Reorganize docs sidebar with top-level Learning Center

- Group existing sections under a new `Documentation` category
- Promote `Learning Center` to its own top-level sidebar section
- Move `Enterprise` and `Developer` into top-level navigation

.cargo/config.toml

@@ -1,2 +0,0 @@
-[build]
-rustflags = ["--cfg", "tokio_unstable"]

.cargo/deny.toml

@@ -1,47 +0,0 @@
-[licenses]
-allow = [
-  "Apache-2.0 WITH LLVM-exception",
-  "Apache-2.0",
-  "BSD-3-Clause",
-  "CC0-1.0",
-  "CDLA-Permissive-2.0",
-  "ISC",
-  "MIT",
-  "MPL-2.0",
-  "OpenSSL",
-  "Unicode-3.0",
-  "Zlib",
-]
-
-[licenses.private]
-ignore = true
-
-[bans]
-multiple-versions = "allow"
-wildcards = "deny"
-[bans.workspace-dependencies]
-duplicates = "deny"
-include-path-dependencies = true
-unused = "deny"
-
-# No non-FIPS compliant dependencies
-[[bans.deny]]
-name = "native-tls"
-[[bans.deny]]
-name = "openssl"
-[[bans.deny]]
-name = "openssl-sys"
-[[bans.deny]]
-name = "ring"
-[[bans.features]]
-allow = [
-  "alloc",
-  "aws-lc-sys",
-  "default",
-  "fips",
-  "prebuilt-nasm",
-  "ring-io",
-  "ring-sig-verify",
-]
-name = "aws-lc-rs"
-exact = true

.cargo/rustfmt.toml

@@ -1,16 +0,0 @@
-comment_width = 100
-format_code_in_doc_comments = true
-format_strings = true
-group_imports = "StdExternalCrate"
-hex_literal_case = "Lower"
-imports_granularity = "Crate"
-max_width = 100
-newline_style = "Unix"
-normalize_comments = true
-normalize_doc_attributes = true
-reorder_impl_items = true
-style_edition = "2024"
-use_field_init_shorthand = true
-use_try_shorthand = true
-where_single_line = true
-wrap_comments = true

.github/actions/setup/action.yml

@@ -4,7 +4,7 @@ description: "Setup authentik testing environment"
 inputs:
   dependencies:
     description: "List of dependencies to setup"
-    default: "system,python,rust,node,go,runtime"
+    default: "system,python,node,go,runtime"
   postgresql_version:
     description: "Optional postgresql image tag"
     default: "16"
@@ -22,7 +22,7 @@ runs:
         sudo rm -rf /usr/local/lib/android
     - name: Install uv
       if: ${{ contains(inputs.dependencies, 'python') }}
-      uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v5
+      uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098 # v5
       with:
         enable-cache: true
     - name: Setup python
@@ -34,40 +34,14 @@ runs:
       if: ${{ contains(inputs.dependencies, 'python') }}
       shell: bash
       run: uv sync --all-extras --dev --frozen
-    - name: Setup rust (stable)
-      if: ${{ contains(inputs.dependencies, 'rust') && !contains(inputs.dependencies, 'rust-nightly') }}
-      uses: actions-rust-lang/setup-rust-toolchain@a0b538fa0b742a6aa35d6e2c169b4bd06d225a98 # v1
-    - name: Setup rust (nightly)
-      if: ${{ contains(inputs.dependencies, 'rust-nightly') }}
-      uses: actions-rust-lang/setup-rust-toolchain@a0b538fa0b742a6aa35d6e2c169b4bd06d225a98 # v1
-      with:
-        toolchain: nightly
-        components: rustfmt
-    - name: Setup rust dependencies
-      if: ${{ contains(inputs.dependencies, 'rust') }}
-      uses: taiki-e/install-action@64c5c20c872907b6f7cd50994ac189e7274160f2 # v2
-      with:
-        tool: cargo-deny cargo-machete cargo-llvm-cov nextest
-    - name: Setup node (web)
+    - name: Setup node
       if: ${{ contains(inputs.dependencies, 'node') }}
-      uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v4
+      uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v4
       with:
         node-version-file: web/package.json
         cache: "npm"
         cache-dependency-path: web/package-lock.json
-        registry-url: "https://registry.npmjs.org"
-    - name: Setup node (root)
-      if: ${{ contains(inputs.dependencies, 'node') }}
-      uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v4
-      with:
-        node-version-file: package.json
-        cache: "npm"
-        cache-dependency-path: package-lock.json
-        registry-url: "https://registry.npmjs.org"
-    - name: Install Node deps
-      if: ${{ contains(inputs.dependencies, 'node') }}
-      shell: bash
-      run: npm ci
+        registry-url: 'https://registry.npmjs.org'
     - name: Setup go
       if: ${{ contains(inputs.dependencies, 'go') }}
       uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v5

.github/actions/test-results/action.yml

@@ -2,22 +2,18 @@ name: "Process test results"
 description: Convert test results to JUnit, add them to GitHub Actions and codecov
 
 inputs:
-  files:
-    description: Comma-separated explicit list of files to upload
   flags:
     description: Codecov flags
 
 runs:
   using: "composite"
   steps:
-    - uses: codecov/codecov-action@1af58845a975a7985b0beb0cbe6fbbb71a41dbad # v5
+    - uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5
       with:
-        files: ${{ inputs.files }}
         flags: ${{ inputs.flags }}
         use_oidc: true
-    - uses: codecov/codecov-action@1af58845a975a7985b0beb0cbe6fbbb71a41dbad # v5
+    - uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5
       with:
-        files: ${{ inputs.files }}
         flags: ${{ inputs.flags }}
         use_oidc: true
         report_type: test_results

.github/codespell-dictionary.txt

@@ -0,0 +1 @@
+authentic->authentik

.github/codespell-words.txt

@@ -0,0 +1,32 @@
+akadmin
+asgi
+assertIn
+authentik
+authn
+crate
+docstrings
+entra
+goauthentik
+gunicorn
+hass
+jwe
+jwks
+keypair
+keypairs
+kubernetes
+oidc
+ontext
+openid
+passwordless
+plex
+saml
+scim
+singed
+slo
+sso
+totp
+traefik
+# https://github.com/codespell-project/codespell/issues/1224
+upToDate
+warmup
+webauthn

.github/workflows/_reusable-docker-build-single.yml

@@ -43,8 +43,8 @@ jobs:
       contents: read
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
-      - uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+      - uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
+      - uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
       - name: prepare variables
         uses: ./.github/actions/docker-push-variables
         id: ev
@@ -56,18 +56,18 @@ jobs:
           release: ${{ inputs.release }}
       - name: Login to Docker Hub
         if: ${{ inputs.registry_dockerhub }}
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
         with:
           username: ${{ secrets.DOCKER_CORP_USERNAME }}
           password: ${{ secrets.DOCKER_CORP_PASSWORD }}
       - name: Login to GitHub Container Registry
         if: ${{ inputs.registry_ghcr }}
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
-      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v5
+      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v5
         with:
           node-version-file: web/package.json
           cache: "npm"
@@ -80,7 +80,7 @@ jobs:
           make gen-client-ts
           make gen-client-go
       - name: Build Docker Image
-        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
         id: push
         with:
           context: .

.github/workflows/_reusable-docker-build.yml

@@ -79,13 +79,13 @@ jobs:
           image-name: ${{ inputs.image_name }}
       - name: Login to Docker Hub
         if: ${{ inputs.registry_dockerhub }}
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
         with:
           username: ${{ secrets.DOCKER_CORP_USERNAME }}
           password: ${{ secrets.DOCKER_CORP_PASSWORD }}
       - name: Login to GitHub Container Registry
         if: ${{ inputs.registry_ghcr }}
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}

.github/workflows/api-ts-publish.yml

@@ -18,14 +18,14 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - id: generate_token
-        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v2
+        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
         with:
           app-id: ${{ secrets.GH_APP_ID }}
           private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
         with:
           token: ${{ steps.generate_token.outputs.token }}
-      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v5
+      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v5
         with:
           node-version-file: web/package.json
           registry-url: "https://registry.npmjs.org"

.github/workflows/ci-api-docs.yml

@@ -33,7 +33,7 @@ jobs:
 
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v5
+      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v5
         with:
           node-version-file: website/package.json
           cache: "npm"
@@ -41,7 +41,7 @@ jobs:
       - working-directory: website/
         name: Install Dependencies
         run: npm ci
-      - uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v4
+      - uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v4
         with:
           path: |
             ${{ github.workspace }}/website/api/.docusaurus
@@ -67,11 +67,11 @@ jobs:
       - build
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v5
+      - uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v5
         with:
           name: api-docs
           path: website/api/build
-      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v5
+      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v5
         with:
           node-version-file: website/package.json
           cache: "npm"

.github/workflows/ci-aws-cfn.yml

@@ -24,7 +24,7 @@ jobs:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
       - name: Setup authentik env
         uses: ./.github/actions/setup
-      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v5
+      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v5
         with:
           node-version-file: lifecycle/aws/package.json
           cache: "npm"

.github/workflows/ci-docs.yml

@@ -36,7 +36,7 @@ jobs:
       NODE_ENV: production
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v5
+      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v5
         with:
           node-version-file: website/package.json
           cache: "npm"
@@ -53,7 +53,7 @@ jobs:
       NODE_ENV: production
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v5
+      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v5
         with:
           node-version-file: website/package.json
           cache: "npm"
@@ -77,9 +77,9 @@ jobs:
         with:
           ref: ${{ github.event.pull_request.head.sha }}
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
+        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
       - name: prepare variables
         uses: ./.github/actions/docker-push-variables
         id: ev
@@ -89,14 +89,14 @@ jobs:
           image-name: ghcr.io/goauthentik/dev-docs
       - name: Login to Container Registry
         if: ${{ steps.ev.outputs.shouldPush == 'true' }}
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Build Docker Image
         id: push
-        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
         with:
           tags: ${{ steps.ev.outputs.imageTags }}
           file: website/Dockerfile

.github/workflows/ci-main.yml

@@ -16,7 +16,6 @@ env:
   POSTGRES_DB: authentik
   POSTGRES_USER: authentik
   POSTGRES_PASSWORD: "EK-5jnKfjrGRm<77"
-  RUSTFLAGS: "-Dwarnings"
 
 permissions:
   # Needed for checkout
@@ -29,36 +28,20 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        include:
-          - job: bandit
-            deps: python
-          - job: black
-            deps: python
-          - job: spellcheck
-            deps: node
-          - job: pending-migrations
-            deps: python,runtime
-          - job: ruff
-            deps: python
-          - job: mypy
-            deps: python
-          - job: cargo-deny
-            deps: rust
-          - job: cargo-machete
-            deps: rust
-          - job: clippy
-            deps: rust
-          - job: rustfmt
-            deps: rust-nightly
+        job:
+          - bandit
+          - black
+          - codespell
+          - pending-migrations
+          - ruff
+          - mypy
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
       - name: Setup authentik env
         uses: ./.github/actions/setup
-        with:
-          dependencies: ${{ matrix.deps }}
       - name: run job
-        run: make ci-lint-${{ matrix.job }}
+        run: uv run make ci-${{ matrix.job }}
   test-gen-build:
     runs-on: ubuntu-latest
     steps:
@@ -144,7 +127,6 @@ jobs:
           CI_TEST_SEED: ${{ needs.test-make-seed.outputs.seed }}
           CI_RUN_ID: ${{ matrix.run_id }}
           CI_TOTAL_RUNS: "5"
-          PROMETHEUS_MULTIPROC_DIR: /tmp
         run: |
           uv run make ci-test
       - uses: ./.github/actions/test-results
@@ -174,7 +156,6 @@ jobs:
           CI_TEST_SEED: ${{ needs.test-make-seed.outputs.seed }}
           CI_RUN_ID: ${{ matrix.run_id }}
           CI_TOTAL_RUNS: "5"
-          PROMETHEUS_MULTIPROC_DIR: /tmp
         run: |
           uv run make ci-test
       - uses: ./.github/actions/test-results
@@ -191,8 +172,6 @@ jobs:
       - name: Create k8s Kind Cluster
         uses: helm/kind-action@ef37e7f390d99f746eb8b610417061a60e82a6cc # v1.14.0
       - name: run integration
-        env:
-          PROMETHEUS_MULTIPROC_DIR: /tmp
         run: |
           uv run coverage run manage.py test tests/integration
           uv run coverage xml
@@ -236,7 +215,7 @@ jobs:
         run: |
           docker compose -f tests/e2e/compose.yml up -d --quiet-pull
       - id: cache-web
-        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v4
+        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v4
         with:
           path: web/dist
           key: ${{ runner.os }}-web-${{ hashFiles('web/package-lock.json', 'package-lock.json', 'web/src/**', 'web/packages/sfe/src/**') }}-b
@@ -249,8 +228,6 @@ jobs:
           npm run build
           npm run build:sfe
       - name: run e2e
-        env:
-          PROMETHEUS_MULTIPROC_DIR: /tmp
         run: |
           uv run coverage run manage.py test ${{ matrix.job.glob }}
           uv run coverage xml
@@ -281,7 +258,7 @@ jobs:
         run: |
           docker compose -f tests/openid_conformance/compose.yml up -d --quiet-pull
       - id: cache-web
-        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v4
+        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v4
         with:
           path: web/dist
           key: ${{ runner.os }}-web-${{ hashFiles('web/package-lock.json', 'web/src/**', 'web/packages/sfe/src/**') }}-b
@@ -294,8 +271,6 @@ jobs:
           npm run build
           npm run build:sfe
       - name: run conformance
-        env:
-          PROMETHEUS_MULTIPROC_DIR: /tmp
         run: |
           uv run coverage run manage.py test ${{ matrix.job.glob }}
           uv run coverage xml
@@ -308,29 +283,6 @@ jobs:
         with:
           name: conformance-certification-${{ matrix.job.name }}
           path: tests/openid_conformance/exports/
-  test-rust:
-    runs-on: ubuntu-latest
-    timeout-minutes: 30
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - name: Setup authentik env
-        uses: ./.github/actions/setup
-        with:
-          dependencies: rust
-      - name: run tests
-        run: |
-          cargo llvm-cov --no-report nextest --workspace
-          cargo llvm-cov report --codecov --output-path target/llvm-cov-target/rust.json
-      - uses: ./.github/actions/test-results
-        if: ${{ always() }}
-        with:
-          files: target/llvm-cov-target/rust.json
-          flags: rust
-      - if: ${{ !cancelled() }}
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
-        with:
-          name: test-rust
-          path: target/llvm-cov-target/rust.json
   ci-core-mark:
     if: always()
     needs:

.github/workflows/ci-outpost.yml

@@ -90,9 +90,9 @@ jobs:
         with:
           ref: ${{ github.event.pull_request.head.sha }}
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
+        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
       - name: prepare variables
         uses: ./.github/actions/docker-push-variables
         id: ev
@@ -102,7 +102,7 @@ jobs:
           image-name: ghcr.io/goauthentik/dev-${{ matrix.type }}
       - name: Login to Container Registry
         if: ${{ steps.ev.outputs.shouldPush == 'true' }}
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
@@ -111,7 +111,7 @@ jobs:
         run: make gen-client-go
       - name: Build Docker Image
         id: push
-        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
         with:
           tags: ${{ steps.ev.outputs.imageTags }}
           file: lifecycle/container/${{ matrix.type }}.Dockerfile
@@ -151,7 +151,7 @@ jobs:
       - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
         with:
           go-version-file: "go.mod"
-      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v5
+      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v5
         with:
           node-version-file: web/package.json
           cache: "npm"

.github/workflows/ci-web.yml

@@ -32,7 +32,7 @@ jobs:
             project: web
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v5
+      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v5
         with:
           node-version-file: ${{ matrix.project }}/package.json
           cache: "npm"
@@ -49,7 +49,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v5
+      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v5
         with:
           node-version-file: web/package.json
           cache: "npm"
@@ -77,7 +77,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v5
+      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v5
         with:
           node-version-file: web/package.json
           cache: "npm"

.github/workflows/gen-image-compress.yml

@@ -29,7 +29,7 @@ jobs:
        github.event.pull_request.head.repo.full_name == github.repository)
     steps:
       - id: generate_token
-        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v2
+        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
         with:
           app-id: ${{ secrets.GH_APP_ID }}
           private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
@@ -38,7 +38,7 @@ jobs:
           token: ${{ steps.generate_token.outputs.token }}
       - name: Compress images
         id: compress
-        uses: calibreapp/image-actions@03c976c29803442fc4040a9de5509669e7759b81 # main
+        uses: calibreapp/image-actions@d9c8ee5c3dc52ae4622c82ead88d658f4b16b65f # main
         with:
           GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
           compressOnly: ${{ github.event_name != 'pull_request' }}

.github/workflows/gen-update-webauthn-mds.yml

@@ -16,7 +16,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - id: generate_token
-        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v2
+        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
         with:
           app-id: ${{ secrets.GH_APP_ID }}
           private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}

.github/workflows/gh-cherry-pick.yml

@@ -10,7 +10,7 @@ jobs:
     steps:
       - id: app-token
         name: Generate app token
-        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v2
+        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
         if: ${{ env.GH_APP_ID != '' }}
         with:
           app-id: ${{ secrets.GH_APP_ID }}

.github/workflows/gh-ghcr-retention.yml

@@ -16,7 +16,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - id: generate_token
-        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v2
+        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
         with:
           app-id: ${{ secrets.GH_APP_ID }}
           private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}

.github/workflows/packages-npm-publish.yml

@@ -35,7 +35,7 @@ jobs:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
         with:
           fetch-depth: 2
-      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v5
+      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v5
         with:
           node-version-file: ${{ matrix.package }}/package.json
           registry-url: "https://registry.npmjs.org"

