root: add flake

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

.github/actions/cherry-pick/action.yml

@@ -115,13 +115,20 @@ runs:
       shell: bash
       env:
         GITHUB_TOKEN: ${{ inputs.token }}
-        PR_NUMBER: ${{ steps.should_run.outputs.pr_number }}
-        REASON: ${{ steps.should_run.outputs.reason }}
       run: |
         set -e -o pipefail
+        PR_NUMBER="${{ steps.should_run.outputs.pr_number }}"
+
+        # Get PR details
+        PR_DATA=$(gh api repos/${{ github.repository }}/pulls/$PR_NUMBER)
+        PR_TITLE=$(echo "$PR_DATA" | jq -r '.title')
+        PR_AUTHOR=$(echo "$PR_DATA" | jq -r '.user.login')
+
+        echo "pr_title=$PR_TITLE" >> $GITHUB_OUTPUT
+        echo "pr_author=$PR_AUTHOR" >> $GITHUB_OUTPUT
 
         # Determine which labels to process
-        if [ "${REASON}" = "label_added_to_merged_pr" ]; then
+        if [ "${{ steps.should_run.outputs.reason }}" = "label_added_to_merged_pr" ]; then
           # Only process the specific label that was just added
           if [ "${{ github.event_name }}" = "issues" ]; then
             LABEL_NAME="${{ github.event.label.name }}"
@@ -145,13 +152,13 @@ runs:
       shell: bash
       env:
         GITHUB_TOKEN: ${{ inputs.token }}
-        PR_NUMBER: '${{ steps.should_run.outputs.pr_number }}'
-        COMMIT_SHA: '${{ steps.should_run.outputs.merge_commit_sha }}'
-        PR_TITLE: ${{ github.event.pull_request.title }}
-        PR_AUTHOR: ${{ github.event.pull_request.user.login }}
-        LABELS: '${{ steps.pr_details.outputs.labels }}'
       run: |
         set -e -o pipefail
+        PR_NUMBER='${{ steps.should_run.outputs.pr_number }}'
+        COMMIT_SHA='${{ steps.should_run.outputs.merge_commit_sha }}'
+        PR_TITLE='${{ steps.pr_details.outputs.pr_title }}'
+        PR_AUTHOR='${{ steps.pr_details.outputs.pr_author }}'
+        LABELS='${{ steps.pr_details.outputs.labels }}'
 
         echo "Processing PR #$PR_NUMBER (reason: ${{ steps.should_run.outputs.reason }})"
         echo "Found backport labels: $LABELS"

.github/actions/setup/action.yml

@@ -8,11 +8,6 @@ inputs:
   postgresql_version:
     description: "Optional postgresql image tag"
     default: "16"
-  working-directory:
-    description: |
-      Optional working directory if this repo isn't in the root of the actions workspace.
-      When set, needs to contain a trailing slash
-    default: ""
 
 runs:
   using: "composite"
@@ -23,53 +18,50 @@ runs:
       run: |
         sudo apt-get remove --purge man-db
         sudo apt-get update
-        sudo apt-get install --no-install-recommends -y libpq-dev openssl libxmlsec1-dev pkg-config gettext krb5-multidev libkrb5-dev heimdal-multidev libclang-dev krb5-kdc krb5-user krb5-admin-server
+        sudo apt-get install --no-install-recommends -y libpq-dev openssl libxmlsec1-dev pkg-config gettext libkrb5-dev krb5-kdc krb5-user krb5-admin-server
         sudo rm -rf /usr/local/lib/android
     - name: Install uv
       if: ${{ contains(inputs.dependencies, 'python') }}
-      uses: astral-sh/setup-uv@ed21f2f24f8dd64503750218de024bcf64c7250a # v5
+      uses: astral-sh/setup-uv@681c641aba71e4a1c380be3ab5e12ad51f415867 # v5
       with:
         enable-cache: true
     - name: Setup python
       if: ${{ contains(inputs.dependencies, 'python') }}
       uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v5
       with:
-        python-version-file: "${{ inputs.working-directory }}pyproject.toml"
+        python-version-file: "pyproject.toml"
     - name: Install Python deps
       if: ${{ contains(inputs.dependencies, 'python') }}
       shell: bash
-      working-directory: ${{ inputs.working-directory }}
       run: uv sync --all-extras --dev --frozen
     - name: Setup node
       if: ${{ contains(inputs.dependencies, 'node') }}
       uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v4
       with:
-        node-version-file: ${{ inputs.working-directory }}web/package.json
+        node-version-file: web/package.json
         cache: "npm"
-        cache-dependency-path: ${{ inputs.working-directory }}web/package-lock.json
+        cache-dependency-path: web/package-lock.json
         registry-url: 'https://registry.npmjs.org'
     - name: Setup go
       if: ${{ contains(inputs.dependencies, 'go') }}
       uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v5
       with:
-        go-version-file: "${{ inputs.working-directory }}go.mod"
+        go-version-file: "go.mod"
     - name: Setup docker cache
       if: ${{ contains(inputs.dependencies, 'runtime') }}
       uses: AndreKurait/docker-cache@0fe76702a40db986d9663c24954fc14c6a6031b7
       with:
-        key: docker-images-${{ runner.os }}-${{ hashFiles('.github/actions/setup/docker-compose.yml', 'Makefile') }}-${{ inputs.postgresql_version }}
+        key: docker-images-${{ runner.os }}-${{ hashFiles('.github/actions/setup/compose.yml', 'Makefile') }}-${{ inputs.postgresql_version }}
     - name: Setup dependencies
       if: ${{ contains(inputs.dependencies, 'runtime') }}
       shell: bash
-      working-directory: ${{ inputs.working-directory }}
       run: |
         export PSQL_TAG=${{ inputs.postgresql_version }}
-        docker compose -f .github/actions/setup/docker-compose.yml up -d
-        cd web && npm ci
+        docker compose -f .github/actions/setup/compose.yml up -d
+        cd web && npm i
     - name: Generate config
       if: ${{ contains(inputs.dependencies, 'python') }}
       shell: uv run python {0}
-      working-directory: ${{ inputs.working-directory }}
       run: |
         from authentik.lib.generators import generate_id
         from yaml import safe_dump

.github/actions/setup/compose.yml

@@ -2,7 +2,7 @@ services:
   postgresql:
     image: docker.io/library/postgres:${PSQL_TAG:-16}
     volumes:
-      - db-data:/var/lib/postgresql
+      - db-data:/var/lib/postgresql/data
     command: "-c log_statement=all"
     environment:
       POSTGRES_USER: authentik
@@ -11,11 +11,6 @@ services:
     ports:
       - 5432:5432
     restart: always
-  redis:
-    image: docker.io/library/redis:7
-    ports:
-      - 6379:6379
-    restart: always
   s3:
     container_name: s3
     image: docker.io/zenko/cloudserver

.github/actions/test-results/action.yml

@@ -12,11 +12,11 @@ runs:
       with:
         flags: ${{ inputs.flags }}
         use_oidc: true
-    - uses: codecov/test-results-action@47f89e9acb64b76debcd5ea40642d25a4adced9f # v1
+    - uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5
       with:
         flags: ${{ inputs.flags }}
-        file: unittest.xml
         use_oidc: true
+        report_type: test_results
     - name: PostgreSQL Logs
       shell: bash
       run: |

.github/workflows/_reusable-docker-build-single.yml

@@ -44,7 +44,7 @@ jobs:
     steps:
       - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
       - uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
-      - uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3
+      - uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
       - name: prepare variables
         uses: ./.github/actions/docker-push-variables
         id: ev
@@ -78,18 +78,14 @@ jobs:
           node-version-file: web/package.json
           cache: "npm"
           cache-dependency-path: web/package-lock.json
-      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6
-        with:
-          go-version-file: "go.mod"
-      - name: Generate API Clients
-        run: |
-          make gen-client-ts
-          make gen-client-go
+      - name: generate ts client
+        run: make gen-client-ts
       - name: Build Docker Image
         uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6
         id: push
         with:
           context: .
+          file: lifecycle/container/Dockerfile
           push: ${{ steps.ev.outputs.shouldPush == 'true' }}
           secrets: |
             GEOIPUPDATE_ACCOUNT_ID=${{ secrets.GEOIPUPDATE_ACCOUNT_ID }}
@@ -100,7 +96,7 @@ jobs:
           platforms: linux/${{ inputs.image_arch }}
           cache-from: type=registry,ref=${{ steps.ev.outputs.attestImageNames }}:buildcache-${{ inputs.image_arch }}
           cache-to: ${{ steps.ev.outputs.cacheTo }}
-      - uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3
+      - uses: actions/attest-build-provenance@00014ed6ed5efc5b1ab7f7f34a39eb55d41aa4f8 # v3
         id: attest
         if: ${{ steps.ev.outputs.shouldPush == 'true' }}
         with:

.github/workflows/_reusable-docker-build.yml

@@ -90,14 +90,14 @@ jobs:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
-      - uses: int128/docker-manifest-create-action@b60433fd4312d7a64a56d769b76ebe3f45cf36b4 # v2
+      - uses: int128/docker-manifest-create-action@6cdd53a8337cd50bc3ef8c7016579d8d460edd94 # v2
         id: build
         with:
           tags: ${{ matrix.tag }}
           sources: |
             ${{ steps.ev.outputs.attestImageNames }}@${{ needs.build-server-amd64.outputs.image-digest }}
             ${{ steps.ev.outputs.attestImageNames }}@${{ needs.build-server-arm64.outputs.image-digest }}
-      - uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3
+      - uses: actions/attest-build-provenance@00014ed6ed5efc5b1ab7f7f34a39eb55d41aa4f8 # v3
         id: attest
         with:
           subject-name: ${{ steps.ev.outputs.attestImageNames }}

.github/workflows/api-ts-publish.yml

@@ -21,7 +21,7 @@ jobs:
         uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
         with:
           app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIV_KEY }}
+          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
       - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
         with:
           token: ${{ steps.generate_token.outputs.token }}

.github/workflows/ci-api-docs.yml

@@ -41,7 +41,7 @@ jobs:
       - working-directory: website/
         name: Install Dependencies
         run: npm ci
-      - uses: actions/cache@a7833574556fa59680c1b7cb190c1735db73ebf0 # v4
+      - uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v4
         with:
           path: |
             ${{ github.workspace }}/website/api/.docusaurus
@@ -55,7 +55,7 @@ jobs:
         env:
           NODE_ENV: production
         run: npm run build -w api
-      - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v4
+      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v4
         with:
           name: api-docs
           path: website/api/build
@@ -67,7 +67,7 @@ jobs:
       - build
     steps:
       - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
-      - uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v5
+      - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v5
         with:
           name: api-docs
           path: website/api/build

.github/workflows/ci-docs.yml

@@ -75,7 +75,7 @@ jobs:
       - name: Set up QEMU
         uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
       - name: prepare variables
         uses: ./.github/actions/docker-push-variables
         id: ev
@@ -101,7 +101,7 @@ jobs:
           context: .
           cache-from: type=registry,ref=ghcr.io/goauthentik/dev-docs:buildcache
           cache-to: ${{ steps.ev.outputs.shouldPush == 'true' && 'type=registry,ref=ghcr.io/goauthentik/dev-docs:buildcache,mode=max' || '' }}
-      - uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3
+      - uses: actions/attest-build-provenance@00014ed6ed5efc5b1ab7f7f34a39eb55d41aa4f8 # v3
         id: attest
         if: ${{ steps.ev.outputs.shouldPush == 'true' }}
         with:

.github/workflows/ci-main-daily.yml

@@ -24,5 +24,5 @@ jobs:
           dir="/tmp/authentik/${{ matrix.version }}"
           mkdir -p $dir
           cd $dir
-          wget https://${{ matrix.version }}.goauthentik.io/docker-compose.yml
+          wget https://${{ matrix.version }}.goauthentik.io/compose.yml
           ${current}/scripts/test_docker.sh

.github/workflows/ci-main.yml

@@ -84,7 +84,7 @@ jobs:
           # Current version family based on
           current_version_family=$(cat internal/constants/VERSION | grep -vE -- 'rc[0-9]+$' || true)
           if [[ -n $current_version_family ]]; then
-              prev_stable="version/${current_version_family}"
+              prev_stable=$current_version_family
           fi
           echo "::notice::Checking out ${prev_stable} as stable version..."
           git checkout ${prev_stable}
@@ -95,10 +95,7 @@ jobs:
         with:
           postgresql_version: ${{ matrix.psql }}
       - name: run migrations to stable
-        run: |
-          docker ps
-          docker logs setup-postgresql-1
-          uv run python -m lifecycle.migrate
+        run: uv run python -m lifecycle.migrate
       - name: checkout current code
         run: |
           set -x
@@ -196,15 +193,17 @@ jobs:
             glob: tests/e2e/test_source_scim*
           - name: flows
             glob: tests/e2e/test_flows*
+          - name: endpoints
+            glob: tests/e2e/test_endpoints_*
     steps:
       - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
       - name: Setup authentik env
         uses: ./.github/actions/setup
       - name: Setup e2e env (chrome, etc)
         run: |
-          docker compose -f tests/e2e/docker-compose.yml up -d --quiet-pull
+          docker compose -f tests/e2e/compose.yml up -d --quiet-pull
       - id: cache-web
-        uses: actions/cache@a7833574556fa59680c1b7cb190c1735db73ebf0 # v4
+        uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v4
         with:
           path: web/dist
           key: ${{ runner.os }}-web-${{ hashFiles('web/package-lock.json', 'package-lock.json', 'web/src/**', 'web/packages/sfe/src/**') }}-b
@@ -224,11 +223,60 @@ jobs:
         if: ${{ always() }}
         with:
           flags: e2e
+  test-openid-conformance:
+    name: test-openid-conformance (${{ matrix.job.name }})
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    strategy:
+      fail-fast: false
+      matrix:
+        job:
+          - name: basic
+            glob: tests/openid_conformance/test_basic.py
+          - name: implicit
+            glob: tests/openid_conformance/test_implicit.py
+    steps:
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
+      - name: Setup authentik env
+        uses: ./.github/actions/setup
+      - name: Setup e2e env (chrome, etc)
+        run: |
+          docker compose -f tests/e2e/compose.yml up -d --quiet-pull
+      - name: Setup conformance suite
+        run: |
+          docker compose -f tests/openid_conformance/compose.yml up -d --quiet-pull
+      - id: cache-web
+        uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v4
+        with:
+          path: web/dist
+          key: ${{ runner.os }}-web-${{ hashFiles('web/package-lock.json', 'web/src/**', 'web/packages/sfe/src/**') }}-b
+      - name: prepare web ui
+        if: steps.cache-web.outputs.cache-hit != 'true'
+        working-directory: web
+        run: |
+          npm ci
+          make -C .. gen-client-ts
+          npm run build
+          npm run build:sfe
+      - name: run conformance
+        run: |
+          uv run coverage run manage.py test ${{ matrix.job.glob }}
+          uv run coverage xml
+      - uses: ./.github/actions/test-results
+        if: ${{ always() }}
+        with:
+          flags: conformance
+      - if: ${{ !cancelled() }}
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
+        with:
+          name: conformance-certification-${{ matrix.job.name }}
+          path: tests/openid_conformance/exports/
   ci-core-mark:
     if: always()
     needs:
       - lint
       - test-migrations
+      - test-migrations-from-stable
       - test-unittest
       - test-integration
       - test-e2e

.github/workflows/ci-outpost.yml

@@ -92,7 +92,7 @@ jobs:
       - name: Set up QEMU
         uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
       - name: prepare variables
         uses: ./.github/actions/docker-push-variables
         id: ev
@@ -114,7 +114,7 @@ jobs:
         uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6
         with:
           tags: ${{ steps.ev.outputs.imageTags }}
-          file: ${{ matrix.type }}.Dockerfile
+          file: lifecycle/container/${{ matrix.type }}.Dockerfile
           push: ${{ steps.ev.outputs.shouldPush == 'true' }}
           build-args: |
             GIT_BUILD_HASH=${{ steps.ev.outputs.sha }}
@@ -122,7 +122,7 @@ jobs:
           context: .
           cache-from: type=registry,ref=ghcr.io/goauthentik/dev-${{ matrix.type }}:buildcache
           cache-to: ${{ steps.ev.outputs.shouldPush == 'true' && format('type=registry,ref=ghcr.io/goauthentik/dev-{0}:buildcache,mode=max', matrix.type) || '' }}
-      - uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3
+      - uses: actions/attest-build-provenance@00014ed6ed5efc5b1ab7f7f34a39eb55d41aa4f8 # v3
         id: attest
         if: ${{ steps.ev.outputs.shouldPush == 'true' }}
         with:

.github/workflows/gen-image-compress.yml

@@ -32,7 +32,7 @@ jobs:
         uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
         with:
           app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIV_KEY }}
+          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
       - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
         with:
           token: ${{ steps.generate_token.outputs.token }}

.github/workflows/gen-update-webauthn-mds.yml

@@ -19,7 +19,7 @@ jobs:
         uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
         with:
           app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIV_KEY }}
+          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
       - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
         with:
           token: ${{ steps.generate_token.outputs.token }}

.github/workflows/gh-cherry-pick.yml

@@ -14,7 +14,7 @@ jobs:
         if: ${{ env.GH_APP_ID != '' }}
         with:
           app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIV_KEY }}
+          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
         env:
           GH_APP_ID: ${{ secrets.GH_APP_ID }}
       - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5

.github/workflows/gh-ghcr-retention.yml

@@ -19,7 +19,7 @@ jobs:
         uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
         with:
           app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIV_KEY }}
+          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
       - name: Delete 'dev' containers older than a week
         uses: snok/container-retention-policy@3b0972b2276b171b212f8c4efbca59ebba26eceb # v3.0.1
         with:

.github/workflows/release-branch-off.yml

@@ -32,7 +32,7 @@ jobs:
         uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
         with:
           app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIV_KEY }}
+          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
       - name: Checkout main
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
         with:
@@ -60,7 +60,7 @@ jobs:
         uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
         with:
           app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIV_KEY }}
+          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
       - name: Checkout main
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
         with:

