sources/oauth: pick a single pkce method from OIDC discovery, not the whole list (#21689)

* sources/oauth: pick a single pkce method from OIDC discovery, not the whole list

When an OAuth source is configured with `oidc_well_known_url`, the API
serializer fetches the upstream's OpenID configuration and merges the
selected endpoints into the source attrs. The merge used a straight
field_map that aliased the pkce TextField to
`code_challenge_methods_supported`:

    field_map = {
        ...
        "pkce": "code_challenge_methods_supported",
    }
    for ak_key, oidc_key in field_map.items():
        ...
        attrs[ak_key] = config.get(oidc_key, "")

`code_challenge_methods_supported` is a JSON array per RFC 8414
(e.g. ["plain", "S256"]), but attrs["pkce"] is backed by a TextField
with choices NONE / PLAIN / S256. Django does not validate choices on
plain assignment, so the list survives serialisation and is later
formatted by the client as
    str(pkce_mode) -> "['plain', 'S256']"
which ships as `code_challenge_method=%5B%27plain%27%2C+%27S256%27%5D`
on the /authorize request. The upstream rejects the subsequent /token
exchange with HTTP 400 because it has no PKCE state for that value.

Separate the pkce handling from the rest of the field_map loop: only
fill pkce when the user has not set it, and select one scalar method
from the advertised list (prefer S256, the RFC 7636 MUST for public
clients, then plain, then NONE as a last resort). Non-list / missing
values fall back to NONE. User-supplied pkce still wins, matching the
existing "don't overwrite user-set values" intent.

Fixes #21665

Signed-off-by: SAY-5 <SAY-5@users.noreply.github.com>

* update test

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* simplify

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: SAY-5 <SAY-5@users.noreply.github.com>
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: SAY-5 <SAY-5@users.noreply.github.com>
Co-authored-by: Jens Langhammer <jens@goauthentik.io>

.github/actions/docker-push-variables/action.yml

@@ -54,10 +54,6 @@ outputs:
 runs:
   using: "composite"
   steps:
-    - name: Setup authentik env
-      uses: ./.github/actions/setup
-      with:
-        dependencies: "python"
     - name: Generate config
       id: ev
       shell: bash
@@ -68,4 +64,4 @@ runs:
         PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
         REF: ${{ github.ref }}
       run: |
-        uv run python3 ${{ github.action_path }}/push_vars.py
+        python3 ${{ github.action_path }}/push_vars.py

.github/actions/docker-push-variables/push_vars.py

@@ -2,10 +2,19 @@
 
 import os
 from json import dumps
+from pathlib import Path
 from sys import exit as sysexit
 from time import time
+from typing import Any
 
-from authentik import authentik_version
+
+def authentik_version() -> str:
+    init = Path(__file__).parent.parent.parent.parent / "authentik" / "__init__.py"
+    with open(init) as f:
+        content = f.read()
+    locals: dict[str, Any] = {}
+    exec(content, None, locals)  # nosec
+    return str(locals["VERSION"])
 
 
 def must_or_fail(input: str | None, error: str) -> str:
@@ -97,6 +106,7 @@ if os.getenv("RELEASE", "false").lower() == "true":
     image_build_args = [f"VERSION={os.getenv('REF')}"]
 else:
     image_build_args = [f"GIT_BUILD_HASH={sha}"]
+image_build_args_str = "\n".join(image_build_args)
 
 with open(os.environ["GITHUB_OUTPUT"], "a+", encoding="utf-8") as _output:
     print(f"shouldPush={str(should_push).lower()}", file=_output)
@@ -109,4 +119,4 @@ with open(os.environ["GITHUB_OUTPUT"], "a+", encoding="utf-8") as _output:
     print(f"imageMainTag={image_main_tag}", file=_output)
     print(f"imageMainName={image_tags[0]}", file=_output)
     print(f"cacheTo={cache_to}", file=_output)
-    print(f"imageBuildArgs={"\n".join(image_build_args)}", file=_output)
+    print(f"imageBuildArgs={image_build_args_str}", file=_output)

.github/actions/setup/action.yml

@@ -17,17 +17,27 @@ inputs:
 runs:
   using: "composite"
   steps:
-    - name: Install apt deps & cleanup
+    - name: Cleanup apt
+      if: ${{ contains(inputs.dependencies, 'system') || contains(inputs.dependencies, 'python') }}
+      shell: bash
+      run: sudo apt-get remove --purge man-db
+    - name: Install apt deps
+      if: ${{ contains(inputs.dependencies, 'system') || contains(inputs.dependencies, 'python') }}
+      uses: gerlero/apt-install@f4fa5265092af9e750549565d28c99aec7189639
+      with:
+        packages: libpq-dev openssl libxmlsec1-dev pkg-config gettext krb5-multidev libkrb5-dev heimdal-multidev libclang-dev krb5-kdc krb5-user krb5-admin-server
+        update: true
+        upgrade: false
+        install-recommends: false
+    - name: Make space on disk
       if: ${{ contains(inputs.dependencies, 'system') || contains(inputs.dependencies, 'python') }}
       shell: bash
       run: |
-        sudo apt-get remove --purge man-db
-        sudo apt-get update
-        sudo apt-get install --no-install-recommends -y libpq-dev openssl libxmlsec1-dev pkg-config gettext krb5-multidev libkrb5-dev heimdal-multidev libclang-dev krb5-kdc krb5-user krb5-admin-server
-        sudo rm -rf /usr/local/lib/android
+        sudo mkdir -p /tmp/empty/
+        sudo rsync -a --delete /tmp/empty/ /usr/local/lib/android/
     - name: Install uv
       if: ${{ contains(inputs.dependencies, 'python') }}
-      uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v5
+      uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v5
       with:
         enable-cache: true
     - name: Setup python
@@ -42,19 +52,19 @@ runs:
       run: uv sync --all-extras --dev --frozen
     - name: Setup rust (stable)
       if: ${{ contains(inputs.dependencies, 'rust') && !contains(inputs.dependencies, 'rust-nightly') }}
-      uses: actions-rust-lang/setup-rust-toolchain@150fca883cd4034361b621bd4e6a9d34e5143606 # v1
+      uses: actions-rust-lang/setup-rust-toolchain@2b1f5e9b395427c92ee4e3331786ca3c37afe2d7 # v1
       with:
         rustflags: ""
     - name: Setup rust (nightly)
       if: ${{ contains(inputs.dependencies, 'rust-nightly') }}
-      uses: actions-rust-lang/setup-rust-toolchain@150fca883cd4034361b621bd4e6a9d34e5143606 # v1
+      uses: actions-rust-lang/setup-rust-toolchain@2b1f5e9b395427c92ee4e3331786ca3c37afe2d7 # v1
       with:
         toolchain: nightly
         components: rustfmt
         rustflags: ""
     - name: Setup rust dependencies
       if: ${{ contains(inputs.dependencies, 'rust') }}
-      uses: taiki-e/install-action@d858f8113943481093e02986a7586a4819a3bfd6 # v2
+      uses: taiki-e/install-action@58e862542551f667fa44c8a2a4a1d64ad477c96a # v2
       with:
         tool: cargo-deny cargo-machete cargo-llvm-cov nextest
     - name: Setup node (web)

.github/dependabot.yml

@@ -20,6 +20,8 @@ updates:
       prefix: "ci:"
     labels:
       - dependencies
+    cooldown:
+      default-days: 3
 
   #endregion
 
@@ -35,6 +37,16 @@ updates:
       prefix: "core:"
     labels:
       - dependencies
+    cooldown:
+      default-days: 7
+      semver-major-days: 14
+      semver-patch-days: 3
+      exclude:
+        - "golang.org/x/crypto"
+        - "golang.org/x/net"
+        - "github.com/golang-jwt/jwt/*"
+        - "github.com/coreos/go-oidc/*"
+        - "github.com/go-ldap/ldap/*"
 
   #endregion
 
@@ -50,6 +62,10 @@ updates:
       prefix: "core:"
     labels:
       - dependencies
+    cooldown:
+      default-days: 7
+      semver-major-days: 14
+      semver-patch-days: 3
 
   - package-ecosystem: rust-toolchain
     directory: "/"
@@ -61,6 +77,8 @@ updates:
       prefix: "core:"
     labels:
       - dependencies
+    cooldown:
+      default-days: 3
 
   #endregion
 
@@ -79,6 +97,10 @@ updates:
     open-pull-requests-limit: 10
     commit-message:
       prefix: "web:"
+    cooldown:
+      default-days: 7
+      semver-major-days: 14
+      semver-patch-days: 3
     groups:
       sentry:
         patterns:
@@ -142,6 +164,10 @@ updates:
     open-pull-requests-limit: 10
     commit-message:
       prefix: "core, web:"
+    cooldown:
+      default-days: 7
+      semver-major-days: 14
+      semver-patch-days: 3
     groups:
       sentry:
         patterns:
@@ -200,6 +226,10 @@ updates:
       prefix: "website:"
     labels:
       - dependencies
+    cooldown:
+      default-days: 7
+      semver-major-days: 14
+      semver-patch-days: 3
     groups:
       docusaurus:
         patterns:
@@ -238,6 +268,10 @@ updates:
       prefix: "lifecycle/aws:"
     labels:
       - dependencies
+    cooldown:
+      default-days: 7
+      semver-major-days: 14
+      semver-patch-days: 3
 
   #endregion
 
@@ -253,6 +287,18 @@ updates:
       prefix: "core:"
     labels:
       - dependencies
+    cooldown:
+      default-days: 7
+      semver-major-days: 14
+      semver-patch-days: 3
+      exclude:
+        - "django"
+        - "cryptography"
+        - "pyjwt"
+        - "xmlsec"
+        - "lxml"
+        - "psycopg"
+        - "pyopenssl"
 
   #endregion
 
@@ -270,6 +316,8 @@ updates:
       prefix: "core:"
     labels:
       - dependencies
+    cooldown:
+      default-days: 3
   - package-ecosystem: docker-compose
     directories:
       - /packages/client-go
@@ -285,5 +333,7 @@ updates:
       prefix: "core:"
     labels:
       - dependencies
+    cooldown:
+      default-days: 3
 
   #endregion

.github/workflows/_reusable-docker-build-single.yml

@@ -67,16 +67,8 @@ jobs:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
-      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v5
-        with:
-          node-version-file: web/package.json
-          cache: "npm"
-          cache-dependency-path: web/package-lock.json
-      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
-        with:
-          go-version-file: "go.mod"
       - name: Build Docker Image
-        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
         id: push
         with:
           context: .

.github/workflows/_reusable-docker-build.yml

@@ -90,7 +90,7 @@ jobs:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
-      - uses: int128/docker-manifest-create-action@44422a4b046d55dc036df622039ed3aec43c613c # v2
+      - uses: int128/docker-manifest-create-action@3de37de96c4e900bc3eef9055d3c50abdb4f769d # v2
         id: build
         with:
           tags: ${{ matrix.tag }}

.github/workflows/ci-api-docs.yml

@@ -41,7 +41,7 @@ jobs:
       - working-directory: website/
         name: Install Dependencies
         run: npm ci
-      - uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v4
+      - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v4
         with:
           path: |
             ${{ github.workspace }}/website/api/.docusaurus
@@ -55,7 +55,7 @@ jobs:
         env:
           NODE_ENV: production
         run: npm run build -w api
-      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v4
+      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v4
         with:
           name: api-docs
           path: website/api/build

.github/workflows/ci-docs.yml

@@ -96,7 +96,7 @@ jobs:
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Build Docker Image
         id: push
-        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
         with:
           tags: ${{ steps.ev.outputs.imageTags }}
           file: website/Dockerfile

.github/workflows/ci-main-daily.yml

@@ -20,13 +20,19 @@ jobs:
         version:
           - docs
           - version-2025-12
-          - version-2025-10
+          - version-2026-2
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
       - run: |
+          set -euo pipefail
           current="$(pwd)"
           dir="/tmp/authentik/${{ matrix.version }}"
+          # 2025.12 still serves the legacy docker-compose filename; newer sites use compose.yml.
+          compose_path="compose.yml"
+          if [ "${{ matrix.version }}" = "version-2025-12" ]; then
+            compose_path="docker-compose.yml"
+          fi
           mkdir -p "${dir}/lifecycle/container"
           cd "${dir}"
-          wget "https://${{ matrix.version }}.goauthentik.io/docker-compose.yml" -O "${dir}/lifecycle/container/compose.yml"
+          wget "https://${{ matrix.version }}.goauthentik.io/${compose_path}" -O "${dir}/lifecycle/container/compose.yml"
           "${current}/scripts/test_docker.sh"

.github/workflows/ci-main.yml

@@ -250,7 +250,7 @@ jobs:
         run: |
           docker compose -f tests/e2e/compose.yml up -d --quiet-pull
       - id: cache-web
-        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v4
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v4
         if: contains(matrix.job.profiles, 'selenium')
         with:
           path: web/dist
@@ -296,7 +296,7 @@ jobs:
         run: |
           docker compose -f tests/openid_conformance/compose.yml up -d --quiet-pull
       - id: cache-web
-        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v4
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v4
         with:
           path: web/dist
           key: ${{ runner.os }}-web-${{ hashFiles('web/package-lock.json', 'web/src/**', 'web/packages/sfe/src/**') }}-b
@@ -317,7 +317,7 @@ jobs:
         with:
           flags: conformance
       - if: ${{ !cancelled() }}
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: conformance-certification-${{ matrix.job.name }}
           path: tests/openid_conformance/exports/
@@ -329,7 +329,7 @@ jobs:
       - name: Setup authentik env
         uses: ./.github/actions/setup
         with:
-          dependencies: rust
+          dependencies: rust,runtime
       - name: run tests
         run: |
           cargo llvm-cov --no-report nextest --workspace
@@ -340,7 +340,7 @@ jobs:
           files: target/llvm-cov-target/rust.json
           flags: rust
       - if: ${{ !cancelled() }}
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: test-rust
           path: target/llvm-cov-target/rust.json

.github/workflows/ci-outpost.yml

@@ -105,7 +105,7 @@ jobs:
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Build Docker Image
         id: push
-        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
         with:
           tags: ${{ steps.ev.outputs.imageTags }}
           file: lifecycle/container/${{ matrix.type }}.Dockerfile

.github/workflows/gen-image-compress.yml

@@ -29,7 +29,7 @@ jobs:
        github.event.pull_request.head.repo.full_name == github.repository)
     steps:
       - id: generate_token
-        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v2
+        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v2
         with:
           app-id: ${{ secrets.GH_APP_ID }}
           private-key: ${{ secrets.GH_APP_PRIV_KEY }}
@@ -38,11 +38,11 @@ jobs:
           token: ${{ steps.generate_token.outputs.token }}
       - name: Compress images
         id: compress
-        uses: calibreapp/image-actions@03c976c29803442fc4040a9de5509669e7759b81 # main
+        uses: calibreapp/image-actions@4f7260f5dbd809ec86d03721c1ad71b8a841d3e0 # main
         with:
           GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
           compressOnly: ${{ github.event_name != 'pull_request' }}
-      - uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
+      - uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
         if: "${{ github.event_name != 'pull_request' && steps.compress.outputs.markdown != '' }}"
         id: cpr
         with:

.github/workflows/gen-update-webauthn-mds.yml

@@ -16,7 +16,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - id: generate_token
-        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v2
+        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v2
         with:
           app-id: ${{ secrets.GH_APP_ID }}
           private-key: ${{ secrets.GH_APP_PRIV_KEY }}
@@ -26,7 +26,7 @@ jobs:
       - name: Setup authentik env
         uses: ./.github/actions/setup
       - run: uv run ak update_webauthn_mds
-      - uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
+      - uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
         id: cpr
         with:
           token: ${{ steps.generate_token.outputs.token }}

.github/workflows/gh-cherry-pick.yml

@@ -10,7 +10,7 @@ jobs:
     steps:
       - id: app-token
         name: Generate app token
-        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v2
+        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v2
         if: ${{ env.GH_APP_ID != '' }}
         with:
           app-id: ${{ secrets.GH_APP_ID }}

.github/workflows/gh-ghcr-retention.yml

@@ -16,7 +16,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - id: generate_token
-        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v2
+        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v2
         with:
           app-id: ${{ secrets.GH_APP_ID }}
           private-key: ${{ secrets.GH_APP_PRIV_KEY }}

.github/workflows/packages-npm-publish.yml

@@ -41,7 +41,7 @@ jobs:
           registry-url: "https://registry.npmjs.org"
       - name: Get changed files
         id: changed-files
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # 24d32ffd492484c1d75e0c0b894501ddb9d30d62
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # 24d32ffd492484c1d75e0c0b894501ddb9d30d62
         with:
           files: |
             ${{ matrix.package }}/package.json

.github/workflows/release-branch-off.yml

@@ -29,7 +29,7 @@ jobs:
     steps:
       - id: app-token
         name: Generate app token
-        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v2
+        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v2
         with:
           app-id: ${{ secrets.GH_APP_ID }}
           private-key: ${{ secrets.GH_APP_PRIV_KEY }}
@@ -57,7 +57,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - id: generate_token
-        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v2
+        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v2
         with:
           app-id: ${{ secrets.GH_APP_ID }}
           private-key: ${{ secrets.GH_APP_PRIV_KEY }}
@@ -73,7 +73,7 @@ jobs:
       - name: Bump version
         run: "make bump version=${{ inputs.next_version }}.0-rc1"
       - name: Create pull request
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
+        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
         with:
           token: ${{ steps.generate_token.outputs.token }}
           branch: release-bump-${{ inputs.next_version }}

.github/workflows/release-publish.yml

@@ -51,7 +51,7 @@ jobs:
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Build Docker Image
         id: push
-        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
         with:
           tags: ${{ steps.ev.outputs.imageTags }}
           file: website/Dockerfile
@@ -115,7 +115,7 @@ jobs:
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Build Docker Image
-        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
         id: push
         with:
           push: true
@@ -191,7 +191,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7 # v6.0.0
+      - uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6.1.0
         with:
           role-to-assume: "arn:aws:iam::016170277896:role/github_goauthentik_authentik"
           aws-region: ${{ env.AWS_REGION }}