.github/workflows/release-branch-off.yml

@@ -29,7 +29,7 @@ jobs:
     steps:
       - id: app-token
         name: Generate app token
-        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v2
+        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
         with:
           app-id: ${{ secrets.GH_APP_ID }}
           private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
@@ -57,7 +57,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - id: generate_token
-        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v2
+        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
         with:
           app-id: ${{ secrets.GH_APP_ID }}
           private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}

.github/workflows/release-publish.yml

@@ -33,9 +33,9 @@ jobs:
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
+        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
       - name: prepare variables
         uses: ./.github/actions/docker-push-variables
         id: ev
@@ -44,14 +44,14 @@ jobs:
         with:
           image-name: ghcr.io/goauthentik/docs
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Build Docker Image
         id: push
-        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
         with:
           tags: ${{ steps.ev.outputs.imageTags }}
           file: website/Dockerfile
@@ -87,15 +87,15 @@ jobs:
       - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
         with:
           go-version-file: "go.mod"
-      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v5
+      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v5
         with:
           node-version-file: web/package.json
           cache: "npm"
           cache-dependency-path: web/package-lock.json
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
+        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
       - name: prepare variables
         uses: ./.github/actions/docker-push-variables
         id: ev
@@ -108,18 +108,18 @@ jobs:
           make gen-client-ts
           make gen-client-go
       - name: Docker Login Registry
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
         with:
           username: ${{ secrets.DOCKER_CORP_USERNAME }}
           password: ${{ secrets.DOCKER_CORP_PASSWORD }}
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Build Docker Image
-        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
         id: push
         with:
           push: true
@@ -155,7 +155,7 @@ jobs:
       - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
         with:
           go-version-file: "go.mod"
-      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v5
+      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v5
         with:
           node-version-file: web/package.json
           cache: "npm"
@@ -180,7 +180,7 @@ jobs:
           export CGO_ENABLED=0
           go build -tags=outpost_static_embed -v -o ./authentik-outpost-${{ matrix.type }}_${{ matrix.goos }}_${{ matrix.goarch }} ./cmd/${{ matrix.type }}
       - name: Upload binaries to release
-        uses: svenstaro/upload-release-action@29e53e917877a24fad85510ded594ab3c9ca12de # v2
+        uses: svenstaro/upload-release-action@b98a3b12e86552593f3e4e577ca8a62aa2f3f22b # v2
         with:
           repo_token: ${{ secrets.GITHUB_TOKEN }}
           file: ./authentik-outpost-${{ matrix.type }}_${{ matrix.goos }}_${{ matrix.goarch }}

.github/workflows/release-tag.yml

@@ -67,7 +67,7 @@ jobs:
     steps:
       - id: app-token
         name: Generate app token
-        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v2
+        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
         with:
           app-id: ${{ secrets.GH_APP_ID }}
           private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
@@ -91,12 +91,11 @@ jobs:
           # ID from https://api.github.com/users/authentik-automation[bot]
           git config --global user.name '${{ steps.app-token.outputs.app-slug }}[bot]'
           git config --global user.email '${{ steps.get-user-id.outputs.user-id }}+${{ steps.app-token.outputs.app-slug }}[bot]@users.noreply.github.com'
-          git pull
           git commit -a -m "release: ${{ inputs.version }}" --allow-empty
           git tag "version/${{ inputs.version }}" HEAD -m "version/${{ inputs.version }}"
           git push --follow-tags
       - name: Create Release
-        uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2.6.1
+        uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
         with:
           token: "${{ steps.app-token.outputs.token }}"
           tag_name: "version/${{ inputs.version }}"
@@ -115,7 +114,7 @@ jobs:
     steps:
       - id: app-token
         name: Generate app token
-        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v2
+        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
         with:
           app-id: ${{ secrets.GH_APP_ID }}
           private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
@@ -157,7 +156,7 @@ jobs:
     steps:
       - id: app-token
         name: Generate app token
-        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v2
+        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
         with:
           app-id: ${{ secrets.GH_APP_ID }}
           private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
@@ -175,7 +174,7 @@ jobs:
         if: "${{ inputs.release_reason == 'feature' }}"
         run: |
           changelog_url="https://docs.goauthentik.io/docs/releases/${{ needs.check-inputs.outputs.major_version }}"
-          reason="${{ inputs.release_reason }}"
+          reason="{{ inputs.release_reason }}"
           jq \
             --arg version "${{ inputs.version }}" \
             --arg changelog "See ${changelog_url}" \
@@ -187,7 +186,7 @@ jobs:
         if: "${{ inputs.release_reason != 'feature' }}"
         run: |
           changelog_url="https://docs.goauthentik.io/docs/releases/${{ needs.check-inputs.outputs.major_version }}#fixed-in-$(echo -n ${{ inputs.version}} | sed 's/\.//g')"
-          reason="${{ inputs.release_reason }}"
+          reason="{{ inputs.release_reason }}"
           jq \
             --arg version "${{ inputs.version }}" \
             --arg changelog "See ${changelog_url}" \

.github/workflows/repo-stale.yml

@@ -15,7 +15,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - id: generate_token
-        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v2
+        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
         with:
           app-id: ${{ secrets.GH_APP_ID }}
           private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}

.github/workflows/translation-extract-compile.yml

@@ -21,7 +21,7 @@ jobs:
     steps:
       - id: generate_token
         if: ${{ github.event_name != 'pull_request' }}
-        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v2
+        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
         with:
           app-id: ${{ secrets.GH_APP_ID }}
           private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}

.gitignore

@@ -15,9 +15,6 @@ media
 
 node_modules
 
-.cspellcache
-cspell-report.*
-
 # If your build process includes running collectstatic, then you probably don't need or want to include staticfiles/
 # in your Git repository. Update and uncomment the following line accordingly.
 # <django-project-name>/staticfiles/
@@ -195,24 +192,6 @@ pyvenv.cfg
 pip-selfcheck.json
 
 # End of https://www.gitignore.io/api/python,django
-
-# Created by https://www.toptal.com/developers/gitignore/api/rust
-# Edit at https://www.toptal.com/developers/gitignore?templates=rust
-
-### Rust ###
-# Generated by Cargo
-# will have compiled files and executables
-debug/
-target/
-
-# These are backup files generated by rustfmt
-**/*.rs.bk
-
-# MSVC Windows builds of rustc generate these, which store debugging information
-*.pdb
-
-# End of https://www.toptal.com/developers/gitignore/api/rust
-
 /static/
 local.env.yml
 

.vscode/settings.json

@@ -14,10 +14,6 @@
     "[xml]": {
         "editor.minimap.markSectionHeaderRegex": "<!--\\s*#\\bregion\\s*(?<separator>-?)\\s*(?<label>.*)\\s*-->"
     },
-    "files.associations": {
-        // The built-in "ignore" language gives us enough syntax highlighting to make these files readable.
-        "**/dictionaries/*.txt": "ignore"
-    },
     "todo-tree.tree.showCountsInTree": true,
     "todo-tree.tree.showBadges": true,
     "yaml.customTags": [
@@ -53,9 +49,13 @@
             "ignoreCase": false
         }
     ],
-    "go.testFlags": ["-count=1"],
+    "go.testFlags": [
+        "-count=1"
+    ],
     "go.testEnvVars": {
         "WORKSPACE_DIR": "${workspaceFolder}"
     },
-    "github-actions.workflows.pinned.workflows": [".github/workflows/ci-main.yml"]
+    "github-actions.workflows.pinned.workflows": [
+        ".github/workflows/ci-main.yml"
+    ]
 }

CODEOWNERS

@@ -3,7 +3,6 @@
 # Backend
 authentik/                              @goauthentik/backend
 blueprints/                             @goauthentik/backend
-src/                                    @goauthentik/backend
 cmd/                                    @goauthentik/backend
 internal/                               @goauthentik/backend
 lifecycle/                              @goauthentik/backend
@@ -12,12 +11,8 @@ scripts/                                @goauthentik/backend
 tests/                                  @goauthentik/backend
 pyproject.toml                          @goauthentik/backend
 uv.lock                                 @goauthentik/backend
-Cargo.toml                              @goauthentik/backend
-Cargo.lock                              @goauthentik/backend
 go.mod                                  @goauthentik/backend
 go.sum                                  @goauthentik/backend
-.config/                                @goauthentik/backend
-rust-toolchain.toml                     @goauthentik/backend
 # Infrastructure
 .github/                                @goauthentik/infrastructure
 lifecycle/aws/                          @goauthentik/infrastructure

Cargo.toml

@@ -1,296 +0,0 @@
-[workspace]
-members = [".", "website/scripts/docsmg"]
-resolver = "3"
-
-[workspace.package]
-authors = ["authentik Team <hello@goauthentik.io>"]
-edition = "2024"
-readme = "README.md"
-homepage = "https://goauthentik.io"
-repository = "https://github.com/goauthentik/authentik.git"
-license-file = "LICENSE"
-publish = false
-
-[workspace.dependencies]
-arc-swap = "1.8.2"
-argh = "0.1.17"
-async-trait = "0.1.89"
-aws-lc-rs = { version = "1.16.1", features = ["fips"] }
-axum = { version = "0.8.8", features = ["http2", "macros", "ws"] }
-axum-server = { version = "0.8.0", features = ["tls-rustls-no-provider"] }
-bytes = "1.11.1"
-chrono = "0.4.44"
-clap = { version = "4.5.59", features = ["derive", "env"] }
-client-ip = { version = "0.2.1", features = ["forwarded-header"] }
-color-eyre = "0.6.5"
-colored = "3.1.1"
-config = { version = "0.15.19", default-features = false, features = [
-  "yaml",
-  "async",
-] }
-console-subscriber = "0.5.0"
-dotenvy = "0.15.7"
-durstr = "0.4.0"
-eyre = "0.6.12"
-forwarded-header-value = "0.1.1"
-futures = "0.3.32"
-glob = "0.3.3"
-http-body-util = "0.1.3"
-hyper = "1.8.1"
-hyper-unix-socket = "0.3.0"
-hyper-util = "0.1.20"
-ipnet = { version = "2.12.0", features = ["serde"] }
-# See https://github.com/mladedav/json-subscriber/pull/23
-json-subscriber = { git = "https://github.com/rissson/json-subscriber.git", rev = "950ad7cb887a0a14fd5cb8afb8e76db1f456c032" }
-jsonwebtoken = { version = "10.3.0", default-features = false, features = [
-  "aws_lc_rs",
-] }
-metrics = "0.24.3"
-metrics-exporter-prometheus = { version = "0.18.1", default-features = false }
-nix = { version = "0.31.2", features = ["hostname", "signal"] }
-notify = "8.2.0"
-pem = "3.0.6"
-pin-project-lite = "0.2.17"
-pyo3 = "0.28.2"
-percent-encoding = "2.3.2"
-rcgen = { version = "0.14.7", default-features = false, features = [
-  "aws_lc_rs",
-  "fips",
-] }
-regex = "1.12.3"
-rustls = { version = "0.23.37", features = ["fips"] }
-sentry = { version = "0.47.0", default-features = false, features = [
-  "backtrace",
-  "contexts",
-  "debug-images",
-  "panic",
-  "rustls",
-  "reqwest",
-  "tower",
-  "tracing",
-] }
-serde = { version = "1.0.228", features = ["derive"] }
-serde_json = "1.0.149"
-sqlx = { version = "0.8.6", default-features = false, features = [
-  "runtime-tokio",
-  "tls-rustls-aws-lc-rs",
-  "postgres",
-  "derive",
-  "macros",
-  "uuid",
-  "chrono",
-  "ipnet",
-  "json",
-] }
-time = "0.3.47"
-thiserror = "2.0.18"
-tokio = { version = "1.50.0", features = ["full"] }
-tokio-rustls = "0.26.4"
-tokio-tungstenite = "0.28.0"
-tokio-util = "0.7.18"
-tower = "0.5.3"
-tower-http = { version = "0.6.8", features = [
-  "compression-br",
-  "compression-deflate",
-  "compression-gzip",
-  "compression-zstd",
-  "fs",
-  "timeout",
-] }
-tower-service = "0.3.3"
-tracing = "0.1.44"
-tracing-error = "0.2.1"
-tracing-subscriber = { version = "0.3.22", features = [
-  "env-filter",
-  "json",
-  "tracing-log",
-] }
-url = "2.5.8"
-uuid = { version = "1.22.0", features = ["v4"] }
-
-[profile.dev.package.backtrace]
-opt-level = 3
-
-[profile.release]
-lto = true
-debug = 2
-
-[workspace.lints.rust]
-ambiguous_negative_literals = "warn"
-closure_returning_async_block = "warn"
-macro_use_extern_crate = "deny"
-# must_not_suspend = "deny", unstable see https://github.com/rust-lang/rust/issues/83310
-non_ascii_idents = "deny"
-redundant_imports = "warn"
-semicolon_in_expressions_from_macros = "warn"
-trivial_casts = "warn"
-trivial_numeric_casts = "warn"
-unit_bindings = "warn"
-unreachable_pub = "warn"
-unsafe_code = "deny"
-unused_extern_crates = "warn"
-unused_import_braces = "warn"
-unused_lifetimes = "warn"
-unused_macro_rules = "warn"
-unused_qualifications = "warn"
-
-[workspace.lints.rustdoc]
-unescaped_backticks = "warn"
-
-[workspace.lints.clippy]
-### enable all lints
-cargo = { priority = -1, level = "warn" }
-complexity = { priority = -1, level = "warn" }
-correctness = { priority = -1, level = "warn" }
-nursery = { priority = -1, level = "warn" }
-pedantic = { priority = -1, level = "warn" }
-perf = { priority = -1, level = "warn" }
-# Those are too restrictive and disabled by default, however we enable some below
-# restriction = { priority = -1, level = "warn" }
-style = { priority = -1, level = "warn" }
-suspicious = { priority = -1, level = "warn" }
-### and disable the ones we don't want
-### cargo group
-multiple_crate_versions = "allow"
-### pedantic group
-redundant_closure_for_method_calls = "allow"
-struct_field_names = "allow"
-too_many_lines = "allow"
-### nursery
-missing_const_for_fn = "allow"
-redundant_pub_crate = "allow"
-option_if_let_else = "allow"
-### restriction group
-allow_attributes = "warn"
-allow_attributes_without_reason = "warn"
-as_conversions = "warn"
-as_pointer_underscore = "warn"
-as_underscore = "warn"
-assertions_on_result_states = "warn"
-clone_on_ref_ptr = "warn"
-create_dir = "warn"
-dbg_macro = "warn"
-default_numeric_fallback = "warn"
-disallowed_script_idents = "warn"
-empty_drop = "warn"
-empty_enum_variants_with_brackets = "warn"
-empty_structs_with_brackets = "warn"
-error_impl_error = "warn"
-exit = "warn"
-filetype_is_file = "warn"
-float_cmp_const = "warn"
-fn_to_numeric_cast_any = "warn"
-get_unwrap = "warn"
-if_then_some_else_none = "warn"
-impl_trait_in_params = "warn"
-infinite_loop = "warn"
-lossy_float_literal = "warn"
-map_with_unused_argument_over_ranges = "warn"
-mem_forget = "warn"
-missing_asserts_for_indexing = "warn"
-missing_trait_methods = "warn"
-mixed_read_write_in_expression = "warn"
-mutex_atomic = "warn"
-mutex_integer = "warn"
-needless_raw_strings = "warn"
-non_zero_suggestions = "warn"
-panic_in_result_fn = "warn"
-pathbuf_init_then_push = "warn"
-print_stdout = "warn"
-rc_buffer = "warn"
-redundant_test_prefix = "warn"
-redundant_type_annotations = "warn"
-ref_patterns = "warn"
-renamed_function_params = "warn"
-rest_pat_in_fully_bound_structs = "warn"
-return_and_then = "warn"
-same_name_method = "warn"
-semicolon_inside_block = "warn"
-str_to_string = "warn"
-string_add = "warn"
-suspicious_xor_used_as_pow = "warn"
-tests_outside_test_module = "warn"
-todo = "warn"
-try_err = "warn"
-undocumented_unsafe_blocks = "warn"
-unimplemented = "warn"
-unnecessary_safety_comment = "warn"
-unnecessary_safety_doc = "warn"
-unnecessary_self_imports = "warn"
-unneeded_field_pattern = "warn"
-unseparated_literal_suffix = "warn"
-unused_result_ok = "warn"
-unused_trait_names = "warn"
-unwrap_in_result = "warn"
-unwrap_used = "warn"
-verbose_file_reads = "warn"
-
-[package]
-name = "authentik"
-version = "2026.5.0-rc1"
-authors.workspace = true
-edition.workspace = true
-readme.workspace = true
-homepage.workspace = true
-repository.workspace = true
-license-file.workspace = true
-publish.workspace = true
-
-[features]
-default = ["core", "proxy"]
-proxy = []
-core = ["proxy", "dep:sqlx", "dep:pyo3"]
-
-[dependencies]
-arc-swap.workspace = true
-argh.workspace = true
-async-trait.workspace = true
-aws-lc-rs.workspace = true
-axum-server.workspace = true
-axum.workspace = true
-client-ip.workspace = true
-color-eyre.workspace = true
-config.workspace = true
-console-subscriber.workspace = true
-durstr.workspace = true
-eyre.workspace = true
-forwarded-header-value.workspace = true
-futures.workspace = true
-glob.workspace = true
-http-body-util.workspace = true
-hyper-unix-socket.workspace = true
-hyper-util.workspace = true
-hyper.workspace = true
-ipnet.workspace = true
-json-subscriber.workspace = true
-jsonwebtoken.workspace = true
-metrics.workspace = true
-metrics-exporter-prometheus.workspace = true
-nix.workspace = true
-notify.workspace = true
-pem.workspace = true
-percent-encoding.workspace = true
-pin-project-lite.workspace = true
-pyo3 = { workspace = true, optional = true }
-rcgen.workspace = true
-rustls.workspace = true
-sentry.workspace = true
-serde.workspace = true
-serde_json.workspace = true
-sqlx = { workspace = true, optional = true }
-thiserror.workspace = true
-time.workspace = true
-tokio-rustls.workspace = true
-tokio-tungstenite.workspace = true
-tokio-util.workspace = true
-tokio.workspace = true
-tower-http.workspace = true
-tower.workspace = true
-tracing-error.workspace = true
-tracing-subscriber.workspace = true
-tracing.workspace = true
-url.workspace = true
-uuid.workspace = true
-
-[lints]
-workspace = true

Makefile

@@ -23,7 +23,6 @@ BREW_LDFLAGS :=
 BREW_CPPFLAGS :=
 BREW_PKG_CONFIG_PATH :=
 
-CARGO := cargo
 UV := uv
 
 # For macOS users, add the libxml2 installed from brew libxmlsec1 to the build path
@@ -70,26 +69,22 @@ help:  ## Show this help
 		sort
 	@echo ""
 
-go-test:  ## Run the golang tests
+go-test:
 	go test -timeout 0 -v -race -cover ./...
 
