web/dev/upgrade-to-typescript-7

## What

Upgrade our typechecking to use Typescript 7 (aka `tsgo`).

Steps taken:

- Eliminate using ordinary maps for reference holders; the constructors are incompatible with `WeakMap` and TSGO doesn’t allow for it.
- Strengthen the typecheck for `CurrentBrand`; TSGO needed help understand what constraint applied
- Narrow the types supplied to `JSONifiable` so that `symbol` isn’t a valid key; `JSON.stringify()` elides symbol keys.
- Correct bad typing in `paths.js`; at the type level, `dist` is the *type* of `const foo = "dist"`, so a `typeof` key here passes muster.

## Why

    $ time npm run lint:types # (TSC)
    real: 0m18.45s

    $ time npm run lint:types # (TSGO)
    real: 0m0.8s

.github/actions/setup/action.yml

@@ -22,7 +22,7 @@ runs:
         sudo rm -rf /usr/local/lib/android
     - name: Install uv
       if: ${{ contains(inputs.dependencies, 'python') }}
-      uses: astral-sh/setup-uv@eac588ad8def6316056a12d4907a9d4d84ff7a3b # v5
+      uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098 # v5
       with:
         enable-cache: true
     - name: Setup python
@@ -36,7 +36,7 @@ runs:
       run: uv sync --all-extras --dev --frozen
     - name: Setup node
       if: ${{ contains(inputs.dependencies, 'node') }}
-      uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v4
+      uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v4
       with:
         node-version-file: web/package.json
         cache: "npm"
@@ -44,7 +44,7 @@ runs:
         registry-url: 'https://registry.npmjs.org'
     - name: Setup go
       if: ${{ contains(inputs.dependencies, 'go') }}
-      uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v5
+      uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v5
       with:
         go-version-file: "go.mod"
     - name: Setup docker cache
@@ -58,7 +58,7 @@ runs:
       run: |
         export PSQL_TAG=${{ inputs.postgresql_version }}
         docker compose -f .github/actions/setup/compose.yml up -d
-        cd web && npm i
+        cd web && npm ci
     - name: Generate config
       if: ${{ contains(inputs.dependencies, 'python') }}
       shell: uv run python {0}

.github/dependabot.yml

@@ -38,6 +38,21 @@ updates:
 
   #endregion
 
+  #region Rust
+
+  - package-ecosystem: rust-toolchain
+    directory: "/"
+    schedule:
+      interval: daily
+      time: "04:00"
+    open-pull-requests-limit: 10
+    commit-message:
+      prefix: "core:"
+    labels:
+      - dependencies
+
+  #endregion
+
   #region Web
 
   - package-ecosystem: npm
@@ -234,7 +249,7 @@ updates:
 
   - package-ecosystem: docker
     directories:
-      - /
+      - /lifecycle/container
       - /website
     schedule:
       interval: daily

.github/workflows/_reusable-docker-build-single.yml

@@ -67,12 +67,12 @@ jobs:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
-      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v5
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v5
         with:
           node-version-file: web/package.json
           cache: "npm"
           cache-dependency-path: web/package-lock.json
-      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6
+      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
         with:
           go-version-file: "go.mod"
       - name: Generate API Clients
@@ -80,7 +80,7 @@ jobs:
           make gen-client-ts
           make gen-client-go
       - name: Build Docker Image
-        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6
+        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
         id: push
         with:
           context: .
@@ -95,7 +95,7 @@ jobs:
           platforms: linux/${{ inputs.image_arch }}
           cache-from: type=registry,ref=${{ steps.ev.outputs.attestImageNames }}:buildcache-${{ inputs.image_arch }}
           cache-to: ${{ steps.ev.outputs.cacheTo }}
-      - uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3
+      - uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v3
         id: attest
         if: ${{ steps.ev.outputs.shouldPush == 'true' }}
         with:

.github/workflows/_reusable-docker-build.yml

@@ -90,14 +90,14 @@ jobs:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
-      - uses: int128/docker-manifest-create-action@1a059c021f1d5e9f2bd39de745d5dd3a0ef6df90 # v2
+      - uses: int128/docker-manifest-create-action@8aac06098a12365ccdf99372dcfb453ccce8a0b0 # v2
         id: build
         with:
           tags: ${{ matrix.tag }}
           sources: |
             ${{ steps.ev.outputs.attestImageNames }}@${{ needs.build-server-amd64.outputs.image-digest }}
             ${{ steps.ev.outputs.attestImageNames }}@${{ needs.build-server-arm64.outputs.image-digest }}
-      - uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3
+      - uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v3
         id: attest
         with:
           subject-name: ${{ steps.ev.outputs.attestImageNames }}

.github/workflows/api-ts-publish.yml

@@ -25,7 +25,7 @@ jobs:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
         with:
           token: ${{ steps.generate_token.outputs.token }}
-      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v5
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v5
         with:
           node-version-file: web/package.json
           registry-url: "https://registry.npmjs.org"

.github/workflows/ci-api-docs.yml

@@ -33,7 +33,7 @@ jobs:
 
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v5
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v5
         with:
           node-version-file: website/package.json
           cache: "npm"
@@ -55,7 +55,7 @@ jobs:
         env:
           NODE_ENV: production
         run: npm run build -w api
-      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v4
+      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v4
         with:
           name: api-docs
           path: website/api/build
@@ -67,11 +67,11 @@ jobs:
       - build
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v5
+      - uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v5
         with:
           name: api-docs
           path: website/api/build
-      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v5
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v5
         with:
           node-version-file: website/package.json
           cache: "npm"

.github/workflows/ci-aws-cfn.yml

@@ -24,7 +24,7 @@ jobs:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
       - name: Setup authentik env
         uses: ./.github/actions/setup
-      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v5
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v5
         with:
           node-version-file: lifecycle/aws/package.json
           cache: "npm"

.github/workflows/ci-docs.yml

@@ -36,7 +36,7 @@ jobs:
       NODE_ENV: production
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v5
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v5
         with:
           node-version-file: website/package.json
           cache: "npm"
@@ -53,7 +53,7 @@ jobs:
       NODE_ENV: production
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v5
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v5
         with:
           node-version-file: website/package.json
           cache: "npm"
@@ -96,7 +96,7 @@ jobs:
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Build Docker Image
         id: push
-        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6
+        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
         with:
           tags: ${{ steps.ev.outputs.imageTags }}
           file: website/Dockerfile
@@ -105,7 +105,7 @@ jobs:
           context: .
           cache-from: type=registry,ref=ghcr.io/goauthentik/dev-docs:buildcache
           cache-to: ${{ steps.ev.outputs.shouldPush == 'true' && 'type=registry,ref=ghcr.io/goauthentik/dev-docs:buildcache,mode=max' || '' }}
-      - uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3
+      - uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v3
         id: attest
         if: ${{ steps.ev.outputs.shouldPush == 'true' }}
         with:

.github/workflows/ci-main-daily.yml

@@ -6,6 +6,10 @@ on:
   schedule:
     # Every night at 3am
     - cron: "0 3 * * *"
+  pull_request:
+    paths:
+      # Needs to refer to itself
+      - .github/workflows/ci-main-daily.yml
 
 jobs:
   test-container:
@@ -15,14 +19,14 @@ jobs:
       matrix:
         version:
           - docs
-          - version-2025-4
-          - version-2025-2
+          - version-2025-12
+          - version-2025-10
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
       - run: |
           current="$(pwd)"
           dir="/tmp/authentik/${{ matrix.version }}"
-          mkdir -p $dir
-          cd $dir
-          wget https://${{ matrix.version }}.goauthentik.io/compose.yml
-          ${current}/scripts/test_docker.sh
+          mkdir -p "${dir}/lifecycle/container"
+          cd "${dir}"
+          wget "https://${{ matrix.version }}.goauthentik.io/docker-compose.yml" -O "${dir}/lifecycle/container/compose.yml"
+          "${current}/scripts/test_docker.sh"

.github/workflows/ci-main.yml

@@ -42,6 +42,16 @@ jobs:
         uses: ./.github/actions/setup
       - name: run job
         run: uv run make ci-${{ matrix.job }}
+  test-gen-build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
+      - name: Setup authentik env
+        uses: ./.github/actions/setup
+      - name: generate schema
+        run: make migrate gen-build
+      - name: ensure schema is up-to-date
+        run: git diff --exit-code -- schema.yml blueprints/schema.json
   test-migrations:
     runs-on: ubuntu-latest
     steps:
@@ -160,7 +170,7 @@ jobs:
       - name: Setup authentik env
         uses: ./.github/actions/setup
       - name: Create k8s Kind Cluster
-        uses: helm/kind-action@92086f6be054225fa813e0a4b13787fc9088faab # v1.13.0
+        uses: helm/kind-action@ef37e7f390d99f746eb8b610417061a60e82a6cc # v1.14.0
       - name: run integration
         run: |
           uv run coverage run manage.py test tests/integration
@@ -269,7 +279,7 @@ jobs:
         with:
           flags: conformance
       - if: ${{ !cancelled() }}
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: conformance-certification-${{ matrix.job.name }}
           path: tests/openid_conformance/exports/
@@ -277,6 +287,7 @@ jobs:
     if: always()
     needs:
       - lint
+      - test-gen-build
       - test-migrations
       - test-migrations-from-stable
       - test-unittest

.github/workflows/ci-outpost.yml

@@ -22,7 +22,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6
+      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
         with:
           go-version-file: "go.mod"
       - name: Prepare and generate API
@@ -43,7 +43,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6
+      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
         with:
           go-version-file: "go.mod"
       - name: Setup authentik env
@@ -111,7 +111,7 @@ jobs:
         run: make gen-client-go
       - name: Build Docker Image
         id: push
-        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6
+        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
         with:
           tags: ${{ steps.ev.outputs.imageTags }}
           file: lifecycle/container/${{ matrix.type }}.Dockerfile
@@ -122,7 +122,7 @@ jobs:
           context: .
           cache-from: type=registry,ref=ghcr.io/goauthentik/dev-${{ matrix.type }}:buildcache
           cache-to: ${{ steps.ev.outputs.shouldPush == 'true' && format('type=registry,ref=ghcr.io/goauthentik/dev-{0}:buildcache,mode=max', matrix.type) || '' }}
-      - uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3
+      - uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v3
         id: attest
         if: ${{ steps.ev.outputs.shouldPush == 'true' }}
         with:
@@ -148,10 +148,10 @@ jobs:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
         with:
           ref: ${{ github.event.pull_request.head.sha }}
-      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6
+      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
         with:
           go-version-file: "go.mod"
-      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v5
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v5
         with:
           node-version-file: web/package.json
           cache: "npm"

.github/workflows/ci-web.yml

@@ -32,7 +32,7 @@ jobs:
             project: web
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v5
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v5
         with:
           node-version-file: ${{ matrix.project }}/package.json
           cache: "npm"
@@ -49,7 +49,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v5
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v5
         with:
           node-version-file: web/package.json
           cache: "npm"
@@ -77,7 +77,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v5
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v5
         with:
           node-version-file: web/package.json
           cache: "npm"

.github/workflows/packages-npm-publish.yml

@@ -29,18 +29,19 @@ jobs:
           - packages/eslint-config
           - packages/prettier-config
           - packages/docusaurus-config
+          - packages/logger-js
           - packages/esbuild-plugin-live-reload
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
         with:
           fetch-depth: 2
-      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v5
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v5
         with:
           node-version-file: ${{ matrix.package }}/package.json
           registry-url: "https://registry.npmjs.org"
       - name: Get changed files
         id: changed-files
-        uses: tj-actions/changed-files@8cba46e29c11878d930bca7870bb54394d3e8b21 # 24d32ffd492484c1d75e0c0b894501ddb9d30d62
+        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # 24d32ffd492484c1d75e0c0b894501ddb9d30d62
         with:
           files: |
             ${{ matrix.package }}/package.json

.github/workflows/release-publish.yml

@@ -51,14 +51,14 @@ jobs:
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Build Docker Image
         id: push
-        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6
+        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
         with:
           tags: ${{ steps.ev.outputs.imageTags }}
           file: website/Dockerfile
           push: true
           platforms: linux/amd64,linux/arm64
           context: .
-      - uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3
+      - uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v3
         id: attest
         if: true
         with:
@@ -84,10 +84,10 @@ jobs:
           - rac
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6
+      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
         with:
           go-version-file: "go.mod"
-      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v5
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v5
         with:
           node-version-file: web/package.json
           cache: "npm"
@@ -119,7 +119,7 @@ jobs:
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Build Docker Image
-        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6
+        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
         id: push
         with:
           push: true
@@ -129,7 +129,7 @@ jobs:
           file: lifecycle/container/${{ matrix.type }}.Dockerfile
           platforms: linux/amd64,linux/arm64
           context: .
-      - uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3
+      - uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v3
         id: attest
         with:
           subject-name: ${{ steps.ev.outputs.attestImageNames }}
@@ -152,18 +152,25 @@ jobs:
         goarch: [amd64, arm64]
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6
+      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
         with:
           go-version-file: "go.mod"
-      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v5
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v5
         with:
           node-version-file: web/package.json
           cache: "npm"
           cache-dependency-path: web/package-lock.json
-      - name: Build web
+      - name: Install web dependencies
         working-directory: web/
         run: |
           npm ci
+      - name: Generate API Clients
+        run: |
+          make gen-client-ts
+          make gen-client-go
+      - name: Build web
+        working-directory: web/
+        run: |
           npm run build-proxy
       - name: Build outpost
         run: |
@@ -173,7 +180,7 @@ jobs:
           export CGO_ENABLED=0
           go build -tags=outpost_static_embed -v -o ./authentik-outpost-${{ matrix.type }}_${{ matrix.goos }}_${{ matrix.goarch }} ./cmd/${{ matrix.type }}
       - name: Upload binaries to release
-        uses: svenstaro/upload-release-action@6b7fa9f267e90b50a19fef07b3596790bb941741 # v2
+        uses: svenstaro/upload-release-action@b98a3b12e86552593f3e4e577ca8a62aa2f3f22b # v2
         with:
           repo_token: ${{ secrets.GITHUB_TOKEN }}
           file: ./authentik-outpost-${{ matrix.type }}_${{ matrix.goos }}_${{ matrix.goarch }}
@@ -210,12 +217,12 @@ jobs:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
       - name: Run test suite in final docker images
         run: |
-          echo "PG_PASS=$(openssl rand 32 | base64 -w 0)" >> .env
-          echo "AUTHENTIK_SECRET_KEY=$(openssl rand 32 | base64 -w 0)" >> .env
-          docker compose pull -q
-          docker compose up --no-start
-          docker compose start postgresql
-          docker compose run -u root server test-all
+          echo "PG_PASS=$(openssl rand 32 | base64 -w 0)" >> lifecycle/container/.env
+          echo "AUTHENTIK_SECRET_KEY=$(openssl rand 32 | base64 -w 0)" >> lifecycle/container/.env
+          docker compose -f lifecycle/container/compose.yml pull -q
+          docker compose -f lifecycle/container/compose.yml up --no-start
+          docker compose -f lifecycle/container/compose.yml start postgresql
+          docker compose -f lifecycle/container/compose.yml run -u root server test-all
   sentry-release:
     needs:
       - build-server

.github/workflows/release-tag.yml

@@ -91,6 +91,7 @@ jobs:
           # ID from https://api.github.com/users/authentik-automation[bot]
           git config --global user.name '${{ steps.app-token.outputs.app-slug }}[bot]'
           git config --global user.email '${{ steps.get-user-id.outputs.user-id }}+${{ steps.app-token.outputs.app-slug }}[bot]@users.noreply.github.com'
+          git pull
           git commit -a -m "release: ${{ inputs.version }}" --allow-empty
           git tag "version/${{ inputs.version }}" HEAD -m "version/${{ inputs.version }}"
           git push --follow-tags
@@ -174,21 +175,25 @@ jobs:
         if: "${{ inputs.release_reason == 'feature' }}"
         run: |
           changelog_url="https://docs.goauthentik.io/docs/releases/${{ needs.check-inputs.outputs.major_version }}"
+          reason="${{ inputs.release_reason }}"
           jq \
             --arg version "${{ inputs.version }}" \
             --arg changelog "See ${changelog_url}" \
             --arg changelog_url "${changelog_url}" \
-            '.stable.version = $version | .stable.changelog = $changelog | .stable.changelog_url = $changelog_url' version.json > version.new.json
+            --arg reason "${reason}" \
+            '.stable.version = $version | .stable.changelog = $changelog | .stable.changelog_url = $changelog_url | .stable.reason = $reason' version.json > version.new.json
           mv version.new.json version.json
       - name: Bump version
         if: "${{ inputs.release_reason != 'feature' }}"
         run: |
           changelog_url="https://docs.goauthentik.io/docs/releases/${{ needs.check-inputs.outputs.major_version }}#fixed-in-$(echo -n ${{ inputs.version}} | sed 's/\.//g')"
+          reason="${{ inputs.release_reason }}"
           jq \
             --arg version "${{ inputs.version }}" \
             --arg changelog "See ${changelog_url}" \
             --arg changelog_url "${changelog_url}" \
-            '.stable.version = $version | .stable.changelog = $changelog | .stable.changelog_url = $changelog_url' version.json > version.new.json
+            --arg reason "${reason}" \
+            '.stable.version = $version | .stable.changelog = $changelog | .stable.changelog_url = $changelog_url | .stable.reason = $reason' version.json > version.new.json
           mv version.new.json version.json
       - name: Create pull request
         uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7

.github/workflows/repo-stale.yml

@@ -19,7 +19,7 @@ jobs:
         with:
           app-id: ${{ secrets.GH_APP_ID }}
           private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-      - uses: actions/stale@997185467fa4f803885201cee163a9f38240193d # v10
+      - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10
         with:
           repo-token: ${{ steps.generate_token.outputs.token }}
           days-before-stale: 60

CODEOWNERS

@@ -34,6 +34,7 @@ packages/docusaurus-config              @goauthentik/frontend
 packages/esbuild-plugin-live-reload     @goauthentik/frontend
 packages/eslint-config                  @goauthentik/frontend
 packages/prettier-config                @goauthentik/frontend
+packages/logger-js                      @goauthentik/frontend
 packages/tsconfig                       @goauthentik/frontend
 # Web
 web/                                    @goauthentik/frontend

Makefile

@@ -148,11 +148,11 @@ bump:  ## Bump authentik version. Usage: make bump version=20xx.xx.xx
 ifndef version
 	$(error Usage: make bump version=20xx.xx.xx )
 endif
-	$(SED_INPLACE) 's/^version = ".*"/version = "$(version)"/' pyproject.toml
-	$(SED_INPLACE) 's/^VERSION = ".*"/VERSION = "$(version)"/' authentik/__init__.py
+	$(eval current_version := $(shell cat ${PWD}/internal/constants/VERSION))
+	$(SED_INPLACE) 's/^version = ".*"/version = "$(version)"/' ${PWD}/pyproject.toml
+	$(SED_INPLACE) 's/^VERSION = ".*"/VERSION = "$(version)"/' ${PWD}/authentik/__init__.py
 	$(MAKE) gen-build gen-compose aws-cfn
-	npm version --no-git-tag-version --allow-same-version $(version)
-	cd ${PWD}/web && npm version --no-git-tag-version --allow-same-version $(version)
+	$(SED_INPLACE) "s/\"${current_version}\"/\"$(version)\"/" ${PWD}/package.json ${PWD}/package-lock.json ${PWD}/web/package.json ${PWD}/web/package-lock.json
 	echo -n $(version) > ${PWD}/internal/constants/VERSION
 
 #########################
@@ -168,12 +168,22 @@ gen-build:  ## Extract the schema from the database
 gen-compose:
 	$(UV) run scripts/generate_compose.py
 
-gen-changelog:  ## (Release) generate the changelog based from the commits since the last tag
-	git log --pretty=format:" - %s" $(shell git describe --tags $(shell git rev-list --tags --max-count=1))...$(shell git branch --show-current) | sort > changelog.md
+gen-changelog:  ## (Release) generate the changelog based from the commits since the last version
+# These are best-effort guesses based on commit messages
+	$(eval last_version := $(shell git tag --list 'version/*' --sort 'version:refname' | grep -vE 'rc\d+$$' | tail -1))
+	$(eval current_commit := $(shell git rev-parse HEAD))
+	git log --pretty=format:"- %s" $(shell git merge-base ${last_version} ${current_commit})...${current_commit} > merged_to_current
+	git log --pretty=format:"- %s" $(shell git merge-base ${last_version} ${current_commit})...${last_version} > merged_to_last
+	grep -Eo 'cherry-pick (#\d+)' merged_to_last | cut -d ' ' -f 2 | sed 's/.*/(&)$$/' > cherry_picked_to_last
+	grep -vf cherry_picked_to_last merged_to_current | sort > changelog.md
+	rm merged_to_current
+	rm merged_to_last
+	rm cherry_picked_to_last
 	npx prettier --write changelog.md
 
-gen-diff:  ## (Release) generate the changelog diff between the current schema and the last tag
-	git show $(shell git describe --tags $(shell git rev-list --tags --max-count=1)):schema.yml > schema-old.yml
+gen-diff:  ## (Release) generate the changelog diff between the current schema and the last version
+	$(eval last_version := $(shell git tag --list 'version/*' --sort 'version:refname' | grep -vE 'rc\d+$$' | tail -1))
+	git show ${last_version}:schema.yml > schema-old.yml
 	docker compose -f scripts/api/compose.yml run --rm --user "${UID}:${GID}" diff \
 		--markdown \
 		/local/diff.md \

SECURITY.md

@@ -20,8 +20,8 @@ Even if the issue is not a CVE, we still greatly appreciate your help in hardeni
 
 | Version    | Supported  |
 | ---------- | ---------- |
-| 2025.10.x  | ✅         |
 | 2025.12.x  | ✅         |
+| 2026.2.x   | ✅         |
 
 ## Reporting a Vulnerability
 

authentik/__init__.py

@@ -3,7 +3,7 @@
 from functools import lru_cache
 from os import environ
 
-VERSION = "2026.2.0-rc1"
+VERSION = "2026.5.0-rc1"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
 
 

authentik/admin/files/backends/base.py

@@ -94,7 +94,7 @@ class Backend:
 
         Args:
             file_path: Relative file path
-            request: Optional Django HttpRequest for fully qualifed URL building
+            request: Optional Django HttpRequest for fully qualified URL building
             use_cache: whether to retrieve the URL from cache
 
         Returns:

authentik/admin/files/backends/s3.py

@@ -100,13 +100,25 @@ class S3Backend(ManageableBackend):
             f"storage.{self.usage.value}.{self.name}.addressing_style",
             CONFIG.get(f"storage.{self.name}.addressing_style", "auto"),
         )
+        signature_version = CONFIG.get(
+            f"storage.{self.usage.value}.{self.name}.signature_version",
+            CONFIG.get(f"storage.{self.name}.signature_version", "s3v4"),
+        )
+        # Keep signature_version pass-through and let boto3/botocore handle it.
+        # In boto3's S3 configuration docs, `s3v4` (default) and deprecated `s3`
+        # are the documented values:
+        # https://github.com/boto/boto3/blob/791a3e8f36d83664a47b4281a0586b3546cef3ec/docs/source/guide/configuration.rst?plain=1#L398-L407
+        # Botocore also supports additional signer names, so we intentionally do
+        # not enforce a restricted allowlist here.
 
