release: 2026.2.3

* website/docs: release notes for 2025.12.5 and 2026.2.3 (#22310)

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix typo

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Jens L. <jens@goauthentik.io>

.github/actions/cherry-pick/action.yml

@@ -115,20 +115,13 @@ runs:
       shell: bash
       env:
         GITHUB_TOKEN: ${{ inputs.token }}
+        PR_NUMBER: ${{ steps.should_run.outputs.pr_number }}
+        REASON: ${{ steps.should_run.outputs.reason }}
       run: |
         set -e -o pipefail
-        PR_NUMBER="${{ steps.should_run.outputs.pr_number }}"
-
-        # Get PR details
-        PR_DATA=$(gh api repos/${{ github.repository }}/pulls/$PR_NUMBER)
-        PR_TITLE=$(echo "$PR_DATA" | jq -r '.title')
-        PR_AUTHOR=$(echo "$PR_DATA" | jq -r '.user.login')
-
-        echo "pr_title=$PR_TITLE" >> $GITHUB_OUTPUT
-        echo "pr_author=$PR_AUTHOR" >> $GITHUB_OUTPUT
 
         # Determine which labels to process
-        if [ "${{ steps.should_run.outputs.reason }}" = "label_added_to_merged_pr" ]; then
+        if [ "${REASON}" = "label_added_to_merged_pr" ]; then
           # Only process the specific label that was just added
           if [ "${{ github.event_name }}" = "issues" ]; then
             LABEL_NAME="${{ github.event.label.name }}"
@@ -152,13 +145,13 @@ runs:
       shell: bash
       env:
         GITHUB_TOKEN: ${{ inputs.token }}
+        PR_NUMBER: '${{ steps.should_run.outputs.pr_number }}'
+        COMMIT_SHA: '${{ steps.should_run.outputs.merge_commit_sha }}'
+        PR_TITLE: ${{ github.event.pull_request.title }}
+        PR_AUTHOR: ${{ github.event.pull_request.user.login }}
+        LABELS: '${{ steps.pr_details.outputs.labels }}'
       run: |
         set -e -o pipefail
-        PR_NUMBER='${{ steps.should_run.outputs.pr_number }}'
-        COMMIT_SHA='${{ steps.should_run.outputs.merge_commit_sha }}'
-        PR_TITLE='${{ steps.pr_details.outputs.pr_title }}'
-        PR_AUTHOR='${{ steps.pr_details.outputs.pr_author }}'
-        LABELS='${{ steps.pr_details.outputs.labels }}'
 
         echo "Processing PR #$PR_NUMBER (reason: ${{ steps.should_run.outputs.reason }})"
         echo "Found backport labels: $LABELS"

.github/actions/docker-push-variables/push_vars.py

@@ -89,6 +89,8 @@ if should_push:
     _cache_tag = "buildcache"
     if image_arch:
         _cache_tag += f"-{image_arch}"
+    if is_release:
+        _cache_tag += f"-{version_family}"
     cache_to = f"type=registry,ref={get_attest_image_names(image_tags)}:{_cache_tag},mode=max"
 
 

.github/actions/setup/action.yml

@@ -8,45 +8,61 @@ inputs:
   postgresql_version:
     description: "Optional postgresql image tag"
     default: "16"
+  working-directory:
+    description: |
+      Optional working directory if this repo isn't in the root of the actions workspace.
+      When set, needs to contain a trailing slash
+    default: ""
 
 runs:
   using: "composite"
   steps:
-    - name: Install apt deps & cleanup
+    - name: Cleanup apt
+      if: ${{ contains(inputs.dependencies, 'system') || contains(inputs.dependencies, 'python') }}
+      shell: bash
+      run: sudo apt-get remove --purge man-db
+    - name: Install apt deps
+      if: ${{ contains(inputs.dependencies, 'system') || contains(inputs.dependencies, 'python') }}
+      uses: gerlero/apt-install@f4fa5265092af9e750549565d28c99aec7189639
+      with:
+        packages: libpq-dev openssl libxmlsec1-dev pkg-config gettext krb5-multidev libkrb5-dev heimdal-multidev libclang-dev krb5-kdc krb5-user krb5-admin-server
+        update: true
+        upgrade: false
+        install-recommends: false
+    - name: Make space on disk
       if: ${{ contains(inputs.dependencies, 'system') || contains(inputs.dependencies, 'python') }}
       shell: bash
       run: |
-        sudo apt-get remove --purge man-db
-        sudo apt-get update
-        sudo apt-get install --no-install-recommends -y libpq-dev openssl libxmlsec1-dev pkg-config gettext krb5-multidev libkrb5-dev heimdal-multidev libclang-dev krb5-kdc krb5-user krb5-admin-server
-        sudo rm -rf /usr/local/lib/android
+        sudo mkdir -p /tmp/empty/
+        sudo rsync -a --delete /tmp/empty/ /usr/local/lib/android/
     - name: Install uv
       if: ${{ contains(inputs.dependencies, 'python') }}
-      uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098 # v5
+      uses: astral-sh/setup-uv@eac588ad8def6316056a12d4907a9d4d84ff7a3b # v5
       with:
         enable-cache: true
     - name: Setup python
       if: ${{ contains(inputs.dependencies, 'python') }}
       uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v5
       with:
-        python-version-file: "pyproject.toml"
+        python-version-file: "${{ inputs.working-directory }}pyproject.toml"
     - name: Install Python deps
       if: ${{ contains(inputs.dependencies, 'python') }}
       shell: bash
+      working-directory: ${{ inputs.working-directory }}
       run: uv sync --all-extras --dev --frozen
     - name: Setup node
       if: ${{ contains(inputs.dependencies, 'node') }}
       uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v4
       with:
-        node-version-file: web/package.json
+        node-version-file: ${{ inputs.working-directory }}web/package.json
         cache: "npm"
-        cache-dependency-path: web/package-lock.json
+        cache-dependency-path: ${{ inputs.working-directory }}web/package-lock.json
         registry-url: 'https://registry.npmjs.org'
     - name: Setup go
       if: ${{ contains(inputs.dependencies, 'go') }}
-      uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v5
+      uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v5
       with:
-        go-version-file: "go.mod"
+        go-version-file: "${{ inputs.working-directory }}go.mod"
     - name: Setup docker cache
       if: ${{ contains(inputs.dependencies, 'runtime') }}
       uses: AndreKurait/docker-cache@0fe76702a40db986d9663c24954fc14c6a6031b7
@@ -55,6 +71,7 @@ runs:
     - name: Setup dependencies
       if: ${{ contains(inputs.dependencies, 'runtime') }}
       shell: bash
+      working-directory: ${{ inputs.working-directory }}
       run: |
         export PSQL_TAG=${{ inputs.postgresql_version }}
         docker compose -f .github/actions/setup/compose.yml up -d
@@ -62,6 +79,7 @@ runs:
     - name: Generate config
       if: ${{ contains(inputs.dependencies, 'python') }}
       shell: uv run python {0}
+      working-directory: ${{ inputs.working-directory }}
       run: |
         from authentik.lib.generators import generate_id
         from yaml import safe_dump

.github/actions/setup/compose.yml

@@ -2,7 +2,7 @@ services:
   postgresql:
     image: docker.io/library/postgres:${PSQL_TAG:-16}
     volumes:
-      - db-data:/var/lib/postgresql/data
+      - db-data:/var/lib/postgresql
     command: "-c log_statement=all"
     environment:
       POSTGRES_USER: authentik

.github/dependabot.yml

@@ -38,21 +38,6 @@ updates:
 
   #endregion
 
-  #region Rust
-
-  - package-ecosystem: rust-toolchain
-    directory: "/"
-    schedule:
-      interval: daily
-      time: "04:00"
-    open-pull-requests-limit: 10
-    commit-message:
-      prefix: "core:"
-    labels:
-      - dependencies
-
-  #endregion
-
   #region Web
 
   - package-ecosystem: npm
@@ -249,7 +234,7 @@ updates:
 
   - package-ecosystem: docker
     directories:
-      - /lifecycle/container
+      - /
       - /website
     schedule:
       interval: daily

.github/workflows/_reusable-docker-build-single.yml

@@ -72,7 +72,7 @@ jobs:
           node-version-file: web/package.json
           cache: "npm"
           cache-dependency-path: web/package-lock.json
-      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
+      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6
         with:
           go-version-file: "go.mod"
       - name: Generate API Clients
@@ -80,7 +80,7 @@ jobs:
           make gen-client-ts
           make gen-client-go
       - name: Build Docker Image
-        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6
         id: push
         with:
           context: .
@@ -95,7 +95,7 @@ jobs:
           platforms: linux/${{ inputs.image_arch }}
           cache-from: type=registry,ref=${{ steps.ev.outputs.attestImageNames }}:buildcache-${{ inputs.image_arch }}
           cache-to: ${{ steps.ev.outputs.cacheTo }}
-      - uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v3
+      - uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3
         id: attest
         if: ${{ steps.ev.outputs.shouldPush == 'true' }}
         with:

.github/workflows/_reusable-docker-build.yml

@@ -90,14 +90,14 @@ jobs:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
-      - uses: int128/docker-manifest-create-action@8aac06098a12365ccdf99372dcfb453ccce8a0b0 # v2
+      - uses: int128/docker-manifest-create-action@1a059c021f1d5e9f2bd39de745d5dd3a0ef6df90 # v2
         id: build
         with:
           tags: ${{ matrix.tag }}
           sources: |
             ${{ steps.ev.outputs.attestImageNames }}@${{ needs.build-server-amd64.outputs.image-digest }}
             ${{ steps.ev.outputs.attestImageNames }}@${{ needs.build-server-arm64.outputs.image-digest }}
-      - uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v3
+      - uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3
         id: attest
         with:
           subject-name: ${{ steps.ev.outputs.attestImageNames }}

.github/workflows/api-ts-publish.yml

@@ -21,7 +21,7 @@ jobs:
         uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
         with:
           app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+          private-key: ${{ secrets.GH_APP_PRIV_KEY }}
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
         with:
           token: ${{ steps.generate_token.outputs.token }}

.github/workflows/ci-api-docs.yml

@@ -55,7 +55,7 @@ jobs:
         env:
           NODE_ENV: production
         run: npm run build -w api
-      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v4
+      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v4
         with:
           name: api-docs
           path: website/api/build
@@ -67,7 +67,7 @@ jobs:
       - build
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v5
+      - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v5
         with:
           name: api-docs
           path: website/api/build

.github/workflows/ci-docs.yml

@@ -96,7 +96,7 @@ jobs:
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Build Docker Image
         id: push
-        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6
         with:
           tags: ${{ steps.ev.outputs.imageTags }}
           file: website/Dockerfile
@@ -105,7 +105,7 @@ jobs:
           context: .
           cache-from: type=registry,ref=ghcr.io/goauthentik/dev-docs:buildcache
           cache-to: ${{ steps.ev.outputs.shouldPush == 'true' && 'type=registry,ref=ghcr.io/goauthentik/dev-docs:buildcache,mode=max' || '' }}
-      - uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v3
+      - uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3
         id: attest
         if: ${{ steps.ev.outputs.shouldPush == 'true' }}
         with:

.github/workflows/ci-main-daily.yml

@@ -6,10 +6,6 @@ on:
   schedule:
     # Every night at 3am
     - cron: "0 3 * * *"
-  pull_request:
-    paths:
-      # Needs to refer to itself
-      - .github/workflows/ci-main-daily.yml
 
 jobs:
   test-container:
@@ -19,14 +15,14 @@ jobs:
       matrix:
         version:
           - docs
-          - version-2025-12
-          - version-2025-10
+          - version-2025-4
+          - version-2025-2
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
       - run: |
           current="$(pwd)"
           dir="/tmp/authentik/${{ matrix.version }}"
-          mkdir -p "${dir}/lifecycle/container"
-          cd "${dir}"
-          wget "https://${{ matrix.version }}.goauthentik.io/docker-compose.yml" -O "${dir}/lifecycle/container/compose.yml"
-          "${current}/scripts/test_docker.sh"
+          mkdir -p $dir
+          cd $dir
+          wget https://${{ matrix.version }}.goauthentik.io/compose.yml
+          ${current}/scripts/test_docker.sh

.github/workflows/ci-main.yml

@@ -42,16 +42,6 @@ jobs:
         uses: ./.github/actions/setup
       - name: run job
         run: uv run make ci-${{ matrix.job }}
-  test-gen-build:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - name: Setup authentik env
-        uses: ./.github/actions/setup
-      - name: generate schema
-        run: make migrate gen-build
-      - name: ensure schema is up-to-date
-        run: git diff --exit-code -- schema.yml blueprints/schema.json
   test-migrations:
     runs-on: ubuntu-latest
     steps:
@@ -105,7 +95,10 @@ jobs:
         with:
           postgresql_version: ${{ matrix.psql }}
       - name: run migrations to stable
-        run: uv run python -m lifecycle.migrate
+        run: |
+          docker ps
+          docker logs setup-postgresql-1
+          uv run python -m lifecycle.migrate
       - name: checkout current code
         run: |
           set -x
@@ -170,7 +163,7 @@ jobs:
       - name: Setup authentik env
         uses: ./.github/actions/setup
       - name: Create k8s Kind Cluster
-        uses: helm/kind-action@ef37e7f390d99f746eb8b610417061a60e82a6cc # v1.14.0
+        uses: helm/kind-action@92086f6be054225fa813e0a4b13787fc9088faab # v1.13.0
       - name: run integration
         run: |
           uv run coverage run manage.py test tests/integration
@@ -279,7 +272,7 @@ jobs:
         with:
           flags: conformance
       - if: ${{ !cancelled() }}
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
         with:
           name: conformance-certification-${{ matrix.job.name }}
           path: tests/openid_conformance/exports/
@@ -287,7 +280,6 @@ jobs:
     if: always()
     needs:
       - lint
-      - test-gen-build
       - test-migrations
       - test-migrations-from-stable
       - test-unittest

.github/workflows/ci-outpost.yml

@@ -22,7 +22,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
+      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6
         with:
           go-version-file: "go.mod"
       - name: Prepare and generate API
@@ -43,7 +43,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
+      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6
         with:
           go-version-file: "go.mod"
       - name: Setup authentik env
@@ -111,7 +111,7 @@ jobs:
         run: make gen-client-go
       - name: Build Docker Image
         id: push
-        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6
         with:
           tags: ${{ steps.ev.outputs.imageTags }}
           file: lifecycle/container/${{ matrix.type }}.Dockerfile
@@ -122,7 +122,7 @@ jobs:
           context: .
           cache-from: type=registry,ref=ghcr.io/goauthentik/dev-${{ matrix.type }}:buildcache
           cache-to: ${{ steps.ev.outputs.shouldPush == 'true' && format('type=registry,ref=ghcr.io/goauthentik/dev-{0}:buildcache,mode=max', matrix.type) || '' }}
-      - uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v3
+      - uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3
         id: attest
         if: ${{ steps.ev.outputs.shouldPush == 'true' }}
         with:
@@ -148,7 +148,7 @@ jobs:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
         with:
           ref: ${{ github.event.pull_request.head.sha }}
-      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
+      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6
         with:
           go-version-file: "go.mod"
       - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v5

.github/workflows/gen-image-compress.yml

@@ -32,7 +32,7 @@ jobs:
         uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
         with:
           app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+          private-key: ${{ secrets.GH_APP_PRIV_KEY }}
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
         with:
           token: ${{ steps.generate_token.outputs.token }}

.github/workflows/gen-update-webauthn-mds.yml

@@ -19,7 +19,7 @@ jobs:
         uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
         with:
           app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+          private-key: ${{ secrets.GH_APP_PRIV_KEY }}
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
         with:
           token: ${{ steps.generate_token.outputs.token }}

.github/workflows/gh-cherry-pick.yml

@@ -14,7 +14,7 @@ jobs:
         if: ${{ env.GH_APP_ID != '' }}
         with:
           app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+          private-key: ${{ secrets.GH_APP_PRIV_KEY }}
         env:
           GH_APP_ID: ${{ secrets.GH_APP_ID }}
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5

.github/workflows/gh-ghcr-retention.yml

@@ -19,7 +19,7 @@ jobs:
         uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
         with:
           app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+          private-key: ${{ secrets.GH_APP_PRIV_KEY }}
       - name: Delete 'dev' containers older than a week
         uses: snok/container-retention-policy@3b0972b2276b171b212f8c4efbca59ebba26eceb # v3.0.1
         with:

.github/workflows/packages-npm-publish.yml

@@ -29,7 +29,6 @@ jobs:
           - packages/eslint-config
           - packages/prettier-config
           - packages/docusaurus-config
-          - packages/logger-js
           - packages/esbuild-plugin-live-reload
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
@@ -41,7 +40,7 @@ jobs:
           registry-url: "https://registry.npmjs.org"
       - name: Get changed files
         id: changed-files
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # 24d32ffd492484c1d75e0c0b894501ddb9d30d62
+        uses: tj-actions/changed-files@8cba46e29c11878d930bca7870bb54394d3e8b21 # 24d32ffd492484c1d75e0c0b894501ddb9d30d62
         with:
           files: |
             ${{ matrix.package }}/package.json

.github/workflows/release-branch-off.yml

@@ -32,7 +32,7 @@ jobs:
         uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
         with:
           app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+          private-key: ${{ secrets.GH_APP_PRIV_KEY }}
       - name: Checkout main
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
         with:
@@ -60,7 +60,7 @@ jobs:
         uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
         with:
           app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+          private-key: ${{ secrets.GH_APP_PRIV_KEY }}
       - name: Checkout main
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
         with:

.github/workflows/release-publish.yml

@@ -51,14 +51,14 @@ jobs:
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Build Docker Image
         id: push
-        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6
         with:
           tags: ${{ steps.ev.outputs.imageTags }}
           file: website/Dockerfile
           push: true
           platforms: linux/amd64,linux/arm64
           context: .
-      - uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v3
+      - uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3
         id: attest
         if: true
         with:
@@ -84,7 +84,7 @@ jobs:
           - rac
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
+      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6
         with:
           go-version-file: "go.mod"
       - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v5
@@ -119,7 +119,7 @@ jobs:
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Build Docker Image
-        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6
         id: push
         with:
           push: true
@@ -129,7 +129,7 @@ jobs:
           file: lifecycle/container/${{ matrix.type }}.Dockerfile
           platforms: linux/amd64,linux/arm64
           context: .
-      - uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v3
+      - uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3
         id: attest
         with:
           subject-name: ${{ steps.ev.outputs.attestImageNames }}
@@ -152,7 +152,7 @@ jobs:
         goarch: [amd64, arm64]
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
+      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6
         with:
           go-version-file: "go.mod"
       - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v5
@@ -180,7 +180,7 @@ jobs:
           export CGO_ENABLED=0
           go build -tags=outpost_static_embed -v -o ./authentik-outpost-${{ matrix.type }}_${{ matrix.goos }}_${{ matrix.goarch }} ./cmd/${{ matrix.type }}
       - name: Upload binaries to release
-        uses: svenstaro/upload-release-action@b98a3b12e86552593f3e4e577ca8a62aa2f3f22b # v2
+        uses: svenstaro/upload-release-action@6b7fa9f267e90b50a19fef07b3596790bb941741 # v2
         with:
           repo_token: ${{ secrets.GITHUB_TOKEN }}
           file: ./authentik-outpost-${{ matrix.type }}_${{ matrix.goos }}_${{ matrix.goarch }}

.github/workflows/release-tag.yml

@@ -70,7 +70,7 @@ jobs:
         uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
         with:
           app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+          private-key: ${{ secrets.GH_APP_PRIV_KEY }}
       - id: get-user-id
         name: Get GitHub app user ID
         run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
@@ -91,6 +91,7 @@ jobs:
           # ID from https://api.github.com/users/authentik-automation[bot]
           git config --global user.name '${{ steps.app-token.outputs.app-slug }}[bot]'
           git config --global user.email '${{ steps.get-user-id.outputs.user-id }}+${{ steps.app-token.outputs.app-slug }}[bot]@users.noreply.github.com'
+          git pull
           git commit -a -m "release: ${{ inputs.version }}" --allow-empty
           git tag "version/${{ inputs.version }}" HEAD -m "version/${{ inputs.version }}"
           git push --follow-tags
@@ -117,7 +118,7 @@ jobs:
         uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
         with:
           app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+          private-key: ${{ secrets.GH_APP_PRIV_KEY }}
           repositories: helm
       - id: get-user-id
         name: Get GitHub app user ID
@@ -159,7 +160,7 @@ jobs:
         uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
         with:
           app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+          private-key: ${{ secrets.GH_APP_PRIV_KEY }}
           repositories: version
       - id: get-user-id
         name: Get GitHub app user ID
@@ -174,7 +175,7 @@ jobs:
         if: "${{ inputs.release_reason == 'feature' }}"
         run: |
           changelog_url="https://docs.goauthentik.io/docs/releases/${{ needs.check-inputs.outputs.major_version }}"
-          reason="{{ inputs.release_reason }}"
+          reason="${{ inputs.release_reason }}"
           jq \
             --arg version "${{ inputs.version }}" \
             --arg changelog "See ${changelog_url}" \
@@ -186,7 +187,7 @@ jobs:
         if: "${{ inputs.release_reason != 'feature' }}"
         run: |
           changelog_url="https://docs.goauthentik.io/docs/releases/${{ needs.check-inputs.outputs.major_version }}#fixed-in-$(echo -n ${{ inputs.version}} | sed 's/\.//g')"
-          reason="{{ inputs.release_reason }}"
+          reason="${{ inputs.release_reason }}"
           jq \
             --arg version "${{ inputs.version }}" \
             --arg changelog "See ${changelog_url}" \

.github/workflows/repo-stale.yml

@@ -18,8 +18,8 @@ jobs:
         uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
         with:
           app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-      - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10
+          private-key: ${{ secrets.GH_APP_PRIV_KEY }}
+      - uses: actions/stale@997185467fa4f803885201cee163a9f38240193d # v10
         with:
           repo-token: ${{ steps.generate_token.outputs.token }}
           days-before-stale: 60

.github/workflows/translation-extract-compile.yml

@@ -24,7 +24,7 @@ jobs:
         uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
         with:
           app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+          private-key: ${{ secrets.GH_APP_PRIV_KEY }}
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
         if: ${{ github.event_name != 'pull_request' }}
         with:

CODEOWNERS

@@ -34,7 +34,6 @@ packages/docusaurus-config              @goauthentik/frontend
 packages/esbuild-plugin-live-reload     @goauthentik/frontend
 packages/eslint-config                  @goauthentik/frontend
 packages/prettier-config                @goauthentik/frontend
-packages/logger-js                      @goauthentik/frontend
 packages/tsconfig                       @goauthentik/frontend
 # Web
 web/                                    @goauthentik/frontend

Makefile

@@ -168,22 +168,12 @@ gen-build:  ## Extract the schema from the database
 gen-compose:
 	$(UV) run scripts/generate_compose.py
 
-gen-changelog:  ## (Release) generate the changelog based from the commits since the last version
-# These are best-effort guesses based on commit messages
-	$(eval last_version := $(shell git tag --list 'version/*' --sort 'version:refname' | grep -vE 'rc\d+$$' | tail -1))
-	$(eval current_commit := $(shell git rev-parse HEAD))
-	git log --pretty=format:"- %s" $(shell git merge-base ${last_version} ${current_commit})...${current_commit} > merged_to_current
-	git log --pretty=format:"- %s" $(shell git merge-base ${last_version} ${current_commit})...${last_version} > merged_to_last
-	grep -Eo 'cherry-pick (#\d+)' merged_to_last | cut -d ' ' -f 2 | sed 's/.*/(&)$$/' > cherry_picked_to_last
-	grep -vf cherry_picked_to_last merged_to_current | sort > changelog.md
-	rm merged_to_current
-	rm merged_to_last
-	rm cherry_picked_to_last
+gen-changelog:  ## (Release) generate the changelog based from the commits since the last tag
+	git log --pretty=format:" - %s" $(shell git describe --tags $(shell git rev-list --tags --max-count=1))...$(shell git branch --show-current) | sort > changelog.md
 	npx prettier --write changelog.md
 
-gen-diff:  ## (Release) generate the changelog diff between the current schema and the last version
-	$(eval last_version := $(shell git tag --list 'version/*' --sort 'version:refname' | grep -vE 'rc\d+$$' | tail -1))
-	git show ${last_version}:schema.yml > schema-old.yml
+gen-diff:  ## (Release) generate the changelog diff between the current schema and the last tag
+	git show $(shell git describe --tags $(shell git rev-list --tags --max-count=1)):schema.yml > schema-old.yml
 	docker compose -f scripts/api/compose.yml run --rm --user "${UID}:${GID}" diff \
 		--markdown \
 		/local/diff.md \

SECURITY.md

@@ -18,10 +18,10 @@ Even if the issue is not a CVE, we still greatly appreciate your help in hardeni
 
 (.x being the latest patch release for each version)
 
-| Version    | Supported  |
-| ---------- | ---------- |
-| 2025.12.x  | ✅         |
-| 2026.2.x   | ✅         |
+| Version   | Supported |
+| --------- | --------- |
+| 2025.12.x | ✅        |
+| 2026.2.x  | ✅        |
 
 ## Reporting a Vulnerability
 
@@ -60,6 +60,40 @@ authentik reserves the right to reclassify CVSS as necessary. To determine sever
 | 7.0 – 8.9  | High     |
 | 9.0 – 10.0 | Critical |
 
+## Intended functionality
+
+The following capabilities are part of intentional system design and should not be reported as security vulnerabilities:
+
+- Expressions (property mappings/policies/prompts) can execute arbitrary Python code without safeguards.
+
+This is expected behavior. Any user with permission to create or modify objects containing expression fields can write code that is executed within authentik. If a vulnerability allows a user without the required permissions to write or modify code and have it executed, that would be a valid security report.
+
+However, the fact that expressions are executed as part of normal operations is not considered a privilege escalation or security vulnerability.
+
+- Blueprints can access all files on the filesystem.
+
+This access is intentional to allow legitimate configuration and deployment tasks. It does not represent a security problem by itself.
+
+- Importing blueprints allows arbitrary modification of application objects.
+
+This is intended functionality. This behavior reflects the privileged design of blueprint imports. It is "exploitable" when importing blueprints from untrusted sources without reviewing the blueprint beforehand. However, any method to create, modify or execute blueprints without the required permissions would be a valid security report.
+
+- Flow imports may contain objects other than flows (such as policies, users, groups, etc.)
+
+This is expected behavior as flow imports are blueprint files.
+
+- Prompt HTML is not escaped.
+
+Prompts intentionally allow raw HTML, including script tags, so they can be used to create interactive or customized user interface elements. Because of this, scripts within prompts may affect or interact with the surrounding page as designed.
+
+- Open redirects that do not include tokens or other sensitive information are not considered a security vulnerability.
+
+Redirects that only change navigation flow and do not expose session tokens, API keys, or other confidential data are considered acceptable and do not require reporting.
+
+- Outgoing network requests are not filtered.
+
+The destinations of outgoing network requests (HTTP, TCP, etc.) made by authentik to configurable endpoints through objects such as OAuth Sources, SSO Providers, and others are not validated. Depending on your threat model, these requests should be restricted at the network level using appropriate firewall or network policies.
+
 ## Disclosure process
 
 1. Report from Github or Issue is reported via Email as listed above.

authentik/__init__.py

@@ -3,7 +3,7 @@
 from functools import lru_cache
 from os import environ
 
-VERSION = "2026.5.0-rc1"
+VERSION = "2026.2.3"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
 
 

authentik/admin/files/backends/base.py

@@ -94,7 +94,7 @@ class Backend:
 
         Args:
             file_path: Relative file path
-            request: Optional Django HttpRequest for fully qualified URL building
+            request: Optional Django HttpRequest for fully qualifed URL building
             use_cache: whether to retrieve the URL from cache
 
         Returns:

authentik/admin/files/backends/s3.py

@@ -100,25 +100,13 @@ class S3Backend(ManageableBackend):
             f"storage.{self.usage.value}.{self.name}.addressing_style",
             CONFIG.get(f"storage.{self.name}.addressing_style", "auto"),
         )
-        signature_version = CONFIG.get(
-            f"storage.{self.usage.value}.{self.name}.signature_version",
-            CONFIG.get(f"storage.{self.name}.signature_version", "s3v4"),
-        )
-        # Keep signature_version pass-through and let boto3/botocore handle it.
-        # In boto3's S3 configuration docs, `s3v4` (default) and deprecated `s3`
-        # are the documented values:
-        # https://github.com/boto/boto3/blob/791a3e8f36d83664a47b4281a0586b3546cef3ec/docs/source/guide/configuration.rst?plain=1#L398-L407
-        # Botocore also supports additional signer names, so we intentionally do
-        # not enforce a restricted allowlist here.
 
         return self.session.client(
             "s3",
             endpoint_url=endpoint_url,
             use_ssl=use_ssl,
             region_name=region_name,
-            config=Config(
-                signature_version=signature_version, s3={"addressing_style": addressing_style}
-            ),
+            config=Config(signature_version="s3v4", s3={"addressing_style": addressing_style}),
         )
 
     @property

authentik/admin/files/backends/tests/test_s3_backend.py

@@ -1,6 +1,5 @@
 from unittest import skipUnless
 
-from botocore.exceptions import UnsupportedSignatureVersionError
 from django.test import TestCase
 
 from authentik.admin.files.tests.utils import FileTestS3BackendMixin, s3_test_server_available
@@ -82,27 +81,6 @@ class TestS3Backend(FileTestS3BackendMixin, TestCase):
         self.assertIn("X-Amz-Signature=", url)
         self.assertIn("test.png", url)
 
-    def test_client_signature_version_default_v4(self):
-        """Test S3 client defaults to v4 signature when not configured."""
-        self.assertEqual(self.media_s3_backend.client.meta.config.signature_version, "s3v4")
-
-    @CONFIG.patch("storage.s3.signature_version", "s3")
-    def test_client_signature_version_global_override(self):
-        """Test S3 client respects globally configured signature version."""
-        self.assertEqual(self.media_s3_backend.client.meta.config.signature_version, "s3")
-
-    @CONFIG.patch("storage.s3.signature_version", "s3v4")
-    @CONFIG.patch("storage.media.s3.signature_version", "s3")
-    def test_client_signature_version_media_override(self):
-        """Test usage-specific signature version takes precedence over global."""
-        self.assertEqual(self.media_s3_backend.client.meta.config.signature_version, "s3")
-
-    @CONFIG.patch("storage.media.s3.signature_version", "not-a-real-signature")
-    def test_client_signature_version_unsupported(self):
-        """Test unsupported signature version raises botocore error."""
-        with self.assertRaises(UnsupportedSignatureVersionError):
-            self.media_s3_backend.file_url("test.png", use_cache=False)
-
     @CONFIG.patch("storage.s3.bucket_name", "test-bucket")
     def test_file_exists_true(self):
         """Test file_exists returns True for existing file"""

authentik/api/authentication.py

@@ -42,11 +42,29 @@ def validate_auth(header: bytes, format="bearer") -> str | None:
     return auth_credentials
 
 
-class IPCUser(AnonymousUser):
+class VirtualUser(AnonymousUser):
+    is_active = True
+
+    @property
+    def type(self):
+        return UserTypes.INTERNAL_SERVICE_ACCOUNT
+
+    @property
+    def is_anonymous(self):
+        return False
+
+    @property
+    def is_authenticated(self):
+        return True
+
+    def all_roles(self):
+        return []
+
+
+class IPCUser(VirtualUser):
     """'Virtual' user for IPC communication between authentik core and the authentik router"""
 
     username = "authentik:system"
-    is_active = True
     is_superuser = True
 
     @property
@@ -62,17 +80,6 @@ class IPCUser(AnonymousUser):
     def has_module_perms(self, module):
         return True
 
-    @property
-    def is_anonymous(self):
-        return False
-
-    @property
-    def is_authenticated(self):
-        return True
-
-    def all_roles(self):
-        return []
-
 
 class TokenAuthentication(BaseAuthentication):
     """Token-based authentication using HTTP Bearer authentication"""

authentik/api/schema.py

@@ -71,7 +71,7 @@ def postprocess_schema_responses(
 def postprocess_schema_query_params(
     result: dict[str, Any], generator: SchemaGenerator, **kwargs
 ) -> dict[str, Any]:
-    """Optimize pagination parameters, instead of redeclaring parameters for each endpoint
+    """Optimise pagination parameters, instead of redeclaring parameters for each endpoint
     declare them globally and refer to them"""
     LOGGER.debug("Deduplicating query parameters")
     for path in result["paths"].values():

authentik/api/tests/test_viewsets.py

@@ -1,31 +1,73 @@
 """authentik API Modelviewset tests"""
 
 from collections.abc import Callable
+from urllib.parse import urlencode
 
 from django.test import TestCase
 from rest_framework.viewsets import ModelViewSet, ReadOnlyModelViewSet
 
+from authentik.admin.api.version_history import VersionHistoryViewSet
 from authentik.api.v3.urls import router
+from authentik.core.tests.utils import RequestFactory, create_test_admin_user
+from authentik.lib.generators import generate_id
+from authentik.tenants.api.domains import DomainViewSet
+from authentik.tenants.api.tenants import TenantViewSet
+from authentik.tenants.utils import get_current_tenant
 
 
 class TestModelViewSets(TestCase):
     """Test Viewset"""
 
+    def setUp(self):
+        self.user = create_test_admin_user()
+        self.factory = RequestFactory()
 
-def viewset_tester_factory(test_viewset: type[ModelViewSet]) -> Callable:
+
+def viewset_tester_factory(test_viewset: type[ModelViewSet], full=True) -> dict[str, Callable]:
     """Test Viewset"""
 
-    def tester(self: TestModelViewSets):
-        self.assertIsNotNone(getattr(test_viewset, "search_fields", None))
+    def test_attrs(self: TestModelViewSets) -> None:
+        """Test attributes we require on all viewsets"""
         self.assertIsNotNone(getattr(test_viewset, "ordering", None))
+        self.assertIsNotNone(getattr(test_viewset, "search_fields", None))
         filterset_class = getattr(test_viewset, "filterset_class", None)
         if not filterset_class:
             self.assertIsNotNone(getattr(test_viewset, "filterset_fields", None))
 