.github/workflows/release-publish.yml

@@ -35,7 +35,7 @@ jobs:
       - name: Set up QEMU
         uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
       - name: prepare variables
         uses: ./.github/actions/docker-push-variables
         id: ev
@@ -58,7 +58,7 @@ jobs:
           push: true
           platforms: linux/amd64,linux/arm64
           context: .
-      - uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3
+      - uses: actions/attest-build-provenance@00014ed6ed5efc5b1ab7f7f34a39eb55d41aa4f8 # v3
         id: attest
         if: true
         with:
@@ -87,15 +87,10 @@ jobs:
       - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6
         with:
           go-version-file: "go.mod"
-      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v5
-        with:
-          node-version-file: web/package.json
-          cache: "npm"
-          cache-dependency-path: web/package-lock.json
       - name: Set up QEMU
         uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
       - name: prepare variables
         uses: ./.github/actions/docker-push-variables
         id: ev
@@ -103,10 +98,10 @@ jobs:
           DOCKER_USERNAME: ${{ secrets.DOCKER_CORP_USERNAME }}
         with:
           image-name: ghcr.io/goauthentik/${{ matrix.type }},authentik/${{ matrix.type }}
-      - name: Generate API Clients
+      - name: make empty clients
         run: |
-          make gen-client-ts
-          make gen-client-go
+          mkdir -p ./gen-ts-api
+          mkdir -p ./gen-go-api
       - name: Docker Login Registry
         uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3
         with:
@@ -126,10 +121,10 @@ jobs:
           build-args: |
             VERSION=${{ github.ref }}
           tags: ${{ steps.ev.outputs.imageTags }}
-          file: ${{ matrix.type }}.Dockerfile
+          file: lifecycle/container/${{ matrix.type }}.Dockerfile
           platforms: linux/amd64,linux/arm64
           context: .
-      - uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3
+      - uses: actions/attest-build-provenance@00014ed6ed5efc5b1ab7f7f34a39eb55d41aa4f8 # v3
         id: attest
         with:
           subject-name: ${{ steps.ev.outputs.attestImageNames }}
@@ -160,21 +155,11 @@ jobs:
           node-version-file: web/package.json
           cache: "npm"
           cache-dependency-path: web/package-lock.json
-      - name: Install web dependencies
-        working-directory: web/
-        run: |
-          npm ci
-      - name: Generate API Clients
-        run: |
-          make gen-client-ts
-          make gen-client-go
       - name: Build web
         working-directory: web/
         run: |
+          npm ci
           npm run build-proxy
-      - name: Build API client
-        run: |
-          make gen-client-go
       - name: Build outpost
         run: |
           set -x
@@ -247,7 +232,7 @@ jobs:
           container=$(docker container create ${{ steps.ev.outputs.imageMainName }})
           docker cp ${container}:web/ .
       - name: Create a Sentry.io release
-        uses: getsentry/action-release@128c5058bbbe93c8e02147fe0a9c713f166259a6 # v3
+        uses: getsentry/action-release@dab6548b3c03c4717878099e43782cf5be654289 # v3
         continue-on-error: true
         env:
           SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}

.github/workflows/release-tag.yml

@@ -55,8 +55,6 @@ jobs:
       - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
         with:
           ref: "version-${{ needs.check-inputs.outputs.major_version }}"
-      - name: Setup authentik env
-        uses: ./.github/actions/setup
       - run: make test-docker
   bump-authentik:
     name: Bump authentik version
@@ -70,7 +68,7 @@ jobs:
         uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
         with:
           app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIV_KEY }}
+          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
       - id: get-user-id
         name: Get GitHub app user ID
         run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
@@ -91,7 +89,6 @@ jobs:
           # ID from https://api.github.com/users/authentik-automation[bot]
           git config --global user.name '${{ steps.app-token.outputs.app-slug }}[bot]'
           git config --global user.email '${{ steps.get-user-id.outputs.user-id }}+${{ steps.app-token.outputs.app-slug }}[bot]@users.noreply.github.com'
-          git pull
           git commit -a -m "release: ${{ inputs.version }}" --allow-empty
           git tag "version/${{ inputs.version }}" HEAD -m "version/${{ inputs.version }}"
           git push --follow-tags
@@ -118,7 +115,7 @@ jobs:
         uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
         with:
           app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIV_KEY }}
+          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
           repositories: helm
       - id: get-user-id
         name: Get GitHub app user ID
@@ -160,7 +157,7 @@ jobs:
         uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
         with:
           app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIV_KEY }}
+          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
           repositories: version
       - id: get-user-id
         name: Get GitHub app user ID

.github/workflows/repo-stale.yml

@@ -18,7 +18,7 @@ jobs:
         uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
         with:
           app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIV_KEY }}
+          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
       - uses: actions/stale@997185467fa4f803885201cee163a9f38240193d # v10
         with:
           repo-token: ${{ steps.generate_token.outputs.token }}

.github/workflows/translation-extract-compile.yml

@@ -24,7 +24,7 @@ jobs:
         uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
         with:
           app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIV_KEY }}
+          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
       - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
         if: ${{ github.event_name != 'pull_request' }}
         with:

.gitignore

@@ -211,4 +211,5 @@ source_docs/
 /vendor/
 
 ### Docker ###
-docker-compose.override.yml
+tests/openid_conformance/exports/*.zip
+compose.override.yml

CODEOWNERS

@@ -16,10 +16,8 @@ go.sum                                  @goauthentik/backend
 # Infrastructure
 .github/                                @goauthentik/infrastructure
 lifecycle/aws/                          @goauthentik/infrastructure
-Dockerfile                              @goauthentik/infrastructure
-*Dockerfile                             @goauthentik/infrastructure
+lifecycle/container/                    @goauthentik/infrastructure
 .dockerignore                           @goauthentik/infrastructure
-docker-compose.yml                      @goauthentik/infrastructure
 Makefile                                @goauthentik/infrastructure
 .editorconfig                           @goauthentik/infrastructure
 CODEOWNERS                              @goauthentik/infrastructure

Makefile

@@ -9,6 +9,13 @@ NPM_VERSION = $(shell python -m scripts.generate_semver)
 PY_SOURCES = authentik packages tests scripts lifecycle .github
 DOCKER_IMAGE ?= "authentik:test"
 
+UNAME_S := $(shell uname -s)
+ifeq ($(UNAME_S),Darwin)
+	SED_INPLACE = sed -i ''
+else
+	SED_INPLACE = sed -i
+endif
+
 GEN_API_TS = gen-ts-api
 GEN_API_PY = gen-py-api
 GEN_API_GO = gen-go-api
@@ -119,11 +126,11 @@ bump:  ## Bump authentik version. Usage: make bump version=20xx.xx.xx
 ifndef version
 	$(error Usage: make bump version=20xx.xx.xx )
 endif
-	$(eval current_version := $(shell cat ${PWD}/internal/constants/VERSION))
-	sed -i 's/^version = ".*"/version = "$(version)"/' pyproject.toml
-	sed -i 's/^VERSION = ".*"/VERSION = "$(version)"/' authentik/__init__.py
+	$(SED_INPLACE) 's/^version = ".*"/version = "$(version)"/' pyproject.toml
+	$(SED_INPLACE) 's/^VERSION = ".*"/VERSION = "$(version)"/' authentik/__init__.py
 	$(MAKE) gen-build gen-compose aws-cfn
-	sed -i "s/\"${current_version}\"/\"$(version)\"/" ${PWD}/package.json ${PWD}/package-lock.json ${PWD}/web/package.json ${PWD}/web/package-lock.json
+	npm version --no-git-tag-version --allow-same-version $(version)
+	cd ${PWD}/web && npm version --no-git-tag-version --allow-same-version $(version)
 	echo -n $(version) > ${PWD}/internal/constants/VERSION
 
 #########################
@@ -134,14 +141,10 @@ gen-build:  ## Extract the schema from the database
 	AUTHENTIK_DEBUG=true \
 		AUTHENTIK_TENANTS__ENABLED=true \
 		AUTHENTIK_OUTPOSTS__DISABLE_EMBEDDED_OUTPOST=true \
-		uv run ak make_blueprint_schema --file blueprints/schema.json
-	AUTHENTIK_DEBUG=true \
-		AUTHENTIK_TENANTS__ENABLED=true \
-		AUTHENTIK_OUTPOSTS__DISABLE_EMBEDDED_OUTPOST=true \
-		uv run ak spectacular --file schema.yml
+		uv run ak build_schema
 
 gen-compose:
-	uv run scripts/generate_docker_compose.py
+	uv run scripts/generate_compose.py
 
 gen-changelog:  ## (Release) generate the changelog based from the commits since the last tag
 	git log --pretty=format:" - %s" $(shell git describe --tags $(shell git rev-list --tags --max-count=1))...$(shell git branch --show-current) | sort > changelog.md
@@ -149,14 +152,14 @@ gen-changelog:  ## (Release) generate the changelog based from the commits since
 
 gen-diff:  ## (Release) generate the changelog diff between the current schema and the last tag
 	git show $(shell git describe --tags $(shell git rev-list --tags --max-count=1)):schema.yml > schema-old.yml
-	docker compose -f scripts/api/docker-compose.yml run --rm --user "${UID}:${GID}" diff \
+	docker compose -f scripts/api/compose.yml run --rm --user "${UID}:${GID}" diff \
 		--markdown \
 		/local/diff.md \
 		/local/schema-old.yml \
 		/local/schema.yml
 	rm schema-old.yml
-	sed -i 's/{/{/g' diff.md
-	sed -i 's/}/}/g' diff.md
+	$(SED_INPLACE) 's/{/{/g' diff.md
+	$(SED_INPLACE) 's/}/}/g' diff.md
 	npx prettier --write diff.md
 
 gen-clean-ts:  ## Remove generated API client for TypeScript
@@ -172,7 +175,7 @@ gen-clean-go:  ## Remove generated API client for Go
 gen-clean: gen-clean-ts gen-clean-go gen-clean-py  ## Remove generated API clients
 
 gen-client-ts: gen-clean-ts  ## Build and install the authentik API for Typescript into the authentik UI Application
-	docker compose -f scripts/api/docker-compose.yml run --rm --user "${UID}:${GID}" gen \
+	docker compose -f scripts/api/compose.yml run --rm --user "${UID}:${GID}" gen \
 		generate \
 		-i /local/schema.yml \
 		-g typescript-fetch \
@@ -188,15 +191,24 @@ gen-client-ts: gen-clean-ts  ## Build and install the authentik API for Typescri
 
 gen-client-py: gen-clean-py ## Build and install the authentik API for Python
 	mkdir -p ${PWD}/${GEN_API_PY}
+ifeq ($(wildcard ${PWD}/${GEN_API_PY}/.*),)
 	git clone --depth 1 https://github.com/goauthentik/client-python.git ${PWD}/${GEN_API_PY}
+else
+	cd ${PWD}/${GEN_API_PY} && git pull
+endif
 	cp ${PWD}/schema.yml ${PWD}/${GEN_API_PY}
 	make -C ${PWD}/${GEN_API_PY} build version=${NPM_VERSION}
 
-gen-client-go: gen-clean-go  ## Build and install the authentik API for Golang
+gen-client-go:  ## Build and install the authentik API for Golang
 	mkdir -p ${PWD}/${GEN_API_GO}
+ifeq ($(wildcard ${PWD}/${GEN_API_GO}/.*),)
 	git clone --depth 1 https://github.com/goauthentik/client-go.git ${PWD}/${GEN_API_GO}
+else
+	cd ${PWD}/${GEN_API_GO} && git reset --hard
+	cd ${PWD}/${GEN_API_GO} && git pull
+endif
 	cp ${PWD}/schema.yml ${PWD}/${GEN_API_GO}
-	make -C ${PWD}/${GEN_API_GO} build version=${NPM_VERSION}
+	make -C ${PWD}/${GEN_API_GO} build
 	go mod edit -replace goauthentik.io/api/v3=./${GEN_API_GO}
 
 gen-dev-config:  ## Generate a local development config file
@@ -284,7 +296,7 @@ docs-api-clean: ## Clean generated API documentation
 
 docker:  ## Build a docker image of the current source tree
 	mkdir -p ${GEN_API_TS}
-	DOCKER_BUILDKIT=1 docker build . --progress plain --tag ${DOCKER_IMAGE}
+	DOCKER_BUILDKIT=1 docker build . -f lifecycle/container/Dockerfile --progress plain --tag ${DOCKER_IMAGE}
 
 test-docker:
 	BUILD=true ${PWD}/scripts/test_docker.sh

SECURITY.md

@@ -20,8 +20,8 @@ Even if the issue is not a CVE, we still greatly appreciate your help in hardeni
 
 | Version    | Supported  |
 | ---------- | ---------- |
+| 2025.8.x   | ✅         |
 | 2025.10.x  | ✅         |
-| 2025.12.x  | ✅         |
 
 ## Reporting a Vulnerability
 

authentik/__init__.py

@@ -3,7 +3,7 @@
 from functools import lru_cache
 from os import environ
 
-VERSION = "2025.12.4"
+VERSION = "2026.2.0-rc1"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
 
 

authentik/admin/files/api.py

@@ -1,3 +1,5 @@
+import mimetypes
+
 from django.db.models import Q
 from django.utils.translation import gettext as _
 from drf_spectacular.utils import extend_schema
@@ -10,14 +12,13 @@ from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.views import APIView
 
-from authentik.admin.files.backends.base import get_content_type
 from authentik.admin.files.fields import FileField as AkFileField
 from authentik.admin.files.manager import get_file_manager
 from authentik.admin.files.usage import FileApiUsage
 from authentik.admin.files.validation import validate_upload_file_name
 from authentik.api.validation import validate
 from authentik.core.api.used_by import DeleteAction, UsedBySerializer
-from authentik.core.api.utils import PassiveSerializer, ThemedUrlsSerializer
+from authentik.core.api.utils import PassiveSerializer
 from authentik.events.models import Event, EventAction
 from authentik.lib.utils.reflection import get_apps
 from authentik.rbac.permissions import HasPermission
@@ -25,6 +26,11 @@ from authentik.rbac.permissions import HasPermission
 MAX_FILE_SIZE_BYTES = 25 * 1024 * 1024  # 25MB
 
 
+def get_mime_from_filename(filename: str) -> str:
+    mime_type, _ = mimetypes.guess_type(filename)
+    return mime_type or "application/octet-stream"
+
+
 class FileView(APIView):
     pagination_class = None
     parser_classes = [MultiPartParser]
@@ -47,7 +53,6 @@ class FileView(APIView):
         name = CharField()
         mime_type = CharField()
         url = CharField()
-        themed_urls = ThemedUrlsSerializer(required=False, allow_null=True)
 
     @extend_schema(
         parameters=[FileListParameters],
@@ -75,9 +80,8 @@ class FileView(APIView):
             FileView.FileListSerializer(
                 data={
                     "name": file,
-                    "url": manager.file_url(file, request),
-                    "mime_type": get_content_type(file),
-                    "themed_urls": manager.themed_urls(file, request),
+                    "url": manager.file_url(file),
+                    "mime_type": get_mime_from_filename(file),
                 }
             )
             for file in files
@@ -146,7 +150,7 @@ class FileView(APIView):
                 "pk": name,
                 "name": name,
                 "usage": usage.value,
-                "mime_type": get_content_type(name),
+                "mime_type": get_mime_from_filename(name),
             },
         ).from_http(request)
 

authentik/admin/files/backends/base.py

@@ -1,4 +1,3 @@
-import mimetypes
 from collections.abc import Callable, Generator, Iterator
 from typing import cast
 
@@ -11,32 +10,6 @@ from authentik.admin.files.usage import FileUsage
 CACHE_PREFIX = "goauthentik.io/admin/files"
 LOGGER = get_logger()
 
-# Theme variable placeholder for theme-specific files like logo-%(theme)s.png
-THEME_VARIABLE = "%(theme)s"
-
-
-def get_content_type(name: str) -> str:
-    """Get MIME type for a file based on its extension."""
-    content_type, _ = mimetypes.guess_type(name)
-    return content_type or "application/octet-stream"
-
-
-def get_valid_themes() -> list[str]:
-    """Get valid themes that can be substituted for %(theme)s."""
-    from authentik.brands.api import Themes
-
-    return [t.value for t in Themes if t != Themes.AUTOMATIC]
-
-
-def has_theme_variable(name: str) -> bool:
-    """Check if filename contains %(theme)s variable."""
-    return THEME_VARIABLE in name
-
-
-def substitute_theme(name: str, theme: str) -> str:
-    """Replace %(theme)s with the given theme."""
-    return name.replace(THEME_VARIABLE, theme)
-
 
 class Backend:
     """
@@ -102,29 +75,6 @@ class Backend:
         """
         raise NotImplementedError
 
-    def themed_urls(
-        self,
-        name: str,
-        request: HttpRequest | None = None,
-    ) -> dict[str, str] | None:
-        """
-        Get URLs for each theme variant when filename contains %(theme)s.
-
-        Args:
-            name: File path potentially containing %(theme)s
-            request: Optional Django HttpRequest for URL building
-
-        Returns:
-            Dict mapping theme to URL if %(theme)s present, None otherwise
-        """
-        if not has_theme_variable(name):
-            return None
-
-        return {
-            theme: self.file_url(substitute_theme(name, theme), request, use_cache=True)
-            for theme in get_valid_themes()
-        }
-
 
 class ManageableBackend(Backend):
     """

authentik/admin/files/backends/file.py

@@ -45,13 +45,8 @@ class FileBackend(ManageableBackend):
 
     @property
     def manageable(self) -> bool:
-        # Check _base_dir (the mount point, e.g. /data) rather than base_path
-        # (which includes usage/schema subdirs, e.g. /data/media/public).
-        # The subdirectories are created on first file write via mkdir(parents=True)
-        # in save_file(), so requiring them to exist beforehand would prevent
-        # file creation on fresh installs.
         return (
-            self._base_dir.exists()
+            self.base_path.exists()
             and (self._base_dir.is_mount() or (self._base_dir / self.usage.value).is_mount())
             or (settings.DEBUG or settings.TEST)
         )

authentik/admin/files/backends/passthrough.py

@@ -46,25 +46,3 @@ class PassthroughBackend(Backend):
     ) -> str:
         """Return the URL as-is for passthrough files."""
         return name
-
-    def themed_urls(
-        self,
-        name: str,
-        request: HttpRequest | None = None,
-    ) -> dict[str, str] | None:
-        """Support themed URLs for external URLs with %(theme)s placeholder.
-
-        If the external URL contains %(theme)s, substitute it for each theme.
-        We can't verify that themed variants exist at the external location,
-        but we trust the user to provide valid URLs.
-        """
-        from authentik.admin.files.backends.base import (
-            get_valid_themes,
-            has_theme_variable,
-            substitute_theme,
-        )
-
-        if not has_theme_variable(name):
-            return None
-
-        return {theme: substitute_theme(name, theme) for theme in get_valid_themes()}

authentik/admin/files/backends/s3.py

@@ -9,7 +9,7 @@ from botocore.exceptions import ClientError
 from django.db import connection
 from django.http.request import HttpRequest
 
-from authentik.admin.files.backends.base import ManageableBackend, get_content_type
+from authentik.admin.files.backends.base import ManageableBackend
 from authentik.admin.files.usage import FileUsage
 from authentik.lib.config import CONFIG
 from authentik.lib.utils.time import timedelta_from_string
@@ -173,22 +173,7 @@ class S3Backend(ManageableBackend):
             if custom_domain:
                 parsed = urlsplit(url)
                 scheme = "https" if use_https else "http"
-                path = parsed.path
-
-                # When using path-style addressing, the presigned URL contains the bucket
-                # name in the path (e.g., /bucket-name/key). Since custom_domain must
-                # include the bucket name (per docs), strip it from the path to avoid
-                # duplication. See: https://github.com/goauthentik/authentik/issues/19521
-                # Check with trailing slash to ensure exact bucket name match
-                if path.startswith(f"/{self.bucket_name}/"):
-                    path = path.removeprefix(f"/{self.bucket_name}")
-
-                # Normalize to avoid double slashes
-                custom_domain = custom_domain.rstrip("/")
-                if not path.startswith("/"):
-                    path = f"/{path}"
-
-                url = f"{scheme}://{custom_domain}{path}?{parsed.query}"
+                url = f"{scheme}://{custom_domain}{parsed.path}?{parsed.query}"
 
             return url
 
@@ -204,7 +189,6 @@ class S3Backend(ManageableBackend):
             Key=f"{self.base_path}/{name}",
             Body=content,
             ACL="private",
-            ContentType=get_content_type(name),
         )
 