.github/workflows/release-tag.yml

@@ -67,7 +67,7 @@ jobs:
     steps:
       - id: app-token
         name: Generate app token
-        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v2
+        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v2
         with:
           app-id: ${{ secrets.GH_APP_ID }}
           private-key: ${{ secrets.GH_APP_PRIV_KEY }}
@@ -96,7 +96,7 @@ jobs:
           git tag "version/${{ inputs.version }}" HEAD -m "version/${{ inputs.version }}"
           git push --follow-tags
       - name: Create Release
-        uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2.6.1
+        uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3.0.0
         with:
           token: "${{ steps.app-token.outputs.token }}"
           tag_name: "version/${{ inputs.version }}"
@@ -115,7 +115,7 @@ jobs:
     steps:
       - id: app-token
         name: Generate app token
-        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v2
+        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v2
         with:
           app-id: ${{ secrets.GH_APP_ID }}
           private-key: ${{ secrets.GH_APP_PRIV_KEY }}
@@ -137,7 +137,7 @@ jobs:
           sed -E -i 's/[0-9]{4}\.[0-9]{1,2}\.[0-9]+$/${{ inputs.version }}/' charts/authentik/Chart.yaml
           ./scripts/helm-docs.sh
       - name: Create pull request
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
+        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
         with:
           token: "${{ steps.app-token.outputs.token }}"
           branch: bump-${{ inputs.version }}
@@ -157,7 +157,7 @@ jobs:
     steps:
       - id: app-token
         name: Generate app token
-        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v2
+        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v2
         with:
           app-id: ${{ secrets.GH_APP_ID }}
           private-key: ${{ secrets.GH_APP_PRIV_KEY }}
@@ -196,7 +196,7 @@ jobs:
             '.stable.version = $version | .stable.changelog = $changelog | .stable.changelog_url = $changelog_url | .stable.reason = $reason' version.json > version.new.json
           mv version.new.json version.json
       - name: Create pull request
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
+        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
         with:
           token: "${{ steps.app-token.outputs.token }}"
           branch: bump-${{ inputs.version }}

.github/workflows/repo-stale.yml

@@ -15,7 +15,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - id: generate_token
-        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v2
+        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v2
         with:
           app-id: ${{ secrets.GH_APP_ID }}
           private-key: ${{ secrets.GH_APP_PRIV_KEY }}

.github/workflows/translation-extract-compile.yml

@@ -21,7 +21,7 @@ jobs:
     steps:
       - id: generate_token
         if: ${{ github.event_name != 'pull_request' }}
-        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v2
+        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v2
         with:
           app-id: ${{ secrets.GH_APP_ID }}
           private-key: ${{ secrets.GH_APP_PRIV_KEY }}
@@ -42,7 +42,7 @@ jobs:
           make web-check-compile
       - name: Create Pull Request
         if: ${{ github.event_name != 'pull_request' }}
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
+        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
         with:
           token: ${{ steps.generate_token.outputs.token }}
           branch: extract-compile-backend-translation

Cargo.toml

@@ -1,5 +1,6 @@
 [workspace]
 members = [
+  "packages/ak-axum",
   "packages/ak-common",
   "packages/client-rust",
   "website/scripts/docsmg",
@@ -18,18 +19,26 @@ license-file = "LICENSE"
 publish = false
 
 [workspace.dependencies]
-arc-swap = "= 1.9.0"
+arc-swap = "= 1.9.1"
 axum-server = { version = "= 0.8.0", features = ["tls-rustls-no-provider"] }
-aws-lc-rs = { version = "= 1.16.2", features = ["fips"] }
-clap = { version = "= 4.6.0", features = ["derive", "env"] }
+aws-lc-rs = { version = "= 1.16.3", features = ["fips"] }
+axum = { version = "= 0.8.9", features = ["http2", "macros", "ws"] }
+clap = { version = "= 4.6.1", features = ["derive", "env"] }
+client-ip = { version = "0.2.1", features = ["forwarded-header"] }
 colored = "= 3.1.1"
 config-rs = { package = "config", version = "= 0.15.22", default-features = false, features = [
+  "json",
   "yaml",
-  "async",
 ] }
+console-subscriber = "= 0.5.0"
 dotenvy = "= 0.15.7"
+durstr = "= 0.5.1"
 eyre = "= 0.6.12"
+forwarded-header-value = "= 0.1.1"
+futures = "= 0.3.32"
 glob = "= 0.3.3"
+ipnet = { version = "= 2.12.0", features = ["serde"] }
+json-subscriber = "= 0.2.8"
 nix = { version = "= 0.31.2", features = ["signal"] }
 notify = "= 8.2.0"
 pin-project-lite = "= 0.2.17"
@@ -49,22 +58,56 @@ reqwest-middleware = { version = "= 0.5.1", features = [
   "query",
   "rustls",
 ] }
-rustls = { version = "= 0.23.37", features = ["fips"] }
+rustls = { version = "= 0.23.38", features = ["fips"] }
+sentry = { version = "= 0.47.0", default-features = false, features = [
+  "backtrace",
+  "contexts",
+  "debug-images",
+  "panic",
+  "rustls",
+  "reqwest",
+  "tower",
+  "tracing",
+] }
 serde = { version = "= 1.0.228", features = ["derive"] }
 serde_json = "= 1.0.149"
 serde_repr = "= 0.1.20"
 serde_with = { version = "= 3.18.0", default-features = false, features = [
   "base64",
 ] }
+sqlx = { version = "= 0.8.6", default-features = false, features = [
+  "runtime-tokio",
+  "tls-rustls-aws-lc-rs",
+  "postgres",
+  "derive",
+  "macros",
+  "uuid",
+  "chrono",
+  "ipnet",
+  "json",
+] }
 tempfile = "= 3.27.0"
 thiserror = "= 2.0.18"
-tokio = { version = "= 1.50.0", features = ["full", "tracing"] }
+time = { version = "= 0.3.47", features = ["macros"] }
+tokio = { version = "= 1.51.1", features = ["full", "tracing"] }
+tokio-retry2 = "= 0.9.1"
+tokio-rustls = "= 0.26.4"
 tokio-util = { version = "= 0.7.18", features = ["full"] }
+tower = "= 0.5.3"
+tower-http = { version = "= 0.6.8", features = ["timeout"] }
 tracing = "= 0.1.44"
+tracing-error = "= 0.2.1"
+tracing-subscriber = { version = "= 0.3.23", features = [
+  "env-filter",
+  "json",
+  "local-time",
+  "tracing-log",
+] }
 url = "= 2.5.8"
-uuid = { version = "= 1.23.0", features = ["serde", "v4"] }
+uuid = { version = "= 1.23.1", features = ["serde", "v4"] }
 
-ak-common = { package = "authentik-common", version = "2026.5.0-rc1", path = "./packages/ak-common" }
+ak-client = { package = "authentik-client", version = "2026.5.0-rc1", path = "./packages/client-rust" }
+ak-common = { package = "authentik-common", version = "2026.5.0-rc1", path = "./packages/ak-common", default-features = false }
 
 [profile.dev.package.backtrace]
 opt-level = 3

Makefile

@@ -144,8 +144,14 @@ dev-create-db:
 dev-reset: dev-drop-db dev-create-db migrate  ## Drop and restore the Authentik PostgreSQL instance to a "fresh install" state.
 
 update-test-mmdb:  ## Update test GeoIP and ASN Databases
-	curl -L https://raw.githubusercontent.com/maxmind/MaxMind-DB/refs/heads/main/test-data/GeoLite2-ASN-Test.mmdb -o ${PWD}/tests/GeoLite2-ASN-Test.mmdb
-	curl -L https://raw.githubusercontent.com/maxmind/MaxMind-DB/refs/heads/main/test-data/GeoLite2-City-Test.mmdb -o ${PWD}/tests/GeoLite2-City-Test.mmdb
+	curl \
+		-L \
+		-o ${PWD}/tests/geoip/GeoLite2-ASN-Test.mmdb \
+		https://raw.githubusercontent.com/maxmind/MaxMind-DB/refs/heads/main/test-data/GeoLite2-ASN-Test.mmdb
+	curl \
+		-L \
+		-o ${PWD}/tests/geoip/GeoLite2-City-Test.mmdb \
+		https://raw.githubusercontent.com/maxmind/MaxMind-DB/refs/heads/main/test-data/GeoLite2-City-Test.mmdb
 
 bump:  ## Bump authentik version. Usage: make bump version=20xx.xx.xx
 ifndef version
@@ -199,10 +205,10 @@ gen-diff:  ## (Release) generate the changelog diff between the current schema a
 	npx prettier --write diff.md
 
 gen-client-go:  ## Build and install the authentik API for Golang
-	make -C "${PWD}/packages/client-go" build
+	$(UV) run make -C "${PWD}/packages/client-go" build
 
 gen-client-rust:  ## Build and install the authentik API for Rust
-	make -C "${PWD}/packages/client-rust" build version=${NPM_VERSION}
+	$(UV) run make -C "${PWD}/packages/client-rust" build version=${NPM_VERSION}
 	make lint-fix-rust
 
 gen-client-ts:  ## Build and install the authentik API for Typescript into the authentik UI Application
@@ -344,7 +350,7 @@ ci-lint-clippy: ci--meta-debug
 	$(CARGO) clippy --workspace -- -D warnings
 
 ci-test: ci--meta-debug
-	$(UV) run coverage run manage.py test --keepdb authentik
+	$(UV) run coverage run manage.py test --keepdb --parallel auto authentik
 	$(UV) run coverage combine
 	$(UV) run coverage report
 	$(UV) run coverage xml

SECURITY.md

@@ -18,10 +18,10 @@ Even if the issue is not a CVE, we still greatly appreciate your help in hardeni
 
 (.x being the latest patch release for each version)
 
-| Version    | Supported  |
-| ---------- | ---------- |
-| 2025.12.x  | ✅         |
-| 2026.2.x   | ✅         |
+| Version   | Supported |
+| --------- | --------- |
+| 2025.12.x | ✅        |
+| 2026.2.x  | ✅        |
 
 ## Reporting a Vulnerability
 
@@ -90,6 +90,10 @@ Prompts intentionally allow raw HTML, including script tags, so they can be used
 
 Redirects that only change navigation flow and do not expose session tokens, API keys, or other confidential data are considered acceptable and do not require reporting.
 
+- Outgoing network requests are not filtered.
+
+The destinations of outgoing network requests (HTTP, TCP, etc.) made by authentik to configurable endpoints through objects such as OAuth Sources, SSO Providers, and others are not validated. Depending on your threat model, these requests should be restricted at the network level using appropriate firewall or network policies.
+
 ## Disclosure process
 
 1. Report from Github or Issue is reported via Email as listed above.

authentik/admin/files/backends/base.py

@@ -106,6 +106,7 @@ class Backend:
         self,
         name: str,
         request: HttpRequest | None = None,
+        use_cache: bool = True,
     ) -> dict[str, str] | None:
         """
         Get URLs for each theme variant when filename contains %(theme)s.
@@ -121,7 +122,7 @@ class Backend:
             return None
 
         return {
-            theme: self.file_url(substitute_theme(name, theme), request, use_cache=True)
+            theme: self.file_url(substitute_theme(name, theme), request, use_cache=use_cache)
             for theme in get_valid_themes()
         }
 

authentik/admin/files/backends/passthrough.py

@@ -51,6 +51,7 @@ class PassthroughBackend(Backend):
         self,
         name: str,
         request: HttpRequest | None = None,
+        use_cache: bool = True,
     ) -> dict[str, str] | None:
         """Support themed URLs for external URLs with %(theme)s placeholder.
 

authentik/admin/files/manager.py

@@ -74,6 +74,10 @@ class FileManager:
     ) -> str:
         """
         Get URL for accessing the file.
+
+        Set ``use_cache=False`` when the caller needs a fresh signed URL instead
+        of a cached one, for example when serializing flow/login payloads that
+        may be refreshed after the previous JWT has expired.
         """
         if not name:
             return ""
@@ -83,7 +87,7 @@ class FileManager:
 
         for backend in self.backends:
             if backend.supports_file(name):
-                return backend.file_url(name, request)
+                return backend.file_url(name, request, use_cache=use_cache)
 
         LOGGER.warning(f"Could not find file backend for file: {name}")
         return ""
@@ -92,10 +96,14 @@ class FileManager:
         self,
         name: str | None,
         request: HttpRequest | Request | None = None,
+        use_cache: bool = True,
     ) -> dict[str, str] | None:
         """
         Get URLs for each theme variant when filename contains %(theme)s.
 
+        ``use_cache`` has the same semantics as ``file_url()`` and allows
+        callers to force regeneration of expiring signed URLs.
+
         Returns dict mapping theme to URL if %(theme)s present, None otherwise.
         """
         if not name:
@@ -106,7 +114,7 @@ class FileManager:
 
         for backend in self.backends:
             if backend.supports_file(name):
-                return backend.themed_urls(name, request)
+                return backend.themed_urls(name, request, use_cache=use_cache)
 
         return None
 

authentik/admin/files/tests/test_manager.py

@@ -1,6 +1,7 @@
 """Test file service layer"""
 
 from unittest import skipUnless
+from unittest.mock import Mock
 from urllib.parse import urlparse
 
 from django.http import HttpRequest
@@ -53,6 +54,19 @@ class TestResolveFileUrlBasic(TestCase):
         result = manager.file_url("/static/authentik/sources/icon.svg")
         self.assertEqual(result, "/static/authentik/sources/icon.svg")
 
+    def test_file_url_forwards_use_cache(self):
+        """Test file_url forwards use_cache to backend."""
+        manager = FileManager(FileUsage.MEDIA)
+        backend = Mock()
+        backend.supports_file.return_value = True
+        backend.file_url.return_value = "/files/media/public/test.png?token=fresh"
+        manager.backends = [backend]
+
+        result = manager.file_url("test.png", use_cache=False)
+
+        self.assertEqual(result, "/files/media/public/test.png?token=fresh")
+        backend.file_url.assert_called_once_with("test.png", None, use_cache=False)
+
 
 class TestResolveFileUrlFileBackend(FileTestFileBackendMixin, TestCase):
     def test_resolve_storage_file(self):

authentik/api/pagination.py

@@ -1,10 +1,18 @@
 """Pagination which includes total pages and current page"""
 
+from typing import TYPE_CHECKING
+
 from drf_spectacular.plumbing import build_object_type
 from rest_framework import pagination
 from rest_framework.response import Response
 
+from authentik.api.search.ql import QLSearch
 from authentik.api.v3.schema.pagination import PAGINATION
+from authentik.api.v3.schema.search import AUTOCOMPLETE_SCHEMA
+
+if TYPE_CHECKING:
+    from django.db.models import QuerySet
+    from rest_framework.request import Request
 
 
 class Pagination(pagination.PageNumberPagination):
@@ -13,14 +21,14 @@ class Pagination(pagination.PageNumberPagination):
     page_query_param = "page"
     page_size_query_param = "page_size"
 
-    def get_page_size(self, request):
+    def get_page_size(self, request: Request) -> int:
         if self.page_size_query_param in request.query_params:
             page_size = super().get_page_size(request)
             if page_size is not None:
                 return min(super().get_page_size(request), request.tenant.pagination_max_page_size)
         return request.tenant.pagination_default_page_size
 
-    def get_paginated_response(self, data):
+    def get_paginated_response(self, data) -> Response:
         previous_page_number = 0
         if self.page.has_previous():
             previous_page_number = self.page.previous_page_number()
@@ -39,16 +47,33 @@ class Pagination(pagination.PageNumberPagination):
                     "end_index": self.page.end_index(),
                 },
                 "results": data,
+                "autocomplete": self.get_autocomplete(),
             }
         )
 
+    def paginate_queryset(self, queryset: QuerySet, request: Request, view=None):
+        self.view = view
+        return super().paginate_queryset(queryset, request, view)
+
+    def get_autocomplete(self):
+        schema = QLSearch().get_schema(self.request, self.view)
+        introspections = {}
+        if hasattr(self.view, "get_ql_fields"):
+            from authentik.api.search.schema import AKQLSchemaSerializer
+
+            introspections = AKQLSchemaSerializer().serialize(
+                schema(self.page.paginator.object_list.model)
+            )
+        return introspections
+
     def get_paginated_response_schema(self, schema):
         return build_object_type(
             properties={
                 "pagination": PAGINATION.ref,
                 "results": schema,
+                "autocomplete": AUTOCOMPLETE_SCHEMA.ref,
             },
-            required=["pagination", "results"],
+            required=["pagination", "results", "autocomplete"],
         )
 
 

authentik/api/search/ql.py

@@ -1,25 +1,17 @@
 """DjangoQL search"""
 
-from django.apps import apps
 from django.db.models import QuerySet
 from djangoql.ast import Name
 from djangoql.exceptions import DjangoQLError
 from djangoql.queryset import apply_search
 from djangoql.schema import DjangoQLSchema
-from drf_spectacular.plumbing import ResolvedComponent, build_object_type
 from rest_framework.filters import SearchFilter
 from rest_framework.request import Request
 from structlog.stdlib import get_logger
 
-from authentik.enterprise.search.fields import JSONSearchField
+from authentik.api.search.fields import JSONSearchField
 
 LOGGER = get_logger()
-AUTOCOMPLETE_SCHEMA = ResolvedComponent(
-    name="Autocomplete",
-    object="Autocomplete",
-    type=ResolvedComponent.SCHEMA,
-    schema=build_object_type(additionalProperties={}),
-)
 
 
 class BaseSchema(DjangoQLSchema):
@@ -48,10 +40,6 @@ class QLSearch(SearchFilter):
         super().__init__()
         self._fallback = SearchFilter()
 
-    @property
-    def enabled(self):
-        return apps.get_app_config("authentik_enterprise").enabled()
-
     def get_search_terms(self, request: Request) -> str:
         """Search terms are set by a ?search=... query parameter,
         and may be comma and/or whitespace delimited."""
@@ -73,7 +61,7 @@ class QLSearch(SearchFilter):
     def filter_queryset(self, request: Request, queryset: QuerySet, view) -> QuerySet:
         search_query = self.get_search_terms(request)
         schema = self.get_schema(request, view)
-        if len(search_query) == 0 or not self.enabled:
+        if len(search_query) == 0:
             return self._fallback.filter_queryset(request, queryset, view)
         try:
             return apply_search(queryset, search_query, schema=schema)

authentik/api/search/schema.py

@@ -1,8 +1,6 @@
 from djangoql.serializers import DjangoQLSchemaSerializer
-from drf_spectacular.generators import SchemaGenerator
 