-rust-test:  ## Run the Rust tests
-	$(CARGO) nextest run --workspace
-
 test: ## Run the server tests and produce a coverage report (locally)
 	$(UV) run coverage run manage.py test --keepdb $(or $(filter-out $@,$(MAKECMDGOALS)),authentik)
 	$(UV) run coverage html
 	$(UV) run coverage report
 
-lint-fix:  ## Lint and automatically fix errors in the python source code. Reports spelling errors.
+lint-fix: lint-codespell  ## Lint and automatically fix errors in the python source code. Reports spelling errors.
 	$(UV) run black $(PY_SOURCES)
 	$(UV) run ruff check --fix $(PY_SOURCES)
-	$(CARGO) +nightly fmt --all -- --config-path .cargo/rustfmt.toml
 
-lint-spellcheck:  ## Reports spelling errors.
-	npm run lint:spellcheck
+lint-codespell:  ## Reports spelling errors.
+	$(UV) run codespell -w
 
-lint: ci-lint-bandit ci-lint-mypy ci-lint-cargo-deny ci-lint-cargo-machete  ## Lint the python and golang sources
+lint: ci-bandit ci-mypy ## Lint the python and golang sources
 	golangci-lint run -v
 
 core-install:
@@ -110,24 +105,12 @@ i18n-extract: core-i18n-extract web-i18n-extract  ## Extract strings that requir
 aws-cfn:
 	cd lifecycle/aws && npm i && $(UV) run npm run aws-cfn
 
-run:  ## Run the authentik server and worker, without auto reloading
-	$(UV) run ak allinone
-
-run-watch:  ## Run the authentik server and worker, with auto reloading
-	$(UV) run watchexec --on-busy-update=restart --stop-signal=SIGINT --exts py,rs --no-meta --notify -- ak allinone
-
-run-server:  ## Run the authentik server, without auto reloading
+run-server:  ## Run the main authentik server process
 	$(UV) run ak server
 
-run-server-watch:  ## Run the authentik server, with auto reloading
-	$(UV) run watchexec --on-busy-update=restart --stop-signal=SIGINT --exts py,rs --no-meta --notify -- ak server
-
-run-worker:  ## Run the authentik worker, without auto reloading
+run-worker:  ## Run the main authentik worker process
 	$(UV) run ak worker
 
-run-worker-watch:  ## Run the authentik worker, with auto reloading
-	$(UV) run watchexec --on-busy-update=restart --stop-signal=SIGINT --exts py,rs --no-meta --notify -- ak worker
-
 core-i18n-extract:
 	$(UV) run ak makemessages \
 		--add-location file \
@@ -166,7 +149,7 @@ ifndef version
 	$(error Usage: make bump version=20xx.xx.xx )
 endif
 	$(eval current_version := $(shell cat ${PWD}/internal/constants/VERSION))
-	$(SED_INPLACE) 's/^version = ".*"/version = "$(version)"/' ${PWD}/pyproject.toml ${PWD}/Cargo.toml
+	$(SED_INPLACE) 's/^version = ".*"/version = "$(version)"/' ${PWD}/pyproject.toml
 	$(SED_INPLACE) 's/^VERSION = ".*"/VERSION = "$(version)"/' ${PWD}/authentik/__init__.py
 	$(MAKE) gen-build gen-compose aws-cfn
 	$(SED_INPLACE) "s/\"${current_version}\"/\"$(version)\"/" ${PWD}/package.json ${PWD}/package-lock.json ${PWD}/web/package.json ${PWD}/web/package-lock.json
@@ -303,7 +286,7 @@ docs: docs-lint-fix docs-build  ## Automatically fix formatting issues in the Au
 docs-install:
 	npm ci --prefix website
 
-docs-lint-fix: lint-spellcheck
+docs-lint-fix: lint-codespell
 	npm run --prefix website prettier
 
 docs-build:
@@ -348,40 +331,27 @@ test-docker:
 # which makes the YAML File a lot smaller
 
 ci--meta-debug:
-	$(UV) run python -V || echo "No python installed"
-	$(CARGO) --version || echo "No rust installed"
-	node --version || echo "No node installed"
+	$(UV) run python -V
+	node --version
 
-ci-lint-mypy: ci--meta-debug
+ci-mypy: ci--meta-debug
 	$(UV) run mypy --strict $(PY_SOURCES)
 
-ci-lint-black: ci--meta-debug
+ci-black: ci--meta-debug
 	$(UV) run black --check $(PY_SOURCES)
 
-ci-lint-ruff: ci--meta-debug
+ci-ruff: ci--meta-debug
 	$(UV) run ruff check $(PY_SOURCES)
 
-ci-lint-spellcheck: ci--meta-debug
-	npm run lint:spellcheck
+ci-codespell: ci--meta-debug
+	$(UV) run codespell -s
 
-ci-lint-bandit: ci--meta-debug
+ci-bandit: ci--meta-debug
 	$(UV) run bandit -c pyproject.toml -r $(PY_SOURCES) -iii
 
-ci-lint-pending-migrations: ci--meta-debug
+ci-pending-migrations: ci--meta-debug
 	$(UV) run ak makemigrations --check
 
-ci-lint-cargo-deny: ci--meta-debug
-	$(CARGO) deny --locked --workspace check --config .cargo/deny.toml
-
-ci-lint-cargo-machete: ci--meta-debug
-	$(CARGO) machete
-
-ci-lint-rustfmt: ci--meta-debug
-	$(CARGO) +nightly fmt --all --check -- --config-path .cargo/rustfmt.toml
-
-ci-lint-clippy: ci--meta-debug
-	$(CARGO) clippy -- -D warnings
-
 ci-test: ci--meta-debug
 	$(UV) run coverage run manage.py test --keepdb authentik
 	$(UV) run coverage report

authentik/admin/files/backends/file.py

@@ -92,7 +92,6 @@ class FileBackend(ManageableBackend):
                     "nbf": now() - timedelta(seconds=15),
                 },
                 key=sha256(f"{settings.SECRET_KEY}:{self.usage}".encode()).hexdigest(),
-                # Must match crates/authentik-server/src/static.rs
                 algorithm="HS256",
             )
             url = f"{prefix}/files/{path}?token={token}"

authentik/blueprints/management/commands/apply_blueprint.py

@@ -1,5 +1,7 @@
 """Apply blueprint from commandline"""
 
+from sys import exit as sys_exit
+
 from django.core.management.base import BaseCommand, no_translations
 from structlog.stdlib import get_logger
 
@@ -26,7 +28,7 @@ class Command(BaseCommand):
                         self.stderr.write("Blueprint invalid")
                         for log in logs:
                             self.stderr.write(f"\t{log.logger}: {log.event}: {log.attributes}")
-                        raise RuntimeError("Blueprint invalid")
+                        sys_exit(1)
                     importer.apply()
 
     def add_arguments(self, parser):

authentik/core/models.py

@@ -1115,11 +1115,7 @@ class ExpiringModel(models.Model):
         default the object is deleted. This is less efficient compared
         to bulk deleting objects, but classes like Token() need to change
         values instead of being deleted."""
-        try:
-            return self.delete(*args, **kwargs)
-        except self.DoesNotExist:
-            # Object has already been deleted, so this should be fine
-            return None
+        return self.delete(*args, **kwargs)
 
     @classmethod
     def filter_not_expired(cls, **kwargs) -> QuerySet[Self]:

authentik/core/templates/base/skeleton.html

@@ -21,10 +21,6 @@
         {% block head_before %}
         {% endblock %}
 
-        {% block interface_stylesheet %}
-        <link rel="stylesheet" type="text/css" href="{% versioned_script 'dist/styles/interface-%v.css' %}" />
-        {% endblock %}
-
         {% include "base/theme.html" %}
 
         <style data-id="brand-css">{{ brand_css }}</style>

authentik/core/templates/base/theme.html

@@ -1,6 +1,8 @@
 {% load static %}
 {% load authentik_core %}
 
+<link rel="stylesheet" type="text/css" href="{% versioned_script 'dist/styles/interface-%v.css' %}" />
+
 {% if ui_theme == "dark" %}
   <meta name="color-scheme" content="dark" />
   <meta name="theme-color" content="#18191a">

authentik/core/tests/test_interface_views.py

@@ -1,101 +0,0 @@
-"""Test interface view redirect behavior by user type"""
-
-from django.test import TestCase
-from django.urls import reverse
-
-from authentik.brands.models import Brand
-from authentik.core.models import Application, UserTypes
-from authentik.core.tests.utils import create_test_brand, create_test_user
-
-
-class TestInterfaceRedirects(TestCase):
-    """Test RootRedirectView and BrandDefaultRedirectView redirect logic by user type"""
-
-    def setUp(self):
-        self.app = Application.objects.create(name="test-app", slug="test-app")
-        self.brand: Brand = create_test_brand(default_application=self.app)
-
-    def _assert_redirects_to_app(self, url_name: str, user_type: UserTypes):
-        user = create_test_user(type=user_type)
-        self.client.force_login(user)
-        response = self.client.get(reverse(f"authentik_core:{url_name}"))
-        self.assertRedirects(
-            response,
-            reverse(
-                "authentik_core:application-launch", kwargs={"application_slug": self.app.slug}
-            ),
-            fetch_redirect_response=False,
-        )
-
-    def _assert_no_redirect(self, url_name: str, user_type: UserTypes):
-        """Internal users should not be redirected away."""
-        user = create_test_user(type=user_type)
-        self.client.force_login(user)
-        response = self.client.get(reverse(f"authentik_core:{url_name}"))
-        # Internal users get a 200 (rendered template) or redirect to if-user, not to the app
-        app_url = reverse(
-            "authentik_core:application-launch", kwargs={"application_slug": self.app.slug}
-        )
-        self.assertNotEqual(response.get("Location"), app_url)
-
-    # --- RootRedirectView ---
-
-    def test_root_redirect_external_user(self):
-        """External users are redirected to the default app from root"""
-        self._assert_redirects_to_app("root-redirect", UserTypes.EXTERNAL)
-
-    def test_root_redirect_service_account(self):
-        """Service accounts are redirected to the default app from root"""
-        self._assert_redirects_to_app("root-redirect", UserTypes.SERVICE_ACCOUNT)
-
-    def test_root_redirect_internal_service_account(self):
-        """Internal service accounts are redirected to the default app from root"""
-        self._assert_redirects_to_app("root-redirect", UserTypes.INTERNAL_SERVICE_ACCOUNT)
-
-    def test_root_redirect_internal_user(self):
-        """Internal users are NOT redirected to the app from root"""
-        self._assert_no_redirect("root-redirect", UserTypes.INTERNAL)
-
-    # --- BrandDefaultRedirectView (if/user/) ---
-
-    def test_if_user_external_user(self):
-        """External users are redirected to the default app from if/user/"""
-        self._assert_redirects_to_app("if-user", UserTypes.EXTERNAL)
-
-    def test_if_user_service_account(self):
-        """Service accounts are redirected to the default app from if/user/"""
-        self._assert_redirects_to_app("if-user", UserTypes.SERVICE_ACCOUNT)
-
-    def test_if_user_internal_service_account(self):
-        """Internal service accounts are redirected to the default app from if/user/"""
-        self._assert_redirects_to_app("if-user", UserTypes.INTERNAL_SERVICE_ACCOUNT)
-
-    def test_if_user_internal_user(self):
-        """Internal users are NOT redirected to the app from if/user/"""
-        self._assert_no_redirect("if-user", UserTypes.INTERNAL)
-
-    # --- BrandDefaultRedirectView (if/admin/) ---
-
-    def test_if_admin_service_account(self):
-        """Service accounts are redirected to the default app from if/admin/"""
-        self._assert_redirects_to_app("if-admin", UserTypes.SERVICE_ACCOUNT)
-
-    def test_if_admin_internal_service_account(self):
-        """Internal service accounts are redirected to the default app from if/admin/"""
-        self._assert_redirects_to_app("if-admin", UserTypes.INTERNAL_SERVICE_ACCOUNT)
-
-    def test_if_admin_internal_user(self):
-        """Internal users are NOT redirected to the app from if/admin/"""
-        self._assert_no_redirect("if-admin", UserTypes.INTERNAL)
-
-    # --- No default app set ---
-
-    def test_service_account_no_default_app_access_denied(self):
-        """Service accounts get access denied when no default app is configured"""
-        self.brand.default_application = None
-        self.brand.save()
-        user = create_test_user(type=UserTypes.SERVICE_ACCOUNT)
-        self.client.force_login(user)
-        response = self.client.get(reverse("authentik_core:if-user"))
-        self.assertEqual(response.status_code, 200)
-        self.assertIn(b"Interface can only be accessed by internal users", response.content)

authentik/core/views/interface.py

@@ -26,11 +26,7 @@ class RootRedirectView(RedirectView):
     query_string = True
 
     def redirect_to_app(self, request: HttpRequest):
-        if request.user.is_authenticated and request.user.type in (
-            UserTypes.EXTERNAL,
-            UserTypes.SERVICE_ACCOUNT,
-            UserTypes.INTERNAL_SERVICE_ACCOUNT,
-        ):
+        if request.user.is_authenticated and request.user.type == UserTypes.EXTERNAL:
             brand: Brand = request.brand
             if brand.default_application:
                 return redirect(
@@ -66,11 +62,7 @@ class BrandDefaultRedirectView(InterfaceView):
     """By default redirect to default app"""
 
     def dispatch(self, request: HttpRequest, *args: Any, **kwargs: Any) -> HttpResponse:
-        if request.user.is_authenticated and request.user.type in (
-            UserTypes.EXTERNAL,
-            UserTypes.SERVICE_ACCOUNT,
-            UserTypes.INTERNAL_SERVICE_ACCOUNT,
-        ):
+        if request.user.is_authenticated and request.user.type == UserTypes.EXTERNAL:
             brand: Brand = request.brand
             if brand.default_application:
                 return redirect(

authentik/endpoints/api/stages.py

@@ -1,11 +1,8 @@
-from django.utils.translation import gettext_lazy as _
-from rest_framework.exceptions import ValidationError
 from rest_framework.viewsets import ModelViewSet
 
 from authentik.core.api.used_by import UsedByMixin
 from authentik.endpoints.api.connectors import ConnectorSerializer
-from authentik.endpoints.controller import Capabilities
-from authentik.endpoints.models import Connector, EndpointStage
+from authentik.endpoints.models import EndpointStage
 from authentik.flows.api.stages import StageSerializer
 
 
@@ -14,13 +11,6 @@ class EndpointStageSerializer(StageSerializer):
 
     connector_obj = ConnectorSerializer(source="connector", read_only=True)
 
-    def validate_connector(self, connector: Connector) -> Connector:
-        conn: Connector = Connector.objects.get_subclass(pk=connector.pk)
-        controller = conn.controller(conn)
-        if Capabilities.STAGE_ENDPOINTS not in controller.capabilities():
-            raise ValidationError(_("Selected connector is not compatible with this stage."))
-        return connector
-
     class Meta:
         model = EndpointStage
         fields = StageSerializer.Meta.fields + [

authentik/endpoints/connectors/agent/controller.py

@@ -8,7 +8,7 @@ from rest_framework.fields import CharField
 
 from authentik.core.api.utils import PassiveSerializer
 from authentik.endpoints.connectors.agent.models import AgentConnector, EnrollmentToken
-from authentik.endpoints.controller import BaseController, Capabilities
+from authentik.endpoints.controller import BaseController
 from authentik.endpoints.facts import OSFamily
 
 
@@ -48,8 +48,8 @@ class AgentConnectorController(BaseController[AgentConnector]):
     def vendor_identifier() -> str:
         return "goauthentik.io/platform"
 
-    def capabilities(self) -> list[Capabilities]:
-        return [Capabilities.STAGE_ENDPOINTS]
+    def supported_enrollment_methods(self):
+        return []
 
     def generate_mdm_config(
         self, target_platform: OSFamily, request: HttpRequest, token: EnrollmentToken

authentik/endpoints/controller.py

@@ -8,15 +8,13 @@ from authentik.lib.sentry import SentryIgnoredException
 MERGED_VENDOR = "goauthentik.io/@merged"
 