     @contextmanager
@@ -220,7 +204,6 @@ class S3Backend(ManageableBackend):
                 Key=f"{self.base_path}/{name}",
                 ExtraArgs={
                     "ACL": "private",
-                    "ContentType": get_content_type(name),
                 },
             )
 

authentik/admin/files/backends/tests/test_file_backend.py

@@ -165,31 +165,3 @@ class TestFileBackend(FileTestFileBackendMixin, TestCase):
     def test_file_exists_false(self):
         """Test file_exists returns False for nonexistent file"""
         self.assertFalse(self.backend.file_exists("does_not_exist.txt"))
-
-    def test_themed_urls_without_theme_variable(self):
-        """Test themed_urls returns None when filename has no %(theme)s"""
-        file_name = "logo.png"
-        result = self.backend.themed_urls(file_name)
-        self.assertIsNone(result)
-
-    def test_themed_urls_with_theme_variable(self):
-        """Test themed_urls returns dict of URLs for each theme"""
-        file_name = "logo-%(theme)s.png"
-        result = self.backend.themed_urls(file_name)
-
-        self.assertIsInstance(result, dict)
-        self.assertIn("light", result)
-        self.assertIn("dark", result)
-
-        # Check URLs contain the substituted theme
-        self.assertIn("logo-light.png", result["light"])
-        self.assertIn("logo-dark.png", result["dark"])
-
-    def test_themed_urls_multiple_theme_variables(self):
-        """Test themed_urls with multiple %(theme)s in path"""
-        file_name = "%(theme)s/logo-%(theme)s.svg"
-        result = self.backend.themed_urls(file_name)
-
-        self.assertIsInstance(result, dict)
-        self.assertIn("light/logo-light.svg", result["light"])
-        self.assertIn("dark/logo-dark.svg", result["dark"])

authentik/admin/files/backends/tests/test_s3_backend.py

@@ -110,106 +110,3 @@ class TestS3Backend(FileTestS3BackendMixin, TestCase):
         """Test S3Backend with REPORTS usage"""
         self.assertEqual(self.reports_s3_backend.usage, FileUsage.REPORTS)
         self.assertEqual(self.reports_s3_backend.base_path, "reports/public")
-
-    @CONFIG.patch("storage.s3.secure_urls", True)
-    @CONFIG.patch("storage.s3.addressing_style", "path")
-    def test_file_url_custom_domain_with_bucket_no_duplicate(self):
-        """Test file_url doesn't duplicate bucket name when custom_domain includes bucket.
-
-        Regression test for https://github.com/goauthentik/authentik/issues/19521
-
-        When using:
-        - Path-style addressing (bucket name goes in URL path, not subdomain)
-        - Custom domain that includes the bucket name (e.g., s3.example.com/bucket-name)
-
-        The bucket name should NOT appear twice in the final URL.
-
-        Example of the bug:
-        - custom_domain = "s3.example.com/authentik-media"
-        - boto3 presigned URL = "http://s3.example.com/authentik-media/media/public/file.png?..."
-        - Buggy result = "https://s3.example.com/authentik-media/authentik-media/media/public/file.png?..."
-        """
-        bucket_name = self.media_s3_bucket_name
-
-        # Custom domain includes the bucket name
-        custom_domain = f"localhost:8020/{bucket_name}"
-
-        with CONFIG.patch("storage.media.s3.custom_domain", custom_domain):
-            url = self.media_s3_backend.file_url("application-icons/test.svg", use_cache=False)
-
-        # The bucket name should appear exactly once in the URL path, not twice
-        bucket_occurrences = url.count(bucket_name)
-        self.assertEqual(
-            bucket_occurrences,
-            1,
-            f"Bucket name '{bucket_name}' appears {bucket_occurrences} times in URL, expected 1. "
-            f"URL: {url}",
-        )
-
-    def test_themed_urls_without_theme_variable(self):
-        """Test themed_urls returns None when filename has no %(theme)s"""
-        result = self.media_s3_backend.themed_urls("logo.png")
-        self.assertIsNone(result)
-
-    def test_themed_urls_with_theme_variable(self):
-        """Test themed_urls returns dict of presigned URLs for each theme"""
-        result = self.media_s3_backend.themed_urls("logo-%(theme)s.png")
-
-        self.assertIsInstance(result, dict)
-        self.assertIn("light", result)
-        self.assertIn("dark", result)
-
-        # Check URLs are valid presigned URLs with correct file paths
-        self.assertIn("logo-light.png", result["light"])
-        self.assertIn("logo-dark.png", result["dark"])
-        self.assertIn("X-Amz-Signature=", result["light"])
-        self.assertIn("X-Amz-Signature=", result["dark"])
-
-    def test_themed_urls_multiple_theme_variables(self):
-        """Test themed_urls with multiple %(theme)s in path"""
-        result = self.media_s3_backend.themed_urls("%(theme)s/logo-%(theme)s.svg")
-
-        self.assertIsInstance(result, dict)
-        self.assertIn("light/logo-light.svg", result["light"])
-        self.assertIn("dark/logo-dark.svg", result["dark"])
-
-    def test_save_file_sets_content_type_svg(self):
-        """Test save_file sets correct ContentType for SVG files"""
-        self.media_s3_backend.save_file("test.svg", b"<svg></svg>")
-
-        response = self.media_s3_backend.client.head_object(
-            Bucket=self.media_s3_bucket_name,
-            Key="media/public/test.svg",
-        )
-        self.assertEqual(response["ContentType"], "image/svg+xml")
-
-    def test_save_file_sets_content_type_png(self):
-        """Test save_file sets correct ContentType for PNG files"""
-        self.media_s3_backend.save_file("test.png", b"\x89PNG\r\n\x1a\n")
-
-        response = self.media_s3_backend.client.head_object(
-            Bucket=self.media_s3_bucket_name,
-            Key="media/public/test.png",
-        )
-        self.assertEqual(response["ContentType"], "image/png")
-
-    def test_save_file_stream_sets_content_type(self):
-        """Test save_file_stream sets correct ContentType"""
-        with self.media_s3_backend.save_file_stream("test.css") as f:
-            f.write(b"body { color: red; }")
-
-        response = self.media_s3_backend.client.head_object(
-            Bucket=self.media_s3_bucket_name,
-            Key="media/public/test.css",
-        )
-        self.assertEqual(response["ContentType"], "text/css")
-
-    def test_save_file_unknown_extension_octet_stream(self):
-        """Test save_file sets octet-stream for unknown extensions"""
-        self.media_s3_backend.save_file("test.unknownext123", b"data")
-
-        response = self.media_s3_backend.client.head_object(
-            Bucket=self.media_s3_bucket_name,
-            Key="media/public/test.unknownext123",
-        )
-        self.assertEqual(response["ContentType"], "application/octet-stream")

authentik/admin/files/manager.py

@@ -88,28 +88,6 @@ class FileManager:
         LOGGER.warning(f"Could not find file backend for file: {name}")
         return ""
 
-    def themed_urls(
-        self,
-        name: str | None,
-        request: HttpRequest | Request | None = None,
-    ) -> dict[str, str] | None:
-        """
-        Get URLs for each theme variant when filename contains %(theme)s.
-
-        Returns dict mapping theme to URL if %(theme)s present, None otherwise.
-        """
-        if not name:
-            return None
-
-        if isinstance(request, Request):
-            request = request._request
-
-        for backend in self.backends:
-            if backend.supports_file(name):
-                return backend.themed_urls(name, request)
-
-        return None
-
     def _check_manageable(self) -> None:
         if not self.manageable:
             raise ImproperlyConfigured("No file management backend configured.")

authentik/admin/files/tests/test_api.py

@@ -5,6 +5,7 @@ from io import BytesIO
 from django.test import TestCase
 from django.urls import reverse
 
+from authentik.admin.files.api import get_mime_from_filename
 from authentik.admin.files.manager import FileManager
 from authentik.admin.files.tests.utils import FileTestFileBackendMixin
 from authentik.admin.files.usage import FileUsage
@@ -93,9 +94,8 @@ class TestFileAPI(FileTestFileBackendMixin, TestCase):
         self.assertIn(
             {
                 "name": "/static/authentik/sources/ldap.png",
-                "url": "http://testserver/static/authentik/sources/ldap.png",
+                "url": "/static/authentik/sources/ldap.png",
                 "mime_type": "image/png",
-                "themed_urls": None,
             },
             response.data,
         )
@@ -129,9 +129,8 @@ class TestFileAPI(FileTestFileBackendMixin, TestCase):
         self.assertIn(
             {
                 "name": "/static/authentik/sources/ldap.png",
-                "url": "http://testserver/static/authentik/sources/ldap.png",
+                "url": "/static/authentik/sources/ldap.png",
                 "mime_type": "image/png",
-                "themed_urls": None,
             },
             response.data,
         )
@@ -201,64 +200,30 @@ class TestFileAPI(FileTestFileBackendMixin, TestCase):
         self.assertEqual(response.status_code, 400)
         self.assertIn("field is required", str(response.data))
 
-    def test_list_files_includes_themed_urls_none(self):
-        """Test listing files includes themed_urls as None for non-themed files"""
-        manager = FileManager(FileUsage.MEDIA)
-        file_name = "test-no-theme.png"
-        manager.save_file(file_name, b"test content")
 
-        response = self.client.get(
-            reverse("authentik_api:files", query={"search": file_name, "manageableOnly": "true"})
-        )
+class TestGetMimeFromFilename(TestCase):
+    """Test get_mime_from_filename function"""
 
-        self.assertEqual(response.status_code, 200)
-        file_entry = next((f for f in response.data if f["name"] == file_name), None)
-        self.assertIsNotNone(file_entry)
-        self.assertIn("themed_urls", file_entry)
-        self.assertIsNone(file_entry["themed_urls"])
+    def test_image_png(self):
+        """Test PNG image MIME type"""
+        self.assertEqual(get_mime_from_filename("test.png"), "image/png")
 
-        manager.delete_file(file_name)
+    def test_image_jpeg(self):
+        """Test JPEG image MIME type"""
+        self.assertEqual(get_mime_from_filename("test.jpg"), "image/jpeg")
 
-    def test_list_files_includes_themed_urls_dict(self):
-        """Test listing files includes themed_urls as dict for themed files"""
-        manager = FileManager(FileUsage.MEDIA)
-        file_name = "logo-%(theme)s.svg"
-        manager.save_file("logo-light.svg", b"<svg>light</svg>")
-        manager.save_file("logo-dark.svg", b"<svg>dark</svg>")
-        manager.save_file(file_name, b"<svg>placeholder</svg>")
+    def test_image_svg(self):
+        """Test SVG image MIME type"""
+        self.assertEqual(get_mime_from_filename("test.svg"), "image/svg+xml")
 
-        response = self.client.get(
-            reverse("authentik_api:files", query={"search": "%(theme)s", "manageableOnly": "true"})
-        )
+    def test_text_plain(self):
+        """Test text file MIME type"""
+        self.assertEqual(get_mime_from_filename("test.txt"), "text/plain")
 
-        self.assertEqual(response.status_code, 200)
-        file_entry = next((f for f in response.data if f["name"] == file_name), None)
-        self.assertIsNotNone(file_entry)
-        self.assertIn("themed_urls", file_entry)
-        self.assertIsInstance(file_entry["themed_urls"], dict)
-        self.assertIn("light", file_entry["themed_urls"])
-        self.assertIn("dark", file_entry["themed_urls"])
+    def test_unknown_extension(self):
+        """Test unknown extension returns octet-stream"""
+        self.assertEqual(get_mime_from_filename("test.unknown"), "application/octet-stream")
 
-        manager.delete_file(file_name)
-        manager.delete_file("logo-light.svg")
-        manager.delete_file("logo-dark.svg")
-
-    def test_upload_file_with_theme_variable(self):
-        """Test uploading file with %(theme)s in name"""
-        manager = FileManager(FileUsage.MEDIA)
-        file_name = "brand-logo-%(theme)s.svg"
-        file_content = b"<svg></svg>"
-
-        response = self.client.post(
-            reverse("authentik_api:files"),
-            {
-                "file": BytesIO(file_content),
-                "name": file_name,
-                "usage": FileUsage.MEDIA.value,
-            },
-            format="multipart",
-        )
-
-        self.assertEqual(response.status_code, 200)
-        self.assertTrue(manager.file_exists(file_name))
-        manager.delete_file(file_name)
+    def test_no_extension(self):
+        """Test no extension returns octet-stream"""
+        self.assertEqual(get_mime_from_filename("test"), "application/octet-stream")

authentik/admin/files/tests/test_manager.py

@@ -1,7 +1,6 @@
 """Test file service layer"""
 
 from unittest import skipUnless
-from urllib.parse import urlparse
 
 from django.http import HttpRequest
 from django.test import TestCase
@@ -105,71 +104,3 @@ class TestResolveFileUrlS3Backend(FileTestS3BackendMixin, TestCase):
 
         # S3 URLs should be returned as-is (already absolute)
         self.assertTrue(result.startswith("http://s3.test:8080/test"))
-
-
-class TestThemedUrls(FileTestFileBackendMixin, TestCase):
-    """Test FileManager.themed_urls method"""
-
-    def test_themed_urls_none_path(self):
-        """Test themed_urls returns None for None path"""
-        manager = FileManager(FileUsage.MEDIA)
-        result = manager.themed_urls(None)
-        self.assertIsNone(result)
-
-    def test_themed_urls_empty_path(self):
-        """Test themed_urls returns None for empty path"""
-        manager = FileManager(FileUsage.MEDIA)
-        result = manager.themed_urls("")
-        self.assertIsNone(result)
-
-    def test_themed_urls_no_theme_variable(self):
-        """Test themed_urls returns None when no %(theme)s in path"""
-        manager = FileManager(FileUsage.MEDIA)
-        result = manager.themed_urls("logo.png")
-        self.assertIsNone(result)
-
-    def test_themed_urls_with_theme_variable(self):
-        """Test themed_urls returns dict of URLs for each theme"""
-        manager = FileManager(FileUsage.MEDIA)
-        result = manager.themed_urls("logo-%(theme)s.png")
-
-        self.assertIsInstance(result, dict)
-        self.assertIn("light", result)
-        self.assertIn("dark", result)
-        self.assertIn("logo-light.png", result["light"])
-        self.assertIn("logo-dark.png", result["dark"])
-
-    def test_themed_urls_with_request(self):
-        """Test themed_urls builds absolute URLs with request"""
-        mock_request = HttpRequest()
-        mock_request.META = {
-            "HTTP_HOST": "example.com",
-            "SERVER_NAME": "example.com",
-        }
-
-        manager = FileManager(FileUsage.MEDIA)
-        result = manager.themed_urls("logo-%(theme)s.svg", mock_request)
-
-        self.assertIsInstance(result, dict)
-        light_url = urlparse(result["light"])
-        dark_url = urlparse(result["dark"])
-        self.assertEqual(light_url.scheme, "http")
-        self.assertEqual(light_url.netloc, "example.com")
-        self.assertEqual(dark_url.scheme, "http")
-        self.assertEqual(dark_url.netloc, "example.com")
-
-    def test_themed_urls_passthrough_with_theme_variable(self):
-        """Test themed_urls returns dict for passthrough URLs with %(theme)s"""
-        manager = FileManager(FileUsage.MEDIA)
-        # External URLs with %(theme)s should return themed URLs
-        result = manager.themed_urls("https://example.com/logo-%(theme)s.png")
-        self.assertIsInstance(result, dict)
-        self.assertEqual(result["light"], "https://example.com/logo-light.png")
-        self.assertEqual(result["dark"], "https://example.com/logo-dark.png")
-
-    def test_themed_urls_passthrough_without_theme_variable(self):
-        """Test themed_urls returns None for passthrough URLs without %(theme)s"""
-        manager = FileManager(FileUsage.MEDIA)
-        # External URLs without %(theme)s should return None
-        result = manager.themed_urls("https://example.com/logo.png")
-        self.assertIsNone(result)

authentik/admin/files/tests/test_validation.py

@@ -62,10 +62,10 @@ class TestSanitizeFilePath(TestCase):
             "test@file.png",  # @
             "test#file.png",  # #
             "test$file.png",  # $
-            "test%file.png",  # % (but %(theme)s is allowed)
+            "test%file.png",  # %
             "test&file.png",  # &
             "test*file.png",  # *
-            "test(file).png",  # parentheses (but %(theme)s is allowed)
+            "test(file).png",  # parentheses
             "test[file].png",  # brackets
             "test{file}.png",  # braces
         ]
@@ -108,30 +108,3 @@ class TestSanitizeFilePath(TestCase):
 
         with self.assertRaises(ValidationError):
             validate_file_name(path)
-
-    def test_sanitize_theme_variable_valid(self):
-        """Test sanitizing filename with %(theme)s variable"""
-        # These should all be valid
-        validate_file_name("logo-%(theme)s.png")
-        validate_file_name("brand/logo-%(theme)s.svg")
-        validate_file_name("images/icon-%(theme)s.png")
-        validate_file_name("%(theme)s/logo.png")
-        validate_file_name("brand/%(theme)s/logo.png")
-
-    def test_sanitize_theme_variable_multiple(self):
-        """Test sanitizing filename with multiple %(theme)s variables"""
-        validate_file_name("%(theme)s/logo-%(theme)s.png")
-
-    def test_sanitize_theme_variable_invalid_format(self):
-        """Test that partial or malformed theme variables are rejected"""
-        invalid_paths = [
-            "test%(theme.png",  # missing )s
-            "test%theme)s.png",  # missing (
-            "test%(themes).png",  # wrong variable name
-            "test%(THEME)s.png",  # wrong case
-            "test%()s.png",  # empty variable name
-        ]
-
-        for path in invalid_paths:
-            with self.assertRaises(ValidationError):
-                validate_file_name(path)

authentik/admin/files/validation.py

@@ -4,7 +4,6 @@ from pathlib import PurePosixPath
 from django.core.exceptions import ValidationError
 from django.utils.translation import gettext as _
 
-from authentik.admin.files.backends.base import THEME_VARIABLE
 from authentik.admin.files.backends.passthrough import PassthroughBackend
 from authentik.admin.files.backends.static import StaticBackend
 from authentik.admin.files.usage import FileUsage
@@ -40,17 +39,12 @@ def validate_upload_file_name(
     if not name:
         raise ValidationError(_("File name cannot be empty"))
 