-from authentik.enterprise.search.fields import JSONSearchField
-from authentik.enterprise.search.ql import AUTOCOMPLETE_SCHEMA
+from authentik.api.search.fields import JSONSearchField
 
 
 class AKQLSchemaSerializer(DjangoQLSchemaSerializer):
@@ -20,9 +18,3 @@ class AKQLSchemaSerializer(DjangoQLSchemaSerializer):
         if isinstance(field, JSONSearchField):
             result["relation"] = field.relation()
         return result
-
-
-def postprocess_schema_search_autocomplete(result, generator: SchemaGenerator, **kwargs):
-    generator.registry.register_on_missing(AUTOCOMPLETE_SCHEMA)
-
-    return result

authentik/api/tests/test_search.py

@@ -1,5 +1,4 @@
 from json import loads
-from unittest.mock import PropertyMock, patch
 from urllib.parse import urlencode
 
 from django.urls import reverse
@@ -8,10 +7,6 @@ from rest_framework.test import APITestCase
 from authentik.core.tests.utils import create_test_admin_user
 
 
-@patch(
-    "authentik.enterprise.audit.middleware.EnterpriseAuditMiddleware.enabled",
-    PropertyMock(return_value=True),
-)
 class QLTest(APITestCase):
 
     def setUp(self):

authentik/api/v3/schema/search.py

@@ -0,0 +1,20 @@
+from typing import TYPE_CHECKING
+
+from drf_spectacular.plumbing import ResolvedComponent, build_object_type
+
+if TYPE_CHECKING:
+    from drf_spectacular.generators import SchemaGenerator
+
+
+AUTOCOMPLETE_SCHEMA = ResolvedComponent(
+    name="Autocomplete",
+    object="Autocomplete",
+    type=ResolvedComponent.SCHEMA,
+    schema=build_object_type(additionalProperties={}),
+)
+
+
+def postprocess_schema_search_autocomplete(result, generator: SchemaGenerator, **kwargs):
+    generator.registry.register_on_missing(AUTOCOMPLETE_SCHEMA)
+
+    return result

authentik/blueprints/apps.py

@@ -3,7 +3,6 @@
 import traceback
 from collections.abc import Callable
 from importlib import import_module
-from inspect import ismethod
 
 from django.apps import AppConfig
 from django.conf import settings
@@ -72,12 +71,19 @@ class ManagedAppConfig(AppConfig):
 
     def _reconcile(self, prefix: str) -> None:
         for meth_name in dir(self):
-            meth = getattr(self, meth_name)
-            if not ismethod(meth):
+            # Check the attribute on the class to avoid evaluating @property descriptors.
+            # Using getattr(self, ...) on a @property would evaluate it, which can trigger
+            # expensive side effects (e.g. tenant_schedule_specs iterating all providers
+            # and running PolicyEngine queries for every user).
+            class_attr = getattr(type(self), meth_name, None)
+            if class_attr is None or isinstance(class_attr, property):
                 continue
-            category = getattr(meth, "_authentik_managed_reconcile", None)
+            if not callable(class_attr):
+                continue
+            category = getattr(class_attr, "_authentik_managed_reconcile", None)
             if category != prefix:
                 continue
+            meth = getattr(self, meth_name)
             name = meth_name.replace(prefix, "")
             try:
                 self.logger.debug("Starting reconciler", name=name)

authentik/brands/models.py

@@ -101,13 +101,23 @@ class Brand(SerializerModel):
         """Get themed URLs for branding_favicon if it contains %(theme)s"""
         return get_file_manager(FileUsage.MEDIA).themed_urls(self.branding_favicon)
 
-    def branding_default_flow_background_url(self) -> str:
+    def branding_default_flow_background_url(self, request=None, use_cache: bool = True) -> str:
         """Get branding_default_flow_background URL"""
-        return get_file_manager(FileUsage.MEDIA).file_url(self.branding_default_flow_background)
+        return get_file_manager(FileUsage.MEDIA).file_url(
+            self.branding_default_flow_background,
+            request,
+            use_cache=use_cache,
+        )
 
-    def branding_default_flow_background_themed_urls(self) -> dict[str, str] | None:
+    def branding_default_flow_background_themed_urls(
+        self, request=None, use_cache: bool = True
+    ) -> dict[str, str] | None:
         """Get themed URLs for branding_default_flow_background if it contains %(theme)s"""
-        return get_file_manager(FileUsage.MEDIA).themed_urls(self.branding_default_flow_background)
+        return get_file_manager(FileUsage.MEDIA).themed_urls(
+            self.branding_default_flow_background,
+            request,
+            use_cache=use_cache,
+        )
 
     @property
     def serializer(self) -> type[Serializer]:

authentik/common/oauth/constants.py

@@ -21,6 +21,9 @@ PROMPT_CONSENT = "consent"
 PROMPT_LOGIN = "login"
 
 PLAN_CONTEXT_OIDC_LOGOUT_IFRAME_SESSIONS = "goauthentik.io/providers/oauth2/iframe_sessions"
+PLAN_CONTEXT_POST_LOGOUT_REDIRECT_URI = "goauthentik.io/providers/oauth2/post_logout_redirect_uri"
+
+OAUTH2_BINDING = "redirect"
 
 SCOPE_OPENID = "openid"
 SCOPE_OPENID_PROFILE = "profile"
@@ -37,6 +40,9 @@ TOKEN_TYPE = "Bearer"  # nosec
 
 SCOPE_AUTHENTIK_API = "goauthentik.io/api"
 
+# URI schemes that are forbidden for redirect URIs
+FORBIDDEN_URI_SCHEMES = {"javascript", "data", "vbscript"}
+
 # Read/write full user (including email)
 SCOPE_GITHUB_USER = "user"
 # Read user (without email)

authentik/core/api/groups.py

@@ -7,6 +7,7 @@ from django.http import Http404
 from django.utils.translation import gettext as _
 from django_filters.filters import CharFilter, ModelMultipleChoiceFilter
 from django_filters.filterset import FilterSet
+from djangoql.schema import BoolField, StrField
 from drf_spectacular.utils import (
     OpenApiParameter,
     OpenApiResponse,
@@ -25,6 +26,9 @@ from rest_framework.serializers import ListSerializer, ValidationError
 from rest_framework.viewsets import ModelViewSet
 
 from authentik.api.authentication import TokenAuthentication
+from authentik.api.search.fields import (
+    JSONSearchField,
+)
 from authentik.api.validation import validate
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import JSONDictField, ModelSerializer, PassiveSerializer
@@ -265,12 +269,6 @@ class GroupViewSet(UsedByMixin, ModelViewSet):
     ]
 
     def get_ql_fields(self):
-        from djangoql.schema import BoolField, StrField
-
-        from authentik.enterprise.search.fields import (
-            JSONSearchField,
-        )
-
         return [
             StrField(Group, "name"),
             BoolField(Group, "is_superuser", nullable=True),

authentik/core/api/users.py

@@ -22,6 +22,7 @@ from django_filters.filters import (
     UUIDFilter,
 )
 from django_filters.filterset import FilterSet
+from djangoql.schema import BoolField, StrField
 from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import (
     OpenApiParameter,
@@ -55,6 +56,10 @@ from rest_framework.viewsets import ModelViewSet
 from structlog.stdlib import get_logger
 
 from authentik.api.authentication import TokenAuthentication
+from authentik.api.search.fields import (
+    ChoiceSearchField,
+    JSONSearchField,
+)
 from authentik.api.validation import validate
 from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT
 from authentik.brands.models import Brand
@@ -524,13 +529,6 @@ class UserViewSet(
     ]
 
     def get_ql_fields(self):
-        from djangoql.schema import BoolField, StrField
-
-        from authentik.enterprise.search.fields import (
-            ChoiceSearchField,
-            JSONSearchField,
-        )
-
         return [
             StrField(User, "username"),
             StrField(User, "name"),

authentik/core/models.py

@@ -951,21 +951,34 @@ class Source(ManagedModel, SerializerModel, PolicyBindingModel):
 
     objects = InheritanceManager()
 
+    def get_icon_url(self, request=None, use_cache: bool = True) -> str | None:
+        """Get the URL to the source icon."""
+        if not self.icon:
+            return None
+        return get_file_manager(FileUsage.MEDIA).file_url(self.icon, request, use_cache=use_cache)
+
     @property
     def icon_url(self) -> str | None:
         """Get the URL to the source icon"""
+        return self.get_icon_url()
+
+    def get_icon_themed_urls(
+        self,
+        request=None,
+        use_cache: bool = True,
+    ) -> dict[str, str] | None:
+        """Get themed URLs for icon if it contains %(theme)s."""
         if not self.icon:
             return None
-
-        return get_file_manager(FileUsage.MEDIA).file_url(self.icon)
+        return get_file_manager(FileUsage.MEDIA).themed_urls(
+            self.icon,
+            request,
+            use_cache=use_cache,
+        )
 
     @property
     def icon_themed_urls(self) -> dict[str, str] | None:
-        """Get themed URLs for icon if it contains %(theme)s"""
-        if not self.icon:
-            return None
-
-        return get_file_manager(FileUsage.MEDIA).themed_urls(self.icon)
+        return self.get_icon_themed_urls()
 
     def get_user_path(self) -> str:
         """Get user path, fallback to default for formatting errors"""

authentik/core/sessions.py

@@ -72,6 +72,7 @@ class SessionStore(SessionBase):
             #                  and their descriptors fail to initialize (e.g., missing storage)
             # TypeError - can happen with incompatible pickled objects
             # If any of these happen, just return an empty dictionary (an empty session)
+            LOGGER.warning("Failed to decode session data", exc_info=True)
             pass
         return {}
 

authentik/core/tests/test_models.py

@@ -2,6 +2,7 @@
 
 from collections.abc import Callable
 from datetime import timedelta
+from unittest.mock import patch
 
 from django.test import RequestFactory, TestCase
 from django.utils.timezone import now
@@ -10,6 +11,7 @@ from guardian.shortcuts import get_anonymous_user
 
 from authentik.core.models import Provider, Source, Token
 from authentik.events.models import Event, EventAction
+from authentik.flows.models import Flow
 from authentik.lib.generators import generate_id
 from authentik.lib.utils.reflection import all_subclasses
 
@@ -47,6 +49,58 @@ class TestModels(TestCase):
             event.context["deprecation"], "authentik.core.models.Token.filter_not_expired"
         )
 
+    @patch("authentik.core.models.get_file_manager")
+    def test_source_icon_url_can_bypass_cache(self, get_file_manager):
+        request = RequestFactory().get("/")
+        manager = get_file_manager.return_value
+        manager.file_url.return_value = "/files/media/public/source-icons/icon.svg?token=fresh"
+
+        source = Source(icon="source-icons/icon.svg")
+
+        self.assertEqual(
+            source.get_icon_url(request, use_cache=False),
+            "/files/media/public/source-icons/icon.svg?token=fresh",
+        )
+        manager.file_url.assert_called_once_with(
+            "source-icons/icon.svg",
+            request,
+            use_cache=False,
+        )
+
+    @patch("authentik.flows.models.get_file_manager")
+    def test_flow_background_urls_can_bypass_cache(self, get_file_manager):
+        request = RequestFactory().get("/")
+        manager = get_file_manager.return_value
+        manager.file_url.return_value = "/files/media/public/background.svg?token=fresh"
+        manager.themed_urls.return_value = {
+            "light": "/files/media/public/background-light.svg?token=fresh",
+            "dark": "/files/media/public/background-dark.svg?token=fresh",
+        }
+
+        flow = Flow(background="background-%(theme)s.svg")
+
+        self.assertEqual(
+            flow.background_url(request, use_cache=False),
+            "/files/media/public/background.svg?token=fresh",
+        )
+        self.assertEqual(
+            flow.background_themed_urls(request, use_cache=False),
+            {
+                "light": "/files/media/public/background-light.svg?token=fresh",
+                "dark": "/files/media/public/background-dark.svg?token=fresh",
+            },
+        )
+        manager.file_url.assert_called_once_with(
+            "background-%(theme)s.svg",
+            request,
+            use_cache=False,
+        )
+        manager.themed_urls.assert_called_once_with(
+            "background-%(theme)s.svg",
+            request,
+            use_cache=False,
+        )
+
 
 def source_tester_factory(test_model: type[Source]) -> Callable:
     """Test source"""

authentik/endpoints/connectors/agent/controller.py

@@ -138,13 +138,7 @@ class AgentConnectorController(BaseController[AgentConnector]):
                             "AllowDeviceIdentifiersInAttestation": True,
                             "AuthenticationMethod": "UserSecureEnclaveKey",
                             "EnableAuthorization": True,
-                            "EnableCreateUserAtLogin": True,
-                            "FileVaultPolicy": ["RequireAuthentication"],
-                            "LoginPolicy": ["RequireAuthentication"],
-                            "NewUserAuthorizationMode": "Standard",
-                            "UnlockPolicy": ["RequireAuthentication"],
                             "UseSharedDeviceKeys": True,
-                            "UserAuthorizationMode": "Standard",
                         },
                     },
                 ],

authentik/endpoints/connectors/agent/migrations/0005_appleindependentsecureenclave.py

@@ -0,0 +1,54 @@
+# Generated by Django 5.2.12 on 2026-03-06 14:38
+
+import django.db.models.deletion
+import uuid
+from django.conf import settings
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        (
+            "authentik_endpoints_connectors_agent",
+            "0004_agentconnector_challenge_idle_timeout_and_more",
+        ),
+        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name="AppleIndependentSecureEnclave",
+            fields=[
+                ("created", models.DateTimeField(auto_now_add=True)),
+                ("last_updated", models.DateTimeField(auto_now=True)),
+                (
+                    "name",
+                    models.CharField(
+                        help_text="The human-readable name of this device.", max_length=64
+                    ),
+                ),
+                (
+                    "confirmed",
+                    models.BooleanField(default=True, help_text="Is this device ready for use?"),
+                ),
+                ("last_used", models.DateTimeField(null=True)),
+                ("uuid", models.UUIDField(default=uuid.uuid4, primary_key=True, serialize=False)),
+                ("apple_secure_enclave_key", models.TextField()),
+                ("apple_enclave_key_id", models.TextField()),
+                ("device_type", models.TextField()),
+                (
+                    "user",
+                    models.ForeignKey(
+                        help_text="The user that this device belongs to.",
+                        on_delete=django.db.models.deletion.CASCADE,
+                        to=settings.AUTH_USER_MODEL,
+                    ),
+                ),
+            ],
+            options={
+                "verbose_name": "Apple Independent Secure Enclave",
+                "verbose_name_plural": "Apple Independent Secure Enclaves",
+            },
+        ),
+    ]

authentik/endpoints/connectors/agent/models.py

@@ -19,6 +19,7 @@ from authentik.flows.stage import StageView
 from authentik.lib.generators import generate_key
 from authentik.lib.models import InternallyManagedMixin, SerializerModel
 from authentik.lib.utils.time import timedelta_string_validator
+from authentik.stages.authenticator.models import Device as Authenticator
 
 if TYPE_CHECKING:
     from authentik.endpoints.connectors.agent.controller import AgentConnectorController
@@ -172,3 +173,17 @@ class AppleNonce(InternallyManagedMixin, ExpiringModel):
     class Meta(ExpiringModel.Meta):
         verbose_name = _("Apple Nonce")
         verbose_name_plural = _("Apple Nonces")
+
+
+class AppleIndependentSecureEnclave(Authenticator):
+    """A device-independent secure enclave key, used by Tap-to-login"""
+
+    uuid = models.UUIDField(primary_key=True, default=uuid4)
+
+    apple_secure_enclave_key = models.TextField()
+    apple_enclave_key_id = models.TextField()
+    device_type = models.TextField()
+
+    class Meta:
+        verbose_name = _("Apple Independent Secure Enclave")
+        verbose_name_plural = _("Apple Independent Secure Enclaves")

authentik/enterprise/endpoints/connectors/agent/api/secure_enclave.py

@@ -0,0 +1,28 @@
+from rest_framework.viewsets import ModelViewSet
+
+from authentik.core.api.used_by import UsedByMixin
+from authentik.core.api.utils import ModelSerializer
+from authentik.endpoints.connectors.agent.models import AppleIndependentSecureEnclave
+
+
+class AppleIndependentSecureEnclaveSerializer(ModelSerializer):
+    class Meta:
+        model = AppleIndependentSecureEnclave
+        fields = [
+            "uuid",
+            "user",
+            "apple_secure_enclave_key",
+            "apple_enclave_key_id",
+            "device_type",
+        ]
+
+
+class AppleIndependentSecureEnclaveViewSet(UsedByMixin, ModelViewSet):
+    queryset = AppleIndependentSecureEnclave.objects.all()
+    serializer_class = AppleIndependentSecureEnclaveSerializer
+    search_fields = [
+        "name",
+        "user__name",
+    ]
+    ordering = ["uuid"]
+    filterset_fields = ["user", "apple_enclave_key_id"]

authentik/enterprise/endpoints/connectors/agent/tests/test_apple_token.py

@@ -11,6 +11,7 @@ from authentik.endpoints.connectors.agent.models import (
     AgentConnector,
     AgentDeviceConnection,
     AgentDeviceUserBinding,
+    AppleIndependentSecureEnclave,
     AppleNonce,
     DeviceToken,
     EnrollmentToken,
@@ -25,7 +26,7 @@ class TestAppleToken(TestCase):
 
     def setUp(self):
         self.apple_sign_key = create_test_cert(PrivateKeyAlg.ECDSA)
-        sign_key_pem = self.apple_sign_key.public_key.public_bytes(
+        self.sign_key_pem = self.apple_sign_key.public_key.public_bytes(
             encoding=serialization.Encoding.PEM,
             format=serialization.PublicFormat.SubjectPublicKeyInfo,
         ).decode()
@@ -50,7 +51,7 @@ class TestAppleToken(TestCase):
             device=self.device,
             connector=self.connector,
             apple_sign_key_id=self.apple_sign_key.kid,
-            apple_signing_key=sign_key_pem,
+            apple_signing_key=self.sign_key_pem,
             apple_encryption_key=self.enc_pub,
         )
         self.user = create_test_user()
@@ -59,7 +60,7 @@ class TestAppleToken(TestCase):
             user=self.user,
             order=0,
             apple_enclave_key_id=self.apple_sign_key.kid,
-            apple_secure_enclave_key=sign_key_pem,
+            apple_secure_enclave_key=self.sign_key_pem,
         )
         self.device_token = DeviceToken.objects.create(device=self.connection)
 