         return self.session.client(
             "s3",
             endpoint_url=endpoint_url,
             use_ssl=use_ssl,
             region_name=region_name,
-            config=Config(signature_version="s3v4", s3={"addressing_style": addressing_style}),
+            config=Config(
+                signature_version=signature_version, s3={"addressing_style": addressing_style}
+            ),
         )
 
     @property

authentik/admin/files/backends/tests/test_s3_backend.py

@@ -1,5 +1,6 @@
 from unittest import skipUnless
 
+from botocore.exceptions import UnsupportedSignatureVersionError
 from django.test import TestCase
 
 from authentik.admin.files.tests.utils import FileTestS3BackendMixin, s3_test_server_available
@@ -81,6 +82,27 @@ class TestS3Backend(FileTestS3BackendMixin, TestCase):
         self.assertIn("X-Amz-Signature=", url)
         self.assertIn("test.png", url)
 
+    def test_client_signature_version_default_v4(self):
+        """Test S3 client defaults to v4 signature when not configured."""
+        self.assertEqual(self.media_s3_backend.client.meta.config.signature_version, "s3v4")
+
+    @CONFIG.patch("storage.s3.signature_version", "s3")
+    def test_client_signature_version_global_override(self):
+        """Test S3 client respects globally configured signature version."""
+        self.assertEqual(self.media_s3_backend.client.meta.config.signature_version, "s3")
+
+    @CONFIG.patch("storage.s3.signature_version", "s3v4")
+    @CONFIG.patch("storage.media.s3.signature_version", "s3")
+    def test_client_signature_version_media_override(self):
+        """Test usage-specific signature version takes precedence over global."""
+        self.assertEqual(self.media_s3_backend.client.meta.config.signature_version, "s3")
+
+    @CONFIG.patch("storage.media.s3.signature_version", "not-a-real-signature")
+    def test_client_signature_version_unsupported(self):
+        """Test unsupported signature version raises botocore error."""
+        with self.assertRaises(UnsupportedSignatureVersionError):
+            self.media_s3_backend.file_url("test.png", use_cache=False)
+
     @CONFIG.patch("storage.s3.bucket_name", "test-bucket")
     def test_file_exists_true(self):
         """Test file_exists returns True for existing file"""

authentik/api/schema.py

@@ -71,7 +71,7 @@ def postprocess_schema_responses(
 def postprocess_schema_query_params(
     result: dict[str, Any], generator: SchemaGenerator, **kwargs
 ) -> dict[str, Any]:
-    """Optimise pagination parameters, instead of redeclaring parameters for each endpoint
+    """Optimize pagination parameters, instead of redeclaring parameters for each endpoint
     declare them globally and refer to them"""
     LOGGER.debug("Deduplicating query parameters")
     for path in result["paths"].values():

authentik/api/tests/test_schema.py

@@ -1,6 +1,8 @@
 """Schema generation tests"""
 
 from pathlib import Path
+from tempfile import gettempdir
+from uuid import uuid4
 
 from django.core.management import call_command
 from django.urls import reverse
@@ -29,15 +31,14 @@ class TestSchemaGeneration(APITestCase):
 
     def test_build_schema(self):
         """Test schema build command"""
-        blueprint_file = Path("blueprints/schema.json")
-        api_file = Path("schema.yml")
-        blueprint_file.unlink()
-        api_file.unlink()
+        tmp = Path(gettempdir())
+        blueprint_file = tmp / f"{str(uuid4())}.json"
+        api_file = tmp / f"{str(uuid4())}.yml"
         with (
             CONFIG.patch("debug", True),
             CONFIG.patch("tenants.enabled", True),
             CONFIG.patch("outposts.disable_embedded_outpost", True),
         ):
-            call_command("build_schema")
+            call_command("build_schema", blueprint_file=blueprint_file, api_file=api_file)
         self.assertTrue(blueprint_file.exists())
         self.assertTrue(api_file.exists())

authentik/blueprints/v1/importer.py

@@ -272,7 +272,7 @@ class Importer:
             and entry.state != BlueprintEntryDesiredState.MUST_CREATED
         ):
             self.logger.debug(
-                "Initialise serializer with instance",
+                "Initialize serializer with instance",
                 model=model,
                 instance=model_instance,
                 pk=model_instance.pk,
@@ -290,7 +290,7 @@ class Importer:
             )
         else:
             self.logger.debug(
-                "Initialised new serializer instance",
+                "Initialized new serializer instance",
                 model=model,
                 **cleanse_dict(updated_identifiers),
             )

authentik/core/api/applications.py

@@ -154,14 +154,14 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
         return queryset
 
     def _get_allowed_applications(
-        self, pagined_apps: Iterator[Application], user: User | None = None
+        self, paginated_apps: Iterator[Application], user: User | None = None
     ) -> list[Application]:
         applications = []
         request = self.request._request
         if user:
             request = copy(request)
             request.user = user
-        for application in pagined_apps:
+        for application in paginated_apps:
             engine = PolicyEngine(application, request.user, request)
             engine.build()
             if engine.passing:

authentik/core/models.py

@@ -1,5 +1,7 @@
 """authentik core models"""
 
+import re
+import traceback
 from datetime import datetime, timedelta
 from enum import StrEnum
 from hashlib import sha256
@@ -15,7 +17,6 @@ from django.contrib.sessions.base_session import AbstractBaseSession
 from django.core.validators import validate_slug
 from django.db import models
 from django.db.models import Q, QuerySet, options
-from django.db.models.constants import LOOKUP_SEP
 from django.http import HttpRequest
 from django.utils.functional import cached_property
 from django.utils.timezone import now
@@ -43,6 +44,7 @@ from authentik.lib.models import (
     DomainlessFormattedURLValidator,
     SerializerModel,
 )
+from authentik.lib.utils.inheritance import get_deepest_child
 from authentik.lib.utils.time import timedelta_from_string
 from authentik.policies.models import PolicyBindingModel
 from authentik.rbac.models import Role
@@ -528,23 +530,35 @@ class User(SerializerModel, AttributesMixin, AbstractUser):
             "default: in 30 days). See authentik logs for every will invocation of this "
             "deprecation."
         )
+        stacktrace = traceback.format_stack()
+        # The last line is this function, the next-to-last line is its caller
+        cause = stacktrace[-2] if len(stacktrace) > 1 else "Unknown, see stacktrace in logs"
+        if search := re.search(r'"(.*?)"', cause):
+            cause = f"Property mapping or Expression policy named {search.group(1)}"
+
         LOGGER.warning(
             "deprecation used",
             message=message_logger,
             deprecation=deprecation,
             replacement=replacement,
+            cause=cause,
+            stacktrace=stacktrace,
         )
         if not Event.filter_not_expired(
-            action=EventAction.CONFIGURATION_WARNING, context__deprecation=deprecation
+            action=EventAction.CONFIGURATION_WARNING,
+            context__deprecation=deprecation,
+            context__cause=cause,
         ).exists():
             event = Event.new(
                 EventAction.CONFIGURATION_WARNING,
                 deprecation=deprecation,
                 replacement=replacement,
                 message=message_event,
+                cause=cause,
             )
             event.expires = datetime.now() + timedelta(days=30)
             event.save()
+
         return self.groups
 
     def set_password(self, raw_password, signal=True, sender=None, request=None):
@@ -789,25 +803,7 @@ class Application(SerializerModel, PolicyBindingModel):
         """Get casted provider instance. Needs Application queryset with_provider"""
         if not self.provider:
             return None
-
-        candidates = []
-        base_class = Provider
-        for subclass in base_class.objects.get_queryset()._get_subclasses_recurse(base_class):
-            parent = self.provider
-            for level in subclass.split(LOOKUP_SEP):
-                try:
-                    parent = getattr(parent, level)
-                except AttributeError:
-                    break
-            if parent in candidates:
-                continue
-            idx = subclass.count(LOOKUP_SEP)
-            if type(parent) is not base_class:
-                idx += 1
-            candidates.insert(idx, parent)
-        if not candidates:
-            return None
-        return candidates[-1]
+        return get_deepest_child(self.provider)
 
     def backchannel_provider_for[T: Provider](self, provider_type: type[T], **kwargs) -> T | None:
         """Get Backchannel provider for a specific type"""

authentik/core/templates/login/base_full.html

@@ -44,19 +44,24 @@
                                 {% endblock %}
                             </div>
                         </main>
-                        <footer aria-label="Site footer" class="pf-c-login__footer pf-m-dark">
-                            <ul class="pf-c-list pf-m-inline">
-                                {% for link in footer_links %}
-                                <li>
-                                    <a href="{{ link.href }}">{{ link.name }}</a>
-                                </li>
-                                {% endfor %}
-                                <li>
-                                    <span>
-                                        {% trans 'Powered by authentik' %}
-                                    </span>
-                                </li>
-                            </ul>
+                        <footer
+                            name="site-footer"
+                            aria-label="{% trans 'Site footer' %}"
+                            class="pf-c-login__footer pf-m-dark">
+                            <div name="flow-links" aria-label="{% trans 'Flow links' %}">
+                                <ul class="pf-c-list pf-m-inline" part="list">
+                                    {% for link in footer_links %}
+                                    <li part="list-item">
+                                        <a part="list-item-link" href="{{ link.href }}">{{ link.name }}</a>
+                                    </li>
+                                    {% endfor %}
+                                    <li part="list-item">
+                                        <span>
+                                            {% trans 'Powered by authentik' %}
+                                        </span>
+                                    </li>
+                                </ul>
+                            </div>
                         </footer>
                     </div>
                 </div>

authentik/core/tests/test_property_mapping_api.py

@@ -63,7 +63,7 @@ class TestPropertyMappingAPI(APITestCase):
             PropertyMappingSerializer().validate_expression("/")
 
     def test_types(self):
-        """Test PropertyMappigns's types endpoint"""
+        """Test PropertyMapping's types endpoint"""
         response = self.client.get(
             reverse("authentik_api:propertymapping-types"),
         )

authentik/crypto/models.py

@@ -78,7 +78,7 @@ def generate_key_id_legacy(key_data: str) -> str:
     """Generate Key ID using MD5 (legacy format for backwards compatibility)."""
     if not key_data:
         return ""
-    return md5(key_data.encode("utf-8")).hexdigest()  # nosec
+    return md5(key_data.encode("utf-8"), usedforsecurity=False).hexdigest()  # nosec
 
 
 class CertificateKeyPair(SerializerModel, ManagedModel, CreatedUpdatedModel):

authentik/endpoints/connectors/agent/tests/test_stage.py

@@ -1,5 +1,6 @@
 from hashlib import sha256
 from json import loads
+from unittest.mock import PropertyMock, patch
 
 from django.urls import reverse
 from jwt import encode
@@ -232,3 +233,43 @@ class TestEndpointStage(FlowTestCase):
         plan = plan()
         self.assertNotIn(PLAN_CONTEXT_AGENT_ENDPOINT_CHALLENGE, plan.context)
         self.assertEqual(plan.context[PLAN_CONTEXT_DEVICE], self.device)
+
+    def test_endpoint_stage_connector_no_stage_optional(self):
+        flow = create_test_flow()
+        stage = EndpointStage.objects.create(connector=self.connector, mode=StageMode.OPTIONAL)
+        FlowStageBinding.objects.create(stage=stage, target=flow, order=0)
+
+        with patch(
+            "authentik.endpoints.connectors.agent.models.AgentConnector.stage",
+            PropertyMock(return_value=None),
+        ):
+            with self.assertFlowFinishes() as plan:
+                res = self.client.get(
+                    reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
+                )
+                self.assertStageRedirects(res, reverse("authentik_core:root-redirect"))
+            plan = plan()
+            self.assertNotIn(PLAN_CONTEXT_AGENT_ENDPOINT_CHALLENGE, plan.context)
+            self.assertNotIn(PLAN_CONTEXT_DEVICE, plan.context)
+
+    def test_endpoint_stage_connector_no_stage_required(self):
+        flow = create_test_flow()
+        stage = EndpointStage.objects.create(connector=self.connector, mode=StageMode.REQUIRED)
+        FlowStageBinding.objects.create(stage=stage, target=flow, order=0)
+
+        with patch(
+            "authentik.endpoints.connectors.agent.models.AgentConnector.stage",
+            PropertyMock(return_value=None),
+        ):
+            with self.assertFlowFinishes() as plan:
+                res = self.client.get(
+                    reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
+                )
+                self.assertStageResponse(
+                    res,
+                    component="ak-stage-access-denied",
+                    error_message="Invalid stage configuration",
+                )
+            plan = plan()
+            self.assertNotIn(PLAN_CONTEXT_AGENT_ENDPOINT_CHALLENGE, plan.context)
+            self.assertNotIn(PLAN_CONTEXT_DEVICE, plan.context)

authentik/endpoints/stage.py

@@ -1,4 +1,4 @@
-from authentik.endpoints.models import EndpointStage
+from authentik.endpoints.models import EndpointStage, StageMode
 from authentik.flows.stage import StageView
 
 PLAN_CONTEXT_ENDPOINT_CONNECTOR = "endpoint_connector"
@@ -6,15 +6,24 @@ PLAN_CONTEXT_ENDPOINT_CONNECTOR = "endpoint_connector"
 
 class EndpointStageView(StageView):
 
-    def _get_inner(self):
+    def _get_inner(self) -> StageView | None:
         stage: EndpointStage = self.executor.current_stage
         inner_stage: type[StageView] | None = stage.connector.stage
         if not inner_stage:
-            return self.executor.stage_ok()
+            return None
         return inner_stage(self.executor, request=self.request)
 
     def dispatch(self, request, *args, **kwargs):
-        return self._get_inner().dispatch(request, *args, **kwargs)
+        inner = self._get_inner()
+        if inner is None:
+            stage: EndpointStage = self.executor.current_stage
+            if stage.mode == StageMode.OPTIONAL:
+                return self.executor.stage_ok()
+            else:
+                return self.executor.stage_invalid("Invalid stage configuration")
+        return inner.dispatch(request, *args, **kwargs)
 
     def cleanup(self):
-        return self._get_inner().cleanup()
+        inner = self._get_inner()
+        if inner is not None:
+            return inner.cleanup()

authentik/enterprise/license.py

@@ -15,6 +15,7 @@ from django.core.cache import cache
 from django.db.models.query import QuerySet
 from django.utils.timezone import now
 from jwt import PyJWTError, decode, get_unverified_header
+from jwt.algorithms import ECAlgorithm
 from rest_framework.exceptions import ValidationError
 from rest_framework.fields import (
     ChoiceField,
@@ -109,13 +110,20 @@ class LicenseKey:
             intermediate.verify_directly_issued_by(get_licensing_key())
         except InvalidSignature, TypeError, ValueError, Error:
             raise ValidationError("Unable to verify license") from None
+        _validate_curve_original = ECAlgorithm._validate_curve
         try:
+            # authentik's license are generated with `algorithm="ES512"` and signed with
+            # a key of curve `secp384r1`. Starting with version 2.11.0, pyjwt enforces the spec, see
+            # https://github.com/jpadilla/pyjwt/commit/5b8622773358e56d3d3c0a9acf404809ff34433a
+            # authentik will change its license generation to `algorithm="ES384"` in 2026.
+            # TODO: remove this when the last incompatible license runs out.
+            ECAlgorithm._validate_curve = lambda *_: True
             body = from_dict(
                 LicenseKey,
                 decode(
                     jwt,
                     our_cert.public_key(),
-                    algorithms=["ES512"],
+                    algorithms=["ES384", "ES512"],
                     audience=get_license_aud(),
                     options={"verify_exp": check_expiry, "verify_signature": check_expiry},
                 ),
@@ -125,6 +133,8 @@ class LicenseKey:
             if unverified["aud"] != get_license_aud():
                 raise ValidationError("Invalid Install ID in license") from None
             raise ValidationError("Unable to verify license") from None
+        finally:
+            ECAlgorithm._validate_curve = _validate_curve_original
         return body
 
     @staticmethod

authentik/enterprise/lifecycle/api/iterations.py

@@ -1,11 +1,11 @@
-from datetime import date
+from datetime import datetime
 
 from django.db.models import BooleanField as ModelBooleanField
 from django.db.models import Case, Q, Value, When
 from django_filters.rest_framework import BooleanFilter, FilterSet
-from drf_spectacular.utils import extend_schema, extend_schema_field
+from drf_spectacular.utils import extend_schema
 from rest_framework.decorators import action
-from rest_framework.fields import DateField, IntegerField, SerializerMethodField
+from rest_framework.fields import IntegerField, SerializerMethodField
 from rest_framework.mixins import CreateModelMixin
 from rest_framework.request import Request
 from rest_framework.response import Response
@@ -21,6 +21,7 @@ from authentik.enterprise.lifecycle.utils import (
     ReviewerUserSerializer,
     admin_link_for_model,
     parse_content_type,
+    start_of_day,
 )
 from authentik.lib.utils.time import timedelta_from_string
 
@@ -67,13 +68,13 @@ class LifecycleIterationSerializer(EnterpriseRequiredMixin, ModelSerializer):
     def get_object_admin_url(self, iteration: LifecycleIteration) -> str:
         return admin_link_for_model(iteration.object)
 
-    @extend_schema_field(DateField())
-    def get_grace_period_end(self, iteration: LifecycleIteration) -> date:
-        return iteration.opened_on + timedelta_from_string(iteration.rule.grace_period)
+    def get_grace_period_end(self, iteration: LifecycleIteration) -> datetime:
+        return start_of_day(
+            iteration.opened_on + timedelta_from_string(iteration.rule.grace_period)
+        )
 
-    @extend_schema_field(DateField())
-    def get_next_review_date(self, iteration: LifecycleIteration):
-        return iteration.opened_on + timedelta_from_string(iteration.rule.interval)
+    def get_next_review_date(self, iteration: LifecycleIteration) -> datetime:
+        return start_of_day(iteration.opened_on + timedelta_from_string(iteration.rule.interval))
 
     def get_user_can_review(self, iteration: LifecycleIteration) -> bool:
         return iteration.user_can_review(self.context["request"].user)
@@ -102,7 +103,7 @@ class IterationViewSet(EnterpriseRequiredMixin, CreateModelMixin, GenericViewSet
                 default=Value(False),
                 output_field=ModelBooleanField(),
             )
-        )
+        ).distinct()
 
     @action(
         detail=False,

authentik/enterprise/lifecycle/migrations/0002_alter_lifecycleiteration_opened_on.py

@@ -0,0 +1,18 @@
+# Generated by Django 5.2.11 on 2026-02-13 09:33
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_lifecycle", "0001_initial"),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="lifecycleiteration",
+            name="opened_on",
+            field=models.DateTimeField(auto_now_add=True),
+        ),
+    ]

authentik/enterprise/lifecycle/models.py

@@ -1,3 +1,4 @@
+from datetime import timedelta
 from uuid import uuid4
 
 from django.contrib.contenttypes.fields import GenericForeignKey
@@ -13,7 +14,7 @@ from rest_framework.serializers import BaseSerializer
 
 from authentik.blueprints.models import ManagedModel
 from authentik.core.models import Group, User
-from authentik.enterprise.lifecycle.utils import link_for_model
+from authentik.enterprise.lifecycle.utils import link_for_model, start_of_day
 from authentik.events.models import Event, EventAction, NotificationSeverity, NotificationTransport
 from authentik.lib.models import SerializerModel
 from authentik.lib.utils.time import timedelta_from_string, timedelta_string_validator
@@ -98,7 +99,9 @@ class LifecycleRule(SerializerModel):
 
     def _get_newly_overdue_iterations(self) -> QuerySet[LifecycleIteration]:
         return self.lifecycleiteration_set.filter(
-            opened_on__lte=timezone.now() - timedelta_from_string(self.grace_period),
+            opened_on__lt=start_of_day(
+                timezone.now() + timedelta(days=1) - timedelta_from_string(self.grace_period)
+            ),
             state=ReviewState.PENDING,
         )
 
@@ -106,7 +109,9 @@ class LifecycleRule(SerializerModel):
         recent_iteration_ids = LifecycleIteration.objects.filter(
             content_type=self.content_type,
             object_id__isnull=False,
-            opened_on__gte=timezone.now() - timedelta_from_string(self.interval),
+            opened_on__gte=start_of_day(
+                timezone.now() + timedelta(days=1) - timedelta_from_string(self.interval)
+            ),
         ).values_list(Cast("object_id", output_field=self._get_pk_field()), flat=True)
 
         return self.get_objects().exclude(pk__in=recent_iteration_ids)
@@ -186,7 +191,7 @@ class LifecycleIteration(SerializerModel, ManagedModel):
     rule = models.ForeignKey(LifecycleRule, null=True, on_delete=models.SET_NULL)
 
     state = models.CharField(max_length=10, choices=ReviewState, default=ReviewState.PENDING)
-    opened_on = models.DateField(auto_now_add=True)
+    opened_on = models.DateTimeField(auto_now_add=True)
 
     class Meta:
         indexes = [models.Index(fields=["content_type", "opened_on"])]

authentik/enterprise/lifecycle/tests/test_models.py

@@ -1,3 +1,4 @@
+import datetime as dt
 from datetime import timedelta
 from unittest.mock import patch
 
@@ -319,7 +320,7 @@ class TestLifecycleModels(TestCase):
             content_type=content_type, object_id=str(app_one.pk), rule=rule_overdue
         )
         LifecycleIteration.objects.filter(pk=iteration.pk).update(
-            opened_on=(timezone.now().date() - timedelta(days=20))
+            opened_on=(timezone.now() - timedelta(days=20))
         )
 
         # Apply again to trigger overdue logic
@@ -383,7 +384,7 @@ class TestLifecycleModels(TestCase):
             content_type=content_type, object_id=str(app_overdue.pk), rule=rule_overdue
         )
         LifecycleIteration.objects.filter(pk=overdue_iteration.pk).update(
-            opened_on=(timezone.now().date() - timedelta(days=20))
+            opened_on=(timezone.now() - timedelta(days=20))
         )
 