-    # Allow %(theme)s placeholder for theme-specific files
-    # Replace with placeholder for validation, then check the result
-    name_for_validation = name.replace(THEME_VARIABLE, "theme")
-
-    # Same regex is used in the frontend as well (with %(theme)s handling)
-    if not re.match(r"^[a-zA-Z0-9._/-]+$", name_for_validation):
+    # Same regex is used in the frontend as well
+    if not re.match(r"^[a-zA-Z0-9._/-]+$", name):
         raise ValidationError(
             _(
                 "File name can only contain letters (a-z, A-Z), numbers (0-9), "
-                "dots (.), hyphens (-), underscores (_), forward slashes (/), "
-                "and the placeholder %(theme)s for theme-specific files"
+                "dots (.), hyphens (-), underscores (_), and forward slashes (/)"
             )
         )
 

authentik/api/management/commands/build_schema.py

@@ -0,0 +1,45 @@
+from json import dumps
+
+from django.core.management.base import BaseCommand, no_translations
+from drf_spectacular.drainage import GENERATOR_STATS
+from drf_spectacular.generators import SchemaGenerator
+from drf_spectacular.renderers import OpenApiYamlRenderer
+from drf_spectacular.validation import validate_schema
+from structlog.stdlib import get_logger
+
+from authentik.blueprints.v1.schema import SchemaBuilder
+
+
+class Command(BaseCommand):
+
+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        self.logger = get_logger()
+
+    def add_arguments(self, parser):
+        parser.add_argument("--blueprint-file", type=str, default="blueprints/schema.json")
+        parser.add_argument("--api-file", type=str, default="schema.yml")
+
+    @no_translations
+    def handle(self, *args, blueprint_file: str, api_file: str, **options):
+        self.build_blueprint(blueprint_file)
+        self.build_api(api_file)
+
+    def build_blueprint(self, file: str):
+        self.logger.debug("Building blueprint schema...", file=file)
+        blueprint_builder = SchemaBuilder()
+        blueprint_builder.build()
+        with open(file, "w") as _schema:
+            _schema.write(
+                dumps(blueprint_builder.schema, indent=4, default=SchemaBuilder.json_default)
+            )
+
+    def build_api(self, file: str):
+        self.logger.debug("Building API schema...", file=file)
+        generator = SchemaGenerator()
+        schema = generator.get_schema(request=None, public=True)
+        GENERATOR_STATS.emit_summary()
+        validate_schema(schema)
+        output = OpenApiYamlRenderer().render(schema, renderer_context={})
+        with open(file, "wb") as f:
+            f.write(output)

authentik/api/tests/test_schema.py

@@ -1,9 +1,14 @@
 """Schema generation tests"""
 
+from pathlib import Path
+
+from django.core.management import call_command
 from django.urls import reverse
 from rest_framework.test import APITestCase
 from yaml import safe_load
 
+from authentik.lib.config import CONFIG
+
 
 class TestSchemaGeneration(APITestCase):
     """Generic admin tests"""
@@ -21,3 +26,18 @@ class TestSchemaGeneration(APITestCase):
             reverse("authentik_api:schema-browser"),
         )
         self.assertEqual(response.status_code, 200)
+
+    def test_build_schema(self):
+        """Test schema build command"""
+        blueprint_file = Path("blueprints/schema.json")
+        api_file = Path("schema.yml")
+        blueprint_file.unlink()
+        api_file.unlink()
+        with (
+            CONFIG.patch("debug", True),
+            CONFIG.patch("tenants.enabled", True),
+            CONFIG.patch("outposts.disable_embedded_outpost", True),
+        ):
+            call_command("build_schema")
+        self.assertTrue(blueprint_file.exists())
+        self.assertTrue(api_file.exists())

authentik/blueprints/v1/importer.py

@@ -15,7 +15,6 @@ from django.db.models import Model
 from django.db.models.query_utils import Q
 from django.db.transaction import atomic
 from django.db.utils import IntegrityError
-from django_channels_postgres.models import GroupChannel, Message
 from guardian.models import RoleObjectPermission, UserObjectPermission
 from rest_framework.exceptions import ValidationError
 from rest_framework.serializers import BaseSerializer, Serializer
@@ -41,55 +40,17 @@ from authentik.core.models import (
     User,
     UserSourceConnection,
 )
-from authentik.endpoints.connectors.agent.models import (
-    AgentDeviceConnection,
-    AppleNonce,
-    DeviceAuthenticationToken,
-)
-from authentik.endpoints.connectors.agent.models import (
-    DeviceToken as EndpointDeviceToken,
-)
-from authentik.endpoints.models import Connector, Device, DeviceConnection, DeviceFactSnapshot
+from authentik.endpoints.models import Connector
 from authentik.enterprise.license import LicenseKey
-from authentik.enterprise.models import LicenseUsage
-from authentik.enterprise.providers.google_workspace.models import (
-    GoogleWorkspaceProviderGroup,
-    GoogleWorkspaceProviderUser,
-)
-from authentik.enterprise.providers.microsoft_entra.models import (
-    MicrosoftEntraProviderGroup,
-    MicrosoftEntraProviderUser,
-)
-from authentik.enterprise.providers.ssf.models import StreamEvent
-from authentik.enterprise.stages.authenticator_endpoint_gdtc.models import (
-    EndpointDevice,
-    EndpointDeviceConnection,
-)
 from authentik.events.logs import LogEvent, capture_logs
 from authentik.events.utils import cleanse_dict
-from authentik.flows.models import FlowToken, Stage
-from authentik.lib.models import SerializerModel
+from authentik.flows.models import Stage
+from authentik.lib.models import InternallyManagedMixin, SerializerModel
 from authentik.lib.sentry import SentryIgnoredException
 from authentik.lib.utils.reflection import get_apps
 from authentik.outposts.models import OutpostServiceConnection
 from authentik.policies.models import Policy, PolicyBindingModel
-from authentik.policies.reputation.models import Reputation
-from authentik.providers.oauth2.models import (
-    AccessToken,
-    AuthorizationCode,
-    DeviceToken,
-    RefreshToken,
-)
-from authentik.providers.proxy.models import ProxySession
-from authentik.providers.rac.models import ConnectionToken
-from authentik.providers.saml.models import SAMLSession
-from authentik.providers.scim.models import SCIMProviderGroup, SCIMProviderUser
 from authentik.rbac.models import Role
-from authentik.sources.scim.models import SCIMSourceGroup, SCIMSourceUser
-from authentik.stages.authenticator_webauthn.models import WebAuthnDeviceType
-from authentik.stages.consent.models import UserConsent
-from authentik.tasks.models import Task, TaskLog
-from authentik.tenants.models import Tenant
 
 # Context set when the serializer is created in a blueprint context
 # Update website/docs/customize/blueprints/v1/models.md when used
@@ -125,49 +86,16 @@ def excluded_models() -> list[type[Model]]:
         # Classes that have other dependencies
         Session,
         AuthenticatedSession,
-        # Classes which are only internally managed
-        # FIXME: these shouldn't need to be explicitly listed, but rather based off of a mixin
-        FlowToken,
-        LicenseUsage,
-        SCIMProviderGroup,
-        SCIMProviderUser,
-        Tenant,
-        Task,
-        TaskLog,
-        ConnectionToken,
-        AuthorizationCode,
-        AccessToken,
-        RefreshToken,
-        ProxySession,
-        Reputation,
-        WebAuthnDeviceType,
-        SCIMSourceUser,
-        SCIMSourceGroup,
-        GoogleWorkspaceProviderUser,
-        GoogleWorkspaceProviderGroup,
-        MicrosoftEntraProviderUser,
-        MicrosoftEntraProviderGroup,
-        EndpointDevice,
-        EndpointDeviceConnection,
-        EndpointDeviceToken,
-        Device,
-        DeviceConnection,
-        DeviceAuthenticationToken,
-        AppleNonce,
-        AgentDeviceConnection,
-        DeviceFactSnapshot,
-        DeviceToken,
-        StreamEvent,
-        UserConsent,
-        SAMLSession,
-        Message,
-        GroupChannel,
     )
 
 
 def is_model_allowed(model: type[Model]) -> bool:
     """Check if model is allowed"""
-    return model not in excluded_models() and issubclass(model, SerializerModel | BaseMetaModel)
+    return (
+        model not in excluded_models()
+        and issubclass(model, SerializerModel | BaseMetaModel)
+        and not issubclass(model, InternallyManagedMixin)
+    )
 
 
 class DoRollback(SentryIgnoredException):

authentik/blueprints/v1/schema.py

@@ -1,9 +1,7 @@
 """Generate JSON Schema for blueprints"""
 
-from json import dumps
 from typing import Any
 
-from django.core.management.base import BaseCommand, no_translations
 from django.db.models import Model, fields
 from django.db.models.fields.related import OneToOneField
 from drf_jsonschema_serializer.convert import converter, field_to_converter
@@ -40,13 +38,12 @@ class PrimaryKeyRelatedFieldConverter:
         return {"type": "integer"}
 
 
-class Command(BaseCommand):
+class SchemaBuilder:
     """Generate JSON Schema for blueprints"""
 
     schema: dict
 
-    def __init__(self, *args, **kwargs):
-        super().__init__(*args, **kwargs)
+    def __init__(self):
         self.schema = {
             "$schema": "http://json-schema.org/draft-07/schema",
             "$id": "https://goauthentik.io/blueprints/schema.json",
@@ -93,16 +90,6 @@ class Command(BaseCommand):
             "$defs": {"blueprint_entry": {"oneOf": []}},
         }
 
-    def add_arguments(self, parser):
-        parser.add_argument("--file", type=str)
-
-    @no_translations
-    def handle(self, *args, file: str, **options):
-        """Generate JSON Schema for blueprints"""
-        self.build()
-        with open(file, "w") as _schema:
-            _schema.write(dumps(self.schema, indent=4, default=Command.json_default))
-
     @staticmethod
     def json_default(value: Any) -> Any:
         """Helper that handles gettext_lazy strings that JSON doesn't handle"""
@@ -124,7 +111,7 @@ class Command(BaseCommand):
                 try:
                     serializer_class = model_instance.serializer
                 except NotImplementedError as exc:
-                    raise NotImplementedError(model_instance) from exc
+                    raise ValueError(f"SerializerModel not implemented by {model}") from exc
             serializer = serializer_class(
                 context={
                     SERIALIZER_CONTEXT_BLUEPRINT: False,

authentik/brands/api.py

@@ -6,12 +6,7 @@ from django.db import models
 from drf_spectacular.utils import extend_schema, extend_schema_field
 from rest_framework.decorators import action
 from rest_framework.exceptions import ValidationError
-from rest_framework.fields import (
-    CharField,
-    ChoiceField,
-    ListField,
-    SerializerMethodField,
-)
+from rest_framework.fields import CharField, ChoiceField, ListField, SerializerMethodField
 from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.permissions import AllowAny
 from rest_framework.request import Request
@@ -21,7 +16,7 @@ from rest_framework.viewsets import ModelViewSet
 
 from authentik.brands.models import Brand
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import ModelSerializer, PassiveSerializer, ThemedUrlsSerializer
+from authentik.core.api.utils import ModelSerializer, PassiveSerializer
 from authentik.rbac.filters import SecretKeyFilter
 from authentik.tenants.api.settings import FlagJSONField
 from authentik.tenants.flags import Flag
@@ -95,9 +90,7 @@ class CurrentBrandSerializer(PassiveSerializer):
     matched_domain = CharField(source="domain")
     branding_title = CharField()
     branding_logo = CharField(source="branding_logo_url")
-    branding_logo_themed_urls = ThemedUrlsSerializer(read_only=True, allow_null=True)
     branding_favicon = CharField(source="branding_favicon_url")
-    branding_favicon_themed_urls = ThemedUrlsSerializer(read_only=True, allow_null=True)
     branding_custom_css = CharField()
     ui_footer_links = ListField(
         child=FooterLinkSerializer(),

authentik/brands/models.py

@@ -89,26 +89,14 @@ class Brand(SerializerModel):
         """Get branding_logo URL"""
         return get_file_manager(FileUsage.MEDIA).file_url(self.branding_logo)
 
-    def branding_logo_themed_urls(self) -> dict[str, str] | None:
-        """Get themed URLs for branding_logo if it contains %(theme)s"""
-        return get_file_manager(FileUsage.MEDIA).themed_urls(self.branding_logo)
-
     def branding_favicon_url(self) -> str:
         """Get branding_favicon URL"""
         return get_file_manager(FileUsage.MEDIA).file_url(self.branding_favicon)
 
-    def branding_favicon_themed_urls(self) -> dict[str, str] | None:
-        """Get themed URLs for branding_favicon if it contains %(theme)s"""
-        return get_file_manager(FileUsage.MEDIA).themed_urls(self.branding_favicon)
-
     def branding_default_flow_background_url(self) -> str:
         """Get branding_default_flow_background URL"""
         return get_file_manager(FileUsage.MEDIA).file_url(self.branding_default_flow_background)
 
-    def branding_default_flow_background_themed_urls(self) -> dict[str, str] | None:
-        """Get themed URLs for branding_default_flow_background if it contains %(theme)s"""
-        return get_file_manager(FileUsage.MEDIA).themed_urls(self.branding_default_flow_background)
-
     @property
     def serializer(self) -> type[Serializer]:
         from authentik.brands.api import BrandSerializer

authentik/brands/tests.py

@@ -6,6 +6,7 @@ from django.urls import reverse
 from rest_framework.test import APITestCase
 
 from authentik.blueprints.tests import apply_blueprint
+from authentik.brands.api import Themes
 from authentik.brands.models import Brand
 from authentik.core.models import Application
 from authentik.core.tests.utils import create_test_admin_user, create_test_brand
@@ -34,14 +35,12 @@ class TestBrands(APITestCase):
             self.client.get(reverse("authentik_api:brand-current")).content.decode(),
             {
                 "branding_logo": "/static/dist/assets/icons/icon_left_brand.svg",
-                "branding_logo_themed_urls": None,
                 "branding_favicon": "/static/dist/assets/icons/icon.png",
-                "branding_favicon_themed_urls": None,
                 "branding_title": "authentik",
                 "branding_custom_css": "",
                 "matched_domain": brand.domain,
                 "ui_footer_links": [],
-                "ui_theme": "automatic",
+                "ui_theme": Themes.AUTOMATIC,
                 "default_locale": "",
                 "flags": self.default_flags,
             },
@@ -56,14 +55,12 @@ class TestBrands(APITestCase):
             ).content.decode(),
             {
                 "branding_logo": "/static/dist/assets/icons/icon_left_brand.svg",
-                "branding_logo_themed_urls": None,
                 "branding_favicon": "/static/dist/assets/icons/icon.png",
-                "branding_favicon_themed_urls": None,
                 "branding_title": "custom",
                 "branding_custom_css": "",
                 "matched_domain": "bar.baz",
                 "ui_footer_links": [],
-                "ui_theme": "automatic",
+                "ui_theme": Themes.AUTOMATIC,
                 "default_locale": "",
                 "flags": self.default_flags,
             },
@@ -75,14 +72,12 @@ class TestBrands(APITestCase):
             self.client.get(reverse("authentik_api:brand-current")).content.decode(),
             {
                 "branding_logo": "/static/dist/assets/icons/icon_left_brand.svg",
-                "branding_logo_themed_urls": None,
                 "branding_favicon": "/static/dist/assets/icons/icon.png",
-                "branding_favicon_themed_urls": None,
                 "branding_title": "authentik",
                 "branding_custom_css": "",
                 "matched_domain": "fallback",
                 "ui_footer_links": [],
-                "ui_theme": "automatic",
+                "ui_theme": Themes.AUTOMATIC,
                 "default_locale": "",
                 "flags": self.default_flags,
             },
@@ -99,14 +94,12 @@ class TestBrands(APITestCase):
             response,
             {
                 "branding_logo": "/static/dist/assets/icons/icon_left_brand.svg",
-                "branding_logo_themed_urls": None,
                 "branding_favicon": "/static/dist/assets/icons/icon.png",
-                "branding_favicon_themed_urls": None,
                 "branding_title": "authentik",
                 "branding_custom_css": "",
                 "matched_domain": "authentik-default",
                 "ui_footer_links": [],
-                "ui_theme": "automatic",
+                "ui_theme": Themes.AUTOMATIC,
                 "default_locale": "",
                 "flags": self.default_flags,
             },
@@ -124,14 +117,12 @@ class TestBrands(APITestCase):
             response,
             {
                 "branding_logo": "/static/dist/assets/icons/icon_left_brand.svg",
-                "branding_logo_themed_urls": None,
                 "branding_favicon": "/static/dist/assets/icons/icon.png",
-                "branding_favicon_themed_urls": None,
                 "branding_title": "authentik",
                 "branding_custom_css": "",
                 "matched_domain": "authentik-default",
                 "ui_footer_links": [],
-                "ui_theme": "automatic",
+                "ui_theme": Themes.AUTOMATIC,
                 "default_locale": "",
                 "flags": self.default_flags,
             },
@@ -142,14 +133,12 @@ class TestBrands(APITestCase):
             ).content.decode(),
             {
                 "branding_logo": "/static/dist/assets/icons/icon_left_brand.svg",
-                "branding_logo_themed_urls": None,
                 "branding_favicon": "/static/dist/assets/icons/icon.png",
-                "branding_favicon_themed_urls": None,
                 "branding_title": "custom",
                 "branding_custom_css": "",
                 "matched_domain": "bar.baz",
                 "ui_footer_links": [],
-                "ui_theme": "automatic",
+                "ui_theme": Themes.AUTOMATIC,
                 "default_locale": "",
                 "flags": self.default_flags,
             },
@@ -165,14 +154,12 @@ class TestBrands(APITestCase):
             ).content.decode(),
             {
                 "branding_logo": "/static/dist/assets/icons/icon_left_brand.svg",
-                "branding_logo_themed_urls": None,
                 "branding_favicon": "/static/dist/assets/icons/icon.png",
-                "branding_favicon_themed_urls": None,
                 "branding_title": "custom-strong",
                 "branding_custom_css": "",
                 "matched_domain": "foo.bar.baz",
                 "ui_footer_links": [],
-                "ui_theme": "automatic",
+                "ui_theme": Themes.AUTOMATIC,
                 "default_locale": "",
                 "flags": self.default_flags,
             },
@@ -188,14 +175,12 @@ class TestBrands(APITestCase):
             ).content.decode(),
             {
                 "branding_logo": "/static/dist/assets/icons/icon_left_brand.svg",
-                "branding_logo_themed_urls": None,
                 "branding_favicon": "/static/dist/assets/icons/icon.png",
-                "branding_favicon_themed_urls": None,
                 "branding_title": "custom-weak",
                 "branding_custom_css": "",
                 "matched_domain": "bar.baz",
                 "ui_footer_links": [],
-                "ui_theme": "automatic",
+                "ui_theme": Themes.AUTOMATIC,
                 "default_locale": "",
                 "flags": self.default_flags,
             },
@@ -271,14 +256,12 @@ class TestBrands(APITestCase):
             self.client.get(reverse("authentik_api:brand-current")).content.decode(),
             {
                 "branding_logo": "https://goauthentik.io/img/icon.png",
-                "branding_logo_themed_urls": None,
                 "branding_favicon": "https://goauthentik.io/img/icon.png",
-                "branding_favicon_themed_urls": None,
                 "branding_title": "authentik",
                 "branding_custom_css": "",
                 "matched_domain": brand.domain,
                 "ui_footer_links": [],
-                "ui_theme": "automatic",
+                "ui_theme": Themes.AUTOMATIC,
                 "default_locale": "",
                 "flags": self.default_flags,
             },

authentik/core/api/applications.py

@@ -24,7 +24,7 @@ from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT
 from authentik.core.api.providers import ProviderSerializer
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.users import UserSerializer
-from authentik.core.api.utils import ModelSerializer, ThemedUrlsSerializer
+from authentik.core.api.utils import ModelSerializer
 from authentik.core.models import Application, User
 from authentik.events.logs import LogEventSerializer, capture_logs
 from authentik.policies.api.exec import PolicyTestResultSerializer
@@ -53,9 +53,6 @@ class ApplicationSerializer(ModelSerializer):
     )
 
     meta_icon_url = ReadOnlyField(source="get_meta_icon")
-    meta_icon_themed_urls = ThemedUrlsSerializer(
-        source="get_meta_icon_themed_urls", read_only=True, allow_null=True
-    )
 
     def get_launch_url(self, app: Application) -> str | None:
         """Allow formatting of launch URL"""
@@ -105,7 +102,6 @@ class ApplicationSerializer(ModelSerializer):
             "meta_launch_url",
             "meta_icon",
             "meta_icon_url",
-            "meta_icon_themed_urls",
             "meta_description",
             "meta_publisher",
             "policy_engine_mode",

authentik/core/api/groups.py

@@ -85,7 +85,6 @@ class GroupSerializer(ModelSerializer):
         source="roles",
         required=False,
     )
-    inherited_roles_obj = SerializerMethodField(allow_null=True)
     num_pk = IntegerField(read_only=True)
 