-    return tester
+    def test_ordering(self: TestModelViewSets) -> None:
+        """Test that all ordering fields are correct"""
+        view = test_viewset.as_view({"get": "list"})
+        for ordering_field in test_viewset.ordering:
+            with self.subTest(ordering_field):
+                req = self.factory.get(
+                    f"/?{urlencode({'ordering': ordering_field}, doseq=True)}", user=self.user
+                )
+                req.tenant = get_current_tenant()
+                res = view(req)
+                self.assertEqual(res.status_code, 200)
+
+    def test_search(self: TestModelViewSets) -> None:
+        """Test that search fields are correct"""
+        view = test_viewset.as_view({"get": "list"})
+        req = self.factory.get(
+            f"/?{urlencode({'search': generate_id()}, doseq=True)}", user=self.user
+        )
+        req.tenant = get_current_tenant()
+        res = view(req)
+        self.assertEqual(res.status_code, 200)
+
+    cases = {
+        "attrs": test_attrs,
+    }
+    if full:
+        cases["ordering"] = test_ordering
+        cases["search"] = test_search
+    return cases
 
 
 for _, viewset, _ in router.registry:
     if not issubclass(viewset, ModelViewSet | ReadOnlyModelViewSet):
         continue
-    setattr(TestModelViewSets, f"test_viewset_{viewset.__name__}", viewset_tester_factory(viewset))
+    full = viewset not in [VersionHistoryViewSet, DomainViewSet, TenantViewSet]
+    for test, case in viewset_tester_factory(viewset, full=full).items():
+        setattr(TestModelViewSets, f"test_viewset_{viewset.__name__}_{test}", case)

authentik/blueprints/apps.py

@@ -3,7 +3,6 @@
 import traceback
 from collections.abc import Callable
 from importlib import import_module
-from inspect import ismethod
 
 from django.apps import AppConfig
 from django.conf import settings
@@ -72,12 +71,19 @@ class ManagedAppConfig(AppConfig):
 
     def _reconcile(self, prefix: str) -> None:
         for meth_name in dir(self):
-            meth = getattr(self, meth_name)
-            if not ismethod(meth):
+            # Check the attribute on the class to avoid evaluating @property descriptors.
+            # Using getattr(self, ...) on a @property would evaluate it, which can trigger
+            # expensive side effects (e.g. tenant_schedule_specs iterating all providers
+            # and running PolicyEngine queries for every user).
+            class_attr = getattr(type(self), meth_name, None)
+            if class_attr is None or isinstance(class_attr, property):
                 continue
-            category = getattr(meth, "_authentik_managed_reconcile", None)
+            if not callable(class_attr):
+                continue
+            category = getattr(class_attr, "_authentik_managed_reconcile", None)
             if category != prefix:
                 continue
+            meth = getattr(self, meth_name)
             name = meth_name.replace(prefix, "")
             try:
                 self.logger.debug("Starting reconciler", name=name)

authentik/blueprints/v1/importer.py

@@ -272,7 +272,7 @@ class Importer:
             and entry.state != BlueprintEntryDesiredState.MUST_CREATED
         ):
             self.logger.debug(
-                "Initialize serializer with instance",
+                "Initialise serializer with instance",
                 model=model,
                 instance=model_instance,
                 pk=model_instance.pk,
@@ -290,7 +290,7 @@ class Importer:
             )
         else:
             self.logger.debug(
-                "Initialized new serializer instance",
+                "Initialised new serializer instance",
                 model=model,
                 **cleanse_dict(updated_identifiers),
             )

authentik/core/api/application_entitlements.py

@@ -47,7 +47,8 @@ class ApplicationEntitlementViewSet(UsedByMixin, ModelViewSet):
     search_fields = [
         "pbm_uuid",
         "name",
-        "app",
+        "app__name",
+        "app__slug",
         "attributes",
     ]
     filterset_fields = [

authentik/core/api/applications.py

@@ -47,7 +47,12 @@ class ApplicationSerializer(ModelSerializer):
     """Application Serializer"""
 
     launch_url = SerializerMethodField()
-    provider_obj = ProviderSerializer(source="get_provider", required=False, read_only=True)
+    provider_obj = ProviderSerializer(
+        source="get_provider",
+        required=False,
+        read_only=True,
+        allow_null=True,
+    )
     backchannel_providers_obj = ProviderSerializer(
         source="backchannel_providers", required=False, read_only=True, many=True
     )
@@ -154,14 +159,14 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
         return queryset
 
     def _get_allowed_applications(
-        self, paginated_apps: Iterator[Application], user: User | None = None
+        self, pagined_apps: Iterator[Application], user: User | None = None
     ) -> list[Application]:
         applications = []
         request = self.request._request
         if user:
             request = copy(request)
             request.user = user
-        for application in paginated_apps:
+        for application in pagined_apps:
             engine = PolicyEngine(application, request.user, request)
             engine.build()
             if engine.passing:

authentik/core/api/groups.py

@@ -170,6 +170,25 @@ class GroupSerializer(ModelSerializer):
                 )
         return superuser
 
+    def validate_users(self, users: list) -> list:
+        """Require add_user_to_group permission when adding new members via group PATCH."""
+        request: Request = self.context.get("request", None)
+        if not request:
+            return users
+        if not self.instance:
+            return users
+        # BulkManyRelatedField returns raw PKs, not model instances
+        current_user_pks = set(self.instance.users.values_list("pk", flat=True))
+        new_users = [u.pk for u in users if u.pk not in current_user_pks]
+        if not new_users:
+            return users
+        has_perm = request.user.has_perm(
+            "authentik_core.add_user_to_group"
+        ) or request.user.has_perm("authentik_core.add_user_to_group", self.instance)
+        if not has_perm:
+            raise ValidationError(_("User does not have permission to add members to this group."))
+        return users
+
     class Meta:
         model = Group
         fields = [

authentik/core/api/users.py

@@ -246,6 +246,36 @@ class UserSerializer(ModelSerializer):
             raise ValidationError(_("Setting a user to internal service account is not allowed."))
         return user_type
 
+    def validate_groups(self, groups: list) -> list:
+        """Require enable_group_superuser permission when adding a user to a superuser group."""
+        request: Request = self.context.get("request", None)
+        if not request:
+            return groups
+        current_groups = set(self.instance.groups.all()) if self.instance else set()
+        for group in groups:
+            if not group.is_superuser:
+                continue
+            if group in current_groups:
+                continue
+            if not request.user.has_perm("authentik_core.enable_group_superuser"):
+                raise ValidationError(
+                    _("User does not have permission to add members to a superuser group.")
+                )
+        return groups
+
+    def validate_roles(self, roles: list) -> list:
+        """Require change_role permission when assigning new roles to a user."""
+        request: Request = self.context.get("request", None)
+        if not request:
+            return roles
+        current_roles = set(self.instance.roles.all()) if self.instance else set()
+        new_roles = [r for r in roles if r not in current_roles]
+        if not new_roles:
+            return roles
+        if not request.user.has_perm("authentik_rbac.change_role"):
+            raise ValidationError(_("User does not have permission to assign roles."))
+        return roles
+
     def validate(self, attrs: dict) -> dict:
         if self.instance and self.instance.type == UserTypes.INTERNAL_SERVICE_ACCOUNT:
             raise ValidationError(_("Can't modify internal service account users"))

authentik/core/models.py

@@ -1115,7 +1115,11 @@ class ExpiringModel(models.Model):
         default the object is deleted. This is less efficient compared
         to bulk deleting objects, but classes like Token() need to change
         values instead of being deleted."""
-        return self.delete(*args, **kwargs)
+        try:
+            return self.delete(*args, **kwargs)
+        except self.DoesNotExist:
+            # Object has already been deleted, so this should be fine
+            return None
 
     @classmethod
     def filter_not_expired(cls, **kwargs) -> QuerySet[Self]:

authentik/core/signals.py

@@ -24,7 +24,8 @@ from authentik.root.ws.consumer import build_device_group
 
 # Arguments: user: User, password: str
 password_changed = Signal()
-# Arguments: credentials: dict[str, any], request: HttpRequest, stage: Stage
+# Arguments: credentials: dict[str, any], request: HttpRequest,
+#            stage: Stage, context: dict[str, any]
 login_failed = Signal()
 
 LOGGER = get_logger()

authentik/core/tests/test_groups_api.py

@@ -158,3 +158,58 @@ class TestGroupsAPI(APITestCase):
             data={"name": generate_id(), "is_superuser": True},
         )
         self.assertEqual(res.status_code, 201)
+
+    def test_patch_users_no_perm(self):
+        """PATCH group with new users without add_user_to_group must be rejected."""
+        group = Group.objects.create(name=generate_id())
+        self.login_user.assign_perms_to_managed_role("authentik_core.view_group", group)
+        self.login_user.assign_perms_to_managed_role("authentik_core.change_group", group)
+        self.client.force_login(self.login_user)
+        res = self.client.patch(
+            reverse("authentik_api:group-detail", kwargs={"pk": group.pk}),
+            data={"users": [self.user.pk]},
+            content_type="application/json",
+        )
+        self.assertEqual(res.status_code, 400)
+
+    def test_patch_users_with_global_perm(self):
+        """PATCH group with new users with global add_user_to_group must succeed."""
+        group = Group.objects.create(name=generate_id())
+        self.login_user.assign_perms_to_managed_role("authentik_core.view_group", group)
+        self.login_user.assign_perms_to_managed_role("authentik_core.change_group", group)
+        self.login_user.assign_perms_to_managed_role("authentik_core.add_user_to_group")
+        self.client.force_login(self.login_user)
+        res = self.client.patch(
+            reverse("authentik_api:group-detail", kwargs={"pk": group.pk}),
+            data={"users": [self.user.pk]},
+            content_type="application/json",
+        )
+        self.assertEqual(res.status_code, 200)
+
+    def test_patch_users_with_obj_perm(self):
+        """PATCH group with new users with object-level add_user_to_group must succeed."""
+        group = Group.objects.create(name=generate_id())
+        self.login_user.assign_perms_to_managed_role("authentik_core.view_group", group)
+        self.login_user.assign_perms_to_managed_role("authentik_core.change_group", group)
+        self.login_user.assign_perms_to_managed_role("authentik_core.add_user_to_group", group)
+        self.client.force_login(self.login_user)
+        res = self.client.patch(
+            reverse("authentik_api:group-detail", kwargs={"pk": group.pk}),
+            data={"users": [self.user.pk]},
+            content_type="application/json",
+        )
+        self.assertEqual(res.status_code, 200)
+
+    def test_patch_existing_users_no_perm(self):
+        """PATCH group keeping existing membership without add_user_to_group must succeed."""
+        group = Group.objects.create(name=generate_id())
+        group.users.add(self.user)
+        self.login_user.assign_perms_to_managed_role("authentik_core.view_group", group)
+        self.login_user.assign_perms_to_managed_role("authentik_core.change_group", group)
+        self.client.force_login(self.login_user)
+        res = self.client.patch(
+            reverse("authentik_api:group-detail", kwargs={"pk": group.pk}),
+            data={"users": [self.user.pk]},
+            content_type="application/json",
+        )
+        self.assertEqual(res.status_code, 200)

authentik/core/tests/test_property_mapping_api.py

@@ -63,7 +63,7 @@ class TestPropertyMappingAPI(APITestCase):
             PropertyMappingSerializer().validate_expression("/")
 
     def test_types(self):
-        """Test PropertyMapping's types endpoint"""
+        """Test PropertyMappigns's types endpoint"""
         response = self.client.get(
             reverse("authentik_api:propertymapping-types"),
         )

authentik/core/tests/test_users_api.py

@@ -11,6 +11,7 @@ from authentik.brands.models import Brand
 from authentik.core.models import (
     USER_ATTRIBUTE_TOKEN_EXPIRING,
     AuthenticatedSession,
+    Group,
     Session,
     Token,
     User,
@@ -24,6 +25,7 @@ from authentik.core.tests.utils import (
 )
 from authentik.flows.models import FlowAuthenticationRequirement, FlowDesignation
 from authentik.lib.generators import generate_id, generate_key
+from authentik.rbac.models import Role
 from authentik.stages.email.models import EmailStage
 
 
@@ -878,3 +880,79 @@ class TestUsersAPI(APITestCase):
         self.assertIn(user2.pk, pks)
         # Verify user2 comes before user1 in descending order
         self.assertLess(pks.index(user2.pk), pks.index(user1.pk))
+
+
+class TestUsersAPIGroupRoleValidation(APITestCase):
+    """Test that PATCH /api/v3/core/users/{pk}/ enforces group and role permission checks."""
+
+    def setUp(self) -> None:
+        self.actor = create_test_user()
+        self.target = create_test_user()
+
+    def _patch(self, data: dict):
+        self.client.force_login(self.actor)
+        return self.client.patch(
+            reverse("authentik_api:user-detail", kwargs={"pk": self.target.pk}),
+            data=data,
+            content_type="application/json",
+        )
+
+    def test_patch_superuser_group_no_perm(self):
+        """Assigning a superuser group without enable_group_superuser must be rejected."""
+        self.actor.assign_perms_to_managed_role("authentik_core.view_user")
+        self.actor.assign_perms_to_managed_role("authentik_core.change_user", self.target)
+        group = Group.objects.create(name=generate_id(), is_superuser=True)
+        res = self._patch({"groups": [str(group.pk)]})
+        self.assertEqual(res.status_code, 400)
+
+    def test_patch_superuser_group_with_perm(self):
+        """Assigning a superuser group with enable_group_superuser must succeed."""
+        self.actor.assign_perms_to_managed_role("authentik_core.view_user")
+        self.actor.assign_perms_to_managed_role("authentik_core.change_user", self.target)
+        self.actor.assign_perms_to_managed_role("authentik_core.enable_group_superuser")
+        group = Group.objects.create(name=generate_id(), is_superuser=True)
+        res = self._patch({"groups": [str(group.pk)]})
+        self.assertEqual(res.status_code, 200)
+
+    def test_patch_non_superuser_group_no_perm(self):
+        """Assigning a non-superuser group without special permission must succeed."""
+        self.actor.assign_perms_to_managed_role("authentik_core.view_user")
+        self.actor.assign_perms_to_managed_role("authentik_core.change_user", self.target)
+        group = Group.objects.create(name=generate_id(), is_superuser=False)
+        res = self._patch({"groups": [str(group.pk)]})
+        self.assertEqual(res.status_code, 200)
+
+    def test_patch_existing_superuser_group_no_perm(self):
+        """Keeping an existing superuser group membership without the permission must succeed."""
+        self.actor.assign_perms_to_managed_role("authentik_core.view_user")
+        self.actor.assign_perms_to_managed_role("authentik_core.change_user", self.target)
+        group = Group.objects.create(name=generate_id(), is_superuser=True)
+        self.target.groups.add(group)
+        res = self._patch({"groups": [str(group.pk)]})
+        self.assertEqual(res.status_code, 200)
+
+    def test_patch_role_no_perm(self):
+        """Assigning a new role without change_role must be rejected."""
+        self.actor.assign_perms_to_managed_role("authentik_core.view_user")
+        self.actor.assign_perms_to_managed_role("authentik_core.change_user", self.target)
+        role = Role.objects.create(name=generate_id())
+        res = self._patch({"roles": [str(role.pk)]})
+        self.assertEqual(res.status_code, 400)
+
+    def test_patch_role_with_perm(self):
+        """Assigning a new role with change_role must succeed."""
+        self.actor.assign_perms_to_managed_role("authentik_core.view_user")
+        self.actor.assign_perms_to_managed_role("authentik_core.change_user", self.target)
+        self.actor.assign_perms_to_managed_role("authentik_rbac.change_role")
+        role = Role.objects.create(name=generate_id())
+        res = self._patch({"roles": [str(role.pk)]})
+        self.assertEqual(res.status_code, 200)
+
+    def test_patch_existing_role_no_perm(self):
+        """Keeping an existing role without change_role must succeed."""
+        self.actor.assign_perms_to_managed_role("authentik_core.view_user")
+        self.actor.assign_perms_to_managed_role("authentik_core.change_user", self.target)
+        role = Role.objects.create(name=generate_id())
+        self.target.roles.add(role)
+        res = self._patch({"roles": [str(role.pk)]})
+        self.assertEqual(res.status_code, 200)

authentik/endpoints/api/stages.py

@@ -1,8 +1,11 @@
+from django.utils.translation import gettext_lazy as _
+from rest_framework.exceptions import ValidationError
 from rest_framework.viewsets import ModelViewSet
 
 from authentik.core.api.used_by import UsedByMixin
 from authentik.endpoints.api.connectors import ConnectorSerializer
-from authentik.endpoints.models import EndpointStage
+from authentik.endpoints.controller import Capabilities
+from authentik.endpoints.models import Connector, EndpointStage
 from authentik.flows.api.stages import StageSerializer
 
 
@@ -11,6 +14,13 @@ class EndpointStageSerializer(StageSerializer):
 
     connector_obj = ConnectorSerializer(source="connector", read_only=True)
 