 
-class Capabilities(models.TextChoices):
+class EnrollmentMethods(models.TextChoices):
     # Automatically enrolled through user action
-    ENROLL_AUTOMATIC_USER = "enroll_automatic_user"
+    AUTOMATIC_USER = "automatic_user"
     # Automatically enrolled through connector integration
-    ENROLL_AUTOMATIC_API = "enroll_automatic_api"
+    AUTOMATIC_API = "automatic_api"
     # Manually enrolled with user interaction (user scanning a QR code for example)
-    ENROLL_MANUAL_USER = "enroll_manual_user"
-    # Supported for use with Endpoints stage
-    STAGE_ENDPOINTS = "stage_endpoints"
+    MANUAL_USER = "manual_user"
 
 
 class ConnectorSyncException(SentryIgnoredException):
@@ -36,7 +34,7 @@ class BaseController[T: "Connector"]:
     def vendor_identifier() -> str:
         raise NotImplementedError
 
-    def capabilities(self) -> list[Capabilities]:
+    def supported_enrollment_methods(self) -> list[EnrollmentMethods]:
         return []
 
     def stage_view_enrollment(self) -> StageView | None:
@@ -44,6 +42,3 @@ class BaseController[T: "Connector"]:
 
     def stage_view_authentication(self) -> StageView | None:
         return None
-
-    def sync_endpoints(self):
-        raise NotImplementedError

authentik/endpoints/facts.py

@@ -63,7 +63,7 @@ class OperatingSystemSerializer(Serializer):
             "Operating System version, must always be the version number but may contain build name"
         ),
     )
-    arch = CharField(required=False)
+    arch = CharField(required=True)
 
 
 class NetworkInterfaceSerializer(Serializer):

authentik/endpoints/models.py

@@ -162,11 +162,8 @@ class Connector(ScheduledModel, SerializerModel):
 
     @property
     def schedule_specs(self) -> list[ScheduleSpec]:
-        from authentik.endpoints.controller import Capabilities
         from authentik.endpoints.tasks import endpoints_sync
 
-        if Capabilities.ENROLL_AUTOMATIC_API not in self.controller(self).capabilities():
-            return []
         return [
             ScheduleSpec(
                 actor=endpoints_sync,

authentik/endpoints/tasks.py

@@ -6,7 +6,7 @@ from django.utils.translation import gettext_lazy as _
 from dramatiq.actor import actor
 from structlog.stdlib import get_logger
 
-from authentik.endpoints.controller import Capabilities
+from authentik.endpoints.controller import EnrollmentMethods
 from authentik.endpoints.models import Connector
 
 LOGGER = get_logger()
@@ -21,7 +21,7 @@ def endpoints_sync(connector_pk: Any):
         return
     controller = connector.controller
     ctrl = controller(connector)
-    if Capabilities.ENROLL_AUTOMATIC_API not in ctrl.capabilities():
+    if EnrollmentMethods.AUTOMATIC_API not in ctrl.supported_enrollment_methods():
         return
     LOGGER.info("Syncing connector", connector=connector.name)
     ctrl.sync_endpoints()

authentik/endpoints/tests/test_api.py

@@ -1,41 +0,0 @@
-from django.urls import reverse
-from rest_framework.test import APITestCase
-
-from authentik.core.tests.utils import create_test_admin_user
-from authentik.endpoints.connectors.agent.models import AgentConnector
-from authentik.endpoints.models import StageMode
-from authentik.enterprise.endpoints.connectors.fleet.models import FleetConnector
-from authentik.lib.generators import generate_id
-
-
-class TestAPI(APITestCase):
-    def setUp(self):
-        self.user = create_test_admin_user()
-        self.client.force_login(self.user)
-
-    def test_endpoint_stage_agent(self):
-        connector = AgentConnector.objects.create(name=generate_id())
-        res = self.client.post(
-            reverse("authentik_api:stages-endpoint-list"),
-            data={
-                "name": generate_id(),
-                "connector": str(connector.pk),
-                "mode": StageMode.REQUIRED,
-            },
-        )
-        self.assertEqual(res.status_code, 201)
-
-    def test_endpoint_stage_fleet(self):
-        connector = FleetConnector.objects.create(name=generate_id())
-        res = self.client.post(
-            reverse("authentik_api:stages-endpoint-list"),
-            data={
-                "name": generate_id(),
-                "connector": str(connector.pk),
-                "mode": StageMode.REQUIRED,
-            },
-        )
-        self.assertEqual(res.status_code, 400)
-        self.assertJSONEqual(
-            res.content, {"connector": ["Selected connector is not compatible with this stage."]}
-        )

authentik/endpoints/tests/test_tasks.py

@@ -1,35 +0,0 @@
-from unittest.mock import PropertyMock, patch
-
-from rest_framework.test import APITestCase
-
-from authentik.endpoints.controller import BaseController, Capabilities
-from authentik.endpoints.models import Connector
-from authentik.endpoints.tasks import endpoints_sync
-from authentik.lib.generators import generate_id
-
-
-class TestEndpointTasks(APITestCase):
-    def test_agent_sync(self):
-        class controller(BaseController):
-            def capabilities(self):
-                return [Capabilities.ENROLL_AUTOMATIC_API]
-
-            def sync_endpoints(self):
-                pass
-
-        with patch.object(Connector, "controller", PropertyMock(return_value=controller)):
-            connector = Connector.objects.create(name=generate_id())
-            self.assertEqual(len(connector.schedule_specs), 1)
-
-            endpoints_sync.send(connector.pk).get_result(block=True)
-
-    def test_agent_no_sync(self):
-        class controller(BaseController):
-            def capabilities(self):
-                return []
-
-        with patch.object(Connector, "controller", PropertyMock(return_value=controller)):
-            connector = Connector.objects.create(name=generate_id())
-            self.assertEqual(len(connector.schedule_specs), 0)
-
-            endpoints_sync.send(connector.pk).get_result(block=True)

authentik/enterprise/endpoints/connectors/fleet/controller.py

@@ -6,7 +6,7 @@ from requests import RequestException
 from rest_framework.exceptions import ValidationError
 
 from authentik.core.models import User
-from authentik.endpoints.controller import BaseController, Capabilities, ConnectorSyncException
+from authentik.endpoints.controller import BaseController, ConnectorSyncException, EnrollmentMethods
 from authentik.endpoints.facts import (
     DeviceFacts,
     OSFamily,
@@ -43,8 +43,8 @@ class FleetController(BaseController[DBC]):
     def vendor_identifier() -> str:
         return "fleetdm.com"
 
-    def capabilities(self) -> list[Capabilities]:
-        return [Capabilities.ENROLL_AUTOMATIC_API]
+    def supported_enrollment_methods(self) -> list[EnrollmentMethods]:
+        return [EnrollmentMethods.AUTOMATIC_API]
 
     def _url(self, path: str) -> str:
         return f"{self.connector.url}{path}"

authentik/enterprise/endpoints/connectors/google_chrome/api.py

@@ -1,42 +0,0 @@
-"""GoogleChromeConnector API Views"""
-
-from django.urls import reverse
-from rest_framework.fields import SerializerMethodField
-from rest_framework.request import Request
-from rest_framework.viewsets import ModelViewSet
-
-from authentik.core.api.used_by import UsedByMixin
-from authentik.endpoints.api.connectors import ConnectorSerializer
-from authentik.enterprise.api import EnterpriseRequiredMixin
-from authentik.enterprise.endpoints.connectors.google_chrome.models import GoogleChromeConnector
-
-
-class GoogleChromeConnectorSerializer(EnterpriseRequiredMixin, ConnectorSerializer):
-    """GoogleChromeConnector Serializer"""
-
-    chrome_url = SerializerMethodField()
-
-    def get_chrome_url(self, _: GoogleChromeConnector) -> str | None:
-        """Full URL to be used in Google Workspace configuration"""
-        request: Request = self.context.get("request", None)
-        if not request:
-            return True
-        return request.build_absolute_uri(
-            reverse("authentik_endpoints_connectors_google_chrome:chrome")
-        )
-
-    class Meta:
-        model = GoogleChromeConnector
-        fields = ConnectorSerializer.Meta.fields + ["credentials", "chrome_url"]
-
-
-class GoogleChromeConnectorViewSet(UsedByMixin, ModelViewSet):
-    """GoogleChromeConnector Viewset"""
-
-    queryset = GoogleChromeConnector.objects.all()
-    serializer_class = GoogleChromeConnectorSerializer
-    filterset_fields = [
-        "name",
-    ]
-    search_fields = ["name"]
-    ordering = ["name"]

authentik/enterprise/endpoints/connectors/google_chrome/apps.py

@@ -1,13 +0,0 @@
-"""authentik Endpoint app config"""
-
-from authentik.enterprise.apps import EnterpriseConfig
-
-
-class AuthentikEndpointsConnectorGoogleChromeAppConfig(EnterpriseConfig):
-    """authentik endpoint config"""
-
-    name = "authentik.enterprise.endpoints.connectors.google_chrome"
-    label = "authentik_endpoints_connectors_google_chrome"
-    verbose_name = "authentik Enterprise.Endpoints.Connectors.Google Chrome"
-    default = True
-    mountpoint = "endpoints/google/"

authentik/enterprise/endpoints/connectors/google_chrome/controller.py

@@ -1,116 +0,0 @@
-from json import dumps, loads
-
-from django.http import HttpRequest, HttpResponseRedirect
-from django.urls import reverse
-from googleapiclient.discovery import build
-
-from authentik.endpoints.controller import BaseController, Capabilities
-from authentik.endpoints.facts import DeviceFacts, OSFamily
-from authentik.endpoints.models import Device, DeviceConnection
-from authentik.enterprise.endpoints.connectors.google_chrome.google_schema import (
-    DeviceSignals,
-    VerifyChallengeResponseResult,
-)
-from authentik.enterprise.endpoints.connectors.google_chrome.models import GoogleChromeConnector
-from authentik.policies.utils import delete_none_values
-
-# Header we get from chrome that initiates verified access
-HEADER_DEVICE_TRUST = "X-Device-Trust"
-# Header we send to the client with the challenge
-HEADER_ACCESS_CHALLENGE = "X-Verified-Access-Challenge"
-# Header we get back from the client that we verify with google
-HEADER_ACCESS_CHALLENGE_RESPONSE = "X-Verified-Access-Challenge-Response"
-# Header value for x-device-trust that initiates the flow
-DEVICE_TRUST_VERIFIED_ACCESS = "VerifiedAccess"
-
-
-class GoogleChromeController(BaseController[GoogleChromeConnector]):
-
-    def __init__(self, connector):
-        super().__init__(connector)
-        self.google_client = build(
-            "verifiedaccess",
-            "v2",
-            cache_discovery=False,
-            **connector.google_credentials(),
-        )
-
-    @staticmethod
-    def vendor_identifier() -> str:
-        return "chrome.google.com"
-
-    def capabilities(self) -> list[Capabilities]:
-        return [Capabilities.STAGE_ENDPOINTS, Capabilities.ENROLL_AUTOMATIC_USER]
-
-    def generate_challenge(self, request: HttpRequest) -> HttpResponseRedirect:
-        challenge = self.google_client.challenge().generate().execute()
-        res = HttpResponseRedirect(
-            request.build_absolute_uri(
-                reverse("authentik_endpoints_connectors_google_chrome:chrome")
-            )
-        )
-        res[HEADER_ACCESS_CHALLENGE] = dumps(challenge)
-        return res
-
-    def validate_challenge(self, response: str) -> Device:
-        response = VerifyChallengeResponseResult(
-            self.google_client.challenge().verify(body=loads(response)).execute()
-        )
-        # Remove deprecated string representation of deviceSignals
-        response.pop("deviceSignal", None)
-        signals = DeviceSignals(response["deviceSignals"])
-        device, _ = Device.objects.update_or_create(
-            identifier=signals["serialNumber"],
-            defaults={
-                "name": signals["hostname"],
-            },
-        )
-        conn, _ = DeviceConnection.objects.update_or_create(
-            device=device,
-            connector=self.connector,
-        )
-        conn.create_snapshot(self.convert_data(signals))
-        return device
-
-    def convert_os_family(self, family) -> OSFamily:
-        return {
-            "CHROME_OS": OSFamily.linux,
-            "CHROMIUM_OS": OSFamily.linux,
-            "WINDOWS": OSFamily.windows,
-            "MAC_OS_X": OSFamily.macOS,
-            "LINUX": OSFamily.linux,
-        }.get(family, OSFamily.other)
-
-    def convert_data(self, raw_signals: DeviceSignals):
-        data = {
-            "os": delete_none_values(
-                {
-                    "family": self.convert_os_family(raw_signals["operatingSystem"]),
-                    "version": raw_signals["osVersion"],
-                }
-            ),
-            "disks": [],
-            "network": delete_none_values(
-                {
-                    "hostname": raw_signals["hostname"],
-                    "interfaces": [],
-                    "firewall_enabled": raw_signals["osFirewall"] == "OS_FIREWALL_ENABLED",
-                },
-            ),
-            "hardware": delete_none_values(
-                {
-                    "model": raw_signals["deviceModel"],
-                    "manufacturer": raw_signals["deviceManufacturer"],
-                    "serial": raw_signals["serialNumber"],
-                }
-            ),
-            "vendor": {
-                self.vendor_identifier(): {
-                    "agent_version": raw_signals["browserVersion"],
-                    "raw": raw_signals,
-                },
-            },
-        }
-        facts = DeviceFacts(data=data)
-        facts.is_valid(raise_exception=True)
-        return facts.validated_data

authentik/enterprise/endpoints/connectors/google_chrome/google_schema.py

@@ -1,129 +0,0 @@
-from typing import Literal, TypedDict
-
-# Based on https://github.com/henribru/google-api-python-client-stubs/blob/master/googleapiclient-stubs/_apis/verifiedaccess/v2/schemas.pyi
-
-
-class Antivirus(TypedDict, total=False):
-    state: Literal["STATE_UNSPECIFIED", "MISSING", "DISABLED", "ENABLED"]
-
-
-class Challenge(TypedDict, total=False):
-    challenge: str
-
-
-class CrowdStrikeAgent(TypedDict, total=False):
-    agentId: str
-    customerId: str
-
-
-class DeviceSignals(TypedDict, total=False):
-    allowScreenLock: bool
-    antivirus: Antivirus
-    browserVersion: str
-    builtInDnsClientEnabled: bool
-    chromeRemoteDesktopAppBlocked: bool
-    crowdStrikeAgent: CrowdStrikeAgent
-    deviceAffiliationIds: list[str]
-    deviceEnrollmentDomain: str
-    deviceManufacturer: str
-    deviceModel: str
-    diskEncryption: Literal[
-        "DISK_ENCRYPTION_UNSPECIFIED",
-        "DISK_ENCRYPTION_UNKNOWN",
-        "DISK_ENCRYPTION_DISABLED",
-        "DISK_ENCRYPTION_ENCRYPTED",
-    ]
-    displayName: str
-    hostname: str
-    imei: list[str]
-    macAddresses: list[str]
-    meid: list[str]
-    operatingSystem: Literal[
-        "OPERATING_SYSTEM_UNSPECIFIED",
-        "CHROME_OS",
-        "CHROMIUM_OS",
-        "WINDOWS",
-        "MAC_OS_X",
-        "LINUX",
-    ]
-    osFirewall: Literal[
-        "OS_FIREWALL_UNSPECIFIED",
-        "OS_FIREWALL_UNKNOWN",
-        "OS_FIREWALL_DISABLED",
-        "OS_FIREWALL_ENABLED",
-    ]
-    osVersion: str
-    passwordProtectionWarningTrigger: Literal[
-        "PASSWORD_PROTECTION_WARNING_TRIGGER_UNSPECIFIED",
-        "POLICY_UNSET",
-        "PASSWORD_PROTECTION_OFF",
-        "PASSWORD_REUSE",
-        "PHISHING_REUSE",
-    ]
-    profileAffiliationIds: list[str]
-    profileEnrollmentDomain: str
-    realtimeUrlCheckMode: Literal[
-        "REALTIME_URL_CHECK_MODE_UNSPECIFIED",
-        "REALTIME_URL_CHECK_MODE_DISABLED",
-        "REALTIME_URL_CHECK_MODE_ENABLED_MAIN_FRAME",
-    ]
-    safeBrowsingProtectionLevel: Literal[
-        "SAFE_BROWSING_PROTECTION_LEVEL_UNSPECIFIED", "INACTIVE", "STANDARD", "ENHANCED"
-    ]
-    screenLockSecured: Literal[
-        "SCREEN_LOCK_SECURED_UNSPECIFIED",
-        "SCREEN_LOCK_SECURED_UNKNOWN",
-        "SCREEN_LOCK_SECURED_DISABLED",
-        "SCREEN_LOCK_SECURED_ENABLED",
-    ]
-    secureBootMode: Literal[
-        "SECURE_BOOT_MODE_UNSPECIFIED",
-        "SECURE_BOOT_MODE_UNKNOWN",
-        "SECURE_BOOT_MODE_DISABLED",
-        "SECURE_BOOT_MODE_ENABLED",
-    ]
-    serialNumber: str
-    siteIsolationEnabled: bool
-    systemDnsServers: list[str]
-    thirdPartyBlockingEnabled: bool
-    trigger: Literal["TRIGGER_UNSPECIFIED", "TRIGGER_BROWSER_NAVIGATION", "TRIGGER_LOGIN_SCREEN"]
-    windowsMachineDomain: str
-    windowsUserDomain: str
-
-
-class Empty(TypedDict, total=False): ...
-
-
-class VerifyChallengeResponseRequest(TypedDict, total=False):
-    challengeResponse: str
-    expectedIdentity: str
-
-
-class VerifyChallengeResponseResult(TypedDict, total=False):
-    attestedDeviceId: str
-    customerId: str
-    deviceEnrollmentId: str
-    devicePermanentId: str
-    deviceSignal: str
-    deviceSignals: DeviceSignals
-    keyTrustLevel: Literal[
-        "KEY_TRUST_LEVEL_UNSPECIFIED",
-        "CHROME_OS_VERIFIED_MODE",
-        "CHROME_OS_DEVELOPER_MODE",
-        "CHROME_BROWSER_HW_KEY",
-        "CHROME_BROWSER_OS_KEY",
-        "CHROME_BROWSER_NO_KEY",
-    ]
-    profileCustomerId: str
-    profileKeyTrustLevel: Literal[
-        "KEY_TRUST_LEVEL_UNSPECIFIED",
-        "CHROME_OS_VERIFIED_MODE",
-        "CHROME_OS_DEVELOPER_MODE",
-        "CHROME_BROWSER_HW_KEY",
-        "CHROME_BROWSER_OS_KEY",
-        "CHROME_BROWSER_NO_KEY",
-    ]
-    profilePermanentId: str
-    signedPublicKeyAndChallenge: str
-    virtualDeviceId: str
-    virtualProfileId: str

authentik/enterprise/endpoints/connectors/google_chrome/migrations/0001_initial.py