@@ -113,3 +114,62 @@ class TestAppleToken(TestCase):
         ).first()
         self.assertIsNotNone(event)
         self.assertEqual(event.context["device"]["name"], self.device.name)
+
+    @reconcile_app("authentik_crypto")
+    def test_token_independent(self):
+        nonce = generate_id()
+
+        AgentDeviceUserBinding.objects.all().delete()
+        AppleIndependentSecureEnclave.objects.create(
+            user=self.user,
+            apple_enclave_key_id=self.apple_sign_key.kid,
+            apple_secure_enclave_key=self.sign_key_pem,
+        )
+
+        AppleNonce.objects.create(
+            device_token=self.device_token,
+            nonce=nonce,
+        )
+        embedded = encode(
+            {"iss": str(self.connector.pk), "aud": str(self.device.pk), "request_nonce": nonce},
+            self.apple_sign_key.private_key,
+            headers={
+                "kid": self.apple_sign_key.kid,
+            },
+            algorithm=JWTAlgorithms.from_private_key(self.apple_sign_key.private_key),
+        )
+        assertion = encode(
+            {
+                "iss": str(self.connector.pk),
+                "aud": "http://testserver/endpoints/agent/psso/token/",
+                "request_nonce": nonce,
+                "assertion": embedded,
+                "jwe_crypto": {
+                    "apv": (
+                        "AAAABUFwcGxlAAAAQQTFgZOospN6KbkhXhx1lfa-AKYxjEfJhTJrkpdEY_srMmkPzS7VN0Bzt2AtNBEXE"
+                        "aphDONiP2Mq6Oxytv5JKOxHAAAAJDgyOThERkY5LTVFMUUtNEUwMS04OEUwLUI3QkQzOUM4QjA3Qw"
+                    )
+                },
+            },
+            self.apple_sign_key.private_key,
+            headers={
+                "kid": self.apple_sign_key.kid,
+            },
+            algorithm=JWTAlgorithms.from_private_key(self.apple_sign_key.private_key),
+        )
+        res = self.client.post(
+            reverse("authentik_enterprise_endpoints_connectors_agent:psso-token"),
+            data={
+                "assertion": assertion,
+                "platform_sso_version": "1.0",
+                "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
+            },
+        )
+
+        self.assertEqual(res.status_code, 200)
+        event = Event.objects.filter(
+            action=EventAction.LOGIN,
+            app="authentik.endpoints.connectors.agent",
+        ).first()
+        self.assertIsNotNone(event)
+        self.assertEqual(event.context["device"]["name"], self.device.name)

authentik/enterprise/endpoints/connectors/agent/urls.py

@@ -1,5 +1,8 @@
 from django.urls import path
 
+from authentik.enterprise.endpoints.connectors.agent.api.secure_enclave import (
+    AppleIndependentSecureEnclaveViewSet,
+)
 from authentik.enterprise.endpoints.connectors.agent.views.apple_jwks import AppleJWKSView
 from authentik.enterprise.endpoints.connectors.agent.views.apple_nonce import NonceView
 from authentik.enterprise.endpoints.connectors.agent.views.apple_register import (
@@ -23,6 +26,7 @@ urlpatterns = [
 ]
 
 api_urlpatterns = [
+    ("endpoints/agents/psso/ise", AppleIndependentSecureEnclaveViewSet),
     path(
         "endpoints/agents/psso/register/device/",
         RegisterDeviceView.as_view(),

authentik/enterprise/endpoints/connectors/agent/views/apple_token.py

@@ -19,6 +19,7 @@ from authentik.endpoints.connectors.agent.models import (
     AgentConnector,
     AgentDeviceConnection,
     AgentDeviceUserBinding,
+    AppleIndependentSecureEnclave,
     AppleNonce,
     DeviceAuthenticationToken,
 )
@@ -103,7 +104,9 @@ class TokenView(View):
         nonce.delete()
         return decoded
 
-    def validate_embedded_assertion(self, assertion: str) -> tuple[AgentDeviceUserBinding, dict]:
+    def validate_embedded_assertion(
+        self, assertion: str
+    ) -> tuple[AgentDeviceUserBinding | AppleIndependentSecureEnclave, dict]:
         """Decode an embedded assertion and validate it by looking up the matching device user"""
         decode_unvalidated = get_unverified_header(assertion)
         expected_kid = decode_unvalidated["kid"]
@@ -112,8 +115,13 @@ class TokenView(View):
             target=self.device_connection.device, apple_enclave_key_id=expected_kid
         ).first()
         if not device_user:
-            LOGGER.warning("Could not find device user binding for user")
-            raise ValidationError("Invalid request")
+            independent_user = AppleIndependentSecureEnclave.objects.filter(
+                apple_enclave_key_id=expected_kid
+            ).first()
+            if not independent_user:
+                LOGGER.warning("Could not find device user binding or independent enclave for user")
+                raise ValidationError("Invalid request")
+            device_user = independent_user
         decoded: dict[str, Any] = decode(
             assertion,
             device_user.apple_secure_enclave_key,

authentik/enterprise/search/apps.py

@@ -1,12 +0,0 @@
-"""Enterprise app config"""
-
-from authentik.enterprise.apps import EnterpriseConfig
-
-
-class AuthentikEnterpriseSearchConfig(EnterpriseConfig):
-    """Enterprise app config"""
-
-    name = "authentik.enterprise.search"
-    label = "authentik_search"
-    verbose_name = "authentik Enterprise.Search"
-    default = True

authentik/enterprise/search/pagination.py

@@ -1,51 +0,0 @@
-from rest_framework.response import Response
-
-from authentik.api.pagination import Pagination
-from authentik.enterprise.search.ql import AUTOCOMPLETE_SCHEMA, QLSearch
-
-
-class AutocompletePagination(Pagination):
-
-    def paginate_queryset(self, queryset, request, view=None):
-        self.view = view
-        return super().paginate_queryset(queryset, request, view)
-
-    def get_autocomplete(self):
-        schema = QLSearch().get_schema(self.request, self.view)
-        introspections = {}
-        if hasattr(self.view, "get_ql_fields"):
-            from authentik.enterprise.search.schema import AKQLSchemaSerializer
-
-            introspections = AKQLSchemaSerializer().serialize(
-                schema(self.page.paginator.object_list.model)
-            )
-        return introspections
-
-    def get_paginated_response(self, data):
-        previous_page_number = 0
-        if self.page.has_previous():
-            previous_page_number = self.page.previous_page_number()
-        next_page_number = 0
-        if self.page.has_next():
-            next_page_number = self.page.next_page_number()
-        return Response(
-            {
-                "pagination": {
-                    "next": next_page_number,
-                    "previous": previous_page_number,
-                    "count": self.page.paginator.count,
-                    "current": self.page.number,
-                    "total_pages": self.page.paginator.num_pages,
-                    "start_index": self.page.start_index(),
-                    "end_index": self.page.end_index(),
-                },
-                "results": data,
-                "autocomplete": self.get_autocomplete(),
-            }
-        )
-
-    def get_paginated_response_schema(self, schema):
-        final_schema = super().get_paginated_response_schema(schema)
-        final_schema["properties"]["autocomplete"] = AUTOCOMPLETE_SCHEMA.ref
-        final_schema["required"].append("autocomplete")
-        return final_schema

authentik/enterprise/search/settings.py

@@ -1,20 +0,0 @@
-SPECTACULAR_SETTINGS = {
-    "POSTPROCESSING_HOOKS": [
-        "authentik.api.v3.schema.response.postprocess_schema_register",
-        "authentik.api.v3.schema.response.postprocess_schema_responses",
-        "authentik.api.v3.schema.query.postprocess_schema_query_params",
-        "authentik.api.v3.schema.cleanup.postprocess_schema_remove_unused",
-        "authentik.enterprise.search.schema.postprocess_schema_search_autocomplete",
-        "authentik.api.v3.schema.enum.postprocess_schema_enums",
-    ],
-}
-
-REST_FRAMEWORK = {
-    "DEFAULT_PAGINATION_CLASS": "authentik.enterprise.search.pagination.AutocompletePagination",
-    "DEFAULT_FILTER_BACKENDS": [
-        "authentik.enterprise.search.ql.QLSearch",
-        "authentik.rbac.filters.ObjectFilter",
-        "django_filters.rest_framework.DjangoFilterBackend",
-        "rest_framework.filters.OrderingFilter",
-    ],
-}

authentik/enterprise/settings.py

@@ -14,7 +14,6 @@ TENANT_APPS = [
     "authentik.enterprise.providers.ssf",
     "authentik.enterprise.providers.ws_federation",
     "authentik.enterprise.reports",
-    "authentik.enterprise.search",
     "authentik.enterprise.stages.authenticator_endpoint_gdtc",
     "authentik.enterprise.stages.mtls",
     "authentik.enterprise.stages.source",

authentik/enterprise/stages/mtls/stage.py

@@ -102,7 +102,7 @@ class MTLSStageView(ChallengeStageView):
             return []
         certs = []
         for cert in ftcc_raw.split(","):
-            certs.extend(self.__parse_single_cert(cert, ParseOptions.UNQUOTE, ParseOptions.FORMAT))
+            certs.extend(self.__parse_single_cert(cert, ParseOptions.FORMAT))
         return certs
 
     def _parse_cert_outpost(self) -> list[Certificate]:

authentik/enterprise/stages/mtls/tests/test_stage.py

@@ -53,7 +53,7 @@ class MTLSStageTests(FlowTestCase):
 
     def _format_traefik(self, cert: str | None = None):
         cert = cert if cert else self.client_cert
-        return quote_plus(cert.replace(PEM_HEADER, "").replace(PEM_FOOTER, "").replace("\n", ""))
+        return cert.replace(PEM_HEADER, "").replace(PEM_FOOTER, "").replace("\n", "")
 
     def test_parse_xfcc(self):
         """Test authentik Proxy/Envoy's XFCC format"""

authentik/events/api/events.py

@@ -11,6 +11,8 @@ from django.db.models.functions import TruncHour
 from django.db.models.query_utils import Q
 from django.utils.text import slugify
 from django.utils.timezone import now
+from djangoql.schema import DateTimeField as QLDateTimeFIeld
+from djangoql.schema import IntField, StrField
 from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import OpenApiParameter, extend_schema
 from guardian.shortcuts import get_objects_for_user
@@ -27,6 +29,7 @@ from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.viewsets import ModelViewSet
 
+from authentik.api.search.fields import ChoiceSearchField, JSONSearchField
 from authentik.api.validation import validate
 from authentik.core.api.object_types import TypeCreateSerializer
 from authentik.core.api.utils import ModelSerializer, PassiveSerializer
@@ -171,10 +174,6 @@ class EventViewSet(
     filterset_class = EventsFilter
 
     def get_ql_fields(self):
-        from djangoql.schema import DateTimeField, IntField, StrField
-
-        from authentik.enterprise.search.fields import ChoiceSearchField, JSONSearchField
-
         return [
             ChoiceSearchField(Event, "action"),
             StrField(Event, "event_uuid"),
@@ -216,7 +215,7 @@ class EventViewSet(
                     ),
                 ),
             ),
-            DateTimeField(Event, "created", suggest_options=True),
+            QLDateTimeFIeld(Event, "created", suggest_options=True),
         ]
 
     @extend_schema(

authentik/events/middleware.py

@@ -13,6 +13,7 @@ from django.core.exceptions import SuspiciousOperation
 from django.db.models import Model
 from django.db.models.signals import m2m_changed, post_save, pre_delete
 from django.http import HttpRequest, HttpResponse
+from django_postgres_cache.models import CacheEntry
 from structlog.stdlib import BoundLogger, get_logger
 
 from authentik.blueprints.v1.importer import excluded_models
@@ -31,6 +32,7 @@ IGNORED_MODELS = tuple(
         Notification,
         StaticToken,
         Session,
+        CacheEntry,
     )
 )
 

authentik/events/migrations/0018_event_authentik_e_user_pk__idx.py

@@ -0,0 +1,17 @@
+# Generated by Django 5.2.12 on 2026-04-09 16:03
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_events", "0017_notificationtransport_webhook_ca"),
+    ]
+
+    operations = [
+        migrations.AddIndex(
+            model_name="event",
+            index=models.Index(models.F("user__pk"), name="authentik_e_user_pk__idx"),
+        ),
+    ]

authentik/events/models.py

@@ -321,6 +321,10 @@ class Event(SerializerModel, ExpiringModel):
                 models.F("context__authorized_application"),
                 name="authentik_e_ctx_app__idx",
             ),
+            models.Index(
+                models.F("user__pk"),
+                name="authentik_e_user_pk__idx",
+            ),
         ]
 
 
@@ -456,7 +460,7 @@ class NotificationTransport(TasksModel, SerializerModel):
                 response.raise_for_status()
             except RequestException as exc:
                 raise NotificationTransportError(
-                    exc.response.text if exc.response else str(exc)
+                    exc.response.text if exc.response is not None else str(exc)
                 ) from exc
             return [
                 response.status_code,
@@ -519,7 +523,7 @@ class NotificationTransport(TasksModel, SerializerModel):
             response = get_http_session().post(self.webhook_url, json=body)
             response.raise_for_status()
         except RequestException as exc:
-            text = exc.response.text if exc.response else str(exc)
+            text = exc.response.text if exc.response is not None else str(exc)
             raise NotificationTransportError(text) from exc
         return [
             response.status_code,

authentik/flows/models.py

@@ -185,25 +185,47 @@ class Flow(SerializerModel, PolicyBindingModel):
         help_text=_("Required level of authentication and authorization to access a flow."),
     )
 
-    def background_url(self, request: HttpRequest | None = None) -> str:
+    def background_url(
+        self,
+        request: HttpRequest | None = None,
+        use_cache: bool = True,
+    ) -> str:
         """Get the URL to the background image"""
         if not self.background:
             if request:
-                return request.brand.branding_default_flow_background_url()
+                return request.brand.branding_default_flow_background_url(
+                    request,
+                    use_cache=use_cache,
+                )
             return (
                 CONFIG.get("web.path", "/")[:-1] + "/static/dist/assets/images/flow_background.jpg"
             )
 
-        return get_file_manager(FileUsage.MEDIA).file_url(self.background, request)
+        return get_file_manager(FileUsage.MEDIA).file_url(
+            self.background,
+            request,
+            use_cache=use_cache,
+        )
 
-    def background_themed_urls(self, request: HttpRequest | None = None) -> dict[str, str] | None:
+    def background_themed_urls(
+        self,
+        request: HttpRequest | None = None,
+        use_cache: bool = True,
+    ) -> dict[str, str] | None:
         """Get themed URLs for background if it contains %(theme)s"""
         if not self.background:
             if request:
-                return request.brand.branding_default_flow_background_themed_urls()
+                return request.brand.branding_default_flow_background_themed_urls(
+                    request,
+                    use_cache=use_cache,
+                )
             return None
 
-        return get_file_manager(FileUsage.MEDIA).themed_urls(self.background, request)
+        return get_file_manager(FileUsage.MEDIA).themed_urls(
+            self.background,
+            request,
+            use_cache=use_cache,
+        )
 
     stages = models.ManyToManyField(Stage, through="FlowStageBinding", blank=True)
 

authentik/flows/stage.py

@@ -15,6 +15,7 @@ from rest_framework.request import Request
 from sentry_sdk import start_span
 from structlog.stdlib import BoundLogger, get_logger
 
+from authentik.common.oauth.constants import PLAN_CONTEXT_POST_LOGOUT_REDIRECT_URI
 from authentik.core.models import Application, User
 from authentik.flows.challenge import (
     AccessDeniedChallenge,
@@ -193,12 +194,14 @@ class ChallengeStageView(StageView):
             if not hasattr(challenge, "initial_data"):
                 challenge.initial_data = {}
             if "flow_info" not in challenge.initial_data:
+                # Flow payloads can outlive the previous signed media JWT, so
+                # refreshes must mint fresh URLs instead of reusing cached ones.
                 flow_info = ContextualFlowInfo(
                     data={
                         "title": self.format_title(),
-                        "background": self.executor.flow.background_url(self.request),
+                        "background": self.executor.flow.background_url(use_cache=False),
                         "background_themed_urls": self.executor.flow.background_themed_urls(
-                            self.request
+                            use_cache=False,
                         ),
                         "cancel_url": self.cancel_url,
                         "layout": self.executor.flow.layout,
@@ -300,7 +303,24 @@ class SessionEndStage(ChallengeStageView):
     that the user is likely to take after signing out of a provider."""
 