+    def validate_connector(self, connector: Connector) -> Connector:
+        conn: Connector = Connector.objects.get_subclass(pk=connector.pk)
+        controller = conn.controller(conn)
+        if Capabilities.STAGE_ENDPOINTS not in controller.capabilities():
+            raise ValidationError(_("Selected connector is not compatible with this stage."))
+        return connector
+
     class Meta:
         model = EndpointStage
         fields = StageSerializer.Meta.fields + [

authentik/endpoints/connectors/agent/api/connectors.py

@@ -7,7 +7,7 @@ from drf_spectacular.utils import OpenApiParameter, OpenApiResponse, extend_sche
 from rest_framework.decorators import action
 from rest_framework.exceptions import PermissionDenied, ValidationError
 from rest_framework.fields import ChoiceField
-from rest_framework.permissions import IsAuthenticated
+from rest_framework.permissions import AllowAny, IsAuthenticated
 from rest_framework.relations import PrimaryKeyRelatedField
 from rest_framework.request import Request
 from rest_framework.response import Response
@@ -44,7 +44,6 @@ from authentik.stages.password.stage import PLAN_CONTEXT_METHOD, PLAN_CONTEXT_ME
 
 
 class AgentConnectorSerializer(ConnectorSerializer):
-
     class Meta(ConnectorSerializer.Meta):
         model = AgentConnector
         fields = ConnectorSerializer.Meta.fields + [
@@ -87,7 +86,6 @@ class AgentConnectorViewSet(
     UsedByMixin,
     ModelViewSet,
 ):
-
     queryset = AgentConnector.objects.all()
     serializer_class = AgentConnectorSerializer
     search_fields = ["name"]
@@ -119,6 +117,8 @@ class AgentConnectorViewSet(
         methods=["POST"],
         detail=False,
         authentication_classes=[AgentEnrollmentAuth],
+        # Permissions are handled via AgentEnrollmentAuth
+        permission_classes=[AllowAny],
     )
     def enroll(self, request: Request):
         token: EnrollmentToken = request.auth
@@ -149,7 +149,13 @@ class AgentConnectorViewSet(
         request=OpenApiTypes.NONE,
         responses=AgentConfigSerializer(),
     )
-    @action(methods=["GET"], detail=False, authentication_classes=[AgentAuth])
+    @action(
+        methods=["GET"],
+        detail=False,
+        authentication_classes=[AgentAuth],
+        # Permissions are handled via AgentAuth
+        permission_classes=[AllowAny],
+    )
     def agent_config(self, request: Request):
         token: DeviceToken = request.auth
         connector: AgentConnector = token.device.connector.agentconnector
@@ -163,7 +169,13 @@ class AgentConnectorViewSet(
         request=DeviceFacts(),
         responses={204: OpenApiResponse(description="Successfully checked in")},
     )
-    @action(methods=["POST"], detail=False, authentication_classes=[AgentAuth])
+    @action(
+        methods=["POST"],
+        detail=False,
+        authentication_classes=[AgentAuth],
+        # Permissions are handled via AgentAuth
+        permission_classes=[AllowAny],
+    )
     def check_in(self, request: Request):
         token: DeviceToken = request.auth
         data = DeviceFacts(data=request.data)

authentik/endpoints/connectors/agent/api/enrollment_tokens.py

@@ -18,7 +18,10 @@ from authentik.rbac.decorators import permission_required
 class EnrollmentTokenSerializer(ModelSerializer):
 
     device_group_obj = DeviceAccessGroupSerializer(
-        source="device_group", read_only=True, required=False
+        source="device_group",
+        read_only=True,
+        required=False,
+        allow_null=True,
     )
 
     def __init__(self, *args, **kwargs) -> None:

authentik/endpoints/connectors/agent/auth.py

@@ -1,5 +1,6 @@
 from typing import Any
 
+from django.db.models import Model
 from django.http import HttpRequest
 from django.utils.timezone import now
 from drf_spectacular.extensions import OpenApiAuthenticationExtension
@@ -9,7 +10,7 @@ from rest_framework.exceptions import PermissionDenied
 from rest_framework.request import Request
 from structlog.stdlib import get_logger
 
-from authentik.api.authentication import IPCUser, validate_auth
+from authentik.api.authentication import VirtualUser, validate_auth
 from authentik.core.middleware import CTX_AUTH_VIA
 from authentik.core.models import User
 from authentik.crypto.apps import MANAGED_KEY
@@ -25,9 +26,19 @@ LOGGER = get_logger()
 PLATFORM_ISSUER = "goauthentik.io/platform"
 
 
-class DeviceUser(IPCUser):
+class DeviceUser(VirtualUser):
+
     username = "authentik:endpoints:device"
 
+    def has_perm(self, perm: str, obj: Model | None = None) -> bool:
+        print(perm)
+        if perm in [
+            "authentik_core.view_user",
+            "authentik_core.view_group",
+        ]:
+            return True
+        return False
+
 
 class AgentEnrollmentAuth(BaseAuthentication):
 
@@ -37,6 +48,8 @@ class AgentEnrollmentAuth(BaseAuthentication):
         token = EnrollmentToken.filter_not_expired(key=key).first()
         if not token:
             raise PermissionDenied()
+        if not token.connector.enabled:
+            raise PermissionDenied()
         CTX_AUTH_VIA.set("endpoint_token_enrollment")
         return (DeviceUser(), token)
 
@@ -51,6 +64,8 @@ class AgentAuth(BaseAuthentication):
         device_token = DeviceToken.filter_not_expired(key=key).first()
         if not device_token:
             raise PermissionDenied()
+        if not device_token.device.connector.enabled:
+            raise PermissionDenied()
         if device_token.device.device.is_expired:
             raise PermissionDenied()
         CTX_AUTH_VIA.set("endpoint_token")

authentik/endpoints/connectors/agent/controller.py

@@ -8,7 +8,7 @@ from rest_framework.fields import CharField
 
 from authentik.core.api.utils import PassiveSerializer
 from authentik.endpoints.connectors.agent.models import AgentConnector, EnrollmentToken
-from authentik.endpoints.controller import BaseController
+from authentik.endpoints.controller import BaseController, Capabilities
 from authentik.endpoints.facts import OSFamily
 
 
@@ -48,8 +48,8 @@ class AgentConnectorController(BaseController[AgentConnector]):
     def vendor_identifier() -> str:
         return "goauthentik.io/platform"
 
-    def supported_enrollment_methods(self):
-        return []
+    def capabilities(self) -> list[Capabilities]:
+        return [Capabilities.STAGE_ENDPOINTS]
 
     def generate_mdm_config(
         self, target_platform: OSFamily, request: HttpRequest, token: EnrollmentToken

authentik/endpoints/connectors/agent/tests/test_agent_api.py

@@ -58,6 +58,16 @@ class TestAgentAPI(APITestCase):
         )
         self.assertEqual(response.status_code, 200)
 
+    def test_enroll_disabled(self):
+        self.connector.enabled = False
+        self.connector.save()
+        response = self.client.post(
+            reverse("authentik_api:agentconnector-enroll"),
+            data={"device_serial": generate_id(), "device_name": "bar"},
+            HTTP_AUTHORIZATION=f"Bearer {self.token.key}",
+        )
+        self.assertEqual(response.status_code, 403)
+
     def test_enroll_token_delete(self):
         response = self.client.post(
             reverse("authentik_api:agentconnector-enroll"),
@@ -104,6 +114,16 @@ class TestAgentAPI(APITestCase):
         )
         self.assertEqual(response.status_code, 200)
 
+    @reconcile_app("authentik_crypto")
+    def test_config_disabled(self):
+        self.connector.enabled = False
+        self.connector.save()
+        response = self.client.get(
+            reverse("authentik_api:agentconnector-agent-config"),
+            HTTP_AUTHORIZATION=f"Bearer+agent {self.device_token.key}",
+        )
+        self.assertEqual(response.status_code, 403)
+
     def test_check_in(self):
         response = self.client.post(
             reverse("authentik_api:agentconnector-check-in"),
@@ -112,6 +132,16 @@ class TestAgentAPI(APITestCase):
         )
         self.assertEqual(response.status_code, 204)
 
+    def test_check_in_disabled(self):
+        self.connector.enabled = False
+        self.connector.save()
+        response = self.client.post(
+            reverse("authentik_api:agentconnector-check-in"),
+            data=CHECK_IN_DATA_VALID,
+            HTTP_AUTHORIZATION=f"Bearer+agent {self.device_token.key}",
+        )
+        self.assertEqual(response.status_code, 403)
+
     def test_check_in_token_expired(self):
         self.device_token.expiring = True
         self.device_token.expires = now() - timedelta(hours=1)
@@ -193,3 +223,17 @@ class TestAgentAPI(APITestCase):
             data={"platform": OSFamily.macOS, "enrollment_token": self.token.pk},
         )
         self.assertEqual(res.status_code, 200)
+
+    def test_users_list(self):
+        response = self.client.get(
+            reverse("authentik_api:user-list"),
+            HTTP_AUTHORIZATION=f"Bearer+agent {self.device_token.key}",
+        )
+        self.assertEqual(response.status_code, 200)
+
+    def test_other_api_forbidden(self):
+        response = self.client.get(
+            reverse("authentik_api:application-list"),
+            HTTP_AUTHORIZATION=f"Bearer+agent {self.device_token.key}",
+        )
+        self.assertEqual(response.status_code, 403)

authentik/endpoints/controller.py

@@ -8,13 +8,15 @@ from authentik.lib.sentry import SentryIgnoredException
 MERGED_VENDOR = "goauthentik.io/@merged"
 
 
-class EnrollmentMethods(models.TextChoices):
+class Capabilities(models.TextChoices):
     # Automatically enrolled through user action
-    AUTOMATIC_USER = "automatic_user"
+    ENROLL_AUTOMATIC_USER = "enroll_automatic_user"
     # Automatically enrolled through connector integration
-    AUTOMATIC_API = "automatic_api"
+    ENROLL_AUTOMATIC_API = "enroll_automatic_api"
     # Manually enrolled with user interaction (user scanning a QR code for example)
-    MANUAL_USER = "manual_user"
+    ENROLL_MANUAL_USER = "enroll_manual_user"
+    # Supported for use with Endpoints stage
+    STAGE_ENDPOINTS = "stage_endpoints"
 
 
 class ConnectorSyncException(SentryIgnoredException):
@@ -34,7 +36,7 @@ class BaseController[T: "Connector"]:
     def vendor_identifier() -> str:
         raise NotImplementedError
 
-    def supported_enrollment_methods(self) -> list[EnrollmentMethods]:
+    def capabilities(self) -> list[Capabilities]:
         return []
 
     def stage_view_enrollment(self) -> StageView | None:
@@ -42,3 +44,6 @@ class BaseController[T: "Connector"]:
 
     def stage_view_authentication(self) -> StageView | None:
         return None
+
+    def sync_endpoints(self):
+        raise NotImplementedError

authentik/endpoints/models.py

@@ -162,8 +162,11 @@ class Connector(ScheduledModel, SerializerModel):
 
     @property
     def schedule_specs(self) -> list[ScheduleSpec]:
+        from authentik.endpoints.controller import Capabilities
         from authentik.endpoints.tasks import endpoints_sync
 
+        if Capabilities.ENROLL_AUTOMATIC_API not in self.controller(self).capabilities():
+            return []
         return [
             ScheduleSpec(
                 actor=endpoints_sync,

authentik/endpoints/stage.py

@@ -1,4 +1,4 @@
-from authentik.endpoints.models import EndpointStage, StageMode
+from authentik.endpoints.models import Connector, EndpointStage, StageMode
 from authentik.flows.stage import StageView
 
 PLAN_CONTEXT_ENDPOINT_CONNECTOR = "endpoint_connector"
@@ -8,7 +8,10 @@ class EndpointStageView(StageView):
 
     def _get_inner(self) -> StageView | None:
         stage: EndpointStage = self.executor.current_stage
-        inner_stage: type[StageView] | None = stage.connector.stage
+        connector: Connector = stage.connector
+        if not connector.enabled:
+            return None
+        inner_stage: type[StageView] | None = connector.stage
         if not inner_stage:
             return None
         return inner_stage(self.executor, request=self.request)

authentik/endpoints/tasks.py

@@ -6,7 +6,7 @@ from django.utils.translation import gettext_lazy as _
 from dramatiq.actor import actor
 from structlog.stdlib import get_logger
 
-from authentik.endpoints.controller import EnrollmentMethods
+from authentik.endpoints.controller import Capabilities
 from authentik.endpoints.models import Connector
 
 LOGGER = get_logger()
@@ -17,11 +17,11 @@ def endpoints_sync(connector_pk: Any):
     connector: Connector | None = (
         Connector.objects.filter(pk=connector_pk).select_subclasses().first()
     )
-    if not connector:
+    if not connector or not connector.enabled:
         return
     controller = connector.controller
     ctrl = controller(connector)
-    if EnrollmentMethods.AUTOMATIC_API not in ctrl.supported_enrollment_methods():
+    if Capabilities.ENROLL_AUTOMATIC_API not in ctrl.capabilities():
         return
     LOGGER.info("Syncing connector", connector=connector.name)
     ctrl.sync_endpoints()

authentik/endpoints/tests/test_api.py

@@ -0,0 +1,41 @@
+from django.urls import reverse
+from rest_framework.test import APITestCase
+
+from authentik.core.tests.utils import create_test_admin_user
+from authentik.endpoints.connectors.agent.models import AgentConnector
+from authentik.endpoints.models import StageMode
+from authentik.enterprise.endpoints.connectors.fleet.models import FleetConnector
+from authentik.lib.generators import generate_id
+
+
+class TestAPI(APITestCase):
+    def setUp(self):
+        self.user = create_test_admin_user()
+        self.client.force_login(self.user)
+
+    def test_endpoint_stage_agent(self):
+        connector = AgentConnector.objects.create(name=generate_id())
+        res = self.client.post(
+            reverse("authentik_api:stages-endpoint-list"),
+            data={
+                "name": generate_id(),
+                "connector": str(connector.pk),
+                "mode": StageMode.REQUIRED,
+            },
+        )
+        self.assertEqual(res.status_code, 201)
+
+    def test_endpoint_stage_fleet(self):
+        connector = FleetConnector.objects.create(name=generate_id())
+        res = self.client.post(
+            reverse("authentik_api:stages-endpoint-list"),
+            data={
+                "name": generate_id(),
+                "connector": str(connector.pk),
+                "mode": StageMode.REQUIRED,
+            },
+        )
+        self.assertEqual(res.status_code, 400)
+        self.assertJSONEqual(
+            res.content, {"connector": ["Selected connector is not compatible with this stage."]}
+        )

authentik/endpoints/tests/test_tasks.py

@@ -0,0 +1,35 @@
+from unittest.mock import PropertyMock, patch
+
+from rest_framework.test import APITestCase
+
+from authentik.endpoints.controller import BaseController, Capabilities
+from authentik.endpoints.models import Connector
+from authentik.endpoints.tasks import endpoints_sync
+from authentik.lib.generators import generate_id
+
+
+class TestEndpointTasks(APITestCase):
+    def test_agent_sync(self):
+        class controller(BaseController):
+            def capabilities(self):
+                return [Capabilities.ENROLL_AUTOMATIC_API]
+
+            def sync_endpoints(self):
+                pass
+
+        with patch.object(Connector, "controller", PropertyMock(return_value=controller)):
+            connector = Connector.objects.create(name=generate_id())
+            self.assertEqual(len(connector.schedule_specs), 1)
+
+            endpoints_sync.send(connector.pk).get_result(block=True)
+
+    def test_agent_no_sync(self):
+        class controller(BaseController):
+            def capabilities(self):
+                return []
+
+        with patch.object(Connector, "controller", PropertyMock(return_value=controller)):
+            connector = Connector.objects.create(name=generate_id())
+            self.assertEqual(len(connector.schedule_specs), 0)
+
+            endpoints_sync.send(connector.pk).get_result(block=True)

authentik/enterprise/endpoints/connectors/agent/api/connectors.py

@@ -2,6 +2,7 @@ from django.urls import reverse
 from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import extend_schema
 from rest_framework.decorators import action
+from rest_framework.permissions import AllowAny
 from rest_framework.request import Request
 from rest_framework.response import Response
 from structlog.stdlib import get_logger
@@ -25,7 +26,13 @@ class AgentConnectorViewSetMixin:
         request=OpenApiTypes.NONE,
         responses=AgentAuthenticationResponse(),
     )
-    @action(methods=["POST"], detail=False, authentication_classes=[AgentAuth])
+    @action(
+        methods=["POST"],
+        detail=False,
+        authentication_classes=[AgentAuth],
+        # Permissions are handled via AgentAuth
+        permission_classes=[AllowAny],
+    )
     @enterprise_action
     def auth_ia(self, request: Request) -> Response:
         token: DeviceToken = request.auth

authentik/enterprise/endpoints/connectors/agent/views/auth_interactive.py

@@ -3,6 +3,7 @@ from hmac import compare_digest
 
 from django.http import Http404, HttpRequest, HttpResponse, HttpResponseBadRequest, QueryDict
 
+from authentik.common.oauth.constants import QS_LOGIN_HINT
 from authentik.endpoints.connectors.agent.auth import (
     agent_auth_issue_token,
     check_device_policies,
@@ -14,7 +15,7 @@ from authentik.enterprise.policy import EnterprisePolicyAccessView
 from authentik.flows.exceptions import FlowNonApplicableException
 from authentik.flows.models import in_memory_stage
 from authentik.flows.planner import PLAN_CONTEXT_DEVICE, FlowPlanner
-from authentik.flows.stage import StageView
+from authentik.flows.stage import PLAN_CONTEXT_PENDING_USER_IDENTIFIER, StageView
 from authentik.providers.oauth2.utils import HttpResponseRedirectScheme
 
 QS_AGENT_IA_TOKEN = "ak-auth-ia-token"  # nosec
@@ -64,14 +65,14 @@ class AgentInteractiveAuth(EnterprisePolicyAccessView):
 
         planner = FlowPlanner(self.connector.authorization_flow)
         planner.allow_empty_flows = True
+        context = {
+            PLAN_CONTEXT_DEVICE: self.device,
+            PLAN_CONTEXT_DEVICE_AUTH_TOKEN: self.auth_token,
+        }
+        if QS_LOGIN_HINT in request.GET:
+            context[PLAN_CONTEXT_PENDING_USER_IDENTIFIER] = request.GET[QS_LOGIN_HINT]
         try:
-            plan = planner.plan(
-                self.request,
-                {
-                    PLAN_CONTEXT_DEVICE: self.device,
-                    PLAN_CONTEXT_DEVICE_AUTH_TOKEN: self.auth_token,
-                },
-            )
+            plan = planner.plan(self.request, context)
         except FlowNonApplicableException:
             return self.handle_no_permission_authenticated()
         plan.append_stage(in_memory_stage(AgentAuthFulfillmentStage))
@@ -84,7 +85,6 @@ class AgentInteractiveAuth(EnterprisePolicyAccessView):
 
 
 class AgentAuthFulfillmentStage(StageView):
-
     def get(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
         device: Device = self.executor.plan.context.pop(PLAN_CONTEXT_DEVICE)
         auth_token: DeviceAuthenticationToken = self.executor.plan.context.pop(

authentik/enterprise/endpoints/connectors/fleet/controller.py

@@ -6,7 +6,7 @@ from requests import RequestException
 from rest_framework.exceptions import ValidationError
 
 from authentik.core.models import User
-from authentik.endpoints.controller import BaseController, ConnectorSyncException, EnrollmentMethods
+from authentik.endpoints.controller import BaseController, Capabilities, ConnectorSyncException
 from authentik.endpoints.facts import (
     DeviceFacts,
     OSFamily,
@@ -43,8 +43,8 @@ class FleetController(BaseController[DBC]):
     def vendor_identifier() -> str:
         return "fleetdm.com"
 