         # Apply overdue rule to mark iteration as overdue
@@ -667,3 +668,178 @@ class TestLifecycleModels(TestCase):
         reviewers = list(rule.get_reviewers())
         self.assertIn(explicit_reviewer, reviewers)
         self.assertIn(group_member, reviewers)
+
+
+class TestLifecycleDateBoundaries(TestCase):
+    """Verify that start_of_day normalization ensures correct overdue/due
+    detection regardless of exact task execution time within a day.
+
+    The daily task may run at any point during the day. The start_of_day
+    normalization in _get_newly_overdue_iterations and _get_newly_due_objects
+    ensures that the boundary is always at midnight, so millisecond variations
+    in task execution time do not affect results."""
+
+    def _create_rule_and_iteration(self, grace_period="days=1", interval="days=365"):
+        app = Application.objects.create(name=generate_id(), slug=generate_id())
+        content_type = ContentType.objects.get_for_model(Application)
+        rule = LifecycleRule.objects.create(
+            name=generate_id(),
+            content_type=content_type,
+            object_id=str(app.pk),
+            interval=interval,
+            grace_period=grace_period,
+        )
+        iteration = LifecycleIteration.objects.get(
+            content_type=content_type, object_id=str(app.pk), rule=rule
+        )
+        return app, rule, iteration
+
+    def test_overdue_iteration_opened_yesterday(self):
+        """grace_period=1 day: iteration opened yesterday at any time is overdue today."""
+        _, rule, iteration = self._create_rule_and_iteration(grace_period="days=1")
+        fixed_now = dt.datetime(2025, 6, 15, 14, 30, 0, tzinfo=dt.UTC)
+        for opened_on in [
+            dt.datetime(2025, 6, 14, 0, 0, 0, tzinfo=dt.UTC),
+            dt.datetime(2025, 6, 14, 12, 0, 0, tzinfo=dt.UTC),
+            dt.datetime(2025, 6, 14, 23, 59, 59, 999999, tzinfo=dt.UTC),
+        ]:
+            with self.subTest(opened_on=opened_on):
+                LifecycleIteration.objects.filter(pk=iteration.pk).update(
+                    opened_on=opened_on, state=ReviewState.PENDING
+                )
+                with patch("django.utils.timezone.now", return_value=fixed_now):
+                    self.assertIn(iteration, list(rule._get_newly_overdue_iterations()))
+
+    def test_not_overdue_iteration_opened_today(self):
+        """grace_period=1 day: iteration opened today at any time is NOT overdue."""
+        _, rule, iteration = self._create_rule_and_iteration(grace_period="days=1")
+        fixed_now = dt.datetime(2025, 6, 15, 14, 30, 0, tzinfo=dt.UTC)
+        for opened_on in [
+            dt.datetime(2025, 6, 15, 0, 0, 0, tzinfo=dt.UTC),
+            dt.datetime(2025, 6, 15, 14, 30, 0, tzinfo=dt.UTC),
+            dt.datetime(2025, 6, 15, 23, 59, 59, 999999, tzinfo=dt.UTC),
+        ]:
+            with self.subTest(opened_on=opened_on):
+                LifecycleIteration.objects.filter(pk=iteration.pk).update(
+                    opened_on=opened_on, state=ReviewState.PENDING
+                )
+                with patch("django.utils.timezone.now", return_value=fixed_now):
+                    self.assertNotIn(iteration, list(rule._get_newly_overdue_iterations()))
+
+    def test_overdue_independent_of_task_execution_time(self):
+        """Overdue detection gives the same result whether the task runs at 00:00:01 or 23:59:59."""
+        _, rule, iteration = self._create_rule_and_iteration(grace_period="days=1")
+        opened_on = dt.datetime(2025, 6, 14, 18, 0, 0, tzinfo=dt.UTC)
+        LifecycleIteration.objects.filter(pk=iteration.pk).update(
+            opened_on=opened_on, state=ReviewState.PENDING
+        )
+        for task_time in [
+            dt.datetime(2025, 6, 15, 0, 0, 1, tzinfo=dt.UTC),
+            dt.datetime(2025, 6, 15, 12, 0, 0, tzinfo=dt.UTC),
+            dt.datetime(2025, 6, 15, 23, 59, 59, tzinfo=dt.UTC),
+        ]:
+            with self.subTest(task_time=task_time):
+                with patch("django.utils.timezone.now", return_value=task_time):
+                    self.assertIn(iteration, list(rule._get_newly_overdue_iterations()))
+
+    def test_overdue_boundary_multi_day_grace_period(self):
+        """grace_period=30 days: overdue after 30 full days, not after 29."""
+        _, rule, iteration = self._create_rule_and_iteration(grace_period="days=30")
+        fixed_now = dt.datetime(2025, 6, 15, 14, 30, 0, tzinfo=dt.UTC)
+
+        # Opened 30 days ago (May 16), should go overdue
+        LifecycleIteration.objects.filter(pk=iteration.pk).update(
+            opened_on=dt.datetime(2025, 5, 16, 12, 0, 0, tzinfo=dt.UTC),
+            state=ReviewState.PENDING,
+        )
+        with patch("django.utils.timezone.now", return_value=fixed_now):
+            self.assertIn(iteration, list(rule._get_newly_overdue_iterations()))
+
+        # Opened 29 days ago (May 17), should NOT go overdue
+        LifecycleIteration.objects.filter(pk=iteration.pk).update(
+            opened_on=dt.datetime(2025, 5, 17, 12, 0, 0, tzinfo=dt.UTC),
+            state=ReviewState.PENDING,
+        )
+        with patch("django.utils.timezone.now", return_value=fixed_now):
+            self.assertNotIn(iteration, list(rule._get_newly_overdue_iterations()))
+
+    def test_due_object_iteration_opened_yesterday(self):
+        """interval=1 day: object with iteration opened yesterday is due for a new review."""
+        app, rule, iteration = self._create_rule_and_iteration(interval="days=1")
+        fixed_now = dt.datetime(2025, 6, 15, 14, 30, 0, tzinfo=dt.UTC)
+        for opened_on in [
+            dt.datetime(2025, 6, 14, 0, 0, 0, tzinfo=dt.UTC),
+            dt.datetime(2025, 6, 14, 12, 0, 0, tzinfo=dt.UTC),
+            dt.datetime(2025, 6, 14, 23, 59, 59, 999999, tzinfo=dt.UTC),
+        ]:
+            with self.subTest(opened_on=opened_on):
+                LifecycleIteration.objects.filter(pk=iteration.pk).update(opened_on=opened_on)
+                with patch("django.utils.timezone.now", return_value=fixed_now):
+                    self.assertIn(app, list(rule._get_newly_due_objects()))
+
+    def test_not_due_object_iteration_opened_today(self):
+        """interval=1 day: object with iteration opened today is NOT due."""
+        app, rule, iteration = self._create_rule_and_iteration(interval="days=1")
+        fixed_now = dt.datetime(2025, 6, 15, 14, 30, 0, tzinfo=dt.UTC)
+        for opened_on in [
+            dt.datetime(2025, 6, 15, 0, 0, 0, tzinfo=dt.UTC),
+            dt.datetime(2025, 6, 15, 14, 30, 0, tzinfo=dt.UTC),
+            dt.datetime(2025, 6, 15, 23, 59, 59, 999999, tzinfo=dt.UTC),
+        ]:
+            with self.subTest(opened_on=opened_on):
+                LifecycleIteration.objects.filter(pk=iteration.pk).update(opened_on=opened_on)
+                with patch("django.utils.timezone.now", return_value=fixed_now):
+                    self.assertNotIn(app, list(rule._get_newly_due_objects()))
+
+    def test_due_independent_of_task_execution_time(self):
+        """Due detection gives the same result whether the task runs at 00:00:01 or 23:59:59."""
+        app, rule, iteration = self._create_rule_and_iteration(interval="days=1")
+        opened_on = dt.datetime(2025, 6, 14, 18, 0, 0, tzinfo=dt.UTC)
+        LifecycleIteration.objects.filter(pk=iteration.pk).update(opened_on=opened_on)
+        for task_time in [
+            dt.datetime(2025, 6, 15, 0, 0, 1, tzinfo=dt.UTC),
+            dt.datetime(2025, 6, 15, 12, 0, 0, tzinfo=dt.UTC),
+            dt.datetime(2025, 6, 15, 23, 59, 59, tzinfo=dt.UTC),
+        ]:
+            with self.subTest(task_time=task_time):
+                with patch("django.utils.timezone.now", return_value=task_time):
+                    self.assertIn(app, list(rule._get_newly_due_objects()))
+
+    def test_due_boundary_multi_day_interval(self):
+        """interval=30 days: due after 30 full days, not after 29."""
+        app, rule, iteration = self._create_rule_and_iteration(interval="days=30")
+        fixed_now = dt.datetime(2025, 6, 15, 14, 30, 0, tzinfo=dt.UTC)
+
+        # Previous review opened 30 days ago (May 16), review is due for the object
+        LifecycleIteration.objects.filter(pk=iteration.pk).update(
+            opened_on=dt.datetime(2025, 5, 16, 12, 0, 0, tzinfo=dt.UTC)
+        )
+        with patch("django.utils.timezone.now", return_value=fixed_now):
+            self.assertIn(app, list(rule._get_newly_due_objects()))
+
+        # Previous review opened 29 days ago (May 17), new review is NOT due
+        LifecycleIteration.objects.filter(pk=iteration.pk).update(
+            opened_on=dt.datetime(2025, 5, 17, 12, 0, 0, tzinfo=dt.UTC)
+        )
+        with patch("django.utils.timezone.now", return_value=fixed_now):
+            self.assertNotIn(app, list(rule._get_newly_due_objects()))
+
+    def test_apply_overdue_at_boundary(self):
+        """apply() marks iteration overdue when grace period just expired,
+        regardless of what time the daily task runs."""
+        _, rule, iteration = self._create_rule_and_iteration(
+            grace_period="days=1", interval="days=365"
+        )
+        opened_on = dt.datetime(2025, 6, 14, 20, 0, 0, tzinfo=dt.UTC)
+        for task_time in [
+            dt.datetime(2025, 6, 15, 0, 0, 1, tzinfo=dt.UTC),
+            dt.datetime(2025, 6, 15, 23, 59, 59, tzinfo=dt.UTC),
+        ]:
+            with self.subTest(task_time=task_time):
+                LifecycleIteration.objects.filter(pk=iteration.pk).update(
+                    opened_on=opened_on, state=ReviewState.PENDING
+                )
+                with patch("django.utils.timezone.now", return_value=task_time):
+                    rule.apply()
+                iteration.refresh_from_db()
+                self.assertEqual(iteration.state, ReviewState.OVERDUE)

authentik/enterprise/lifecycle/utils.py

@@ -1,3 +1,4 @@
+from datetime import datetime
 from urllib import parse
 
 from django.contrib.contenttypes.models import ContentType
@@ -39,6 +40,10 @@ def link_for_model(model: Model) -> str:
     return f"{reverse("authentik_core:if-admin")}#{admin_link_for_model(model)}"
 
 
+def start_of_day(dt: datetime) -> datetime:
+    return dt.replace(hour=0, minute=0, second=0, microsecond=0)
+
+
 class ContentTypeField(ChoiceField):
     def __init__(self, **kwargs):
         super().__init__(choices=model_choices(), **kwargs)

authentik/enterprise/providers/microsoft_entra/clients/users.py

@@ -78,7 +78,8 @@ class MicrosoftEntraUserClient(MicrosoftEntraSyncClient[User, MicrosoftEntraProv
     def create(self, user: User):
         """Create user from scratch and create a connection object"""
         microsoft_user = self.to_schema(user, None)
-        self.check_email_valid(microsoft_user.user_principal_name)
+        if microsoft_user.user_principal_name:
+            self.check_email_valid(microsoft_user.user_principal_name)
         with transaction.atomic():
             try:
                 response = self._request(self.client.users.post(microsoft_user))
@@ -118,7 +119,8 @@ class MicrosoftEntraUserClient(MicrosoftEntraSyncClient[User, MicrosoftEntraProv
     def update(self, user: User, connection: MicrosoftEntraProviderUser):
         """Update existing user"""
         microsoft_user = self.to_schema(user, connection)
-        self.check_email_valid(microsoft_user.user_principal_name)
+        if microsoft_user.user_principal_name:
+            self.check_email_valid(microsoft_user.user_principal_name)
         response = self._request(
             self.client.users.by_user_id(connection.microsoft_id).patch(microsoft_user)
         )

authentik/enterprise/providers/ws_federation/api/providers.py

@@ -5,6 +5,7 @@ from django.urls import reverse
 from rest_framework.fields import CharField, SerializerMethodField, URLField
 
 from authentik.core.api.providers import ProviderSerializer
+from authentik.core.models import Provider
 from authentik.enterprise.api import EnterpriseRequiredMixin
 from authentik.enterprise.providers.ws_federation.models import WSFederationProvider
 from authentik.enterprise.providers.ws_federation.processors.metadata import MetadataProcessor
@@ -18,6 +19,29 @@ class WSFederationProviderSerializer(EnterpriseRequiredMixin, SAMLProviderSerial
     wtrealm = CharField(source="audience")
     url_wsfed = SerializerMethodField()
 
+    def get_url_download_metadata(self, instance: WSFederationProvider) -> str:
+        """Get metadata download URL"""
+        if "request" not in self._context:
+            return ""
+        request: HttpRequest = self._context["request"]._request
+        try:
+            return request.build_absolute_uri(
+                reverse(
+                    "authentik_providers_ws_federation:metadata-download",
+                    kwargs={"application_slug": instance.application.slug},
+                )
+            )
+        except Provider.application.RelatedObjectDoesNotExist:
+            return request.build_absolute_uri(
+                reverse(
+                    "authentik_api:wsfederationprovider-metadata",
+                    kwargs={
+                        "pk": instance.pk,
+                    },
+                )
+                + "?download"
+            )
+
     def get_url_wsfed(self, instance: WSFederationProvider) -> str:
         """Get WS-Fed url"""
         if "request" not in self._context:

authentik/enterprise/providers/ws_federation/processors/sign_in.py

@@ -81,6 +81,8 @@ class SignInProcessor:
         self.sign_in_request = sign_in_request
         self.saml_processor = AssertionProcessor(self.provider, self.request, AuthNRequest())
         self.saml_processor.provider.audience = self.sign_in_request.wtrealm
+        if self.provider.signing_kp:
+            self.saml_processor.provider.sign_assertion = True
 
     def create_response_token(self):
         root = Element(f"{{{NS_WS_FED_TRUST}}}RequestSecurityTokenResponse", nsmap=NS_MAP)
@@ -148,7 +150,8 @@ class SignInProcessor:
     def response(self) -> dict[str, str]:
         root = self.create_response_token()
         assertion = root.xpath("//saml:Assertion", namespaces=NS_MAP)[0]
-        self.saml_processor._sign(assertion)
+        if self.provider.signing_kp:
+            self.saml_processor._sign(assertion)
         str_token = etree.tostring(root).decode("utf-8")  # nosec
         return delete_none_values(
             {

authentik/enterprise/providers/ws_federation/urls.py

@@ -3,7 +3,7 @@
 from django.urls import path
 
 from authentik.enterprise.providers.ws_federation.api.providers import WSFederationProviderViewSet
-from authentik.enterprise.providers.ws_federation.views import WSFedEntryView
+from authentik.enterprise.providers.ws_federation.views import MetadataDownload, WSFedEntryView
 
 urlpatterns = [
     path(
@@ -11,6 +11,12 @@ urlpatterns = [
         WSFedEntryView.as_view(),
         name="wsfed",
     ),
+    # Metadata
+    path(
+        "<slug:application_slug>/metadata/",
+        MetadataDownload.as_view(),
+        name="metadata-download",
+    ),
 ]
 
 api_urlpatterns = [

authentik/enterprise/providers/ws_federation/views.py

@@ -1,6 +1,8 @@
 from django.http import Http404, HttpRequest, HttpResponse
-from django.shortcuts import get_object_or_404
+from django.shortcuts import get_object_or_404, redirect
+from django.urls import reverse
 from django.utils.translation import gettext as _
+from django.views import View
 from structlog.stdlib import get_logger
 
 from authentik.core.models import Application, AuthenticatedSession
@@ -160,3 +162,24 @@ class WSFedFlowFinalView(ChallengeStageView):
                 "attrs": response,
             },
         )
+
+
+class MetadataDownload(View):
+    """Redirect to metadata download"""
+
+    def dispatch(self, request: HttpRequest, application_slug: str) -> HttpResponse:
+        app = Application.objects.filter(slug=application_slug).with_provider().first()
+        if not app:
+            raise Http404
+        provider = app.get_provider()
+        if not provider:
+            raise Http404
+        return redirect(
+            reverse(
+                "authentik_api:wsfederationprovider-metadata",
+                kwargs={
+                    "pk": provider.pk,
+                },
+            )
+            + "?download"
+        )

authentik/flows/apps.py

@@ -29,6 +29,12 @@ class RefreshOtherFlowsAfterAuthentication(Flag[bool], key="flows_refresh_others
     visibility = "public"
 
 
+class ContinuousLogin(Flag[bool], key="flows_continuous_login"):
+
+    default = False
+    visibility = "public"
+
+
 class AuthentikFlowsConfig(ManagedAppConfig):
     """authentik flows app config"""
 

authentik/flows/templates/if/flow.html

@@ -9,7 +9,15 @@
 {{ block.super }}
 <link rel="prefetch" href="{{ flow_background_url }}" />
 {% if flow.compatibility_mode and not inspector %}
-<script data-id="shady-dom">ShadyDOM = { force: true };</script>
+{% comment %}
+    @see {@link web/types/webcomponents.d.ts} for type definitions.
+{% endcomment %}
+<script data-id="shady-dom">
+    "use strict";
+
+    window.ShadyDOM = window.ShadyDOM || {}
+    window.ShadyDOM.force = true
+</script>
 {% endif %}
 {% include "base/header_js.html" %}
 <script data-id="flow-config">
@@ -45,16 +53,11 @@
                             slug="{{ flow.slug }}"
                             class="pf-c-login"
                             data-layout="{{ flow.layout|default:'stacked' }}"
+                            loading
                         >
                             {% include "base/placeholder.html" %}
 
-                            <ak-brand-links
-                                slot="footer"
-                                exportparts="list:brand-links-list, list-item:brand-links-list-item"
-                                role="contentinfo"
-                                aria-label="{% trans 'Site footer' %}"
-                                class="pf-c-login__footer {% if flow.layout == 'stacked' %}pf-m-dark{% endif %}"
-                            ></ak-brand-links>
+                            <ak-brand-links name="flow-links" slot="footer"></ak-brand-links>
                         </ak-flow-executor>
                     </div>
                 </div>

authentik/lib/default.yml

@@ -141,6 +141,10 @@ web:
   # workers: 2
   threads: 4
   path: /
+  timeout_http_read_header: 5s
+  timeout_http_read: 30s
+  timeout_http_write: 60s
+  timeout_http_idle: 120s
 
 worker:
   processes: 1
@@ -162,6 +166,7 @@ storage:
     # region: "us-east-1"
     # use_ssl: True
     # endpoint: "https://s3.us-east-1.amazonaws.com"
+    # signature_version: "s3v4"
     # access_key: ""
     # secret_key: ""
     # bucket_name: "authentik-data"

authentik/lib/expression/evaluator.py

@@ -42,7 +42,7 @@ ARG_SANITIZE = re.compile(r"[:.-]")
 
 
 def sanitize_arg(arg_name: str) -> str:
-    return re.sub(ARG_SANITIZE, "_", arg_name)
+    return re.sub(ARG_SANITIZE, "_", slugify(arg_name))
 
 
 class BaseEvaluator:
@@ -311,7 +311,9 @@ class BaseEvaluator:
 
     def wrap_expression(self, expression: str) -> str:
         """Wrap expression in a function, call it, and save the result as `result`"""
-        handler_signature = ",".join(sanitize_arg(x) for x in self._context.keys())
+        handler_signature = ",".join(
+            [x for x in [sanitize_arg(x) for x in self._context.keys()] if x]
+        )
         full_expression = ""
         full_expression += f"def handler({handler_signature}):\n"
         full_expression += indent(expression, "    ")

authentik/lib/tests/test_evaluator.py

@@ -1,5 +1,6 @@
 """Test Evaluator base functions"""
 
+from pathlib import Path
 from unittest.mock import patch
 
 from django.test import RequestFactory, TestCase
@@ -353,3 +354,18 @@ class TestEvaluator(TestCase):
         self.assertEqual(message.to, ["to@example.com"])
         self.assertEqual(message.cc, ["cc1@example.com", "cc2@example.com"])
         self.assertEqual(message.bcc, ["bcc1@example.com", "bcc2@example.com"])
+
+    def test_expr_arg_escape(self):
+        """Test escaping of arguments"""
+        eval = BaseEvaluator()
+        eval._context = {
+            'z=getattr(getattr(__import__("os"), "popen")("id > /tmp/test"), "read")()': "bar",
+            "@@": "baz",
+            "{{": "baz",
+            "aa@@": "baz",
+        }
+        res = eval.evaluate("return locals()")
+        self.assertEqual(
+            res, {"zgetattrgetattr__import__os_popenid_tmptest_read": "bar", "aa": "baz"}
+        )
+        self.assertFalse(Path("/tmp/test").exists())

authentik/lib/tests/test_utils_inheritance.py

@@ -0,0 +1,119 @@
+"""Tests for inheritance helpers."""
+
+from contextlib import contextmanager
+
+from django.db import connection, models
+from django.test import TransactionTestCase
+from django.test.utils import isolate_apps
+
+from authentik.lib.utils.inheritance import get_deepest_child
+
+
+@contextmanager
+def temporary_inheritance_models():
+    """Create a temporary multi-table inheritance graph for testing."""
+    with isolate_apps("authentik.lib.tests"):
+
+        class GrandParent(models.Model):
+            class Meta:
+                app_label = "tests"
+
+            def __str__(self) -> str:
+                return f"GrandParent({self.pk})"
+
+        class Parent(GrandParent):
+            class Meta:
+                app_label = "tests"
+
+            def __str__(self) -> str:
+                return f"Parent({self.pk})"
+
+        class Child(Parent):
+            class Meta:
+                app_label = "tests"
+
+            def __str__(self) -> str:
+                return f"Child({self.pk})"
+
+        class GrandChild(Child):
+            class Meta:
+                app_label = "tests"
+
+            def __str__(self) -> str:
+                return f"GrandChild({self.pk})"
+
+        with connection.schema_editor() as schema_editor:
+            schema_editor.create_model(GrandParent)
+            schema_editor.create_model(Parent)
+            schema_editor.create_model(Child)
+            schema_editor.create_model(GrandChild)
+
+        try:
+            yield GrandParent, Parent, Child, GrandChild
+        finally:
+            with connection.schema_editor() as schema_editor:
+                schema_editor.delete_model(GrandChild)
+                schema_editor.delete_model(Child)
+                schema_editor.delete_model(Parent)
+                schema_editor.delete_model(GrandParent)
+
+
+class TestInheritanceUtils(TransactionTestCase):
+    """Tests for helper functions in authentik.lib.utils.inheritance."""
+
+    def test_get_deepest_child_grandparent_to_parent(self):
+        """GrandParent -> Parent."""
+        with temporary_inheritance_models() as (GrandParent, Parent, _Child, _GrandChild):
+            parent = Parent.objects.create()
+            grandparent = GrandParent.objects.get(pk=parent.pk)
+
+            resolved = get_deepest_child(grandparent)
+
+            self.assertIsInstance(resolved, Parent)
+            self.assertEqual(resolved.pk, parent.pk)
+
+    def test_get_deepest_child_grandparent_to_child(self):
+        """GrandParent -> Child."""
+        with temporary_inheritance_models() as (GrandParent, _Parent, Child, _GrandChild):
+            child = Child.objects.create()
+            grandparent = GrandParent.objects.get(pk=child.pk)
+
+            resolved = get_deepest_child(grandparent)
+
+            self.assertIsInstance(resolved, Child)
+            self.assertEqual(resolved.pk, child.pk)
+
+    def test_get_deepest_child_grandparent_to_grandchild(self):
+        """GrandParent -> GrandChild."""
+        with temporary_inheritance_models() as (GrandParent, _Parent, _Child, GrandChild):
+            grandchild = GrandChild.objects.create()
+            grandparent = GrandParent.objects.get(pk=grandchild.pk)
+
+            resolved = get_deepest_child(grandparent)
+
+            self.assertIsInstance(resolved, GrandChild)
+            self.assertEqual(resolved.pk, grandchild.pk)
+
+    def test_get_deepest_child_parent_to_child(self):
+        """Parent -> Child (start from non-root)."""
+        with temporary_inheritance_models() as (_GrandParent, Parent, Child, _GrandChild):
+            child = Child.objects.create()
+            parent = Parent.objects.get(pk=child.pk)
+
+            resolved = get_deepest_child(parent)
+
+            self.assertIsInstance(resolved, Child)
+            self.assertEqual(resolved.pk, child.pk)
+
+    def test_get_deepest_child_no_queries_with_preloaded_relations(self):
+        """No extra queries when the inheritance chain is fully select_related."""
+        with temporary_inheritance_models() as (GrandParent, _Parent, _Child, GrandChild):
+            grandchild = GrandChild.objects.create()
+            grandparent = GrandParent.objects.select_related("parent__child__grandchild").get(
+                pk=grandchild.pk
+            )
+
+            with self.assertNumQueries(0):
+                resolved = get_deepest_child(grandparent)
+
+            self.assertIsInstance(resolved, GrandChild)

