema={"enum": [""]})
+                    )
+                if None in prop_enum_original_list:
+                    if spectacular_settings.OAS_VERSION.startswith("3.1"):
+                        components.append(
+                            create_enum_component(f"Null{enum_suffix}", schema={"type": "null"})
+                        )
+                    else:
+                        components.append(
+                            create_enum_component(f"Null{enum_suffix}", schema={"enum": [None]})
+                        )
+
+            # undo OAS 3.1 type list NULL construction as we cover
+            # this in a separate component already
+            if spectacular_settings.OAS_VERSION.startswith("3.1") and isinstance(
+                enum_schema["type"], list
+            ):
+                enum_schema["type"] = [t for t in enum_schema["type"] if t != "null"][0]
+
+            if len(components) == 1:
+                prop_schema.update(components[0].ref)
+            else:
+                prop_schema.update({"oneOf": [c.ref for c in components]})
+
+            patch_target = props[prop_name]  # noqa: PLR1733
+            if is_array:
+                patch_target = patch_target["items"]
+
+            # Replace existing schema information with reference
+            patch_target.clear()
+            patch_target.update(safe_ref(prop_schema))
+
+    # sort again with additional components
+    result["components"] = generator.registry.build(spectacular_settings.APPEND_COMPONENTS)
+
+    # remove remaining ids that were not part of this hook (operation parameters mainly)
+    postprocess_schema_enum_id_removal(result, generator)
+
+    return result
+
+
+# Fixed version of `load_enum_name_overrides()` with a LRU cache based on language
+# *and* enum overrides.
+# Without this, API generation breaks if there is more than 1 API present (such as in split APIs)
+# Original source: drf-spectacular/drf_spectacular/plumbing.py
+def load_enum_name_overrides():
+    cache_key = get_language() or ""
+
+    for k, v in sorted(spectacular_settings.ENUM_NAME_OVERRIDES.items()):
+        cache_key += f";{k}:{v}"
+
+    return _load_enum_name_overrides(cache_key)
+
+
+# Original source: drf-spectacular/drf_spectacular/plumbing.py
+# Only change: cache_key argument instead of language.
+@functools.lru_cache
+def _load_enum_name_overrides(cache_key):
+    overrides = {}
+    for name, _choices in spectacular_settings.ENUM_NAME_OVERRIDES.items():
+        choices = _choices
+        if isinstance(choices, str):
+            choices = deep_import_string(choices)
+        if not choices:
+            warn(
+                f"unable to load choice override for {name} from ENUM_NAME_OVERRIDES. "
+                f"please check module path string."
+            )
+            continue
+        if inspect.isclass(choices) and issubclass(choices, Choices):
+            choices = choices.choices
+        if inspect.isclass(choices) and issubclass(choices, Enum):
+            choices = [(c.value, c.name) for c in choices]
+        normalized_choices = []
+        for choice in choices:
+            # Allow None values in the simple values list case
+            if isinstance(choice, str) or choice is None:
+                # TODO warning
+                normalized_choices.append((choice, choice))  # simple choice list
+            elif isinstance(choice[1], (list, tuple)):
+                normalized_choices.extend(choice[1])  # categorized nested choices
+            else:
+                normalized_choices.append(choice)  # normal 2-tuple form
+
+        # Get all of choice values that should be used in the hash, blank and
+        # None values get excluded in the post-processing hook for enum overrides,
+        # so we do the same here to ensure the hashes match
+        hashable_values = [
+            (value, label) for value, label in normalized_choices if value not in ["", None]
+        ]
+        overrides[list_hash(hashable_values)] = name
+
+    if len(spectacular_settings.ENUM_NAME_OVERRIDES) != len(overrides):
+        error(
+            "ENUM_NAME_OVERRIDES has duplication issues. Encountered multiple names "
+            "for the same choice set. Enum naming might be unexpected."
+        )
+    return overrides

authentik/api/v3/schema/pagination.py

@@ -0,0 +1,32 @@
+from drf_spectacular.plumbing import (
+    ResolvedComponent,
+    build_basic_type,
+    build_object_type,
+)
+from drf_spectacular.types import OpenApiTypes
+
+PAGINATION = ResolvedComponent(
+    name="Pagination",
+    type=ResolvedComponent.SCHEMA,
+    object="Pagination",
+    schema=build_object_type(
+        properties={
+            "next": build_basic_type(OpenApiTypes.NUMBER),
+            "previous": build_basic_type(OpenApiTypes.NUMBER),
+            "count": build_basic_type(OpenApiTypes.NUMBER),
+            "current": build_basic_type(OpenApiTypes.NUMBER),
+            "total_pages": build_basic_type(OpenApiTypes.NUMBER),
+            "start_index": build_basic_type(OpenApiTypes.NUMBER),
+            "end_index": build_basic_type(OpenApiTypes.NUMBER),
+        },
+        required=[
+            "next",
+            "previous",
+            "count",
+            "current",
+            "total_pages",
+            "start_index",
+            "end_index",
+        ],
+    ),
+)

authentik/api/v3/schema/query.py

@@ -1,10 +1,17 @@
+from typing import Any
+
 from django.utils.translation import gettext_lazy as _
+from drf_spectacular.generators import SchemaGenerator
 from drf_spectacular.plumbing import (
     ResolvedComponent,
     build_basic_type,
     build_parameter_type,
 )
 from drf_spectacular.types import OpenApiTypes
+from structlog.stdlib import get_logger
+
+LOGGER = get_logger()
+
 
 QUERY_PARAMS = {
     "ordering": ResolvedComponent(
@@ -63,3 +70,18 @@ QUERY_PARAMS = {
         ),
     ),
 }
+
+
+def postprocess_schema_query_params(
+    result: dict[str, Any], generator: SchemaGenerator, **kwargs
+) -> dict[str, Any]:
+    """Optimize pagination parameters, instead of redeclaring parameters for each endpoint
+    declare them globally and refer to them"""
+    LOGGER.debug("Deduplicating query parameters")
+    for path in result["paths"].values():
+        for method in path.values():
+            for idx, param in enumerate(method.get("parameters", [])):
+                if param["name"] not in QUERY_PARAMS:
+                    continue
+                method["parameters"][idx] = QUERY_PARAMS[param["name"]].ref
+    return result

authentik/api/v3/schema/response.py

@@ -1,12 +1,22 @@
+from typing import Any
+
 from django.utils.translation import gettext_lazy as _
+from drf_spectacular.generators import SchemaGenerator
 from drf_spectacular.plumbing import (
     ResolvedComponent,
     build_array_type,
     build_basic_type,
     build_object_type,
 )
+from drf_spectacular.settings import spectacular_settings
 from drf_spectacular.types import OpenApiTypes
 from rest_framework.settings import api_settings
+from structlog.stdlib import get_logger
+
+from authentik.api.v3.schema.pagination import PAGINATION
+from authentik.api.v3.schema.query import QUERY_PARAMS
+
+LOGGER = get_logger()
 
 GENERIC_ERROR = ResolvedComponent(
     name="GenericError",
@@ -57,28 +67,40 @@ VALIDATION_ERROR_RESPONSE = ResolvedComponent(
         "description": "",
     },
 )
-PAGINATION = ResolvedComponent(
-    name="Pagination",
-    type=ResolvedComponent.SCHEMA,
-    object="Pagination",
-    schema=build_object_type(
-        properties={
-            "next": build_basic_type(OpenApiTypes.NUMBER),
-            "previous": build_basic_type(OpenApiTypes.NUMBER),
-            "count": build_basic_type(OpenApiTypes.NUMBER),
-            "current": build_basic_type(OpenApiTypes.NUMBER),
-            "total_pages": build_basic_type(OpenApiTypes.NUMBER),
-            "start_index": build_basic_type(OpenApiTypes.NUMBER),
-            "end_index": build_basic_type(OpenApiTypes.NUMBER),
-        },
-        required=[
-            "next",
-            "previous",
-            "count",
-            "current",
-            "total_pages",
-            "start_index",
-            "end_index",
-        ],
-    ),
-)
+
+
+def postprocess_schema_register(
+    result: dict[str, Any], generator: SchemaGenerator, **kwargs
+) -> dict[str, Any]:
+    """Register custom schema components"""
+    LOGGER.debug("Registering custom schemas")
+    generator.registry.register_on_missing(PAGINATION)
+    generator.registry.register_on_missing(GENERIC_ERROR)
+    generator.registry.register_on_missing(GENERIC_ERROR_RESPONSE)
+    generator.registry.register_on_missing(VALIDATION_ERROR)
+    generator.registry.register_on_missing(VALIDATION_ERROR_RESPONSE)
+    for query in QUERY_PARAMS.values():
+        generator.registry.register_on_missing(query)
+    return result
+
+
+def postprocess_schema_responses(
+    result: dict[str, Any], generator: SchemaGenerator, **kwargs
+) -> dict[str, Any]:
+    """Default error responses"""
+    LOGGER.debug("Adding default error responses")
+    for path in result["paths"].values():
+        for method in path.values():
+            method["responses"].setdefault("400", VALIDATION_ERROR_RESPONSE.ref)
+            method["responses"].setdefault("403", GENERIC_ERROR_RESPONSE.ref)
+
+    result["components"] = generator.registry.build(spectacular_settings.APPEND_COMPONENTS)
+
+    # This is a workaround for authentik/stages/prompt/stage.py
+    # since the serializer PromptChallengeResponse
+    # accepts dynamic keys
+    for component in result["components"]["schemas"]:
+        if component == "PromptChallengeResponseRequest":
+            comp = result["components"]["schemas"][component]
+            comp["additionalProperties"] = {}
+    return result

authentik/api/v3/schema/search.py

@@ -0,0 +1,20 @@
+from typing import TYPE_CHECKING
+
+from drf_spectacular.plumbing import ResolvedComponent, build_object_type
+
+if TYPE_CHECKING:
+    from drf_spectacular.generators import SchemaGenerator
+
+
+AUTOCOMPLETE_SCHEMA = ResolvedComponent(
+    name="Autocomplete",
+    object="Autocomplete",
+    type=ResolvedComponent.SCHEMA,
+    schema=build_object_type(additionalProperties={}),
+)
+
+
+def postprocess_schema_search_autocomplete(result, generator: SchemaGenerator, **kwargs):
+    generator.registry.register_on_missing(AUTOCOMPLETE_SCHEMA)
+
+    return result

authentik/blueprints/api.py

@@ -1,24 +1,60 @@
 """Serializer mixin for managed models"""
 
+from typing import cast
+
+from django.conf import settings
+from django.core.files.uploadedfile import InMemoryUploadedFile
 from django.utils.translation import gettext_lazy as _
 from drf_spectacular.utils import extend_schema, inline_serializer
 from rest_framework.decorators import action
-from rest_framework.exceptions import ValidationError
-from rest_framework.fields import CharField, DateTimeField
+from rest_framework.exceptions import PermissionDenied, ValidationError
+from rest_framework.fields import (
+    BooleanField,
+    CharField,
+    DateTimeField,
+    FileField,
+)
+from rest_framework.parsers import MultiPartParser
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.serializers import ListSerializer
 from rest_framework.viewsets import ModelViewSet
 
+from authentik.api.validation import validate
 from authentik.blueprints.models import BlueprintInstance
+from authentik.blueprints.v1.common import Blueprint
 from authentik.blueprints.v1.importer import Importer
 from authentik.blueprints.v1.oci import OCI_PREFIX
 from authentik.blueprints.v1.tasks import apply_blueprint, blueprints_find_dict
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import JSONDictField, ModelSerializer, PassiveSerializer
+from authentik.core.models import User
+from authentik.events.logs import LogEventSerializer
 from authentik.rbac.decorators import permission_required
 
 
+def get_blueprints():
+    if settings.DEBUG:
+        return blueprints_find_dict()
+    return blueprints_find_dict.send().get_result(block=True)
+
+
+class BlueprintUploadSerializer(PassiveSerializer):
+    """Serializer to upload file"""
+
+    file = FileField(required=False)
+    path = CharField(required=False)
+
+    def validate_path(self, path: str) -> str:
+        """Ensure the path (if set) specified is retrievable"""
+        if path == "":
+            return path
+        files: list[dict] = get_blueprints()
+        if path not in [file["path"] for file in files]:
+            raise ValidationError(_("Blueprint file does not exist"))
+        return path
+
+
 class ManagedSerializer:
     """Managed Serializer"""
 
@@ -39,7 +75,7 @@ class BlueprintInstanceSerializer(ModelSerializer):
         """Ensure the path (if set) specified is retrievable"""
         if path == "" or path.startswith(OCI_PREFIX):
             return path
-        files: list[dict] = blueprints_find_dict.send().get_result(block=True)
+        files: list[dict] = get_blueprints()
         if path not in [file["path"] for file in files]:
             raise ValidationError(_("Blueprint file does not exist"))
         return path
@@ -88,6 +124,33 @@ class BlueprintInstanceSerializer(ModelSerializer):
         }
 