     @property
@@ -109,13 +108,6 @@ class GroupSerializer(ModelSerializer):
             return True
         return str(request.query_params.get("include_parents", "false")).lower() == "true"
 
-    @property
-    def _should_include_inherited_roles(self) -> bool:
-        request: Request = self.context.get("request", None)
-        if not request:
-            return True
-        return str(request.query_params.get("include_inherited_roles", "false")).lower() == "true"
-
     @extend_schema_field(PartialUserSerializer(many=True))
     def get_users_obj(self, instance: Group) -> list[PartialUserSerializer] | None:
         if not self._should_include_users:
@@ -134,15 +126,6 @@ class GroupSerializer(ModelSerializer):
             return None
         return RelatedGroupSerializer(instance.parents, many=True).data
 
-    @extend_schema_field(RoleSerializer(many=True))
-    def get_inherited_roles_obj(self, instance: Group) -> list | None:
-        """Return only inherited roles from ancestor groups (excludes direct roles)"""
-        if not self._should_include_inherited_roles:
-            return None
-        direct_role_pks = instance.roles.values_list("pk", flat=True)
-        inherited_roles = instance.all_roles().exclude(pk__in=direct_role_pks)
-        return RoleSerializer(inherited_roles, many=True).data
-
     def validate_is_superuser(self, superuser: bool):
         """Ensure that the user creating this group has permissions to set the superuser flag"""
         request: Request = self.context.get("request", None)
@@ -184,7 +167,6 @@ class GroupSerializer(ModelSerializer):
             "attributes",
             "roles",
             "roles_obj",
-            "inherited_roles_obj",
             "children",
             "children_obj",
         ]
@@ -307,7 +289,6 @@ class GroupViewSet(UsedByMixin, ModelViewSet):
             OpenApiParameter("include_users", bool, default=True),
             OpenApiParameter("include_children", bool, default=False),
             OpenApiParameter("include_parents", bool, default=False),
-            OpenApiParameter("include_inherited_roles", bool, default=False),
         ]
     )
     def list(self, request, *args, **kwargs):
@@ -318,7 +299,6 @@ class GroupViewSet(UsedByMixin, ModelViewSet):
             OpenApiParameter("include_users", bool, default=True),
             OpenApiParameter("include_children", bool, default=False),
             OpenApiParameter("include_parents", bool, default=False),
-            OpenApiParameter("include_inherited_roles", bool, default=False),
         ]
     )
     def retrieve(self, request, *args, **kwargs):

authentik/core/api/providers.py

@@ -18,14 +18,10 @@ from authentik.core.models import Provider
 class ProviderSerializer(ModelSerializer, MetaNameSerializer):
     """Provider Serializer"""
 
-    assigned_application_slug = ReadOnlyField(source="application.slug", allow_null=True)
-    assigned_application_name = ReadOnlyField(source="application.name", allow_null=True)
-    assigned_backchannel_application_slug = ReadOnlyField(
-        source="backchannel_application.slug", allow_null=True
-    )
-    assigned_backchannel_application_name = ReadOnlyField(
-        source="backchannel_application.name", allow_null=True
-    )
+    assigned_application_slug = ReadOnlyField(source="application.slug")
+    assigned_application_name = ReadOnlyField(source="application.name")
+    assigned_backchannel_application_slug = ReadOnlyField(source="backchannel_application.slug")
+    assigned_backchannel_application_name = ReadOnlyField(source="backchannel_application.name")
 
     component = SerializerMethodField()
 

authentik/core/api/sources.py

@@ -14,7 +14,7 @@ from structlog.stdlib import get_logger
 
 from authentik.core.api.object_types import TypesMixin
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import MetaNameSerializer, ModelSerializer, ThemedUrlsSerializer
+from authentik.core.api.utils import MetaNameSerializer, ModelSerializer
 from authentik.core.models import GroupSourceConnection, Source, UserSourceConnection
 from authentik.core.types import UserSettingSerializer
 from authentik.policies.engine import PolicyEngine
@@ -28,7 +28,6 @@ class SourceSerializer(ModelSerializer, MetaNameSerializer):
     managed = ReadOnlyField()
     component = SerializerMethodField()
     icon_url = ReadOnlyField()
-    icon_themed_urls = ThemedUrlsSerializer(read_only=True, allow_null=True)
 
     def get_component(self, obj: Source) -> str:
         """Get object component so that we know how to edit the object"""
@@ -58,7 +57,6 @@ class SourceSerializer(ModelSerializer, MetaNameSerializer):
             "user_path_template",
             "icon",
             "icon_url",
-            "icon_themed_urls",
         ]
 
 

authentik/core/api/tokens.py

@@ -4,7 +4,6 @@ from typing import Any
 
 from django.utils.timezone import now
 from drf_spectacular.utils import OpenApiResponse, extend_schema
-from guardian.shortcuts import get_anonymous_user
 from rest_framework.decorators import action
 from rest_framework.exceptions import ValidationError
 from rest_framework.fields import CharField
@@ -76,8 +75,7 @@ class TokenSerializer(ManagedSerializer, ModelSerializer):
                 except ValueError:
                     pass
 
-            expires = attrs.get("expires")
-            if expires is not None and expires > max_token_lifetime_dt:
+            if "expires" in attrs and attrs.get("expires") > max_token_lifetime_dt:
                 raise ValidationError(
                     {
                         "expires": (
@@ -146,12 +144,6 @@ class TokenViewSet(UsedByMixin, ModelViewSet):
     owner_field = "user"
     rbac_allow_create_without_perm = True
 
-    def get_queryset(self):
-        user = self.request.user if self.request else get_anonymous_user()
-        if user.is_superuser:
-            return super().get_queryset()
-        return super().get_queryset().filter(user=user.pk)
-
     def perform_create(self, serializer: TokenSerializer):
         if not self.request.user.is_superuser:
             instance = serializer.save(

authentik/core/api/utils.py

@@ -127,10 +127,3 @@ class LinkSerializer(PassiveSerializer):
     """Returns a single link"""
 
     link = CharField()
-
-
-class ThemedUrlsSerializer(PassiveSerializer):
-    """Themed URLs - maps theme names to URLs for light and dark themes"""
-
-    light = CharField(required=False, allow_null=True)
-    dark = CharField(required=False, allow_null=True)

authentik/core/middleware.py

@@ -8,7 +8,7 @@ from uuid import uuid4
 from django.contrib.auth import logout
 from django.contrib.auth.models import AnonymousUser
 from django.core.exceptions import ImproperlyConfigured
-from django.http import HttpRequest, HttpResponse, HttpResponseBadRequest
+from django.http import HttpRequest, HttpResponse
 from django.utils.deprecation import MiddlewareMixin
 from django.utils.functional import SimpleLazyObject
 from django.utils.translation import override
@@ -47,7 +47,7 @@ async def aget_user(request):
 
 
 class AuthenticationMiddleware(MiddlewareMixin):
-    def process_request(self, request: HttpRequest) -> HttpResponseBadRequest | None:
+    def process_request(self, request):
         if not hasattr(request, "session"):
             raise ImproperlyConfigured(
                 "The Django authentication middleware requires session "
@@ -62,8 +62,7 @@ class AuthenticationMiddleware(MiddlewareMixin):
         user = request.user
         if user and user.is_authenticated and not user.is_active:
             logout(request)
-            return HttpResponseBadRequest()
-        return None
+            raise AssertionError()
 
 
 class ImpersonateMiddleware:

authentik/core/models.py

@@ -713,15 +713,9 @@ class Application(SerializerModel, PolicyBindingModel):
 
         return get_file_manager(FileUsage.MEDIA).file_url(self.meta_icon)
 
-    @property
-    def get_meta_icon_themed_urls(self) -> dict[str, str] | None:
-        """Get themed URLs for meta_icon if it contains %(theme)s"""
-        if not self.meta_icon:
-            return None
-
-        return get_file_manager(FileUsage.MEDIA).themed_urls(self.meta_icon)
-
-    def get_launch_url(self, user: User | None = None, user_data: dict | None = None) -> str | None:
+    def get_launch_url(
+        self, user: Optional["User"] = None, user_data: dict | None = None
+    ) -> str | None:
         """Get launch URL if set, otherwise attempt to get launch URL based on provider.
 
         Args:
@@ -935,14 +929,6 @@ class Source(ManagedModel, SerializerModel, PolicyBindingModel):
 
         return get_file_manager(FileUsage.MEDIA).file_url(self.icon)
 
-    @property
-    def icon_themed_urls(self) -> dict[str, str] | None:
-        """Get themed URLs for icon if it contains %(theme)s"""
-        if not self.icon:
-            return None
-
-        return get_file_manager(FileUsage.MEDIA).themed_urls(self.icon)
-
     def get_user_path(self) -> str:
         """Get user path, fallback to default for formatting errors"""
         try:

authentik/core/signals.py

@@ -24,8 +24,7 @@ from authentik.root.ws.consumer import build_device_group
 
 # Arguments: user: User, password: str
 password_changed = Signal()
-# Arguments: credentials: dict[str, any], request: HttpRequest,
-#            stage: Stage, context: dict[str, any]
+# Arguments: credentials: dict[str, any], request: HttpRequest, stage: Stage
 login_failed = Signal()
 
 LOGGER = get_logger()

authentik/core/templates/base/theme.html

@@ -10,23 +10,15 @@
   {% elif ui_theme == "light" %}
   <meta name="color-scheme" content="light" />
   <meta name="theme-color" content="#ffffff">
-  {% else %}
+{% else %}
   <script data-id="theme-script">
     "use strict";
 
     (function () {
         try {
-            /* Ignore older theme names */
-            let locallyStoredTheme = window.localStorage?.getItem("theme") || null;
-            if (typeof locallyStoredTheme === "string") {
-                locallyStoredTheme = locallyStoredTheme.trim();
-            }
-            if (!(["auto", "light", "dark"].includes(locallyStoredTheme))) {
-                locallyStoredTheme = null;
-            }
-            
             const initialThemeChoice =
-                new URLSearchParams(window.location.search).get("theme") || locallyStoredTheme;
+                new URLSearchParams(window.location.search).get("theme") ||
+                window.localStorage?.getItem("theme");
 
             const themeChoice =
                 initialThemeChoice || document.documentElement.dataset.themeChoice || "auto";

authentik/core/tests/test_applications_api.py

@@ -107,8 +107,6 @@ class TestApplicationsAPI(APITestCase):
                         "provider_obj": {
                             "assigned_application_name": "allowed",
                             "assigned_application_slug": "allowed",
-                            "assigned_backchannel_application_name": None,
-                            "assigned_backchannel_application_slug": None,
                             "authentication_flow": None,
                             "invalidation_flow": None,
                             "authorization_flow": str(self.provider.authorization_flow.pk),
@@ -127,7 +125,6 @@ class TestApplicationsAPI(APITestCase):
                         "open_in_new_tab": True,
                         "meta_icon": "",
                         "meta_icon_url": None,
-                        "meta_icon_themed_urls": None,
                         "meta_description": "",
                         "meta_publisher": "",
                         "policy_engine_mode": "any",
@@ -165,8 +162,6 @@ class TestApplicationsAPI(APITestCase):
                         "provider_obj": {
                             "assigned_application_name": "allowed",
                             "assigned_application_slug": "allowed",
-                            "assigned_backchannel_application_name": None,
-                            "assigned_backchannel_application_slug": None,
                             "authentication_flow": None,
                             "invalidation_flow": None,
                             "authorization_flow": str(self.provider.authorization_flow.pk),
@@ -185,7 +180,6 @@ class TestApplicationsAPI(APITestCase):
                         "open_in_new_tab": True,
                         "meta_icon": "",
                         "meta_icon_url": None,
-                        "meta_icon_themed_urls": None,
                         "meta_description": "",
                         "meta_publisher": "",
                         "policy_engine_mode": "any",
@@ -195,7 +189,6 @@ class TestApplicationsAPI(APITestCase):
                         "meta_description": "",
                         "meta_icon": "",
                         "meta_icon_url": None,
-                        "meta_icon_themed_urls": None,
                         "meta_launch_url": "",
                         "open_in_new_tab": False,
                         "meta_publisher": "",

authentik/core/tests/test_source_property_mappings.py

@@ -5,9 +5,10 @@ from django.test import TestCase
 from authentik.core.models import Group, PropertyMapping, Source, User
 from authentik.core.sources.mapper import SourceMapper
 from authentik.lib.generators import generate_id
+from authentik.lib.models import InternallyManagedMixin
 
 
-class ProxySource(Source):
+class ProxySource(InternallyManagedMixin, Source):
     @property
     def property_mapping_type(self):
         return PropertyMapping

authentik/core/tests/test_token_api.py

@@ -183,16 +183,16 @@ class TestTokenAPI(APITestCase):
         self.assertEqual(len(body["results"]), 1)
         self.assertEqual(body["results"][0]["identifier"], token_should.identifier)
 
-    def test_list_admin(self):
-        """Test Token List (Test with admin auth)"""
+    def test_list_with_permission(self):
+        """Test Token List (Test with `view_token` permission)"""
         Token.objects.all().delete()
-        self.client.force_login(self.admin)
         token_should: Token = Token.objects.create(
             identifier="test", expiring=False, user=self.user
         )
         token_should_not: Token = Token.objects.create(
             identifier="test-2", expiring=False, user=get_anonymous_user()
         )
+        self.user.assign_perms_to_managed_role("authentik_core.view_token")
         response = self.client.get(reverse("authentik_api:token-list"))
         body = loads(response.content)
         self.assertEqual(len(body["results"]), 2)

authentik/crypto/api.py

@@ -1,7 +1,5 @@
 """Crypto API Views"""
 
-from datetime import datetime
-
 from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives.serialization import load_pem_private_key
 from cryptography.x509 import load_pem_x509_certificate
@@ -15,14 +13,12 @@ from drf_spectacular.utils import (
     OpenApiParameter,
     OpenApiResponse,
     extend_schema,
-    extend_schema_field,
 )
 from rest_framework.decorators import action
 from rest_framework.exceptions import ValidationError
 from rest_framework.fields import (
     CharField,
     ChoiceField,
-    DateTimeField,
     IntegerField,
     SerializerMethodField,
 )
@@ -51,59 +47,15 @@ LOGGER = get_logger()
 class CertificateKeyPairSerializer(ModelSerializer):
     """CertificateKeyPair Serializer"""
 
-    fingerprint_sha256 = SerializerMethodField()
-    fingerprint_sha1 = SerializerMethodField()
-
-    cert_expiry = SerializerMethodField()
-    cert_subject = SerializerMethodField()
     private_key_available = SerializerMethodField()
-    key_type = SerializerMethodField()
 
     certificate_download_url = SerializerMethodField()
     private_key_download_url = SerializerMethodField()
 
-    @property
-    def _should_include_details(self) -> bool:
-        request: Request = self.context.get("request", None)
-        if not request:
-            return True
-        return str(request.query_params.get("include_details", "true")).lower() == "true"
-
-    def get_fingerprint_sha256(self, instance: CertificateKeyPair) -> str | None:
-        "Get certificate Hash (SHA256)"
-        if not self._should_include_details:
-            return None
-        return instance.fingerprint_sha256
-
-    def get_fingerprint_sha1(self, instance: CertificateKeyPair) -> str | None:
-        "Get certificate Hash (SHA1)"
-        if not self._should_include_details:
-            return None
-        return instance.fingerprint_sha1
-
-    def get_cert_expiry(self, instance: CertificateKeyPair) -> datetime | None:
-        "Get certificate expiry"
-        if not self._should_include_details:
-            return None
-        return DateTimeField().to_representation(instance.certificate.not_valid_after_utc)
-
-    def get_cert_subject(self, instance: CertificateKeyPair) -> str | None:
-        """Get certificate subject as full rfc4514"""
-        if not self._should_include_details:
-            return None
-        return instance.certificate.subject.rfc4514_string()
-
     def get_private_key_available(self, instance: CertificateKeyPair) -> bool:
         """Show if this keypair has a private key configured or not"""
         return instance.key_data != "" and instance.key_data is not None
 
-    @extend_schema_field(ChoiceField(choices=KeyType.choices, allow_null=True))
-    def get_key_type(self, instance: CertificateKeyPair) -> str | None:
-        """Get the key algorithm type from the certificate's public key"""
-        if not self._should_include_details:
-            return None
-        return instance.key_type
-
     def get_certificate_download_url(self, instance: CertificateKeyPair) -> str:
         """Get URL to download certificate"""
         return (
@@ -175,6 +127,11 @@ class CertificateKeyPairSerializer(ModelSerializer):
             "managed": {"read_only": True},
             "key_data": {"write_only": True},
             "certificate_data": {"write_only": True},
+            "fingerprint_sha256": {"read_only": True},
+            "fingerprint_sha1": {"read_only": True},
+            "cert_expiry": {"read_only": True},
+            "cert_subject": {"read_only": True},
+            "key_type": {"read_only": True},
         }
 