authentik/lib/utils/inheritance.py

@@ -0,0 +1,41 @@
+from django.db.models import Model, OneToOneField, OneToOneRel
+
+
+def get_deepest_child(parent: Model) -> Model:
+    """
+    In multiple table inheritance, given any ancestor object, get the deepest child object.
+    See https://docs.djangoproject.com/en/dev/topics/db/models/#multi-table-inheritance
+
+    This function does not query the database if `select_related` has been performed on all
+    subclasses of `parent`'s model.
+    """
+
+    # Almost verbatim copy from django-model-utils, see
+    # https://github.com/jazzband/django-model-utils/blob/5.0.0/model_utils/managers.py#L132
+    one_to_one_rels = [
+        field for field in parent._meta.get_fields() if isinstance(field, OneToOneRel)
+    ]
+
+    submodel_fields = [
+        rel
+        for rel in one_to_one_rels
+        if isinstance(rel.field, OneToOneField)
+        and issubclass(rel.field.model, parent._meta.model)
+        and parent._meta.model is not rel.field.model
+        and rel.parent_link
+    ]
+
+    submodel_accessors = [submodel_field.get_accessor_name() for submodel_field in submodel_fields]
+    # End Copy
+
+    child = None
+    for submodel in submodel_accessors:
+        try:
+            child = getattr(parent, submodel)
+            break
+        except AttributeError:
+            continue
+
+    if not child:
+        return parent
+    return get_deepest_child(child)

authentik/policies/engine.py

@@ -132,9 +132,14 @@ class PolicyEngine:
             # If we didn't find any static bindings, do nothing
             return
         self.logger.debug("P_ENG: Found static bindings", **matched_bindings)
-        if matched_bindings.get("passing", 0) > 0:
-            # Any passing static binding -> passing
-            passing = True
+        if self.mode == PolicyEngineMode.MODE_ANY:
+            if matched_bindings.get("passing", 0) > 0:
+                # Any passing static binding -> passing
+                passing = True
+        elif self.mode == PolicyEngineMode.MODE_ALL:
+            if matched_bindings.get("passing", 0) == matched_bindings["total"]:
+                # All static bindings are passing -> passing
+                passing = True
         elif matched_bindings["total"] > 0 and matched_bindings.get("passing", 0) < 1:
             # No matching static bindings but at least one is configured -> not passing
             passing = False
@@ -185,6 +190,16 @@ class PolicyEngine:
                 # Only call .recv() if no result is saved, otherwise we just deadlock here
                 if not proc_info.result:
                     proc_info.result = proc_info.connection.recv()
+                if proc_info.result and proc_info.result._exec_time:
+                    HIST_POLICIES_EXECUTION_TIME.labels(
+                        binding_order=proc_info.binding.order,
+                        binding_target_type=proc_info.binding.target_type,
+                        binding_target_name=proc_info.binding.target_name,
+                        object_type=(
+                            class_to_path(self.request.obj.__class__) if self.request.obj else ""
+                        ),
+                        mode="execute_process",
+                    ).observe(proc_info.result._exec_time)
             return self
 
     @property

authentik/policies/process.py

@@ -2,6 +2,7 @@
 
 from multiprocessing import get_context
 from multiprocessing.connection import Connection
+from time import perf_counter
 
 from django.core.cache import cache
 from sentry_sdk import start_span
@@ -11,8 +12,6 @@ from structlog.stdlib import get_logger
 from authentik.events.models import Event, EventAction
 from authentik.lib.config import CONFIG
 from authentik.lib.utils.errors import exception_to_dict
-from authentik.lib.utils.reflection import class_to_path
-from authentik.policies.apps import HIST_POLICIES_EXECUTION_TIME
 from authentik.policies.exceptions import PolicyException
 from authentik.policies.models import PolicyBinding
 from authentik.policies.types import CACHE_PREFIX, PolicyRequest, PolicyResult
@@ -123,18 +122,9 @@ class PolicyProcess(PROCESS_CLASS):
 
     def profiling_wrapper(self):
         """Run with profiling enabled"""
-        with (
-            start_span(
-                op="authentik.policy.process.execute",
-            ) as span,
-            HIST_POLICIES_EXECUTION_TIME.labels(
-                binding_order=self.binding.order,
-                binding_target_type=self.binding.target_type,
-                binding_target_name=self.binding.target_name,
-                object_type=class_to_path(self.request.obj.__class__) if self.request.obj else "",
-                mode="execute_process",
-            ).time(),
-        ):
+        with start_span(
+            op="authentik.policy.process.execute",
+        ) as span:
             span: Span
             span.set_data("policy", self.binding.policy)
             span.set_data("request", self.request)
@@ -142,8 +132,14 @@ class PolicyProcess(PROCESS_CLASS):
 
     def run(self):  # pragma: no cover
         """Task wrapper to run policy checking"""
+        result = None
         try:
-            self.connection.send(self.profiling_wrapper())
+            start = perf_counter()
+            result = self.profiling_wrapper()
+            end = perf_counter()
+            result._exec_time = max((end - start), 0)
         except Exception as exc:  # noqa
             LOGGER.warning("Policy failed to run", exc=exc)
-            self.connection.send(PolicyResult(False, str(exc)))
+            result = PolicyResult(False, str(exc))
+        finally:
+            self.connection.send(result)

authentik/policies/tests/test_engine.py

@@ -33,6 +33,9 @@ class TestPolicyEngine(TestCase):
         self.policy_raises = ExpressionPolicy.objects.create(
             name=generate_id(), expression="{{ 0/0 }}"
         )
+        self.group_member = Group.objects.create(name=generate_id())
+        self.user.groups.add(self.group_member)
+        self.group_non_member = Group.objects.create(name=generate_id())
 
     def test_engine_empty(self):
         """Ensure empty policy list passes"""
@@ -51,7 +54,7 @@ class TestPolicyEngine(TestCase):
         self.assertEqual(result.passing, True)
         self.assertEqual(result.messages, ("dummy",))
 
-    def test_engine_mode_all(self):
+    def test_engine_mode_all_dyn(self):
         """Ensure all policies passes with AND mode (false and true -> false)"""
         pbm = PolicyBindingModel.objects.create(policy_engine_mode=PolicyEngineMode.MODE_ALL)
         PolicyBinding.objects.create(target=pbm, policy=self.policy_false, order=0)
@@ -67,7 +70,7 @@ class TestPolicyEngine(TestCase):
             ),
         )
 
-    def test_engine_mode_any(self):
+    def test_engine_mode_any_dyn(self):
         """Ensure all policies passes with OR mode (false and true -> true)"""
         pbm = PolicyBindingModel.objects.create(policy_engine_mode=PolicyEngineMode.MODE_ANY)
         PolicyBinding.objects.create(target=pbm, policy=self.policy_false, order=0)
@@ -83,6 +86,26 @@ class TestPolicyEngine(TestCase):
             ),
         )
 
+    def test_engine_mode_all_static(self):
+        """Ensure all policies passes with OR mode (false and true -> true)"""
+        pbm = PolicyBindingModel.objects.create(policy_engine_mode=PolicyEngineMode.MODE_ALL)
+        PolicyBinding.objects.create(target=pbm, group=self.group_member, order=0)
+        PolicyBinding.objects.create(target=pbm, group=self.group_non_member, order=1)
+        engine = PolicyEngine(pbm, self.user)
+        result = engine.build().result
+        self.assertEqual(result.passing, False)
+        self.assertEqual(result.messages, ())
+
+    def test_engine_mode_any_static(self):
+        """Ensure all policies passes with OR mode (false and true -> true)"""
+        pbm = PolicyBindingModel.objects.create(policy_engine_mode=PolicyEngineMode.MODE_ANY)
+        PolicyBinding.objects.create(target=pbm, group=self.group_member, order=0)
+        PolicyBinding.objects.create(target=pbm, group=self.group_non_member, order=1)
+        engine = PolicyEngine(pbm, self.user)
+        result = engine.build().result
+        self.assertEqual(result.passing, True)
+        self.assertEqual(result.messages, ())
+
     def test_engine_negate(self):
         """Test negate flag"""
         pbm = PolicyBindingModel.objects.create()

authentik/policies/types.py

@@ -77,6 +77,8 @@ class PolicyResult:
 
     log_messages: list[LogEvent] | None
 
+    _exec_time: int | None
+
     def __init__(self, passing: bool, *messages: str):
         self.passing = passing
         self.messages = messages
@@ -84,6 +86,7 @@ class PolicyResult:
         self.source_binding = None
         self.source_results = []
         self.log_messages = []
+        self._exec_time = None
 
     def __repr__(self):
         return self.__str__()

authentik/providers/iframe_logout.py

@@ -1,19 +1,31 @@
 """Shared logout stages for SAML and OIDC providers"""
 
 from django.http import HttpResponse
-from rest_framework.fields import CharField, DictField, ListField
+from rest_framework.fields import CharField, ListField
 
 from authentik.common.oauth.constants import PLAN_CONTEXT_OIDC_LOGOUT_IFRAME_SESSIONS
+from authentik.core.api.utils import PassiveSerializer
 from authentik.flows.challenge import Challenge, ChallengeResponse
 from authentik.flows.stage import ChallengeStageView
 from authentik.providers.saml.views.flows import PLAN_CONTEXT_SAML_LOGOUT_IFRAME_SESSIONS
 
 
+class LogoutURL(PassiveSerializer):
+    """Data for a single logout URL"""
+
+    url = CharField()
+    provider_name = CharField(required=False, allow_null=True)
+    binding = CharField(required=False, allow_null=True)
+    saml_request = CharField(required=False, allow_null=True)
+    saml_response = CharField(required=False, allow_null=True)
+    saml_relay_state = CharField(required=False, allow_null=True)
+
+
 class IframeLogoutChallenge(Challenge):
     """Challenge for iframe logout"""
 
     component = CharField(default="ak-provider-iframe-logout")
-    logout_urls = ListField(child=DictField(), default=list)
+    logout_urls = ListField(child=LogoutURL(), default=list)
 
 
 class IframeLogoutChallengeResponse(ChallengeResponse):

authentik/providers/oauth2/id_token.py

@@ -68,6 +68,8 @@ class IDToken:
     at_hash: str | None = None
     # Session ID, https://openid.net/specs/openid-connect-frontchannel-1_0.html#ClaimsContents
     sid: str | None = None
+    # JWT ID, https://www.rfc-editor.org/rfc/rfc7519.html#section-4.1.7
+    jti: str | None = None
 
     claims: dict[str, Any] = field(default_factory=dict)
 
@@ -81,6 +83,7 @@ class IDToken:
             (token.expires if token.expires is not None else default_token_duration()).timestamp()
         )
         id_token.iss = provider.get_issuer(request)
+        id_token.jti = generate_id()
         id_token.aud = provider.client_id
         id_token.claims = {}
 

authentik/providers/oauth2/tests/test_authorize.py

@@ -5,6 +5,7 @@ from urllib.parse import parse_qs, urlparse
 
 from django.test import RequestFactory
 from django.urls import reverse
+from django.utils import translation
 from django.utils.timezone import now
 
 from authentik.blueprints.tests import apply_blueprint
@@ -690,18 +691,21 @@ class TestAuthorize(OAuthTestCase):
         Application.objects.create(name="app", slug="app", provider=provider)
         state = generate_id()
         self.client.logout()
-        response = self.client.get(
-            reverse("authentik_providers_oauth2:authorize"),
-            data={
-                "response_type": "code",
-                "client_id": "test",
-                "state": state,
-                "redirect_uri": "foo://localhost",
-                "ui_locales": "invalid fr",
-            },
-        )
-        parsed = parse_qs(urlparse(response.url).query)
-        self.assertEqual(parsed["locale"], ["fr"])
+        try:
+            response = self.client.get(
+                reverse("authentik_providers_oauth2:authorize"),
+                data={
+                    "response_type": "code",
+                    "client_id": "test",
+                    "state": state,
+                    "redirect_uri": "foo://localhost",
+                    "ui_locales": "invalid fr",
+                },
+            )
+            parsed = parse_qs(urlparse(response.url).query)
+            self.assertEqual(parsed["locale"], ["fr"])
+        finally:
+            translation.deactivate()
 
     @apply_blueprint("default/flow-default-authentication-flow.yaml")
     def test_ui_locales_invalid(self):

authentik/providers/oauth2/tests/test_device_backchannel.py

@@ -1,5 +1,6 @@
 """Device backchannel tests"""
 
+from base64 import b64encode
 from json import loads
 
 from django.urls import reverse
@@ -26,7 +27,7 @@ class TesOAuth2DeviceBackchannel(OAuthTestCase):
             provider=self.provider,
         )
 
-    def test_backchannel_invalid(self):
+    def test_backchannel_invalid_client_id_via_post_body(self):
         """Test backchannel"""
         res = self.client.post(
             reverse("authentik_providers_oauth2:device"),
@@ -50,7 +51,7 @@ class TesOAuth2DeviceBackchannel(OAuthTestCase):
         )
         self.assertEqual(res.status_code, 400)
 
-    def test_backchannel(self):
+    def test_backchannel_client_id_via_post_body(self):
         """Test backchannel"""
         res = self.client.post(
             reverse("authentik_providers_oauth2:device"),
@@ -61,3 +62,37 @@ class TesOAuth2DeviceBackchannel(OAuthTestCase):
         self.assertEqual(res.status_code, 200)
         body = loads(res.content.decode())
         self.assertEqual(body["expires_in"], 60)
+
+    def test_backchannel_invalid_client_id_via_auth_header(self):
+        """Test backchannel"""
+        creds = b64encode(b"foo:").decode()
+        res = self.client.post(
+            reverse("authentik_providers_oauth2:device"),
+            HTTP_AUTHORIZATION=f"Basic {creds}",
+        )
+        self.assertEqual(res.status_code, 400)
+        res = self.client.post(
+            reverse("authentik_providers_oauth2:device"),
+        )
+        self.assertEqual(res.status_code, 400)
+        # test without application
+        self.application.provider = None
+        self.application.save()
+        res = self.client.post(
+            reverse("authentik_providers_oauth2:device"),
+            data={
+                "client_id": "test",
+            },
+        )
+        self.assertEqual(res.status_code, 400)
+
+    def test_backchannel_client_id_via_auth_header(self):
+        """Test backchannel"""
+        creds = b64encode(f"{self.provider.client_id}:".encode()).decode()
+        res = self.client.post(
+            reverse("authentik_providers_oauth2:device"),
+            HTTP_AUTHORIZATION=f"Basic {creds}",
+        )
+        self.assertEqual(res.status_code, 200)
+        body = loads(res.content.decode())
+        self.assertEqual(body["expires_in"], 60)

authentik/providers/oauth2/views/authorize.py

@@ -432,7 +432,7 @@ class AuthorizationFlowInitView(BufferedPolicyAccessView):
         return response
 
     def dispatch(self, request: HttpRequest, *args, **kwargs):
-        # Activate language before parsing params (error messages should be localised)
+        # Activate language before parsing params (error messages should be localized)
         return self.dispatch_with_language(request, *args, **kwargs)
 
     def get(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:

authentik/providers/oauth2/views/device_backchannel.py

@@ -16,7 +16,7 @@ from authentik.lib.config import CONFIG
 from authentik.lib.utils.time import timedelta_from_string
 from authentik.providers.oauth2.errors import DeviceCodeError
 from authentik.providers.oauth2.models import DeviceToken, OAuth2Provider
-from authentik.providers.oauth2.utils import TokenResponse
+from authentik.providers.oauth2.utils import TokenResponse, extract_client_auth
 from authentik.providers.oauth2.views.device_init import QS_KEY_CODE
 
 LOGGER = get_logger()
@@ -32,7 +32,7 @@ class DeviceView(View):
 
     def parse_request(self):
         """Parse incoming request"""
-        client_id = self.request.POST.get("client_id", None)
+        client_id, _ = extract_client_auth(self.request)
         if not client_id:
             raise DeviceCodeError("invalid_client")
         provider = OAuth2Provider.objects.filter(client_id=client_id).first()

authentik/providers/oauth2/views/token.py

@@ -368,7 +368,7 @@ class TokenParams:
     ) -> tuple[dict, OAuthSource] | tuple[None, None]:
         # Fully decode the JWT without verifying the signature, so we can get access to
         # the header.
-        # Get the Key ID from the header, and use that to optimise our source query to only find
+        # Get the Key ID from the header, and use that to optimize our source query to only find
         # sources that have a JWK for that Key ID
         # The Key ID doesn't have a fixed format, but must match between an issued JWT
         # and whatever is returned by the JWKS endpoint

authentik/providers/saml/api/providers.py

@@ -213,6 +213,7 @@ class SAMLProviderSerializer(ProviderSerializer):
             "sign_assertion",
             "sign_response",
             "sign_logout_request",
+            "sign_logout_response",
             "sp_binding",
             "sls_binding",
             "logout_method",

authentik/providers/saml/migrations/0021_samlprovider_sign_logout_response.py

@@ -0,0 +1,18 @@
+# Generated by Django 5.2.7 on 2025-10-24 18:15
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_providers_saml", "0020_samlprovider_logout_method_and_more"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="samlprovider",
+            name="sign_logout_response",
+            field=models.BooleanField(default=False),
+        ),
+    ]

authentik/providers/saml/models.py

@@ -227,6 +227,7 @@ class SAMLProvider(Provider):
     sign_assertion = models.BooleanField(default=True)
     sign_response = models.BooleanField(default=False)
     sign_logout_request = models.BooleanField(default=False)
+    sign_logout_response = models.BooleanField(default=False)
 
     @property
     def launch_url(self) -> str | None:

authentik/providers/saml/native_logout.py

@@ -1,11 +1,12 @@
 """SAML Logout stages for automatic injection"""
 
 from django.http import HttpResponse
-from rest_framework.fields import BooleanField, CharField
+from rest_framework.fields import BooleanField, CharField, ChoiceField
 from structlog.stdlib import get_logger
 
 from authentik.flows.challenge import Challenge, ChallengeResponse, HttpChallengeResponse
 from authentik.flows.stage import ChallengeStageView
+from authentik.providers.saml.models import SAMLBindings
 from authentik.providers.saml.views.flows import PLAN_CONTEXT_SAML_LOGOUT_NATIVE_SESSIONS
 
 LOGGER = get_logger()
@@ -19,14 +20,17 @@ class NativeLogoutChallenge(Challenge):
     """Challenge for native browser logout"""
 
     component = CharField(default="ak-provider-saml-native-logout")
-    post_url = CharField(required=False)
-    saml_request = CharField(required=False)
-    relay_state = CharField(required=False)
     provider_name = CharField(required=False)
-    binding = CharField(required=False)
-    redirect_url = CharField(required=False)
     is_complete = BooleanField(required=False, default=False)
 