-    def supported_enrollment_methods(self) -> list[EnrollmentMethods]:
-        return [EnrollmentMethods.AUTOMATIC_API]
+    def capabilities(self) -> list[Capabilities]:
+        return [Capabilities.ENROLL_AUTOMATIC_API]
 
     def _url(self, path: str) -> str:
         return f"{self.connector.url}{path}"

authentik/enterprise/providers/google_workspace/tests/test_groups.py

@@ -331,7 +331,7 @@ class GoogleWorkspaceGroupTests(TestCase):
                 ).exists()
             )
             self.assertFalse(Event.objects.filter(action=EventAction.SYSTEM_EXCEPTION).exists())
-            self.assertEqual(len(http.requests()), 5)
+            self.assertEqual(len(http.requests()), 7)
 
     def test_sync_discover_multiple(self):
         """Test group discovery"""
@@ -372,7 +372,7 @@ class GoogleWorkspaceGroupTests(TestCase):
                 ).exists()
             )
             self.assertFalse(Event.objects.filter(action=EventAction.SYSTEM_EXCEPTION).exists())
-            self.assertEqual(len(http.requests()), 5)
+            self.assertEqual(len(http.requests()), 7)
             # Change response to trigger update
             http.add_response(
                 f"https://admin.googleapis.com/admin/directory/v1/groups?customer=my_customer&maxResults=500&orderBy=email&key={self.api_key}&alt=json",

authentik/enterprise/providers/google_workspace/tests/test_users.py

@@ -309,7 +309,7 @@ class GoogleWorkspaceUserTests(TestCase):
                 ).exists()
             )
             self.assertFalse(Event.objects.filter(action=EventAction.SYSTEM_EXCEPTION).exists())
-            self.assertEqual(len(http.requests()), 5)
+            self.assertEqual(len(http.requests()), 7)
 
     def test_sync_discover_multiple(self):
         """Test user discovery, running multiple times"""
@@ -352,7 +352,7 @@ class GoogleWorkspaceUserTests(TestCase):
                 ).exists()
             )
             self.assertFalse(Event.objects.filter(action=EventAction.SYSTEM_EXCEPTION).exists())
-            self.assertEqual(len(http.requests()), 5)
+            self.assertEqual(len(http.requests()), 7)
             # Change response, which will trigger a discovery update
             http.add_response(
                 f"https://admin.googleapis.com/admin/directory/v1/users?customer=my_customer&maxResults=500&orderBy=email&key={self.api_key}&alt=json",

authentik/enterprise/providers/ws_federation/processors/sign_in.py

@@ -1,4 +1,5 @@
 from dataclasses import dataclass
+from urllib.parse import urlparse
 
 from django.http import HttpRequest
 from django.shortcuts import get_object_or_404
@@ -55,7 +56,9 @@ class SignInRequest:
         _, provider = req.get_app_provider()
         if not req.wreply:
             req.wreply = provider.acs_url
-        if not req.wreply.startswith(provider.acs_url):
+        reply = urlparse(req.wreply)
+        configured = urlparse(provider.acs_url)
+        if not (reply[:2] == configured[:2] and reply.path.startswith(configured.path)):
             raise ValueError("Invalid wreply")
         return req
 

authentik/enterprise/providers/ws_federation/processors/sign_out.py

@@ -1,4 +1,5 @@
 from dataclasses import dataclass
+from urllib.parse import urlparse
 
 from django.http import HttpRequest
 from django.shortcuts import get_object_or_404
@@ -32,7 +33,9 @@ class SignOutRequest:
         _, provider = req.get_app_provider()
         if not req.wreply:
             req.wreply = provider.acs_url
-        if not req.wreply.startswith(provider.acs_url):
+        reply = urlparse(req.wreply)
+        configured = urlparse(provider.acs_url)
+        if not (reply[:2] == configured[:2] and reply.path.startswith(configured.path)):
             raise ValueError("Invalid wreply")
         return req
 

authentik/enterprise/providers/ws_federation/tests/test_sign_in.py

@@ -27,12 +27,27 @@ class TestWSFedSignIn(TestCase):
             name=generate_id(),
             authorization_flow=self.flow,
             signing_kp=self.cert,
+            acs_url="https://t.goauthentik.io",
+            audience="foo",
         )
         self.app = Application.objects.create(
             name=generate_id(), slug=generate_id(), provider=self.provider
         )
         self.factory = RequestFactory()
 
+    def test_wreply(self):
+        request = self.factory.get(
+            "/?wreply=https://t.goauthentik.io/foo&wa=wsignin1.0&wtrealm=foo",
+            user=get_anonymous_user(),
+        )
+        SignInRequest.parse(request)
+        with self.assertRaises(ValueError):
+            request = self.factory.get(
+                "/?wreply=https://t.goauthentik.io.invalid.com&wa=wsignin1.0&wtrealm=foo",
+                user=get_anonymous_user(),
+            )
+            SignInRequest.parse(request)
+
     def test_token_gen(self):
         request = self.factory.get("/", user=get_anonymous_user())
         proc = SignInProcessor(

authentik/events/api/notification_rules.py

@@ -11,7 +11,9 @@ from authentik.events.models import NotificationRule
 class NotificationRuleSerializer(ModelSerializer):
     """NotificationRule Serializer"""
 
-    destination_group_obj = GroupSerializer(read_only=True, source="destination_group")
+    destination_group_obj = GroupSerializer(
+        read_only=True, source="destination_group", required=False, allow_null=True
+    )
 
     class Meta:
         model = NotificationRule

authentik/events/signals.py

@@ -93,11 +93,13 @@ def on_login_failed(
     credentials: dict[str, str],
     request: HttpRequest,
     stage: Stage | None = None,
+    context: dict[str, Any] | None = None,
     **kwargs,
 ):
     """Failed Login, authentik custom event"""
     user = User.objects.filter(username=credentials.get("username")).first()
-    Event.new(EventAction.LOGIN_FAILED, **credentials, stage=stage, **kwargs).from_http(
+    context = context or {}
+    Event.new(EventAction.LOGIN_FAILED, **credentials, stage=stage, **context).from_http(
         request, user
     )
 

authentik/events/tests/test_event.py

@@ -207,3 +207,9 @@ class TestEvents(TestCase):
                 "username": user.username,
             },
         )
+
+    def test_invalid_string(self):
+        """Test creating an event with invalid unicode string data"""
+        event = Event.new("unittest", foo="foo bar \u0000 baz")
+        event.save()
+        self.assertEqual(event.context["foo"], "foo bar  baz")

authentik/events/utils.py

@@ -36,6 +36,10 @@ ALLOWED_SPECIAL_KEYS = re.compile(
 )
 
 
+def cleanse_str(raw: Any) -> str:
+    return str(raw).replace("\u0000", "")
+
+
 def cleanse_item(key: str, value: Any) -> Any:
     """Cleanse a single item"""
     if isinstance(value, dict):
@@ -66,7 +70,7 @@ def cleanse_dict(source: dict[Any, Any]) -> dict[Any, Any]:
 
 def model_to_dict(model: Model) -> dict[str, Any]:
     """Convert model to dict"""
-    name = str(model)
+    name = cleanse_str(model)
     if hasattr(model, "name"):
         name = model.name
     return {
@@ -133,11 +137,11 @@ def sanitize_item(value: Any) -> Any:  # noqa: PLR0911, PLR0912
     if isinstance(value, ASN):
         return ASN_CONTEXT_PROCESSOR.asn_to_dict(value)
     if isinstance(value, Path):
-        return str(value)
+        return cleanse_str(value)
     if isinstance(value, Exception):
-        return str(value)
+        return cleanse_str(value)
     if isinstance(value, YAMLTag):
-        return str(value)
+        return cleanse_str(value)
     if isinstance(value, Enum):
         return value.value
     if isinstance(value, type):
@@ -161,7 +165,7 @@ def sanitize_item(value: Any) -> Any:  # noqa: PLR0911, PLR0912
             raise ValueError("JSON can't represent timezone-aware times.")
         return value.isoformat()
     if isinstance(value, timedelta):
-        return str(value.total_seconds())
+        return cleanse_str(value.total_seconds())
     if callable(value):
         return {
             "type": "callable",
@@ -174,8 +178,8 @@ def sanitize_item(value: Any) -> Any:  # noqa: PLR0911, PLR0912
     try:
         return DjangoJSONEncoder().default(value)
     except TypeError:
-        return str(value)
-    return str(value)
+        return cleanse_str(value)
+    return cleanse_str(value)
 
 
 def sanitize_dict(source: dict[Any, Any]) -> dict[Any, Any]:

authentik/flows/apps.py

@@ -29,6 +29,12 @@ class RefreshOtherFlowsAfterAuthentication(Flag[bool], key="flows_refresh_others
     visibility = "public"
 
 
+class ContinuousLogin(Flag[bool], key="flows_continuous_login"):
+
+    default = False
+    visibility = "public"
+
+
 class AuthentikFlowsConfig(ManagedAppConfig):
     """authentik flows app config"""
 

authentik/lib/default.yml

@@ -166,7 +166,6 @@ storage:
     # region: "us-east-1"
     # use_ssl: True
     # endpoint: "https://s3.us-east-1.amazonaws.com"
-    # signature_version: "s3v4"
     # access_key: ""
     # secret_key: ""
     # bucket_name: "authentik-data"
@@ -183,3 +182,5 @@ storage:
   #   backend: file # or s3
   #   file: {}
   #   s3: {}
+
+skip_migrations: false

authentik/lib/sync/outgoing/models.py

@@ -1,3 +1,4 @@
+import math
 from typing import Any, Self
 
 import pglock
@@ -68,7 +69,12 @@ class OutgoingSyncProvider(ScheduledModel, Model):
         return Paginator(self.get_object_qs(type), self.sync_page_size)
 
     def get_object_sync_time_limit_ms[T: User | Group](self, type: type[T]) -> int:
-        num_pages: int = self.get_paginator(type).num_pages
+        # Use a simple COUNT(*) on the model instead of materializing get_object_qs(),
+        # which for some providers (e.g. SCIM) runs PolicyEngine per-user and is
+        # extremely expensive. The time limit is an upper-bound estimate, so using
+        # the total count (without policy filtering) is a safe overestimate.
+        total_count = type.objects.count()
+        num_pages = math.ceil(total_count / self.sync_page_size) if total_count > 0 else 1
         page_timeout_ms = timedelta_from_string(self.sync_page_timeout).total_seconds() * 1000
         return int(num_pages * page_timeout_ms * 1.5)
 

authentik/lib/sync/outgoing/tasks.py

@@ -103,6 +103,7 @@ class SyncTasks:
                 )
                 users_tasks.run().wait(timeout=provider.get_object_sync_time_limit_ms(User))
                 group_tasks.run().wait(timeout=provider.get_object_sync_time_limit_ms(Group))
+                self._sync_cleanup(provider, task)
             except TransientSyncException as exc:
                 self.logger.warning("transient sync exception", exc=exc)
                 task.warning("Sync encountered a transient exception. Retrying", exc=exc)
@@ -111,6 +112,35 @@ class SyncTasks:
                 task.error(exc)
                 return
 
+    def _sync_cleanup(self, provider: OutgoingSyncProvider, task: Task):
+        """Delete remote objects that are no longer in scope"""
+        for object_type in (User, Group):
+            try:
+                client = provider.client_for_model(object_type)
+            except TransientSyncException:
+                continue
+            in_scope_pks = set(provider.get_object_qs(object_type).values_list("pk", flat=True))
+            stale = client.connection_type.objects.filter(provider=provider).exclude(
+                **{f"{client.connection_type_query}__pk__in": in_scope_pks}
+            )
+            for connection in stale:
+                try:
+                    client.delete(connection.scim_id)
+                    task.info(
+                        f"Deleted out-of-scope {object_type._meta.verbose_name}",
+                        scim_id=connection.scim_id,
+                    )
+                except NotFoundSyncException:
+                    pass
+                except TransientSyncException as exc:
+                    self.logger.warning("transient error during cleanup", exc=exc)
+                    self.logger.warning(
+                        "Cleanup encountered a transient exception. Retrying", exc=exc
+                    )
+                    raise Retry() from exc
+                except DryRunRejected as exc:
+                    self.logger.info("Rejected dry-run cleanup event", exc=exc)
+
     def sync_objects(
         self,
         object_type: str,

authentik/outposts/controllers/k8s/base.py

@@ -185,8 +185,10 @@ class KubernetesObjectReconciler[T]:
 
         patch = self.get_patch()
         if patch is not None:
-            current_json = ApiClient().sanitize_for_serialization(current)
-
+            try:
+                current_json = ApiClient().sanitize_for_serialization(current)
+            except AttributeError:
+                current_json = asdict(current)
             try:
                 if apply_patch(current_json, patch) != current_json:
                     raise NeedsUpdate()

authentik/outposts/signals.py

@@ -163,4 +163,5 @@ def outpost_pre_delete_cleanup(sender, instance: Outpost, **_):
 @receiver(pre_delete, sender=AuthenticatedSession)
 def outpost_logout_revoke(sender: type[AuthenticatedSession], instance: AuthenticatedSession, **_):
     """Catch logout by expiring sessions being deleted"""
-    outpost_session_end.send(instance.session.session_key)
+    if Outpost.objects.exists():
+        outpost_session_end.send(instance.session.session_key)

authentik/outposts/tasks.py

@@ -7,7 +7,6 @@ from socket import gethostname
 from typing import Any
 from urllib.parse import urlparse
 
-from asgiref.sync import async_to_sync
 from channels.layers import get_channel_layer
 from django.core.cache import cache
 from django.utils.translation import gettext_lazy as _
@@ -159,7 +158,7 @@ def outpost_send_update(pk: Any):
     layer = get_channel_layer()
     group = build_outpost_group(outpost.pk)
     LOGGER.debug("sending update", channel=group, outpost=outpost)
-    async_to_sync(layer.group_send)(group, {"type": "event.update"})
+    layer.group_send_blocking(group, {"type": "event.update"})
 
 
 @actor(description=_("Checks the local environment and create Service connections."))
@@ -210,7 +209,7 @@ def outpost_session_end(session_id: str):
     for outpost in Outpost.objects.all():
         LOGGER.info("Sending session end signal to outpost", outpost=outpost)
         group = build_outpost_group(outpost.pk)
-        async_to_sync(layer.group_send)(
+        layer.group_send_blocking(
             group,
             {
                 "type": "event.session.end",

authentik/policies/api/bindings.py

@@ -57,9 +57,11 @@ class PolicyBindingSerializer(ModelSerializer):
         required=True,
     )
 
-    policy_obj = PolicySerializer(required=False, read_only=True, source="policy")
-    group_obj = PartialGroupSerializer(required=False, read_only=True, source="group")
-    user_obj = PartialUserSerializer(required=False, read_only=True, source="user")
+    policy_obj = PolicySerializer(required=False, allow_null=True, read_only=True, source="policy")
+    group_obj = PartialGroupSerializer(
+        required=False, allow_null=True, read_only=True, source="group"
+    )
+    user_obj = PartialUserSerializer(required=False, allow_null=True, read_only=True, source="user")
 
     class Meta:
         model = PolicyBinding

authentik/providers/iframe_logout.py

@@ -1,31 +1,19 @@
 """Shared logout stages for SAML and OIDC providers"""
 
 from django.http import HttpResponse
-from rest_framework.fields import CharField, ListField
+from rest_framework.fields import CharField, DictField, ListField
 
 from authentik.common.oauth.constants import PLAN_CONTEXT_OIDC_LOGOUT_IFRAME_SESSIONS
-from authentik.core.api.utils import PassiveSerializer
 from authentik.flows.challenge import Challenge, ChallengeResponse
 from authentik.flows.stage import ChallengeStageView
 from authentik.providers.saml.views.flows import PLAN_CONTEXT_SAML_LOGOUT_IFRAME_SESSIONS
 
 
-class LogoutURL(PassiveSerializer):
-    """Data for a single logout URL"""
-
-    url = CharField()
-    provider_name = CharField(required=False, allow_null=True)
-    binding = CharField(required=False, allow_null=True)
-    saml_request = CharField(required=False, allow_null=True)
-    saml_response = CharField(required=False, allow_null=True)
-    saml_relay_state = CharField(required=False, allow_null=True)
-
-
 class IframeLogoutChallenge(Challenge):
     """Challenge for iframe logout"""
 
     component = CharField(default="ak-provider-iframe-logout")
-    logout_urls = ListField(child=LogoutURL(), default=list)
+    logout_urls = ListField(child=DictField(), default=list)
 
 
 class IframeLogoutChallengeResponse(ChallengeResponse):

authentik/providers/oauth2/api/tokens.py

@@ -9,10 +9,10 @@ from rest_framework.fields import CharField, ListField, SerializerMethodField
 from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.viewsets import GenericViewSet
 