 
@@ -216,17 +173,12 @@ class CertificateKeyPairFilter(FilterSet):
         return queryset.exclude(key_data__exact="")
 
     def filter_key_type(self, queryset, name, value):  # pragma: no cover
-        """Filter certificates by key type using the public key from the certificate"""
+        """Filter certificates by key type using the stored database field"""
         if not value:
             return queryset
 
         # value is a list of KeyType enum values from MultipleChoiceFilter
-        filtered_pks = []
-        for cert in queryset:
-            if cert.key_type in value:
-                filtered_pks.append(cert.pk)
-
-        return queryset.filter(pk__in=filtered_pks)
+        return queryset.filter(key_type__in=value)
 
     class Meta:
         model = CertificateKeyPair
@@ -263,7 +215,6 @@ class CertificateKeyPairViewSet(UsedByMixin, ModelViewSet):
                     "Can be specified multiple times (e.g. '?key_type=rsa&key_type=ec')"
                 ),
             ),
-            OpenApiParameter("include_details", bool, default=True),
         ]
     )
     def list(self, request, *args, **kwargs):

authentik/crypto/migrations/0006_certificatekeypair_cert_expiry_and_more.py

@@ -0,0 +1,120 @@
+# Generated by Django 5.2.9 on 2025-12-09 06:22
+
+from hashlib import md5
+
+from cryptography.hazmat.backends import default_backend
+from cryptography.x509 import load_pem_x509_certificate
+from django.db import migrations, models
+
+from authentik.crypto.signals import extract_certificate_metadata
+from authentik.lib.migrations import progress_bar
+
+
+def backfill_certificate_metadata(apps, schema_editor):  # noqa: ARG001
+    """Backfill certificate metadata and kid for existing records."""
+
+    db_alias = schema_editor.connection.alias
+    CertificateKeyPair = apps.get_model("authentik_crypto", "CertificateKeyPair")
+
+    print("\nStoring extra data about certificates, this might take a couple of minutes...")
+    for cert in progress_bar(CertificateKeyPair.objects.using(db_alias).all()):
+        updated_fields = []
+
+        if cert.certificate_data:
+            try:
+                certificate = load_pem_x509_certificate(
+                    cert.certificate_data.encode("utf-8"), default_backend()
+                )
+                metadata = extract_certificate_metadata(certificate)
+
+                cert.key_type = metadata["key_type"]
+                cert.cert_expiry = metadata["cert_expiry"]
+                cert.cert_subject = metadata["cert_subject"]
+                cert.fingerprint_sha256 = metadata["fingerprint_sha256"]
+                cert.fingerprint_sha1 = metadata["fingerprint_sha1"]
+                updated_fields.extend(
+                    [
+                        "key_type",
+                        "cert_expiry",
+                        "cert_subject",
+                        "fingerprint_sha256",
+                        "fingerprint_sha1",
+                    ]
+                )
+            except (ValueError, TypeError, AttributeError):
+                pass
+
+        # Backfill kid with MD5 for backwards compatibility
+        if cert.key_data:
+            cert.kid = md5(cert.key_data.encode("utf-8"), usedforsecurity=False).hexdigest()
+            updated_fields.append("kid")
+
+        if updated_fields:
+            cert.save(update_fields=updated_fields, using=db_alias)
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_crypto", "0005_alter_certificatekeypair_options"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="certificatekeypair",
+            name="cert_expiry",
+            field=models.DateTimeField(blank=True, help_text="Certificate expiry date", null=True),
+        ),
+        migrations.AddField(
+            model_name="certificatekeypair",
+            name="cert_subject",
+            field=models.TextField(
+                blank=True, help_text="Certificate subject as RFC4514 string", null=True
+            ),
+        ),
+        migrations.AddField(
+            model_name="certificatekeypair",
+            name="fingerprint_sha1",
+            field=models.CharField(
+                blank=True,
+                help_text="SHA1 fingerprint of the certificate",
+                max_length=59,
+                null=True,
+            ),
+        ),
+        migrations.AddField(
+            model_name="certificatekeypair",
+            name="fingerprint_sha256",
+            field=models.CharField(
+                blank=True,
+                help_text="SHA256 fingerprint of the certificate",
+                max_length=95,
+                null=True,
+            ),
+        ),
+        migrations.AddField(
+            model_name="certificatekeypair",
+            name="key_type",
+            field=models.CharField(
+                blank=True,
+                choices=[
+                    ("rsa", "RSA"),
+                    ("ec", "Elliptic Curve"),
+                    ("dsa", "DSA"),
+                    ("ed25519", "Ed25519"),
+                    ("ed448", "Ed448"),
+                ],
+                help_text="Key algorithm type detected from the certificate's public key",
+                max_length=16,
+                null=True,
+            ),
+        ),
+        migrations.AddField(
+            model_name="certificatekeypair",
+            name="kid",
+            field=models.CharField(
+                blank=True, help_text="Key ID generated from private key", max_length=128, null=True
+            ),
+        ),
+        migrations.RunPython(backfill_certificate_metadata, migrations.RunPython.noop),
+    ]

authentik/crypto/models.py

@@ -1,7 +1,8 @@
 """authentik crypto models"""
 
+from base64 import urlsafe_b64encode
 from binascii import hexlify
-from hashlib import md5
+from hashlib import md5, sha512
 from ssl import PEM_FOOTER, PEM_HEADER
 from textwrap import wrap
 from uuid import uuid4
@@ -47,6 +48,39 @@ def fingerprint_sha256(cert: Certificate) -> str:
     return hexlify(cert.fingerprint(hashes.SHA256()), ":").decode("utf-8")
 
 
+def detect_key_type(certificate: Certificate) -> str | None:
+    """Detect the key algorithm type by parsing the certificate's public key"""
+    try:
+        public_key = certificate.public_key()
+        if isinstance(public_key, RSAPublicKey):
+            return KeyType.RSA
+        if isinstance(public_key, EllipticCurvePublicKey):
+            return KeyType.EC
+        if isinstance(public_key, DSAPublicKey):
+            return KeyType.DSA
+        if isinstance(public_key, Ed25519PublicKey):
+            return KeyType.ED25519
+        if isinstance(public_key, Ed448PublicKey):
+            return KeyType.ED448
+    except (ValueError, TypeError, AttributeError) as exc:
+        LOGGER.warning("Failed to detect key type", exc=exc)
+    return None
+
+
+def generate_key_id(key_data: str) -> str:
+    """Generate Key ID using SHA512 + urlsafe_b64encode."""
+    if not key_data:
+        return ""
+    return urlsafe_b64encode(sha512(key_data.encode("utf-8")).digest()).decode("utf-8").rstrip("=")
+
+
+def generate_key_id_legacy(key_data: str) -> str:
+    """Generate Key ID using MD5 (legacy format for backwards compatibility)."""
+    if not key_data:
+        return ""
+    return md5(key_data.encode("utf-8")).hexdigest()  # nosec
+
+
 class CertificateKeyPair(SerializerModel, ManagedModel, CreatedUpdatedModel):
     """CertificateKeyPair that can be used for signing or encrypting if `key_data`
     is set, otherwise it can be used to verify remote data."""
@@ -62,6 +96,41 @@ class CertificateKeyPair(SerializerModel, ManagedModel, CreatedUpdatedModel):
         blank=True,
         default="",
     )
+    key_type = models.CharField(
+        max_length=16,
+        choices=KeyType.choices,
+        null=True,
+        blank=True,
+        help_text=_("Key algorithm type detected from the certificate's public key"),
+    )
+    cert_expiry = models.DateTimeField(
+        null=True,
+        blank=True,
+        help_text=_("Certificate expiry date"),
+    )
+    cert_subject = models.TextField(
+        null=True,
+        blank=True,
+        help_text=_("Certificate subject as RFC4514 string"),
+    )
+    fingerprint_sha256 = models.CharField(
+        max_length=95,
+        null=True,
+        blank=True,
+        help_text=_("SHA256 fingerprint of the certificate"),
+    )
+    fingerprint_sha1 = models.CharField(
+        max_length=59,
+        null=True,
+        blank=True,
+        help_text=_("SHA1 fingerprint of the certificate"),
+    )
+    kid = models.CharField(
+        max_length=128,
+        null=True,
+        blank=True,
+        help_text=_("Key ID generated from private key"),
+    )
 
     _cert: Certificate | None = None
     _private_key: PrivateKeyTypes | None = None
@@ -106,41 +175,6 @@ class CertificateKeyPair(SerializerModel, ManagedModel, CreatedUpdatedModel):
                 return None
         return self._private_key
 
-    @property
-    def fingerprint_sha256(self) -> str:
-        """Get SHA256 Fingerprint of certificate_data"""
-        return fingerprint_sha256(self.certificate)
-
-    @property
-    def fingerprint_sha1(self) -> str:
-        """Get SHA1 Fingerprint of certificate_data"""
-        return hexlify(self.certificate.fingerprint(hashes.SHA1()), ":").decode("utf-8")  # nosec
-
-    @property
-    def kid(self):
-        """Get Key ID used for JWKS"""
-        return (
-            md5(self.key_data.encode("utf-8"), usedforsecurity=False).hexdigest()
-            if self.key_data
-            else ""
-        )  # nosec
-
-    @property
-    def key_type(self) -> str | None:
-        """Get the key algorithm type from the certificate's public key"""
-        public_key = self.certificate.public_key()
-        if isinstance(public_key, RSAPublicKey):
-            return KeyType.RSA
-        if isinstance(public_key, EllipticCurvePublicKey):
-            return KeyType.EC
-        if isinstance(public_key, DSAPublicKey):
-            return KeyType.DSA
-        if isinstance(public_key, Ed25519PublicKey):
-            return KeyType.ED25519
-        if isinstance(public_key, Ed448PublicKey):
-            return KeyType.ED448
-        return None
-
     def __str__(self) -> str:
         return f"Certificate-Key Pair {self.name}"
 

authentik/crypto/signals.py

@@ -0,0 +1,70 @@
+"""authentik crypto signals"""
+
+from binascii import hexlify
+from datetime import datetime
+from ssl import CertificateError
+
+from cryptography.hazmat.primitives import hashes
+from cryptography.x509 import Certificate
+from django.db.models.signals import pre_save
+from django.dispatch import receiver
+from structlog.stdlib import get_logger
+
+from authentik.crypto.models import (
+    CertificateKeyPair,
+    detect_key_type,
+    fingerprint_sha256,
+    generate_key_id,
+    generate_key_id_legacy,
+)
+
+LOGGER = get_logger()
+
+
+def extract_certificate_metadata(certificate: Certificate) -> dict[str, str | datetime]:
+    """Extract all metadata fields from a certificate."""
+    metadata = {}
+
+    try:
+        metadata["key_type"] = detect_key_type(certificate)
+        metadata["cert_expiry"] = certificate.not_valid_after_utc
+        metadata["cert_subject"] = certificate.subject.rfc4514_string()
+        metadata["fingerprint_sha256"] = fingerprint_sha256(certificate)
+        metadata["fingerprint_sha1"] = hexlify(
+            certificate.fingerprint(hashes.SHA1()), ":"  # nosec
+        ).decode("utf-8")
+    except (ValueError, TypeError, AttributeError) as exc:
+        raise CertificateError(f"Invalid certificate metadata: {exc}") from exc
+
+    return metadata
+
+
+@receiver(pre_save, sender="authentik_crypto.CertificateKeyPair")
+def certificate_key_pair_pre_save(
+    sender: type[CertificateKeyPair], instance: CertificateKeyPair, **_
+):
+    """Automatically populate certificate metadata fields before saving"""
+
+    # Only extract metadata if certificate_data is present
+    if not instance.certificate_data:
+        return
+
+    try:
+        metadata = extract_certificate_metadata(instance.certificate)
+    except (CertificateError, ValueError, TypeError, AttributeError) as exc:
+        LOGGER.warning("Failed to extract certificate metadata", exc=exc)
+        return
+
+    instance.key_type = metadata["key_type"]
+    instance.cert_expiry = metadata["cert_expiry"]
+    instance.cert_subject = metadata["cert_subject"]
+    instance.fingerprint_sha256 = metadata["fingerprint_sha256"]
+    instance.fingerprint_sha1 = metadata["fingerprint_sha1"]
+
+    # Generate kid if not set, or regenerate if key_data has changed
+    # Preserve existing kid (MD5 or SHA512) if it matches the current key_data
+    if instance.key_data:
+        new_kid = generate_key_id(instance.key_data)
+        legacy_kid = generate_key_id_legacy(instance.key_data)
+        if instance.kid not in (new_kid, legacy_kid):
+            instance.kid = new_kid

authentik/crypto/tests.py

@@ -20,7 +20,7 @@ from authentik.core.tests.utils import (
 )
 from authentik.crypto.api import CertificateKeyPairSerializer
 from authentik.crypto.builder import CertificateBuilder
-from authentik.crypto.models import CertificateKeyPair
+from authentik.crypto.models import CertificateKeyPair, generate_key_id, generate_key_id_legacy
 from authentik.crypto.tasks import MANAGED_DISCOVERED, certificate_discovery
 from authentik.lib.config import CONFIG
 from authentik.lib.generators import generate_id, generate_key
@@ -173,21 +173,24 @@ class TestCrypto(APITestCase):
         self.assertEqual(api_cert["fingerprint_sha1"], cert.fingerprint_sha1)
         self.assertEqual(api_cert["fingerprint_sha256"], cert.fingerprint_sha256)
 
-    def test_list_without_details(self):
-        """Test API List (no details)"""
+    def test_list_always_includes_details(self):
+        """Test API List always includes certificate details"""
         cert = create_test_cert()
         self.client.force_login(create_test_admin_user())
         response = self.client.get(
             reverse(
                 "authentik_api:certificatekeypair-list",
             ),
-            data={"name": cert.name, "include_details": False},
+            data={"name": cert.name},
         )
         self.assertEqual(response.status_code, 200)
         body = loads(response.content.decode())
         api_cert = [x for x in body["results"] if x["name"] == cert.name][0]
-        self.assertEqual(api_cert["fingerprint_sha1"], None)
-        self.assertEqual(api_cert["fingerprint_sha256"], None)
+        # All details should now always be included
+        self.assertEqual(api_cert["fingerprint_sha1"], cert.fingerprint_sha1)
+        self.assertEqual(api_cert["fingerprint_sha256"], cert.fingerprint_sha256)
+        self.assertIsNotNone(api_cert["cert_expiry"])
+        self.assertIsNotNone(api_cert["cert_subject"])
 
     def test_certificate_download(self):
         """Test certificate export (download)"""
@@ -426,3 +429,114 @@ class TestCrypto(APITestCase):
             self.assertEqual(
                 1, final_count, "Should not create duplicate cert for same private key"
             )
+
+    def test_metadata_extraction_with_cert_and_key(self):
+        """Test that metadata is extracted when creating keypair with certificate and key"""
+        cert = create_test_cert()
+
+        # Verify all metadata fields are populated
+        self.assertIsNotNone(cert.key_type)
+        self.assertIsNotNone(cert.cert_expiry)
+        self.assertIsNotNone(cert.cert_subject)
+        self.assertIsNotNone(cert.fingerprint_sha256)
+        self.assertIsNotNone(cert.fingerprint_sha1)
+
+        # Verify kid is generated using SHA512 for new records
+        self.assertIsNotNone(cert.kid)
+        self.assertEqual(cert.kid, generate_key_id(cert.key_data))
+
+    def test_metadata_extraction_without_key(self):
+        """Test that metadata is extracted when creating keypair without private key"""
+        builder = CertificateBuilder(generate_id())
+        builder.build(subject_alt_names=[], validity_days=3)
+
+        # Create keypair with only certificate, no key
+        cert = CertificateKeyPair.objects.create(
+            name=generate_id(),
+            certificate_data=builder.certificate,
+            key_data="",
+        )
+
+        # Verify certificate metadata fields are populated
+        self.assertIsNotNone(cert.key_type)
+        self.assertIsNotNone(cert.cert_expiry)
+        self.assertIsNotNone(cert.cert_subject)
+        self.assertIsNotNone(cert.fingerprint_sha256)
+        self.assertIsNotNone(cert.fingerprint_sha1)
+
+        # Verify kid is empty when no key_data
+        self.assertEqual(cert.kid, None)
+
+    def test_metadata_extraction_invalid_cert(self):
+        """Test that invalid certificate data doesn't crash, just skips metadata"""
+        cert = CertificateKeyPair.objects.create(
+            name=generate_id(),
+            certificate_data="invalid certificate data",
+            key_data="",
+        )
+
+        # Verify metadata fields are None for invalid cert
+        self.assertIsNone(cert.key_type)
+        self.assertIsNone(cert.cert_expiry)
+        self.assertIsNone(cert.cert_subject)
+        self.assertIsNone(cert.fingerprint_sha256)
+        self.assertIsNone(cert.fingerprint_sha1)
+        self.assertIsNone(cert.kid)
+
+    def test_kid_legacy_preservation(self):
+        """Test that legacy MD5 kid is preserved when key_data hasn't changed"""
+        cert = create_test_cert()
+
+        # Simulate a legacy MD5 kid (as if backfilled from old system)
+        legacy_kid = generate_key_id_legacy(cert.key_data)
+        CertificateKeyPair.objects.filter(pk=cert.pk).update(kid=legacy_kid)
+        cert.refresh_from_db()
+        self.assertEqual(cert.kid, legacy_kid)
+
+        # Save the cert again (e.g., name change) - kid should be preserved
+        cert.name = generate_id()
+        cert.save()
+        cert.refresh_from_db()
+
+        self.assertEqual(cert.kid, legacy_kid)
+
+    def test_kid_regenerated_on_key_change(self):
+        """Test that kid is regenerated when key_data changes"""
+        cert = create_test_cert()
+        original_kid = cert.kid
+
+        # Generate a new key and update the keypair
+        builder = CertificateBuilder(generate_id())
+        builder.build(subject_alt_names=[], validity_days=3)
+
+        cert.key_data = builder.private_key
+        cert.certificate_data = builder.certificate
+        cert.save()
+        cert.refresh_from_db()
+
+        # Kid should be regenerated for the new key
+        self.assertNotEqual(cert.kid, original_kid)
+        self.assertEqual(cert.kid, generate_key_id(cert.key_data))
+
+    def test_kid_regenerated_on_key_change_from_legacy(self):
+        """Test that kid is regenerated from legacy MD5 when key_data changes"""
+        cert = create_test_cert()
+
+        # Simulate a legacy MD5 kid
+        legacy_kid = generate_key_id_legacy(cert.key_data)
+        CertificateKeyPair.objects.filter(pk=cert.pk).update(kid=legacy_kid)
+        cert.refresh_from_db()
+        self.assertEqual(cert.kid, legacy_kid)
+
+        # Generate a new key and update the keypair
+        builder = CertificateBuilder(generate_id())
+        builder.build(subject_alt_names=[], validity_days=3)
+
+        cert.key_data = builder.private_key
+        cert.certificate_data = builder.certificate
+        cert.save()
+        cert.refresh_from_db()
+
+        # Kid should now be SHA512 for the new key
+        self.assertNotEqual(cert.kid, legacy_kid)
+        self.assertEqual(cert.kid, generate_key_id(cert.key_data))

authentik/endpoints/api/stages.py

@@ -3,10 +3,11 @@ from rest_framework.viewsets import ModelViewSet
 from authentik.core.api.used_by import UsedByMixin
 from authentik.endpoints.api.connectors import ConnectorSerializer
 from authentik.endpoints.models import EndpointStage
+from authentik.enterprise.api import EnterpriseRequiredMixin
 from authentik.flows.api.stages import StageSerializer
 