+    post_url = CharField(required=False)
+    redirect_url = CharField(required=False)
+
+    saml_binding = ChoiceField(choices=SAMLBindings.choices, required=False)
+    saml_request = CharField(required=False)
+    saml_response = CharField(required=False)
+    saml_relay_state = CharField(required=False)
+
 
 class NativeLogoutChallengeResponse(ChallengeResponse):
     """Response for native browser logout"""

authentik/providers/saml/processors/logout_response_processor.py

@@ -0,0 +1,196 @@
+"""LogoutResponse processor"""
+
+import base64
+from urllib.parse import quote, urlencode
+
+import xmlsec
+from lxml import etree
+from lxml.etree import Element, SubElement
+
+from authentik.common.saml.constants import (
+    DIGEST_ALGORITHM_TRANSLATION_MAP,
+    NS_MAP,
+    NS_SAML_ASSERTION,
+    NS_SAML_PROTOCOL,
+    SIGN_ALGORITHM_TRANSFORM_MAP,
+)
+from authentik.providers.saml.models import SAMLProvider
+from authentik.providers.saml.processors.logout_request_parser import LogoutRequest
+from authentik.providers.saml.utils import get_random_id
+from authentik.providers.saml.utils.encoding import deflate_and_base64_encode
+from authentik.providers.saml.utils.time import get_time_string
+
+
+class LogoutResponseProcessor:
+    """Generate a SAML LogoutResponse"""
+
+    provider: SAMLProvider
+    logout_request: LogoutRequest
+    destination: str | None
+    relay_state: str | None
+    _issue_instant: str
+    _response_id: str
+
+    def __init__(
+        self,
+        provider: SAMLProvider,
+        logout_request: LogoutRequest,
+        destination: str | None = None,
+        relay_state: str | None = None,
+    ):
+        self.provider = provider
+        self.logout_request = logout_request
+        self.destination = destination
+        self.relay_state = relay_state or (logout_request.relay_state if logout_request else None)
+        self._issue_instant = get_time_string()
+        self._response_id = get_random_id()
+
+    def get_issuer(self) -> Element:
+        """Get Issuer element"""
+        issuer = Element(f"{{{NS_SAML_ASSERTION}}}Issuer")
+        issuer.text = self.provider.issuer
+        return issuer
+
+    def build(self, status: str = "Success") -> Element:
+        """Build a SAML LogoutResponse as etree Element"""
+        response = Element(f"{{{NS_SAML_PROTOCOL}}}LogoutResponse", nsmap=NS_MAP)
+        response.attrib["Version"] = "2.0"
+        response.attrib["IssueInstant"] = self._issue_instant
+        response.attrib["ID"] = self._response_id
+
+        if self.destination:
+            response.attrib["Destination"] = self.destination
+
+        if self.logout_request and self.logout_request.id:
+            response.attrib["InResponseTo"] = self.logout_request.id
+
+        response.append(self.get_issuer())
+
+        # Add Status element
+        status_element = SubElement(response, f"{{{NS_SAML_PROTOCOL}}}Status")
+        status_code = SubElement(status_element, f"{{{NS_SAML_PROTOCOL}}}StatusCode")
+        status_code.attrib["Value"] = f"urn:oasis:names:tc:SAML:2.0:status:{status}"
+
+        return response
+
+    def build_response(self, status: str = "Success") -> str:
+        """Build and sign LogoutResponse, return as XML string (not encoded)"""
+        response = self.build(status)
+        if self.provider.signing_kp and self.provider.sign_logout_response:
+            self._add_signature(response)
+            self._sign_response(response)
+        return etree.tostring(response).decode()
+
+    def encode_post(self, status: str = "Success") -> str:
+        """Encode LogoutResponse for POST binding"""
+        response = self.build(status)
+        if self.provider.signing_kp and self.provider.sign_logout_response:
+            self._add_signature(response)
+            self._sign_response(response)
+        return base64.b64encode(etree.tostring(response)).decode()
+
+    def encode_redirect(self, status: str = "Success") -> str:
+        """Encode LogoutResponse for Redirect binding"""
+        response = self.build(status)
+        # Note: For redirect binding, signatures are added as query parameters, not in XML
+        xml_str = etree.tostring(response, encoding="UTF-8", xml_declaration=True)
+        return deflate_and_base64_encode(xml_str.decode("UTF-8"))
+
+    def get_redirect_url(self, status: str = "Success") -> str:
+        """Build complete logout response URL for redirect binding with signature if needed"""
+        encoded_response = self.encode_redirect(status)
+        params = {
+            "SAMLResponse": encoded_response,
+        }
+
+        if self.relay_state:
+            params["RelayState"] = self.relay_state
+
+        if self.provider.signing_kp and self.provider.sign_logout_response:
+            sig_alg = self.provider.signature_algorithm
+            params["SigAlg"] = sig_alg
+
+            # Build the string to sign
+            query_string = self._build_signable_query_string(params)
+
+            signature = self._sign_query_string(query_string)
+            params["Signature"] = base64.b64encode(signature).decode()
+
+        # Some SP's use query params on their sls endpoint
+        if not self.destination:
+            raise ValueError("destination is required for redirect URL")
+
+        separator = "&" if "?" in self.destination else "?"
+        return f"{self.destination}{separator}{urlencode(params)}"
+
+    def _add_signature(self, element: Element):
+        """Add signature placeholder to element"""
+        sign_algorithm_transform = SIGN_ALGORITHM_TRANSFORM_MAP.get(
+            self.provider.signature_algorithm, xmlsec.constants.TransformRsaSha1
+        )
+        signature = xmlsec.template.create(
+            element,
+            xmlsec.constants.TransformExclC14N,
+            sign_algorithm_transform,
+            ns=xmlsec.constants.DSigNs,
+        )
+        element.insert(1, signature)  # Insert after Issuer
+
+    def _sign_response(self, response: Element):
+        """Sign the response element"""
+        digest_algorithm_transform = DIGEST_ALGORITHM_TRANSLATION_MAP.get(
+            self.provider.digest_algorithm, xmlsec.constants.TransformSha1
+        )
+
+        xmlsec.tree.add_ids(response, ["ID"])
+        signature_node = xmlsec.tree.find_node(response, xmlsec.constants.NodeSignature)
+
+        ref = xmlsec.template.add_reference(
+            signature_node,
+            digest_algorithm_transform,
+            uri="#" + response.attrib["ID"],
+        )
+        xmlsec.template.add_transform(ref, xmlsec.constants.TransformEnveloped)
+        xmlsec.template.add_transform(ref, xmlsec.constants.TransformExclC14N)
+        key_info = xmlsec.template.ensure_key_info(signature_node)
+        xmlsec.template.add_x509_data(key_info)
+
+        ctx = xmlsec.SignatureContext()
+        ctx.key = xmlsec.Key.from_memory(
+            self.provider.signing_kp.key_data,  # Use key_data for the private key
+            xmlsec.constants.KeyDataFormatPem,
+        )
+        ctx.key.load_cert_from_memory(
+            self.provider.signing_kp.certificate_data, xmlsec.constants.KeyDataFormatPem
+        )
+        ctx.sign(signature_node)
+
+    def _build_signable_query_string(self, params: dict) -> str:
+        """Build query string for signing (order matters per SAML spec)"""
+        # SAML spec requires specific order: SAMLResponse, RelayState, SigAlg
+        # Values must be URL-encoded individually before concatenation
+        ordered = []
+        if "SAMLResponse" in params:
+            ordered.append(f"SAMLResponse={quote(params['SAMLResponse'], safe='')}")
+        if "RelayState" in params:
+            ordered.append(f"RelayState={quote(params['RelayState'], safe='')}")
+        if "SigAlg" in params:
+            ordered.append(f"SigAlg={quote(params['SigAlg'], safe='')}")
+        return "&".join(ordered)
+
+    def _sign_query_string(self, query_string: str) -> bytes:
+        """Sign the query string for redirect binding"""
+        signature_algorithm_transform = SIGN_ALGORITHM_TRANSFORM_MAP.get(
+            self.provider.signature_algorithm, xmlsec.constants.TransformRsaSha256
+        )
+
+        key = xmlsec.Key.from_memory(
+            self.provider.signing_kp.key_data,
+            xmlsec.constants.KeyDataFormatPem,
+            None,
+        )
+
+        ctx = xmlsec.SignatureContext()
+        ctx.key = key
+
+        return ctx.sign_binary(query_string.encode("utf-8"), signature_algorithm_transform)

authentik/providers/saml/signals.py

@@ -175,16 +175,16 @@ def handle_flow_pre_user_logout(
                 logout_data = {
                     "post_url": session.provider.sls_url,
                     "saml_request": form_data["SAMLRequest"],
-                    "relay_state": form_data["RelayState"],
+                    "saml_relay_state": form_data["RelayState"],
                     "provider_name": session.provider.name,
-                    "binding": SAMLBindings.POST,
+                    "saml_binding": SAMLBindings.POST,
                 }
             else:
                 logout_url = processor.get_redirect_url()
                 logout_data = {
                     "redirect_url": logout_url,
                     "provider_name": session.provider.name,
-                    "binding": SAMLBindings.REDIRECT,
+                    "saml_binding": SAMLBindings.REDIRECT,
                 }
 
             native_sessions.append(logout_data)

authentik/providers/saml/tasks.py

@@ -5,8 +5,11 @@ from django.contrib.auth import get_user_model
 from dramatiq.actor import actor
 from structlog.stdlib import get_logger
 
+from authentik.events.models import Event, EventAction
 from authentik.providers.saml.models import SAMLProvider
 from authentik.providers.saml.processors.logout_request import LogoutRequestProcessor
+from authentik.providers.saml.processors.logout_request_parser import LogoutRequest
+from authentik.providers.saml.processors.logout_response_processor import LogoutResponseProcessor
 
 LOGGER = get_logger()
 User = get_user_model()
@@ -78,3 +81,86 @@ def send_post_logout_request(provider: SAMLProvider, processor: LogoutRequestPro
     )
 
     return True
+
+
+@actor(description="Send SAML LogoutResponse to a Service Provider (backchannel)")
+def send_saml_logout_response(
+    provider_pk: int,
+    sls_url: str,
+    logout_request_id: str | None = None,
+    relay_state: str | None = None,
+):
+    """Send SAML LogoutResponse to a Service Provider using backchannel (server-to-server)"""
+    provider = SAMLProvider.objects.filter(pk=provider_pk).first()
+    if not provider:
+        LOGGER.error(
+            "Provider not found for SAML logout response",
+            provider_pk=provider_pk,
+        )
+        return False
+
+    LOGGER.debug(
+        "Sending backchannel SAML logout response",
+        provider=provider.name,
+        sls_url=sls_url,
+    )
+
+    # Create a minimal LogoutRequest object for the response processor
+    # We only need the ID and relay_state for building the response
+    logout_request = None
+    if logout_request_id:
+        logout_request = LogoutRequest()
+        logout_request.id = logout_request_id
+        logout_request.relay_state = relay_state
+
+    # Build the logout response
+    processor = LogoutResponseProcessor(
+        provider=provider,
+        logout_request=logout_request,
+        destination=sls_url,
+        relay_state=relay_state,
+    )
+
+    encoded_response = processor.encode_post()
+
+    form_data = {
+        "SAMLResponse": encoded_response,
+    }
+
+    if relay_state:
+        form_data["RelayState"] = relay_state
+
+    # Send the logout response to the SP
+    try:
+        response = requests.post(
+            sls_url,
+            data=form_data,
+            timeout=10,
+            headers={
+                "Content-Type": "application/x-www-form-urlencoded",
+            },
+            allow_redirects=True,
+        )
+        response.raise_for_status()
+
+        LOGGER.info(
+            "Successfully sent backchannel logout response to SP",
+            provider=provider.name,
+            sls_url=sls_url,
+            status_code=response.status_code,
+        )
+        return True
+
+    except requests.exceptions.RequestException as exc:
+        LOGGER.warning(
+            "Failed to send backchannel logout response to SP",
+            provider=provider.name,
+            sls_url=sls_url,
+            error=str(exc),
+        )
+        Event.new(
+            EventAction.CONFIGURATION_ERROR,
+            provider=provider,
+            message=f"Backchannel logout response failed: {str(exc)}",
+        ).save()
+        return False

authentik/providers/saml/tests/test_idp_logout.py

@@ -69,7 +69,7 @@ class TestNativeLogoutStageView(TestCase):
             {
                 "redirect_url": "https://sp1.example.com/sls?SAMLRequest=encoded",
                 "provider_name": "test-provider-1",
-                "binding": "redirect",
+                "saml_binding": "redirect",
             }
         ]
         stage_view = NativeLogoutStageView(
@@ -85,7 +85,7 @@ class TestNativeLogoutStageView(TestCase):
 
         # Should return a NativeLogoutChallenge
         self.assertIsInstance(challenge, NativeLogoutChallenge)
-        self.assertEqual(challenge.initial_data["binding"], "redirect")
+        self.assertEqual(challenge.initial_data["saml_binding"], "redirect")
         self.assertEqual(challenge.initial_data["provider_name"], "test-provider-1")
         self.assertIn("redirect_url", challenge.initial_data)
 
@@ -102,9 +102,9 @@ class TestNativeLogoutStageView(TestCase):
             {
                 "post_url": "https://sp2.example.com/sls",
                 "saml_request": "encoded_saml_request",
-                "relay_state": "https://idp.example.com/flow/test-flow",
+                "saml_relay_state": "https://idp.example.com/flow/test-flow",
                 "provider_name": "test-provider-2",
-                "binding": "post",
+                "saml_binding": "post",
             }
         ]
         stage_view = NativeLogoutStageView(
@@ -120,11 +120,11 @@ class TestNativeLogoutStageView(TestCase):
 
         # Should return a NativeLogoutChallenge
         self.assertIsInstance(challenge, NativeLogoutChallenge)
-        self.assertEqual(challenge.initial_data["binding"], "post")
+        self.assertEqual(challenge.initial_data["saml_binding"], "post")
         self.assertEqual(challenge.initial_data["provider_name"], "test-provider-2")
         self.assertEqual(challenge.initial_data["post_url"], "https://sp2.example.com/sls")
         self.assertIn("saml_request", challenge.initial_data)
-        self.assertIn("relay_state", challenge.initial_data)
+        self.assertIn("saml_relay_state", challenge.initial_data)
 
     def test_get_challenge_all_complete(self):
         """Test get_challenge when all providers are done"""

authentik/providers/saml/tests/test_logout_response_processor.py

@@ -0,0 +1,139 @@
+"""logout response tests"""
+
+from defusedxml import ElementTree
+from django.test import TestCase
+
+from authentik.blueprints.tests import apply_blueprint
+from authentik.common.saml.constants import (
+    NS_SAML_ASSERTION,
+    NS_SAML_PROTOCOL,
+    NS_SIGNATURE,
+)
+from authentik.core.tests.utils import create_test_cert, create_test_flow
+from authentik.providers.saml.models import SAMLPropertyMapping, SAMLProvider
+from authentik.providers.saml.processors.logout_request_parser import LogoutRequest
+from authentik.providers.saml.processors.logout_response_processor import LogoutResponseProcessor
+
+
+class TestLogoutResponse(TestCase):
+    """Test LogoutResponse processor"""
+
+    @apply_blueprint("system/providers-saml.yaml")
+    def setUp(self):
+        cert = create_test_cert()
+        self.provider: SAMLProvider = SAMLProvider.objects.create(
+            authorization_flow=create_test_flow(),
+            acs_url="http://testserver/source/saml/provider/acs/",
+            sls_url="http://testserver/source/saml/provider/sls/",
+            signing_kp=cert,
+            verification_kp=cert,
+        )
+        self.provider.property_mappings.set(SAMLPropertyMapping.objects.all())
+        self.provider.save()
+
+    def test_build_response(self):
+        """Test building a LogoutResponse"""
+        logout_request = LogoutRequest(
+            id="test-request-id",
+            issuer="test-sp",
+            relay_state="test-relay-state",
+        )
+
+        processor = LogoutResponseProcessor(
+            self.provider, logout_request, destination=self.provider.sls_url
+        )
+        response_xml = processor.build_response(status="Success")
+
+        # Parse and verify
+        root = ElementTree.fromstring(response_xml)
+        self.assertEqual(root.tag, f"{{{NS_SAML_PROTOCOL}}}LogoutResponse")
+        self.assertEqual(root.attrib["Version"], "2.0")
+        self.assertEqual(root.attrib["Destination"], self.provider.sls_url)
+        self.assertEqual(root.attrib["InResponseTo"], "test-request-id")
+
+        # Check Issuer
+        issuer = root.find(f"{{{NS_SAML_ASSERTION}}}Issuer")
+        self.assertEqual(issuer.text, self.provider.issuer)
+
+        # Check Status
+        status = root.find(f".//{{{NS_SAML_PROTOCOL}}}StatusCode")
+        self.assertEqual(status.attrib["Value"], "urn:oasis:names:tc:SAML:2.0:status:Success")
+
+    def test_build_response_signed(self):
+        """Test building a signed LogoutResponse"""
+        self.provider.sign_logout_response = True
+        self.provider.save()
+
+        logout_request = LogoutRequest(
+            id="test-request-id",
+            issuer="test-sp",
+            relay_state="test-relay-state",
+        )
+
+        processor = LogoutResponseProcessor(
+            self.provider, logout_request, destination=self.provider.sls_url
+        )
+        response_xml = processor.build_response(status="Success")
+
+        # Parse and verify signature is present
+        root = ElementTree.fromstring(response_xml)
+        signature = root.find(f".//{{{NS_SIGNATURE}}}Signature")
+        self.assertIsNotNone(signature)
+
+        # Verify signature structure
+        signed_info = signature.find(f"{{{NS_SIGNATURE}}}SignedInfo")
+        self.assertIsNotNone(signed_info)
+        signature_value = signature.find(f"{{{NS_SIGNATURE}}}SignatureValue")
+        self.assertIsNotNone(signature_value)
+        self.assertIsNotNone(signature_value.text)
+
+    def test_no_inresponseto(self):
+        """Test building response without a logout request omits InResponseTo attribute"""
+        processor = LogoutResponseProcessor(self.provider, None, destination=self.provider.sls_url)
+        response_xml = processor.build_response(status="Success")
+
+        root = ElementTree.fromstring(response_xml)
+        self.assertEqual(root.tag, f"{{{NS_SAML_PROTOCOL}}}LogoutResponse")
+        self.assertNotIn("InResponseTo", root.attrib)
+
+    def test_no_destination(self):
+        """Test building response without destination"""
+        logout_request = LogoutRequest(
+            id="test-request-id",
+            issuer="test-sp",
+        )
+
+        processor = LogoutResponseProcessor(self.provider, logout_request, destination=None)
+        response_xml = processor.build_response(status="Success")
+
+        root = ElementTree.fromstring(response_xml)
+        self.assertNotIn("Destination", root.attrib)
+
+    def test_relay_state_from_logout_request(self):
+        """Test that relay_state is taken from logout_request if not provided"""
+        logout_request = LogoutRequest(
+            id="test-request-id",
+            issuer="test-sp",
+            relay_state="request-relay-state",
+        )
+
+        processor = LogoutResponseProcessor(
+            self.provider, logout_request, destination=self.provider.sls_url
+        )
+        self.assertEqual(processor.relay_state, "request-relay-state")
+
+    def test_relay_state_override(self):
+        """Test that explicit relay_state overrides logout_request relay_state"""
+        logout_request = LogoutRequest(
+            id="test-request-id",
+            issuer="test-sp",
+            relay_state="request-relay-state",
+        )
+
+        processor = LogoutResponseProcessor(
+            self.provider,
+            logout_request,
+            destination=self.provider.sls_url,
+            relay_state="explicit-relay-state",
+        )
+        self.assertEqual(processor.relay_state, "explicit-relay-state")

authentik/providers/saml/tests/test_tasks.py

@@ -0,0 +1,291 @@
+"""Tests for SAML provider tasks"""
+
+from unittest.mock import MagicMock, patch
+
+from django.test import TestCase
+from requests.exceptions import ConnectionError, HTTPError
+
+from authentik.common.saml.constants import SAML_NAME_ID_FORMAT_EMAIL
+from authentik.core.tests.utils import create_test_cert, create_test_flow
+from authentik.providers.saml.models import SAMLProvider
+from authentik.providers.saml.tasks import (
+    send_post_logout_request,
+    send_saml_logout_request,
+    send_saml_logout_response,
+)
+
+
+class TestSendSamlLogoutResponse(TestCase):
+    """Tests for send_saml_logout_response task"""
+
+    def setUp(self):
+        """Set up test fixtures"""
+        self.cert = create_test_cert()
+        self.flow = create_test_flow()
+
+        self.provider = SAMLProvider.objects.create(
+            name="test-provider",
+            authorization_flow=self.flow,
+            acs_url="https://sp.example.com/acs",
+            sls_url="https://sp.example.com/sls",
+            issuer="https://idp.example.com",
+            signing_kp=self.cert,
+        )
+
+    @patch("authentik.providers.saml.tasks.requests.post")
+    def test_successful_logout_response(self, mock_post):
+        """Test successful POST to SP returns True"""
+        mock_response = MagicMock()
+        mock_response.status_code = 200
+        mock_response.raise_for_status = MagicMock()
+        mock_post.return_value = mock_response
+
+        result = send_saml_logout_response(
+            provider_pk=self.provider.pk,
+            sls_url=self.provider.sls_url,
+            logout_request_id="test-request-id",
+            relay_state="https://sp.example.com/return",
+        )
+
+        self.assertTrue(result)
+        mock_post.assert_called_once()
+
+        # Verify the POST was made with correct data
+        call_kwargs = mock_post.call_args[1]
+        self.assertEqual(call_kwargs["timeout"], 10)
+        self.assertEqual(
+            call_kwargs["headers"]["Content-Type"], "application/x-www-form-urlencoded"
+        )
+
+        # Verify form data contains SAMLResponse and RelayState
+        form_data = call_kwargs["data"]
+        self.assertIn("SAMLResponse", form_data)
+        self.assertIn("RelayState", form_data)
+        self.assertEqual(form_data["RelayState"], "https://sp.example.com/return")
+
+    @patch("authentik.providers.saml.tasks.requests.post")
+    def test_successful_logout_response_no_relay_state(self, mock_post):
+        """Test successful POST without relay_state"""
+        mock_response = MagicMock()
+        mock_response.status_code = 200
+        mock_response.raise_for_status = MagicMock()
+        mock_post.return_value = mock_response
+
+        result = send_saml_logout_response(
+            provider_pk=self.provider.pk,
+            sls_url=self.provider.sls_url,
+            logout_request_id="test-request-id",
+            relay_state=None,
+        )
+
+        self.assertTrue(result)
+
+        # Verify form data does not contain RelayState
+        form_data = mock_post.call_args[1]["data"]
+        self.assertIn("SAMLResponse", form_data)
+        self.assertNotIn("RelayState", form_data)
+
+    def test_provider_not_found(self):
+        """Test returns False when provider doesn't exist"""
+        result = send_saml_logout_response(
+            provider_pk=99999,  # Non-existent provider
+            sls_url="https://sp.example.com/sls",
+            logout_request_id="test-request-id",
+            relay_state=None,
+        )
+
+        self.assertFalse(result)
+
+    @patch("authentik.providers.saml.tasks.Event")
+    @patch("authentik.providers.saml.tasks.requests.post")
+    def test_http_error_creates_event(self, mock_post, mock_event_class):
+        """Test HTTP error creates an error event"""
+        mock_response = MagicMock()
+        mock_response.status_code = 500
+        mock_response.raise_for_status.side_effect = HTTPError("500 Server Error")
+        mock_post.return_value = mock_response
+
+        mock_event = MagicMock()
+        mock_event_class.new.return_value = mock_event
+
+        result = send_saml_logout_response(
+            provider_pk=self.provider.pk,
+            sls_url=self.provider.sls_url,
+            logout_request_id="test-request-id",
+            relay_state=None,
+        )
+
+        self.assertFalse(result)
+
+        # Verify error event was created
+        mock_event_class.new.assert_called_once()
+        call_kwargs = mock_event_class.new.call_args[1]
+        self.assertIn("Backchannel logout response failed", call_kwargs["message"])
+        mock_event.save.assert_called_once()
+
+
+class TestSendSamlLogoutRequest(TestCase):
+    """Tests for send_saml_logout_request task"""
+
+    def setUp(self):
+        """Set up test fixtures"""
+        self.cert = create_test_cert()
+        self.flow = create_test_flow()
+
+        self.provider = SAMLProvider.objects.create(
+            name="test-provider",
+            authorization_flow=self.flow,
+            acs_url="https://sp.example.com/acs",
+            sls_url="https://sp.example.com/sls",
+            issuer="https://idp.example.com",
+            signing_kp=self.cert,
+        )
+
+    @patch("authentik.providers.saml.tasks.requests.post")
+    def test_successful_logout_request(self, mock_post):
+        """Test successful POST logout request returns True"""
+        mock_response = MagicMock()
+        mock_response.status_code = 200
+        mock_response.raise_for_status = MagicMock()
+        mock_post.return_value = mock_response
+
+        result = send_saml_logout_request(
+            provider_pk=self.provider.pk,
+            sls_url=self.provider.sls_url,
+            name_id="test@example.com",
+            name_id_format=SAML_NAME_ID_FORMAT_EMAIL,
+            session_index="test-session-123",
+        )
+
+        self.assertTrue(result)
+        mock_post.assert_called_once()
+
+        # Verify the POST was made with correct data
+        call_kwargs = mock_post.call_args[1]
+        self.assertEqual(call_kwargs["timeout"], 10)
+        self.assertEqual(
+            call_kwargs["headers"]["Content-Type"], "application/x-www-form-urlencoded"
+        )
+
+        # Verify form data contains SAMLRequest
+        form_data = call_kwargs["data"]
+        self.assertIn("SAMLRequest", form_data)
+
+    def test_provider_not_found(self):
+        """Test returns False when provider doesn't exist"""
+        result = send_saml_logout_request(
+            provider_pk=99999,  # Non-existent provider
+            sls_url="https://sp.example.com/sls",
+            name_id="test@example.com",
+            name_id_format=SAML_NAME_ID_FORMAT_EMAIL,
+            session_index="test-session-123",
+        )
+
+        self.assertFalse(result)
+
+    @patch("authentik.providers.saml.tasks.requests.post")
+    def test_http_error_raises(self, mock_post):
+        """Test HTTP error raises exception (no try/catch in send_post_logout_request)"""
+        mock_response = MagicMock()
+        mock_response.status_code = 500
+        mock_response.raise_for_status.side_effect = HTTPError("500 Server Error")
+        mock_post.return_value = mock_response
+
+        with self.assertRaises(HTTPError):
+            send_saml_logout_request(
+                provider_pk=self.provider.pk,
+                sls_url=self.provider.sls_url,
+                name_id="test@example.com",
+                name_id_format=SAML_NAME_ID_FORMAT_EMAIL,
+                session_index="test-session-123",
+            )
+
+
+class TestSendPostLogoutRequest(TestCase):
+    """Tests for send_post_logout_request function"""
+
+    def setUp(self):
+        """Set up test fixtures"""
+        self.cert = create_test_cert()
+        self.flow = create_test_flow()
+
+        self.provider = SAMLProvider.objects.create(
+            name="test-provider",
+            authorization_flow=self.flow,
+            acs_url="https://sp.example.com/acs",
+            sls_url="https://sp.example.com/sls",
+            issuer="https://idp.example.com",
+            signing_kp=self.cert,
+        )
+
+    @patch("authentik.providers.saml.tasks.requests.post")
+    def test_successful_post(self, mock_post):
+        """Test successful POST returns True"""
+        from authentik.providers.saml.processors.logout_request import LogoutRequestProcessor
+
+        mock_response = MagicMock()
+        mock_response.status_code = 200
+        mock_response.raise_for_status = MagicMock()
+        mock_post.return_value = mock_response
+
+        processor = LogoutRequestProcessor(
+            provider=self.provider,
+            user=None,
+            destination=self.provider.sls_url,
+            name_id="test@example.com",
+            name_id_format=SAML_NAME_ID_FORMAT_EMAIL,
+            session_index="test-session-123",
+        )
+
+        result = send_post_logout_request(self.provider, processor)
+
+        self.assertTrue(result)
+        mock_post.assert_called_once()
+
+    @patch("authentik.providers.saml.tasks.requests.post")
+    def test_with_relay_state(self, mock_post):
+        """Test POST includes RelayState when present"""
+        from authentik.providers.saml.processors.logout_request import LogoutRequestProcessor
+
+        mock_response = MagicMock()
+        mock_response.status_code = 200
+        mock_response.raise_for_status = MagicMock()
+        mock_post.return_value = mock_response
+
+        processor = LogoutRequestProcessor(
+            provider=self.provider,
+            user=None,
+            destination=self.provider.sls_url,
+            name_id="test@example.com",
+            name_id_format=SAML_NAME_ID_FORMAT_EMAIL,
+            session_index="test-session-123",
+            relay_state="https://sp.example.com/return",
+        )
+
+        result = send_post_logout_request(self.provider, processor)
+
+        self.assertTrue(result)
+
+        # Verify RelayState is included
+        form_data = mock_post.call_args[1]["data"]
+        self.assertIn("RelayState", form_data)
+        self.assertEqual(form_data["RelayState"], "https://sp.example.com/return")
+
+    @patch("authentik.providers.saml.tasks.requests.post")
+    def test_connection_error_raises(self, mock_post):
+        """Test connection error raises exception"""
+        from authentik.providers.saml.processors.logout_request import LogoutRequestProcessor
+
+        mock_post.side_effect = ConnectionError("Connection refused")
+
+        processor = LogoutRequestProcessor(
+            provider=self.provider,
+            user=None,
+            destination=self.provider.sls_url,
+            name_id="test@example.com",
+            name_id_format=SAML_NAME_ID_FORMAT_EMAIL,
+            session_index="test-session-123",
+        )
+
+        with self.assertRaises(ConnectionError):
+            send_post_logout_request(self.provider, processor)