     def get_challenge(self, *args, **kwargs) -> Challenge:
+        # Check for OIDC post_logout_redirect_uri in context
+        post_logout_redirect_uri = self.executor.plan.context.get(
+            PLAN_CONTEXT_POST_LOGOUT_REDIRECT_URI
+        )
+
+        if post_logout_redirect_uri:
+            self.logger.debug(
+                "SessionEndStage redirecting to post_logout_redirect_uri",
+                redirect_url=post_logout_redirect_uri,
+            )
+            return RedirectChallenge(
+                data={
+                    "to": post_logout_redirect_uri,
+                },
+            )
+
         if not self.request.user.is_authenticated:
+            # User is logged out with no redirect URI - go to default
             return RedirectChallenge(
                 data={
                     "to": reverse("authentik_core:root-redirect"),

authentik/flows/tests/test_inspector.py

@@ -33,7 +33,7 @@ class TestFlowInspector(APITestCase):
         FlowStageBinding.objects.create(
             target=flow,
             stage=ident_stage,
-            order=1,
+            order=0,
             invalid_response_action=InvalidResponseAction.RESTART_WITH_CONTEXT,
         )
         dummy_stage = DummyStage.objects.create(name=generate_id())

authentik/flows/tests/test_stage_views.py

@@ -4,9 +4,14 @@ from collections.abc import Callable
 
 from django.test import RequestFactory, TestCase
 
+from authentik.core.tests.utils import RequestFactory as AuthentikRequestFactory
+from authentik.core.tests.utils import create_test_flow
+from authentik.flows.models import FlowStageBinding
 from authentik.flows.stage import StageView
 from authentik.flows.views.executor import FlowExecutorView
 from authentik.lib.utils.reflection import all_subclasses
+from authentik.stages.dummy.models import DummyStage
+from authentik.stages.dummy.stage import DummyStageView
 
 
 class TestViews(TestCase):
@@ -15,6 +20,27 @@ class TestViews(TestCase):
     def setUp(self) -> None:
         self.factory = RequestFactory()
         self.exec = FlowExecutorView(request=self.factory.get("/"))
+        self.authentik_factory = AuthentikRequestFactory()
+
+    def test_challenge_stage_flow_info_uses_relative_background(self):
+        """Test challenge flow info keeps background URLs app-relative."""
+        flow = create_test_flow()
+        stage = DummyStage.objects.create(name="dummy")
+        FlowStageBinding.objects.create(target=flow, stage=stage, order=0)
+        request = self.authentik_factory.get("/")
+
+        executor = FlowExecutorView(flow=flow, request=request)
+        executor.current_stage = stage
+
+        view = DummyStageView(executor)
+        view.request = request
+
+        challenge = view._get_challenge()
+
+        self.assertEqual(
+            challenge.initial_data["flow_info"]["background"],
+            "/static/dist/assets/images/flow_background.jpg",
+        )
 
 
 def view_tester_factory(view_class: type[StageView]) -> Callable:

authentik/lib/sync/outgoing/models.py

@@ -1,3 +1,4 @@
+import math
 from typing import Any, Self
 
 import pglock
@@ -68,7 +69,12 @@ class OutgoingSyncProvider(ScheduledModel, Model):
         return Paginator(self.get_object_qs(type), self.sync_page_size)
 
     def get_object_sync_time_limit_ms[T: User | Group](self, type: type[T]) -> int:
-        num_pages: int = self.get_paginator(type).num_pages
+        # Use a simple COUNT(*) on the model instead of materializing get_object_qs(),
+        # which for some providers (e.g. SCIM) runs PolicyEngine per-user and is
+        # extremely expensive. The time limit is an upper-bound estimate, so using
+        # the total count (without policy filtering) is a safe overestimate.
+        total_count = type.objects.count()
+        num_pages = math.ceil(total_count / self.sync_page_size) if total_count > 0 else 1
         page_timeout_ms = timedelta_from_string(self.sync_page_timeout).total_seconds() * 1000
         return int(num_pages * page_timeout_ms * 1.5)
 

authentik/outposts/controllers/k8s/base.py

@@ -1,10 +1,12 @@
 """Base Kubernetes Reconciler"""
 
 import re
+import ssl
 from dataclasses import asdict
 from json import dumps
 from typing import TYPE_CHECKING, TypeVar
 
+import urllib3
 from dacite.core import from_dict
 from django.http import HttpResponseNotFound
 from django.utils.text import slugify
@@ -41,7 +43,11 @@ class KubernetesObjectReconciler[T]:
     def __init__(self, controller: KubernetesController):
         self.controller = controller
         self.namespace = controller.outpost.config.kubernetes_namespace
+        self.kubernetes_disable_x509_strict = (
+            controller.outpost.config.kubernetes_disable_x509_strict
+        )
         self.logger = get_logger().bind(type=self.__class__.__name__)
+        self.api_client = self.k8s_client()
 
     def get_patch(self):
         """Get any patches that apply to this CRD"""
@@ -92,7 +98,7 @@ class KubernetesObjectReconciler[T]:
         reference = self.get_reference_object()
         patch = self.get_patch()
         try:
-            json = ApiClient().sanitize_for_serialization(reference)
+            json = self.api_client.sanitize_for_serialization(reference)
         # Custom objects will not be known to the clients openapi types
         except AttributeError:
             json = asdict(reference)
@@ -106,7 +112,7 @@ class KubernetesObjectReconciler[T]:
         mock_response.data = dumps(ref)
 
         try:
-            result = ApiClient().deserialize(mock_response, reference.__class__.__name__)
+            result = self.api_client.deserialize(mock_response, reference.__class__.__name__)
         # Custom objects will not be known to the clients openapi types
         except AttributeError:
             result = from_dict(reference.__class__, data=ref)
@@ -186,7 +192,7 @@ class KubernetesObjectReconciler[T]:
         patch = self.get_patch()
         if patch is not None:
             try:
-                current_json = ApiClient().sanitize_for_serialization(current)
+                current_json = self.api_client.sanitize_for_serialization(current)
             except AttributeError:
                 current_json = asdict(current)
             try:
@@ -226,3 +232,26 @@ class KubernetesObjectReconciler[T]:
             },
             **kwargs,
         )
+
+    def k8s_client(self) -> ApiClient:
+        """Get Kubernetes API client"""
+        api_client = ApiClient()
+        if self.kubernetes_disable_x509_strict:
+            self.logger.warning("Disabling strict X.509 certificate verification")
+            # Relax OpenSSL TLS validation to support legacy root CA certificates
+            # (e.g. from Kubernetes <= 1.16) which may not satisfy the stricter
+            # VERIFY_X509_STRICT flags enforced by default in Python 3.13+.
+            # See https://github.com/kubernetes-client/python/issues/2394
+            ctx = ssl.create_default_context()
+            ctx.verify_flags = ctx.verify_flags & ~ssl.VERIFY_X509_STRICT
+
+            # We need to recreate the pool manager with the new SSL context
+            # We try to preserve existing pool manager arguments
+            pool_args = api_client.rest_client.pool_manager.connection_pool_kw
+
+            api_client.rest_client.pool_manager = urllib3.PoolManager(
+                num_pools=4,
+                ssl_context=ctx,
+                **pool_args,
+            )
+        return api_client

authentik/outposts/models.py

@@ -81,6 +81,7 @@ class OutpostConfig:
     kubernetes_disabled_components: list[str] = field(default_factory=list)
     kubernetes_image_pull_secrets: list[str] = field(default_factory=list)
     kubernetes_json_patches: dict[str, list[dict[str, Any]]] | None = field(default=None)
+    kubernetes_disable_x509_strict: bool = field(default=False)
 
 
 class OutpostModel(Model):

authentik/policies/api/bindings.py

@@ -57,9 +57,11 @@ class PolicyBindingSerializer(ModelSerializer):
         required=True,
     )
 
-    policy_obj = PolicySerializer(required=False, read_only=True, source="policy")
-    group_obj = PartialGroupSerializer(required=False, read_only=True, source="group")
-    user_obj = PartialUserSerializer(required=False, read_only=True, source="user")
+    policy_obj = PolicySerializer(required=False, allow_null=True, read_only=True, source="policy")
+    group_obj = PartialGroupSerializer(
+        required=False, allow_null=True, read_only=True, source="group"
+    )
+    user_obj = PartialUserSerializer(required=False, allow_null=True, read_only=True, source="user")
 
     class Meta:
         model = PolicyBinding

authentik/policies/event_matcher/api.py

@@ -40,18 +40,14 @@ class EventMatcherPolicySerializer(PolicySerializer):
             and attrs["client_ip"] == ""
             and attrs["app"] == ""
             and attrs["model"] == ""
+            and attrs["query"] == ""
         ):
             raise ValidationError(_("At least one criteria must be set."))
         return super().validate(attrs)
 
     class Meta:
         model = EventMatcherPolicy
-        fields = PolicySerializer.Meta.fields + [
-            "action",
-            "client_ip",
-            "app",
-            "model",
-        ]
+        fields = PolicySerializer.Meta.fields + ["action", "client_ip", "app", "model", "query"]
 
 
 class EventMatcherPolicyViewSet(UsedByMixin, ModelViewSet):

authentik/policies/event_matcher/migrations/0027_eventmatcherpolicy_query.py

@@ -0,0 +1,18 @@
+# Generated by Django 5.2.12 on 2026-04-12 19:06
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_policies_event_matcher", "0026_alter_eventmatcherpolicy_action"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="eventmatcherpolicy",
+            name="query",
+            field=models.TextField(default=None, null=True),
+        ),
+    ]

authentik/policies/event_matcher/models.py

@@ -4,9 +4,11 @@ from itertools import chain
 
 from django.db import models
 from django.utils.translation import gettext as _
+from djangoql.queryset import apply_search
 from rest_framework.serializers import BaseSerializer
 from structlog.stdlib import get_logger
 
+from authentik.api.search.ql import BaseSchema
 from authentik.events.models import Event, EventAction
 from authentik.policies.models import Policy
 from authentik.policies.types import PolicyRequest, PolicyResult
@@ -17,6 +19,10 @@ LOGGER = get_logger()
 class EventMatcherPolicy(Policy):
     """Passes when Event matches selected criteria."""
 
+    query = models.TextField(
+        null=True,
+        default=None,
+    )
     action = models.TextField(
         choices=EventAction.choices,
         null=True,
@@ -69,6 +75,7 @@ class EventMatcherPolicy(Policy):
         matches: list[PolicyResult] = []
         messages = []
         checks = [
+            self.passes_query,
             self.passes_action,
             self.passes_client_ip,
             self.passes_app,
@@ -90,6 +97,20 @@ class EventMatcherPolicy(Policy):
         result.source_results = matches
         return result
 
+    def passes_query(self, request: PolicyRequest, event: Event) -> PolicyResult | None:
+        """Check AKQL query"""
+        if not self.query:
+            return None
+        from authentik.events.api.events import EventViewSet
+
+        class InlineSchema(BaseSchema):
+            def get_fields(self, model):
+                return EventViewSet().get_ql_fields()
+
+        print(Event.objects.filter(pk=event.pk))
+        qs = apply_search(Event.objects.filter(pk=event.pk), self.query, InlineSchema)
+        return PolicyResult(qs.exists(), "Query matched.")
+
     def passes_action(self, request: PolicyRequest, event: Event) -> PolicyResult | None:
         """Check if `self.action` matches"""
         if self.action is None:

authentik/policies/event_matcher/tests.py

@@ -101,3 +101,14 @@ class TestEventMatcherPolicy(TestCase):
         policy: EventMatcherPolicy = EventMatcherPolicy.objects.create(client_ip="1.2.3.4")
         response = policy.passes(request)
         self.assertFalse(response.passing)
+
+    def test_match_query(self):
+        """Test match query"""
+        event = Event.new(EventAction.LOGIN)
+        event.save()
+        request = PolicyRequest(get_anonymous_user())
+        request.context["event"] = event
+        policy: EventMatcherPolicy = EventMatcherPolicy.objects.create(query='action = "login"')
+        response = policy.passes(request)
+        self.assertTrue(response.passing)
+        self.assertTupleEqual(response.messages, ("Query matched.",))

authentik/providers/oauth2/api/providers.py

@@ -27,6 +27,7 @@ from authentik.providers.oauth2.models import (
     AccessToken,
     OAuth2Provider,
     RedirectURIMatchingMode,
+    RedirectURIType,
     ScopeMapping,
 )
 from authentik.rbac.decorators import permission_required
@@ -37,6 +38,9 @@ class RedirectURISerializer(PassiveSerializer):
 
     matching_mode = ChoiceField(choices=RedirectURIMatchingMode.choices)
     url = CharField()
+    redirect_uri_type = ChoiceField(
+        choices=RedirectURIType.choices, default=RedirectURIType.AUTHORIZATION, required=False
+    )
 
 
 class OAuth2ProviderSerializer(ProviderSerializer):

authentik/providers/oauth2/models.py

@@ -97,6 +97,11 @@ class RedirectURIMatchingMode(models.TextChoices):
     REGEX = "regex", _("Regular Expression URL matching")
 
 
+class RedirectURIType(models.TextChoices):
+    AUTHORIZATION = "authorization", _("Authorization")
+    LOGOUT = "logout", _("Logout")
+
+
 class OAuth2LogoutMethod(models.TextChoices):
     """OAuth2/OIDC Logout methods"""
 
@@ -110,6 +115,7 @@ class RedirectURI:
 
     matching_mode: RedirectURIMatchingMode
     url: str
+    redirect_uri_type: RedirectURIType = RedirectURIType.AUTHORIZATION
 
 
 class ResponseTypes(models.TextChoices):
@@ -220,7 +226,6 @@ class OAuth2Provider(WebfingerProvider, Provider):
             "Frontchannel uses iframes in your browser"
         ),
     )
-
     include_claims_in_id_token = models.BooleanField(
         default=True,
         verbose_name=_("Include claims in id_token"),
@@ -343,7 +348,12 @@ class OAuth2Provider(WebfingerProvider, Provider):
                 from_dict(
                     RedirectURI,
                     entry,
-                    config=Config(type_hooks={RedirectURIMatchingMode: RedirectURIMatchingMode}),
+                    config=Config(
+                        type_hooks={
+                            RedirectURIMatchingMode: RedirectURIMatchingMode,
+                            RedirectURIType: RedirectURIType,
+                        }
+                    ),
                 )
             )
         return uris
@@ -355,10 +365,24 @@ class OAuth2Provider(WebfingerProvider, Provider):
             cleansed.append(asdict(entry))
         self._redirect_uris = cleansed
 
+    @property
+    def authorization_redirect_uris(self) -> list[RedirectURI]:
+        return [
+            uri
+            for uri in self.redirect_uris
+            if uri.redirect_uri_type == RedirectURIType.AUTHORIZATION
+        ]
+
+    @property
+    def post_logout_redirect_uris(self) -> list[RedirectURI]:
+        return [
+            uri for uri in self.redirect_uris if uri.redirect_uri_type == RedirectURIType.LOGOUT
+        ]
+
     @property
     def launch_url(self) -> str | None:
         """Guess launch_url based on first redirect_uri"""
-        redirects = self.redirect_uris
+        redirects = self.authorization_redirect_uris
         if len(redirects) < 1:
             return None
         main_url = redirects[0].url

authentik/providers/oauth2/signals.py

@@ -1,13 +1,13 @@
-from urllib.parse import parse_qs, urlencode, urlparse, urlunparse
-
 from django.db.models.signals import post_save, pre_delete
 from django.dispatch import receiver
 from structlog.stdlib import get_logger
 
-from authentik.common.oauth.constants import PLAN_CONTEXT_OIDC_LOGOUT_IFRAME_SESSIONS
+from authentik.common.oauth.constants import (
+    OAUTH2_BINDING,
+    PLAN_CONTEXT_OIDC_LOGOUT_IFRAME_SESSIONS,
+)
 from authentik.core.models import AuthenticatedSession, User
 from authentik.flows.models import in_memory_stage
-from authentik.outposts.tasks import hash_session_key
 from authentik.providers.iframe_logout import IframeLogoutStageView
 from authentik.providers.oauth2.models import (
     AccessToken,
@@ -16,6 +16,7 @@ from authentik.providers.oauth2.models import (
     RefreshToken,
 )
 from authentik.providers.oauth2.tasks import backchannel_logout_notification_dispatch
+from authentik.providers.oauth2.utils import build_frontchannel_logout_url
 from authentik.stages.user_logout.models import UserLogoutStage
 from authentik.stages.user_logout.stage import flow_pre_user_logout
 
@@ -51,43 +52,22 @@ def handle_flow_pre_user_logout(sender, request, user, executor, **kwargs):
         LOGGER.debug("No sessions requiring IFrame frontchannel logout")
         return
 
+    session_key = auth_session.session.session_key if auth_session.session else None
     oidc_sessions = []
 
     for token in oidc_access_tokens:
-        # Parse the logout URI and add query parameters
-        parsed_url = urlparse(token.provider.logout_uri)
-
-        query_params = {}
-        query_params["iss"] = token.provider.get_issuer(request)
-        if auth_session.session:
-            query_params["sid"] = hash_session_key(auth_session.session.session_key)
-
-        # Combine existing query params with new ones
-        if parsed_url.query:
-            existing_params = parse_qs(parsed_url.query, keep_blank_values=True)
-            for key, value in existing_params.items():
-                if key not in query_params:
-                    query_params[key] = value[0] if len(value) == 1 else value
-
-        # Build the final URL with query parameters
-        logout_url = urlunparse(
-            (
-                parsed_url.scheme,
-                parsed_url.netloc,
-                parsed_url.path,
-                parsed_url.params,
-                urlencode(query_params),
-                parsed_url.fragment,
+        logout_url = build_frontchannel_logout_url(token.provider, request, session_key)
+        if logout_url:
+            oidc_sessions.append(
+                {
+                    "url": logout_url,
+                    "provider_name": token.provider.name,
+                    "binding": OAUTH2_BINDING,
+                    "provider_type": (
+                        f"{token.provider._meta.app_label}.{token.provider._meta.model_name}"
+                    ),
+                }
             )
-        )
-
-        logout_data = {
-            "url": logout_url,
-            "provider_name": token.provider.name,
-            "binding": "redirect",
-            "provider_type": "oidc",
-        }
-        oidc_sessions.append(logout_data)
 
     if oidc_sessions:
         executor.plan.context[PLAN_CONTEXT_OIDC_LOGOUT_IFRAME_SESSIONS] = oidc_sessions

authentik/providers/oauth2/tests/test_authorize.py

@@ -141,26 +141,6 @@ class TestAuthorize(OAuthTestCase):
             OAuthAuthorizationParams.from_request(request)
         self.assertEqual(cm.exception.cause, "redirect_uri_forbidden_scheme")
 
-    def test_invalid_redirect_uri_empty(self):
-        """test missing/invalid redirect URI"""
-        provider = OAuth2Provider.objects.create(
-            name=generate_id(),
-            client_id="test",
-            authorization_flow=create_test_flow(),
-            redirect_uris=[],
-        )
-        request = self.factory.get(
-            "/",
-            data={
-                "response_type": "code",
-                "client_id": "test",
-                "redirect_uri": "+",
-            },
-        )
-        OAuthAuthorizationParams.from_request(request)
-        provider.refresh_from_db()
-        self.assertEqual(provider.redirect_uris, [RedirectURI(RedirectURIMatchingMode.STRICT, "+")])
-
     def test_invalid_redirect_uri_regex(self):
         """test missing/invalid redirect URI"""
         OAuth2Provider.objects.create(
@@ -394,7 +374,7 @@ class TestAuthorize(OAuthTestCase):
                     "nonce": generate_id(),
                 },
             )
-            token: AccessToken = AccessToken.objects.filter(user=user).first()
+            token = AccessToken.objects.filter(user=user).first()
             expires = timedelta_from_string(provider.access_token_validity).total_seconds()
             self.assertEqual(
                 response.url,
@@ -466,7 +446,7 @@ class TestAuthorize(OAuthTestCase):
                 },
             )
             self.assertEqual(response.status_code, 302)
-            token: AccessToken = AccessToken.objects.filter(user=user).first()
+            token = AccessToken.objects.filter(user=user).first()
             expires = timedelta_from_string(provider.access_token_validity).total_seconds()
             jwt = self.validate_jwe(token, provider)
             self.assertEqual(jwt["amr"], ["pwd"])
@@ -565,7 +545,7 @@ class TestAuthorize(OAuthTestCase):
         response = self.client.get(
             reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
         )
-        token: AccessToken = AccessToken.objects.filter(user=user).first()
+        token = AccessToken.objects.filter(user=user).first()
         self.assertIsNotNone(token)
         self.assertJSONEqual(
             response.content.decode(),

authentik/providers/oauth2/tests/test_backchannel_logout.py

@@ -4,22 +4,19 @@ from unittest.mock import Mock, patch
 
 import jwt
 from django.test import RequestFactory
-from django.utils import timezone
 from dramatiq.results.errors import ResultFailure
 from requests import Response
 from requests.exceptions import HTTPError, Timeout
 