 
-class EndpointStageSerializer(StageSerializer):
+class EndpointStageSerializer(EnterpriseRequiredMixin, StageSerializer):
     """EndpointStage Serializer"""
 
     connector_obj = ConnectorSerializer(source="connector", read_only=True)

authentik/endpoints/connectors/agent/api/agent.py

@@ -1,4 +1,3 @@
-from django.db import models
 from rest_framework.fields import (
     BooleanField,
     CharField,
@@ -15,12 +14,6 @@ from authentik.endpoints.models import Device
 from authentik.lib.utils.time import timedelta_from_string
 from authentik.providers.oauth2.views.jwks import JWKSView
 
-try:
-    from authentik.enterprise.models import LicenseUsageStatus
-except ImportError:
-
-    class LicenseUsageStatus(models.TextChoices): ...
-
 
 class AgentConfigSerializer(PassiveSerializer):
 
@@ -36,7 +29,6 @@ class AgentConfigSerializer(PassiveSerializer):
     auth_terminate_session_on_expiry = BooleanField()
 
     system_config = SerializerMethodField()
-    license_status = SerializerMethodField(required=False, allow_null=True)
 
     def get_device_id(self, instance: AgentConnector) -> str:
         device: Device = self.context["device"]
@@ -62,14 +54,6 @@ class AgentConfigSerializer(PassiveSerializer):
     def get_system_config(self, instance: AgentConnector) -> ConfigSerializer:
         return ConfigView.get_config(self.context["request"]).data
 
-    def get_license_status(self, instance: AgentConnector) -> "LicenseUsageStatus":
-        try:
-            from authentik.enterprise.license import LicenseKey
-
-            return LicenseKey.cached_summary().status
-        except ModuleNotFoundError:
-            return None
-
 
 class EnrollSerializer(PassiveSerializer):
 

authentik/endpoints/connectors/agent/models.py

@@ -16,7 +16,7 @@ from authentik.endpoints.models import (
 )
 from authentik.flows.stage import StageView
 from authentik.lib.generators import generate_key
-from authentik.lib.models import SerializerModel
+from authentik.lib.models import InternallyManagedMixin, SerializerModel
 from authentik.lib.utils.time import timedelta_string_validator
 
 if TYPE_CHECKING:
@@ -97,7 +97,7 @@ class AgentDeviceUserBinding(DeviceUserBinding):
     apple_enclave_key_id = models.TextField()
 
 
-class DeviceToken(ExpiringModel):
+class DeviceToken(InternallyManagedMixin, ExpiringModel):
     """Per-device token used for authentication."""
 
     token_uuid = models.UUIDField(primary_key=True, default=uuid4)
@@ -143,7 +143,7 @@ class EnrollmentToken(ExpiringModel, SerializerModel):
         ]
 
 
-class DeviceAuthenticationToken(ExpiringModel):
+class DeviceAuthenticationToken(InternallyManagedMixin, ExpiringModel):
 
     identifier = models.UUIDField(default=uuid4, primary_key=True)
     device = models.ForeignKey(Device, on_delete=models.CASCADE)
@@ -160,7 +160,7 @@ class DeviceAuthenticationToken(ExpiringModel):
         verbose_name_plural = _("Device authentication tokens")
 
 
-class AppleNonce(ExpiringModel):
+class AppleNonce(InternallyManagedMixin, ExpiringModel):
     nonce = models.TextField()
     device_token = models.ForeignKey(DeviceToken, on_delete=models.CASCADE)
 

authentik/endpoints/connectors/agent/stage.py

@@ -1,5 +1,4 @@
 from datetime import timedelta
-from hashlib import sha256
 from hmac import compare_digest
 
 from django.http import HttpResponse
@@ -9,7 +8,7 @@ from rest_framework.exceptions import ValidationError
 from rest_framework.fields import CharField, IntegerField
 
 from authentik.crypto.models import CertificateKeyPair
-from authentik.endpoints.connectors.agent.models import DeviceAuthenticationToken, DeviceToken
+from authentik.endpoints.connectors.agent.models import DeviceToken
 from authentik.endpoints.models import Device, EndpointStage, StageMode
 from authentik.flows.challenge import (
     Challenge,
@@ -21,7 +20,6 @@ from authentik.lib.generators import generate_id
 from authentik.lib.utils.time import timedelta_from_string
 from authentik.providers.oauth2.models import JWTAlgorithms
 
-PLAN_CONTEXT_DEVICE_AUTH_TOKEN = "goauthentik.io/endpoints/device_auth_token"  # nosec
 PLAN_CONTEXT_AGENT_ENDPOINT_CHALLENGE = "goauthentik.io/endpoints/connectors/agent/challenge"
 QS_CHALLENGE = "challenge"
 QS_CHALLENGE_RESPONSE = "response"
@@ -87,36 +85,12 @@ class AuthenticatorEndpointStageView(ChallengeStageView):
     response_class = EndpointAgentChallengeResponse
 
     def get(self, request, *args, **kwargs):
-        # Check if we're in a device interactive auth flow, in which case we use that
-        # to prove which device is being used
-        if response := self.check_device_ia():
-            return response
         stage: EndpointStage = self.executor.current_stage
         keypair = CertificateKeyPair.objects.filter(pk=stage.connector.challenge_key_id).first()
         if not keypair:
             return self.executor.stage_ok()
         return super().get(request, *args, **kwargs)
 
-    def check_device_ia(self):
-        """Check if we're in a device interactive authentication flow, and if so,
-        there won't be a browser extension to talk to. However we can authenticate
-        on the DTH header"""
-        if PLAN_CONTEXT_DEVICE_AUTH_TOKEN not in self.executor.plan.context:
-            return None
-        auth_token: DeviceAuthenticationToken = self.executor.plan.context.get(
-            PLAN_CONTEXT_DEVICE_AUTH_TOKEN
-        )
-        device_token_hash = self.request.headers.get("X-Authentik-Platform-Auth-DTH")
-        if not device_token_hash:
-            return None
-        if not compare_digest(
-            device_token_hash, sha256(auth_token.device_token.key.encode()).hexdigest()
-        ):
-            return self.executor.stage_invalid("Invalid device token")
-        self.logger.debug("Setting device based on DTH header")
-        self.executor.plan.context[PLAN_CONTEXT_DEVICE] = auth_token.device
-        return self.executor.stage_ok()
-
     def get_challenge(self, *args, **kwargs) -> Challenge:
         stage: EndpointStage = self.executor.current_stage
         keypair = CertificateKeyPair.objects.get(pk=stage.connector.challenge_key_id)

authentik/endpoints/connectors/agent/tests/test_stage.py

@@ -1,6 +1,4 @@
-from hashlib import sha256
 from json import loads
-from unittest.mock import PropertyMock, patch
 
 from django.urls import reverse
 from jwt import encode
@@ -9,14 +7,10 @@ from authentik.core.tests.utils import create_test_cert, create_test_flow
 from authentik.endpoints.connectors.agent.models import (
     AgentConnector,
     AgentDeviceConnection,
-    DeviceAuthenticationToken,
     DeviceToken,
     EnrollmentToken,
 )
-from authentik.endpoints.connectors.agent.stage import (
-    PLAN_CONTEXT_AGENT_ENDPOINT_CHALLENGE,
-    PLAN_CONTEXT_DEVICE_AUTH_TOKEN,
-)
+from authentik.endpoints.connectors.agent.stage import PLAN_CONTEXT_AGENT_ENDPOINT_CHALLENGE
 from authentik.endpoints.models import Device, EndpointStage, StageMode
 from authentik.flows.models import FlowStageBinding
 from authentik.flows.planner import PLAN_CONTEXT_DEVICE
@@ -41,11 +35,6 @@ class TestEndpointStage(FlowTestCase):
             device=self.connection,
             key=generate_id(),
         )
-        self.device_auth_token = DeviceAuthenticationToken.objects.create(
-            device=self.device,
-            device_token=self.device_token,
-            connector=self.connector,
-        )
 
     def test_endpoint_stage(self):
         flow = create_test_flow()
@@ -205,71 +194,3 @@ class TestEndpointStage(FlowTestCase):
                 "response": [{"string": "Invalid challenge response", "code": "invalid"}]
             },
         )
-
-    def test_endpoint_stage_ia_dth(self):
-        """Test with DTH"""
-        flow = create_test_flow()
-        stage = EndpointStage.objects.create(connector=self.connector)
-        FlowStageBinding.objects.create(stage=stage, target=flow, order=0)
-
-        # Send an "invalid" request first, to populate the flow plan
-        res = self.client.get(
-            reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
-        )
-        plan = self.get_flow_plan()
-        plan.context[PLAN_CONTEXT_DEVICE_AUTH_TOKEN] = DeviceAuthenticationToken.objects.get(
-            pk=self.device_auth_token.pk
-        )
-        self.set_flow_plan(plan)
-
-        with self.assertFlowFinishes() as plan:
-            res = self.client.get(
-                reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
-                HTTP_X_AUTHENTIK_PLATFORM_AUTH_DTH=sha256(
-                    self.device_token.key.encode()
-                ).hexdigest(),
-            )
-            self.assertStageRedirects(res, reverse("authentik_core:root-redirect"))
-        plan = plan()
-        self.assertNotIn(PLAN_CONTEXT_AGENT_ENDPOINT_CHALLENGE, plan.context)
-        self.assertEqual(plan.context[PLAN_CONTEXT_DEVICE], self.device)
-
-    def test_endpoint_stage_connector_no_stage_optional(self):
-        flow = create_test_flow()
-        stage = EndpointStage.objects.create(connector=self.connector, mode=StageMode.OPTIONAL)
-        FlowStageBinding.objects.create(stage=stage, target=flow, order=0)
-
-        with patch(
-            "authentik.endpoints.connectors.agent.models.AgentConnector.stage",
-            PropertyMock(return_value=None),
-        ):
-            with self.assertFlowFinishes() as plan:
-                res = self.client.get(
-                    reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
-                )
-                self.assertStageRedirects(res, reverse("authentik_core:root-redirect"))
-            plan = plan()
-            self.assertNotIn(PLAN_CONTEXT_AGENT_ENDPOINT_CHALLENGE, plan.context)
-            self.assertNotIn(PLAN_CONTEXT_DEVICE, plan.context)
-
-    def test_endpoint_stage_connector_no_stage_required(self):
-        flow = create_test_flow()
-        stage = EndpointStage.objects.create(connector=self.connector, mode=StageMode.REQUIRED)
-        FlowStageBinding.objects.create(stage=stage, target=flow, order=0)
-
-        with patch(
-            "authentik.endpoints.connectors.agent.models.AgentConnector.stage",
-            PropertyMock(return_value=None),
-        ):
-            with self.assertFlowFinishes() as plan:
-                res = self.client.get(
-                    reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
-                )
-                self.assertStageResponse(
-                    res,
-                    component="ak-stage-access-denied",
-                    error_message="Invalid stage configuration",
-                )
-            plan = plan()
-            self.assertNotIn(PLAN_CONTEXT_AGENT_ENDPOINT_CHALLENGE, plan.context)
-            self.assertNotIn(PLAN_CONTEXT_DEVICE, plan.context)

authentik/endpoints/models.py

@@ -15,7 +15,7 @@ from authentik.core.models import AttributesMixin, ExpiringModel
 from authentik.flows.models import Stage
 from authentik.flows.stage import StageView
 from authentik.lib.merge import MERGE_LIST_UNIQUE
-from authentik.lib.models import InheritanceForeignKey, SerializerModel
+from authentik.lib.models import InheritanceForeignKey, InternallyManagedMixin, SerializerModel
 from authentik.lib.utils.time import timedelta_from_string, timedelta_string_validator
 from authentik.policies.models import PolicyBinding, PolicyBindingModel
 from authentik.tasks.schedules.common import ScheduleSpec
@@ -28,7 +28,7 @@ LOGGER = get_logger()
 DEVICE_FACTS_CACHE_TIMEOUT = 3600
 
 
-class Device(ExpiringModel, AttributesMixin, PolicyBindingModel):
+class Device(InternallyManagedMixin, ExpiringModel, AttributesMixin, PolicyBindingModel):
     device_uuid = models.UUIDField(default=uuid4, primary_key=True)
 
     name = models.TextField(unique=True)
@@ -86,7 +86,7 @@ class DeviceUserBinding(PolicyBinding):
         verbose_name_plural = _("Device User bindings")
 
 
-class DeviceConnection(SerializerModel):
+class DeviceConnection(InternallyManagedMixin, SerializerModel):
     device_connection_uuid = models.UUIDField(default=uuid4, primary_key=True)
     device = models.ForeignKey("Device", on_delete=models.CASCADE)
     connector = models.ForeignKey("Connector", on_delete=models.CASCADE)
@@ -115,7 +115,7 @@ class DeviceConnection(SerializerModel):
         verbose_name_plural = _("Device connections")
 
 
-class DeviceFactSnapshot(ExpiringModel, SerializerModel):
+class DeviceFactSnapshot(InternallyManagedMixin, ExpiringModel, SerializerModel):
     snapshot_id = models.UUIDField(primary_key=True, default=uuid4)
     connection = models.ForeignKey(DeviceConnection, on_delete=models.CASCADE)
     data = models.JSONField(default=dict)

authentik/endpoints/stage.py

@@ -1,4 +1,4 @@
-from authentik.endpoints.models import EndpointStage, StageMode
+from authentik.endpoints.models import EndpointStage
 from authentik.flows.stage import StageView
 
 PLAN_CONTEXT_ENDPOINT_CONNECTOR = "endpoint_connector"
@@ -6,24 +6,15 @@ PLAN_CONTEXT_ENDPOINT_CONNECTOR = "endpoint_connector"
 
 class EndpointStageView(StageView):
 
-    def _get_inner(self) -> StageView | None:
+    def _get_inner(self):
         stage: EndpointStage = self.executor.current_stage
         inner_stage: type[StageView] | None = stage.connector.stage
         if not inner_stage:
-            return None
+            return self.executor.stage_ok()
         return inner_stage(self.executor, request=self.request)
 
     def dispatch(self, request, *args, **kwargs):
-        inner = self._get_inner()
-        if inner is None:
-            stage: EndpointStage = self.executor.current_stage
-            if stage.mode == StageMode.OPTIONAL:
-                return self.executor.stage_ok()
-            else:
-                return self.executor.stage_invalid("Invalid stage configuration")
-        return inner.dispatch(request, *args, **kwargs)
+        return self._get_inner().dispatch(request, *args, **kwargs)
 
     def cleanup(self):
-        inner = self._get_inner()
-        if inner is not None:
-            return inner.cleanup()
+        return self._get_inner().cleanup()

authentik/endpoints/tests/test_facts.py

@@ -60,18 +60,20 @@ class TestEndpointFacts(APITestCase):
                 ]
             }
         )
-        self.assertCountEqual(
-            device.cached_facts.data["software"],
-            [
-                {
-                    "name": "software-a",
-                    "version": "1.2.3.4",
-                    "source": "package",
-                },
-                {
-                    "name": "software-b",
-                    "version": "5.6.7.8",
-                    "source": "package",
-                },
-            ],
+        self.assertEqual(
+            device.cached_facts.data,
+            {
+                "software": [
+                    {
+                        "name": "software-a",
+                        "version": "1.2.3.4",
+                        "source": "package",
+                    },
+                    {
+                        "name": "software-b",
+                        "version": "5.6.7.8",
+                        "source": "package",
+                    },
+                ]
+            },
         )

authentik/enterprise/endpoints/connectors/agent/views/auth_interactive.py

@@ -8,7 +8,6 @@ from authentik.endpoints.connectors.agent.auth import (
     check_device_policies,
 )
 from authentik.endpoints.connectors.agent.models import AgentConnector, DeviceAuthenticationToken
-from authentik.endpoints.connectors.agent.stage import PLAN_CONTEXT_DEVICE_AUTH_TOKEN
 from authentik.endpoints.models import Device
 from authentik.enterprise.policy import EnterprisePolicyAccessView
 from authentik.flows.exceptions import FlowNonApplicableException
@@ -17,6 +16,8 @@ from authentik.flows.planner import PLAN_CONTEXT_DEVICE, FlowPlanner
 from authentik.flows.stage import StageView
 from authentik.providers.oauth2.utils import HttpResponseRedirectScheme
 
+PLAN_CONTEXT_DEVICE_AUTH_TOKEN = "goauthentik.io/endpoints/device_auth_token"  # nosec
+
 QS_AGENT_IA_TOKEN = "ak-auth-ia-token"  # nosec
 
 

authentik/enterprise/license.py

@@ -115,7 +115,7 @@ class LicenseKey:
                 decode(
                     jwt,
                     our_cert.public_key(),
-                    algorithms=["ES384", "ES512"],
+                    algorithms=["ES512"],
                     audience=get_license_aud(),
                     options={"verify_exp": check_expiry, "verify_signature": check_expiry},
                 ),

authentik/enterprise/models.py

@@ -11,7 +11,7 @@ from django.utils.translation import gettext as _
 from rest_framework.serializers import BaseSerializer
 
 from authentik.core.models import ExpiringModel
-from authentik.lib.models import SerializerModel
+from authentik.lib.models import InternallyManagedMixin, SerializerModel
 
 if TYPE_CHECKING:
     from authentik.enterprise.license import LicenseKey
@@ -81,7 +81,7 @@ class LicenseUsageStatus(models.TextChoices):
         return self in [LicenseUsageStatus.VALID, LicenseUsageStatus.EXPIRY_SOON]
 
 
-class LicenseUsage(ExpiringModel):
+class LicenseUsage(InternallyManagedMixin, ExpiringModel):
     """a single license usage record"""
 
     expires = models.DateTimeField(default=usage_expiry)

authentik/enterprise/providers/google_workspace/clients/groups.py

@@ -44,13 +44,20 @@ class GoogleWorkspaceGroupClient(
             email=f"{slugify(obj.name)}@{self.provider.default_group_email_domain}",
         )
 
-    def delete(self, identifier: str):
+    def delete(self, obj: Group):
         """Delete group"""
-        GoogleWorkspaceProviderGroup.objects.filter(
-            provider=self.provider, google_id=identifier
-        ).delete()
-        if self.provider.group_delete_action == OutgoingSyncDeleteAction.DELETE:
-            return self._request(self.directory_service.groups().delete(groupKey=identifier))
+        google_group = GoogleWorkspaceProviderGroup.objects.filter(
+            provider=self.provider, group=obj
+        ).first()
+        if not google_group:
+            self.logger.debug("Group does not exist in Google, skipping")
+            return None
+        with transaction.atomic():
+            if self.provider.group_delete_action == OutgoingSyncDeleteAction.DELETE:
+                self._request(
+                    self.directory_service.groups().delete(groupKey=google_group.google_id)
+                )
+            google_group.delete()
 
     def create(self, group: Group):
         """Create group from scratch and create a connection object"""

authentik/enterprise/providers/google_workspace/clients/users.py

@@ -35,17 +35,28 @@ class GoogleWorkspaceUserClient(GoogleWorkspaceSyncClient[User, GoogleWorkspaceP
         """Convert authentik user"""
         return delete_none_values(super().to_schema(obj, connection, primaryEmail=obj.email))
 