+from authentik.core.api.providers import ProviderSerializer
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.users import UserSerializer
 from authentik.core.api.utils import MetaNameSerializer, ModelSerializer
-from authentik.providers.oauth2.api.providers import OAuth2ProviderSerializer
 from authentik.providers.oauth2.models import AccessToken, AuthorizationCode, RefreshToken
 
 
@@ -20,7 +20,7 @@ class ExpiringBaseGrantModelSerializer(ModelSerializer, MetaNameSerializer):
     """Serializer for BaseGrantModel and ExpiringBaseGrant"""
 
     user = UserSerializer()
-    provider = OAuth2ProviderSerializer()
+    provider = ProviderSerializer()
     scope = ListField(child=CharField())
 
     class Meta:

authentik/providers/oauth2/tests/test_authorize.py

@@ -141,26 +141,6 @@ class TestAuthorize(OAuthTestCase):
             OAuthAuthorizationParams.from_request(request)
         self.assertEqual(cm.exception.cause, "redirect_uri_forbidden_scheme")
 
-    def test_invalid_redirect_uri_empty(self):
-        """test missing/invalid redirect URI"""
-        provider = OAuth2Provider.objects.create(
-            name=generate_id(),
-            client_id="test",
-            authorization_flow=create_test_flow(),
-            redirect_uris=[],
-        )
-        request = self.factory.get(
-            "/",
-            data={
-                "response_type": "code",
-                "client_id": "test",
-                "redirect_uri": "+",
-            },
-        )
-        OAuthAuthorizationParams.from_request(request)
-        provider.refresh_from_db()
-        self.assertEqual(provider.redirect_uris, [RedirectURI(RedirectURIMatchingMode.STRICT, "+")])
-
     def test_invalid_redirect_uri_regex(self):
         """test missing/invalid redirect URI"""
         OAuth2Provider.objects.create(
@@ -394,7 +374,7 @@ class TestAuthorize(OAuthTestCase):
                     "nonce": generate_id(),
                 },
             )
-            token: AccessToken = AccessToken.objects.filter(user=user).first()
+            token = AccessToken.objects.filter(user=user).first()
             expires = timedelta_from_string(provider.access_token_validity).total_seconds()
             self.assertEqual(
                 response.url,
@@ -466,7 +446,7 @@ class TestAuthorize(OAuthTestCase):
                 },
             )
             self.assertEqual(response.status_code, 302)
-            token: AccessToken = AccessToken.objects.filter(user=user).first()
+            token = AccessToken.objects.filter(user=user).first()
             expires = timedelta_from_string(provider.access_token_validity).total_seconds()
             jwt = self.validate_jwe(token, provider)
             self.assertEqual(jwt["amr"], ["pwd"])
@@ -565,7 +545,7 @@ class TestAuthorize(OAuthTestCase):
         response = self.client.get(
             reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
         )
-        token: AccessToken = AccessToken.objects.filter(user=user).first()
+        token = AccessToken.objects.filter(user=user).first()
         self.assertIsNotNone(token)
         self.assertJSONEqual(
             response.content.decode(),

authentik/providers/oauth2/tests/test_backchannel_logout.py

@@ -4,22 +4,19 @@ from unittest.mock import Mock, patch
 
 import jwt
 from django.test import RequestFactory
-from django.utils import timezone
 from dramatiq.results.errors import ResultFailure
 from requests import Response
 from requests.exceptions import HTTPError, Timeout
 
-from authentik.core.models import Application, AuthenticatedSession, Session
+from authentik.core.models import Application
 from authentik.core.tests.utils import create_test_admin_user, create_test_flow
 from authentik.lib.generators import generate_id
 from authentik.providers.oauth2.id_token import hash_session_key
 from authentik.providers.oauth2.models import (
-    AccessToken,
     OAuth2LogoutMethod,
     OAuth2Provider,
     RedirectURI,
     RedirectURIMatchingMode,
-    RefreshToken,
 )
 from authentik.providers.oauth2.tasks import send_backchannel_logout_request
 from authentik.providers.oauth2.tests.utils import OAuthTestCase
@@ -45,52 +42,6 @@ class TestBackChannelLogout(OAuthTestCase):
         self.app.provider = self.provider
         self.app.save()
 
-    def _create_session(self, session_key=None):
-        """Create a session with the given key or a generated one"""
-        session_key = session_key or f"session-{generate_id()}"
-        session = Session.objects.create(
-            session_key=session_key,
-            expires=timezone.now() + timezone.timedelta(hours=1),
-            last_ip="255.255.255.255",
-        )
-        auth_session = AuthenticatedSession.objects.create(
-            session=session,
-            user=self.user,
-        )
-        return auth_session
-
-    def _create_token(
-        self, provider, user, session=None, token_type="access", token_id=None
-    ):  # nosec
-        """Create a token of the specified type"""
-        token_id = token_id or f"{token_type}-token-{generate_id()}"
-        kwargs = {
-            "provider": provider,
-            "user": user,
-            "session": session,
-            "token": token_id,
-            "_id_token": "{}",
-            "auth_time": timezone.now(),
-        }
-
-        if token_type == "access":  # nosec
-            return AccessToken.objects.create(**kwargs)
-        else:  # refresh
-            return RefreshToken.objects.create(**kwargs)
-
-    def _create_provider(self, name=None):
-        """Create an OAuth2 provider"""
-        name = name or f"provider-{generate_id()}"
-        provider = OAuth2Provider.objects.create(
-            name=name,
-            authorization_flow=create_test_flow(),
-            redirect_uris=[
-                RedirectURI(RedirectURIMatchingMode.STRICT, f"http://{name}/callback"),
-            ],
-            signing_key=self.keypair,
-        )
-        return provider
-
     def _create_logout_token(
         self,
         provider: OAuth2Provider | None = None,

authentik/providers/oauth2/tests/test_device_backchannel.py

@@ -2,13 +2,15 @@
 
 from base64 import b64encode
 from json import loads
+from urllib.parse import quote
 
 from django.urls import reverse
 
+from authentik.blueprints.tests import apply_blueprint
 from authentik.core.models import Application
 from authentik.core.tests.utils import create_test_flow
 from authentik.lib.generators import generate_id
-from authentik.providers.oauth2.models import OAuth2Provider
+from authentik.providers.oauth2.models import DeviceToken, OAuth2Provider, ScopeMapping
 from authentik.providers.oauth2.tests.utils import OAuthTestCase
 
 
@@ -96,3 +98,70 @@ class TesOAuth2DeviceBackchannel(OAuthTestCase):
         self.assertEqual(res.status_code, 200)
         body = loads(res.content.decode())
         self.assertEqual(body["expires_in"], 60)
+
+    def test_backchannel_client_id_via_auth_header_urlencoded(self):
+        """Test URL-encoded client IDs in Basic auth"""
+        self.provider.client_id = "test/client+id"
+        self.provider.save()
+        creds = b64encode(f"{quote(self.provider.client_id, safe='')}:".encode()).decode()
+        res = self.client.post(
+            reverse("authentik_providers_oauth2:device"),
+            HTTP_AUTHORIZATION=f"Basic {creds}",
+        )
+        self.assertEqual(res.status_code, 200)
+        body = loads(res.content.decode())
+        self.assertEqual(body["expires_in"], 60)
+
+    @apply_blueprint("system/providers-oauth2.yaml")
+    def test_backchannel_scopes(self):
+        """Test backchannel"""
+        self.provider.property_mappings.set(
+            ScopeMapping.objects.filter(
+                managed__in=[
+                    "goauthentik.io/providers/oauth2/scope-openid",
+                    "goauthentik.io/providers/oauth2/scope-email",
+                    "goauthentik.io/providers/oauth2/scope-profile",
+                ]
+            )
+        )
+        creds = b64encode(f"{self.provider.client_id}:".encode()).decode()
+        res = self.client.post(
+            reverse("authentik_providers_oauth2:device"),
+            HTTP_AUTHORIZATION=f"Basic {creds}",
+            data={"scope": "openid email"},
+        )
+        self.assertEqual(res.status_code, 200)
+        body = loads(res.content.decode())
+        self.assertEqual(body["expires_in"], 60)
+        token = DeviceToken.objects.filter(device_code=body["device_code"]).first()
+        self.assertIsNotNone(token)
+        self.assertEqual(len(token.scope), 2)
+        self.assertIn("openid", token.scope)
+        self.assertIn("email", token.scope)
+
+    @apply_blueprint("system/providers-oauth2.yaml")
+    def test_backchannel_scopes_extra(self):
+        """Test backchannel"""
+        self.provider.property_mappings.set(
+            ScopeMapping.objects.filter(
+                managed__in=[
+                    "goauthentik.io/providers/oauth2/scope-openid",
+                    "goauthentik.io/providers/oauth2/scope-email",
+                    "goauthentik.io/providers/oauth2/scope-profile",
+                ]
+            )
+        )
+        creds = b64encode(f"{self.provider.client_id}:".encode()).decode()
+        res = self.client.post(
+            reverse("authentik_providers_oauth2:device"),
+            HTTP_AUTHORIZATION=f"Basic {creds}",
+            data={"scope": "openid email foo"},
+        )
+        self.assertEqual(res.status_code, 200)
+        body = loads(res.content.decode())
+        self.assertEqual(body["expires_in"], 60)
+        token = DeviceToken.objects.filter(device_code=body["device_code"]).first()
+        self.assertIsNotNone(token)
+        self.assertEqual(len(token.scope), 2)
+        self.assertIn("openid", token.scope)
+        self.assertIn("email", token.scope)

authentik/providers/oauth2/tests/test_introspect.py

@@ -14,6 +14,7 @@ from authentik.lib.generators import generate_id
 from authentik.providers.oauth2.id_token import IDToken
 from authentik.providers.oauth2.models import (
     AccessToken,
+    ClientTypes,
     OAuth2Provider,
     RedirectURI,
     RedirectURIMatchingMode,
@@ -43,7 +44,7 @@ class TesOAuth2Introspection(OAuthTestCase):
 
     def test_introspect_refresh(self):
         """Test introspect"""
-        token: RefreshToken = RefreshToken.objects.create(
+        token = RefreshToken.objects.create(
             provider=self.provider,
             user=self.user,
             token=generate_id(),
@@ -75,7 +76,7 @@ class TesOAuth2Introspection(OAuthTestCase):
 
     def test_introspect_access(self):
         """Test introspect"""
-        token: AccessToken = AccessToken.objects.create(
+        token = AccessToken.objects.create(
             provider=self.provider,
             user=self.user,
             token=generate_id(),
@@ -130,7 +131,7 @@ class TesOAuth2Introspection(OAuthTestCase):
         )
         auth = b64encode(f"{provider.client_id}:{provider.client_secret}".encode()).decode()
 
-        token: AccessToken = AccessToken.objects.create(
+        token = AccessToken.objects.create(
             provider=self.provider,
             user=self.user,
             token=generate_id(),
@@ -169,3 +170,76 @@ class TesOAuth2Introspection(OAuthTestCase):
                 "active": False,
             },
         )
+
+    def test_introspect_provider_public(self):
+        """Test introspect"""
+        self.provider.client_type = ClientTypes.PUBLIC
+        self.provider.save()
+        token = AccessToken.objects.create(
+            provider=self.provider,
+            user=self.user,
+            token=generate_id(),
+            auth_time=timezone.now(),
+            _scope="openid user profile",
+            _id_token=json.dumps(
+                asdict(
+                    IDToken("foo", "bar"),
+                )
+            ),
+        )
+        res = self.client.post(
+            reverse("authentik_providers_oauth2:token-introspection"),
+            HTTP_AUTHORIZATION=f"Basic {self.auth}",
+            data={"token": token.token},
+        )
+        self.assertEqual(res.status_code, 200)
+        self.assertJSONEqual(
+            res.content.decode(),
+            {
+                "active": False,
+            },
+        )
+
+    def test_introspect_provider_fed(self):
+        """Test introspect with federation. self.provider is a confidential
+        client and other_provider is a public client."""
+        other_provider = OAuth2Provider.objects.create(
+            name=generate_id(),
+            authorization_flow=create_test_flow(),
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "")],
+            signing_key=create_test_cert(),
+            client_type=ClientTypes.PUBLIC,
+        )
+        Application.objects.create(name=generate_id(), slug=generate_id(), provider=other_provider)
+
+        other_provider.jwt_federation_providers.add(self.provider)
+
+        token = AccessToken.objects.create(
+            provider=other_provider,
+            user=self.user,
+            token=generate_id(),
+            auth_time=timezone.now(),
+            _scope="openid user profile",
+            _id_token=json.dumps(
+                asdict(
+                    IDToken("foo", "bar"),
+                )
+            ),
+        )
+        res = self.client.post(
+            reverse("authentik_providers_oauth2:token-introspection"),
+            HTTP_AUTHORIZATION=f"Basic {self.auth}",
+            data={"token": token.token},
+        )
+        self.assertEqual(res.status_code, 200)
+        self.assertJSONEqual(
+            res.content.decode(),
+            {
+                "acr": ACR_AUTHENTIK_DEFAULT,
+                "sub": "bar",
+                "iss": "foo",
+                "active": True,
+                "client_id": other_provider.client_id,
+                "scope": " ".join(token.scope),
+            },
+        )

authentik/providers/oauth2/tests/test_revoke.py

@@ -46,7 +46,7 @@ class TesOAuth2Revoke(OAuthTestCase):
 
     def test_revoke_refresh(self):
         """Test revoke"""
-        token: RefreshToken = RefreshToken.objects.create(
+        token = RefreshToken.objects.create(
             provider=self.provider,
             user=self.user,
             token=generate_id(),
@@ -69,7 +69,7 @@ class TesOAuth2Revoke(OAuthTestCase):
 
     def test_revoke_access(self):
         """Test revoke"""
-        token: AccessToken = AccessToken.objects.create(
+        token = AccessToken.objects.create(
             provider=self.provider,
             user=self.user,
             token=generate_id(),
@@ -105,7 +105,19 @@ class TesOAuth2Revoke(OAuthTestCase):
         """Test revoke (invalid auth)"""
         res = self.client.post(
             reverse("authentik_providers_oauth2:token-revoke"),
-            HTTP_AUTHORIZATION="Basic fqewr",
+            HTTP_AUTHORIZATION="Basic aaa",
+            data={
+                "token": generate_id(),
+            },
+        )
+        self.assertEqual(res.status_code, 401)
+
+    def test_revoke_invalid_auth_secret(self):
+        """Test revoke (invalid secret)"""
+        invalid_auth = b64encode(f"{self.provider.client_id}:aaa".encode()).decode()
+        res = self.client.post(
+            reverse("authentik_providers_oauth2:token-revoke"),
+            HTTP_AUTHORIZATION=f"Basic {invalid_auth}",
             data={
                 "token": generate_id(),
             },
@@ -116,7 +128,7 @@ class TesOAuth2Revoke(OAuthTestCase):
         """Test revoke public client"""
         self.provider.client_type = ClientTypes.PUBLIC
         self.provider.save()
-        token: AccessToken = AccessToken.objects.create(
+        token = AccessToken.objects.create(
             provider=self.provider,
             user=self.user,
             token=generate_id(),
@@ -220,3 +232,74 @@ class TesOAuth2Revoke(OAuthTestCase):
         self.assertEqual(AccessToken.objects.all().count(), 0)
         self.assertEqual(RefreshToken.objects.all().count(), 0)
         self.assertEqual(DeviceToken.objects.all().count(), 0)
+
+    def test_revoke_provider_fed(self):
+        """Test revoke with federation. self.provider is a confidential
+        client and other_provider is a public client."""
+        other_provider = OAuth2Provider.objects.create(
+            name=generate_id(),
+            authorization_flow=create_test_flow(),
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "")],
+            signing_key=create_test_cert(),
+            client_type=ClientTypes.PUBLIC,
+        )
+        Application.objects.create(name=generate_id(), slug=generate_id(), provider=other_provider)
+
+        other_provider.jwt_federation_providers.add(self.provider)
+
+        token = AccessToken.objects.create(
+            provider=other_provider,
+            user=self.user,
+            token=generate_id(),
+            auth_time=timezone.now(),
+            _scope="openid user profile",
+            _id_token=json.dumps(
+                asdict(
+                    IDToken("foo", "bar"),
+                )
+            ),
+        )
+        res = self.client.post(
+            reverse("authentik_providers_oauth2:token-revoke"),
+            HTTP_AUTHORIZATION=f"Basic {self.auth}",
+            data={"token": token.token},
+        )
+        self.assertEqual(res.status_code, 200)
+        self.assertJSONEqual(res.content.decode(), {})
+
+    def test_revoke_provider_fed_public(self):
+        """Test revoke with federation. self.provider is a public
+        client and other_provider is a public client."""
+        self.provider.client_type = ClientTypes.PUBLIC
+        self.provider.save()
+        other_provider = OAuth2Provider.objects.create(
+            name=generate_id(),
+            authorization_flow=create_test_flow(),
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "")],
+            signing_key=create_test_cert(),
+            client_type=ClientTypes.PUBLIC,
+        )
+        Application.objects.create(name=generate_id(), slug=generate_id(), provider=other_provider)
+
+        other_provider.jwt_federation_providers.add(self.provider)
+
+        token = AccessToken.objects.create(
+            provider=other_provider,
+            user=self.user,
+            token=generate_id(),
+            auth_time=timezone.now(),
+            _scope="openid user profile",
+            _id_token=json.dumps(
+                asdict(
+                    IDToken("foo", "bar"),
+                )
+            ),
+        )
+        auth_public = b64encode(f"{self.provider.client_id}:{generate_id()}".encode()).decode()
+        res = self.client.post(
+            reverse("authentik_providers_oauth2:token-revoke"),
+            HTTP_AUTHORIZATION=f"Basic {auth_public}",
+            data={"token": token.token},
+        )
+        self.assertEqual(res.status_code, 200)
+        self.assertTrue(AccessToken.objects.filter(token=token.token).exists())

authentik/providers/oauth2/tests/test_token.py

@@ -1,11 +1,15 @@
 """Test token view"""
 
 from base64 import b64encode
+from datetime import timedelta
 from json import dumps
+from urllib.parse import quote
 
 from django.test import RequestFactory
 from django.urls import reverse
 from django.utils import timezone
+from django.utils.timezone import now
+from freezegun import freeze_time
 
 from authentik.blueprints.tests import apply_blueprint
 from authentik.common.oauth.constants import (
@@ -28,6 +32,7 @@ from authentik.providers.oauth2.models import (
     ScopeMapping,
 )
 from authentik.providers.oauth2.tests.utils import OAuthTestCase
+from authentik.providers.oauth2.utils import extract_client_auth
 from authentik.providers.oauth2.views.token import TokenParams
 