-from authentik.core.models import Application, AuthenticatedSession, Session
+from authentik.core.models import Application
 from authentik.core.tests.utils import create_test_admin_user, create_test_flow
 from authentik.lib.generators import generate_id
 from authentik.providers.oauth2.id_token import hash_session_key
 from authentik.providers.oauth2.models import (
-    AccessToken,
     OAuth2LogoutMethod,
     OAuth2Provider,
     RedirectURI,
     RedirectURIMatchingMode,
-    RefreshToken,
 )
 from authentik.providers.oauth2.tasks import send_backchannel_logout_request
 from authentik.providers.oauth2.tests.utils import OAuthTestCase
@@ -45,52 +42,6 @@ class TestBackChannelLogout(OAuthTestCase):
         self.app.provider = self.provider
         self.app.save()
 
-    def _create_session(self, session_key=None):
-        """Create a session with the given key or a generated one"""
-        session_key = session_key or f"session-{generate_id()}"
-        session = Session.objects.create(
-            session_key=session_key,
-            expires=timezone.now() + timezone.timedelta(hours=1),
-            last_ip="255.255.255.255",
-        )
-        auth_session = AuthenticatedSession.objects.create(
-            session=session,
-            user=self.user,
-        )
-        return auth_session
-
-    def _create_token(
-        self, provider, user, session=None, token_type="access", token_id=None
-    ):  # nosec
-        """Create a token of the specified type"""
-        token_id = token_id or f"{token_type}-token-{generate_id()}"
-        kwargs = {
-            "provider": provider,
-            "user": user,
-            "session": session,
-            "token": token_id,
-            "_id_token": "{}",
-            "auth_time": timezone.now(),
-        }
-
-        if token_type == "access":  # nosec
-            return AccessToken.objects.create(**kwargs)
-        else:  # refresh
-            return RefreshToken.objects.create(**kwargs)
-
-    def _create_provider(self, name=None):
-        """Create an OAuth2 provider"""
-        name = name or f"provider-{generate_id()}"
-        provider = OAuth2Provider.objects.create(
-            name=name,
-            authorization_flow=create_test_flow(),
-            redirect_uris=[
-                RedirectURI(RedirectURIMatchingMode.STRICT, f"http://{name}/callback"),
-            ],
-            signing_key=self.keypair,
-        )
-        return provider
-
     def _create_logout_token(
         self,
         provider: OAuth2Provider | None = None,

authentik/providers/oauth2/tests/test_end_session.py

@@ -0,0 +1,263 @@
+"""Test OAuth2 End Session (RP-Initiated Logout) implementation"""
+
+from django.test import RequestFactory
+from django.urls import reverse
+
+from authentik.core.models import Application
+from authentik.core.tests.utils import create_test_admin_user, create_test_brand, create_test_flow
+from authentik.lib.generators import generate_id
+from authentik.providers.oauth2.models import (
+    OAuth2Provider,
+    RedirectURI,
+    RedirectURIMatchingMode,
+    RedirectURIType,
+)
+from authentik.providers.oauth2.tests.utils import OAuthTestCase
+from authentik.providers.oauth2.views.end_session import EndSessionView
+
+
+class TestEndSessionView(OAuthTestCase):
+    """Test EndSessionView validation"""
+
+    def setUp(self) -> None:
+        super().setUp()
+        self.user = create_test_admin_user()
+        self.invalidation_flow = create_test_flow()
+        self.app = Application.objects.create(name=generate_id(), slug="test-app")
+        self.provider = OAuth2Provider.objects.create(
+            name=generate_id(),
+            authorization_flow=create_test_flow(),
+            invalidation_flow=self.invalidation_flow,
+            redirect_uris=[
+                RedirectURI(
+                    RedirectURIMatchingMode.STRICT,
+                    "http://testserver/callback",
+                    RedirectURIType.AUTHORIZATION,
+                ),
+                RedirectURI(
+                    RedirectURIMatchingMode.STRICT,
+                    "http://testserver/logout",
+                    RedirectURIType.LOGOUT,
+                ),
+                RedirectURI(
+                    RedirectURIMatchingMode.REGEX,
+                    r"https://.*\.example\.com/logout",
+                    RedirectURIType.LOGOUT,
+                ),
+            ],
+        )
+        self.app.provider = self.provider
+        self.app.save()
+        # Ensure brand has an invalidation flow
+        self.brand = create_test_brand()
+        self.brand.flow_invalidation = self.invalidation_flow
+        self.brand.save()
+
+    def test_post_logout_redirect_uri_strict_match(self):
+        """Test strict URI matching redirects to flow"""
+        self.client.force_login(self.user)
+        response = self.client.get(
+            reverse(
+                "authentik_providers_oauth2:end-session",
+                kwargs={"application_slug": self.app.slug},
+            ),
+            {"post_logout_redirect_uri": "http://testserver/logout"},
+            HTTP_HOST=self.brand.domain,
+        )
+        # Should redirect to the invalidation flow
+        self.assertEqual(response.status_code, 302)
+        self.assertIn(self.invalidation_flow.slug, response.url)
+
+    def test_post_logout_redirect_uri_strict_no_match(self):
+        """Test strict URI not matching still proceeds with flow (no redirect URI in context)"""
+        self.client.force_login(self.user)
+        invalid_uri = "http://testserver/other"
+        response = self.client.get(
+            reverse(
+                "authentik_providers_oauth2:end-session",
+                kwargs={"application_slug": self.app.slug},
+            ),
+            {"post_logout_redirect_uri": invalid_uri},
+            HTTP_HOST=self.brand.domain,
+        )
+        # Should still redirect to flow, but invalid URI should not be in response
+        self.assertEqual(response.status_code, 302)
+        self.assertNotIn(invalid_uri, response.url)
+
+    def test_post_logout_redirect_uri_regex_match(self):
+        """Test regex URI matching redirects to flow"""
+        self.client.force_login(self.user)
+        response = self.client.get(
+            reverse(
+                "authentik_providers_oauth2:end-session",
+                kwargs={"application_slug": self.app.slug},
+            ),
+            {"post_logout_redirect_uri": "https://app.example.com/logout"},
+            HTTP_HOST=self.brand.domain,
+        )
+        # Should redirect to the invalidation flow
+        self.assertEqual(response.status_code, 302)
+        self.assertIn(self.invalidation_flow.slug, response.url)
+
+    def test_post_logout_redirect_uri_regex_no_match(self):
+        """Test regex URI not matching"""
+        self.client.force_login(self.user)
+        invalid_uri = "https://malicious.com/logout"
+        response = self.client.get(
+            reverse(
+                "authentik_providers_oauth2:end-session",
+                kwargs={"application_slug": self.app.slug},
+            ),
+            {"post_logout_redirect_uri": invalid_uri},
+            HTTP_HOST=self.brand.domain,
+        )
+        # Should still proceed to flow, but invalid URI should not be in response
+        self.assertEqual(response.status_code, 302)
+        self.assertNotIn(invalid_uri, response.url)
+
+    def test_state_parameter_appended_to_uri(self):
+        """Test state parameter is appended to validated redirect URI"""
+        factory = RequestFactory()
+        request = factory.get(
+            "/end-session/",
+            {
+                "post_logout_redirect_uri": "http://testserver/logout",
+                "state": "test-state-123",
+            },
+        )
+        request.user = self.user
+        request.brand = self.brand
+
+        view = EndSessionView()
+        view.request = request
+        view.kwargs = {"application_slug": self.app.slug}
+        view.resolve_provider_application()
+
+        self.assertIn("state=test-state-123", view.post_logout_redirect_uri)
+
+    def test_post_method(self):
+        """Test POST requests work same as GET"""
+        self.client.force_login(self.user)
+        response = self.client.post(
+            reverse(
+                "authentik_providers_oauth2:end-session",
+                kwargs={"application_slug": self.app.slug},
+            ),
+            {
+                "post_logout_redirect_uri": "http://testserver/logout",
+                "state": "xyz789",
+            },
+            HTTP_HOST=self.brand.domain,
+        )
+        self.assertEqual(response.status_code, 302)
+
+
+class TestEndSessionAPI(OAuthTestCase):
+    """Test End Session API functionality"""
+
+    def setUp(self) -> None:
+        super().setUp()
+        self.user = create_test_admin_user()
+        self.client.force_login(self.user)
+
+    def test_post_logout_redirect_uris_create(self):
+        """Test creating provider with post_logout redirect_uris"""
+        response = self.client.post(
+            reverse("authentik_api:oauth2provider-list"),
+            data={
+                "name": generate_id(),
+                "authorization_flow": create_test_flow().pk,
+                "invalidation_flow": create_test_flow().pk,
+                "redirect_uris": [
+                    {
+                        "matching_mode": "strict",
+                        "url": "http://testserver/callback",
+                        "redirect_uri_type": "authorization",
+                    },
+                    {
+                        "matching_mode": "strict",
+                        "url": "http://testserver/logout",
+                        "redirect_uri_type": "logout",
+                    },
+                    {
+                        "matching_mode": "regex",
+                        "url": "https://.*\\.example\\.com/logout",
+                        "redirect_uri_type": "logout",
+                    },
+                ],
+            },
+            content_type="application/json",
+        )
+        self.assertEqual(response.status_code, 201)
+        provider_data = response.json()
+        post_logout_uris = [
+            u for u in provider_data["redirect_uris"] if u["redirect_uri_type"] == "logout"
+        ]
+        self.assertEqual(len(post_logout_uris), 2)
+
+    def test_post_logout_redirect_uris_invalid_regex(self):
+        """Test that invalid regex patterns are rejected"""
+        response = self.client.post(
+            reverse("authentik_api:oauth2provider-list"),
+            data={
+                "name": generate_id(),
+                "authorization_flow": create_test_flow().pk,
+                "invalidation_flow": create_test_flow().pk,
+                "redirect_uris": [
+                    {
+                        "matching_mode": "strict",
+                        "url": "http://testserver/callback",
+                        "redirect_uri_type": "authorization",
+                    },
+                    {
+                        "matching_mode": "regex",
+                        "url": "**invalid**",
+                        "redirect_uri_type": "logout",
+                    },
+                ],
+            },
+            content_type="application/json",
+        )
+        self.assertEqual(response.status_code, 400)
+        self.assertIn("redirect_uris", response.json())
+
+    def test_post_logout_redirect_uris_update(self):
+        """Test updating redirect_uris with logout type"""
+        # First create a provider
+        provider = OAuth2Provider.objects.create(
+            name=generate_id(),
+            authorization_flow=create_test_flow(),
+            redirect_uris=[
+                RedirectURI(
+                    RedirectURIMatchingMode.STRICT,
+                    "http://testserver/callback",
+                    RedirectURIType.AUTHORIZATION,
+                ),
+            ],
+        )
+
+        # Update with post_logout redirect URIs
+        response = self.client.patch(
+            reverse("authentik_api:oauth2provider-detail", kwargs={"pk": provider.pk}),
+            data={
+                "redirect_uris": [
+                    {
+                        "matching_mode": "strict",
+                        "url": "http://testserver/callback",
+                        "redirect_uri_type": "authorization",
+                    },
+                    {
+                        "matching_mode": "strict",
+                        "url": "http://testserver/logout",
+                        "redirect_uri_type": "logout",
+                    },
+                ],
+            },
+            content_type="application/json",
+        )
+        self.assertEqual(response.status_code, 200)
+
+        # Verify the update
+        provider.refresh_from_db()
+        self.assertEqual(len(provider.post_logout_redirect_uris), 1)
+        self.assertEqual(provider.post_logout_redirect_uris[0].url, "http://testserver/logout")

authentik/providers/oauth2/tests/test_introspect.py

@@ -14,6 +14,7 @@ from authentik.lib.generators import generate_id
 from authentik.providers.oauth2.id_token import IDToken
 from authentik.providers.oauth2.models import (
     AccessToken,
+    ClientTypes,
     OAuth2Provider,
     RedirectURI,
     RedirectURIMatchingMode,
@@ -43,7 +44,7 @@ class TesOAuth2Introspection(OAuthTestCase):
 
     def test_introspect_refresh(self):
         """Test introspect"""
-        token: RefreshToken = RefreshToken.objects.create(
+        token = RefreshToken.objects.create(
             provider=self.provider,
             user=self.user,
             token=generate_id(),
@@ -75,7 +76,7 @@ class TesOAuth2Introspection(OAuthTestCase):
 
     def test_introspect_access(self):
         """Test introspect"""
-        token: AccessToken = AccessToken.objects.create(
+        token = AccessToken.objects.create(
             provider=self.provider,
             user=self.user,
             token=generate_id(),
@@ -130,7 +131,7 @@ class TesOAuth2Introspection(OAuthTestCase):
         )
         auth = b64encode(f"{provider.client_id}:{provider.client_secret}".encode()).decode()
 
-        token: AccessToken = AccessToken.objects.create(
+        token = AccessToken.objects.create(
             provider=self.provider,
             user=self.user,
             token=generate_id(),
@@ -169,3 +170,76 @@ class TesOAuth2Introspection(OAuthTestCase):
                 "active": False,
             },
         )
+
+    def test_introspect_provider_public(self):
+        """Test introspect"""
+        self.provider.client_type = ClientTypes.PUBLIC
+        self.provider.save()
+        token = AccessToken.objects.create(
+            provider=self.provider,
+            user=self.user,
+            token=generate_id(),
+            auth_time=timezone.now(),
+            _scope="openid user profile",
+            _id_token=json.dumps(
+                asdict(
+                    IDToken("foo", "bar"),
+                )
+            ),
+        )
+        res = self.client.post(
+            reverse("authentik_providers_oauth2:token-introspection"),
+            HTTP_AUTHORIZATION=f"Basic {self.auth}",
+            data={"token": token.token},
+        )
+        self.assertEqual(res.status_code, 200)
+        self.assertJSONEqual(
+            res.content.decode(),
+            {
+                "active": False,
+            },
+        )
+
+    def test_introspect_provider_fed(self):
+        """Test introspect with federation. self.provider is a confidential
+        client and other_provider is a public client."""
+        other_provider = OAuth2Provider.objects.create(
+            name=generate_id(),
+            authorization_flow=create_test_flow(),
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "")],
+            signing_key=create_test_cert(),
+            client_type=ClientTypes.PUBLIC,
+        )
+        Application.objects.create(name=generate_id(), slug=generate_id(), provider=other_provider)
+
+        other_provider.jwt_federation_providers.add(self.provider)
+
+        token = AccessToken.objects.create(
+            provider=other_provider,
+            user=self.user,
+            token=generate_id(),
+            auth_time=timezone.now(),
+            _scope="openid user profile",
+            _id_token=json.dumps(
+                asdict(
+                    IDToken("foo", "bar"),
+                )
+            ),
+        )
+        res = self.client.post(
+            reverse("authentik_providers_oauth2:token-introspection"),
+            HTTP_AUTHORIZATION=f"Basic {self.auth}",
+            data={"token": token.token},
+        )
+        self.assertEqual(res.status_code, 200)
+        self.assertJSONEqual(
+            res.content.decode(),
+            {
+                "acr": ACR_AUTHENTIK_DEFAULT,
+                "sub": "bar",
+                "iss": "foo",
+                "active": True,
+                "client_id": other_provider.client_id,
+                "scope": " ".join(token.scope),
+            },
+        )

authentik/providers/oauth2/tests/test_revoke.py

@@ -46,7 +46,7 @@ class TesOAuth2Revoke(OAuthTestCase):
 
     def test_revoke_refresh(self):
         """Test revoke"""
-        token: RefreshToken = RefreshToken.objects.create(
+        token = RefreshToken.objects.create(
             provider=self.provider,
             user=self.user,
             token=generate_id(),
@@ -69,7 +69,7 @@ class TesOAuth2Revoke(OAuthTestCase):
 