 
+def check_blueprint_perms(blueprint: Blueprint, user: User, explicit_action: str | None = None):
+    """Check for individual permissions for each model in a blueprint"""
+    for entry in blueprint.entries:
+        full_model = entry.get_model(blueprint)
+        app, __, model = full_model.partition(".")
+        perms = [
+            f"{app}.add_{model}",
+            f"{app}.change_{model}",
+            f"{app}.delete_{model}",
+        ]
+        if explicit_action:
+            perms = [f"{app}.{explicit_action}_{model}"]
+        for perm in perms:
+            if not user.has_perm(perm):
+                raise PermissionDenied(
+                    {
+                        entry.id: _(
+                            "User lacks permission to create {model}".format_map(
+                                {
+                                    "model": full_model,
+                                }
+                            )
+                        )
+                    }
+                )
+
+
 class BlueprintInstanceViewSet(UsedByMixin, ModelViewSet):
     """Blueprint instances"""
 
@@ -97,6 +160,12 @@ class BlueprintInstanceViewSet(UsedByMixin, ModelViewSet):
     filterset_fields = ["name", "path"]
     ordering = ["name"]
 
+    class BlueprintImportResultSerializer(PassiveSerializer):
+        """Logs of an attempted blueprint import"""
+
+        logs = LogEventSerializer(many=True, read_only=True)
+        success = BooleanField(read_only=True)
+
     @extend_schema(
         responses={
             200: ListSerializer(
@@ -115,7 +184,7 @@ class BlueprintInstanceViewSet(UsedByMixin, ModelViewSet):
     @action(detail=False, pagination_class=None, filter_backends=[])
     def available(self, request: Request) -> Response:
         """Get blueprints"""
-        files: list[dict] = blueprints_find_dict.send().get_result(block=True)
+        files: list[dict] = get_blueprints()
         return Response(files)
 
     @permission_required("authentik_blueprints.view_blueprintinstance")
@@ -131,3 +200,53 @@ class BlueprintInstanceViewSet(UsedByMixin, ModelViewSet):
         blueprint = self.get_object()
         apply_blueprint.send_with_options(args=(blueprint.pk,), rel_obj=blueprint)
         return self.retrieve(request, *args, **kwargs)
+
+    @extend_schema(
+        request={"multipart/form-data": BlueprintUploadSerializer},
+        responses={
+            204: BlueprintImportResultSerializer,
+            400: BlueprintImportResultSerializer,
+        },
+    )
+    @action(url_path="import", detail=False, methods=["POST"], parser_classes=(MultiPartParser,))
+    @validate(
+        BlueprintUploadSerializer,
+    )
+    def import_(self, request: Request, body: BlueprintUploadSerializer) -> Response:
+        """Import blueprint from .yaml file and apply it once, without creating an instance"""
+        string_contents = ""
+        if body.validated_data.get("file"):
+            file = cast(InMemoryUploadedFile, body.validated_data["file"])
+            string_contents = file.read().decode()
+        elif body.validated_data.get("path"):
+            string_contents = BlueprintInstance(
+                path=body.validated_data.get("path")
+            ).retrieve_file()
+        else:
+            raise ValidationError("Either path or file must be set")
+        importer = Importer.from_string(string_contents)
+
+        check_blueprint_perms(importer.blueprint, request.user)
+
+        valid, logs = importer.validate()
+
+        import_response = self.BlueprintImportResultSerializer(
+            data={
+                "logs": [],
+                "success": False,
+            }
+        )
+        import_response.is_valid(raise_exception=True)
+
+        import_response.initial_data["logs"] = [LogEventSerializer(log).data for log in logs]
+        import_response.initial_data["success"] = valid
+        import_response.is_valid()
+        if not valid:
+            return Response(data=import_response.initial_data, status=200)
+
+        successful = importer.apply()
+        import_response.initial_data["success"] = successful
+        import_response.is_valid()
+        if not successful:
+            return Response(data=import_response.initial_data, status=200)
+        return Response(data=import_response.initial_data, status=200)

authentik/common/oauth/constants.py

@@ -21,6 +21,9 @@ PROMPT_CONSENT = "consent"
 PROMPT_LOGIN = "login"
 
 PLAN_CONTEXT_OIDC_LOGOUT_IFRAME_SESSIONS = "goauthentik.io/providers/oauth2/iframe_sessions"
+PLAN_CONTEXT_POST_LOGOUT_REDIRECT_URI = "goauthentik.io/providers/oauth2/post_logout_redirect_uri"
+
+OAUTH2_BINDING = "redirect"
 
 SCOPE_OPENID = "openid"
 SCOPE_OPENID_PROFILE = "profile"
@@ -37,6 +40,9 @@ TOKEN_TYPE = "Bearer"  # nosec
 
 SCOPE_AUTHENTIK_API = "goauthentik.io/api"
 
+# URI schemes that are forbidden for redirect URIs
+FORBIDDEN_URI_SCHEMES = {"javascript", "data", "vbscript"}
+
 # Read/write full user (including email)
 SCOPE_GITHUB_USER = "user"
 # Read user (without email)

authentik/core/api/applications.py

@@ -25,6 +25,7 @@ from authentik.core.api.providers import ProviderSerializer
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.users import UserSerializer
 from authentik.core.api.utils import ModelSerializer, ThemedUrlsSerializer
+from authentik.core.apps import AppAccessWithoutBindings
 from authentik.core.models import Application, User
 from authentik.events.logs import LogEventSerializer, capture_logs
 from authentik.policies.api.exec import PolicyTestResultSerializer
@@ -47,7 +48,12 @@ class ApplicationSerializer(ModelSerializer):
     """Application Serializer"""
 
     launch_url = SerializerMethodField()
-    provider_obj = ProviderSerializer(source="get_provider", required=False, read_only=True)
+    provider_obj = ProviderSerializer(
+        source="get_provider",
+        required=False,
+        read_only=True,
+        allow_null=True,
+    )
     backchannel_providers_obj = ProviderSerializer(
         source="backchannel_providers", required=False, read_only=True, many=True
     )
@@ -163,6 +169,7 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
             request.user = user
         for application in paginated_apps:
             engine = PolicyEngine(application, request.user, request)
+            engine.empty_result = AppAccessWithoutBindings.get()
             engine.build()
             if engine.passing:
                 applications.append(application)
@@ -220,6 +227,7 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
             if not for_user:
                 raise ValidationError({"for_user": "User not found"})
         engine = PolicyEngine(application, for_user, request)
+        engine.empty_result = AppAccessWithoutBindings.get()
         engine.use_cache = False
         with capture_logs() as logs:
             engine.build()

authentik/core/api/groups.py

@@ -7,6 +7,7 @@ from django.http import Http404
 from django.utils.translation import gettext as _
 from django_filters.filters import CharFilter, ModelMultipleChoiceFilter
 from django_filters.filterset import FilterSet
+from djangoql.schema import BoolField, StrField
 from drf_spectacular.utils import (
     OpenApiParameter,
     OpenApiResponse,
@@ -25,6 +26,9 @@ from rest_framework.serializers import ListSerializer, ValidationError
 from rest_framework.viewsets import ModelViewSet
 
 from authentik.api.authentication import TokenAuthentication
+from authentik.api.search.fields import (
+    JSONSearchField,
+)
 from authentik.api.validation import validate
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import JSONDictField, ModelSerializer, PassiveSerializer
@@ -265,12 +269,6 @@ class GroupViewSet(UsedByMixin, ModelViewSet):
     ]
 
     def get_ql_fields(self):
-        from djangoql.schema import BoolField, StrField
-
-        from authentik.enterprise.search.fields import (
-            JSONSearchField,
-        )
-
         return [
             StrField(Group, "name"),
             BoolField(Group, "is_superuser", nullable=True),

authentik/core/api/tokens.py

@@ -1,5 +1,6 @@
 """Tokens API Viewset"""
 
+from datetime import timedelta
 from typing import Any
 
 from django.utils.timezone import now
@@ -18,12 +19,15 @@ from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.users import UserSerializer
 from authentik.core.api.utils import ModelSerializer, PassiveSerializer
 from authentik.core.models import (
+    USER_ATTRIBUTE_AGENT_OWNER_PK,
+    USER_ATTRIBUTE_IS_AGENT,
     USER_ATTRIBUTE_TOKEN_EXPIRING,
     USER_ATTRIBUTE_TOKEN_MAXIMUM_LIFETIME,
     Token,
     TokenIntents,
     User,
     default_token_duration,
+    default_token_key,
 )
 from authentik.events.models import Event, EventAction
 from authentik.events.utils import model_to_dict
@@ -124,7 +128,7 @@ class TokenViewSet(UsedByMixin, ModelViewSet):
     """Token Viewset"""
 
     lookup_field = "identifier"
-    queryset = Token.objects.all()
+    queryset = Token.objects.including_expired().all()
     serializer_class = TokenSerializer
     search_fields = [
         "identifier",
@@ -171,6 +175,33 @@ class TokenViewSet(UsedByMixin, ModelViewSet):
         Event.new(EventAction.SECRET_VIEW, secret=token).from_http(request)  # noqa # nosec
         return Response(TokenViewSerializer({"key": token.key}).data)
 
+    @extend_schema(
+        request=None,
+        responses={
+            200: TokenViewSerializer(many=False),
+            403: OpenApiResponse(description="Not the token owner, agent owner, or superuser"),
+        },
+    )
+    @action(detail=True, pagination_class=None, filter_backends=[], methods=["POST"])
+    def rotate(self, request: Request, identifier: str) -> Response:
+        """Rotate the token key and reset the expiry to 24 hours. Only callable by the token
+        owner, the owning agent's human owner, or a superuser."""
+        token: Token = self.get_object()
+
+        if not request.user.is_superuser:
+            is_token_owner = token.user_id == request.user.pk
+            is_agent_owner = token.user.attributes.get(USER_ATTRIBUTE_IS_AGENT) and str(
+                request.user.pk
+            ) == token.user.attributes.get(USER_ATTRIBUTE_AGENT_OWNER_PK)
+            if not is_token_owner and not is_agent_owner:
+                return Response(status=403)
+
+        token.key = default_token_key()
+        token.expires = now() + timedelta(hours=24)
+        token.save()
+        Event.new(EventAction.SECRET_ROTATE, secret=token).from_http(request)  # noqa # nosec
+        return Response(TokenViewSerializer({"key": token.key}).data)
+
     @permission_required("authentik_core.set_token_key")
     @extend_schema(
         request=TokenSetKeySerializer(),

authentik/core/api/transactional_applications.py

@@ -2,9 +2,8 @@
 
 from django.apps import apps
 from django.db.models import Model
-from django.utils.translation import gettext as _
 from drf_spectacular.utils import PolymorphicProxySerializer, extend_schema, extend_schema_field
-from rest_framework.exceptions import PermissionDenied, ValidationError
+from rest_framework.exceptions import ValidationError
 from rest_framework.fields import BooleanField, CharField, ChoiceField, DictField, ListField
 from rest_framework.permissions import IsAuthenticated
 from rest_framework.request import Request
@@ -13,6 +12,7 @@ from rest_framework.views import APIView
 from yaml import ScalarNode
 
 from authentik.api.validation import validate
+from authentik.blueprints.api import check_blueprint_perms
 from authentik.blueprints.v1.common import (
     Blueprint,
     BlueprintEntry,
@@ -165,21 +165,7 @@ class TransactionalApplicationView(APIView):
     def put(self, request: Request, body: TransactionApplicationSerializer) -> Response:
         """Convert data into a blueprint, validate it and apply it"""
         blueprint: Blueprint = body.validated_data
-        for entry in blueprint.entries:
-            full_model = entry.get_model(blueprint)
-            app, __, model = full_model.partition(".")
-            if not request.user.has_perm(f"{app}.add_{model}"):
-                raise PermissionDenied(
-                    {
-                        entry.id: _(
-                            "User lacks permission to create {model}".format_map(
-                                {
-                                    "model": full_model,
-                                }
-                            )
-                        )
-                    }
-                )
+        check_blueprint_perms(blueprint, request.user, explicit_action="add")
         importer = Importer(blueprint, {})
         applied = importer.apply()
         response = {"applied": False, "logs": []}

authentik/core/api/users.py

@@ -22,6 +22,7 @@ from django_filters.filters import (
     UUIDFilter,
 )
 from django_filters.filterset import FilterSet
+from djangoql.schema import BoolField, StrField
 from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import (
     OpenApiParameter,
@@ -55,6 +56,10 @@ from rest_framework.viewsets import ModelViewSet
 from structlog.stdlib import get_logger
 
 from authentik.api.authentication import TokenAuthentication
+from authentik.api.search.fields import (
+    ChoiceSearchField,
+    JSONSearchField,
+)
 from authentik.api.validation import validate
 from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT
 from authentik.brands.models import Brand
@@ -70,9 +75,14 @@ from authentik.core.middleware import (
     SESSION_KEY_IMPERSONATE_USER,
 )
 from authentik.core.models import (
+    USER_ATTRIBUTE_AGENT_ALLOWED_APPS,
+    USER_ATTRIBUTE_AGENT_OWNER_PK,
+    USER_ATTRIBUTE_IS_AGENT,
     USER_ATTRIBUTE_TOKEN_EXPIRING,
+    USER_PATH_AGENT,
     USER_PATH_SERVICE_ACCOUNT,
     USERNAME_MAX_LENGTH,
+    Application,
     Group,
     Session,
     Token,
@@ -81,6 +91,7 @@ from authentik.core.models import (
     UserTypes,
     default_token_duration,
 )
+from authentik.core.apps import AppAccessWithoutBindings
 from authentik.endpoints.connectors.agent.auth import AgentAuth
 from authentik.events.models import Event, EventAction
 from authentik.flows.exceptions import FlowNonApplicableException
@@ -90,6 +101,7 @@ from authentik.flows.views.executor import QS_KEY_TOKEN
 from authentik.lib.avatars import get_avatar
 from authentik.lib.utils.reflection import ConditionalInheritance
 from authentik.lib.utils.time import timedelta_from_string, timedelta_string_validator
+from authentik.policies.engine import PolicyEngine
 from authentik.rbac.api.roles import RoleSerializer
 from authentik.rbac.decorators import permission_required
 from authentik.rbac.models import Role, get_permission_choices
@@ -244,8 +256,27 @@ class UserSerializer(ModelSerializer):
             raise ValidationError(_("Can't change internal service account to other user type."))
         if not self.instance and user_type == UserTypes.INTERNAL_SERVICE_ACCOUNT.value:
             raise ValidationError(_("Setting a user to internal service account is not allowed."))
+        if (
+            self.instance
+            and self.instance.attributes.get(USER_ATTRIBUTE_IS_AGENT)
+            and user_type != UserTypes.SERVICE_ACCOUNT.value
+        ):
+            raise ValidationError(_("Can't change agent user to other user type."))
         return user_type
 