@@ -1,38 +0,0 @@
-# Generated by Django 5.2.11 on 2026-03-01 18:38
-
-import django.db.models.deletion
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    initial = True
-
-    dependencies = [
-        ("authentik_endpoints", "0004_deviceaccessgroup_attributes"),
-    ]
-
-    operations = [
-        migrations.CreateModel(
-            name="GoogleChromeConnector",
-            fields=[
-                (
-                    "connector_ptr",
-                    models.OneToOneField(
-                        auto_created=True,
-                        on_delete=django.db.models.deletion.CASCADE,
-                        parent_link=True,
-                        primary_key=True,
-                        serialize=False,
-                        to="authentik_endpoints.connector",
-                    ),
-                ),
-                ("credentials", models.JSONField()),
-            ],
-            options={
-                "verbose_name": "Google Device Trust Connector",
-                "verbose_name_plural": "Google Device Trust Connectors",
-            },
-            bases=("authentik_endpoints.connector",),
-        ),
-    ]

authentik/enterprise/endpoints/connectors/google_chrome/models.py

@@ -1,69 +0,0 @@
-"""Endpoint stage"""
-
-from typing import TYPE_CHECKING
-
-from django.db import models
-from django.templatetags.static import static
-from django.utils.translation import gettext_lazy as _
-from google.oauth2.service_account import Credentials
-from rest_framework.serializers import BaseSerializer
-
-from authentik.endpoints.models import Connector
-from authentik.flows.stage import StageView
-
-if TYPE_CHECKING:
-    from authentik.enterprise.endpoints.connectors.google_chrome.controller import (
-        GoogleChromeController,
-    )
-
-
-class GoogleChromeConnector(Connector):
-    """Verify Google Chrome Device Trust connection for the user's browser."""
-
-    credentials = models.JSONField()
-
-    def google_credentials(self):
-        return {
-            "credentials": Credentials.from_service_account_info(
-                self.credentials, scopes=["https://www.googleapis.com/auth/verifiedaccess"]
-            ),
-        }
-
-    @property
-    def icon_url(self):
-        return static("authentik/sources/google.svg")
-
-    @property
-    def serializer(self) -> type[BaseSerializer]:
-        from authentik.enterprise.endpoints.connectors.google_chrome.api import (
-            GoogleChromeConnectorSerializer,
-        )
-
-        return GoogleChromeConnectorSerializer
-
-    @property
-    def stage(self) -> type[StageView] | None:
-        from authentik.enterprise.endpoints.connectors.google_chrome.stage import (
-            GoogleChromeStageView,
-        )
-
-        return GoogleChromeStageView
-
-    @property
-    def controller(self) -> type[GoogleChromeController]:
-        from authentik.enterprise.endpoints.connectors.google_chrome.controller import (
-            GoogleChromeController,
-        )
-
-        return GoogleChromeController
-
-    @property
-    def component(self) -> str:
-        return "ak-endpoints-connector-gdtc-form"
-
-    def __str__(self) -> str:
-        return f"Google Device Trust Connector {self.name}"
-
-    class Meta:
-        verbose_name = _("Google Device Trust Connector")
-        verbose_name_plural = _("Google Device Trust Connectors")

authentik/enterprise/endpoints/connectors/google_chrome/stage.py

@@ -1,32 +0,0 @@
-from django.http import HttpResponse
-from django.urls import reverse
-from django.utils.translation import gettext as _
-
-from authentik.flows.challenge import (
-    Challenge,
-    ChallengeResponse,
-    FrameChallenge,
-    FrameChallengeResponse,
-)
-from authentik.flows.stage import ChallengeStageView
-
-
-class GoogleChromeStageView(ChallengeStageView):
-    """Endpoint stage"""
-
-    response_class = FrameChallengeResponse
-
-    def get_challenge(self, *args, **kwargs) -> Challenge:
-        return FrameChallenge(
-            data={
-                "component": "xak-flow-frame",
-                "url": self.request.build_absolute_uri(
-                    reverse("authentik_endpoints_connectors_google_chrome:chrome")
-                ),
-                "loading_overlay": True,
-                "loading_text": _("Verifying your browser..."),
-            }
-        )
-
-    def challenge_valid(self, response: ChallengeResponse) -> HttpResponse:
-        return self.executor.stage_ok()

authentik/enterprise/endpoints/connectors/google_chrome/tests/fixtures/host_macos.json

@@ -1,36 +0,0 @@
-{
-    "devicePermanentId": "6f30327d-e436-4f7a-9f89-c37a7b6bf408",
-    "keyTrustLevel": "CHROME_BROWSER_HW_KEY",
-    "virtualDeviceId": "Z5DDF07GK6",
-    "customerId": "qewrqer",
-    "deviceSignals": {
-        "deviceManufacturer": "Apple Inc.",
-        "deviceModel": "MacBookPro18,1",
-        "operatingSystem": "MAC_OS_X",
-        "osVersion": "26.2.0",
-        "displayName": "jens-mac-vm",
-        "diskEncryption": "DISK_ENCRYPTION_ENCRYPTED",
-        "serialNumber": "Z5DDF07GK6",
-        "osFirewall": "OS_FIREWALL_DISABLED",
-        "systemDnsServers": [
-            "10.120.20.250:53"
-        ],
-        "hostname": "jens-mac-vm.lab.beryju.org",
-        "macAddresses": [
-            "f4:d4:88:79:07:0e"
-        ],
-        "screenLockSecured": "SCREEN_LOCK_SECURED_ENABLED",
-        "deviceEnrollmentDomain": "beryju.org",
-        "browserVersion": "145.0.7632.76",
-        "deviceAffiliationIds": [
-            "qewrqer"
-        ],
-        "builtInDnsClientEnabled": true,
-        "chromeRemoteDesktopAppBlocked": false,
-        "safeBrowsingProtectionLevel": "STANDARD",
-        "siteIsolationEnabled": true,
-        "passwordProtectionWarningTrigger": "POLICY_UNSET",
-        "realtimeUrlCheckMode": "REALTIME_URL_CHECK_MODE_DISABLED",
-        "trigger": "TRIGGER_BROWSER_NAVIGATION"
-    }
-}

authentik/enterprise/endpoints/connectors/google_chrome/tests/test_controller.py

@@ -1,67 +0,0 @@
-from json import dumps
-from unittest.mock import MagicMock, patch
-
-from django.urls import reverse
-from rest_framework.test import APITestCase
-
-from authentik.core.tests.utils import RequestFactory
-from authentik.endpoints.facts import OSFamily
-from authentik.endpoints.models import Device
-from authentik.enterprise.endpoints.connectors.google_chrome.controller import (
-    HEADER_ACCESS_CHALLENGE,
-    GoogleChromeController,
-)
-from authentik.enterprise.endpoints.connectors.google_chrome.models import GoogleChromeConnector
-from authentik.enterprise.providers.google_workspace.clients.test_http import MockHTTP
-from authentik.lib.generators import generate_id
-from authentik.lib.tests.utils import load_fixture
-
-
-class TestGoogleChromeConnector(APITestCase):
-    def setUp(self):
-        self.connector = GoogleChromeConnector.objects.create(
-            name=generate_id(),
-            credentials={},
-        )
-        self.factory = RequestFactory()
-        self.api_key = generate_id()
-
-    def test_generate_challenge(self):
-        req = self.factory.get("/")
-        challenge = generate_id()
-        http = MockHTTP()
-        http.add_response(
-            f"https://verifiedaccess.googleapis.com/v2/challenge:generate?key={self.api_key}&alt=json",
-            {"challenge": challenge},
-            method="POST",
-        )
-        with patch(
-            "authentik.enterprise.endpoints.connectors.google_chrome.models.GoogleChromeConnector.google_credentials",
-            MagicMock(return_value={"developerKey": self.api_key, "http": http}),
-        ):
-            controller = GoogleChromeController(self.connector)
-            res = controller.generate_challenge(req)
-            self.assertEqual(
-                res["Location"],
-                req.build_absolute_uri(
-                    reverse("authentik_endpoints_connectors_google_chrome:chrome")
-                ),
-            )
-            self.assertEqual(res.headers[HEADER_ACCESS_CHALLENGE], dumps({"challenge": challenge}))
-
-    def test_validate_challenge(self):
-        http = MockHTTP()
-        http.add_response(
-            f"https://verifiedaccess.googleapis.com/v2/challenge:verify?key={self.api_key}&alt=json",
-            load_fixture("fixtures/host_macos.json"),
-            method="POST",
-        )
-        with patch(
-            "authentik.enterprise.endpoints.connectors.google_chrome.models.GoogleChromeConnector.google_credentials",
-            MagicMock(return_value={"developerKey": self.api_key, "http": http}),
-        ):
-            controller = GoogleChromeController(self.connector)
-            controller.validate_challenge(dumps("{}"))
-        device = Device.objects.get(identifier="Z5DDF07GK6")
-        self.assertIsNotNone(device)
-        self.assertEqual(device.cached_facts.data["os"]["family"], OSFamily.macOS)

authentik/enterprise/endpoints/connectors/google_chrome/tests/test_view.py

@@ -1,91 +0,0 @@
-from json import dumps
-from unittest.mock import MagicMock, patch
-
-from django.urls import reverse
-
-from authentik.core.tests.utils import RequestFactory, create_test_flow
-from authentik.endpoints.models import Device, EndpointStage
-from authentik.enterprise.endpoints.connectors.google_chrome.models import GoogleChromeConnector
-from authentik.enterprise.providers.google_workspace.clients.test_http import MockHTTP
-from authentik.flows.models import FlowStageBinding
-from authentik.flows.planner import PLAN_CONTEXT_DEVICE
-from authentik.flows.tests import FlowTestCase
-from authentik.lib.generators import generate_id
-from authentik.lib.tests.utils import load_fixture
-
-
-class TestChromeDTCView(FlowTestCase):
-    def setUp(self):
-        self.flow = create_test_flow()
-        self.connector = GoogleChromeConnector.objects.create(
-            name=generate_id(),
-            credentials={},
-        )
-        self.factory = RequestFactory()
-        self.api_key = generate_id()
-        self.stage = EndpointStage.objects.create(
-            name=generate_id(),
-            connector=self.connector,
-        )
-        FlowStageBinding.objects.create(
-            target=self.flow,
-            stage=self.stage,
-            order=0,
-        )
-
-    def test_dtc_generate_verify(self):
-        res = self.client.get(
-            reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug}),
-        )
-        self.assertStageResponse(
-            res,
-            self.flow,
-            component="xak-flow-frame",
-            url="http://testserver/endpoints/google/chrome/",
-        )
-
-        challenge = generate_id()
-        http = MockHTTP()
-        http.add_response(
-            f"https://verifiedaccess.googleapis.com/v2/challenge:generate?key={self.api_key}&alt=json",
-            {"challenge": challenge},
-            method="POST",
-        )
-        http.add_response(
-            f"https://verifiedaccess.googleapis.com/v2/challenge:verify?key={self.api_key}&alt=json",
-            load_fixture("fixtures/host_macos.json"),
-            method="POST",
-        )
-        with patch(
-            "authentik.enterprise.endpoints.connectors.google_chrome.models.GoogleChromeConnector.google_credentials",
-            MagicMock(return_value={"developerKey": self.api_key, "http": http}),
-        ):
-            # Generate challenge
-            res = self.client.get(
-                reverse("authentik_endpoints_connectors_google_chrome:chrome"),
-                HTTP_X_DEVICE_TRUST="VerifiedAccess",
-            )
-            self.assertEqual(res.status_code, 302)
-            self.assertEqual(
-                res.headers["X-Verified-Access-Challenge"],
-                dumps({"challenge": challenge}),
-            )
-
-            # Validate challenge
-            res = self.client.get(
-                reverse("authentik_endpoints_connectors_google_chrome:chrome"),
-                HTTP_X_VERIFIED_ACCESS_CHALLENGE_RESPONSE=dumps({}),
-            )
-            self.assertEqual(res.status_code, 200)
-        device = Device.objects.get(identifier="Z5DDF07GK6")
-        self.assertIsNotNone(device)
-
-        # Continue flow
-        with self.assertFlowFinishes() as plan:
-            res = self.client.post(
-                reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug}),
-            )
-            self.assertStageRedirects(res, "/")
-        plan = plan()
-        plan_device = plan.context[PLAN_CONTEXT_DEVICE]
-        self.assertEqual(device.pk, plan_device.pk)

authentik/enterprise/endpoints/connectors/google_chrome/urls.py

@@ -1,16 +0,0 @@
-"""API URLs"""
-
-from django.urls import path
-
-from authentik.enterprise.endpoints.connectors.google_chrome.api import GoogleChromeConnectorViewSet
-from authentik.enterprise.endpoints.connectors.google_chrome.views.dtc import (
-    GoogleChromeDeviceTrustConnector,
-)
-
-urlpatterns = [
-    path("chrome/", GoogleChromeDeviceTrustConnector.as_view(), name="chrome"),
-]
-
-api_urlpatterns = [
-    ("endpoints/google_chrome/connectors", GoogleChromeConnectorViewSet),
-]

authentik/enterprise/endpoints/connectors/google_chrome/views/dtc.py

@@ -1,46 +0,0 @@
-from typing import Any
-
-from django.http import HttpRequest, HttpResponse, HttpResponseBadRequest
-from django.template.response import TemplateResponse
-from django.utils.decorators import method_decorator
-from django.views import View
-from django.views.decorators.clickjacking import xframe_options_sameorigin
-
-from authentik.endpoints.models import EndpointStage
-from authentik.enterprise.endpoints.connectors.google_chrome.controller import (
-    HEADER_ACCESS_CHALLENGE_RESPONSE,
-    HEADER_DEVICE_TRUST,
-    GoogleChromeController,
-)
-from authentik.enterprise.endpoints.connectors.google_chrome.models import GoogleChromeConnector
-from authentik.flows.planner import PLAN_CONTEXT_DEVICE, FlowPlan
-from authentik.flows.views.executor import SESSION_KEY_PLAN
-
-
-@method_decorator(xframe_options_sameorigin, name="dispatch")
-class GoogleChromeDeviceTrustConnector(View):
-    """Google Chrome Device-trust connector based endpoint authenticator"""
-
-    def get_flow_plan(self) -> FlowPlan:
-        flow_plan: FlowPlan = self.request.session[SESSION_KEY_PLAN]
-        return flow_plan
-
-    def setup(self, request: HttpRequest, *args: Any, **kwargs: Any) -> None:
-        super().setup(request, *args, **kwargs)
-        stage: EndpointStage = self.get_flow_plan().bindings[0].stage
-        connector = GoogleChromeConnector.objects.filter(pk=stage.connector_id).first()
-        if not connector:
-            return HttpResponseBadRequest()
-        self.controller: GoogleChromeController = connector.controller(connector)
-
-    def get(self, request: HttpRequest) -> HttpResponse:
-        x_device_trust = request.headers.get(HEADER_DEVICE_TRUST)
-        x_access_challenge_response = request.headers.get(HEADER_ACCESS_CHALLENGE_RESPONSE)
-        if x_device_trust == "VerifiedAccess" and x_access_challenge_response is None:
-            return self.controller.generate_challenge(request)
-        if x_access_challenge_response:
-            device = self.controller.validate_challenge(x_access_challenge_response)
-            flow_plan = self.get_flow_plan()
-            flow_plan.context[PLAN_CONTEXT_DEVICE] = device
-            self.request.session[SESSION_KEY_PLAN] = flow_plan
-        return TemplateResponse(request, "flows/frame-submit.html")

authentik/enterprise/providers/google_workspace/tests/test_groups.py

@@ -331,7 +331,7 @@ class GoogleWorkspaceGroupTests(TestCase):
                 ).exists()
             )
             self.assertFalse(Event.objects.filter(action=EventAction.SYSTEM_EXCEPTION).exists())
-            self.assertEqual(len(http.requests()), 7)
+            self.assertEqual(len(http.requests()), 5)
 
     def test_sync_discover_multiple(self):
         """Test group discovery"""
@@ -372,7 +372,7 @@ class GoogleWorkspaceGroupTests(TestCase):
                 ).exists()
             )
             self.assertFalse(Event.objects.filter(action=EventAction.SYSTEM_EXCEPTION).exists())
-            self.assertEqual(len(http.requests()), 7)
+            self.assertEqual(len(http.requests()), 5)
             # Change response to trigger update
             http.add_response(
                 f"https://admin.googleapis.com/admin/directory/v1/groups?customer=my_customer&maxResults=500&orderBy=email&key={self.api_key}&alt=json",

authentik/enterprise/providers/google_workspace/tests/test_users.py

@@ -309,7 +309,7 @@ class GoogleWorkspaceUserTests(TestCase):
                 ).exists()
             )
             self.assertFalse(Event.objects.filter(action=EventAction.SYSTEM_EXCEPTION).exists())
-            self.assertEqual(len(http.requests()), 7)
+            self.assertEqual(len(http.requests()), 5)
 
     def test_sync_discover_multiple(self):
         """Test user discovery, running multiple times"""
@@ -352,7 +352,7 @@ class GoogleWorkspaceUserTests(TestCase):
                 ).exists()
             )
             self.assertFalse(Event.objects.filter(action=EventAction.SYSTEM_EXCEPTION).exists())
-            self.assertEqual(len(http.requests()), 7)
+            self.assertEqual(len(http.requests()), 5)
             # Change response, which will trigger a discovery update
             http.add_response(
                 f"https://admin.googleapis.com/admin/directory/v1/users?customer=my_customer&maxResults=500&orderBy=email&key={self.api_key}&alt=json",

authentik/enterprise/settings.py

@@ -4,7 +4,6 @@ TENANT_APPS = [
     "authentik.enterprise.audit",
     "authentik.enterprise.endpoints.connectors.agent",
     "authentik.enterprise.endpoints.connectors.fleet",
-    "authentik.enterprise.endpoints.connectors.google_chrome",
     "authentik.enterprise.lifecycle",
     "authentik.enterprise.policies.unique_password",
     "authentik.enterprise.providers.google_workspace",

authentik/enterprise/stages/authenticator_endpoint_gdtc/views/dtc.py

@@ -9,11 +9,6 @@ from django.views import View
 from django.views.decorators.clickjacking import xframe_options_sameorigin
 from googleapiclient.discovery import build
 