     def test_revoke_access(self):
         """Test revoke"""
-        token: AccessToken = AccessToken.objects.create(
+        token = AccessToken.objects.create(
             provider=self.provider,
             user=self.user,
             token=generate_id(),
@@ -105,7 +105,19 @@ class TesOAuth2Revoke(OAuthTestCase):
         """Test revoke (invalid auth)"""
         res = self.client.post(
             reverse("authentik_providers_oauth2:token-revoke"),
-            HTTP_AUTHORIZATION="Basic fqewr",
+            HTTP_AUTHORIZATION="Basic aaa",
+            data={
+                "token": generate_id(),
+            },
+        )
+        self.assertEqual(res.status_code, 401)
+
+    def test_revoke_invalid_auth_secret(self):
+        """Test revoke (invalid secret)"""
+        invalid_auth = b64encode(f"{self.provider.client_id}:aaa".encode()).decode()
+        res = self.client.post(
+            reverse("authentik_providers_oauth2:token-revoke"),
+            HTTP_AUTHORIZATION=f"Basic {invalid_auth}",
             data={
                 "token": generate_id(),
             },
@@ -116,7 +128,7 @@ class TesOAuth2Revoke(OAuthTestCase):
         """Test revoke public client"""
         self.provider.client_type = ClientTypes.PUBLIC
         self.provider.save()
-        token: AccessToken = AccessToken.objects.create(
+        token = AccessToken.objects.create(
             provider=self.provider,
             user=self.user,
             token=generate_id(),
@@ -220,3 +232,74 @@ class TesOAuth2Revoke(OAuthTestCase):
         self.assertEqual(AccessToken.objects.including_expired().all().count(), 0)
         self.assertEqual(RefreshToken.objects.including_expired().all().count(), 0)
         self.assertEqual(DeviceToken.objects.including_expired().all().count(), 0)
+
+    def test_revoke_provider_fed(self):
+        """Test revoke with federation. self.provider is a confidential
+        client and other_provider is a public client."""
+        other_provider = OAuth2Provider.objects.create(
+            name=generate_id(),
+            authorization_flow=create_test_flow(),
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "")],
+            signing_key=create_test_cert(),
+            client_type=ClientTypes.PUBLIC,
+        )
+        Application.objects.create(name=generate_id(), slug=generate_id(), provider=other_provider)
+
+        other_provider.jwt_federation_providers.add(self.provider)
+
+        token = AccessToken.objects.create(
+            provider=other_provider,
+            user=self.user,
+            token=generate_id(),
+            auth_time=timezone.now(),
+            _scope="openid user profile",
+            _id_token=json.dumps(
+                asdict(
+                    IDToken("foo", "bar"),
+                )
+            ),
+        )
+        res = self.client.post(
+            reverse("authentik_providers_oauth2:token-revoke"),
+            HTTP_AUTHORIZATION=f"Basic {self.auth}",
+            data={"token": token.token},
+        )
+        self.assertEqual(res.status_code, 200)
+        self.assertJSONEqual(res.content.decode(), {})
+
+    def test_revoke_provider_fed_public(self):
+        """Test revoke with federation. self.provider is a public
+        client and other_provider is a public client."""
+        self.provider.client_type = ClientTypes.PUBLIC
+        self.provider.save()
+        other_provider = OAuth2Provider.objects.create(
+            name=generate_id(),
+            authorization_flow=create_test_flow(),
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "")],
+            signing_key=create_test_cert(),
+            client_type=ClientTypes.PUBLIC,
+        )
+        Application.objects.create(name=generate_id(), slug=generate_id(), provider=other_provider)
+
+        other_provider.jwt_federation_providers.add(self.provider)
+
+        token = AccessToken.objects.create(
+            provider=other_provider,
+            user=self.user,
+            token=generate_id(),
+            auth_time=timezone.now(),
+            _scope="openid user profile",
+            _id_token=json.dumps(
+                asdict(
+                    IDToken("foo", "bar"),
+                )
+            ),
+        )
+        auth_public = b64encode(f"{self.provider.client_id}:{generate_id()}".encode()).decode()
+        res = self.client.post(
+            reverse("authentik_providers_oauth2:token-revoke"),
+            HTTP_AUTHORIZATION=f"Basic {auth_public}",
+            data={"token": token.token},
+        )
+        self.assertEqual(res.status_code, 200)
+        self.assertTrue(AccessToken.objects.filter(token=token.token).exists())

authentik/providers/oauth2/tests/test_token.py

@@ -1,12 +1,15 @@
 """Test token view"""
 
 from base64 import b64encode
+from datetime import timedelta
 from json import dumps
 from urllib.parse import quote
 
 from django.test import RequestFactory
 from django.urls import reverse
 from django.utils import timezone
+from django.utils.timezone import now
+from freezegun import freeze_time
 
 from authentik.blueprints.tests import apply_blueprint
 from authentik.common.oauth.constants import (
@@ -99,7 +102,7 @@ class TestToken(OAuthTestCase):
         )
         header = b64encode(f"{provider.client_id}:{provider.client_secret}".encode()).decode()
         user = create_test_admin_user()
-        token: RefreshToken = RefreshToken.objects.create(
+        token = RefreshToken.objects.create(
             provider=provider,
             user=user,
             token=generate_id(),
@@ -156,7 +159,7 @@ class TestToken(OAuthTestCase):
             },
             HTTP_AUTHORIZATION=f"Basic {header}",
         )
-        access: AccessToken = AccessToken.objects.filter(user=user, provider=provider).first()
+        access = AccessToken.objects.filter(user=user, provider=provider).first()
         self.assertJSONEqual(
             response.content.decode(),
             {
@@ -198,7 +201,7 @@ class TestToken(OAuthTestCase):
             HTTP_AUTHORIZATION=f"Basic {header}",
         )
         self.assertEqual(response.status_code, 200)
-        access: AccessToken = AccessToken.objects.filter(user=user, provider=provider).first()
+        access = AccessToken.objects.filter(user=user, provider=provider).first()
         self.validate_jwe(access, provider)
 
     @apply_blueprint("system/providers-oauth2.yaml")
@@ -225,7 +228,7 @@ class TestToken(OAuthTestCase):
         self.app.save()
         header = b64encode(f"{provider.client_id}:{provider.client_secret}".encode()).decode()
         user = create_test_admin_user()
-        token: RefreshToken = RefreshToken.objects.create(
+        token = RefreshToken.objects.create(
             provider=provider,
             user=user,
             token=generate_id(),
@@ -245,10 +248,8 @@ class TestToken(OAuthTestCase):
         )
         self.assertEqual(response["Access-Control-Allow-Credentials"], "true")
         self.assertEqual(response["Access-Control-Allow-Origin"], "http://local.invalid")
-        access: AccessToken = AccessToken.objects.filter(user=user, provider=provider).first()
-        refresh: RefreshToken = RefreshToken.objects.filter(
-            user=user, provider=provider, revoked=False
-        ).first()
+        access = AccessToken.objects.filter(user=user, provider=provider).first()
+        refresh = RefreshToken.objects.filter(user=user, provider=provider, revoked=False).first()
         self.assertJSONEqual(
             response.content.decode(),
             {
@@ -285,7 +286,7 @@ class TestToken(OAuthTestCase):
         )
         header = b64encode(f"{provider.client_id}:{provider.client_secret}".encode()).decode()
         user = create_test_admin_user()
-        token: RefreshToken = RefreshToken.objects.create(
+        token = RefreshToken.objects.create(
             provider=provider,
             user=user,
             token=generate_id(),
@@ -303,10 +304,8 @@ class TestToken(OAuthTestCase):
             HTTP_AUTHORIZATION=f"Basic {header}",
             HTTP_ORIGIN="http://another.invalid",
         )
-        access: AccessToken = AccessToken.objects.filter(user=user, provider=provider).first()
-        refresh: RefreshToken = RefreshToken.objects.filter(
-            user=user, provider=provider, revoked=False
-        ).first()
+        access = AccessToken.objects.filter(user=user, provider=provider).first()
+        refresh = RefreshToken.objects.filter(user=user, provider=provider, revoked=False).first()
         self.assertNotIn("Access-Control-Allow-Credentials", response)
         self.assertNotIn("Access-Control-Allow-Origin", response)
         self.assertJSONEqual(
@@ -347,7 +346,7 @@ class TestToken(OAuthTestCase):
         self.app.save()
         header = b64encode(f"{provider.client_id}:{provider.client_secret}".encode()).decode()
         user = create_test_admin_user()
-        token: RefreshToken = RefreshToken.objects.create(
+        token = RefreshToken.objects.create(
             provider=provider,
             user=user,
             token=generate_id(),
@@ -365,9 +364,7 @@ class TestToken(OAuthTestCase):
             },
             HTTP_AUTHORIZATION=f"Basic {header}",
         )
-        new_token: RefreshToken = (
-            RefreshToken.objects.filter(user=user).exclude(pk=token.pk).first()
-        )
+        new_token = RefreshToken.objects.filter(user=user).exclude(pk=token.pk).first()
         # Post again with initial token -> get new refresh token
         # and revoke old one
         response = self.client.post(
@@ -395,7 +392,11 @@ class TestToken(OAuthTestCase):
 
     @apply_blueprint("system/providers-oauth2.yaml")
     def test_refresh_token_view_threshold(self):
-        """test request param"""
+        """refresh token threshold
+
+        threshold set to 1 hour, refresh token expires in 2 hours.
+        First request should not return a new refresh token, second request
+        has a fake time 1 hours in the future which should return a new access token"""
         provider = OAuth2Provider.objects.create(
             name=generate_id(),
             authorization_flow=create_test_flow(),
@@ -418,13 +419,14 @@ class TestToken(OAuthTestCase):
         self.app.save()
         header = b64encode(f"{provider.client_id}:{provider.client_secret}".encode()).decode()
         user = create_test_admin_user()
-        token: RefreshToken = RefreshToken.objects.create(
+        token = RefreshToken.objects.create(
             provider=provider,
             user=user,
             token=generate_id(),
             _id_token=dumps({}),
             auth_time=timezone.now(),
             _scope="offline_access",
+            expires=now() + timedelta(hours=2),
         )
         response = self.client.post(
             reverse("authentik_providers_oauth2:token"),
@@ -436,9 +438,7 @@ class TestToken(OAuthTestCase):
             HTTP_AUTHORIZATION=f"Basic {header}",
             HTTP_ORIGIN="http://local.invalid",
         )
-        self.assertEqual(response["Access-Control-Allow-Credentials"], "true")
-        self.assertEqual(response["Access-Control-Allow-Origin"], "http://local.invalid")
-        access: AccessToken = AccessToken.objects.filter(user=user, provider=provider).first()
+        access = AccessToken.objects.filter(user=user, provider=provider).first()
         self.assertJSONEqual(
             response.content.decode(),
             {
@@ -453,6 +453,34 @@ class TestToken(OAuthTestCase):
         )
         self.validate_jwt(access, provider)
 
+        with freeze_time(now() + timedelta(hours=1, minutes=10)):
+            response = self.client.post(
+                reverse("authentik_providers_oauth2:token"),
+                data={
+                    "grant_type": GRANT_TYPE_REFRESH_TOKEN,
+                    "refresh_token": token.token,
+                    "redirect_uri": "http://local.invalid",
+                },
+                HTTP_AUTHORIZATION=f"Basic {header}",
+                HTTP_ORIGIN="http://local.invalid",
+            )
+            access = AccessToken.objects.filter(user=user, provider=provider).first()
+            refresh = RefreshToken.objects.filter(user=user, provider=provider).last()
+            self.assertJSONEqual(
+                response.content.decode(),
+                {
+                    "access_token": access.token,
+                    "token_type": TOKEN_TYPE,
+                    "expires_in": 3600,
+                    "id_token": provider.encode(
+                        access.id_token.to_dict(),
+                    ),
+                    "scope": "offline_access",
+                    "refresh_token": refresh.token,
+                },
+            )
+            self.validate_jwt(access, provider)
+
     @apply_blueprint("system/providers-oauth2.yaml")
     def test_scope_claim_override_via_property_mapping(self):
         """Test that property mappings can override the scope claim in access tokens.
@@ -500,7 +528,7 @@ class TestToken(OAuthTestCase):
         )
         self.assertEqual(response.status_code, 200)
 
-        access: AccessToken = AccessToken.objects.filter(user=user, provider=provider).first()
+        access = AccessToken.objects.filter(user=user, provider=provider).first()
         jwt_data = self.validate_jwt(access, provider)
 
         # The scope should be the custom value from the property mapping,

authentik/providers/oauth2/tests/test_userinfo.py

@@ -40,7 +40,7 @@ class TestUserinfo(OAuthTestCase):
         self.app.provider = self.provider
         self.app.save()
         self.user = create_test_admin_user()
-        self.token: AccessToken = AccessToken.objects.create(
+        self.token = AccessToken.objects.create(
             provider=self.provider,
             user=self.user,
             token=generate_id(),

authentik/providers/oauth2/utils.py

@@ -7,7 +7,7 @@ from binascii import Error
 from hashlib import sha256
 from hmac import compare_digest
 from typing import Any
-from urllib.parse import unquote, urlparse
+from urllib.parse import parse_qs, unquote, urlencode, urlparse, urlunparse
 
 from django.http import HttpRequest, HttpResponse, JsonResponse
 from django.http.response import HttpResponseRedirect
@@ -267,3 +267,32 @@ def create_logout_token(
         payload["sid"] = hash_session_key(session_key)
     # Encode the token
     return provider.encode(payload, jwt_type="logout+jwt")
+
+
+def build_frontchannel_logout_url(
+    provider: OAuth2Provider,
+    request: HttpRequest,
+    session_key: str | None = None,
+) -> str | None:
+    """Build frontchannel logout URL with iss and sid parameters.
+
+    Returns None if provider doesn't have a logout_uri configured.
+    """
+    if not provider.logout_uri:
+        return None
+
+    parsed_url = urlparse(provider.logout_uri)
+
+    query_params = {"iss": provider.get_issuer(request)}
+    if session_key:
+        query_params["sid"] = hash_session_key(session_key)
+
+    # Preserve existing query params
+    if parsed_url.query:
+        existing_params = parse_qs(parsed_url.query, keep_blank_values=True)
+        for key, value in existing_params.items():
+            if key not in query_params:
+                query_params[key] = value[0] if len(value) == 1 else value
+
+    parsed_url = parsed_url._replace(query=urlencode(query_params))
+    return urlunparse(parsed_url)

authentik/providers/oauth2/views/authorize.py

@@ -18,6 +18,7 @@ from django.utils.translation import gettext as _
 from structlog.stdlib import get_logger
 
 from authentik.common.oauth.constants import (
+    FORBIDDEN_URI_SCHEMES,
     PKCE_METHOD_PLAIN,
     PKCE_METHOD_S256,
     PROMPT_CONSENT,
@@ -58,7 +59,6 @@ from authentik.providers.oauth2.models import (
     AuthorizationCode,
     GrantTypes,
     OAuth2Provider,
-    RedirectURI,
     RedirectURIMatchingMode,
     ResponseMode,
     ResponseTypes,
@@ -78,7 +78,6 @@ PLAN_CONTEXT_PARAMS = "goauthentik.io/providers/oauth2/params"
 SESSION_KEY_LAST_LOGIN_UID = "authentik/providers/oauth2/last_login_uid"
 
 ALLOWED_PROMPT_PARAMS = {PROMPT_NONE, PROMPT_CONSENT, PROMPT_LOGIN}
-FORBIDDEN_URI_SCHEMES = {"javascript", "data", "vbscript"}
 
 
 @dataclass(slots=True)
@@ -191,19 +190,11 @@ class OAuthAuthorizationParams:
 
     def check_redirect_uri(self):
         """Redirect URI validation."""
-        allowed_redirect_urls = self.provider.redirect_uris
+        allowed_redirect_urls = self.provider.authorization_redirect_uris
         if not self.redirect_uri:
             LOGGER.warning("Missing redirect uri.")
             raise RedirectUriError("", allowed_redirect_urls).with_cause("redirect_uri_missing")
 
-        if len(allowed_redirect_urls) < 1:
-            LOGGER.info("Setting redirect for blank redirect_uris", redirect=self.redirect_uri)
-            self.provider.redirect_uris = [
-                RedirectURI(RedirectURIMatchingMode.STRICT, self.redirect_uri)
-            ]
-            self.provider.save()
-            allowed_redirect_urls = self.provider.redirect_uris
-
         match_found = False
         for allowed in allowed_redirect_urls:
             if allowed.matching_mode == RedirectURIMatchingMode.STRICT:

authentik/providers/oauth2/views/end_session.py

@@ -1,20 +1,42 @@
 """oauth2 provider end_session Views"""
 
+from re import fullmatch
+from urllib.parse import quote, urlparse
+
 from django.http import Http404, HttpRequest, HttpResponse
 from django.shortcuts import get_object_or_404
 
-from authentik.core.models import Application
+from authentik.common.oauth.constants import (
+    FORBIDDEN_URI_SCHEMES,
+    OAUTH2_BINDING,
+    PLAN_CONTEXT_OIDC_LOGOUT_IFRAME_SESSIONS,
+    PLAN_CONTEXT_POST_LOGOUT_REDIRECT_URI,
+)
+from authentik.core.models import Application, AuthenticatedSession
 from authentik.flows.models import Flow, in_memory_stage
-from authentik.flows.planner import PLAN_CONTEXT_APPLICATION, FlowPlanner
+from authentik.flows.planner import (
+    PLAN_CONTEXT_APPLICATION,
+    FlowPlanner,
+)
 from authentik.flows.stage import SessionEndStage
 from authentik.flows.views.executor import SESSION_KEY_PLAN
-from authentik.policies.views import PolicyAccessView
+from authentik.lib.views import bad_request_message
+from authentik.policies.views import PolicyAccessView, RequestValidationError
+from authentik.providers.iframe_logout import IframeLogoutStageView
+from authentik.providers.oauth2.models import (
+    AccessToken,
+    OAuth2LogoutMethod,
+    RedirectURIMatchingMode,
+)
+from authentik.providers.oauth2.tasks import send_backchannel_logout_request
+from authentik.providers.oauth2.utils import build_frontchannel_logout_url
 
 
 class EndSessionView(PolicyAccessView):
-    """Redirect to application's provider's invalidation flow"""
+    """OIDC RP-Initiated Logout endpoint"""
 
     flow: Flow
+    post_logout_redirect_uri: str | None
 
     def resolve_provider_application(self):
         self.application = get_object_or_404(Application, slug=self.kwargs["application_slug"])
@@ -25,6 +47,38 @@ class EndSessionView(PolicyAccessView):
         if not self.flow:
             raise Http404
 