+    def validate_attributes(self, attrs: dict) -> dict:
+        """Prevent removal of agent marker or change of agent owner"""
+        if not self.instance:
+            return attrs
+        if self.instance.attributes.get(USER_ATTRIBUTE_IS_AGENT):
+            if not attrs.get(USER_ATTRIBUTE_IS_AGENT):
+                raise ValidationError(_("Can't remove agent marker from agent user."))
+            existing_owner = self.instance.attributes.get(USER_ATTRIBUTE_AGENT_OWNER_PK)
+            new_owner = attrs.get(USER_ATTRIBUTE_AGENT_OWNER_PK)
+            if existing_owner is not None and new_owner != existing_owner:
+                raise ValidationError(_("Can't change owner of agent user."))
+        return attrs
+
     def validate(self, attrs: dict) -> dict:
         if self.instance and self.instance.type == UserTypes.INTERNAL_SERVICE_ACCOUNT:
             raise ValidationError(_("Can't modify internal service account users"))
@@ -400,6 +431,24 @@ class UserServiceAccountSerializer(PassiveSerializer):
     )
 
 
+class UserAgentSerializer(PassiveSerializer):
+    """Payload to create an agent user"""
+
+    name = CharField(
+        required=True,
+        validators=[UniqueValidator(queryset=User.objects.all().order_by("username"))],
+    )
+
+
+class UserAgentAllowedAppsSerializer(PassiveSerializer):
+    """Payload to replace the allowed application list for an agent user"""
+
+    allowed_apps = ListField(
+        child=UUIDField(),
+        help_text="List of application UUIDs the agent is permitted to access.",
+    )
+
+
 class UserRecoveryLinkSerializer(PassiveSerializer):
     """Payload to create a recovery link"""
 
@@ -524,13 +573,6 @@ class UserViewSet(
     ]
 
     def get_ql_fields(self):
-        from djangoql.schema import BoolField, StrField
-
-        from authentik.enterprise.search.fields import (
-            ChoiceSearchField,
-            JSONSearchField,
-        )
-
         return [
             StrField(User, "username"),
             StrField(User, "name"),
@@ -693,6 +735,175 @@ class UserViewSet(
                     status=500,
                 )
 
+    @permission_required(None, ["authentik_core.add_agent_user"])
+    @extend_schema(
+        request=UserAgentSerializer,
+        responses={
+            200: inline_serializer(
+                "UserAgentResponse",
+                {
+                    "username": CharField(required=True),
+                    "token": CharField(required=True),
+                    "user_uid": CharField(required=True),
+                    "user_pk": IntegerField(required=True),
+                },
+            )
+        },
+    )
+    @action(
+        detail=False,
+        methods=["POST"],
+        pagination_class=None,
+        filter_backends=[],
+    )
+    @validate(UserAgentSerializer)
+    def agent(self, request: Request, body: UserAgentSerializer) -> Response:
+        """Create a new agent user. Enterprise only. Caller must be an internal user."""
+        from authentik.enterprise.license import LicenseKey
+
+        if not LicenseKey.cached_summary().status.is_valid:
+            raise ValidationError(_("Enterprise is required to use this endpoint."))
+
+        if request.user.type != UserTypes.INTERNAL:
+            raise ValidationError(_("Only internal users can create agent users."))
+
+        username = body.validated_data["name"]
+        with atomic():
+            try:
+                user: User = User.objects.create(
+                    username=username,
+                    name=username,
+                    type=UserTypes.SERVICE_ACCOUNT,
+                    attributes={
+                        USER_ATTRIBUTE_IS_AGENT: True,
+                        USER_ATTRIBUTE_AGENT_OWNER_PK: str(request.user.pk),
+                        USER_ATTRIBUTE_AGENT_ALLOWED_APPS: [],
+                    },
+                    path=USER_PATH_AGENT,
+                )
+                user.set_unusable_password()
+                user.save()
+
+                token = Token.objects.create(
+                    identifier=slugify(f"agent-{username}-token"),
+                    intent=TokenIntents.INTENT_API,
+                    user=user,
+                    expires=now() + timedelta(hours=24),
+                    expiring=True,
+                )
+                # Allow the agent to read its own rotated token key
+                user.assign_perms_to_managed_role("authentik_core.view_token_key", token)
+
+                return Response(
+                    {
+                        "username": user.username,
+                        "user_uid": user.uid,
+                        "user_pk": user.pk,
+                        "token": token.key,
+                    }
+                )
+            except IntegrityError as exc:
+                error_msg = str(exc).lower()
+                if "unique" in error_msg:
+                    return Response(
+                        data={
+                            "non_field_errors": [
+                                _("A user with this username already exists")
+                            ]
+                        },
+                        status=400,
+                    )
+                else:
+                    LOGGER.warning("Agent user creation failed", exc=exc)
+                    return Response(
+                        data={"non_field_errors": [_("Unable to create user")]},
+                        status=400,
+                    )
+            except (ValueError, TypeError) as exc:
+                LOGGER.error("Unexpected error during agent user creation", exc=exc)
+                return Response(
+                    data={"non_field_errors": [_("Unknown error occurred")]},
+                    status=500,
+                )
+
+    @extend_schema(
+        request=UserAgentAllowedAppsSerializer,
+        responses={
+            200: UserAgentAllowedAppsSerializer,
+            400: OpenApiResponse(description="Invalid app UUIDs or owner lacks access"),
+            403: OpenApiResponse(description="Not the agent's owner or superuser"),
+        },
+    )
+    @action(
+        detail=True,
+        methods=["PUT"],
+        url_path="agent_allowed_apps",
+        url_name="agent-allowed-apps",
+        pagination_class=None,
+        filter_backends=[],
+    )
+    @validate(UserAgentAllowedAppsSerializer)
+    def agent_allowed_apps(
+        self, request: Request, pk: int, body: UserAgentAllowedAppsSerializer
+    ) -> Response:
+        """Replace the allowed application list for an agent user.
+        Caller must be the agent's owner or a superuser. Each supplied application UUID
+        is validated against the owner's current access."""
+        agent: User = self.get_object()
+
+        if not agent.attributes.get(USER_ATTRIBUTE_IS_AGENT):
+            return Response(
+                data={"non_field_errors": [_("User is not an agent user.")]},
+                status=400,
+            )
+
+        owner_pk = agent.attributes.get(USER_ATTRIBUTE_AGENT_OWNER_PK)
+        is_owner = str(request.user.pk) == owner_pk
+        if not request.user.is_superuser and not is_owner:
+            return Response(status=403)
+
+        try:
+            owner = User.objects.get(pk=owner_pk)
+        except User.DoesNotExist:
+            return Response(
+                data={"non_field_errors": [_("Agent owner not found.")]},
+                status=400,
+            )
+
+        app_uuids = body.validated_data["allowed_apps"]
+        errors = []
+        for app_uuid in app_uuids:
+            try:
+                app = Application.objects.get(pk=app_uuid)
+            except Application.DoesNotExist:
+                errors.append(str(app_uuid))
+                continue
+            engine = PolicyEngine(app, owner, request)
+            engine.empty_result = AppAccessWithoutBindings.get()
+            engine.use_cache = False
+            engine.build()
+            if not engine.passing:
+                errors.append(str(app_uuid))
+
+        if errors:
+            return Response(
+                data={
+                    "allowed_apps": [
+                        _(
+                            "Owner does not have access to application %(uuid)s "
+                            "or application does not exist."
+                        )
+                        % {"uuid": uuid}
+                        for uuid in errors
+                    ]
+                },
+                status=400,
+            )
+
+        agent.attributes[USER_ATTRIBUTE_AGENT_ALLOWED_APPS] = [str(u) for u in app_uuids]
+        agent.save(update_fields=["attributes"])
+        return Response({"allowed_apps": [str(u) for u in app_uuids]})
+
     @extend_schema(responses={200: SessionUserSerializer(many=False)})
     @action(
         url_path="me",

authentik/core/apps.py

@@ -1,7 +1,20 @@
 """authentik core app config"""
 
+from django.utils.translation import gettext_lazy as _
+
 from authentik.blueprints.apps import ManagedAppConfig
 from authentik.tasks.schedules.common import ScheduleSpec
+from authentik.tenants.flags import Flag
+
+
+class AppAccessWithoutBindings(Flag[bool], key="core_default_app_access"):
+
+    default = True
+    visibility = "none"
+    description = _(
+        "Configure if applications without any policy/group/user bindings "
+        "should be accessible to any user."
+    )
 
 
 class AuthentikCoreConfig(ManagedAppConfig):

authentik/core/auth.py

@@ -81,7 +81,7 @@ class TokenBackend(InbuiltBackend):
             User().set_password(password, request=request)
             return None
 
-        tokens = Token.filter_not_expired(
+        tokens = Token.objects.filter(
             user=user, key=password, intent=TokenIntents.INTENT_APP_PASSWORD
         )
         if not tokens.exists():

authentik/core/migrations/0058_user_add_agent_user_permission.py

@@ -0,0 +1,27 @@
+"""Add add_agent_user permission to User model"""
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_core", "0057_remove_user_groups_remove_user_user_permissions_and_more"),
+    ]
+
+    operations = [
+        migrations.AlterModelOptions(
+            name="user",
+            options={
+                "permissions": [
+                    ("reset_user_password", "Reset Password"),
+                    ("impersonate", "Can impersonate other users"),
+                    ("preview_user", "Can preview user data sent to providers"),
+                    ("view_user_applications", "View applications the user has access to"),
+                    ("add_agent_user", "Can create agent users"),
+                ],
+                "verbose_name": "User",
+                "verbose_name_plural": "Users",
+            },
+        ),
+    ]

authentik/core/models.py

@@ -2,7 +2,7 @@
 
 import re
 import traceback
-from datetime import datetime, timedelta
+from datetime import datetime
 from enum import StrEnum
 from hashlib import sha256
 from typing import Any, Self
@@ -16,7 +16,7 @@ from django.contrib.auth.models import UserManager as DjangoUserManager
 from django.contrib.sessions.base_session import AbstractBaseSession
 from django.core.validators import validate_slug
 from django.db import models
-from django.db.models import Q, QuerySet, options
+from django.db.models import Manager, Q, QuerySet, options
 from django.http import HttpRequest
 from django.utils.functional import cached_property
 from django.utils.timezone import now
@@ -45,6 +45,7 @@ from authentik.lib.models import (
     SerializerModel,
 )
 from authentik.lib.utils.inheritance import get_deepest_child
+from authentik.lib.utils.reflection import class_to_path
 from authentik.lib.utils.time import timedelta_from_string
 from authentik.policies.models import PolicyBindingModel
 from authentik.rbac.models import Role
@@ -65,7 +66,12 @@ USER_ATTRIBUTE_TOKEN_MAXIMUM_LIFETIME = f"{_USER_ATTR_PREFIX}/token-maximum-life
 USER_ATTRIBUTE_CHANGE_USERNAME = f"{_USER_ATTR_PREFIX}/can-change-username"
 USER_ATTRIBUTE_CHANGE_NAME = f"{_USER_ATTR_PREFIX}/can-change-name"
 USER_ATTRIBUTE_CHANGE_EMAIL = f"{_USER_ATTR_PREFIX}/can-change-email"
+_USER_ATTR_AGENT_PREFIX = f"{USER_PATH_SYSTEM_PREFIX}/agent"
+USER_ATTRIBUTE_IS_AGENT = f"{_USER_ATTR_AGENT_PREFIX}/is-agent"
+USER_ATTRIBUTE_AGENT_OWNER_PK = f"{_USER_ATTR_AGENT_PREFIX}/owner-pk"
+USER_ATTRIBUTE_AGENT_ALLOWED_APPS = f"{_USER_ATTR_AGENT_PREFIX}/allowed-apps"
 USER_PATH_SERVICE_ACCOUNT = f"{USER_PATH_SYSTEM_PREFIX}/service-accounts"
+USER_PATH_AGENT = f"{USER_PATH_SYSTEM_PREFIX}/agents"
 