authentik/providers/saml/tests/test_views_sp_slo.py

@@ -8,13 +8,15 @@ from django.urls import reverse
 
 from authentik.common.saml.constants import SAML_NAME_ID_FORMAT_EMAIL
 from authentik.core.models import Application
-from authentik.core.tests.utils import create_test_brand, create_test_flow
+from authentik.core.tests.utils import create_test_brand, create_test_cert, create_test_flow
 from authentik.flows.planner import FlowPlan
 from authentik.flows.views.executor import SESSION_KEY_PLAN
 from authentik.providers.saml.exceptions import CannotHandleAssertion
-from authentik.providers.saml.models import SAMLProvider
+from authentik.providers.saml.models import SAMLBindings, SAMLLogoutMethods, SAMLProvider
 from authentik.providers.saml.processors.logout_request import LogoutRequestProcessor
-from authentik.providers.saml.views.flows import PLAN_CONTEXT_SAML_RELAY_STATE
+from authentik.providers.saml.views.flows import (
+    PLAN_CONTEXT_SAML_RELAY_STATE,
+)
 from authentik.providers.saml.views.sp_slo import (
     SPInitiatedSLOBindingPOSTView,
     SPInitiatedSLOBindingRedirectView,
@@ -436,3 +438,290 @@ class TestSPInitiatedSLOViews(TestCase):
         # Should treat it as plain URL and redirect to it
         self.assertEqual(response.status_code, 302)
         self.assertEqual(response.url, "/some/invalid/path")
+
+
+class TestSPInitiatedSLOLogoutMethods(TestCase):
+    """Test SP-initiated SAML SLO logout method branching"""
+
+    def setUp(self):
+        """Set up test fixtures"""
+        self.factory = RequestFactory()
+        self.brand = create_test_brand()
+        self.flow = create_test_flow()
+        self.invalidation_flow = create_test_flow()
+        self.cert = create_test_cert()
+
+        # Create provider with sls_url
+        self.provider = SAMLProvider.objects.create(
+            name="test-provider",
+            authorization_flow=self.flow,
+            invalidation_flow=self.invalidation_flow,
+            acs_url="https://sp.example.com/acs",
+            sls_url="https://sp.example.com/sls",
+            issuer="https://idp.example.com",
+            sp_binding="redirect",
+            sls_binding="redirect",
+            signing_kp=self.cert,
+        )
+
+        # Create application
+        self.application = Application.objects.create(
+            name="test-app",
+            slug="test-app-logout-methods",
+            provider=self.provider,
+        )
+
+        # Create logout request processor for generating test requests
+        self.processor = LogoutRequestProcessor(
+            provider=self.provider,
+            user=None,
+            destination="https://idp.example.com/sls",
+            name_id="test@example.com",
+            name_id_format=SAML_NAME_ID_FORMAT_EMAIL,
+            session_index="test-session-123",
+            relay_state="https://sp.example.com/return",
+        )
+
+    @patch("authentik.providers.saml.views.sp_slo.AuthenticatedSession")
+    def test_frontchannel_native_post_binding(self, mock_auth_session):
+        """Test FRONTCHANNEL_NATIVE with POST binding parses request correctly"""
+        mock_auth_session.from_request.return_value = None
+
+        self.provider.logout_method = SAMLLogoutMethods.FRONTCHANNEL_NATIVE
+        self.provider.sls_binding = SAMLBindings.POST
+        self.provider.save()
+
+        encoded_request = self.processor.encode_redirect()
+
+        request = self.factory.get(
+            f"/slo/redirect/{self.application.slug}/",
+            {
+                "SAMLRequest": encoded_request,
+                "RelayState": "https://sp.example.com/return",
+            },
+        )
+        request.session = {}
+        request.brand = self.brand
+        request.user = MagicMock()
+
+        view = SPInitiatedSLOBindingRedirectView()
+        view.setup(request, application_slug=self.application.slug)
+        view.resolve_provider_application()
+        view.check_saml_request()
+
+        # Verify the logout request was parsed and provider is configured correctly
+        self.assertIn("authentik/providers/saml/logout_request", view.plan_context)
+        self.assertEqual(view.provider.logout_method, SAMLLogoutMethods.FRONTCHANNEL_NATIVE)
+        self.assertEqual(view.provider.sls_binding, SAMLBindings.POST)
+
+    @patch("authentik.providers.saml.views.sp_slo.AuthenticatedSession")
+    def test_frontchannel_native_redirect_binding(self, mock_auth_session):
+        """Test FRONTCHANNEL_NATIVE with REDIRECT binding creates redirect URL"""
+        mock_auth_session.from_request.return_value = None
+
+        self.provider.logout_method = SAMLLogoutMethods.FRONTCHANNEL_NATIVE
+        self.provider.sls_binding = SAMLBindings.REDIRECT
+        self.provider.save()
+
+        encoded_request = self.processor.encode_redirect()
+
+        request = self.factory.get(
+            f"/slo/redirect/{self.application.slug}/",
+            {
+                "SAMLRequest": encoded_request,
+                "RelayState": "https://sp.example.com/return",
+            },
+        )
+        request.session = {}
+        request.brand = self.brand
+        request.user = MagicMock()
+
+        view = SPInitiatedSLOBindingRedirectView()
+        view.setup(request, application_slug=self.application.slug)
+        view.resolve_provider_application()
+        view.check_saml_request()
+
+        # Verify the logout request was parsed
+        self.assertIn("authentik/providers/saml/logout_request", view.plan_context)
+
+    @patch("authentik.providers.saml.views.sp_slo.AuthenticatedSession")
+    def test_frontchannel_iframe_post_binding(self, mock_auth_session):
+        """Test FRONTCHANNEL_IFRAME with POST binding creates IframeLogoutStageView"""
+        mock_auth_session.from_request.return_value = None
+
+        self.provider.logout_method = SAMLLogoutMethods.FRONTCHANNEL_IFRAME
+        self.provider.sls_binding = SAMLBindings.POST
+        self.provider.save()
+
+        encoded_request = self.processor.encode_redirect()
+
+        request = self.factory.get(
+            f"/slo/redirect/{self.application.slug}/",
+            {
+                "SAMLRequest": encoded_request,
+                "RelayState": "https://sp.example.com/return",
+            },
+        )
+        request.session = {}
+        request.brand = self.brand
+        request.user = MagicMock()
+
+        view = SPInitiatedSLOBindingRedirectView()
+        view.setup(request, application_slug=self.application.slug)
+        view.resolve_provider_application()
+        view.check_saml_request()
+
+        # Verify the logout request was parsed
+        self.assertIn("authentik/providers/saml/logout_request", view.plan_context)
+
+    @patch("authentik.providers.saml.views.sp_slo.AuthenticatedSession")
+    def test_frontchannel_iframe_redirect_binding(self, mock_auth_session):
+        """Test FRONTCHANNEL_IFRAME with REDIRECT binding"""
+        mock_auth_session.from_request.return_value = None
+
+        self.provider.logout_method = SAMLLogoutMethods.FRONTCHANNEL_IFRAME
+        self.provider.sls_binding = SAMLBindings.REDIRECT
+        self.provider.save()
+
+        encoded_request = self.processor.encode_redirect()
+
+        request = self.factory.get(
+            f"/slo/redirect/{self.application.slug}/",
+            {
+                "SAMLRequest": encoded_request,
+                "RelayState": "https://sp.example.com/return",
+            },
+        )
+        request.session = {}
+        request.brand = self.brand
+        request.user = MagicMock()
+
+        view = SPInitiatedSLOBindingRedirectView()
+        view.setup(request, application_slug=self.application.slug)
+        view.resolve_provider_application()
+        view.check_saml_request()
+
+        # Verify the logout request was parsed
+        self.assertIn("authentik/providers/saml/logout_request", view.plan_context)
+
+    @patch("authentik.providers.saml.views.sp_slo.AuthenticatedSession")
+    def test_backchannel_parses_request(self, mock_auth_session):
+        """Test BACKCHANNEL mode parses request correctly"""
+        mock_auth_session.from_request.return_value = None
+
+        self.provider.logout_method = SAMLLogoutMethods.BACKCHANNEL
+        self.provider.sls_binding = SAMLBindings.POST
+        self.provider.save()
+
+        encoded_request = self.processor.encode_redirect()
+
+        request = self.factory.get(
+            f"/slo/redirect/{self.application.slug}/",
+            {
+                "SAMLRequest": encoded_request,
+                "RelayState": "https://sp.example.com/return",
+            },
+        )
+        request.session = {}
+        request.brand = self.brand
+        request.user = MagicMock()
+
+        view = SPInitiatedSLOBindingRedirectView()
+        view.setup(request, application_slug=self.application.slug)
+        view.resolve_provider_application()
+        view.check_saml_request()
+
+        # Verify the logout request was parsed and provider is configured correctly
+        self.assertIn("authentik/providers/saml/logout_request", view.plan_context)
+        self.assertEqual(view.provider.logout_method, SAMLLogoutMethods.BACKCHANNEL)
+        self.assertEqual(view.provider.sls_binding, SAMLBindings.POST)
+
+    @patch("authentik.providers.saml.views.sp_slo.AuthenticatedSession")
+    def test_no_sls_url_only_session_end(self, mock_auth_session):
+        """Test that only SessionEndStage is appended when sls_url is empty"""
+        mock_auth_session.from_request.return_value = None
+
+        # Create provider without sls_url
+        provider_no_sls = SAMLProvider.objects.create(
+            name="no-sls-provider",
+            authorization_flow=self.flow,
+            invalidation_flow=self.invalidation_flow,
+            acs_url="https://sp.example.com/acs",
+            sls_url="",  # No SLS URL
+            issuer="https://idp.example.com",
+        )
+
+        app_no_sls = Application.objects.create(
+            name="no-sls-app",
+            slug="no-sls-app",
+            provider=provider_no_sls,
+        )
+
+        processor = LogoutRequestProcessor(
+            provider=provider_no_sls,
+            user=None,
+            destination="https://idp.example.com/sls",
+            name_id="test@example.com",
+            name_id_format=SAML_NAME_ID_FORMAT_EMAIL,
+            session_index="test-session-123",
+        )
+        encoded_request = processor.encode_redirect()
+
+        request = self.factory.get(
+            f"/slo/redirect/{app_no_sls.slug}/",
+            {
+                "SAMLRequest": encoded_request,
+            },
+        )
+        request.session = {}
+        request.brand = self.brand
+        request.user = MagicMock()
+
+        view = SPInitiatedSLOBindingRedirectView()
+        view.setup(request, application_slug=app_no_sls.slug)
+        view.resolve_provider_application()
+        view.check_saml_request()
+
+        # Verify the provider has no sls_url
+        self.assertEqual(view.provider.sls_url, "")
+
+    @patch("authentik.providers.saml.views.sp_slo.AuthenticatedSession")
+    def test_relay_state_propagation(self, mock_auth_session):
+        """Test that relay state from logout request is passed through to response"""
+        mock_auth_session.from_request.return_value = None
+
+        self.provider.logout_method = SAMLLogoutMethods.FRONTCHANNEL_IFRAME
+        self.provider.save()
+
+        expected_relay_state = "https://sp.example.com/custom-return"
+
+        processor = LogoutRequestProcessor(
+            provider=self.provider,
+            user=None,
+            destination="https://idp.example.com/sls",
+            name_id="test@example.com",
+            name_id_format=SAML_NAME_ID_FORMAT_EMAIL,
+            session_index="test-session-123",
+            relay_state=expected_relay_state,
+        )
+        encoded_request = processor.encode_redirect()
+
+        request = self.factory.get(
+            f"/slo/redirect/{self.application.slug}/",
+            {
+                "SAMLRequest": encoded_request,
+                "RelayState": expected_relay_state,
+            },
+        )
+        request.session = {}
+        request.brand = self.brand
+        request.user = MagicMock()
+
+        view = SPInitiatedSLOBindingRedirectView()
+        view.setup(request, application_slug=self.application.slug)
+        view.resolve_provider_application()
+        view.check_saml_request()
+
+        # Verify relay state was captured
+        logout_request = view.plan_context.get("authentik/providers/saml/logout_request")
+        self.assertEqual(logout_request.relay_state, expected_relay_state)

authentik/providers/saml/views/sp_slo.py

@@ -15,10 +15,22 @@ from authentik.flows.stage import SessionEndStage
 from authentik.flows.views.executor import SESSION_KEY_PLAN
 from authentik.lib.views import bad_request_message
 from authentik.policies.views import PolicyAccessView
+from authentik.providers.iframe_logout import IframeLogoutStageView
 from authentik.providers.saml.exceptions import CannotHandleAssertion
-from authentik.providers.saml.models import SAMLProvider, SAMLSession
+from authentik.providers.saml.models import (
+    SAMLBindings,
+    SAMLLogoutMethods,
+    SAMLProvider,
+    SAMLSession,
+)
+from authentik.providers.saml.native_logout import NativeLogoutStageView
 from authentik.providers.saml.processors.logout_request_parser import LogoutRequestParser
+from authentik.providers.saml.processors.logout_response_processor import LogoutResponseProcessor
+from authentik.providers.saml.tasks import send_saml_logout_response
+from authentik.providers.saml.utils.encoding import nice64
 from authentik.providers.saml.views.flows import (
+    PLAN_CONTEXT_SAML_LOGOUT_IFRAME_SESSIONS,
+    PLAN_CONTEXT_SAML_LOGOUT_NATIVE_SESSIONS,
     PLAN_CONTEXT_SAML_LOGOUT_REQUEST,
     PLAN_CONTEXT_SAML_RELAY_STATE,
     REQUEST_KEY_RELAY_STATE,
@@ -68,7 +80,102 @@ class SPInitiatedSLOView(PolicyAccessView):
                 **self.plan_context,
             },
         )
-        plan.append_stage(in_memory_stage(SessionEndStage))
+
+        if self.provider.sls_url:
+            # Get logout request and extract relay state
+            logout_request = self.plan_context.get(PLAN_CONTEXT_SAML_LOGOUT_REQUEST)
+            relay_state = logout_request.relay_state if logout_request else None
+
+            # Store relay state for the logout response
+            plan.context[PLAN_CONTEXT_SAML_RELAY_STATE] = relay_state
+
+            if self.provider.logout_method == SAMLLogoutMethods.FRONTCHANNEL_NATIVE:
+                # Native mode - user will be redirected/posted away from authentik
+                processor = LogoutResponseProcessor(
+                    self.provider,
+                    logout_request,
+                    destination=self.provider.sls_url,
+                )
+
+                if self.provider.sls_binding == SAMLBindings.POST:
+                    logout_response = processor.encode_post()
+                    logout_data = {
+                        "post_url": self.provider.sls_url,
+                        "saml_response": logout_response,
+                        "saml_relay_state": relay_state,
+                        "provider_name": self.provider.name,
+                        "saml_binding": SAMLBindings.POST,
+                    }
+                else:
+                    logout_url = processor.get_redirect_url()
+                    logout_data = {
+                        "redirect_url": logout_url,
+                        "provider_name": self.provider.name,
+                        "saml_binding": SAMLBindings.REDIRECT,
+                    }
+
+                plan.context[PLAN_CONTEXT_SAML_LOGOUT_NATIVE_SESSIONS] = [logout_data]
+                plan.append_stage(in_memory_stage(NativeLogoutStageView))
+            elif self.provider.logout_method == SAMLLogoutMethods.BACKCHANNEL:
+                # Backchannel mode - server sends logout response directly to SP in background
+                # No user interaction needed
+                if self.provider.sls_binding != SAMLBindings.POST:
+                    LOGGER.warning(
+                        "Backchannel logout requires POST binding, but provider is configured "
+                        "with %s binding",
+                        self.provider.sls_binding,
+                        provider=self.provider,
+                    )
+
+                # Queue the logout response to be sent in the background
+                # This doesn't block the user's logout from completing
+                send_saml_logout_response.send(
+                    provider_pk=self.provider.pk,
+                    sls_url=self.provider.sls_url,
+                    logout_request_id=logout_request.id if logout_request else None,
+                    relay_state=relay_state,
+                )
+
+                LOGGER.debug(
+                    "Queued backchannel logout response",
+                    provider=self.provider,
+                    sls_url=self.provider.sls_url,
+                )
+
+                # Just end the session - no user interaction needed
+                plan.append_stage(in_memory_stage(SessionEndStage))
+            else:
+                # Iframe mode (default for FRONTCHANNEL_IFRAME) - user stays on authentik
+                processor = LogoutResponseProcessor(
+                    self.provider,
+                    logout_request,
+                    destination=self.provider.sls_url,
+                )
+
+                logout_response = processor.build_response()
+
+                if self.provider.sls_binding == SAMLBindings.POST:
+                    logout_data = {
+                        "url": self.provider.sls_url,
+                        "saml_response": nice64(logout_response),
+                        "saml_relay_state": relay_state,
+                        "provider_name": self.provider.name,
+                        "binding": SAMLBindings.POST,
+                    }
+                else:
+                    logout_url = processor.get_redirect_url()
+                    logout_data = {
+                        "url": logout_url,
+                        "provider_name": self.provider.name,
+                        "binding": SAMLBindings.REDIRECT,
+                    }
+
+                plan.context[PLAN_CONTEXT_SAML_LOGOUT_IFRAME_SESSIONS] = [logout_data]
+                plan.append_stage(in_memory_stage(IframeLogoutStageView))
+                plan.append_stage(in_memory_stage(SessionEndStage))
+        else:
+            # No SLS URL configured, just end session
+            plan.append_stage(in_memory_stage(SessionEndStage))
 
         # Remove samlsession from database
         auth_session = AuthenticatedSession.from_request(self.request, self.request.user)

authentik/providers/scim/clients/schema.py

@@ -65,7 +65,7 @@ class EnterpriseUser(BaseModel):
     employeeNumber: str | None = Field(
         None,
         description="Numeric or alphanumeric identifier assigned to a person, "
-        "typically based on order of hire or association with anorganization.",
+        "typically based on order of hire or association with an organization.",
     )
     costCenter: str | None = Field(None, description="Identifies the name of a cost center.")
     organization: str | None = Field(None, description="Identifies the name of an organization.")
@@ -73,7 +73,7 @@ class EnterpriseUser(BaseModel):
     department: str | None = Field(
         None,
         description="Numeric or alphanumeric identifier assigned to a person,"
-        " typically based on order of hire or association with anorganization.",
+        " typically based on order of hire or association with an organization.",
     )
     manager: Manager | None = Field(
         None,

authentik/providers/scim/tests/test_application_policies.py

@@ -52,10 +52,10 @@ class SCIMApplicationPoliciesTests(TestCase):
                 email=f"{uid}@goauthentik.io",
             )
 