-from authentik.enterprise.endpoints.connectors.google_chrome.controller import (
-    HEADER_ACCESS_CHALLENGE,
-    HEADER_ACCESS_CHALLENGE_RESPONSE,
-    HEADER_DEVICE_TRUST,
-)
 from authentik.enterprise.stages.authenticator_endpoint_gdtc.models import (
     AuthenticatorEndpointGDTCStage,
     EndpointDevice,
@@ -24,6 +19,15 @@ from authentik.flows.views.executor import SESSION_KEY_PLAN
 from authentik.stages.password.stage import PLAN_CONTEXT_METHOD, PLAN_CONTEXT_METHOD_ARGS
 from authentik.stages.user_login.stage import PLAN_CONTEXT_METHOD_ARGS_KNOWN_DEVICE
 
+# Header we get from chrome that initiates verified access
+HEADER_DEVICE_TRUST = "X-Device-Trust"
+# Header we send to the client with the challenge
+HEADER_ACCESS_CHALLENGE = "X-Verified-Access-Challenge"
+# Header we get back from the client that we verify with google
+HEADER_ACCESS_CHALLENGE_RESPONSE = "X-Verified-Access-Challenge-Response"
+# Header value for x-device-trust that initiates the flow
+DEVICE_TRUST_VERIFIED_ACCESS = "VerifiedAccess"
+
 PLAN_CONTEXT_METHOD_ARGS_ENDPOINTS = "endpoints"
 
 
@@ -90,4 +94,4 @@ class GoogleChromeDeviceTrustConnector(View):
                 PLAN_CONTEXT_METHOD_ARGS_KNOWN_DEVICE, True
             )
             request.session[SESSION_KEY_PLAN] = flow_plan
-        return TemplateResponse(request, "flows/frame-submit.html")
+        return TemplateResponse(request, "stages/authenticator_endpoint/google_chrome_dtc.html")

authentik/events/api/notification_transports.py

@@ -63,7 +63,6 @@ class NotificationTransportSerializer(ModelSerializer):
             "mode",
             "mode_verbose",
             "webhook_url",
-            "webhook_ca",
             "webhook_mapping_body",
             "webhook_mapping_headers",
             "email_subject_prefix",

authentik/events/migrations/0017_notificationtransport_webhook_ca.py

@@ -1,26 +0,0 @@
-# Generated by Django 5.2.12 on 2026-03-10 10:40
-
-import django.db.models.deletion
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("authentik_crypto", "0006_certificatekeypair_cert_expiry_and_more"),
-        ("authentik_events", "0016_alter_event_action"),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name="notificationtransport",
-            name="webhook_ca",
-            field=models.ForeignKey(
-                default=None,
-                help_text="When set, the selected ceritifcate is used to validate the certificate of the webhook server.",
-                null=True,
-                on_delete=django.db.models.deletion.SET_DEFAULT,
-                to="authentik_crypto.certificatekeypair",
-            ),
-        ),
-    ]

authentik/events/models.py

@@ -28,7 +28,6 @@ from authentik.core.middleware import (
     SESSION_KEY_IMPERSONATE_USER,
 )
 from authentik.core.models import ExpiringModel, Group, PropertyMapping, User
-from authentik.crypto.models import CertificateKeyPair
 from authentik.events.context_processors.base import get_context_processors
 from authentik.events.utils import (
     cleanse_dict,
@@ -42,7 +41,6 @@ from authentik.lib.sentry import SentryIgnoredException
 from authentik.lib.utils.errors import exception_to_dict
 from authentik.lib.utils.http import get_http_session
 from authentik.lib.utils.time import timedelta_from_string
-from authentik.outposts.docker_tls import DockerInlineTLS
 from authentik.policies.models import PolicyBindingModel
 from authentik.root.middleware import ClientIPMiddleware
 from authentik.root.ws.consumer import build_user_group
@@ -328,16 +326,6 @@ class NotificationTransport(TasksModel, SerializerModel):
     email_template = models.TextField(default=EmailTemplates.EVENT_NOTIFICATION)
 
     webhook_url = models.TextField(blank=True, validators=[DomainlessURLValidator()])
-    webhook_ca = models.ForeignKey(
-        CertificateKeyPair,
-        null=True,
-        default=None,
-        on_delete=models.SET_DEFAULT,
-        help_text=_(
-            "When set, the selected ceritifcate is used to "
-            "validate the certificate of the webhook server."
-        ),
-    )
     webhook_mapping_body = models.ForeignKey(
         "NotificationWebhookMapping",
         on_delete=models.SET_DEFAULT,
@@ -421,29 +409,21 @@ class NotificationTransport(TasksModel, SerializerModel):
                     notification=notification,
                 )
             )
-
-        def send(**kwargs):
-            try:
-                response = get_http_session().post(
-                    self.webhook_url,
-                    json=default_body,
-                    headers=headers,
-                    **kwargs,
-                )
-                response.raise_for_status()
-            except RequestException as exc:
-                raise NotificationTransportError(
-                    exc.response.text if exc.response else str(exc)
-                ) from exc
-            return [
-                response.status_code,
-                response.text,
-            ]
-
-        if self.webhook_ca:
-            with DockerInlineTLS(self.webhook_ca, authentication_kp=None) as tls:
-                return send(verify=tls.ca_cert)
-        return send()
+        try:
+            response = get_http_session().post(
+                self.webhook_url,
+                json=default_body,
+                headers=headers,
+            )
+            response.raise_for_status()
+        except RequestException as exc:
+            raise NotificationTransportError(
+                exc.response.text if exc.response else str(exc)
+            ) from exc
+        return [
+            response.status_code,
+            response.text,
+        ]
 
     def send_webhook_slack(self, notification: Notification) -> list[str]:
         """Send notification to slack or slack-compatible endpoints"""

authentik/events/tests/test_transports.py

@@ -10,7 +10,6 @@ from requests_mock import Mocker
 
 from authentik import authentik_full_version
 from authentik.core.tests.utils import create_test_admin_user
-from authentik.crypto.models import CertificateKeyPair
 from authentik.events.api.notification_transports import NotificationTransportSerializer
 from authentik.events.models import (
     Event,
@@ -62,37 +61,6 @@ class TestEventTransports(TestCase):
                 },
             )
 
-    def test_transport_webhook_ca_invalid_unset(self):
-        """Test webhook transport"""
-        transport: NotificationTransport = NotificationTransport.objects.create(
-            name=generate_id(),
-            mode=TransportMode.WEBHOOK,
-            webhook_url="https://localhost:1234/test",
-        )
-        with Mocker() as mocker:
-            mocker.post("https://localhost:1234/test")
-            transport.send(self.notification)
-            self.assertEqual(mocker.call_count, 1)
-            self.assertTrue(mocker.request_history[0].verify)
-
-    def test_transport_webhook_ca(self):
-        """Test webhook transport"""
-        kp = CertificateKeyPair.objects.create(
-            name=generate_id(),
-            certificate_data="foo",
-        )
-        transport: NotificationTransport = NotificationTransport.objects.create(
-            name=generate_id(),
-            mode=TransportMode.WEBHOOK,
-            webhook_url="https://localhost:1234/test",
-            webhook_ca=kp,
-        )
-        with Mocker() as mocker:
-            mocker.post("https://localhost:1234/test")
-            transport.send(self.notification)
-            self.assertEqual(mocker.call_count, 1)
-            self.assertIsNotNone(mocker.request_history[0].verify)
-
     def test_transport_webhook_mapping(self):
         """Test webhook transport with custom mapping"""
         mapping_body = NotificationWebhookMapping.objects.create(

authentik/flows/apps.py

@@ -29,12 +29,6 @@ class RefreshOtherFlowsAfterAuthentication(Flag[bool], key="flows_refresh_others
     visibility = "public"
 
 
-class ContinuousLogin(Flag[bool], key="flows_continuous_login"):
-
-    default = False
-    visibility = "public"
-
-
 class AuthentikFlowsConfig(ManagedAppConfig):
     """authentik flows app config"""
 

authentik/flows/templates/if/flow.html

@@ -27,10 +27,8 @@
         "layout": "{{ flow.layout }}",
     };
 </script>
-{% endblock %}
 
-{% block interface_stylesheet %}
-<link rel="stylesheet" type="text/css" href="{% versioned_script 'dist/styles/flow-%v.css' %}" />
+<link rel="stylesheet" type="text/css" href="{% versioned_script 'dist/styles/static-%v.css' %}" />
 {% endblock %}
 
 {% block head %}

authentik/lib/config.py

@@ -342,10 +342,10 @@ def django_db_config(config: ConfigLoader | None = None) -> dict:
         "default": {
             "ENGINE": "psqlextra.backend",
             "HOST": config.get("postgresql.host"),
-            "PORT": config.get("postgresql.port"),
+            "NAME": config.get("postgresql.name"),
             "USER": config.get("postgresql.user"),
             "PASSWORD": config.get("postgresql.password"),
-            "NAME": config.get("postgresql.name"),
+            "PORT": config.get("postgresql.port"),
             "OPTIONS": {
                 "sslmode": config.get("postgresql.sslmode"),
                 "sslrootcert": config.get("postgresql.sslrootcert"),
@@ -423,5 +423,4 @@ if __name__ == "__main__":
     if len(argv) < 2:  # noqa: PLR2004
         print(dumps(CONFIG.raw, indent=4, cls=AttrEncoder))
     else:
-        for arg in argv[1:]:
-            print(CONFIG.get(arg))
+        print(CONFIG.get(argv[-1]))

authentik/lib/default.yml

@@ -17,13 +17,11 @@
 
 postgresql:
   host: localhost
-  port: 5432
-  user: authentik
-  password: "env://POSTGRES_PASSWORD"
   name: authentik
+  user: authentik
+  port: 5432
+  password: "env://POSTGRES_PASSWORD"
   sslmode: disable
-  conn_max_age: 60
-  conn_health_checks: false
   use_pool: False
   test:
     name: test_authentik
@@ -34,18 +32,12 @@ postgresql:
   #   host: replica1.example.com
 
 listen:
-  http:
-    - "[::]:9000"
-  https:
-    - "[::]:9443"
-  ldap:
-    - "[::]:3389"
-  ldaps:
-    - "[::]:6636"
-  radius:
-    - "[::]:1812"
-  metrics:
-    - "[::]:9300"
+  http: 0.0.0.0:9000
+  https: 0.0.0.0:9443
+  ldap: 0.0.0.0:3389
+  ldaps: 0.0.0.0:6636
+  radius: 0.0.0.0:1812
+  metrics: 0.0.0.0:9300
   debug: 0.0.0.0:9900
   debug_py: 0.0.0.0:9901
   trusted_proxy_cidrs:
@@ -74,19 +66,6 @@ log_level: info
 log:
   http_headers:
     - User-Agent
-  rust_log:
-    "console_subscriber": info
-    "h2": info
-    "hyper_util": warn
-    "mio": info
-    "notify": info
-    "reqwest": info
-    "runtime": info
-    "rustls": info
-    "sqlx": info
-    "sqlx_postgres": info
-    "tokio": info
-    "tungstenite": info
 
 sessions:
   unauthenticated_age: days=1
@@ -158,7 +137,8 @@ tenants:
 blueprints_dir: /blueprints
 
 web:
-  workers: 2
+  # No default here as it's set dynamically
+  # workers: 2
   threads: 4
   path: /
   timeout_http_read_header: 5s
@@ -203,5 +183,3 @@ storage:
   #   backend: file # or s3
   #   file: {}
   #   s3: {}
-
-skip_migrations: false

authentik/lib/logging.py

@@ -41,7 +41,7 @@ def structlog_configure():
             add_process_id,
             add_tenant_information,
             structlog.stdlib.PositionalArgumentsFormatter(),
-            structlog.processors.TimeStamper(fmt="iso", utc=True),
+            structlog.processors.TimeStamper(fmt="iso", utc=False),
             structlog.processors.StackInfoRenderer(),
             structlog.processors.ExceptionRenderer(
                 structlog.tracebacks.ExceptionDictTransformer(show_locals=CONFIG.get_bool("debug"))

authentik/lib/sync/outgoing/tasks.py

@@ -103,7 +103,6 @@ class SyncTasks:
                 )
                 users_tasks.run().wait(timeout=provider.get_object_sync_time_limit_ms(User))
                 group_tasks.run().wait(timeout=provider.get_object_sync_time_limit_ms(Group))
-                self._sync_cleanup(provider, task)
             except TransientSyncException as exc:
                 self.logger.warning("transient sync exception", exc=exc)
                 task.warning("Sync encountered a transient exception. Retrying", exc=exc)
@@ -112,35 +111,6 @@ class SyncTasks:
                 task.error(exc)
                 return
 
-    def _sync_cleanup(self, provider: OutgoingSyncProvider, task: Task):
-        """Delete remote objects that are no longer in scope"""
-        for object_type in (User, Group):
-            try:
-                client = provider.client_for_model(object_type)
-            except TransientSyncException:
-                continue
-            in_scope_pks = set(provider.get_object_qs(object_type).values_list("pk", flat=True))
-            stale = client.connection_type.objects.filter(provider=provider).exclude(
-                **{f"{client.connection_type_query}__pk__in": in_scope_pks}
-            )
-            for connection in stale:
-                try:
-                    client.delete(connection.scim_id)
-                    task.info(
-                        f"Deleted out-of-scope {object_type._meta.verbose_name}",
-                        scim_id=connection.scim_id,
-                    )
-                except NotFoundSyncException:
-                    pass
-                except TransientSyncException as exc:
-                    self.logger.warning("transient error during cleanup", exc=exc)
-                    self.logger.warning(
-                        "Cleanup encountered a transient exception. Retrying", exc=exc
-                    )
-                    raise Retry() from exc
-                except DryRunRejected as exc:
-                    self.logger.info("Rejected dry-run cleanup event", exc=exc)
-
     def sync_objects(
         self,
         object_type: str,

authentik/outposts/docker_tls.py

@@ -27,12 +27,6 @@ class DockerInlineTLS:
         self.authentication_kp = authentication_kp
         self._paths = []
 
-    def __enter__(self):
-        return self.write()
-
-    def __exit__(self, exc_type, exc, tb):
-        self.cleanup()
-
     def write_file(self, name: str, contents: str) -> str:
         """Wrapper for mkstemp that uses fdopen"""
         path = Path(gettempdir(), name)

authentik/outposts/signals.py

@@ -163,5 +163,4 @@ def outpost_pre_delete_cleanup(sender, instance: Outpost, **_):
 @receiver(pre_delete, sender=AuthenticatedSession)
 def outpost_logout_revoke(sender: type[AuthenticatedSession], instance: AuthenticatedSession, **_):
     """Catch logout by expiring sessions being deleted"""
-    if Outpost.objects.exists():
-        outpost_session_end.send(instance.session.session_key)
+    outpost_session_end.send(instance.session.session_key)

authentik/outposts/tasks.py

@@ -7,6 +7,7 @@ from socket import gethostname
 from typing import Any
 from urllib.parse import urlparse
 
+from asgiref.sync import async_to_sync
 from channels.layers import get_channel_layer
 from django.core.cache import cache
 from django.utils.translation import gettext_lazy as _
@@ -158,7 +159,7 @@ def outpost_send_update(pk: Any):
     layer = get_channel_layer()
     group = build_outpost_group(outpost.pk)
     LOGGER.debug("sending update", channel=group, outpost=outpost)
-    layer.group_send_blocking(group, {"type": "event.update"})
+    async_to_sync(layer.group_send)(group, {"type": "event.update"})
 
 
 @actor(description=_("Checks the local environment and create Service connections."))
@@ -209,7 +210,7 @@ def outpost_session_end(session_id: str):
     for outpost in Outpost.objects.all():
         LOGGER.info("Sending session end signal to outpost", outpost=outpost)
         group = build_outpost_group(outpost.pk)
-        layer.group_send_blocking(
+        async_to_sync(layer.group_send)(
             group,
             {
                 "type": "event.session.end",

authentik/policies/apps.py

@@ -7,6 +7,7 @@ For example: The 'dummy' policy is available at `authentik.policies.dummy`.
 from prometheus_client import Gauge, Histogram
 
 from authentik.blueprints.apps import ManagedAppConfig
+from authentik.tenants.flags import Flag
 
 GAUGE_POLICIES_CACHED = Gauge(
     "authentik_policies_cached",
@@ -31,6 +32,12 @@ HIST_POLICIES_EXECUTION_TIME = Histogram(
 )
 