 options.DEFAULT_NAMES = options.DEFAULT_NAMES + (
     # used_by API that allows models to specify if they shadow an object
@@ -384,6 +390,7 @@ class User(SerializerModel, AttributesMixin, AbstractUser):
             ("impersonate", _("Can impersonate other users")),
             ("preview_user", _("Can preview user data sent to providers")),
             ("view_user_applications", _("View applications the user has access to")),
+            ("add_agent_user", _("Can create agent users")),
         ]
         indexes = [
             models.Index(fields=["last_login"]),
@@ -517,7 +524,7 @@ class User(SerializerModel, AttributesMixin, AbstractUser):
     @property
     def ak_groups(self):
         """This is a proxy for a renamed, deprecated field."""
-        from authentik.events.models import Event, EventAction
+        from authentik.events.models import Event
 
         deprecation = "authentik.core.models.User.ak_groups"
         replacement = "authentik.core.models.User.groups"
@@ -544,21 +551,9 @@ class User(SerializerModel, AttributesMixin, AbstractUser):
             cause=cause,
             stacktrace=stacktrace,
         )
-        if not Event.filter_not_expired(
-            action=EventAction.CONFIGURATION_WARNING,
-            context__deprecation=deprecation,
-            context__cause=cause,
-        ).exists():
-            event = Event.new(
-                EventAction.CONFIGURATION_WARNING,
-                deprecation=deprecation,
-                replacement=replacement,
-                message=message_event,
-                cause=cause,
-            )
-            event.expires = datetime.now() + timedelta(days=30)
-            event.save()
-
+        Event.log_deprecation(
+            deprecation, message=message_event, cause=cause, replacement=replacement
+        )
         return self.groups
 
     def set_password(self, raw_password, signal=True, sender=None, request=None):
@@ -807,11 +802,11 @@ class Application(SerializerModel, PolicyBindingModel):
 
     def backchannel_provider_for[T: Provider](self, provider_type: type[T], **kwargs) -> T | None:
         """Get Backchannel provider for a specific type"""
-        providers = self.backchannel_providers.filter(
+        provider: BackchannelProvider | None = self.backchannel_providers.filter(
             **{f"{provider_type._meta.model_name}__isnull": False},
             **kwargs,
-        )
-        return getattr(providers.first(), provider_type._meta.model_name)
+        ).first()
+        return getattr(provider, provider_type._meta.model_name) if provider else None
 
     def __str__(self):
         return str(self.name)
@@ -1096,12 +1091,24 @@ class GroupSourceConnection(SerializerModel, CreatedUpdatedModel):
         unique_together = (("group", "source"),)
 
 
+class ExpiringManager(Manager):
+    """Manager for expiring objects which filters out expired objects by default"""
+
+    def get_queryset(self):
+        return QuerySet(self.model, using=self._db).exclude(expires__lt=now(), expiring=True)
+
+    def including_expired(self):
+        return QuerySet(self.model, using=self._db)
+
+
 class ExpiringModel(models.Model):
     """Base Model which can expire, and is automatically cleaned up."""
 
     expires = models.DateTimeField(default=None, null=True)
     expiring = models.BooleanField(default=True)
 
+    objects = ExpiringManager()
+
     class Meta:
         abstract = True
         indexes = [
@@ -1115,13 +1122,33 @@ class ExpiringModel(models.Model):
         default the object is deleted. This is less efficient compared
         to bulk deleting objects, but classes like Token() need to change
         values instead of being deleted."""
-        return self.delete(*args, **kwargs)
+        try:
+            return self.delete(*args, **kwargs)
+        except self.DoesNotExist:
+            # Object has already been deleted, so this should be fine
+            return None
 
     @classmethod
     def filter_not_expired(cls, **kwargs) -> QuerySet[Self]:
         """Filer for tokens which are not expired yet or are not expiring,
         and match filters in `kwargs`"""
-        for obj in cls.objects.filter(**kwargs).filter(Q(expires__lt=now(), expiring=True)):
+        from authentik.events.models import Event
+
+        deprecation_id = f"{class_to_path(cls)}.filter_not_expired"
+
+        Event.log_deprecation(
+            deprecation_id,
+            message=(
+                ".filter_not_expired() is deprecated as the default lookup now excludes "
+                "expired objects."
+            ),
+        )
+
+        for obj in (
+            cls.objects.including_expired()
+            .filter(**kwargs)
+            .filter(Q(expires__lt=now(), expiring=True))
+        ):
             obj.delete()
         return cls.objects.filter(**kwargs)
 

authentik/core/sessions.py

@@ -72,6 +72,7 @@ class SessionStore(SessionBase):
             #                  and their descriptors fail to initialize (e.g., missing storage)
             # TypeError - can happen with incompatible pickled objects
             # If any of these happen, just return an empty dictionary (an empty session)
+            LOGGER.warning("Failed to decode session data", exc_info=True)
             pass
         return {}
 

authentik/core/signals.py

@@ -11,12 +11,15 @@ from django.http.request import HttpRequest
 from structlog.stdlib import get_logger
 
 from authentik.core.models import (
+    USER_ATTRIBUTE_AGENT_OWNER_PK,
+    USER_ATTRIBUTE_IS_AGENT,
     Application,
     AuthenticatedSession,
     BackchannelProvider,
     ExpiringModel,
     Session,
     User,
+    UserTypes,
     default_token_duration,
 )
 from authentik.flows.apps import RefreshOtherFlowsAfterAuthentication
@@ -24,7 +27,8 @@ from authentik.root.ws.consumer import build_device_group
 
 # Arguments: user: User, password: str
 password_changed = Signal()
-# Arguments: credentials: dict[str, any], request: HttpRequest, stage: Stage
+# Arguments: credentials: dict[str, any], request: HttpRequest,
+#            stage: Stage, context: dict[str, any]
 login_failed = Signal()
 
 LOGGER = get_logger()
@@ -68,6 +72,38 @@ def authenticated_session_delete(sender: type[Model], instance: AuthenticatedSes
     Session.objects.filter(session_key=instance.pk).delete()
 
 
+def _agent_qs_for_owner(owner_pk: int):
+    """Return a queryset of agent users belonging to the given owner pk"""
+    return User.objects.filter(
+        type=UserTypes.SERVICE_ACCOUNT,
+        attributes__contains={
+            USER_ATTRIBUTE_IS_AGENT: True,
+            USER_ATTRIBUTE_AGENT_OWNER_PK: str(owner_pk),
+        },
+    )
+
+
+@receiver(post_delete, sender=User)
+def user_delete_cascade_agents(sender: type[Model], instance: User, **_):
+    """Delete agent users when their owner is deleted"""
+    _agent_qs_for_owner(instance.pk).delete()
+
+
+@receiver(post_save, sender=User)
+def user_save_propagate_agent_active(
+    sender: type[Model], instance: User, update_fields: frozenset[str] | None = None, **_
+):
+    """Propagate is_active changes to owned agent users"""
+    if update_fields is not None and "is_active" not in update_fields:
+        return
+    agents = _agent_qs_for_owner(instance.pk)
+    if not instance.is_active:
+        Session.objects.filter(
+            authenticatedsession__user__in=agents.filter(is_active=True)
+        ).delete()
+    agents.update(is_active=instance.is_active)
+
+
 @receiver(pre_save)
 def backchannel_provider_pre_save(sender: type[Model], instance: Model, **_):
     """Ensure backchannel providers have is_backchannel set to true"""

authentik/core/tasks.py

@@ -27,7 +27,10 @@ def clean_expired_models():
     for cls in ExpiringModel.__subclasses__():
         cls: ExpiringModel
         objects = (
-            cls.objects.all().exclude(expiring=False).exclude(expiring=True, expires__gt=now())
+            cls.objects.including_expired()
+            .all()
+            .exclude(expiring=False)
+            .exclude(expiring=True, expires__gt=now())
         )
         amount = objects.count()
         for obj in chunked_queryset(objects):

authentik/core/tests/test_interface_views.py

@@ -0,0 +1,101 @@
+"""Test interface view redirect behavior by user type"""
+
+from django.test import TestCase
+from django.urls import reverse
+
+from authentik.brands.models import Brand
+from authentik.core.models import Application, UserTypes
+from authentik.core.tests.utils import create_test_brand, create_test_user
+
+
+class TestInterfaceRedirects(TestCase):
+    """Test RootRedirectView and BrandDefaultRedirectView redirect logic by user type"""
+
+    def setUp(self):
+        self.app = Application.objects.create(name="test-app", slug="test-app")
+        self.brand: Brand = create_test_brand(default_application=self.app)
+
+    def _assert_redirects_to_app(self, url_name: str, user_type: UserTypes):
+        user = create_test_user(type=user_type)
+        self.client.force_login(user)
+        response = self.client.get(reverse(f"authentik_core:{url_name}"))
+        self.assertRedirects(
+            response,
+            reverse(
+                "authentik_core:application-launch", kwargs={"application_slug": self.app.slug}
+            ),
+            fetch_redirect_response=False,
+        )
+
+    def _assert_no_redirect(self, url_name: str, user_type: UserTypes):
+        """Internal users should not be redirected away."""
+        user = create_test_user(type=user_type)
+        self.client.force_login(user)
+        response = self.client.get(reverse(f"authentik_core:{url_name}"))
+        # Internal users get a 200 (rendered template) or redirect to if-user, not to the app
+        app_url = reverse(
+            "authentik_core:application-launch", kwargs={"application_slug": self.app.slug}
+        )
+        self.assertNotEqual(response.get("Location"), app_url)
+
+    # --- RootRedirectView ---
+
+    def test_root_redirect_external_user(self):
+        """External users are redirected to the default app from root"""
+        self._assert_redirects_to_app("root-redirect", UserTypes.EXTERNAL)
+
+    def test_root_redirect_service_account(self):
+        """Service accounts are redirected to the default app from root"""
+        self._assert_redirects_to_app("root-redirect", UserTypes.SERVICE_ACCOUNT)
+
+    def test_root_redirect_internal_service_account(self):
+        """Internal service accounts are redirected to the default app from root"""
+        self._assert_redirects_to_app("root-redirect", UserTypes.INTERNAL_SERVICE_ACCOUNT)
+
+    def test_root_redirect_internal_user(self):
+        """Internal users are NOT redirected to the app from root"""
+        self._assert_no_redirect("root-redirect", UserTypes.INTERNAL)
+
+    # --- BrandDefaultRedirectView (if/user/) ---
+
+    def test_if_user_external_user(self):
+        """External users are redirected to the default app from if/user/"""
+        self._assert_redirects_to_app("if-user", UserTypes.EXTERNAL)
+
+    def test_if_user_service_account(self):
+        """Service accounts are redirected to the default app from if/user/"""
+        self._assert_redirects_to_app("if-user", UserTypes.SERVICE_ACCOUNT)
+
+    def test_if_user_internal_service_account(self):
+        """Internal service accounts are redirected to the default app from if/user/"""
+        self._assert_redirects_to_app("if-user", UserTypes.INTERNAL_SERVICE_ACCOUNT)
+
+    def test_if_user_internal_user(self):
+        """Internal users are NOT redirected to the app from if/user/"""
+        self._assert_no_redirect("if-user", UserTypes.INTERNAL)
+
+    # --- BrandDefaultRedirectView (if/admin/) ---
+
+    def test_if_admin_service_account(self):
+        """Service accounts are redirected to the default app from if/admin/"""
+        self._assert_redirects_to_app("if-admin", UserTypes.SERVICE_ACCOUNT)
+
+    def test_if_admin_internal_service_account(self):
+        """Internal service accounts are redirected to the default app from if/admin/"""
+        self._assert_redirects_to_app("if-admin", UserTypes.INTERNAL_SERVICE_ACCOUNT)
+
+    def test_if_admin_internal_user(self):
+        """Internal users are NOT redirected to the app from if/admin/"""
+        self._assert_no_redirect("if-admin", UserTypes.INTERNAL)
+
+    # --- No default app set ---
+
+    def test_service_account_no_default_app_access_denied(self):
+        """Service accounts get access denied when no default app is configured"""
+        self.brand.default_application = None
+        self.brand.save()
+        user = create_test_user(type=UserTypes.SERVICE_ACCOUNT)
+        self.client.force_login(user)
+        response = self.client.get(reverse("authentik_core:if-user"))
+        self.assertEqual(response.status_code, 200)
+        self.assertIn(b"Interface can only be accessed by internal users", response.content)

authentik/core/tests/test_models.py

@@ -9,6 +9,8 @@ from freezegun import freeze_time
 from guardian.shortcuts import get_anonymous_user
 
 from authentik.core.models import Provider, Source, Token
+from authentik.events.models import Event, EventAction
+from authentik.lib.generators import generate_id
 from authentik.lib.utils.reflection import all_subclasses
 
 
@@ -29,6 +31,22 @@ class TestModels(TestCase):
             freeze.tick(timedelta(seconds=1))
             self.assertFalse(token.is_expired)
 