-        self.users[1].ak_groups.add(self.group1)
-        self.users[2].ak_groups.add(self.group2)
-        self.users[4].ak_groups.add(self.group1)
-        self.users[4].ak_groups.add(self.group2)
+        self.users[1].groups.add(self.group1)
+        self.users[2].groups.add(self.group2)
+        self.users[4].groups.add(self.group1)
+        self.users[4].groups.add(self.group2)
 
     def test_no_group_policy(self):
         """Test with no group policy set"""

authentik/root/test_runner.py

@@ -89,7 +89,7 @@ class PytestTestRunner(DiscoverRunner):  # pragma: no cover
         sentry_init()
         self.logger.debug("Test environment configured")
 
-        use_test_broker()
+        self.task_broker = use_test_broker()
 
         # Send startup signals
         pre_startup.send(sender=self, mode="test")
@@ -185,7 +185,9 @@ class PytestTestRunner(DiscoverRunner):  # pragma: no cover
         self.logger.info("Running tests", test_files=self.args)
         with patch("guardian.shortcuts._get_ct_cached", patched__get_ct_cached):
             try:
-                return pytest.main(self.args)
-            except Exception as e:  # noqa
-                self.logger.error("Error running tests", error=str(e), test_files=self.args)
+                ret = pytest.main(self.args)
+                self.task_broker.close()
+                return ret
+            except Exception as exc:  # noqa
+                self.logger.error("Error running tests", exc=exc, test_files=self.args)
                 return 1

authentik/sources/ldap/models.py

@@ -14,6 +14,7 @@ from django.utils.translation import gettext_lazy as _
 from ldap3 import ALL, NONE, RANDOM, Connection, Server, ServerPool, Tls
 from ldap3.core.exceptions import LDAPException, LDAPInsufficientAccessRightsResult, LDAPSchemaError
 from rest_framework.serializers import Serializer
+from structlog.stdlib import get_logger
 
 from authentik.core.models import (
     Group,
@@ -31,6 +32,7 @@ from authentik.tasks.schedules.common import ScheduleSpec
 LDAP_TIMEOUT = 15
 LDAP_UNIQUENESS = "ldap_uniq"
 LDAP_DISTINGUISHED_NAME = "distinguishedName"
+LOGGER = get_logger()
 
 
 def flatten(value: Any) -> Any:
@@ -268,6 +270,7 @@ class LDAPSource(IncomingSyncSource):
         )
 
         if self.start_tls:
+            LOGGER.debug("Connection StartTLS", source=self)
             conn.start_tls(read_server_info=False)
         try:
             successful = conn.bind()
@@ -278,7 +281,9 @@ class LDAPSource(IncomingSyncSource):
             # See https://github.com/goauthentik/authentik/issues/4590
             # See also https://github.com/goauthentik/authentik/issues/3399
             if server_kwargs.get("get_info", ALL) == NONE:
+                LOGGER.warning("Failed to connect after schema downgrade", source=self, exc=exc)
                 raise exc
+            LOGGER.warning("Downgrading connection to no schema info", source=self, exc=exc)
             server_kwargs["get_info"] = NONE
             return self.connection(server, server_kwargs, connection_kwargs)
         finally:

authentik/sources/saml/exceptions.py

@@ -14,24 +14,6 @@ class SAMLException(SentryIgnoredException):
         return self.default_message
 
 
-class MissingSAMLResponse(SAMLException):
-    """Exception raised when request does not contain SAML Response."""
-
-    default_message = "Request does not contain a SAML response."
-
-
-class UnsupportedNameIDFormat(SAMLException):
-    """Exception raised when SAML Response contains NameID Format not supported."""
-
-    default_message = "The NameID Format in the SAML Response is not supported."
-
-
-class MismatchedRequestID(SAMLException):
-    """Exception raised when the returned request ID doesn't match the saved ID."""
-
-    default_message = "The SAML Response ID does not match the original request ID."
-
-
 class InvalidEncryption(SAMLException):
     """Encryption of XML Object is either missing or invalid."""
 
@@ -42,3 +24,21 @@ class InvalidSignature(SAMLException):
     """Signature of XML Object is either missing or invalid."""
 
     default_message = "The signature of the SAML object is either missing or invalid."
+
+
+class MismatchedRequestID(SAMLException):
+    """Exception raised when the returned request ID doesn't match the saved ID."""
+
+    default_message = "The SAML Response ID does not match the original request ID."
+
+
+class MissingSAMLResponse(SAMLException):
+    """Exception raised when request does not contain SAML Response."""
+
+    default_message = "Request does not contain a SAML response."
+
+
+class UnsupportedNameIDFormat(SAMLException):
+    """Exception raised when SAML Response contains NameID Format not supported."""
+
+    default_message = "The NameID Format in the SAML Response is not supported."

authentik/sources/saml/models.py

@@ -7,6 +7,7 @@ from django.http import HttpRequest
 from django.templatetags.static import static
 from django.urls import reverse
 from django.utils.translation import gettext_lazy as _
+from lxml.etree import _Element  # nosec
 from rest_framework.serializers import Serializer
 
 from authentik.common.saml.constants import (
@@ -217,9 +218,8 @@ class SAMLSource(Source):
     def property_mapping_type(self) -> type[PropertyMapping]:
         return SAMLSourcePropertyMapping
 
-    def get_base_user_properties(self, root: Any, name_id: Any, **kwargs):
+    def get_base_user_properties(self, root: _Element, assertion: _Element, name_id: Any, **kwargs):
         attributes = {}
-        assertion = root.find(f"{{{NS_SAML_ASSERTION}}}Assertion")
         if assertion is None:
             raise ValueError("Assertion element not found")
         attribute_statement = assertion.find(f"{{{NS_SAML_ASSERTION}}}AttributeStatement")

authentik/sources/saml/processors/response.py

@@ -66,6 +66,8 @@ class ResponseProcessor:
 
     _http_request: HttpRequest
 
+    _assertion: _Element | None = None
+
     def __init__(self, source: SAMLSource, request: HttpRequest):
         self._source = source
         self._http_request = request
@@ -122,6 +124,7 @@ class ResponseProcessor:
             index_of,
             decrypted_assertion,
         )
+        self._assertion = decrypted_assertion
 
     def _verify_signature(self, signature_node: _Element):
         """Verify a single signature node"""
@@ -162,6 +165,10 @@ class ResponseProcessor:
             raise InvalidSignature("No Signature exists in the Assertion element.")
 
         self._verify_signature(signature_nodes[0])
+        parent = signature_nodes[0].getparent()
+        if parent is None or parent.tag != f"{{{NS_SAML_ASSERTION}}}Assertion":
+            raise InvalidSignature("No Signature exists in the Assertion element.")
+        self._assertion = parent
 
     def _verify_request_id(self):
         if self._source.allow_idp_initiated:
@@ -239,14 +246,21 @@ class ResponseProcessor:
             identifier=str(name_id.text),
             user_info={
                 "root": self._root,
+                "assertion": self.get_assertion(),
                 "name_id": name_id,
             },
             policy_context={},
         )
 
+    def get_assertion(self) -> Element | None:
+        """Get assertion element, if we have a signed assertion"""
+        if self._assertion is not None:
+            return self._assertion
+        return self._root.find(f"{{{NS_SAML_ASSERTION}}}Assertion")
+
     def _get_name_id(self) -> Element:
         """Get NameID Element"""
-        assertion = self._root.find(f"{{{NS_SAML_ASSERTION}}}Assertion")
+        assertion = self.get_assertion()
         if assertion is None:
             raise ValueError("Assertion element not found")
         subject = assertion.find(f"{{{NS_SAML_ASSERTION}}}Subject")
@@ -299,6 +313,7 @@ class ResponseProcessor:
             identifier=str(name_id.text),
             user_info={
                 "root": self._root,
+                "assertion": self.get_assertion(),
                 "name_id": name_id,
             },
             policy_context={

authentik/sources/saml/tests/fixtures/response_signed_assertion_dup.xml

@@ -0,0 +1,68 @@
+<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_8e8dc5f69a98cc4c1ff3427e5ce34606fd672f91e6" Version="2.0" IssueInstant="2014-07-17T01:01:48Z" Destination="http://sp.example.com/demo1/index.php?acs" InResponseTo="ONELOGIN_4fee3b046395c4e751011e97f8900b5273d56685">
+  <saml:Issuer>http://idp.example.com/metadata.php</saml:Issuer>
+  <samlp:Status>
+    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
+  </samlp:Status>
+  <saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="_other_id_pfxa06693ef-cec7-f4a6-cb7f-ad074445a1a3" Version="2.0" IssueInstant="2014-07-17T01:01:48Z">
+    <saml:Issuer>http://idp.example.com/metadata.php</saml:Issuer>
+    <saml:Subject>
+      <saml:NameID SPNameQualifier="http://sp.example.com/demo1/metadata.php" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">bad</saml:NameID>
+      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
+        <saml:SubjectConfirmationData NotOnOrAfter="2024-01-18T06:21:48Z" Recipient="http://sp.example.com/demo1/index.php?acs" InResponseTo="ONELOGIN_4fee3b046395c4e751011e97f8900b5273d56685"/>
+      </saml:SubjectConfirmation>
+    </saml:Subject>
+    <saml:Conditions NotBefore="2014-07-17T01:01:18Z" NotOnOrAfter="2024-01-18T06:21:48Z">
+      <saml:AudienceRestriction>
+        <saml:Audience>http://sp.example.com/demo1/metadata.php</saml:Audience>
+      </saml:AudienceRestriction>
+    </saml:Conditions>
+    <saml:AuthnStatement AuthnInstant="2014-07-17T01:01:48Z" SessionNotOnOrAfter="2024-07-17T09:01:48Z" SessionIndex="_be9967abd904ddcae3c0eb4189adbe3f71e327cf93">
+      <saml:AuthnContext>
+        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
+      </saml:AuthnContext>
+    </saml:AuthnStatement>
+    <saml:AttributeStatement>
+      <saml:Attribute Name="uid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
+        <saml:AttributeValue xsi:type="xs:string">bad</saml:AttributeValue>
+      </saml:Attribute>
+      <saml:Attribute Name="mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
+        <saml:AttributeValue xsi:type="xs:string">bad</saml:AttributeValue>
+      </saml:Attribute>
+    </saml:AttributeStatement>
+  </saml:Assertion>
+  <saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="pfxa06693ef-cec7-f4a6-cb7f-ad074445a1a3" Version="2.0" IssueInstant="2014-07-17T01:01:48Z">
+    <saml:Issuer>http://idp.example.com/metadata.php</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+  <ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
+  <ds:Reference URI="#pfxa06693ef-cec7-f4a6-cb7f-ad074445a1a3"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>zNDuGxwP4gVkv/Dzt7kiKo/4gzk=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>GLP/vE8uxerB0uDpPslUgLPBL6ePQB619MoQ0I2Y5lAtFE6CB1zh8BnzChRx/bFjNy4byfOe8mFfM0r7WUi1PJOFWyUPoatdLl7wHHBIRTnPpYmu3Tb2Gz0sOP0F8wW7JkBft5gJfVw49nk5si9/3Q3o52jnJZ7dPtqfIOh8uNeopikK0HLF6sU05qCCtjcXfniEnLQFNBFMo9uY5GQqmR5n3nqPz1wYyyfFOAbVmGgBIoO2PfGX2GVLQhltc9qf2JMhks4jgZsZ8iLUIiH1lcLGWZEEs94k8k0P6gSv1uZ7Vbhksd/N9Jq9pCVuEJ/jRPcAdVjzbxqKQAj6ELwr8O6fepTzA+CAdwEolBnx/C6TmSbVZ+IWk6QUGe4x4+IAukC+0hkKENlO0ELOScksvyhpgHbxNA4rp+DhGupCaO/I2RrsQkmvavbqm+wSEspK7scK112SDunjDvqPHsPYgukD33T/97PxTLorg2kKP9HHJwPJKoXXeyOGcA6vwK+RqrAlZ2dLGAgcXo+sJcdCLuvxDNz9VXofBjBZIKVKdmYhm0QJaPYHtuQsAyFavQhdOBOmGHb7QX3YE3Xy4dX4LymtT+Jlb1I4FJSht/9HUIHW1FdhfDak4f7gUgjuMamMddLD0jVgeESupSREzFv/gj2IrctkbgjAO0iuuiBgKMg=</ds:SignatureValue>
+<ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIFUzCCAzugAwIBAgIRAL6tbNcE9Ej9gNlbGKswfFMwDQYJKoZIhvcNAQELBQAwHTEbMBkGA1UEAwwSYXV0aGVudGlrIDIwMjUuNi4zMB4XDTI1MDcxNTE4MDQzNloXDTI2MDcxNjE4MDQzNlowVjEqMCgGA1UEAwwhYXV0aGVudGlrIFNlbGYtc2lnbmVkIENlcnRpZmljYXRlMRIwEAYDVQQKDAlhdXRoZW50aWsxFDASBgNVBAsMC1NlbGYtc2lnbmVkMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAjmut/+bBRLlyrbf+WIfg8ZTw9t6VnsiU1n04nPTulpRAz4nBOoOHNRIruSpZyFeFa6x9jwn4Ma5EFUH7HqnRvhoujm8U17OglXWZt0DLCZ6S5xPmdMogFXjJDmg9okIcI/cb9VbR6I8uvm1oiaOWCr36RTiqZ6rmdjQcuUPLr1+V/LxWQI463S+5QA2HZxAGalp45MJAz2sa9iczktKMgyYlfjj1cruFARxxeheu5qIK7aQWfyPj1QlMb9mi4VQaxUwGrAui4Tq614ivRJY2SkZb0Aq/LLSQoQWYHtYyQIasrOXJm0JuPDqhINPBDowyhu8DihC3uzOpmTXLKc5UoIQk+Q1h5iH74A3/kxOJUw13FXzRiDxC/yGthPYLyFHsDiJolscMKSCqlDvEMcpM4mxFeud9sKUb71SZr8sqmJl3qtvZmKpkR4y8pN2c00p10t0htqONmr5kyPxmhz0HCrosiPYB4olNjaydKviNTtPJ7TtnPyeA3iXGzCP1e80XzUoJrDqON5/GcpYgqsP/kGj8Qvqesa4Fez+1+5pAGHN2VzQbkHAgK3s4YRXrGLTs7wg27F9T0RE28Mm0RYBkYpdp4/5PuTTulthB9mkUBSJMgENmQAYkapvonFDsJkTi39qnsddbZusOLT4z3hsA38eFEwRqnbNZVUGPIp/O1SsCAwEAAaNVMFMwUQYDVR0RAQH/BEcwRYJDRUZ4QXVLRzV6SlVUTWpWNTJoMkRJMUQ5MXdLblZKaXFwNmpwRTRTTy5zZWxmLXNpZ25lZC5nb2F1dGhlbnRpay5pbzANBgkqhkiG9w0BAQsFAAOCAgEAYLThxDVpA1OIAVK/buueRJExIWr6y4s6NtpuR8UQEcfq5hfoc4zMFGHR5+u1WFIb5siK25xh/OnS7bLdLic6AkjZSrx91+0v2Jn9gfUqbs5AJ040XzAAdx/Mb4s0+537yhB+/JXPylR1QxhGbO7koXQ5JDhAXWKCw2O1C+80mN8dbhQvDkEtsXrHrtXclcqf2TT89XAzc5HAC8NmP4SF+FafAREQB1KdaG4QAbc/gnjsX2YJD89SDL+3jMp6F7R1Ym+bWt5oWqx2tkm6HGXd3fbpfQlnfrRN60tMjjLmw1cDMhOhpdragY5zokniEUL2pKVtrxFp7V1ZpoMI0Kt5MKkOXrezi542NWSgkGehlsDLD9wtuCNem2arR0mNnMLdYkMG7G0dpAq3Tl32dgfMfyKnNyE2O/6/EeEuzUH2NfTU1p7AUQfLrf4rtNcJEs9OAPuC9vy7w9YEpF997T+FhR2Ub1C423NQj4bwlS/9f7MIBkSi1EgnQuiSGB5epxAKI3oOVrmzOpTuvr6wZXV9pM3zdfbcoGuFWP6Ix7W8G5vg+0WvoSjc2fwGXYlidEK3xlQSMAaQ4CMClpPsKLScRq1nrQGzPYoiL1DYubsOWx9ohll6+jNjKI6f79WwbHYrW4EeRIOz38+m46EDjAWZBMgrE7J/3DhgeLEVJYBA5K0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
+    <saml:Subject>
+      <saml:NameID SPNameQualifier="http://sp.example.com/demo1/metadata.php" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_ce3d2948b4cf20146dee0a0b3dd6f69b6cf86f62d7</saml:NameID>
+      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
+        <saml:SubjectConfirmationData NotOnOrAfter="2024-01-18T06:21:48Z" Recipient="http://sp.example.com/demo1/index.php?acs" InResponseTo="ONELOGIN_4fee3b046395c4e751011e97f8900b5273d56685"/>
+      </saml:SubjectConfirmation>
+    </saml:Subject>
+    <saml:Conditions NotBefore="2014-07-17T01:01:18Z" NotOnOrAfter="2024-01-18T06:21:48Z">
+      <saml:AudienceRestriction>
+        <saml:Audience>http://sp.example.com/demo1/metadata.php</saml:Audience>
+      </saml:AudienceRestriction>
+    </saml:Conditions>
+    <saml:AuthnStatement AuthnInstant="2014-07-17T01:01:48Z" SessionNotOnOrAfter="2024-07-17T09:01:48Z" SessionIndex="_be9967abd904ddcae3c0eb4189adbe3f71e327cf93">
+      <saml:AuthnContext>
+        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
+      </saml:AuthnContext>
+    </saml:AuthnStatement>
+    <saml:AttributeStatement>
+      <saml:Attribute Name="uid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
+        <saml:AttributeValue xsi:type="xs:string">test</saml:AttributeValue>
+      </saml:Attribute>
+      <saml:Attribute Name="mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
+        <saml:AttributeValue xsi:type="xs:string">test@example.com</saml:AttributeValue>
+      </saml:Attribute>
+      <saml:Attribute Name="eduPersonAffiliation" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
+        <saml:AttributeValue xsi:type="xs:string">users</saml:AttributeValue>
+        <saml:AttributeValue xsi:type="xs:string">examplerole1</saml:AttributeValue>
+      </saml:Attribute>
+    </saml:AttributeStatement>
+  </saml:Assertion>
+</samlp:Response>

authentik/sources/saml/tests/test_property_mappings.py

@@ -36,7 +36,9 @@ class TestPropertyMappings(TestCase):
 
     def test_user_base_properties(self):
         """Test user base properties"""
-        properties = self.source.get_base_user_properties(root=ROOT, name_id=NAME_ID)
+        properties = self.source.get_base_user_properties(
+            root=ROOT, assertion=ROOT.find(f"{{{NS_SAML_ASSERTION}}}Assertion"), name_id=NAME_ID
+        )
         self.assertEqual(
             properties,
             {
@@ -49,7 +51,11 @@ class TestPropertyMappings(TestCase):
 
     def test_group_base_properties(self):
         """Test group base properties"""
-        properties = self.source.get_base_user_properties(root=ROOT_GROUPS, name_id=NAME_ID)
+        properties = self.source.get_base_user_properties(
+            root=ROOT_GROUPS,
+            assertion=ROOT_GROUPS.find(f"{{{NS_SAML_ASSERTION}}}Assertion"),
+            name_id=NAME_ID,
+        )
         self.assertEqual(properties["groups"], ["group 1", "group 2"])
         for group_id in ["group 1", "group 2"]:
             properties = self.source.get_base_group_properties(root=ROOT, group_id=group_id)

authentik/sources/saml/tests/test_response.py

@@ -164,6 +164,31 @@ class TestResponseProcessor(TestCase):
         parser = ResponseProcessor(self.source, request)
         parser.parse()
 
+    def test_verification_assertion_duplicate(self):
+        """Test verifying signature inside assertion, where the response has another assertion
+        before our signed assertion"""
+        key = load_fixture("fixtures/signature_cert.pem")
+        kp = CertificateKeyPair.objects.create(
+            name=generate_id(),
+            certificate_data=key,
+        )
+        self.source.verification_kp = kp
+        self.source.signed_assertion = True
+        self.source.signed_response = False
+        request = self.factory.post(
+            "/",
+            data={
+                "SAMLResponse": b64encode(
+                    load_fixture("fixtures/response_signed_assertion_dup.xml").encode()
+                ).decode()
+            },
+        )
+
+        parser = ResponseProcessor(self.source, request)
+        parser.parse()
+        self.assertNotEqual(parser._get_name_id().text, "bad")
+        self.assertEqual(parser._get_name_id().text, "_ce3d2948b4cf20146dee0a0b3dd6f69b6cf86f62d7")
+
     def test_verification_response(self):
         """Test verifying signature inside response"""
         key = load_fixture("fixtures/signature_cert.pem")

authentik/sources/saml/views.py

@@ -4,6 +4,7 @@ from urllib.parse import parse_qsl, urlparse, urlunparse
 
 from django.contrib.auth import logout
 from django.contrib.auth.mixins import LoginRequiredMixin
+from django.core.exceptions import SuspiciousOperation
 from django.http import Http404, HttpRequest, HttpResponse
 from django.http.response import HttpResponseBadRequest
 from django.shortcuts import get_object_or_404, redirect
@@ -37,7 +38,9 @@ from authentik.flows.views.executor import NEXT_ARG_NAME, SESSION_KEY_GET, SESSI
 from authentik.lib.views import bad_request_message
 from authentik.providers.saml.utils.encoding import nice64
 from authentik.sources.saml.exceptions import (
+    InvalidEncryption,
     InvalidSignature,
+    MismatchedRequestID,
     MissingSAMLResponse,
     UnsupportedNameIDFormat,
 )
@@ -156,7 +159,15 @@ class ACSView(View):
         processor = ResponseProcessor(source, request)
         try:
             processor.parse()
-        except (InvalidSignature, MissingSAMLResponse, VerificationError, ValueError) as exc:
+        except (
+            InvalidEncryption,
+            InvalidSignature,
+            MismatchedRequestID,
+            MissingSAMLResponse,
+            SuspiciousOperation,
+            VerificationError,
+            ValueError,
+        ) as exc:
             return bad_request_message(request, str(exc))
 
         try:

authentik/stages/captcha/stage.py

@@ -58,7 +58,7 @@ def verify_captcha_token(stage: CaptchaStage, token: str, remote_ip: str, key: s
                 # [reCAPTCHA](https://developers.google.com/recaptcha/docs/verify#error_code_reference)
                 # [hCaptcha](https://docs.hcaptcha.com/#siteverify-error-codes-table)
                 # [Turnstile](https://developers.cloudflare.com/turnstile/get-started/server-side-validation/#error-codes)
-                retriable_error_codes = [
+                retryable_error_codes = [
                     "missing-input-response",
                     "invalid-input-response",
                     "timeout-or-duplicate",
@@ -66,7 +66,7 @@ def verify_captcha_token(stage: CaptchaStage, token: str, remote_ip: str, key: s
                     "already-seen-response",
                 ]
 