 
@@ -97,7 +102,7 @@ class TestToken(OAuthTestCase):
         )
         header = b64encode(f"{provider.client_id}:{provider.client_secret}".encode()).decode()
         user = create_test_admin_user()
-        token: RefreshToken = RefreshToken.objects.create(
+        token = RefreshToken.objects.create(
             provider=provider,
             user=user,
             token=generate_id(),
@@ -115,6 +120,20 @@ class TestToken(OAuthTestCase):
         params = TokenParams.parse(request, provider, provider.client_id, provider.client_secret)
         self.assertEqual(params.provider, provider)
 
+    def test_extract_client_auth_basic_auth_percent_decodes(self):
+        """test percent-decoding of client credentials in Basic auth"""
+        header = b64encode(
+            f"{quote('client/id', safe='')}:{quote('secret+/==', safe='')}".encode()
+        ).decode()
+        request = self.factory.post("/", HTTP_AUTHORIZATION=f"Basic {header}")
+        self.assertEqual(extract_client_auth(request), ("client/id", "secret+/=="))
+
+    def test_extract_client_auth_basic_auth_preserves_raw_plus(self):
+        """test compatibility with clients that still send raw plus characters"""
+        header = b64encode(b"client:secret+plus").decode()
+        request = self.factory.post("/", HTTP_AUTHORIZATION=f"Basic {header}")
+        self.assertEqual(extract_client_auth(request), ("client", "secret+plus"))
+
     def test_auth_code_view(self):
         """test request param"""
         provider = OAuth2Provider.objects.create(
@@ -140,7 +159,7 @@ class TestToken(OAuthTestCase):
             },
             HTTP_AUTHORIZATION=f"Basic {header}",
         )
-        access: AccessToken = AccessToken.objects.filter(user=user, provider=provider).first()
+        access = AccessToken.objects.filter(user=user, provider=provider).first()
         self.assertJSONEqual(
             response.content.decode(),
             {
@@ -182,7 +201,7 @@ class TestToken(OAuthTestCase):
             HTTP_AUTHORIZATION=f"Basic {header}",
         )
         self.assertEqual(response.status_code, 200)
-        access: AccessToken = AccessToken.objects.filter(user=user, provider=provider).first()
+        access = AccessToken.objects.filter(user=user, provider=provider).first()
         self.validate_jwe(access, provider)
 
     @apply_blueprint("system/providers-oauth2.yaml")
@@ -209,7 +228,7 @@ class TestToken(OAuthTestCase):
         self.app.save()
         header = b64encode(f"{provider.client_id}:{provider.client_secret}".encode()).decode()
         user = create_test_admin_user()
-        token: RefreshToken = RefreshToken.objects.create(
+        token = RefreshToken.objects.create(
             provider=provider,
             user=user,
             token=generate_id(),
@@ -229,10 +248,8 @@ class TestToken(OAuthTestCase):
         )
         self.assertEqual(response["Access-Control-Allow-Credentials"], "true")
         self.assertEqual(response["Access-Control-Allow-Origin"], "http://local.invalid")
-        access: AccessToken = AccessToken.objects.filter(user=user, provider=provider).first()
-        refresh: RefreshToken = RefreshToken.objects.filter(
-            user=user, provider=provider, revoked=False
-        ).first()
+        access = AccessToken.objects.filter(user=user, provider=provider).first()
+        refresh = RefreshToken.objects.filter(user=user, provider=provider, revoked=False).first()
         self.assertJSONEqual(
             response.content.decode(),
             {
@@ -269,7 +286,7 @@ class TestToken(OAuthTestCase):
         )
         header = b64encode(f"{provider.client_id}:{provider.client_secret}".encode()).decode()
         user = create_test_admin_user()
-        token: RefreshToken = RefreshToken.objects.create(
+        token = RefreshToken.objects.create(
             provider=provider,
             user=user,
             token=generate_id(),
@@ -287,10 +304,8 @@ class TestToken(OAuthTestCase):
             HTTP_AUTHORIZATION=f"Basic {header}",
             HTTP_ORIGIN="http://another.invalid",
         )
-        access: AccessToken = AccessToken.objects.filter(user=user, provider=provider).first()
-        refresh: RefreshToken = RefreshToken.objects.filter(
-            user=user, provider=provider, revoked=False
-        ).first()
+        access = AccessToken.objects.filter(user=user, provider=provider).first()
+        refresh = RefreshToken.objects.filter(user=user, provider=provider, revoked=False).first()
         self.assertNotIn("Access-Control-Allow-Credentials", response)
         self.assertNotIn("Access-Control-Allow-Origin", response)
         self.assertJSONEqual(
@@ -331,7 +346,7 @@ class TestToken(OAuthTestCase):
         self.app.save()
         header = b64encode(f"{provider.client_id}:{provider.client_secret}".encode()).decode()
         user = create_test_admin_user()
-        token: RefreshToken = RefreshToken.objects.create(
+        token = RefreshToken.objects.create(
             provider=provider,
             user=user,
             token=generate_id(),
@@ -349,9 +364,7 @@ class TestToken(OAuthTestCase):
             },
             HTTP_AUTHORIZATION=f"Basic {header}",
         )
-        new_token: RefreshToken = (
-            RefreshToken.objects.filter(user=user).exclude(pk=token.pk).first()
-        )
+        new_token = RefreshToken.objects.filter(user=user).exclude(pk=token.pk).first()
         # Post again with initial token -> get new refresh token
         # and revoke old one
         response = self.client.post(
@@ -379,7 +392,11 @@ class TestToken(OAuthTestCase):
 
     @apply_blueprint("system/providers-oauth2.yaml")
     def test_refresh_token_view_threshold(self):
-        """test request param"""
+        """refresh token threshold
+
+        threshold set to 1 hour, refresh token expires in 2 hours.
+        First request should not return a new refresh token, second request
+        has a fake time 1 hours in the future which should return a new access token"""
         provider = OAuth2Provider.objects.create(
             name=generate_id(),
             authorization_flow=create_test_flow(),
@@ -402,13 +419,14 @@ class TestToken(OAuthTestCase):
         self.app.save()
         header = b64encode(f"{provider.client_id}:{provider.client_secret}".encode()).decode()
         user = create_test_admin_user()
-        token: RefreshToken = RefreshToken.objects.create(
+        token = RefreshToken.objects.create(
             provider=provider,
             user=user,
             token=generate_id(),
             _id_token=dumps({}),
             auth_time=timezone.now(),
             _scope="offline_access",
+            expires=now() + timedelta(hours=2),
         )
         response = self.client.post(
             reverse("authentik_providers_oauth2:token"),
@@ -420,9 +438,7 @@ class TestToken(OAuthTestCase):
             HTTP_AUTHORIZATION=f"Basic {header}",
             HTTP_ORIGIN="http://local.invalid",
         )
-        self.assertEqual(response["Access-Control-Allow-Credentials"], "true")
-        self.assertEqual(response["Access-Control-Allow-Origin"], "http://local.invalid")
-        access: AccessToken = AccessToken.objects.filter(user=user, provider=provider).first()
+        access = AccessToken.objects.filter(user=user, provider=provider).first()
         self.assertJSONEqual(
             response.content.decode(),
             {
@@ -437,6 +453,42 @@ class TestToken(OAuthTestCase):
         )
         self.validate_jwt(access, provider)
 
+        with freeze_time(now() + timedelta(hours=1, minutes=10)):
+            response = self.client.post(
+                reverse("authentik_providers_oauth2:token"),
+                data={
+                    "grant_type": GRANT_TYPE_REFRESH_TOKEN,
+                    "refresh_token": token.token,
+                    "redirect_uri": "http://local.invalid",
+                },
+                HTTP_AUTHORIZATION=f"Basic {header}",
+                HTTP_ORIGIN="http://local.invalid",
+            )
+            access = (
+                AccessToken.objects.filter(user=user, provider=provider)
+                .exclude(pk=access.pk)
+                .first()
+            )
+            refresh = (
+                RefreshToken.objects.filter(user=user, provider=provider)
+                .exclude(pk=token.pk)
+                .first()
+            )
+            self.assertJSONEqual(
+                response.content.decode(),
+                {
+                    "access_token": access.token,
+                    "token_type": TOKEN_TYPE,
+                    "expires_in": 3600,
+                    "id_token": provider.encode(
+                        access.id_token.to_dict(),
+                    ),
+                    "scope": "offline_access",
+                    "refresh_token": refresh.token,
+                },
+            )
+            self.validate_jwt(access, provider)
+
     @apply_blueprint("system/providers-oauth2.yaml")
     def test_scope_claim_override_via_property_mapping(self):
         """Test that property mappings can override the scope claim in access tokens.
@@ -484,7 +536,7 @@ class TestToken(OAuthTestCase):
         )
         self.assertEqual(response.status_code, 200)
 
-        access: AccessToken = AccessToken.objects.filter(user=user, provider=provider).first()
+        access = AccessToken.objects.filter(user=user, provider=provider).first()
         jwt_data = self.validate_jwt(access, provider)
 
         # The scope should be the custom value from the property mapping,

authentik/providers/oauth2/tests/test_token_cc_standard_compat.py

@@ -2,6 +2,7 @@
 
 from base64 import b64encode
 from json import loads
+from urllib.parse import quote
 
 from django.test import RequestFactory
 from django.urls import reverse
@@ -178,6 +179,41 @@ class TestTokenClientCredentialsStandardCompat(OAuthTestCase):
         self.assertEqual(jwt["given_name"], self.user.name)
         self.assertEqual(jwt["preferred_username"], self.user.username)
 
+    def test_successful_basic_auth_urlencoded_client_secret(self):
+        """test successful with URL-encoded Basic auth credentials"""
+        client_secret = b64encode(f"sa:{self.token.key}".encode()).decode()
+        header = b64encode(
+            f"{quote(self.provider.client_id, safe='')}:{quote(client_secret, safe='')}".encode()
+        ).decode()
+        response = self.client.post(
+            reverse("authentik_providers_oauth2:token"),
+            {
+                "grant_type": GRANT_TYPE_CLIENT_CREDENTIALS,
+                "scope": f"{SCOPE_OPENID} {SCOPE_OPENID_EMAIL} {SCOPE_OPENID_PROFILE}",
+            },
+            HTTP_AUTHORIZATION=f"Basic {header}",
+        )
+        self.assertEqual(response.status_code, 200)
+        body = loads(response.content.decode())
+        self.assertEqual(body["token_type"], TOKEN_TYPE)
+        _, alg = self.provider.jwt_key
+        jwt = decode(
+            body["access_token"],
+            key=self.provider.signing_key.public_key,
+            algorithms=[alg],
+            audience=self.provider.client_id,
+        )
+        self.assertEqual(jwt["given_name"], self.user.name)
+        self.assertEqual(jwt["preferred_username"], self.user.username)
+        jwt = decode(
+            body["id_token"],
+            key=self.provider.signing_key.public_key,
+            algorithms=[alg],
+            audience=self.provider.client_id,
+        )
+        self.assertEqual(jwt["given_name"], self.user.name)
+        self.assertEqual(jwt["preferred_username"], self.user.username)
+
     def test_successful_password(self):
         """test successful (password grant)"""
         response = self.client.post(

authentik/providers/oauth2/tests/test_userinfo.py

@@ -40,7 +40,7 @@ class TestUserinfo(OAuthTestCase):
         self.app.provider = self.provider
         self.app.save()
         self.user = create_test_admin_user()
-        self.token: AccessToken = AccessToken.objects.create(
+        self.token = AccessToken.objects.create(
             provider=self.provider,
             user=self.user,
             token=generate_id(),

authentik/providers/oauth2/utils.py

@@ -7,7 +7,7 @@ from binascii import Error
 from hashlib import sha256
 from hmac import compare_digest
 from typing import Any
-from urllib.parse import urlparse
+from urllib.parse import unquote, urlparse
 
 from django.http import HttpRequest, HttpResponse, JsonResponse
 from django.http.response import HttpResponseRedirect
@@ -122,6 +122,10 @@ def extract_client_auth(request: HttpRequest) -> tuple[str, str]:
         try:
             user_pass = b64decode(b64_user_pass).decode("utf-8").partition(":")
             client_id, _, client_secret = user_pass
+            # RFC 6749 requires client credentials in Basic auth to be form-encoded first.
+            # We only percent-decode here so raw `+` characters keep their previous meaning.
+            client_id = unquote(client_id)
+            client_secret = unquote(client_secret)
         except ValueError, Error:
             client_id = client_secret = ""  # nosec
     else:

authentik/providers/oauth2/views/authorize.py

@@ -58,7 +58,6 @@ from authentik.providers.oauth2.models import (
     AuthorizationCode,
     GrantTypes,
     OAuth2Provider,
-    RedirectURI,
     RedirectURIMatchingMode,
     ResponseMode,
     ResponseTypes,
@@ -196,14 +195,6 @@ class OAuthAuthorizationParams:
             LOGGER.warning("Missing redirect uri.")
             raise RedirectUriError("", allowed_redirect_urls).with_cause("redirect_uri_missing")
 
-        if len(allowed_redirect_urls) < 1:
-            LOGGER.info("Setting redirect for blank redirect_uris", redirect=self.redirect_uri)
-            self.provider.redirect_uris = [
-                RedirectURI(RedirectURIMatchingMode.STRICT, self.redirect_uri)
-            ]
-            self.provider.save()
-            allowed_redirect_urls = self.provider.redirect_uris
-
         match_found = False
         for allowed in allowed_redirect_urls:
             if allowed.matching_mode == RedirectURIMatchingMode.STRICT:
@@ -432,7 +423,7 @@ class AuthorizationFlowInitView(BufferedPolicyAccessView):
         return response
 
     def dispatch(self, request: HttpRequest, *args, **kwargs):
-        # Activate language before parsing params (error messages should be localized)
+        # Activate language before parsing params (error messages should be localised)
         return self.dispatch_with_language(request, *args, **kwargs)
 
     def get(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:

authentik/providers/oauth2/views/device_backchannel.py

@@ -15,7 +15,7 @@ from authentik.core.models import Application
 from authentik.lib.config import CONFIG
 from authentik.lib.utils.time import timedelta_from_string
 from authentik.providers.oauth2.errors import DeviceCodeError
-from authentik.providers.oauth2.models import DeviceToken, OAuth2Provider
+from authentik.providers.oauth2.models import DeviceToken, OAuth2Provider, ScopeMapping
 from authentik.providers.oauth2.utils import TokenResponse, extract_client_auth
 from authentik.providers.oauth2.views.device_init import QS_KEY_CODE
 
@@ -28,7 +28,7 @@ class DeviceView(View):
 
     client_id: str
     provider: OAuth2Provider
-    scopes: list[str] = []
+    scopes: set[str] = []
 
     def parse_request(self):
         """Parse incoming request"""
@@ -44,7 +44,21 @@ class DeviceView(View):
             raise DeviceCodeError("invalid_client") from None
         self.provider = provider
         self.client_id = client_id
-        self.scopes = self.request.POST.get("scope", "").split(" ")
+
+        scopes_to_check = set(self.request.POST.get("scope", "").split())
+        default_scope_names = set(
+            ScopeMapping.objects.filter(provider__in=[self.provider]).values_list(
+                "scope_name", flat=True
+            )
+        )
+        self.scopes = scopes_to_check
+        if not scopes_to_check.issubset(default_scope_names):
+            LOGGER.info(
+                "Application requested scopes not configured, setting to overlap",
+                scope_allowed=default_scope_names,
+                scope_given=self.scopes,
+            )
+            self.scopes = self.scopes.intersection(default_scope_names)
 
     def dispatch(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
         throttle = AnonRateThrottle()

authentik/providers/oauth2/views/introspection.py

@@ -2,6 +2,7 @@
 
 from dataclasses import dataclass, field
 
+from django.db.models import Q
 from django.http import HttpRequest, HttpResponse
 from django.utils.decorators import method_decorator
 from django.views import View
@@ -10,7 +11,7 @@ from structlog.stdlib import get_logger
 
 from authentik.providers.oauth2.errors import TokenIntrospectionError
 from authentik.providers.oauth2.id_token import IDToken
-from authentik.providers.oauth2.models import AccessToken, OAuth2Provider, RefreshToken
+from authentik.providers.oauth2.models import AccessToken, ClientTypes, OAuth2Provider, RefreshToken
 from authentik.providers.oauth2.utils import TokenResponse, authenticate_provider
 
 LOGGER = get_logger()
@@ -33,10 +34,7 @@ class TokenIntrospectionParams:
         self.id_token = self.token.id_token
 
         if not self.token.id_token:
-            LOGGER.debug(
-                "token not an authentication token",
-                token=self.token,
-            )
+            LOGGER.debug("token not an authentication token", token=self.token)
             raise TokenIntrospectionError()
 