 
+class BufferedPolicyAccessViewFlag(Flag[bool], key="policies_buffered_access_view"):
+
+    default = False
+    visibility = "public"
+
+
 class AuthentikPoliciesConfig(ManagedAppConfig):
     """authentik policies app config"""
 

authentik/policies/tests/test_views.py

@@ -1,19 +1,29 @@
 from django.http import Http404, HttpResponse
 from django.test import TestCase
+from django.urls import reverse
 
 from authentik.blueprints.tests import apply_blueprint
 from authentik.core.models import Application, Group, Provider
 from authentik.core.tests.utils import (
     RequestFactory,
     create_test_brand,
+    create_test_flow,
     create_test_user,
 )
 from authentik.flows.models import Flow, FlowDesignation
+from authentik.flows.planner import FlowPlan
+from authentik.flows.views.executor import SESSION_KEY_PLAN
 from authentik.lib.generators import generate_id
+from authentik.policies.apps import BufferedPolicyAccessViewFlag
 from authentik.policies.models import PolicyBinding
 from authentik.policies.views import (
+    QS_BUFFER_ID,
+    SESSION_KEY_BUFFER,
+    BufferedPolicyAccessView,
+    BufferView,
     PolicyAccessView,
 )
+from authentik.tenants.flags import patch_flag
 
 
 class TestPolicyViews(TestCase):
@@ -114,3 +124,71 @@ class TestPolicyViews(TestCase):
         res = TestView.as_view()(req)
         self.assertEqual(res.status_code, 302)
         self.assertEqual(res.url, "/if/flow/default-authentication-flow/?next=%2F")
+
+    @patch_flag(BufferedPolicyAccessViewFlag, True)
+    def test_pav_buffer(self):
+        """Test simple policy access view"""
+        provider = Provider.objects.create(
+            name=generate_id(),
+        )
+        app = Application.objects.create(name=generate_id(), slug=generate_id(), provider=provider)
+        flow = create_test_flow(FlowDesignation.AUTHENTICATION)
+
+        class TestView(BufferedPolicyAccessView):
+            def resolve_provider_application(self):
+                self.provider = provider
+                self.application = app
+
+            def get(self, *args, **kwargs):
+                return HttpResponse("foo")
+
+        req = self.factory.get("/")
+        req.session[SESSION_KEY_PLAN] = FlowPlan(flow.pk)
+        req.session.save()
+        res = TestView.as_view()(req)
+        self.assertEqual(res.status_code, 302)
+        self.assertTrue(res.url.startswith(reverse("authentik_policies:buffer")))
+
+    @patch_flag(BufferedPolicyAccessViewFlag, True)
+    @apply_blueprint("default/flow-default-authentication-flow.yaml")
+    def test_pav_buffer_skip(self):
+        """Test simple policy access view (skip buffer)"""
+        provider = Provider.objects.create(
+            name=generate_id(),
+        )
+        app = Application.objects.create(name=generate_id(), slug=generate_id(), provider=provider)
+        flow = Flow.objects.get(slug="default-authentication-flow")
+
+        class TestView(BufferedPolicyAccessView):
+            def resolve_provider_application(self):
+                self.provider = provider
+                self.application = app
+
+            def get(self, *args, **kwargs):
+                return HttpResponse("foo")
+
+        req = self.factory.get("/?skip_buffer=true")
+        req.brand = create_test_brand(flow_authentication=flow)
+        req.session[SESSION_KEY_PLAN] = FlowPlan(flow.pk)
+        req.session.save()
+        res = TestView.as_view()(req)
+        self.assertEqual(res.status_code, 302)
+        self.assertTrue(
+            res.url.startswith(reverse("authentik_core:if-flow", kwargs={"flow_slug": flow.slug}))
+        )
+
+    def test_buffer(self):
+        """Test buffer view"""
+        uid = generate_id()
+        req = self.factory.get(f"/?{QS_BUFFER_ID}={uid}")
+        ts = generate_id()
+        req.session[SESSION_KEY_BUFFER % uid] = {
+            "method": "get",
+            "body": {},
+            "url": f"/{ts}",
+        }
+        req.session.save()
+
+        res = BufferView.as_view()(req)
+        self.assertEqual(res.status_code, 200)
+        self.assertIn(ts, res.render().content.decode())

authentik/policies/views.py

@@ -1,10 +1,12 @@
 """authentik access helper classes"""
 
 from typing import Any
+from uuid import uuid4
 
 from django.contrib import messages
 from django.contrib.auth.mixins import AccessMixin
 from django.http import Http404, HttpRequest, HttpResponse, QueryDict
+from django.shortcuts import redirect
 from django.urls import reverse
 from django.utils.http import urlencode
 from django.utils.translation import gettext as _
@@ -17,13 +19,16 @@ from authentik.flows.models import Flow, FlowDesignation
 from authentik.flows.planner import (
     PLAN_CONTEXT_APPLICATION,
     PLAN_CONTEXT_POST,
+    FlowPlan,
     FlowPlanner,
 )
 from authentik.flows.views.executor import (
+    SESSION_KEY_PLAN,
     SESSION_KEY_POST,
     ToDefaultFlow,
 )
 from authentik.lib.sentry import SentryIgnoredException
+from authentik.policies.apps import BufferedPolicyAccessViewFlag
 from authentik.policies.denied import AccessDeniedResponse
 from authentik.policies.engine import PolicyEngine
 from authentik.policies.models import PolicyBindingModel
@@ -189,3 +194,39 @@ class BufferView(TemplateView):
         kwargs["check_auth_url"] = reverse("authentik_api:user-me")
         kwargs["continue_url"] = url_with_qs(buffer["url"], **{QS_BUFFER_ID: buf_id})
         return super().get_context_data(**kwargs)
+
+
+class BufferedPolicyAccessView(PolicyAccessView):
+    """PolicyAccessView which buffers access requests in case the user is not logged in"""
+
+    def handle_no_permission(self):
+        plan: FlowPlan | None = self.request.session.get(SESSION_KEY_PLAN)
+        if plan:
+            flow = Flow.objects.filter(pk=plan.flow_pk).first()
+            if not flow or flow.designation != FlowDesignation.AUTHENTICATION:
+                LOGGER.debug("Not buffering request, no flow or flow not for authentication")
+                return super().handle_no_permission()
+        if not plan:
+            LOGGER.debug("Not buffering request, no flow plan active")
+            return super().handle_no_permission()
+        if not BufferedPolicyAccessViewFlag.get():
+            return super().handle_no_permission()
+        if self.request.GET.get(QS_SKIP_BUFFER):
+            LOGGER.debug("Not buffering request, explicit skip")
+            return super().handle_no_permission()
+        buffer_id = str(uuid4())
+        LOGGER.debug("Buffering access request", bf_id=buffer_id)
+        self.request.session[SESSION_KEY_BUFFER % buffer_id] = {
+            "body": self.request.POST,
+            "url": self.request.build_absolute_uri(self.request.get_full_path()),
+            "method": self.request.method.lower(),
+        }
+        return redirect(
+            url_with_qs(reverse("authentik_policies:buffer"), **{QS_BUFFER_ID: buffer_id})
+        )
+
+    def dispatch(self, request, *args, **kwargs):
+        response = super().dispatch(request, *args, **kwargs)
+        if QS_BUFFER_ID in self.request.GET:
+            self.request.session.pop(SESSION_KEY_BUFFER % self.request.GET[QS_BUFFER_ID], None)
+        return response

authentik/providers/oauth2/tests/test_device_backchannel.py

@@ -2,7 +2,6 @@
 
 from base64 import b64encode
 from json import loads
-from urllib.parse import quote
 
 from django.urls import reverse
 
@@ -97,16 +96,3 @@ class TesOAuth2DeviceBackchannel(OAuthTestCase):
         self.assertEqual(res.status_code, 200)
         body = loads(res.content.decode())
         self.assertEqual(body["expires_in"], 60)
-
-    def test_backchannel_client_id_via_auth_header_urlencoded(self):
-        """Test URL-encoded client IDs in Basic auth"""
-        self.provider.client_id = "test/client+id"
-        self.provider.save()
-        creds = b64encode(f"{quote(self.provider.client_id, safe='')}:".encode()).decode()
-        res = self.client.post(
-            reverse("authentik_providers_oauth2:device"),
-            HTTP_AUTHORIZATION=f"Basic {creds}",
-        )
-        self.assertEqual(res.status_code, 200)
-        body = loads(res.content.decode())
-        self.assertEqual(body["expires_in"], 60)

authentik/providers/oauth2/tests/test_token.py

@@ -2,7 +2,6 @@
 
 from base64 import b64encode
 from json import dumps
-from urllib.parse import quote
 
 from django.test import RequestFactory
 from django.urls import reverse
@@ -29,7 +28,6 @@ from authentik.providers.oauth2.models import (
     ScopeMapping,
 )
 from authentik.providers.oauth2.tests.utils import OAuthTestCase
-from authentik.providers.oauth2.utils import extract_client_auth
 from authentik.providers.oauth2.views.token import TokenParams
 
 
@@ -117,20 +115,6 @@ class TestToken(OAuthTestCase):
         params = TokenParams.parse(request, provider, provider.client_id, provider.client_secret)
         self.assertEqual(params.provider, provider)
 
-    def test_extract_client_auth_basic_auth_percent_decodes(self):
-        """test percent-decoding of client credentials in Basic auth"""
-        header = b64encode(
-            f"{quote('client/id', safe='')}:{quote('secret+/==', safe='')}".encode()
-        ).decode()
-        request = self.factory.post("/", HTTP_AUTHORIZATION=f"Basic {header}")
-        self.assertEqual(extract_client_auth(request), ("client/id", "secret+/=="))
-
-    def test_extract_client_auth_basic_auth_preserves_raw_plus(self):
-        """test compatibility with clients that still send raw plus characters"""
-        header = b64encode(b"client:secret+plus").decode()
-        request = self.factory.post("/", HTTP_AUTHORIZATION=f"Basic {header}")
-        self.assertEqual(extract_client_auth(request), ("client", "secret+plus"))
-
     def test_auth_code_view(self):
         """test request param"""
         provider = OAuth2Provider.objects.create(

authentik/providers/oauth2/tests/test_token_cc_jwt_source.py

@@ -15,7 +15,7 @@ from authentik.common.oauth.constants import (
     SCOPE_OPENID_PROFILE,
     TOKEN_TYPE,
 )
-from authentik.core.models import USERNAME_MAX_LENGTH, Application, Group, User
+from authentik.core.models import Application, Group
 from authentik.core.tests.utils import create_test_cert, create_test_flow
 from authentik.lib.generators import generate_id
 from authentik.policies.models import PolicyBinding
@@ -27,7 +27,7 @@ from authentik.providers.oauth2.models import (
 )
 from authentik.providers.oauth2.tests.utils import OAuthTestCase
 from authentik.providers.oauth2.views.jwks import JWKSView
-from authentik.sources.oauth.models import OAuthSource, OAuthSourcePropertyMapping
+from authentik.sources.oauth.models import OAuthSource
 
 
 class TestTokenClientCredentialsJWTSource(OAuthTestCase):
@@ -220,10 +220,6 @@ class TestTokenClientCredentialsJWTSource(OAuthTestCase):
             },
         )
         self.assertEqual(response.status_code, 200)
-
-        user = User.objects.filter(username=f"{self.provider.name}-foo").first()
-        self.assertIsNotNone(user)
-
         body = loads(response.content.decode())
         self.assertEqual(body["token_type"], TOKEN_TYPE)
         _, alg = self.provider.jwt_key
@@ -237,54 +233,3 @@ class TestTokenClientCredentialsJWTSource(OAuthTestCase):
             jwt["given_name"], "Autogenerated user from application test (client credentials JWT)"
         )
         self.assertEqual(jwt["preferred_username"], "test-foo")
-
-    def test_successful_mapping(self):
-        """test successful"""
-        test_username = ("mapped-foo" + ("a" * 150))[:USERNAME_MAX_LENGTH]
-        mapping = OAuthSourcePropertyMapping.objects.create(
-            name="test-mapping",
-            expression="""return {
-                "email": oauth_userinfo.get("email"),
-                "name": oauth_userinfo.get("name"),
-                "username": oauth_userinfo.get("username"),
-            }""",
-        )
-        self.source.user_property_mappings.add(mapping)
-
-        token = self.helper_provider.encode(
-            {
-                "sub": "foo",
-                "email": "test-user@example.com",
-                "name": "Mapped Test User",
-                "username": "mapped-foo" + ("a" * 150),
-                "exp": datetime.now() + timedelta(hours=2),
-            }
-        )
-        response = self.client.post(
-            reverse("authentik_providers_oauth2:token"),
-            {
-                "grant_type": GRANT_TYPE_CLIENT_CREDENTIALS,
-                "scope": f"{SCOPE_OPENID} {SCOPE_OPENID_EMAIL} {SCOPE_OPENID_PROFILE}",
-                "client_id": self.provider.client_id,
-                "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
-                "client_assertion": token,
-            },
-        )
-        self.assertEqual(response.status_code, 200)
-
-        user = User.objects.filter(username=test_username).first()
-        self.assertIsNotNone(user)
-
-        body = loads(response.content.decode())
-        self.assertEqual(body["token_type"], TOKEN_TYPE)
-        key_obj, alg = self.provider.jwt_key
-        jwt = decode(
-            body["access_token"],
-            key=key_obj.public_key(),
-            algorithms=[alg],
-            audience=self.provider.client_id,
-        )
-
-        self.assertEqual(jwt["email"], "test-user@example.com")
-        self.assertEqual(jwt["given_name"], "Mapped Test User")
-        self.assertEqual(jwt["preferred_username"], test_username)

authentik/providers/oauth2/tests/test_token_cc_standard_compat.py

@@ -2,7 +2,6 @@
 
 from base64 import b64encode
 from json import loads
-from urllib.parse import quote
 
 from django.test import RequestFactory
 from django.urls import reverse
@@ -179,41 +178,6 @@ class TestTokenClientCredentialsStandardCompat(OAuthTestCase):
         self.assertEqual(jwt["given_name"], self.user.name)
         self.assertEqual(jwt["preferred_username"], self.user.username)
 
-    def test_successful_basic_auth_urlencoded_client_secret(self):
-        """test successful with URL-encoded Basic auth credentials"""
-        client_secret = b64encode(f"sa:{self.token.key}".encode()).decode()
-        header = b64encode(
-            f"{quote(self.provider.client_id, safe='')}:{quote(client_secret, safe='')}".encode()
-        ).decode()
-        response = self.client.post(
-            reverse("authentik_providers_oauth2:token"),
-            {
-                "grant_type": GRANT_TYPE_CLIENT_CREDENTIALS,
-                "scope": f"{SCOPE_OPENID} {SCOPE_OPENID_EMAIL} {SCOPE_OPENID_PROFILE}",
-            },
-            HTTP_AUTHORIZATION=f"Basic {header}",
-        )
-        self.assertEqual(response.status_code, 200)
-        body = loads(response.content.decode())
-        self.assertEqual(body["token_type"], TOKEN_TYPE)
-        _, alg = self.provider.jwt_key
-        jwt = decode(
-            body["access_token"],
-            key=self.provider.signing_key.public_key,
-            algorithms=[alg],
-            audience=self.provider.client_id,
-        )
-        self.assertEqual(jwt["given_name"], self.user.name)
-        self.assertEqual(jwt["preferred_username"], self.user.username)
-        jwt = decode(
-            body["id_token"],
-            key=self.provider.signing_key.public_key,
-            algorithms=[alg],
-            audience=self.provider.client_id,
-        )
-        self.assertEqual(jwt["given_name"], self.user.name)
-        self.assertEqual(jwt["preferred_username"], self.user.username)
-
     def test_successful_password(self):
         """test successful (password grant)"""
         response = self.client.post(

authentik/providers/oauth2/utils.py

@@ -7,7 +7,7 @@ from binascii import Error
 from hashlib import sha256
 from hmac import compare_digest
 from typing import Any
-from urllib.parse import unquote, urlparse
+from urllib.parse import urlparse
 
 from django.http import HttpRequest, HttpResponse, JsonResponse
 from django.http.response import HttpResponseRedirect
@@ -122,10 +122,6 @@ def extract_client_auth(request: HttpRequest) -> tuple[str, str]:
         try:
             user_pass = b64decode(b64_user_pass).decode("utf-8").partition(":")
             client_id, _, client_secret = user_pass
-            # RFC 6749 requires client credentials in Basic auth to be form-encoded first.
-            # We only percent-decode here so raw `+` characters keep their previous meaning.
-            client_id = unquote(client_id)
-            client_secret = unquote(client_secret)
         except ValueError, Error:
             client_id = client_secret = ""  # nosec
     else:

authentik/providers/oauth2/views/authorize.py

@@ -45,7 +45,7 @@ from authentik.flows.stage import PLAN_CONTEXT_PENDING_USER_IDENTIFIER, StageVie
 from authentik.lib.utils.time import timedelta_from_string
 from authentik.lib.views import bad_request_message
 from authentik.policies.types import PolicyRequest
-from authentik.policies.views import PolicyAccessView, RequestValidationError
+from authentik.policies.views import BufferedPolicyAccessView, RequestValidationError
 from authentik.providers.oauth2.errors import (
     AuthorizeError,
     ClientIdError,
@@ -338,7 +338,7 @@ class OAuthAuthorizationParams:
         return code
 