+    def test_filter_not_expired_warning(self):
+        """Test filter_not_expired's deprecation message"""
+        id = generate_id()
+        Token.objects.create(
+            expires=now() - timedelta(hours=1),
+            expiring=True,
+            user=get_anonymous_user(),
+            identifier=id,
+        )
+        self.assertFalse(Token.filter_not_expired(identifier=id).exists())
+        event = Event.objects.filter(action=EventAction.CONFIGURATION_WARNING).first()
+        self.assertIsNotNone(event)
+        self.assertEqual(
+            event.context["deprecation"], "authentik.core.models.Token.filter_not_expired"
+        )
+
 
 def source_tester_factory(test_model: type[Source]) -> Callable:
     """Test source"""

authentik/core/tests/test_token_api.py

@@ -173,7 +173,7 @@ class TestTokenAPI(APITestCase):
 
     def test_list(self):
         """Test Token List (Test normal authentication)"""
-        Token.objects.all().delete()
+        Token.objects.including_expired().all().delete()
         token_should: Token = Token.objects.create(
             identifier="test", expiring=False, user=self.user
         )
@@ -185,7 +185,7 @@ class TestTokenAPI(APITestCase):
 
     def test_list_with_permission(self):
         """Test Token List (Test with `view_token` permission)"""
-        Token.objects.all().delete()
+        Token.objects.including_expired().all().delete()
         token_should: Token = Token.objects.create(
             identifier="test", expiring=False, user=self.user
         )
@@ -199,6 +199,50 @@ class TestTokenAPI(APITestCase):
         self.assertEqual(body["results"][0]["identifier"], token_should.identifier)
         self.assertEqual(body["results"][1]["identifier"], token_should_not.identifier)
 
+    def test_token_rotate_by_owner(self):
+        """Token owner can rotate their own token"""
+        token = Token.objects.create(
+            identifier=generate_id(),
+            intent=TokenIntents.INTENT_API,
+            user=self.user,
+            expiring=True,
+        )
+        original_key = token.key
+        response = self.client.post(
+            reverse("authentik_api:token-rotate", kwargs={"identifier": token.identifier}),
+        )
+        self.assertEqual(response.status_code, 200)
+        token.refresh_from_db()
+        self.assertNotEqual(token.key, original_key)
+        self.assertEqual(token.key, loads(response.content)["key"])
+
+    def test_token_rotate_by_superuser(self):
+        """Superuser can rotate any token"""
+        token = Token.objects.create(
+            identifier=generate_id(),
+            intent=TokenIntents.INTENT_API,
+            user=self.user,
+            expiring=True,
+        )
+        self.client.force_login(self.admin)
+        response = self.client.post(
+            reverse("authentik_api:token-rotate", kwargs={"identifier": token.identifier}),
+        )
+        self.assertEqual(response.status_code, 200)
+
+    def test_token_rotate_unauthorized(self):
+        """Non-owner cannot rotate another user's token"""
+        token = Token.objects.create(
+            identifier=generate_id(),
+            intent=TokenIntents.INTENT_API,
+            user=self.admin,
+            expiring=True,
+        )
+        response = self.client.post(
+            reverse("authentik_api:token-rotate", kwargs={"identifier": token.identifier}),
+        )
+        self.assertEqual(response.status_code, 403)
+
     def test_serializer_no_request(self):
         """Test serializer without request"""
         self.assertTrue(

authentik/core/tests/test_token_auth.py

@@ -1,6 +1,9 @@
 """Test token auth"""
 
+from datetime import timedelta
+
 from django.test import TestCase
+from django.utils.timezone import now
 
 from authentik.core.auth import TokenBackend
 from authentik.core.models import Token, TokenIntents, User
@@ -28,6 +31,15 @@ class TestTokenAuth(TestCase):
             TokenBackend().authenticate(self.request, "test-user", self.token.key), self.user
         )
 
+    def test_token_auth_expired(self):
+        """Test auth with token"""
+        self.token.expiring = True
+        self.token.expires = now() - timedelta(hours=1)
+        self.token.save()
+        self.assertEqual(
+            TokenBackend().authenticate(self.request, "test-user", self.token.key), None
+        )
+
     def test_token_auth_none(self):
         """Test auth with token (non-existent user)"""
         self.assertIsNone(

authentik/core/tests/test_users.py

@@ -2,7 +2,15 @@
 
 from django.test.testcases import TestCase
 
-from authentik.core.models import User
+from authentik.core.models import (
+    USER_ATTRIBUTE_AGENT_OWNER_PK,
+    USER_ATTRIBUTE_IS_AGENT,
+    USER_PATH_AGENT,
+    AuthenticatedSession,
+    Session,
+    User,
+    UserTypes,
+)
 from authentik.events.models import Event
 from authentik.lib.generators import generate_id
 
@@ -33,3 +41,92 @@ class TestUsers(TestCase):
         self.assertEqual(Event.objects.count(), 1)
         user.ak_groups.all()
         self.assertEqual(Event.objects.count(), 1)
+
+
+class TestAgentUserSignals(TestCase):
+    """Test signals related to agent user lifecycle"""
+
+    def _create_owner(self):
+        owner = User.objects.create(username=generate_id())
+        owner.set_unusable_password()
+        owner.save()
+        return owner
+
+    def _create_agent(self, owner):
+        agent = User.objects.create(
+            username=generate_id(),
+            type=UserTypes.SERVICE_ACCOUNT,
+            attributes={
+                USER_ATTRIBUTE_IS_AGENT: True,
+                USER_ATTRIBUTE_AGENT_OWNER_PK: str(owner.pk),
+            },
+            path=USER_PATH_AGENT,
+        )
+        agent.set_unusable_password()
+        agent.save()
+        return agent
+
+    def test_delete_owner_cascades_to_agents(self):
+        """Deleting an owner also deletes all their agent users"""
+        owner = self._create_owner()
+        agent1 = self._create_agent(owner)
+        agent2 = self._create_agent(owner)
+        other_owner = self._create_owner()
+        other_agent = self._create_agent(other_owner)
+
+        owner.delete()
+
+        self.assertFalse(User.objects.filter(pk=agent1.pk).exists())
+        self.assertFalse(User.objects.filter(pk=agent2.pk).exists())
+        self.assertTrue(User.objects.filter(pk=other_agent.pk).exists())
+
+    def test_deactivate_owner_deactivates_agents(self):
+        """Setting an owner inactive also marks all their agents inactive"""
+        owner = self._create_owner()
+        agent = self._create_agent(owner)
+
+        owner.is_active = False
+        owner.save(update_fields=["is_active"])
+
+        agent.refresh_from_db()
+        self.assertFalse(agent.is_active)
+
+    def test_reactivate_owner_reactivates_agents(self):
+        """Setting an owner active again also re-activates their agents"""
+        owner = self._create_owner()
+        owner.is_active = False
+        owner.save(update_fields=["is_active"])
+        agent = self._create_agent(owner)
+        agent.is_active = False
+        agent.save(update_fields=["is_active"])
+
+        owner.is_active = True
+        owner.save(update_fields=["is_active"])
+
+        agent.refresh_from_db()
+        self.assertTrue(agent.is_active)
+
+    def test_unrelated_owner_save_does_not_affect_agents(self):
+        """Saving an owner without changing is_active does not touch agents"""
+        owner = self._create_owner()
+        agent = self._create_agent(owner)
+        agent.is_active = False
+        agent.save(update_fields=["is_active"])
+
+        owner.name = generate_id()
+        owner.save(update_fields=["name"])
+
+        agent.refresh_from_db()
+        self.assertFalse(agent.is_active)
+
+    def test_deactivate_owner_clears_agent_sessions(self):
+        """Deactivating an owner removes authenticated sessions for their agents"""
+        owner = self._create_owner()
+        agent = self._create_agent(owner)
+        session = Session.objects.create(session_key=generate_id(), session_data="{}")
+        AuthenticatedSession.objects.create(user=agent, session=session)
+
+        owner.is_active = False
+        owner.save(update_fields=["is_active"])
+
+        self.assertFalse(Session.objects.filter(pk=session.pk).exists())

authentik/core/tests/test_users_api.py

@@ -3,16 +3,24 @@
 from datetime import datetime, timedelta
 from json import loads
 
+from unittest.mock import MagicMock, patch
+
 from django.urls.base import reverse
 from django.utils.timezone import now
 from rest_framework.test import APITestCase
 
 from authentik.brands.models import Brand
 from authentik.core.models import (
+    USER_ATTRIBUTE_AGENT_ALLOWED_APPS,
+    USER_ATTRIBUTE_AGENT_OWNER_PK,
+    USER_ATTRIBUTE_IS_AGENT,
     USER_ATTRIBUTE_TOKEN_EXPIRING,
+    USER_PATH_AGENT,
+    Application,
     AuthenticatedSession,
     Session,
     Token,
+    TokenIntents,
     User,
     UserTypes,
 )
@@ -878,3 +886,189 @@ class TestUsersAPI(APITestCase):
         self.assertIn(user2.pk, pks)
         # Verify user2 comes before user1 in descending order
         self.assertLess(pks.index(user2.pk), pks.index(user1.pk))
+
+
+class TestAgentUserAPI(APITestCase):
+    """Test agent user API"""
+
+    def setUp(self) -> None:
+        self.admin = create_test_admin_user()
+        self.admin.assign_perms_to_managed_role("authentik_core.add_agent_user")
+        self.user = create_test_user()
+
+    def _create_agent(self, name="test-agent", owner=None):
+        """Helper to create an agent user directly in the database"""
+        owner = owner or self.admin
+        agent = User.objects.create(
+            username=name,
+            name=name,
+            type=UserTypes.SERVICE_ACCOUNT,
+            attributes={
+                USER_ATTRIBUTE_IS_AGENT: True,
+                USER_ATTRIBUTE_AGENT_OWNER_PK: str(owner.pk),
+                USER_ATTRIBUTE_AGENT_ALLOWED_APPS: [],
+            },
+            path=USER_PATH_AGENT,
+        )
+        agent.set_unusable_password()
+        agent.save()
+        return agent
+
+    def test_agent_create(self):
+        """Agent user creation"""
+        self.client.force_login(self.admin)
+        with patch(
+            "authentik.enterprise.license.LicenseKey.cached_summary",
+            MagicMock(return_value=MagicMock(status=MagicMock(is_valid=True))),
+        ):
+            response = self.client.post(
+                reverse("authentik_api:user-agent"),
+                data={"name": "test-agent"},
+            )
+        self.assertEqual(response.status_code, 200)
+        agent = User.objects.get(username="test-agent")
+        self.assertEqual(agent.type, UserTypes.SERVICE_ACCOUNT)
+        self.assertEqual(agent.path, USER_PATH_AGENT)
+        self.assertTrue(agent.attributes.get(USER_ATTRIBUTE_IS_AGENT))
+        self.assertEqual(agent.attributes.get(USER_ATTRIBUTE_AGENT_OWNER_PK), str(self.admin.pk))
+        self.assertEqual(agent.attributes.get(USER_ATTRIBUTE_AGENT_ALLOWED_APPS), [])
+        self.assertFalse(agent.has_usable_password())
+        token = Token.objects.filter(user=agent, intent=TokenIntents.INTENT_API).first()
+        self.assertIsNotNone(token)
+        self.assertTrue(token.expiring)
+
+    def test_agent_create_no_license(self):
+        """Agent creation is rejected without a valid enterprise license"""
+        self.client.force_login(self.admin)
+        with patch(
+            "authentik.enterprise.license.LicenseKey.cached_summary",
+            MagicMock(return_value=MagicMock(status=MagicMock(is_valid=False))),
+        ):
+            response = self.client.post(
+                reverse("authentik_api:user-agent"),
+                data={"name": "test-agent"},
+            )
+        self.assertEqual(response.status_code, 400)
+
+    def test_agent_create_non_internal_user(self):
+        """Only internal users can create agent users"""
+        external = create_test_user()
+        external.type = UserTypes.EXTERNAL
+        external.save()
+        external.assign_perms_to_managed_role("authentik_core.add_agent_user")
+        self.client.force_login(external)
+        with patch(
+            "authentik.enterprise.license.LicenseKey.cached_summary",
+            MagicMock(return_value=MagicMock(status=MagicMock(is_valid=True))),
+        ):
+            response = self.client.post(
+                reverse("authentik_api:user-agent"),
+                data={"name": "test-agent"},
+            )
+        self.assertEqual(response.status_code, 400)
+
+    def test_agent_create_duplicate(self):
+        """Duplicate agent username returns a user-friendly error"""
+        self._create_agent("test-agent-dup")
+        self.client.force_login(self.admin)
+        with patch(
+            "authentik.enterprise.license.LicenseKey.cached_summary",
+            MagicMock(return_value=MagicMock(status=MagicMock(is_valid=True))),
+        ):
+            response = self.client.post(
+                reverse("authentik_api:user-agent"),
+                data={"name": "test-agent-dup"},
+            )
+        self.assertEqual(response.status_code, 400)
+
+    def test_agent_type_cannot_be_changed(self):
+        """Agent user type cannot be changed via the users API"""
+        agent = self._create_agent()
+        self.client.force_login(self.admin)
+        response = self.client.patch(
+            reverse("authentik_api:user-detail", kwargs={"pk": agent.pk}),
+            data={"type": UserTypes.INTERNAL},
+            content_type="application/json",
+        )
+        self.assertEqual(response.status_code, 400)
+
+    def test_agent_marker_cannot_be_removed(self):
+        """Agent is-agent attribute cannot be removed via the users API"""
+        agent = self._create_agent()
+        self.client.force_login(self.admin)
+        new_attrs = dict(agent.attributes)
+        del new_attrs[USER_ATTRIBUTE_IS_AGENT]
+        response = self.client.patch(
+            reverse("authentik_api:user-detail", kwargs={"pk": agent.pk}),
+            data={"attributes": new_attrs},
+            content_type="application/json",
+        )
+        self.assertEqual(response.status_code, 400)
+
+    def test_agent_owner_cannot_be_changed(self):
+        """Agent owner cannot be changed via the users API"""
+        agent = self._create_agent()
+        other = create_test_user()
+        self.client.force_login(self.admin)
+        new_attrs = dict(agent.attributes)
+        new_attrs[USER_ATTRIBUTE_AGENT_OWNER_PK] = str(other.pk)
+        response = self.client.patch(
+            reverse("authentik_api:user-detail", kwargs={"pk": agent.pk}),
+            data={"attributes": new_attrs},
+            content_type="application/json",
+        )
+        self.assertEqual(response.status_code, 400)
+
+    def test_agent_allowed_apps_update(self):
+        """Owner can update the agent's allowed apps list"""
+        agent = self._create_agent(owner=self.admin)
+        app = Application.objects.create(name=generate_id(), slug=generate_id())
+        self.client.force_login(self.admin)
+        response = self.client.put(
+            reverse("authentik_api:user-agent-allowed-apps", kwargs={"pk": agent.pk}),
+            data={"allowed_apps": [str(app.pk)]},
+            content_type="application/json",
+        )
+        self.assertEqual(response.status_code, 200)
+        agent.refresh_from_db()
+        self.assertIn(str(app.pk), agent.attributes[USER_ATTRIBUTE_AGENT_ALLOWED_APPS])
+
+    def test_agent_allowed_apps_update_unauthorized(self):
+        """Non-owner cannot update the agent's allowed apps list"""
+        other = create_test_user()
+        agent = self._create_agent(owner=other)
+        self.client.force_login(self.admin)
+        response = self.client.put(
+            reverse("authentik_api:user-agent-allowed-apps", kwargs={"pk": agent.pk}),
+            data={"allowed_apps": []},
+            content_type="application/json",
+        )
+        self.assertEqual(response.status_code, 403)
+
+    def test_agent_allowed_apps_update_non_agent(self):
+        """Endpoint rejects non-agent users"""
+        self.client.force_login(self.admin)
+        response = self.client.put(
+            reverse("authentik_api:user-agent-allowed-apps", kwargs={"pk": self.user.pk}),
+            data={"allowed_apps": []},
+            content_type="application/json",
+        )
+        self.assertEqual(response.status_code, 400)
+
+    def test_token_rotate_by_agent_owner(self):
+        """Agent owner can rotate the agent's token"""
+        agent = self._create_agent(owner=self.user)
+        token = Token.objects.create(
+            identifier=generate_id(),
+            intent=TokenIntents.INTENT_API,
+            user=agent,
+            expiring=True,
+        )
+        original_key = token.key
+        self.client.force_login(self.user)
+        response = self.client.post(
+            reverse("authentik_api:token-rotate", kwargs={"identifier": token.identifier}),
+        )
+        self.assertEqual(response.status_code, 200)
+        token.refresh_from_db()
+        self.assertNotEqual(token.key, original_key)