+        # Parse end session parameters
+        query_dict = self.request.POST if self.request.method == "POST" else self.request.GET
+        state = query_dict.get("state")
+        request_redirect_uri = query_dict.get("post_logout_redirect_uri")
+        self.post_logout_redirect_uri = None
+
+        # Validate post_logout_redirect_uri against registered URIs
+        if request_redirect_uri:
+            if urlparse(request_redirect_uri).scheme in FORBIDDEN_URI_SCHEMES:
+                raise RequestValidationError(
+                    bad_request_message(
+                        self.request,
+                        "Forbidden URI scheme in post_logout_redirect_uri",
+                    )
+                )
+            for allowed in self.provider.post_logout_redirect_uris:
+                if allowed.matching_mode == RedirectURIMatchingMode.STRICT:
+                    if request_redirect_uri == allowed.url:
+                        self.post_logout_redirect_uri = request_redirect_uri
+                        break
+                elif allowed.matching_mode == RedirectURIMatchingMode.REGEX:
+                    if fullmatch(allowed.url, request_redirect_uri):
+                        self.post_logout_redirect_uri = request_redirect_uri
+                        break
+
+        # Append state to the redirect URI if both are present
+        if self.post_logout_redirect_uri and state:
+            separator = "&" if "?" in self.post_logout_redirect_uri else "?"
+            self.post_logout_redirect_uri = (
+                f"{self.post_logout_redirect_uri}{separator}state={quote(state, safe='')}"
+            )
+
     # If IFrame provider logout happens when a saml provider has redirect
     # logout enabled, the flow won't make it back without this dispatch
     def dispatch(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
@@ -44,11 +98,80 @@ class EndSessionView(PolicyAccessView):
         """Dispatch the flow planner for the invalidation flow"""
         planner = FlowPlanner(self.flow)
         planner.allow_empty_flows = True
-        plan = planner.plan(
-            request,
-            {
-                PLAN_CONTEXT_APPLICATION: self.application,
-            },
+
+        # Build flow context with logout parameters
+        context = {
+            PLAN_CONTEXT_APPLICATION: self.application,
+        }
+
+        # Get session info for logout notifications and token invalidation
+        auth_session = AuthenticatedSession.from_request(request, request.user)
+
+        # Add validated redirect URI (with state appended) to context if available
+        if self.post_logout_redirect_uri:
+            context[PLAN_CONTEXT_POST_LOGOUT_REDIRECT_URI] = self.post_logout_redirect_uri
+            # Invalidate tokens for this provider/session (RP-initiated logout:
+            # user stays logged into authentik, only this provider's tokens are revoked)
+            if request.user.is_authenticated and auth_session:
+                AccessToken.objects.filter(
+                    user=request.user,
+                    provider=self.provider,
+                    session=auth_session,
+                ).delete()
+        session_key = (
+            auth_session.session.session_key if auth_session and auth_session.session else None
         )
+
+        # Handle frontchannel logout
+        frontchannel_logout_url = None
+        if self.provider.logout_method == OAuth2LogoutMethod.FRONTCHANNEL:
+            frontchannel_logout_url = build_frontchannel_logout_url(
+                self.provider, request, session_key
+            )
+
+        # Handle backchannel logout
+        if (
+            self.provider.logout_method == OAuth2LogoutMethod.BACKCHANNEL
+            and self.provider.logout_uri
+        ):
+            # Find access token to get iss and sub for the logout token
+            access_token = AccessToken.objects.filter(
+                user=request.user,
+                provider=self.provider,
+                session=auth_session,
+            ).first()
+            if access_token and access_token.id_token:
+                send_backchannel_logout_request.send(
+                    self.provider.pk,
+                    access_token.id_token.iss,
+                    access_token.id_token.sub,
+                    session_key,
+                )
+                # Delete the token to prevent duplicate backchannel logout
+                # when UserLogoutStage triggers the session deletion signal
+                access_token.delete()
+
+        if frontchannel_logout_url:
+            context[PLAN_CONTEXT_OIDC_LOGOUT_IFRAME_SESSIONS] = [
+                {
+                    "url": frontchannel_logout_url,
+                    "provider_name": self.provider.name,
+                    "binding": OAUTH2_BINDING,
+                    "provider_type": (
+                        f"{self.provider._meta.app_label}.{self.provider._meta.model_name}"
+                    ),
+                }
+            ]
+
+        plan = planner.plan(request, context)
+
+        # Inject iframe logout stage if frontchannel logout is configured
+        if frontchannel_logout_url:
+            plan.insert_stage(in_memory_stage(IframeLogoutStageView))
+
         plan.append_stage(in_memory_stage(SessionEndStage))
         return plan.to_redirect(self.request, self.flow)
+
+    def post(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
+        """Handle POST requests for logout (same as GET per OIDC spec)"""
+        return self.get(request, *args, **kwargs)

authentik/providers/oauth2/views/introspection.py

@@ -2,6 +2,7 @@
 
 from dataclasses import dataclass, field
 
+from django.db.models import Q
 from django.http import HttpRequest, HttpResponse
 from django.utils.decorators import method_decorator
 from django.views import View
@@ -10,7 +11,7 @@ from structlog.stdlib import get_logger
 
 from authentik.providers.oauth2.errors import TokenIntrospectionError
 from authentik.providers.oauth2.id_token import IDToken
-from authentik.providers.oauth2.models import AccessToken, OAuth2Provider, RefreshToken
+from authentik.providers.oauth2.models import AccessToken, ClientTypes, OAuth2Provider, RefreshToken
 from authentik.providers.oauth2.utils import TokenResponse, authenticate_provider
 
 LOGGER = get_logger()
@@ -33,10 +34,7 @@ class TokenIntrospectionParams:
         self.id_token = self.token.id_token
 
         if not self.token.id_token:
-            LOGGER.debug(
-                "token not an authentication token",
-                token=self.token,
-            )
+            LOGGER.debug("token not an authentication token", token=self.token)
             raise TokenIntrospectionError()
 
     @staticmethod
@@ -45,14 +43,23 @@ class TokenIntrospectionParams:
         raw_token = request.POST.get("token")
         provider = authenticate_provider(request)
         if not provider:
+            LOGGER.info("Failed to authenticate introspection request")
+            raise TokenIntrospectionError
+        if provider.client_type != ClientTypes.CONFIDENTIAL:
+            LOGGER.info("Introspection request from public provider, denying.")
             raise TokenIntrospectionError
 
-        access_token = AccessToken.objects.filter(token=raw_token, provider=provider).first()
+        query = Q(
+            Q(provider=provider) | Q(provider__jwt_federation_providers__in=[provider]),
+            token=raw_token,
+        )
+
+        access_token = AccessToken.objects.filter(query).first()
         if access_token:
-            return TokenIntrospectionParams(access_token, provider)
-        refresh_token = RefreshToken.objects.filter(token=raw_token, provider=provider).first()
+            return TokenIntrospectionParams(access_token, access_token.provider)
+        refresh_token = RefreshToken.objects.filter(query).first()
         if refresh_token:
-            return TokenIntrospectionParams(refresh_token, provider)
+            return TokenIntrospectionParams(refresh_token, refresh_token.provider)
         LOGGER.debug("Token does not exist", token=raw_token)
         raise TokenIntrospectionError()
 

authentik/providers/oauth2/views/provider.py

@@ -74,6 +74,8 @@ class ProviderInfoView(View):
             ),
             "backchannel_logout_supported": True,
             "backchannel_logout_session_supported": True,
+            "frontchannel_logout_supported": True,
+            "frontchannel_logout_session_supported": True,
             "response_types_supported": [
                 ResponseTypes.CODE,
                 ResponseTypes.ID_TOKEN,

authentik/providers/oauth2/views/token.py

@@ -241,7 +241,7 @@ class TokenParams:
             raise TokenError("invalid_grant")
 
     def __check_redirect_uri(self, request: HttpRequest):
-        allowed_redirect_urls = self.provider.redirect_uris
+        allowed_redirect_urls = self.provider.authorization_redirect_uris
         # At this point, no provider should have a blank redirect_uri, in case they do
         # this will check an empty array and raise an error
 
@@ -719,7 +719,7 @@ class TokenView(View):
         refresh_token_threshold = timedelta_from_string(self.provider.refresh_token_threshold)
         if (
             refresh_token_threshold.total_seconds() == 0
-            or (now - self.params.refresh_token.expires) > refresh_token_threshold
+            or (self.params.refresh_token.expires - now) < refresh_token_threshold
         ):
             refresh_token_expiry = now + timedelta_from_string(self.provider.refresh_token_validity)
             refresh_token = RefreshToken(

authentik/providers/oauth2/views/token_revoke.py

@@ -2,6 +2,7 @@
 
 from dataclasses import dataclass
 
+from django.db.models import Q
 from django.http import Http404, HttpRequest, HttpResponse
 from django.utils.decorators import method_decorator
 from django.views import View
@@ -32,15 +33,25 @@ class TokenRevocationParams:
         raw_token = request.POST.get("token")
 
         provider, _, _ = provider_from_request(request)
-        if provider and provider.client_type == ClientTypes.CONFIDENTIAL:
-            provider = authenticate_provider(request)
         if not provider:
             raise TokenRevocationError("invalid_client")
+        # By default clients can only revoke their own tokens
+        query = Q(provider=provider, token=raw_token)
+        if provider.client_type == ClientTypes.CONFIDENTIAL:
+            provider = authenticate_provider(request)
+            if not provider:
+                raise TokenRevocationError("invalid_client")
+            # If the request is authenticated by a confidential provider, it can also
+            # revoke federated tokens
+            query = Q(
+                Q(provider=provider) | Q(provider__jwt_federation_providers__in=[provider]),
+                token=raw_token,
+            )
 
-        access_token = AccessToken.objects.filter(token=raw_token).first()
+        access_token = AccessToken.objects.filter(query).first()
         if access_token:
             return TokenRevocationParams(access_token, provider)
-        refresh_token = RefreshToken.objects.filter(token=raw_token).first()
+        refresh_token = RefreshToken.objects.filter(query).first()
         if refresh_token:
             return TokenRevocationParams(refresh_token, provider)
         LOGGER.debug("Token does not exist", token=raw_token)

authentik/providers/saml/api/providers.py

@@ -232,8 +232,8 @@ class SAMLProviderSerializer(ProviderSerializer):
 class SAMLMetadataSerializer(PassiveSerializer):
     """SAML Provider Metadata serializer"""
 
-    metadata = CharField(read_only=True)
-    download_url = CharField(read_only=True, required=False, allow_null=True)
+    metadata = CharField()
+    download_url = CharField(required=False, allow_null=True)
 
 
 class SAMLProviderImportSerializer(PassiveSerializer):
@@ -315,7 +315,7 @@ class SAMLProviderViewSet(UsedByMixin, ModelViewSet):
                 return response
             return Response({"metadata": metadata}, content_type="application/json")
         except Provider.application.RelatedObjectDoesNotExist:
-            return Response({"metadata": ""}, content_type="application/json")
+            raise Http404 from None
 
     @permission_required(
         None,

authentik/providers/saml/tests/test_api.py

@@ -157,7 +157,7 @@ class TestSAMLProviderAPI(APITestCase):
         response = self.client.get(
             reverse("authentik_api:samlprovider-metadata", kwargs={"pk": provider.pk}),
         )
-        self.assertEqual(200, response.status_code)
+        self.assertEqual(404, response.status_code)
         response = self.client.get(
             reverse("authentik_api:samlprovider-metadata", kwargs={"pk": "abc"}),
         )

authentik/providers/saml/tests/test_idp_logout.py

@@ -5,6 +5,10 @@ from unittest.mock import Mock
 
 from django.test import RequestFactory, TestCase
 
+from authentik.common.oauth.constants import (
+    OAUTH2_BINDING,
+    PLAN_CONTEXT_OIDC_LOGOUT_IFRAME_SESSIONS,
+)
 from authentik.common.saml.constants import (
     RSA_SHA256,
     SAML_NAME_ID_FORMAT_EMAIL,
@@ -17,6 +21,7 @@ from authentik.providers.iframe_logout import (
     IframeLogoutChallenge,
     IframeLogoutStageView,
 )
+from authentik.providers.oauth2.models import OAuth2Provider
 from authentik.providers.saml.models import SAMLLogoutMethods, SAMLProvider
 from authentik.providers.saml.native_logout import (
     NativeLogoutChallenge,
@@ -295,14 +300,14 @@ class TestIframeLogoutStageView(TestCase):
             },
         ]
         # OIDC sessions (pre-processed)
-        from authentik.common.oauth.constants import PLAN_CONTEXT_OIDC_LOGOUT_IFRAME_SESSIONS
-
         plan.context[PLAN_CONTEXT_OIDC_LOGOUT_IFRAME_SESSIONS] = [
             {
                 "url": "https://oidc.example.com/logout?iss=authentik&sid=abc123",
                 "provider_name": "oidc-provider",
-                "binding": "redirect",
-                "provider_type": "oidc",
+                "binding": OAUTH2_BINDING,
+                "provider_type": (
+                    f"{OAuth2Provider._meta.app_label}" f".{OAuth2Provider._meta.model_name}"
+                ),
             },
         ]
         stage_view = IframeLogoutStageView(

authentik/rbac/tests/test_api_permissions_roles.py

@@ -49,6 +49,7 @@ class TestRBACPermissionRoles(APITestCase):
         self.assertJSONEqual(
             res.content,
             {
+                "autocomplete": {},
                 "pagination": {
                     "next": 0,
                     "previous": 0,

authentik/root/settings.py

@@ -208,6 +208,7 @@ SPECTACULAR_SETTINGS = {
         "authentik.api.v3.schema.response.postprocess_schema_responses",
         "authentik.api.v3.schema.query.postprocess_schema_query_params",
         "authentik.api.v3.schema.cleanup.postprocess_schema_remove_unused",
+        "authentik.api.v3.schema.search.postprocess_schema_search_autocomplete",
         "authentik.api.v3.schema.enum.postprocess_schema_enums",
     ],
 }
@@ -215,10 +216,10 @@ SPECTACULAR_SETTINGS = {
 REST_FRAMEWORK = {
     "DEFAULT_PAGINATION_CLASS": "authentik.api.pagination.Pagination",
     "DEFAULT_FILTER_BACKENDS": [
+        "authentik.api.search.ql.QLSearch",
         "authentik.rbac.filters.ObjectFilter",
         "django_filters.rest_framework.DjangoFilterBackend",
         "rest_framework.filters.OrderingFilter",
-        "rest_framework.filters.SearchFilter",
     ],
     "DEFAULT_PERMISSION_CLASSES": ("authentik.rbac.permissions.ObjectPermissions",),
     "DEFAULT_AUTHENTICATION_CLASSES": (

authentik/root/test_plugin.py

@@ -1,12 +1,15 @@
 import math
 from os import environ
 from ssl import OPENSSL_VERSION
+from time import monotonic
+from typing import TextIO
 
 import pytest
 from cryptography.hazmat.backends.openssl.backend import backend
+from pytest import Config, Item, TerminalReporter
 
 from authentik import authentik_full_version
-from tests.e2e.utils import get_local_ip
+from tests.decorators import get_local_ip
 
 IS_CI = "CI" in environ
 
@@ -29,7 +32,7 @@ def pytest_report_header(*_, **__):
     ]
 
 
-def pytest_collection_modifyitems(config: pytest.Config, items: list[pytest.Item]) -> None:
+def pytest_collection_modifyitems(config: Config, items: list[Item]) -> None:
     current_id = int(environ.get("CI_RUN_ID", "0")) - 1
     total_ids = int(environ.get("CI_TOTAL_RUNS", "0"))
 
@@ -44,3 +47,38 @@ def pytest_collection_modifyitems(config: pytest.Config, items: list[pytest.Item
         config.hook.pytest_deselected(items=deselected_items)
         items[:] = items[start:end]
         print(f" Executing {start} - {end} tests")
+
+
+@pytest.hookimpl(trylast=True)
+def pytest_configure(config: Config):
+    # Replace the default terminal reporter
+    reporter = config.pluginmanager.get_plugin("terminalreporter")
+    if reporter:
+        config.pluginmanager.unregister(reporter)
+        config.pluginmanager.register(
+            RelativeTimeTerminalReporter(config),
+            "terminalreporter",
+        )
+
+
+class RelativeTimeTerminalReporter(TerminalReporter):
+    _start_time: None | float
+
+    def __init__(self, config: Config, file: TextIO | None = None):
+        super().__init__(config, file)
+        self._start_time = None
+
+    def pytest_runtest_logstart(self, nodeid, location):
+        # Set start time on the first test
+        if self._start_time is None:
+            self._start_time = monotonic()
+        super().pytest_runtest_logstart(nodeid, location)
+
+    def _locationline(self, nodeid, fspath, lineno, domain):
+        original = super()._locationline(nodeid, fspath, lineno, domain)
+        if self._start_time is None:
+            return original
+        elapsed = monotonic() - self._start_time
+        minutes, seconds = divmod(elapsed, 60)
+        timestamp = f"{int(minutes):02d}:{seconds:06.3f}"
+        return f"[+{timestamp}] {original}"

authentik/root/test_runner.py

@@ -69,8 +69,8 @@ class PytestTestRunner(DiscoverRunner):  # pragma: no cover
 
         # Test-specific configuration
         test_config = {
-            "events.context_processors.geoip": "tests/GeoLite2-City-Test.mmdb",
-            "events.context_processors.asn": "tests/GeoLite2-ASN-Test.mmdb",
+            "events.context_processors.geoip": "tests/geoip/GeoLite2-City-Test.mmdb",
+            "events.context_processors.asn": "tests/geoip/GeoLite2-ASN-Test.mmdb",
             "blueprints_dir": "./blueprints",
             "outposts.container_image_base": f"ghcr.io/goauthentik/dev-%(type)s:{get_docker_tag()}",
             "tenants.enabled": False,

authentik/sources/kerberos/models.py

@@ -168,7 +168,7 @@ class KerberosSource(IncomingSyncSource):
                 }
             ),
             name=self.name,
-            icon_url=self.icon_url,
+            icon_url=self.get_icon_url(request, use_cache=False) or self.icon_url,
             promoted=self.promoted,
         )
 

authentik/sources/ldap/api/connections.py

@@ -1,14 +1,15 @@
 """Source API Views"""
 
-
 from rest_framework.viewsets import ModelViewSet
 
+from authentik.core.api.groups import PartialUserSerializer
 from authentik.core.api.sources import (
     GroupSourceConnectionSerializer,
     GroupSourceConnectionViewSet,
     UserSourceConnectionSerializer,
     UserSourceConnectionViewSet,
 )
+from authentik.core.api.users import PartialGroupSerializer
 from authentik.sources.ldap.models import (
     GroupLDAPSourceConnection,
     UserLDAPSourceConnection,
@@ -16,8 +17,11 @@ from authentik.sources.ldap.models import (
 
 
 class UserLDAPSourceConnectionSerializer(UserSourceConnectionSerializer):
+    user_obj = PartialUserSerializer(source="user", read_only=True)
+
     class Meta(UserSourceConnectionSerializer.Meta):
         model = UserLDAPSourceConnection
+        fields = UserSourceConnectionSerializer.Meta.fields + ["user_obj"]
 
 
 class UserLDAPSourceConnectionViewSet(UserSourceConnectionViewSet, ModelViewSet):
@@ -26,8 +30,11 @@ class UserLDAPSourceConnectionViewSet(UserSourceConnectionViewSet, ModelViewSet)
 
 
 class GroupLDAPSourceConnectionSerializer(GroupSourceConnectionSerializer):
+    group_obj = PartialGroupSerializer(source="group", read_only=True)
+
     class Meta(GroupSourceConnectionSerializer.Meta):
         model = GroupLDAPSourceConnection
+        fields = GroupSourceConnectionSerializer.Meta.fields + ["group_obj"]
 
 
 class GroupLDAPSourceConnectionViewSet(GroupSourceConnectionViewSet, ModelViewSet):

authentik/sources/ldap/api/property_mappings.py

@@ -1,4 +1,3 @@
-
 from rest_framework.viewsets import ModelViewSet
 
 from authentik.core.api.property_mappings import PropertyMappingFilterSet, PropertyMappingSerializer