-                if set(error_codes).issubset(set(retriable_error_codes)):
+                if set(error_codes).issubset(set(retryable_error_codes)):
                     error_message = _("Invalid captcha response. Retrying may solve this issue.")
                 else:
                     error_message = _("Invalid captcha response")

authentik/stages/consent/stage.py

@@ -80,7 +80,7 @@ class ConsentStageView(ChallengeStageView):
 
     def should_always_prompt(self) -> bool:
         """Check if the current request should require a prompt for non consent reasons,
-        i.e. this stage injected from another stage, mode is always requireed or no application
+        i.e. this stage injected from another stage, mode is always required or no application
         is set."""
         current_stage: ConsentStage = self.executor.current_stage
         # Make this StageView work when injected, in which case `current_stage` is an instance

authentik/stages/email/models.py

@@ -40,6 +40,10 @@ class EmailTemplates(models.TextChoices):
         "email/event_notification.html",
         _("Event Notification"),
     )
+    INVITATION = (
+        "email/invitation.html",
+        _("Invitation"),
+    )
 
 
 def get_template_choices():

authentik/stages/email/templates/email/invitation.html

@@ -0,0 +1,55 @@
+{% extends "email/base.html" %}
+
+{% load i18n %}
+{% load humanize %}
+
+{% block content %}
+<tr>
+  <td align="center">
+    <h1>
+      {% blocktrans %}
+      You're Invited!
+      {% endblocktrans %}
+    </h1>
+  </td>
+</tr>
+<tr>
+  <td align="center">
+    <table border="0">
+      <tr>
+        <td align="center" style="max-width: 300px; padding: 20px 0; color: #212124;">
+          {% blocktrans %}
+          You have been invited to join {{ host }}. Click the button below to get started.
+          {% endblocktrans %}
+        </td>
+      </tr>
+      {% if expires %}
+      <tr>
+        <td align="center" style="max-width: 300px; padding: 10px 0; color: #212124; font-size: 12px;">
+          {% blocktrans with expires=expires|naturaltime %}
+          This invitation expires {{ expires }}.
+          {% endblocktrans %}
+        </td>
+      </tr>
+      {% endif %}
+      <tr>
+        <td align="center" class="btn btn-primary">
+          <a id="confirm" href="{{ url }}" rel="noopener noreferrer" target="_blank">{% trans 'Accept Invitation' %}</a>
+        </td>
+      </tr>
+    </table>
+  </td>
+</tr>
+{% endblock %}
+
+{% block sub_content %}
+<tr>
+  <td style="padding: 20px; font-size: 12px; color: #212124;" align="center">
+    {% blocktrans %}
+    If you cannot click the button above, please copy and paste the following URL into your browser:
+    {% endblocktrans %}
+    <br>
+    <a href="{{ url }}" rel="noopener noreferrer" target="_blank">{{ url }}</a>
+  </td>
+</tr>
+{% endblock %}

authentik/stages/email/templates/email/invitation.txt

@@ -0,0 +1,16 @@
+{% load i18n %}
+{% load humanize %}
+
+{% blocktrans %}You're Invited!{% endblocktrans %}
+
+{% blocktrans %}You have been invited to join {{ host }}. Use the link below to get started.{% endblocktrans %}
+
+{% trans 'Accept Invitation' %}: {{ url }}
+
+{% if expires %}
+{% blocktrans with expires=expires|naturaltime %}This invitation expires {{ expires }}.{% endblocktrans %}
+{% endif %}
+
+{% blocktrans %}If you cannot click the link above, please copy and paste the following URL into your browser:{% endblocktrans %}
+
+{{ url }}

authentik/stages/email/tests/test_templates.py

@@ -54,7 +54,7 @@ class TestEmailStageTemplates(FlowTestCase):
             chmod(file2, 0o000)  # Remove all permissions so we can't read the file
             choices = get_template_choices()
             self.assertEqual(choices[-1][0], Path(file).name)
-            self.assertEqual(len(choices), 5)
+            self.assertEqual(len(choices), 6)
             unlink(file)
             unlink(file2)
 

authentik/stages/identification/stage.py

@@ -99,6 +99,7 @@ class IdentificationChallenge(Challenge):
     password_fields = BooleanField()
     allow_show_password = BooleanField(default=False)
     application_pre = CharField(required=False)
+    application_pre_launch = CharField(required=False)
     flow_designation = ChoiceField(FlowDesignation.choices)
     captcha_stage = CaptchaChallenge(required=False, allow_null=True)
 
@@ -348,9 +349,12 @@ class IdentificationStageView(ChallengeStageView):
         # If the user has been redirected to us whilst trying to access an
         # application, PLAN_CONTEXT_APPLICATION is set in the flow plan
         if PLAN_CONTEXT_APPLICATION in self.executor.plan.context:
-            challenge.initial_data["application_pre"] = self.executor.plan.context.get(
+            app: Application = self.executor.plan.context.get(
                 PLAN_CONTEXT_APPLICATION, Application()
-            ).name
+            )
+            challenge.initial_data["application_pre"] = app.name
+            if launch_url := app.get_launch_url():
+                challenge.initial_data["application_pre_launch"] = launch_url
         if (
             PLAN_CONTEXT_DEVICE in self.executor.plan.context
             and PLAN_CONTEXT_DEVICE_AUTH_TOKEN in self.executor.plan.context

authentik/stages/invitation/api.py

@@ -1,10 +1,21 @@
 """Invitation Stage API Views"""
 
+from django.http import HttpRequest
 from django_filters.filters import BooleanFilter
 from django_filters.filterset import FilterSet
+from drf_spectacular.utils import extend_schema
 from guardian.shortcuts import get_anonymous_user
-from rest_framework.serializers import PrimaryKeyRelatedField
+from rest_framework.decorators import action
+from rest_framework.request import Request
+from rest_framework.response import Response
+from rest_framework.serializers import (
+    CharField,
+    ListField,
+    PrimaryKeyRelatedField,
+    Serializer,
+)
 from rest_framework.viewsets import ModelViewSet
+from structlog.stdlib import get_logger
 
 from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT
 from authentik.core.api.groups import PartialUserSerializer
@@ -13,8 +24,11 @@ from authentik.core.api.utils import JSONDictField, ModelSerializer
 from authentik.core.models import User
 from authentik.flows.api.flows import FlowSerializer
 from authentik.flows.api.stages import StageSerializer
+from authentik.lib.expression.evaluator import BaseEvaluator
 from authentik.stages.invitation.models import Invitation, InvitationStage
 
+LOGGER = get_logger()
+
 
 class InvitationStageSerializer(StageSerializer):
     """InvitationStage Serializer"""
@@ -77,6 +91,15 @@ class InvitationSerializer(ModelSerializer):
         ]
 
 
+class InvitationSendEmailSerializer(Serializer):
+    """Serializer for sending invitation emails"""
+
+    email_addresses = ListField(required=True)
+    cc_addresses = ListField(required=False)
+    bcc_addresses = ListField(required=False)
+    template = CharField(required=False, default="invitation")
+
+
 class InvitationViewSet(UsedByMixin, ModelViewSet):
     """Invitation Viewset"""
 
@@ -91,3 +114,61 @@ class InvitationViewSet(UsedByMixin, ModelViewSet):
         if SERIALIZER_CONTEXT_BLUEPRINT not in serializer.context:
             kwargs["created_by"] = self.request.user
         serializer.save(**kwargs)
+
+    @extend_schema(
+        request=InvitationSendEmailSerializer,
+        responses={204: None},
+    )
+    @action(
+        detail=True,
+        methods=["post"],
+        serializer_class=InvitationSendEmailSerializer,
+    )
+    def send_email(self, request: Request, pk: str) -> Response:
+        """Send invitation link via email to one or more addresses"""
+        invitation = self.get_object()
+        email_addresses = request.data.get("email_addresses", [])
+        cc_addresses = request.data.get("cc_addresses", [])
+        bcc_addresses = request.data.get("bcc_addresses", [])
+        template = request.data.get("template", "email/invitation.html")
+
+        if not email_addresses:
+            return Response({"error": "No email addresses provided"}, status=400)
+
+        # Build the invitation link
+        http_request: HttpRequest = request._request
+        protocol = "https" if http_request.is_secure() else "http"
+        host = http_request.get_host()
+
+        # Determine the flow slug
+        flow_slug = invitation.flow.slug if invitation.flow else None
+        if not flow_slug:
+            return Response({"error": "Invitation has no associated flow"}, status=400)
+
+        invitation_link = f"{protocol}://{host}/if/flow/{flow_slug}/?itoken={invitation.pk}"
+
+        # Prepare template context
+        context = {
+            "url": invitation_link,
+            "expires": invitation.expires,
+            "host": host,
+        }
+
+        # Prepare email content
+        subject = f"You have been invited to {host}"
+
+        # Queue emails for sending via async ak_send_email
+        evaluator = BaseEvaluator()
+
+        for email in email_addresses:
+            evaluator.expr_send_email(
+                address=email,
+                subject=subject,
+                template=template,
+                context=context,
+                stage=None,
+                cc=cc_addresses if cc_addresses else None,
+                bcc=bcc_addresses if bcc_addresses else None,
+            )
+
+        return Response(status=204)

authentik/stages/invitation/tests.py

@@ -217,3 +217,105 @@ class TestInvitationsAPI(APITestCase):
         self.assertEqual(invitation.created_by, get_anonymous_user())
         self.assertEqual(invitation.name, "test-blueprint-invitation")
         self.assertEqual(invitation.fixed_data, {"email": "test@example.com"})
+
+    def test_send_email_no_addresses(self):
+        """Test send_email endpoint with no email addresses"""
+        flow = create_test_flow(FlowDesignation.ENROLLMENT)
+        invite = Invitation.objects.create(
+            name="test-invite",
+            created_by=self.user,
+            flow=flow,
+        )
+
+        response = self.client.post(
+            reverse("authentik_api:invitation-send-email", kwargs={"pk": invite.pk}),
+            {"email_addresses": []},
+            format="json",
+        )
+        self.assertEqual(response.status_code, 400)
+        self.assertIn("error", response.data)
+
+    def test_send_email_no_flow(self):
+        """Test send_email endpoint with invitation without flow"""
+        invite = Invitation.objects.create(
+            name="test-invite-no-flow",
+            created_by=self.user,
+            flow=None,
+        )
+
+        response = self.client.post(
+            reverse("authentik_api:invitation-send-email", kwargs={"pk": invite.pk}),
+            {"email_addresses": ["test@example.com"]},
+            format="json",
+        )
+        self.assertEqual(response.status_code, 400)
+        self.assertIn("error", response.data)
+
+    @patch("authentik.stages.invitation.api.BaseEvaluator.expr_send_email")
+    def test_send_email_success(self, mock_send_email: MagicMock):
+        """Test send_email endpoint successfully queues emails"""
+        flow = create_test_flow(FlowDesignation.ENROLLMENT)
+        invite = Invitation.objects.create(
+            name="test-invite",
+            created_by=self.user,
+            flow=flow,
+        )
+
+        response = self.client.post(
+            reverse("authentik_api:invitation-send-email", kwargs={"pk": invite.pk}),
+            {
+                "email_addresses": ["user1@example.com", "user2@example.com"],
+                "template": "email/invitation.html",
+            },
+            format="json",
+        )
+        self.assertEqual(response.status_code, 204)
+        self.assertEqual(mock_send_email.call_count, 2)
+
+    @patch("authentik.stages.invitation.api.BaseEvaluator.expr_send_email")
+    def test_send_email_with_cc_bcc(self, mock_send_email: MagicMock):
+        """Test send_email endpoint with CC and BCC addresses"""
+        flow = create_test_flow(FlowDesignation.ENROLLMENT)
+        invite = Invitation.objects.create(
+            name="test-invite",
+            created_by=self.user,
+            flow=flow,
+        )
+
+        response = self.client.post(
+            reverse("authentik_api:invitation-send-email", kwargs={"pk": invite.pk}),
+            {
+                "email_addresses": ["user@example.com"],
+                "cc_addresses": ["cc@example.com"],
+                "bcc_addresses": ["bcc@example.com"],
+                "template": "email/invitation.html",
+            },
+            format="json",
+        )
+        self.assertEqual(response.status_code, 204)
+        mock_send_email.assert_called_once()
+        call_kwargs = mock_send_email.call_args.kwargs
+        self.assertEqual(call_kwargs["cc"], ["cc@example.com"])
+        self.assertEqual(call_kwargs["bcc"], ["bcc@example.com"])
+
+    @patch("authentik.stages.invitation.api.BaseEvaluator.expr_send_email")
+    def test_send_email_context(self, mock_send_email: MagicMock):
+        """Test send_email endpoint passes correct context to email"""
+        flow = create_test_flow(FlowDesignation.ENROLLMENT)
+        invite = Invitation.objects.create(
+            name="test-invite",
+            created_by=self.user,
+            flow=flow,
+        )
+
+        response = self.client.post(
+            reverse("authentik_api:invitation-send-email", kwargs={"pk": invite.pk}),
+            {"email_addresses": ["user@example.com"]},
+            format="json",
+        )
+        self.assertEqual(response.status_code, 204)
+        mock_send_email.assert_called_once()
+        call_kwargs = mock_send_email.call_args.kwargs
+        self.assertIn("url", call_kwargs["context"])
+        self.assertIn(str(invite.pk), call_kwargs["context"]["url"])
+        self.assertIn(flow.slug, call_kwargs["context"]["url"])

authentik/stages/user_login/middleware.py

@@ -6,6 +6,7 @@ from django.contrib.auth.views import redirect_to_login
 from django.http.request import HttpRequest
 from structlog.stdlib import get_logger
 
+from authentik.core.middleware import get_user
 from authentik.core.models import Session
 from authentik.events.context_processors.asn import ASN_CONTEXT_PROCESSOR
 from authentik.events.context_processors.geoip import GEOIP_CONTEXT_PROCESSOR
@@ -54,11 +55,13 @@ class SessionBindingBroken(SentryIgnoredException):
 
 def logout_extra(request: HttpRequest, exc: SessionBindingBroken):
     """Similar to django's logout method, but able to carry more info to the signal"""
-    # Dispatch the signal before the user is logged out so the receivers have a
-    # chance to find out *who* logged out.
-    user = getattr(request, "user", None)
+    # Since this middleware runs before the AuthenticationMiddleware, we can't use `request.user`
+    # as it hasn't been populated yet.
+    user = get_user(request)
     if not getattr(user, "is_authenticated", True):
         user = None
+    # Dispatch the signal before the user is logged out so the receivers have a
+    # chance to find out *who* logged out.
     user_logged_out.send(
         sender=user.__class__, request=request, user=user, event_extra=exc.to_event()
     )

authentik/stages/user_login/tests.py

@@ -10,6 +10,8 @@ from django.utils.timezone import now
 from authentik.blueprints.tests import apply_blueprint
 from authentik.core.models import AuthenticatedSession, Session
 from authentik.core.tests.utils import create_test_flow, create_test_user
+from authentik.events.models import Event, EventAction
+from authentik.events.utils import get_user
 from authentik.flows.markers import StageMarker
 from authentik.flows.models import FlowDesignation, FlowStageBinding
 from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlan
@@ -270,6 +272,7 @@ class TestUserLoginStage(FlowTestCase):
 
     def test_session_binding_broken(self):
         """Test session binding"""
+        Event.objects.all().delete()
         self.client.force_login(self.user)
         session = self.client.session
         session[Session.Keys.LAST_IP] = "192.0.2.1"
@@ -285,3 +288,5 @@ class TestUserLoginStage(FlowTestCase):
             )
             + f"?{NEXT_ARG_NAME}={reverse("authentik_api:user-me")}",
         )
+        event = Event.objects.filter(action=EventAction.LOGOUT).first()
+        self.assertEqual(event.user, get_user(self.user))

authentik/tasks/forks.py

@@ -1,44 +0,0 @@
-from signal import pause
-
-from structlog.stdlib import get_logger
-
-from authentik.lib.config import CONFIG
-
-LOGGER = get_logger()
-
-
-def worker_healthcheck():
-    import authentik.tasks.setup  # noqa
-    from authentik.tasks.middleware import WorkerHealthcheckMiddleware
-
-    host, _, port = CONFIG.get("listen.http").rpartition(":")
-
-    try:
-        port = int(port)
-    except ValueError:
-        LOGGER.error(f"Invalid port entered: {port}")
-
-    WorkerHealthcheckMiddleware.run(host, port)
-    pause()
-
-
-def worker_status():
-    import authentik.tasks.setup  # noqa
-    from authentik.tasks.middleware import WorkerStatusMiddleware
-
-    WorkerStatusMiddleware.run()
-
-
-def worker_metrics():
-    import authentik.tasks.setup  # noqa
-    from authentik.tasks.middleware import MetricsMiddleware
-
-    addr, _, port = CONFIG.get("listen.metrics").rpartition(":")
-
-    try:
-        port = int(port)
-    except ValueError:
-        LOGGER.error(f"Invalid port entered: {port}")
-
-    MetricsMiddleware.run(addr, port)
-    pause()

authentik/tasks/middleware.py

@@ -1,29 +1,37 @@
 import socket
+from collections.abc import Callable
 from http.server import BaseHTTPRequestHandler
-from time import sleep
+from threading import Event as TEvent
+from threading import Thread, current_thread
 from typing import Any, cast
 
 import pglock
-from django.db import OperationalError, connections
+from django.db import OperationalError, connections, transaction
 from django.utils.timezone import now
 from django_dramatiq_postgres.middleware import (
     CurrentTask as BaseCurrentTask,
 )
-from django_dramatiq_postgres.middleware import HTTPServer
+from django_dramatiq_postgres.middleware import (
+    HTTPServer,
+    HTTPServerThread,
+)
 from django_dramatiq_postgres.middleware import (
     MetricsMiddleware as BaseMetricsMiddleware,
 )
 from django_dramatiq_postgres.middleware import (
     _MetricsHandler as BaseMetricsHandler,
 )
+from dramatiq import Worker
 from dramatiq.broker import Broker
 from dramatiq.message import Message
 from dramatiq.middleware import Middleware
 from psycopg.errors import Error
+from setproctitle import setthreadtitle
 from structlog.stdlib import get_logger
 
 from authentik import authentik_full_version
 from authentik.events.models import Event, EventAction
+from authentik.lib.config import CONFIG
 from authentik.lib.sentry import should_ignore_exception
 from authentik.lib.utils.reflection import class_to_path
 from authentik.root.monitoring import monitoring_set
@@ -213,17 +221,39 @@ class _healthcheck_handler(BaseHTTPRequestHandler):
 
 
 class WorkerHealthcheckMiddleware(Middleware):
-    @property
-    def forks(self):
-        from authentik.tasks.forks import worker_healthcheck
+    thread: HTTPServerThread | None
 
-        return [worker_healthcheck]
+    def __init__(self):
+        host, _, port = CONFIG.get("listen.http").rpartition(":")
+
+        try:
+            port = int(port)
+        except ValueError:
+            LOGGER.error(f"Invalid port entered: {port}")
+
+        self.host, self.port = host, port
+
+    def after_worker_boot(self, broker: Broker, worker: Worker):
+        self.thread = HTTPServerThread(
+            target=WorkerHealthcheckMiddleware.run, args=(self.host, self.port)
+        )
+        self.thread.start()
+
+    def before_worker_shutdown(self, broker: Broker, worker: Worker):
+        server = self.thread.server
+        if server:
+            server.shutdown()
+        LOGGER.debug("Stopping WorkerHealthcheckMiddleware")
+        self.thread.join()
 
     @staticmethod
     def run(addr: str, port: int):
+        setthreadtitle("authentik Worker Healthcheck server")
         try:
-            httpd = HTTPServer((addr, port), _healthcheck_handler)
-            httpd.serve_forever()
+            server = HTTPServer((addr, port), _healthcheck_handler)
+            thread = cast(HTTPServerThread, current_thread())
+            thread.server = server
+            server.serve_forever()
         except OSError as exc:
             get_logger(__name__, type(WorkerHealthcheckMiddleware)).warning(
                 "Port is already in use, not starting healthcheck server",
@@ -232,36 +262,50 @@ class WorkerHealthcheckMiddleware(Middleware):
 
 
 class WorkerStatusMiddleware(Middleware):
-    @property
-    def forks(self):
-        from authentik.tasks.forks import worker_status
+    thread: Thread | None
+    thread_event: TEvent | None
 
-        return [worker_status]
+    def after_worker_boot(self, broker: Broker, worker: Worker):
+        self.thread_event = TEvent()
+        self.thread = Thread(target=WorkerStatusMiddleware.run, args=(self.thread_event,))
+        self.thread.start()
+
+    def before_worker_shutdown(self, broker: Broker, worker: Worker):
+        self.thread_event.set()
+        LOGGER.debug("Stopping WorkerStatusMiddleware")
+        self.thread.join()
 
     @staticmethod
-    def run():
-        status = WorkerStatus.objects.create(
-            hostname=socket.gethostname(),
-            version=authentik_full_version(),
-        )
-        while True:
+    def run(event: TEvent):
+        setthreadtitle("authentik Worker status")
+        with transaction.atomic():
+            hostname = socket.gethostname()
+            WorkerStatus.objects.filter(hostname=hostname).delete()
+            status, _ = WorkerStatus.objects.update_or_create(
+                hostname=hostname,
+                version=authentik_full_version(),
+            )
+        while not event.is_set():
             try:
-                WorkerStatusMiddleware.keep(status)
+                WorkerStatusMiddleware.keep(event, status)
             except DB_ERRORS:  # pragma: no cover
-                sleep(10)
+                event.wait(10)
                 try:
                     connections.close_all()
                 except DB_ERRORS:
                     pass
 
     @staticmethod
-    def keep(status: WorkerStatus):
+    def keep(event: TEvent, status: WorkerStatus):
         lock_id = f"goauthentik.io/worker/status/{status.pk}"
         with pglock.advisory(lock_id, side_effect=pglock.Raise):
-            while True:
+            while not event.is_set():
+                status.refresh_from_db()
+                old_last_seen = status.last_seen
                 status.last_seen = now()
-                status.save(update_fields=("last_seen",))
-                sleep(30)
+                if old_last_seen != status.last_seen:
+                    status.save(update_fields=("last_seen",))
+                event.wait(30)
 
 
 class _MetricsHandler(BaseMetricsHandler):
@@ -271,10 +315,26 @@ class _MetricsHandler(BaseMetricsHandler):
 
 
 class MetricsMiddleware(BaseMetricsMiddleware):
+    thread: HTTPServerThread | None
     handler_class = _MetricsHandler
 
     @property
-    def forks(self):
-        from authentik.tasks.forks import worker_metrics
+    def forks(self) -> list[Callable[[], None]]:
+        return []
 
-        return [worker_metrics]
+    def after_worker_boot(self, broker: Broker, worker: Worker):
+        addr, _, port = CONFIG.get("listen.metrics").rpartition(":")
+
+        try:
+            port = int(port)
+        except ValueError:
+            LOGGER.error(f"Invalid port entered: {port}")
+        self.thread = HTTPServerThread(target=MetricsMiddleware.run, args=(addr, port))
+        self.thread.start()
+
+    def before_worker_shutdown(self, broker: Broker, worker: Worker):
+        server = self.thread.server
+        if server:
+            server.shutdown()
+        LOGGER.debug("Stopping MetricsMiddleware")
+        self.thread.join()