authentik/core/views/interface.py

@@ -26,7 +26,11 @@ class RootRedirectView(RedirectView):
     query_string = True
 
     def redirect_to_app(self, request: HttpRequest):
-        if request.user.is_authenticated and request.user.type == UserTypes.EXTERNAL:
+        if request.user.is_authenticated and request.user.type in (
+            UserTypes.EXTERNAL,
+            UserTypes.SERVICE_ACCOUNT,
+            UserTypes.INTERNAL_SERVICE_ACCOUNT,
+        ):
             brand: Brand = request.brand
             if brand.default_application:
                 return redirect(
@@ -62,7 +66,11 @@ class BrandDefaultRedirectView(InterfaceView):
     """By default redirect to default app"""
 
     def dispatch(self, request: HttpRequest, *args: Any, **kwargs: Any) -> HttpResponse:
-        if request.user.is_authenticated and request.user.type == UserTypes.EXTERNAL:
+        if request.user.is_authenticated and request.user.type in (
+            UserTypes.EXTERNAL,
+            UserTypes.SERVICE_ACCOUNT,
+            UserTypes.INTERNAL_SERVICE_ACCOUNT,
+        ):
             brand: Brand = request.brand
             if brand.default_application:
                 return redirect(

authentik/crypto/tasks.py

@@ -114,15 +114,16 @@ def certificate_discovery():
     discovered = 0
     for file in glob(CONFIG.get("cert_discovery_dir") + "/**", recursive=True):
         path = Path(file)
-        if not path.exists():
-            continue
-        if path.is_dir():
+        if not path.exists() or path.is_dir():
             continue
         # For certbot setups, we want to ignore archive.
         if "archive" in file:
             continue
-        # Support certbot's directory structure
-        if path.name in ["fullchain.pem", "privkey.pem"]:
+        # Handle additionalOutputFormats from cert-manager gracefully
+        if path.name in ["ca.crt", "tls-combined.pem", "key.der"]:
+            continue
+        # Support certbot & kubernetes.io/tls directory structure
+        if path.name in ["fullchain.pem", "privkey.pem", "tls.crt", "tls.key"]:
             cert_name = path.parent.name
         else:
             cert_name = path.name.replace(path.suffix, "")

authentik/crypto/tests.py

@@ -355,6 +355,16 @@ class TestCrypto(APITestCase):
             subject_alt_names=[],
             validity_days=3,
         )
+
+        name3 = generate_id()
+        builder3 = CertificateBuilder(name3)
+        with self.assertRaises(ValueError):
+            builder3.save()
+        builder3.build(
+            subject_alt_names=[],
+            validity_days=3,
+        )
+
         with TemporaryDirectory() as temp_dir:
             with open(f"{temp_dir}/foo.pem", "w+", encoding="utf-8") as _cert:
                 _cert.write(builder.certificate)
@@ -365,6 +375,8 @@ class TestCrypto(APITestCase):
                 _cert.write(builder2.certificate)
             with open(f"{temp_dir}/foo.bar/privkey.pem", "w+", encoding="utf-8") as _key:
                 _key.write(builder2.private_key)
+            with open(f"{temp_dir}/tls-combined.pem", "w+", encoding="utf-8") as _cert:
+                _cert.write(builder3.certificate)
             with CONFIG.patch("cert_discovery_dir", temp_dir):
                 certificate_discovery.send()
         keypair: CertificateKeyPair = CertificateKeyPair.objects.filter(
@@ -376,6 +388,9 @@ class TestCrypto(APITestCase):
         self.assertTrue(
             CertificateKeyPair.objects.filter(managed=MANAGED_DISCOVERED % "foo.bar").exists()
         )
+        self.assertFalse(
+            CertificateKeyPair.objects.filter(managed=MANAGED_DISCOVERED % "tls-combined").exists()
+        )
 
     def test_discovery_updating_same_private_key(self):
         """Test certificate discovery updating certs with matching private keys"""

authentik/endpoints/api/devices.py

@@ -97,7 +97,7 @@ class DeviceViewSet(
     def summary(self, request: Request) -> Response:
         delta = now() - timedelta(hours=24)
         unreachable = (
-            Device.filter_not_expired()
+            Device.objects.all()
             .annotate(
                 latest_snapshot=Subquery(
                     DeviceFactSnapshot.objects.filter(connection__device=OuterRef("pk"))
@@ -110,7 +110,7 @@ class DeviceViewSet(
             .count()
         )
         data = {
-            "total_count": Device.filter_not_expired().count(),
+            "total_count": Device.objects.all().count(),
             "unreachable_count": unreachable,
             # Currently not supported
             "outdated_agent_count": 0,

authentik/endpoints/connectors/agent/api/connectors.py

@@ -65,7 +65,9 @@ class AgentConnectorSerializer(ConnectorSerializer):
 class MDMConfigSerializer(PassiveSerializer):
 
     platform = ChoiceField(choices=OSFamily.choices)
-    enrollment_token = PrimaryKeyRelatedField(queryset=EnrollmentToken.objects.all())
+    enrollment_token = PrimaryKeyRelatedField(
+        queryset=EnrollmentToken.objects.including_expired().all()
+    )
 
     def validate_platform(self, platform: OSFamily) -> OSFamily:
         if platform not in [OSFamily.iOS, OSFamily.macOS, OSFamily.windows]:
@@ -136,7 +138,7 @@ class AgentConnectorViewSet(
             device=device,
             connector=token.connector,
         )
-        DeviceToken.objects.filter(device=connection).delete()
+        DeviceToken.objects.including_expired().filter(device=connection).delete()
         token = DeviceToken.objects.create(device=connection, expiring=False)
         return Response(
             {

authentik/endpoints/connectors/agent/api/enrollment_tokens.py

@@ -18,7 +18,10 @@ from authentik.rbac.decorators import permission_required
 class EnrollmentTokenSerializer(ModelSerializer):
 
     device_group_obj = DeviceAccessGroupSerializer(
-        source="device_group", read_only=True, required=False
+        source="device_group",
+        read_only=True,
+        required=False,
+        allow_null=True,
     )
 
     def __init__(self, *args, **kwargs) -> None:

authentik/endpoints/connectors/agent/auth.py

@@ -34,9 +34,11 @@ class AgentEnrollmentAuth(BaseAuthentication):
     def authenticate(self, request: Request) -> tuple[User, Any] | None:
         auth = get_authorization_header(request)
         key = validate_auth(auth)
-        token = EnrollmentToken.filter_not_expired(key=key).first()
+        token = EnrollmentToken.objects.filter(key=key).first()
         if not token:
             raise PermissionDenied()
+        if not token.connector.enabled:
+            raise PermissionDenied()
         CTX_AUTH_VIA.set("endpoint_token_enrollment")
         return (DeviceUser(), token)
 
@@ -48,9 +50,11 @@ class AgentAuth(BaseAuthentication):
         key = validate_auth(auth, format="bearer+agent")
         if not key:
             return None
-        device_token = DeviceToken.filter_not_expired(key=key).first()
+        device_token = DeviceToken.objects.filter(key=key).first()
         if not device_token:
             raise PermissionDenied()
+        if not device_token.device.connector.enabled:
+            raise PermissionDenied()
         if device_token.device.device.is_expired:
             raise PermissionDenied()
         CTX_AUTH_VIA.set("endpoint_token")
@@ -87,7 +91,7 @@ class DeviceAuthFedAuthentication(BaseAuthentication):
         if not raw_token:
             LOGGER.warning("Missing token")
             return None
-        device = Device.filter_not_expired(name=request.query_params.get("device")).first()
+        device = Device.objects.filter(name=request.query_params.get("device")).first()
         if not device:
             LOGGER.warning("Couldn't find device")
             return None

authentik/endpoints/connectors/agent/stage.py

@@ -53,11 +53,11 @@ class EndpointAgentChallengeResponse(ChallengeResponse):
         except PyJWTError as exc:
             self.stage.logger.warning("Could not parse response", exc=exc)
             raise ValidationError("Invalid challenge response") from None
-        device = Device.filter_not_expired(identifier=raw["iss"]).first()
+        device = Device.objects.filter(identifier=raw["iss"]).first()
         if not device:
             self.stage.logger.warning("Could not find device for challenge")
             raise ValidationError("Invalid challenge response")
-        for token in DeviceToken.filter_not_expired(
+        for token in DeviceToken.objects.filter(
             device__device=device,
             device__connector=self.stage.executor.current_stage.connector,
         ).values_list("key", flat=True):

authentik/endpoints/connectors/agent/tests/test_agent_api.py

@@ -58,6 +58,16 @@ class TestAgentAPI(APITestCase):
         )
         self.assertEqual(response.status_code, 200)
 
+    def test_enroll_disabled(self):
+        self.connector.enabled = False
+        self.connector.save()
+        response = self.client.post(
+            reverse("authentik_api:agentconnector-enroll"),
+            data={"device_serial": generate_id(), "device_name": "bar"},
+            HTTP_AUTHORIZATION=f"Bearer {self.token.key}",
+        )
+        self.assertEqual(response.status_code, 403)
+
     def test_enroll_token_delete(self):
         response = self.client.post(
             reverse("authentik_api:agentconnector-enroll"),
@@ -79,7 +89,7 @@ class TestAgentAPI(APITestCase):
             HTTP_AUTHORIZATION=f"Bearer {self.token.key}",
         )
         self.assertEqual(response.status_code, 200)
-        device = Device.filter_not_expired(identifier=ident).first()
+        device = Device.objects.filter(identifier=ident).first()
         self.assertIsNotNone(device)
         self.assertEqual(device.access_group, device_group)
 
@@ -94,7 +104,7 @@ class TestAgentAPI(APITestCase):
             HTTP_AUTHORIZATION=f"Bearer {self.token.key}",
         )
         self.assertEqual(response.status_code, 403)
-        self.assertFalse(Device.filter_not_expired(identifier=dev_id).exists())
+        self.assertFalse(Device.objects.filter(identifier=dev_id).exists())
 