 
-class AuthorizationFlowInitView(PolicyAccessView):
+class AuthorizationFlowInitView(BufferedPolicyAccessView):
     """OAuth2 Flow initializer, checks access to application and starts flow"""
 
     params: OAuthAuthorizationParams

authentik/providers/oauth2/views/token.py

@@ -45,7 +45,6 @@ from authentik.core.models import (
     User,
     UserTypes,
 )
-from authentik.core.sources.mapper import SourceMapper
 from authentik.events.middleware import audit_ignore
 from authentik.events.models import Event, EventAction
 from authentik.events.signals import get_login_event
@@ -477,7 +476,7 @@ class TokenParams:
 
         self.__check_policy_access(app, request, oauth_jwt=token)
         if not provider:
-            self.__create_user_from_jwt(token, app, source, request)
+            self.__create_user_from_jwt(token, app, source)
 
         method_args = {
             "jwt": token,
@@ -531,30 +530,18 @@ class TokenParams:
             raise TokenError("invalid_grant")
         self.device_code = code
 
-    def __create_user_from_jwt(
-        self, token: dict[str, Any], app: Application, source: OAuthSource, request: HttpRequest
-    ):
+    def __create_user_from_jwt(self, token: dict[str, Any], app: Application, source: OAuthSource):
         """Create user from JWT"""
         with audit_ignore():
-            # Run the JWT payload through the core mapping engine
-            mapped = SourceMapper(source).build_object_properties(
-                User, request=request, info=token, oauth_userinfo=token
-            )
-
             self.user, created = User.objects.update_or_create(
-                username=mapped.get("username", f"{self.provider.name}-{token.get('sub')}")[
-                    :USERNAME_MAX_LENGTH
-                ],
+                username=f"{self.provider.name}-{token.get('sub')}",
                 defaults={
                     "last_login": timezone.now(),
-                    "name": mapped.get(
-                        "name",
-                        f"Autogenerated user from application {app.name} (client credentials JWT)",
+                    "name": (
+                        f"Autogenerated user from application {app.name} (client credentials JWT)"
                     ),
-                    "email": mapped.get("email", ""),
                     "path": source.get_user_path(),
                     "type": UserTypes.SERVICE_ACCOUNT,
-                    "attributes": mapped.get("attributes", {}),
                 },
             )
             self.user.attributes[USER_ATTRIBUTE_GENERATED] = True

authentik/providers/proxy/signals.py

@@ -0,0 +1,13 @@
+"""Proxy provider signals"""
+
+from django.db.models.signals import pre_delete
+from django.dispatch import receiver
+
+from authentik.core.models import AuthenticatedSession
+from authentik.providers.proxy.tasks import proxy_on_logout
+
+
+@receiver(pre_delete, sender=AuthenticatedSession)
+def logout_proxy_revoke(sender: type[AuthenticatedSession], instance: AuthenticatedSession, **_):
+    """Catch logout by expiring sessions being deleted"""
+    proxy_on_logout.send(instance.session.session_key)

authentik/providers/proxy/tasks.py

@@ -0,0 +1,26 @@
+"""proxy provider tasks"""
+
+from asgiref.sync import async_to_sync
+from channels.layers import get_channel_layer
+from django.utils.translation import gettext_lazy as _
+from dramatiq.actor import actor
+
+from authentik.outposts.consumer import build_outpost_group
+from authentik.outposts.models import Outpost, OutpostType
+from authentik.providers.oauth2.id_token import hash_session_key
+
+
+@actor(description=_("Terminate session on Proxy outpost."))
+def proxy_on_logout(session_id: str):
+    layer = get_channel_layer()
+    hashed_session_id = hash_session_key(session_id)
+    for outpost in Outpost.objects.filter(type=OutpostType.PROXY):
+        group = build_outpost_group(outpost.pk)
+        async_to_sync(layer.group_send)(
+            group,
+            {
+                "type": "event.provider.specific",
+                "sub_type": "logout",
+                "session_id": hashed_session_id,
+            },
+        )

authentik/providers/rac/views.py

@@ -18,14 +18,14 @@ from authentik.flows.planner import PLAN_CONTEXT_APPLICATION, FlowPlanner
 from authentik.flows.stage import RedirectStage
 from authentik.lib.utils.time import timedelta_from_string
 from authentik.policies.engine import PolicyEngine
-from authentik.policies.views import PolicyAccessView
+from authentik.policies.views import BufferedPolicyAccessView
 from authentik.providers.rac.models import ConnectionToken, Endpoint, RACProvider
 from authentik.stages.prompt.stage import PLAN_CONTEXT_PROMPT
 
 PLAN_CONNECTION_SETTINGS = "connection_settings"
 
 
-class RACStartView(PolicyAccessView):
+class RACStartView(BufferedPolicyAccessView):
     """Start a RAC connection by checking access and creating a connection token"""
 
     endpoint: Endpoint

authentik/providers/saml/views/sso.py

@@ -15,7 +15,7 @@ from authentik.flows.models import in_memory_stage
 from authentik.flows.planner import PLAN_CONTEXT_APPLICATION, PLAN_CONTEXT_SSO, FlowPlanner
 from authentik.flows.views.executor import SESSION_KEY_POST
 from authentik.lib.views import bad_request_message
-from authentik.policies.views import PolicyAccessView
+from authentik.policies.views import BufferedPolicyAccessView
 from authentik.providers.saml.exceptions import CannotHandleAssertion
 from authentik.providers.saml.models import SAMLBindings, SAMLProvider
 from authentik.providers.saml.processors.authn_request_parser import AuthNRequestParser
@@ -35,7 +35,7 @@ from authentik.stages.consent.stage import (
 LOGGER = get_logger()
 
 
-class SAMLSSOView(PolicyAccessView):
+class SAMLSSOView(BufferedPolicyAccessView):
     """SAML SSO Base View, which plans a flow and injects our final stage.
     Calls get/post handler."""
 
@@ -88,7 +88,7 @@ class SAMLSSOView(PolicyAccessView):
 
     def post(self, request: HttpRequest, application_slug: str) -> HttpResponse:
         """GET and POST use the same handler, but we can't
-        override .dispatch easily because PolicyAccessView's dispatch"""
+        override .dispatch easily because BufferedPolicyAccessView's dispatch"""
         return self.get(request, application_slug)
 
 

authentik/providers/scim/clients/groups.py

@@ -7,6 +7,7 @@ from django.db import transaction
 from django.utils.http import urlencode
 from orjson import dumps
 from pydantic import ValidationError
+from pydanticscim.group import GroupMember
 
 from authentik.core.models import Group
 from authentik.lib.merge import MERGE_LIST_UNIQUE
@@ -24,7 +25,6 @@ from authentik.providers.scim.clients.exceptions import (
 )
 from authentik.providers.scim.clients.schema import (
     SCIM_GROUP_SCHEMA,
-    GroupMember,
     PatchOp,
     PatchOperation,
     PatchRequest,
@@ -111,7 +111,7 @@ class SCIMGroupClient(SCIMClient[Group, SCIMProviderGroup, SCIMGroupSchema]):
                     raise exc
                 groups = self._request(
                     "GET",
-                    f"/Groups?{urlencode({'filter': f'displayName eq "{group.name}"'})}",
+                    f"/Groups?{urlencode({'filter': f'displayName eq \"{group.name}\"'})}",
                 )
                 groups_res = groups.get("Resources", [])
                 if len(groups_res) < 1:
@@ -321,12 +321,7 @@ class SCIMGroupClient(SCIMClient[Group, SCIMProviderGroup, SCIMGroupSchema]):
                 PatchOperation(
                     op=PatchOp.add,
                     path="members",
-                    value=[
-                        GroupMember(value=x).model_dump(
-                            mode="json",
-                            exclude_unset=True,
-                        )
-                    ],
+                    value=[{"value": x}],
                 )
                 for x in users_to_add
             ],
@@ -334,12 +329,7 @@ class SCIMGroupClient(SCIMClient[Group, SCIMProviderGroup, SCIMGroupSchema]):
                 PatchOperation(
                     op=PatchOp.remove,
                     path="members",
-                    value=[
-                        GroupMember(value=x).model_dump(
-                            mode="json",
-                            exclude_unset=True,
-                        )
-                    ],
+                    value=[{"value": x}],
                 )
                 for x in users_to_remove
             ],
@@ -362,12 +352,7 @@ class SCIMGroupClient(SCIMClient[Group, SCIMProviderGroup, SCIMGroupSchema]):
                 PatchOperation(
                     op=PatchOp.add,
                     path="members",
-                    value=[
-                        GroupMember(value=x).model_dump(
-                            mode="json",
-                            exclude_unset=True,
-                        )
-                    ],
+                    value=[{"value": x}],
                 )
                 for x in user_ids
             ],
@@ -390,39 +375,8 @@ class SCIMGroupClient(SCIMClient[Group, SCIMProviderGroup, SCIMGroupSchema]):
                 PatchOperation(
                     op=PatchOp.remove,
                     path="members",
-                    value=[
-                        GroupMember(value=x).model_dump(
-                            mode="json",
-                            exclude_unset=True,
-                        )
-                    ],
+                    value=[{"value": x}],
                 )
                 for x in user_ids
             ],
         )
-
-    def discover(self):
-        res = self._request("GET", "/Groups")
-        seen_items = 0
-        expected_items = int(res["totalResults"])
-        while True:
-            for group in res["Resources"]:
-                self._discover_group_single(group)
-                seen_items += 1
-            if seen_items >= expected_items:
-                break
-            res = self._request("GET", f"/Groups?startIndex={seen_items + 1}")
-
-    def _discover_group_single(self, group: dict):
-        scim_group = SCIMGroupSchema.model_validate(group)
-        if SCIMProviderGroup.objects.filter(scim_id=scim_group.id, provider=self.provider).exists():
-            return
-        ak_group = Group.objects.filter(name=scim_group.displayName).first()
-        if not ak_group:
-            return
-        SCIMProviderGroup.objects.create(
-            provider=self.provider,
-            group=ak_group,
-            scim_id=scim_group.id,
-            attributes=group,
-        )

authentik/providers/scim/clients/schema.py

@@ -7,7 +7,6 @@ from django.core.exceptions import ValidationError
 from django.core.validators import validate_email
 from pydantic import AnyUrl, BaseModel, ConfigDict, Field, model_validator
 from pydanticscim.group import Group as BaseGroup
-from pydanticscim.group import GroupMember as BaseGroupMember
 from pydanticscim.responses import PatchOperation as BasePatchOperation
 from pydanticscim.responses import PatchRequest as BasePatchRequest
 from pydanticscim.responses import SCIMError as BaseSCIMError
@@ -161,13 +160,6 @@ class Group(BaseGroup):
     schemas: list[str] = [SCIM_GROUP_SCHEMA]
     externalId: str | None = None
     meta: dict | None = None
-    members: list[GroupMember] | None = Field(None, description="A list of members of the Group.")
-
-
-class GroupMember(BaseGroupMember):
-    """Modified GroupMember that allows extra fields"""
-
-    model_config = ConfigDict(extra="allow")
 
 
 class Bulk(BaseBulk):

authentik/providers/scim/clients/users.py

@@ -3,7 +3,6 @@
 from typing import Any
 
 from django.db import transaction
-from django.db.models import Q
 from django.utils.http import urlencode
 from orjson import dumps
 from pydantic import ValidationError
@@ -119,32 +118,3 @@ class SCIMUserClient(SCIMClient[User, SCIMProviderUser, SCIMUserSchema]):
         )
         connection.attributes = response
         connection.save()
-
-    def discover(self):
-        res = self._request("GET", "/Users")
-        seen_items = 0
-        expected_items = int(res["totalResults"])
-        while True:
-            for user in res["Resources"]:
-                self._discover_user_single(user)
-                seen_items += 1
-            if seen_items >= expected_items:
-                break
-            res = self._request("GET", f"/Users?startIndex={seen_items+1}")
-
-    def _discover_user_single(self, user: dict):
-        scim_user = SCIMUserSchema.model_validate(user)
-        if SCIMProviderUser.objects.filter(scim_id=scim_user.id, provider=self.provider).exists():
-            return
-        user_query = Q(username=scim_user.userName)
-        for email in scim_user.emails:
-            user_query |= Q(username=email.value) | Q(email=email.value)
-        ak_user = User.objects.filter(user_query).first()
-        if not ak_user:
-            return
-        SCIMProviderUser.objects.create(
-            provider=self.provider,
-            user=ak_user,
-            scim_id=scim_user.id,
-            attributes=user,
-        )

authentik/providers/scim/tests/test_group.py

@@ -10,7 +10,6 @@ from authentik.blueprints.tests import apply_blueprint
 from authentik.core.models import Application, Group, User
 from authentik.lib.generators import generate_id
 from authentik.providers.scim.models import SCIMMapping, SCIMProvider, SCIMProviderGroup
-from authentik.providers.scim.tasks import scim_sync
 
 
 class SCIMGroupTests(TestCase):
@@ -206,128 +205,3 @@ class SCIMGroupTests(TestCase):
         self.assertEqual(mock.request_history[1].method, "POST")
         self.assertEqual(mock.request_history[2].method, "GET")
         self.assertNotIn("PUT", [req.method for req in mock.request_history])
-
-    @Mocker()
-    def test_discover(self, mock: Mocker):
-        group = Group.objects.create(name="acl_admins")
-        mock.get(
-            "https://localhost/ServiceProviderConfig",
-            json={},
-        )
-        mock.get(
-            "https://localhost/Groups",
-            json={
-                "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
-                "totalResults": 2,
-                "startIndex": 1,
-                "itemsPerPage": 1,
-                "Resources": [
-                    {
-                        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
-                        "id": "3",
-                        "displayName": "acl_admins",
-                        "meta": {"resourceType": "Group"},
-                        "members": [],
-                    },
-                ],
-            },
-        )
-        mock.get(
-            "https://localhost/Groups?startIndex=2",
-            json={
-                "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
-                "totalResults": 2,
-                "startIndex": 2,
-                "itemsPerPage": 1,
-                "Resources": [
-                    {
-                        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
-                        "id": "10",
-                        "displayName": "test",
-                        "meta": {"resourceType": "Group"},
-                        "members": [],
-                    },
-                ],
-            },
-        )
-        self.provider.client_for_model(Group).discover()
-        connection = SCIMProviderGroup.objects.filter(provider=self.provider, group=group).first()
-        self.assertIsNotNone(connection)
-        self.assertEqual(connection.scim_id, "3")
-
-    def _create_stale_provider_group(self, scim_id: str) -> Group:
-        """Create a group that is outside the provider's scope (via group_filters) with an
-        existing SCIMProviderGroup, simulating a previously synced group now out of scope."""
-        self.app.backchannel_providers.remove(self.provider)
-        anchor = Group.objects.create(name=generate_id())
-        stale = Group.objects.create(name=generate_id())
-        self.app.backchannel_providers.add(self.provider)
-
-        self.provider.group_filters.set([anchor])
-        SCIMProviderGroup.objects.create(provider=self.provider, group=stale, scim_id=scim_id)
-        return stale
-
-    @Mocker()
-    def test_sync_cleanup_stale_group_delete(self, mock: Mocker):
-        """Stale (out-of-scope) groups are deleted during full sync cleanup"""
-        scim_id = generate_id()
-        mock.get("https://localhost/ServiceProviderConfig", json={})
-
-        mock.post("https://localhost/Groups", json={"id": generate_id()})
-        mock.delete(f"https://localhost/Groups/{scim_id}", status_code=204)
-        self._create_stale_provider_group(scim_id)
-
-        scim_sync.send(self.provider.pk).get_result()
-
-        delete_reqs = [r for r in mock.request_history if r.method == "DELETE"]
-        self.assertEqual(len(delete_reqs), 1)
-        self.assertEqual(delete_reqs[0].url, f"https://localhost/Groups/{scim_id}")
-        self.assertFalse(
-            SCIMProviderGroup.objects.filter(provider=self.provider, scim_id=scim_id).exists()
-        )
-
-    @Mocker()
-    def test_sync_cleanup_stale_group_not_found(self, mock: Mocker):
-        """Stale group cleanup handles 404 from the remote gracefully"""
-        scim_id = generate_id()
-        mock.get("https://localhost/ServiceProviderConfig", json={})
-        mock.post("https://localhost/Groups", json={"id": generate_id()})
-        mock.delete(f"https://localhost/Groups/{scim_id}", status_code=404)
-        self._create_stale_provider_group(scim_id)
-
-        scim_sync.send(self.provider.pk).get_result()
-
-        delete_reqs = [r for r in mock.request_history if r.method == "DELETE"]
-        self.assertEqual(len(delete_reqs), 1)
-
-        self.assertFalse(
-            SCIMProviderGroup.objects.filter(provider=self.provider, scim_id=scim_id).exists()
-        )
-
-    @Mocker()
-    def test_sync_cleanup_stale_group_transient_error(self, mock: Mocker):
-        """Stale group cleanup logs and retries on transient HTTP errors"""
-        scim_id = generate_id()
-        mock.get("https://localhost/ServiceProviderConfig", json={})
-        mock.post("https://localhost/Groups", json={"id": generate_id()})
-        mock.delete(f"https://localhost/Groups/{scim_id}", status_code=429)
-        self._create_stale_provider_group(scim_id)
-
-        scim_sync.send(self.provider.pk)
-
-        delete_reqs = [r for r in mock.request_history if r.method == "DELETE"]
-        self.assertEqual(len(delete_reqs), 1)
-
-    @Mocker()
-    def test_sync_cleanup_stale_group_dry_run(self, mock: Mocker):
-        """Stale group cleanup skips HTTP DELETE in dry_run mode"""
-        self.provider.dry_run = True
-        self.provider.save()
-        scim_id = generate_id()
-        mock.get("https://localhost/ServiceProviderConfig", json={})
-        self._create_stale_provider_group(scim_id)
-
-        scim_sync.send(self.provider.pk)
-
-        delete_reqs = [r for r in mock.request_history if r.method == "DELETE"]
-        self.assertEqual(len(delete_reqs), 0)