     @staticmethod
@@ -45,14 +43,23 @@ class TokenIntrospectionParams:
         raw_token = request.POST.get("token")
         provider = authenticate_provider(request)
         if not provider:
+            LOGGER.info("Failed to authenticate introspection request")
+            raise TokenIntrospectionError
+        if provider.client_type != ClientTypes.CONFIDENTIAL:
+            LOGGER.info("Introspection request from public provider, denying.")
             raise TokenIntrospectionError
 
-        access_token = AccessToken.objects.filter(token=raw_token, provider=provider).first()
+        query = Q(
+            Q(provider=provider) | Q(provider__jwt_federation_providers__in=[provider]),
+            token=raw_token,
+        )
+
+        access_token = AccessToken.objects.filter(query).first()
         if access_token:
-            return TokenIntrospectionParams(access_token, provider)
-        refresh_token = RefreshToken.objects.filter(token=raw_token, provider=provider).first()
+            return TokenIntrospectionParams(access_token, access_token.provider)
+        refresh_token = RefreshToken.objects.filter(query).first()
         if refresh_token:
-            return TokenIntrospectionParams(refresh_token, provider)
+            return TokenIntrospectionParams(refresh_token, refresh_token.provider)
         LOGGER.debug("Token does not exist", token=raw_token)
         raise TokenIntrospectionError()
 

authentik/providers/oauth2/views/token.py

@@ -368,7 +368,7 @@ class TokenParams:
     ) -> tuple[dict, OAuthSource] | tuple[None, None]:
         # Fully decode the JWT without verifying the signature, so we can get access to
         # the header.
-        # Get the Key ID from the header, and use that to optimize our source query to only find
+        # Get the Key ID from the header, and use that to optimise our source query to only find
         # sources that have a JWK for that Key ID
         # The Key ID doesn't have a fixed format, but must match between an issued JWT
         # and whatever is returned by the JWKS endpoint
@@ -704,7 +704,7 @@ class TokenView(View):
         refresh_token_threshold = timedelta_from_string(self.provider.refresh_token_threshold)
         if (
             refresh_token_threshold.total_seconds() == 0
-            or (now - self.params.refresh_token.expires) > refresh_token_threshold
+            or (self.params.refresh_token.expires - now) < refresh_token_threshold
         ):
             refresh_token_expiry = now + timedelta_from_string(self.provider.refresh_token_validity)
             refresh_token = RefreshToken(

authentik/providers/oauth2/views/token_revoke.py

@@ -2,6 +2,7 @@
 
 from dataclasses import dataclass
 
+from django.db.models import Q
 from django.http import Http404, HttpRequest, HttpResponse
 from django.utils.decorators import method_decorator
 from django.views import View
@@ -32,15 +33,25 @@ class TokenRevocationParams:
         raw_token = request.POST.get("token")
 
         provider, _, _ = provider_from_request(request)
-        if provider and provider.client_type == ClientTypes.CONFIDENTIAL:
-            provider = authenticate_provider(request)
         if not provider:
             raise TokenRevocationError("invalid_client")
+        # By default clients can only revoke their own tokens
+        query = Q(provider=provider, token=raw_token)
+        if provider.client_type == ClientTypes.CONFIDENTIAL:
+            provider = authenticate_provider(request)
+            if not provider:
+                raise TokenRevocationError("invalid_client")
+            # If the request is authenticated by a confidential provider, it can also
+            # revoke federated tokens
+            query = Q(
+                Q(provider=provider) | Q(provider__jwt_federation_providers__in=[provider]),
+                token=raw_token,
+            )
 
-        access_token = AccessToken.objects.filter(token=raw_token).first()
+        access_token = AccessToken.objects.filter(query).first()
         if access_token:
             return TokenRevocationParams(access_token, provider)
-        refresh_token = RefreshToken.objects.filter(token=raw_token).first()
+        refresh_token = RefreshToken.objects.filter(query).first()
         if refresh_token:
             return TokenRevocationParams(refresh_token, provider)
         LOGGER.debug("Token does not exist", token=raw_token)

authentik/providers/proxy/controllers/k8s/traefik_3.py

@@ -27,6 +27,8 @@ class TraefikMiddlewareSpecForwardAuth:
 
     trustForwardHeader: bool = field(default=True)
 
+    maxResponseBodySize: int = field(default=1024 * 1024 * 4)
+
 
 @dataclass(slots=True)
 class TraefikMiddlewareSpec:
@@ -140,6 +142,7 @@ class Traefik3MiddlewareReconciler(KubernetesObjectReconciler[TraefikMiddleware]
                     ],
                     authResponseHeadersRegex="",
                     trustForwardHeader=True,
+                    maxResponseBodySize=1024 * 1024 * 4,
                 )
             ),
         )

authentik/providers/proxy/signals.py

@@ -1,13 +0,0 @@
-"""Proxy provider signals"""
-
-from django.db.models.signals import pre_delete
-from django.dispatch import receiver
-
-from authentik.core.models import AuthenticatedSession
-from authentik.providers.proxy.tasks import proxy_on_logout
-
-
-@receiver(pre_delete, sender=AuthenticatedSession)
-def logout_proxy_revoke(sender: type[AuthenticatedSession], instance: AuthenticatedSession, **_):
-    """Catch logout by expiring sessions being deleted"""
-    proxy_on_logout.send(instance.session.session_key)

authentik/providers/proxy/tasks.py

@@ -1,26 +0,0 @@
-"""proxy provider tasks"""
-
-from asgiref.sync import async_to_sync
-from channels.layers import get_channel_layer
-from django.utils.translation import gettext_lazy as _
-from dramatiq.actor import actor
-
-from authentik.outposts.consumer import build_outpost_group
-from authentik.outposts.models import Outpost, OutpostType
-from authentik.providers.oauth2.id_token import hash_session_key
-
-
-@actor(description=_("Terminate session on Proxy outpost."))
-def proxy_on_logout(session_id: str):
-    layer = get_channel_layer()
-    hashed_session_id = hash_session_key(session_id)
-    for outpost in Outpost.objects.filter(type=OutpostType.PROXY):
-        group = build_outpost_group(outpost.pk)
-        async_to_sync(layer.group_send)(
-            group,
-            {
-                "type": "event.provider.specific",
-                "sub_type": "logout",
-                "session_id": hashed_session_id,
-            },
-        )

authentik/providers/saml/api/providers.py

@@ -213,7 +213,6 @@ class SAMLProviderSerializer(ProviderSerializer):
             "sign_assertion",
             "sign_response",
             "sign_logout_request",
-            "sign_logout_response",
             "sp_binding",
             "sls_binding",
             "logout_method",
@@ -232,8 +231,8 @@ class SAMLProviderSerializer(ProviderSerializer):
 class SAMLMetadataSerializer(PassiveSerializer):
     """SAML Provider Metadata serializer"""
 
-    metadata = CharField(read_only=True)
-    download_url = CharField(read_only=True, required=False)
+    metadata = CharField()
+    download_url = CharField(required=False, allow_null=True)
 
 
 class SAMLProviderImportSerializer(PassiveSerializer):
@@ -315,7 +314,7 @@ class SAMLProviderViewSet(UsedByMixin, ModelViewSet):
                 return response
             return Response({"metadata": metadata}, content_type="application/json")
         except Provider.application.RelatedObjectDoesNotExist:
-            return Response({"metadata": ""}, content_type="application/json")
+            raise Http404 from None
 
     @permission_required(
         None,

authentik/providers/saml/migrations/0021_samlprovider_sign_logout_response.py

@@ -1,18 +0,0 @@
-# Generated by Django 5.2.7 on 2025-10-24 18:15
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("authentik_providers_saml", "0020_samlprovider_logout_method_and_more"),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name="samlprovider",
-            name="sign_logout_response",
-            field=models.BooleanField(default=False),
-        ),
-    ]

authentik/providers/saml/models.py

@@ -227,7 +227,6 @@ class SAMLProvider(Provider):
     sign_assertion = models.BooleanField(default=True)
     sign_response = models.BooleanField(default=False)
     sign_logout_request = models.BooleanField(default=False)
-    sign_logout_response = models.BooleanField(default=False)
 
     @property
     def launch_url(self) -> str | None:

authentik/providers/saml/native_logout.py

@@ -1,12 +1,11 @@
 """SAML Logout stages for automatic injection"""
 
 from django.http import HttpResponse
-from rest_framework.fields import BooleanField, CharField, ChoiceField
+from rest_framework.fields import BooleanField, CharField
 from structlog.stdlib import get_logger
 
 from authentik.flows.challenge import Challenge, ChallengeResponse, HttpChallengeResponse
 from authentik.flows.stage import ChallengeStageView
-from authentik.providers.saml.models import SAMLBindings
 from authentik.providers.saml.views.flows import PLAN_CONTEXT_SAML_LOGOUT_NATIVE_SESSIONS
 
 LOGGER = get_logger()
@@ -20,16 +19,13 @@ class NativeLogoutChallenge(Challenge):
     """Challenge for native browser logout"""
 
     component = CharField(default="ak-provider-saml-native-logout")
-    provider_name = CharField(required=False)
-    is_complete = BooleanField(required=False, default=False)
-
     post_url = CharField(required=False)
-    redirect_url = CharField(required=False)
-
-    saml_binding = ChoiceField(choices=SAMLBindings.choices, required=False)
     saml_request = CharField(required=False)
-    saml_response = CharField(required=False)
-    saml_relay_state = CharField(required=False)
+    relay_state = CharField(required=False)
+    provider_name = CharField(required=False)
+    binding = CharField(required=False)
+    redirect_url = CharField(required=False)
+    is_complete = BooleanField(required=False, default=False)
 
 
 class NativeLogoutChallengeResponse(ChallengeResponse):

authentik/providers/saml/processors/logout_response_processor.py

@@ -1,196 +0,0 @@
-"""LogoutResponse processor"""
-
-import base64
-from urllib.parse import quote, urlencode
-
-import xmlsec
-from lxml import etree
-from lxml.etree import Element, SubElement
-
-from authentik.common.saml.constants import (
-    DIGEST_ALGORITHM_TRANSLATION_MAP,
-    NS_MAP,
-    NS_SAML_ASSERTION,
-    NS_SAML_PROTOCOL,
-    SIGN_ALGORITHM_TRANSFORM_MAP,
-)
-from authentik.providers.saml.models import SAMLProvider
-from authentik.providers.saml.processors.logout_request_parser import LogoutRequest
-from authentik.providers.saml.utils import get_random_id
-from authentik.providers.saml.utils.encoding import deflate_and_base64_encode
-from authentik.providers.saml.utils.time import get_time_string
-
-
-class LogoutResponseProcessor:
-    """Generate a SAML LogoutResponse"""
-
-    provider: SAMLProvider
-    logout_request: LogoutRequest
-    destination: str | None
-    relay_state: str | None
-    _issue_instant: str
-    _response_id: str
-
-    def __init__(
-        self,
-        provider: SAMLProvider,
-        logout_request: LogoutRequest,
-        destination: str | None = None,
-        relay_state: str | None = None,
-    ):
-        self.provider = provider
-        self.logout_request = logout_request
-        self.destination = destination
-        self.relay_state = relay_state or (logout_request.relay_state if logout_request else None)
-        self._issue_instant = get_time_string()
-        self._response_id = get_random_id()
-
-    def get_issuer(self) -> Element:
-        """Get Issuer element"""
-        issuer = Element(f"{{{NS_SAML_ASSERTION}}}Issuer")
-        issuer.text = self.provider.issuer
-        return issuer
-
-    def build(self, status: str = "Success") -> Element:
-        """Build a SAML LogoutResponse as etree Element"""
-        response = Element(f"{{{NS_SAML_PROTOCOL}}}LogoutResponse", nsmap=NS_MAP)
-        response.attrib["Version"] = "2.0"
-        response.attrib["IssueInstant"] = self._issue_instant
-        response.attrib["ID"] = self._response_id
-
-        if self.destination:
-            response.attrib["Destination"] = self.destination
-
-        if self.logout_request and self.logout_request.id:
-            response.attrib["InResponseTo"] = self.logout_request.id
-
-        response.append(self.get_issuer())
-
-        # Add Status element
-        status_element = SubElement(response, f"{{{NS_SAML_PROTOCOL}}}Status")
-        status_code = SubElement(status_element, f"{{{NS_SAML_PROTOCOL}}}StatusCode")
-        status_code.attrib["Value"] = f"urn:oasis:names:tc:SAML:2.0:status:{status}"
-
-        return response
-
-    def build_response(self, status: str = "Success") -> str:
-        """Build and sign LogoutResponse, return as XML string (not encoded)"""
-        response = self.build(status)
-        if self.provider.signing_kp and self.provider.sign_logout_response:
-            self._add_signature(response)
-            self._sign_response(response)
-        return etree.tostring(response).decode()
-
-    def encode_post(self, status: str = "Success") -> str:
-        """Encode LogoutResponse for POST binding"""
-        response = self.build(status)
-        if self.provider.signing_kp and self.provider.sign_logout_response:
-            self._add_signature(response)
-            self._sign_response(response)
-        return base64.b64encode(etree.tostring(response)).decode()
-
-    def encode_redirect(self, status: str = "Success") -> str:
-        """Encode LogoutResponse for Redirect binding"""
-        response = self.build(status)
-        # Note: For redirect binding, signatures are added as query parameters, not in XML
-        xml_str = etree.tostring(response, encoding="UTF-8", xml_declaration=True)
-        return deflate_and_base64_encode(xml_str.decode("UTF-8"))
-
-    def get_redirect_url(self, status: str = "Success") -> str:
-        """Build complete logout response URL for redirect binding with signature if needed"""
-        encoded_response = self.encode_redirect(status)
-        params = {
-            "SAMLResponse": encoded_response,
-        }
-
-        if self.relay_state:
-            params["RelayState"] = self.relay_state
-
-        if self.provider.signing_kp and self.provider.sign_logout_response:
-            sig_alg = self.provider.signature_algorithm
-            params["SigAlg"] = sig_alg
-
-            # Build the string to sign
-            query_string = self._build_signable_query_string(params)
-
-            signature = self._sign_query_string(query_string)
-            params["Signature"] = base64.b64encode(signature).decode()
-
-        # Some SP's use query params on their sls endpoint
-        if not self.destination:
-            raise ValueError("destination is required for redirect URL")
-
-        separator = "&" if "?" in self.destination else "?"
-        return f"{self.destination}{separator}{urlencode(params)}"
-
-    def _add_signature(self, element: Element):
-        """Add signature placeholder to element"""
-        sign_algorithm_transform = SIGN_ALGORITHM_TRANSFORM_MAP.get(
-            self.provider.signature_algorithm, xmlsec.constants.TransformRsaSha1
-        )
-        signature = xmlsec.template.create(
-            element,
-            xmlsec.constants.TransformExclC14N,
-            sign_algorithm_transform,
-            ns=xmlsec.constants.DSigNs,
-        )
-        element.insert(1, signature)  # Insert after Issuer
-
-    def _sign_response(self, response: Element):
-        """Sign the response element"""
-        digest_algorithm_transform = DIGEST_ALGORITHM_TRANSLATION_MAP.get(
-            self.provider.digest_algorithm, xmlsec.constants.TransformSha1
-        )
-
-        xmlsec.tree.add_ids(response, ["ID"])
-        signature_node = xmlsec.tree.find_node(response, xmlsec.constants.NodeSignature)
-
-        ref = xmlsec.template.add_reference(
-            signature_node,
-            digest_algorithm_transform,
-            uri="#" + response.attrib["ID"],
-        )
-        xmlsec.template.add_transform(ref, xmlsec.constants.TransformEnveloped)
-        xmlsec.template.add_transform(ref, xmlsec.constants.TransformExclC14N)
-        key_info = xmlsec.template.ensure_key_info(signature_node)
-        xmlsec.template.add_x509_data(key_info)
-
-        ctx = xmlsec.SignatureContext()
-        ctx.key = xmlsec.Key.from_memory(
-            self.provider.signing_kp.key_data,  # Use key_data for the private key
-            xmlsec.constants.KeyDataFormatPem,
-        )
-        ctx.key.load_cert_from_memory(
-            self.provider.signing_kp.certificate_data, xmlsec.constants.KeyDataFormatPem
-        )
-        ctx.sign(signature_node)
-
-    def _build_signable_query_string(self, params: dict) -> str:
-        """Build query string for signing (order matters per SAML spec)"""
-        # SAML spec requires specific order: SAMLResponse, RelayState, SigAlg
-        # Values must be URL-encoded individually before concatenation
-        ordered = []
-        if "SAMLResponse" in params:
-            ordered.append(f"SAMLResponse={quote(params['SAMLResponse'], safe='')}")
-        if "RelayState" in params:
-            ordered.append(f"RelayState={quote(params['RelayState'], safe='')}")
-        if "SigAlg" in params:
-            ordered.append(f"SigAlg={quote(params['SigAlg'], safe='')}")
-        return "&".join(ordered)
-
-    def _sign_query_string(self, query_string: str) -> bytes:
-        """Sign the query string for redirect binding"""
-        signature_algorithm_transform = SIGN_ALGORITHM_TRANSFORM_MAP.get(
-            self.provider.signature_algorithm, xmlsec.constants.TransformRsaSha256
-        )
-
-        key = xmlsec.Key.from_memory(
-            self.provider.signing_kp.key_data,
-            xmlsec.constants.KeyDataFormatPem,
-            None,
-        )
-
-        ctx = xmlsec.SignatureContext()
-        ctx.key = key
-
-        return ctx.sign_binary(query_string.encode("utf-8"), signature_algorithm_transform)