     @reconcile_app("authentik_crypto")
     def test_config(self):
@@ -104,6 +114,16 @@ class TestAgentAPI(APITestCase):
         )
         self.assertEqual(response.status_code, 200)
 
+    @reconcile_app("authentik_crypto")
+    def test_config_disabled(self):
+        self.connector.enabled = False
+        self.connector.save()
+        response = self.client.get(
+            reverse("authentik_api:agentconnector-agent-config"),
+            HTTP_AUTHORIZATION=f"Bearer+agent {self.device_token.key}",
+        )
+        self.assertEqual(response.status_code, 403)
+
     def test_check_in(self):
         response = self.client.post(
             reverse("authentik_api:agentconnector-check-in"),
@@ -112,6 +132,16 @@ class TestAgentAPI(APITestCase):
         )
         self.assertEqual(response.status_code, 204)
 
+    def test_check_in_disabled(self):
+        self.connector.enabled = False
+        self.connector.save()
+        response = self.client.post(
+            reverse("authentik_api:agentconnector-check-in"),
+            data=CHECK_IN_DATA_VALID,
+            HTTP_AUTHORIZATION=f"Bearer+agent {self.device_token.key}",
+        )
+        self.assertEqual(response.status_code, 403)
+
     def test_check_in_token_expired(self):
         self.device_token.expiring = True
         self.device_token.expires = now() - timedelta(hours=1)

authentik/endpoints/controller.py

@@ -44,3 +44,6 @@ class BaseController[T: "Connector"]:
 
     def stage_view_authentication(self) -> StageView | None:
         return None
+
+    def sync_endpoints(self):
+        raise NotImplementedError

authentik/endpoints/models.py

@@ -54,7 +54,7 @@ class Device(InternallyManagedMixin, ExpiringModel, AttributesMixin, PolicyBindi
     def facts(self) -> DeviceFactSnapshot:
         data = {}
         last_updated = datetime.fromtimestamp(0, UTC)
-        for snapshot_data, snapshort_created in DeviceFactSnapshot.filter_not_expired(
+        for snapshot_data, snapshort_created in DeviceFactSnapshot.objects.filter(
             snapshot_id__in=Subquery(
                 DeviceFactSnapshot.objects.filter(
                     connection__connector=OuterRef("connection__connector"), connection__device=self
@@ -162,8 +162,11 @@ class Connector(ScheduledModel, SerializerModel):
 
     @property
     def schedule_specs(self) -> list[ScheduleSpec]:
+        from authentik.endpoints.controller import Capabilities
         from authentik.endpoints.tasks import endpoints_sync
 
+        if Capabilities.ENROLL_AUTOMATIC_API not in self.controller(self).capabilities():
+            return []
         return [
             ScheduleSpec(
                 actor=endpoints_sync,

authentik/endpoints/stage.py

@@ -1,4 +1,4 @@
-from authentik.endpoints.models import EndpointStage, StageMode
+from authentik.endpoints.models import Connector, EndpointStage, StageMode
 from authentik.flows.stage import StageView
 
 PLAN_CONTEXT_ENDPOINT_CONNECTOR = "endpoint_connector"
@@ -8,7 +8,10 @@ class EndpointStageView(StageView):
 
     def _get_inner(self) -> StageView | None:
         stage: EndpointStage = self.executor.current_stage
-        inner_stage: type[StageView] | None = stage.connector.stage
+        connector: Connector = stage.connector
+        if not connector.enabled:
+            return None
+        inner_stage: type[StageView] | None = connector.stage
         if not inner_stage:
             return None
         return inner_stage(self.executor, request=self.request)

authentik/endpoints/tasks.py

@@ -17,11 +17,11 @@ def endpoints_sync(connector_pk: Any):
     connector: Connector | None = (
         Connector.objects.filter(pk=connector_pk).select_subclasses().first()
     )
-    if not connector:
+    if not connector or not connector.enabled:
         return
     controller = connector.controller
     ctrl = controller(connector)
-    if Capabilities.AUTOMATIC_API not in ctrl.capabilities():
+    if Capabilities.ENROLL_AUTOMATIC_API not in ctrl.capabilities():
         return
     LOGGER.info("Syncing connector", connector=connector.name)
     ctrl.sync_endpoints()

authentik/endpoints/tests/test_tasks.py

@@ -0,0 +1,35 @@
+from unittest.mock import PropertyMock, patch
+
+from rest_framework.test import APITestCase
+
+from authentik.endpoints.controller import BaseController, Capabilities
+from authentik.endpoints.models import Connector
+from authentik.endpoints.tasks import endpoints_sync
+from authentik.lib.generators import generate_id
+
+
+class TestEndpointTasks(APITestCase):
+    def test_agent_sync(self):
+        class controller(BaseController):
+            def capabilities(self):
+                return [Capabilities.ENROLL_AUTOMATIC_API]
+
+            def sync_endpoints(self):
+                pass
+
+        with patch.object(Connector, "controller", PropertyMock(return_value=controller)):
+            connector = Connector.objects.create(name=generate_id())
+            self.assertEqual(len(connector.schedule_specs), 1)
+
+            endpoints_sync.send(connector.pk).get_result(block=True)
+
+    def test_agent_no_sync(self):
+        class controller(BaseController):
+            def capabilities(self):
+                return []
+
+        with patch.object(Connector, "controller", PropertyMock(return_value=controller)):
+            connector = Connector.objects.create(name=generate_id())
+            self.assertEqual(len(connector.schedule_specs), 0)
+
+            endpoints_sync.send(connector.pk).get_result(block=True)

authentik/enterprise/audit/apps.py

@@ -1,6 +1,7 @@
 """Enterprise app config"""
 
 from django.conf import settings
+from django.utils.translation import gettext_lazy as _
 
 from authentik.enterprise.apps import EnterpriseConfig
 from authentik.tenants.flags import Flag
@@ -9,6 +10,9 @@ from authentik.tenants.flags import Flag
 class AuditIncludeExpandedDiff(Flag[bool], key="enterprise_audit_include_expanded_diff"):
     default = False
     visibility = "none"
+    description = _(
+        "Include additional information in audit logs, may incur a performance penalty."
+    )
 
 
 class AuthentikEnterpriseAuditConfig(EnterpriseConfig):

authentik/enterprise/endpoints/connectors/agent/views/apple_nonce.py

@@ -17,7 +17,7 @@ class NonceView(View):
 
     def post(self, request: HttpRequest, *args, **kwargs):
         raw_token = unquote(self.request.POST.get("x-ak-device-token"))
-        device_token = DeviceToken.filter_not_expired(key=raw_token).first()
+        device_token = DeviceToken.objects.filter(key=raw_token).first()
         if not device_token:
             return HttpResponseBadRequest()
         nonce = AppleNonce.objects.create(

authentik/enterprise/endpoints/connectors/agent/views/apple_register.py

@@ -106,7 +106,7 @@ class RegisterUserView(APIView):
     def post(self, request: Request, body: AgentPSSOUserRegistration) -> Response:
         device_token: DeviceToken = request.auth
         conn: AgentDeviceConnection = device_token.device
-        user_token = DeviceAuthenticationToken.filter_not_expired(
+        user_token = DeviceAuthenticationToken.objects.filter(
             device=conn.device,
             token=body.validated_data["user_auth"],
             device_token=device_token,

authentik/enterprise/endpoints/connectors/agent/views/apple_token.py

@@ -96,7 +96,7 @@ class TokenView(View):
         self.remote_nonce = decoded.get("nonce")
 
         # Check that the nonce hasn't been used before
-        nonce = AppleNonce.filter_not_expired(nonce=decoded["request_nonce"]).first()
+        nonce = AppleNonce.objects.filter(nonce=decoded["request_nonce"]).first()
         if not nonce:
             raise ValidationError("Invalid nonce")
         self.nonce = nonce

authentik/enterprise/endpoints/connectors/agent/views/auth_interactive.py

@@ -3,6 +3,7 @@ from hmac import compare_digest
 
 from django.http import Http404, HttpRequest, HttpResponse, HttpResponseBadRequest, QueryDict
 
+from authentik.common.oauth.constants import QS_LOGIN_HINT
 from authentik.endpoints.connectors.agent.auth import (
     agent_auth_issue_token,
     check_device_policies,
@@ -14,7 +15,7 @@ from authentik.enterprise.policy import EnterprisePolicyAccessView
 from authentik.flows.exceptions import FlowNonApplicableException
 from authentik.flows.models import in_memory_stage
 from authentik.flows.planner import PLAN_CONTEXT_DEVICE, FlowPlanner
-from authentik.flows.stage import StageView
+from authentik.flows.stage import PLAN_CONTEXT_PENDING_USER_IDENTIFIER, StageView
 from authentik.providers.oauth2.utils import HttpResponseRedirectScheme
 
 QS_AGENT_IA_TOKEN = "ak-auth-ia-token"  # nosec
@@ -29,7 +30,7 @@ class AgentInteractiveAuth(EnterprisePolicyAccessView):
 
     def resolve_provider_application(self):
         auth_token = (
-            DeviceAuthenticationToken.filter_not_expired(identifier=self.kwargs["token_uuid"])
+            DeviceAuthenticationToken.objects.filter(identifier=self.kwargs["token_uuid"])
             .prefetch_related()
             .first()
         )
@@ -64,14 +65,14 @@ class AgentInteractiveAuth(EnterprisePolicyAccessView):
 
         planner = FlowPlanner(self.connector.authorization_flow)
         planner.allow_empty_flows = True
+        context = {
+            PLAN_CONTEXT_DEVICE: self.device,
+            PLAN_CONTEXT_DEVICE_AUTH_TOKEN: self.auth_token,
+        }
+        if QS_LOGIN_HINT in request.GET:
+            context[PLAN_CONTEXT_PENDING_USER_IDENTIFIER] = request.GET[QS_LOGIN_HINT]
         try:
-            plan = planner.plan(
-                self.request,
-                {
-                    PLAN_CONTEXT_DEVICE: self.device,
-                    PLAN_CONTEXT_DEVICE_AUTH_TOKEN: self.auth_token,
-                },
-            )
+            plan = planner.plan(self.request, context)
         except FlowNonApplicableException:
             return self.handle_no_permission_authenticated()
         plan.append_stage(in_memory_stage(AgentAuthFulfillmentStage))
@@ -84,7 +85,6 @@ class AgentInteractiveAuth(EnterprisePolicyAccessView):
 
 
 class AgentAuthFulfillmentStage(StageView):
-
     def get(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
         device: Device = self.executor.plan.context.pop(PLAN_CONTEXT_DEVICE)
         auth_token: DeviceAuthenticationToken = self.executor.plan.context.pop(

authentik/enterprise/providers/ssf/api/providers.py

@@ -18,6 +18,10 @@ class SSFProviderSerializer(EnterpriseRequiredMixin, ProviderSerializer):
     ssf_url = SerializerMethodField()
     token_obj = TokenSerializer(source="token", required=False, read_only=True)
 
+    oidc_auth_providers_obj = ProviderSerializer(
+        read_only=True, source="oidc_auth_providers", many=True
+    )
+
     def get_ssf_url(self, instance: SSFProvider) -> str | None:
         request: Request = self._context.get("request")
         if not request:
@@ -45,8 +49,10 @@ class SSFProviderSerializer(EnterpriseRequiredMixin, ProviderSerializer):
             "signing_key",
             "token_obj",
             "oidc_auth_providers",
+            "oidc_auth_providers_obj",
             "ssf_url",
             "event_retention",
+            "push_verify_certificates",
         ]
         extra_kwargs = {}
 
@@ -54,7 +60,7 @@ class SSFProviderSerializer(EnterpriseRequiredMixin, ProviderSerializer):
 class SSFProviderViewSet(UsedByMixin, ModelViewSet):
     """SSFProvider Viewset"""
 
-    queryset = SSFProvider.objects.all()
+    queryset = SSFProvider.objects.all().prefetch_related("oidc_auth_providers")
     serializer_class = SSFProviderSerializer
     filterset_fields = {
         "application": ["isnull"],

authentik/enterprise/providers/ssf/api/streams.py

@@ -1,6 +1,7 @@
 """SSF Stream API Views"""
 
-from rest_framework.viewsets import ReadOnlyModelViewSet
+from rest_framework import mixins
+from rest_framework.viewsets import GenericViewSet
 
 from authentik.core.api.utils import ModelSerializer
 from authentik.enterprise.providers.ssf.api.providers import SSFProviderSerializer
@@ -16,6 +17,7 @@ class SSFStreamSerializer(ModelSerializer):
         model = Stream
         fields = [
             "pk",
+            "status",
             "provider",
             "provider_obj",
             "delivery_method",
@@ -27,7 +29,12 @@ class SSFStreamSerializer(ModelSerializer):
         ]
 
 
-class SSFStreamViewSet(ReadOnlyModelViewSet):
+class SSFStreamViewSet(
+    mixins.RetrieveModelMixin,
+    mixins.DestroyModelMixin,
+    mixins.ListModelMixin,
+    GenericViewSet,
+):
     """SSFStream Viewset"""
 
     queryset = Stream.objects.all()

authentik/enterprise/providers/ssf/migrations/0002_ssfprovider_push_verify_certificates_and_more.py

@@ -0,0 +1,43 @@
+# Generated by Django 5.2.12 on 2026-04-04 16:58
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_providers_ssf", "0001_initial"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="ssfprovider",
+            name="push_verify_certificates",
+            field=models.BooleanField(default=True),
+        ),
+        migrations.AddField(
+            model_name="stream",
+            name="authorization_header",
+            field=models.TextField(default=None, null=True),
+        ),
+        migrations.AddField(
+            model_name="stream",
+            name="status",
+            field=models.TextField(
+                choices=[("enabled", "Enabled"), ("paused", "Paused"), ("disabled", "Disabled")],
+                default="enabled",
+            ),
+        ),
+        migrations.AlterField(
+            model_name="stream",
+            name="delivery_method",
+            field=models.TextField(
+                choices=[
+                    ("https://schemas.openid.net/secevent/risc/delivery-method/push", "Risc Push"),
+                    ("https://schemas.openid.net/secevent/risc/delivery-method/poll", "Risc Poll"),
+                    ("urn:ietf:rfc:8935", "SSF RFC Push"),
+                    ("urn:ietf:rfc:8936", "SSF RFC Pull"),
+                ]
+            ),
+        ),
+    ]

authentik/enterprise/providers/ssf/models.py

@@ -33,6 +33,8 @@ class DeliveryMethods(models.TextChoices):
 
     RISC_PUSH = "https://schemas.openid.net/secevent/risc/delivery-method/push"
     RISC_POLL = "https://schemas.openid.net/secevent/risc/delivery-method/poll"
+    RFC_PUSH = "urn:ietf:rfc:8935", _("SSF RFC Push")
+    RFC_PULL = "urn:ietf:rfc:8936", _("SSF RFC Pull")
 
 
 class SSFEventStatus(models.TextChoices):
@@ -43,6 +45,13 @@ class SSFEventStatus(models.TextChoices):
     SENT = "sent"
 
 
+class StreamStatus(models.TextChoices):
+
+    ENABLED = "enabled"
+    PAUSED = "paused"
+    DISABLED = "disabled"
+
+
 class SSFProvider(TasksModel, BackchannelProvider):
     """Shared Signals Framework provider to allow applications to
     receive user events from authentik."""
@@ -54,6 +63,8 @@ class SSFProvider(TasksModel, BackchannelProvider):
         help_text=_("Key used to sign the SSF Events."),
     )
 
+    push_verify_certificates = models.BooleanField(default=True)
+
     oidc_auth_providers = models.ManyToManyField(OAuth2Provider, blank=True, default=None)
 
     token = models.ForeignKey(Token, on_delete=models.CASCADE, null=True, default=None)
@@ -106,10 +117,14 @@ class Stream(models.Model):
     """SSF Stream"""
 
     uuid = models.UUIDField(default=uuid4, primary_key=True, editable=False)
+
+    status = models.TextField(choices=StreamStatus.choices, default=StreamStatus.ENABLED)
+
     provider = models.ForeignKey(SSFProvider, on_delete=models.CASCADE)
 
     delivery_method = models.TextField(choices=DeliveryMethods.choices)
     endpoint_url = models.TextField(null=True)
+    authorization_header = models.TextField(null=True, default=None)
 
     events_requested = ArrayField(models.TextField(choices=EventTypes.choices), default=list)
     format = models.TextField()
@@ -146,7 +161,7 @@ class Stream(models.Model):
         }
 
     def encode(self, data: dict) -> str:
-        headers = {}
+        headers = {"typ": "secevent+jwt"}
         if self.provider.signing_key:
             headers["kid"] = self.provider.signing_key.kid
         key, alg = self.provider.jwt_key

authentik/enterprise/providers/ssf/tasks.py

@@ -8,6 +8,7 @@ from dramatiq.actor import actor
 from requests.exceptions import RequestException
 from structlog.stdlib import get_logger
 
+from authentik.core.apps import AppAccessWithoutBindings
 from authentik.core.models import User
 from authentik.enterprise.providers.ssf.models import (
     DeliveryMethods,
@@ -15,6 +16,7 @@ from authentik.enterprise.providers.ssf.models import (
     SSFEventStatus,
     Stream,
     StreamEvent,
+    StreamStatus,
 )
 from authentik.lib.utils.http import get_http_session
 from authentik.lib.utils.time import timedelta_from_string
@@ -68,6 +70,7 @@ def _check_app_access(stream: Stream, event_data: dict) -> bool:
     if not user:
         return True
     engine = PolicyEngine(stream.provider.backchannel_application, user)
+    engine.empty_result = AppAccessWithoutBindings.get()
     engine.use_cache = False
     engine.build()
     return engine.passing
@@ -86,23 +89,42 @@ def send_ssf_event(stream_uuid: UUID, event_data: dict[str, Any]):
     self.set_uid(event.pk)
     if event.status == SSFEventStatus.SENT:
         return
-    if stream.delivery_method != DeliveryMethods.RISC_PUSH:
+    if stream.delivery_method not in [DeliveryMethods.RISC_PUSH, DeliveryMethods.RFC_PUSH]:
         return
 
+    headers = {"Content-Type": "application/secevent+jwt", "Accept": "application/json"}
+    if stream.authorization_header:
+        headers["Authorization"] = stream.authorization_header
     try:
         response = session.post(
             event.stream.endpoint_url,
             data=event.stream.encode(event.payload),
-            headers={"Content-Type": "application/secevent+jwt", "Accept": "application/json"},
+            headers=headers,
+            verify=stream.provider.push_verify_certificates,
+            timeout=180,
         )
         response.raise_for_status()
         event.status = SSFEventStatus.SENT
         event.save()
-        return
+        self.info("Event successfully sent", status=response.status_code)
+        # Cleanup, if we were the last pending message for this stream and it has been deleted
+        # (status=StreamStatus.DISABLED), then we can delete the stream
+        if (
+            not StreamEvent.objects.filter(
+                stream=stream,
+                status__in=[SSFEventStatus.PENDING_FAILED, SSFEventStatus.PENDING_NEW],
+            ).exists()
+            and stream.status == StreamStatus.DISABLED
+        ):
+            LOGGER.info(
+                "Deleting inactive stream as all pending messages were sent.", stream=stream
+            )
+            self.info("Deleting inactive stream as all pending messages were sent.")
+            stream.delete()
     except RequestException as exc:
-        LOGGER.warning("Failed to send SSF event", exc=exc)
+        LOGGER.warning("Failed to send SSF event", exc=exc, stream=stream)
         attrs = {}
-        if exc.response:
+        if exc.response is not None:
             attrs["response"] = {
                 "content": exc.response.text,
                 "status": exc.response.status_code,
@@ -111,5 +133,6 @@ def send_ssf_event(stream_uuid: UUID, event_data: dict[str, Any]):
         self.warning("Failed to send request", **attrs)
         # Re-up the expiry of the stream event
         event.expires = now() + timedelta_from_string(event.stream.provider.event_retention)
+        self.info(f"Event will be re-sent at {event.expires}")
         event.status = SSFEventStatus.PENDING_FAILED
         event.save()

authentik/enterprise/providers/ssf/tests/test_auth.py

@@ -0,0 +1,170 @@
+import json
+from dataclasses import asdict
+
+from django.urls import reverse
+from django.utils import timezone
+from rest_framework.test import APITestCase
+
+from authentik.core.models import Application, Token, TokenIntents
+from authentik.core.tests.utils import (
+    create_test_admin_user,
+    create_test_cert,
+    create_test_flow,
+    create_test_user,
+)
+from authentik.enterprise.providers.ssf.models import (
+    SSFEventStatus,
+    SSFProvider,
+    Stream,
+    StreamEvent,
+)
+from authentik.lib.generators import generate_id
+from authentik.providers.oauth2.id_token import IDToken
+from authentik.providers.oauth2.models import AccessToken, OAuth2Provider
+
+
+class TestSSFAuth(APITestCase):
+    def setUp(self):
+        self.application = Application.objects.create(name=generate_id(), slug=generate_id())
+        self.provider = SSFProvider.objects.create(
+            name=generate_id(),
+            signing_key=create_test_cert(),
+            backchannel_application=self.application,
+        )
+
+    def test_stream_add_token(self):
+        """test stream add (token auth)"""
+        res = self.client.post(
+            reverse(
+                "authentik_providers_ssf:stream",
+                kwargs={"application_slug": self.application.slug},
+            ),
+            data={
+                "iss": "https://authentik.company/.well-known/ssf-configuration/foo/5",
+                "aud": ["https://app.authentik.company"],
+                "delivery": {
+                    "method": "https://schemas.openid.net/secevent/risc/delivery-method/push",
+                    "endpoint_url": "https://app.authentik.company",
+                },
+                "events_requested": [
+                    "https://schemas.openid.net/secevent/caep/event-type/credential-change",
+                    "https://schemas.openid.net/secevent/caep/event-type/session-revoked",
+                ],
+                "format": "iss_sub",
+            },
+            HTTP_AUTHORIZATION=f"Bearer {self.provider.token.key}",
+        )
+        self.assertEqual(res.status_code, 201)
+        stream = Stream.objects.filter(provider=self.provider).first()
+        self.assertIsNotNone(stream)
+        event = StreamEvent.objects.filter(stream=stream).first()
+        self.assertIsNotNone(event)
+        self.assertEqual(event.status, SSFEventStatus.PENDING_FAILED)
+        self.assertEqual(
+            event.payload["events"],
+            {"https://schemas.openid.net/secevent/ssf/event-type/verification": {"state": None}},
+        )
+
+    def test_stream_add_oidc(self):
+        """test stream add (oidc auth)"""
+        provider = OAuth2Provider.objects.create(
+            name=generate_id(),
+            authorization_flow=create_test_flow(),
+        )
+        self.application.provider = provider
+        self.application.save()
+        user = create_test_admin_user()
+        token = AccessToken.objects.create(
+            provider=provider,
+            user=user,
+            token=generate_id(),
+            auth_time=timezone.now(),
+            _scope="openid user profile",
+            _id_token=json.dumps(
+                asdict(
+                    IDToken("foo", "bar"),
+                )
+            ),
+        )
+
+        res = self.client.post(
+            reverse(
+                "authentik_providers_ssf:stream",
+                kwargs={"application_slug": self.application.slug},
+            ),
+            data={
+                "iss": "https://authentik.company/.well-known/ssf-configuration/foo/5",
+                "aud": ["https://app.authentik.company"],
+                "delivery": {
+                    "method": "https://schemas.openid.net/secevent/risc/delivery-method/push",
+                    "endpoint_url": "https://app.authentik.company",
+                },
+                "events_requested": [
+                    "https://schemas.openid.net/secevent/caep/event-type/credential-change",
+                    "https://schemas.openid.net/secevent/caep/event-type/session-revoked",
+                ],
+                "format": "iss_sub",
+            },
+            HTTP_AUTHORIZATION=f"Bearer {token.token}",
+        )
+        self.assertEqual(res.status_code, 201)
+        stream = Stream.objects.filter(provider=self.provider).first()
+        self.assertIsNotNone(stream)
+        event = StreamEvent.objects.filter(stream=stream).first()
+        self.assertIsNotNone(event)
+        self.assertEqual(event.status, SSFEventStatus.PENDING_FAILED)
+        self.assertEqual(
+            event.payload["events"],
+            {"https://schemas.openid.net/secevent/ssf/event-type/verification": {"state": None}},
+        )
+
+    def test_token_invalid(self):
+        res = self.client.post(
+            reverse(
+                "authentik_providers_ssf:stream",
+                kwargs={"application_slug": self.application.slug},
+            ),
+            data={
+                "iss": "https://authentik.company/.well-known/ssf-configuration/foo/5",
+                "aud": ["https://app.authentik.company"],
+                "delivery": {
+                    "method": "https://schemas.openid.net/secevent/risc/delivery-method/push",
+                    "endpoint_url": "https://app.authentik.company",
+                },
+                "events_requested": [
+                    "https://schemas.openid.net/secevent/caep/event-type/credential-change",
+                    "https://schemas.openid.net/secevent/caep/event-type/session-revoked",
+                ],
+                "format": "iss_sub",
+            },
+            HTTP_AUTHORIZATION=f"Bearer {self.provider.token.key}a",
+        )
+        # Response code needs to be 401 according to spec
+        self.assertEqual(res.status_code, 401)
+
+    def test_token_unrelated(self):
+        token = Token.objects.create(
+            identifier=generate_id(), user=create_test_user(), intent=TokenIntents.INTENT_API
+        )
+        res = self.client.post(
+            reverse(
+                "authentik_providers_ssf:stream",
+                kwargs={"application_slug": self.application.slug},
+            ),
+            data={
+                "iss": "https://authentik.company/.well-known/ssf-configuration/foo/5",
+                "aud": ["https://app.authentik.company"],
+                "delivery": {
+                    "method": "https://schemas.openid.net/secevent/risc/delivery-method/push",
+                    "endpoint_url": "https://app.authentik.company",
+                },
+                "events_requested": [
+                    "https://schemas.openid.net/secevent/caep/event-type/credential-change",
+                    "https://schemas.openid.net/secevent/caep/event-type/session-revoked",
+                ],
+                "format": "iss_sub",
+            },
+            HTTP_AUTHORIZATION=f"Bearer {token.key}",
+        )
+        # Response code needs to be 401 according to spec
+        self.assertEqual(res.status_code, 401)