-    def delete(self, identifier: str):
+    def delete(self, obj: User):
         """Delete user"""
-        GoogleWorkspaceProviderUser.objects.filter(
-            provider=self.provider, google_id=identifier
-        ).delete()
-        if self.provider.user_delete_action == OutgoingSyncDeleteAction.DELETE:
-            return self._request(self.directory_service.users().delete(userKey=identifier))
-        if self.provider.user_delete_action == OutgoingSyncDeleteAction.SUSPEND:
-            return self._request(
-                self.directory_service.users().update(userKey=identifier, body={"suspended": True})
-            )
+        google_user = GoogleWorkspaceProviderUser.objects.filter(
+            provider=self.provider, user=obj
+        ).first()
+        if not google_user:
+            self.logger.debug("User does not exist in Google, skipping")
+            return None
+        with transaction.atomic():
+            response = None
+            if self.provider.user_delete_action == OutgoingSyncDeleteAction.DELETE:
+                response = self._request(
+                    self.directory_service.users().delete(userKey=google_user.google_id)
+                )
+            elif self.provider.user_delete_action == OutgoingSyncDeleteAction.SUSPEND:
+                response = self._request(
+                    self.directory_service.users().update(
+                        userKey=google_user.google_id, body={"suspended": True}
+                    )
+                )
+            google_user.delete()
+        return response
 
     def create(self, user: User):
         """Create user from scratch and create a connection object"""

authentik/enterprise/providers/google_workspace/models.py

@@ -18,7 +18,7 @@ from authentik.core.models import (
     User,
     UserTypes,
 )
-from authentik.lib.models import SerializerModel
+from authentik.lib.models import InternallyManagedMixin, SerializerModel
 from authentik.lib.sync.outgoing.base import BaseOutgoingSyncClient
 from authentik.lib.sync.outgoing.models import OutgoingSyncDeleteAction, OutgoingSyncProvider
 
@@ -32,7 +32,7 @@ def default_scopes() -> list[str]:
     ]
 
 
-class GoogleWorkspaceProviderUser(SerializerModel):
+class GoogleWorkspaceProviderUser(InternallyManagedMixin, SerializerModel):
     """Mapping of a user and provider to a Google user ID"""
 
     id = models.UUIDField(primary_key=True, editable=False, default=uuid4)
@@ -58,7 +58,7 @@ class GoogleWorkspaceProviderUser(SerializerModel):
         return f"Google Workspace Provider User {self.user_id} to {self.provider_id}"
 
 
-class GoogleWorkspaceProviderGroup(SerializerModel):
+class GoogleWorkspaceProviderGroup(InternallyManagedMixin, SerializerModel):
     """Mapping of a group and provider to a Google group ID"""
 
     id = models.UUIDField(primary_key=True, editable=False, default=uuid4)
@@ -152,18 +152,6 @@ class GoogleWorkspaceProvider(OutgoingSyncProvider, BackchannelProvider):
             return Group.objects.all().order_by("pk")
         raise ValueError(f"Invalid type {type}")
 
-    @classmethod
-    def get_object_mappings(cls, obj: User | Group) -> list[tuple[str, str]]:
-        if isinstance(obj, User):
-            return list(
-                obj.googleworkspaceprovideruser_set.values_list("provider__pk", "google_id")
-            )
-        if isinstance(obj, Group):
-            return list(
-                obj.googleworkspaceprovidergroup_set.values_list("provider__pk", "google_id")
-            )
-        raise ValueError(f"Invalid type {type(obj)}")
-
     def google_credentials(self):
         return {
             "credentials": Credentials.from_service_account_info(

authentik/enterprise/providers/google_workspace/signals.py

@@ -2,7 +2,6 @@
 
 from authentik.enterprise.providers.google_workspace.models import GoogleWorkspaceProvider
 from authentik.enterprise.providers.google_workspace.tasks import (
-    google_workspace_sync_delete_dispatch,
     google_workspace_sync_direct_dispatch,
     google_workspace_sync_m2m_dispatch,
 )
@@ -11,6 +10,5 @@ from authentik.lib.sync.outgoing.signals import register_signals
 register_signals(
     GoogleWorkspaceProvider,
     task_sync_direct_dispatch=google_workspace_sync_direct_dispatch,
-    task_sync_delete_dispatch=google_workspace_sync_delete_dispatch,
     task_sync_m2m_dispatch=google_workspace_sync_m2m_dispatch,
 )

authentik/enterprise/providers/google_workspace/tasks.py

@@ -25,18 +25,6 @@ def google_workspace_sync_direct(*args, **kwargs):
     return sync_tasks.sync_signal_direct(*args, **kwargs)
 
 
-@actor(
-    description=_("Dispatch deletions for an object (user, group) for Google Workspace providers.")
-)
-def google_workspace_sync_delete_dispatch(*args, **kwargs):
-    return sync_tasks.sync_signal_delete_dispatch(google_workspace_sync_delete, *args, **kwargs)
-
-
-@actor(description=_("Delete an object (user, group) for Google Workspace provider."))
-def google_workspace_sync_delete(*args, **kwargs):
-    return sync_tasks.sync_signal_delete(*args, **kwargs)
-
-
 @actor(
     description=_(
         "Dispatch syncs for a direct object (user, group) for Google Workspace providers."

authentik/enterprise/providers/microsoft_entra/clients/groups.py

@@ -48,13 +48,18 @@ class MicrosoftEntraGroupClient(
         except TypeError as exc:
             raise StopSync(exc, obj) from exc
 
-    def delete(self, identifier: str):
+    def delete(self, obj: Group):
         """Delete group"""
-        MicrosoftEntraProviderGroup.objects.filter(
-            provider=self.provider, microsoft_id=identifier
-        ).delete()
-        if self.provider.group_delete_action == OutgoingSyncDeleteAction.DELETE:
-            return self._request(self.client.groups.by_group_id(identifier).delete())
+        microsoft_group = MicrosoftEntraProviderGroup.objects.filter(
+            provider=self.provider, group=obj
+        ).first()
+        if not microsoft_group:
+            self.logger.debug("Group does not exist in Microsoft, skipping")
+            return None
+        with transaction.atomic():
+            if self.provider.group_delete_action == OutgoingSyncDeleteAction.DELETE:
+                self._request(self.client.groups.by_group_id(microsoft_group.microsoft_id).delete())
+            microsoft_group.delete()
 
     def create(self, group: Group):
         """Create group from scratch and create a connection object"""

authentik/enterprise/providers/microsoft_entra/clients/users.py

@@ -43,17 +43,28 @@ class MicrosoftEntraUserClient(MicrosoftEntraSyncClient[User, MicrosoftEntraProv
         except TypeError as exc:
             raise StopSync(exc, obj) from exc
 
-    def delete(self, identifier: str):
+    def delete(self, obj: User):
         """Delete user"""
-        MicrosoftEntraProviderUser.objects.filter(
-            provider=self.provider, microsoft_id=identifier
-        ).delete()
-        if self.provider.user_delete_action == OutgoingSyncDeleteAction.DELETE:
-            return self._request(self.client.users.by_user_id(identifier).delete())
-        if self.provider.user_delete_action == OutgoingSyncDeleteAction.SUSPEND:
-            return self._request(
-                self.client.users.by_user_id(identifier).patch(MSUser(account_enabled=False))
-            )
+        microsoft_user = MicrosoftEntraProviderUser.objects.filter(
+            provider=self.provider, user=obj
+        ).first()
+        if not microsoft_user:
+            self.logger.debug("User does not exist in Microsoft, skipping")
+            return None
+        with transaction.atomic():
+            response = None
+            if self.provider.user_delete_action == OutgoingSyncDeleteAction.DELETE:
+                response = self._request(
+                    self.client.users.by_user_id(microsoft_user.microsoft_id).delete()
+                )
+            elif self.provider.user_delete_action == OutgoingSyncDeleteAction.SUSPEND:
+                response = self._request(
+                    self.client.users.by_user_id(microsoft_user.microsoft_id).patch(
+                        MSUser(account_enabled=False)
+                    )
+                )
+            microsoft_user.delete()
+        return response
 
     def get_select_fields(self) -> list[str]:
         """All fields that should be selected when we fetch user data."""

authentik/enterprise/providers/microsoft_entra/models.py

@@ -18,12 +18,12 @@ from authentik.core.models import (
     User,
     UserTypes,
 )
-from authentik.lib.models import SerializerModel
+from authentik.lib.models import InternallyManagedMixin, SerializerModel
 from authentik.lib.sync.outgoing.base import BaseOutgoingSyncClient
 from authentik.lib.sync.outgoing.models import OutgoingSyncDeleteAction, OutgoingSyncProvider
 
 
-class MicrosoftEntraProviderUser(SerializerModel):
+class MicrosoftEntraProviderUser(InternallyManagedMixin, SerializerModel):
     """Mapping of a user and provider to a Microsoft user ID"""
 
     id = models.UUIDField(primary_key=True, editable=False, default=uuid4)
@@ -49,7 +49,7 @@ class MicrosoftEntraProviderUser(SerializerModel):
         return f"Microsoft Entra Provider User {self.user_id} to {self.provider_id}"
 
 
-class MicrosoftEntraProviderGroup(SerializerModel):
+class MicrosoftEntraProviderGroup(InternallyManagedMixin, SerializerModel):
     """Mapping of a group and provider to a Microsoft group ID"""
 
     id = models.UUIDField(primary_key=True, editable=False, default=uuid4)
@@ -141,18 +141,6 @@ class MicrosoftEntraProvider(OutgoingSyncProvider, BackchannelProvider):
             return Group.objects.all().order_by("pk")
         raise ValueError(f"Invalid type {type}")
 
-    @classmethod
-    def get_object_mappings(cls, obj: User | Group) -> list[tuple[str, str]]:
-        if isinstance(obj, User):
-            return list(
-                obj.microsoftentraprovideruser_set.values_list("provider__pk", "microsoft_id")
-            )
-        if isinstance(obj, Group):
-            return list(
-                obj.microsoftentraprovidergroup_set.values_list("provider__pk", "microsoft_id")
-            )
-        raise ValueError(f"Invalid type {type(obj)}")
-
     def microsoft_credentials(self):
         return {
             "credentials": ClientSecretCredential(

authentik/enterprise/providers/microsoft_entra/signals.py

@@ -2,7 +2,6 @@
 
 from authentik.enterprise.providers.microsoft_entra.models import MicrosoftEntraProvider
 from authentik.enterprise.providers.microsoft_entra.tasks import (
-    microsoft_entra_sync_delete_dispatch,
     microsoft_entra_sync_direct_dispatch,
     microsoft_entra_sync_m2m_dispatch,
 )
@@ -11,6 +10,5 @@ from authentik.lib.sync.outgoing.signals import register_signals
 register_signals(
     MicrosoftEntraProvider,
     task_sync_direct_dispatch=microsoft_entra_sync_direct_dispatch,
-    task_sync_delete_dispatch=microsoft_entra_sync_delete_dispatch,
     task_sync_m2m_dispatch=microsoft_entra_sync_m2m_dispatch,
 )

authentik/enterprise/providers/microsoft_entra/tasks.py

@@ -32,18 +32,6 @@ def microsoft_entra_sync_direct_dispatch(*args, **kwargs):
     return sync_tasks.sync_signal_direct_dispatch(microsoft_entra_sync_direct, *args, **kwargs)
 
 
-@actor(description=_("Delete an object (user, group) for Microsoft Entra provider."))
-def microsoft_entra_sync_delete(*args, **kwargs):
-    return sync_tasks.sync_signal_delete(*args, **kwargs)
-
-
-@actor(
-    description=_("Dispatch deletions for an object (user, group) for Microsoft Entra providers.")
-)
-def microsoft_entra_sync_delete_dispatch(*args, **kwargs):
-    return sync_tasks.sync_signal_delete_dispatch(microsoft_entra_sync_delete, *args, **kwargs)
-
-
 @actor(description=_("Sync a related object (memberships) for Microsoft Entra provider."))
 def microsoft_entra_sync_m2m(*args, **kwargs):
     return sync_tasks.sync_signal_m2m(*args, **kwargs)

authentik/enterprise/providers/ssf/models.py

@@ -14,7 +14,7 @@ from jwt import encode
 
 from authentik.core.models import BackchannelProvider, ExpiringModel, Token
 from authentik.crypto.models import CertificateKeyPair
-from authentik.lib.models import CreatedUpdatedModel
+from authentik.lib.models import CreatedUpdatedModel, InternallyManagedMixin
 from authentik.lib.utils.time import timedelta_from_string, timedelta_string_validator
 from authentik.providers.oauth2.models import JWTAlgorithms, OAuth2Provider
 from authentik.tasks.models import TasksModel
@@ -153,7 +153,7 @@ class Stream(models.Model):
         return encode(data, key, algorithm=alg, headers=headers)
 
 
-class StreamEvent(CreatedUpdatedModel, ExpiringModel):
+class StreamEvent(InternallyManagedMixin, CreatedUpdatedModel, ExpiringModel):
     """Single stream event to be sent"""
 
     uuid = models.UUIDField(default=uuid4, primary_key=True, editable=False)

authentik/enterprise/stages/authenticator_endpoint_gdtc/models.py

@@ -11,7 +11,7 @@ from rest_framework.serializers import BaseSerializer, Serializer
 from authentik.core.types import UserSettingSerializer
 from authentik.flows.models import ConfigurableStage, FriendlyNamedStage, Stage
 from authentik.flows.stage import StageView
-from authentik.lib.models import DeprecatedMixin, SerializerModel
+from authentik.lib.models import DeprecatedMixin, InternallyManagedMixin, SerializerModel
 from authentik.stages.authenticator.models import Device
 
 
@@ -63,7 +63,7 @@ class AuthenticatorEndpointGDTCStage(DeprecatedMixin, ConfigurableStage, Friendl
         verbose_name_plural = _("Endpoint Authenticator Google Device Trust Connector Stages")
 
 
-class EndpointDevice(SerializerModel, Device):
+class EndpointDevice(InternallyManagedMixin, SerializerModel, Device):
     """Endpoint Device for a single user"""
 
     uuid = models.UUIDField(primary_key=True, default=uuid4)
@@ -91,7 +91,7 @@ class EndpointDevice(SerializerModel, Device):
         verbose_name_plural = _("Endpoint Devices")
 
 
-class EndpointDeviceConnection(models.Model):
+class EndpointDeviceConnection(InternallyManagedMixin, models.Model):
     device = models.ForeignKey(EndpointDevice, on_delete=models.CASCADE)
     stage = models.ForeignKey(AuthenticatorEndpointGDTCStage, on_delete=models.CASCADE)
 

authentik/events/middleware.py

@@ -19,6 +19,7 @@ from authentik.blueprints.v1.importer import excluded_models
 from authentik.core.models import Group, User
 from authentik.events.models import Event, EventAction, Notification
 from authentik.events.utils import model_to_dict
+from authentik.lib.models import InternallyManagedMixin
 from authentik.lib.sentry import should_ignore_exception
 from authentik.lib.utils.errors import exception_to_dict
 from authentik.stages.authenticator_static.models import StaticToken
@@ -40,7 +41,7 @@ _CTX_REQUEST = ContextVar[HttpRequest | None]("authentik_events_log_request", de
 
 def should_log_model(model: Model) -> bool:
     """Return true if operation on `model` should be logged"""
-    return model.__class__ not in IGNORED_MODELS
+    return model.__class__ not in IGNORED_MODELS and not isinstance(model, InternallyManagedMixin)
 
 
 def should_log_m2m(model: Model) -> bool:

authentik/events/signals.py

@@ -93,13 +93,11 @@ def on_login_failed(
     credentials: dict[str, str],
     request: HttpRequest,
     stage: Stage | None = None,
-    context: dict[str, Any] | None = None,
     **kwargs,
 ):
     """Failed Login, authentik custom event"""
     user = User.objects.filter(username=credentials.get("username")).first()
-    context = context or {}
-    Event.new(EventAction.LOGIN_FAILED, **credentials, stage=stage, **context).from_http(
+    Event.new(EventAction.LOGIN_FAILED, **credentials, stage=stage, **kwargs).from_http(
         request, user
     )
 

authentik/flows/api/flows.py

@@ -22,7 +22,6 @@ from authentik.core.api.utils import (
     LinkSerializer,
     ModelSerializer,
     PassiveSerializer,
-    ThemedUrlsSerializer,
 )
 from authentik.events.logs import LogEventSerializer
 from authentik.flows.api.flows_diagram import FlowDiagram, FlowDiagramSerializer
@@ -48,7 +47,6 @@ class FlowSerializer(ModelSerializer):
     """Flow Serializer"""
 
     background_url = ReadOnlyField()
-    background_themed_urls = ThemedUrlsSerializer(read_only=True, allow_null=True)
 
     cache_count = SerializerMethodField()
     export_url = SerializerMethodField()
@@ -72,7 +70,6 @@ class FlowSerializer(ModelSerializer):
             "designation",
             "background",
             "background_url",
-            "background_themed_urls",
             "stages",
             "policies",
             "cache_count",

authentik/flows/apps.py

@@ -29,12 +29,6 @@ class RefreshOtherFlowsAfterAuthentication(Flag[bool], key="flows_refresh_others
     visibility = "public"
 
 
-class ContinuousLogin(Flag[bool], key="flows_continuous_login"):
-
-    default = False
-    visibility = "public"
-
-
 class AuthentikFlowsConfig(ManagedAppConfig):
     """authentik flows app config"""
 

authentik/flows/auth.py

@@ -0,0 +1,18 @@
+from typing import cast
+
+from django.contrib.auth.models import AnonymousUser
+from rest_framework.authentication import BaseAuthentication
+from rest_framework.request import Request
+
+from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlan
+from authentik.flows.views.executor import SESSION_KEY_PLAN
+
+
+class FlowActive(BaseAuthentication):
+    """Authenticate requests when a flow is currently active"""
+
+    def authenticate(self, request: Request):
+        plan = cast(FlowPlan | None, request.session.get(SESSION_KEY_PLAN))
+        if not plan:
+            return None
+        return (plan.context.get(PLAN_CONTEXT_PENDING_USER, AnonymousUser()), plan)

authentik/flows/challenge.py

@@ -11,7 +11,7 @@ from django.http import JsonResponse
 from rest_framework.fields import BooleanField, CharField, ChoiceField, DictField
 from rest_framework.request import Request
 
-from authentik.core.api.utils import PassiveSerializer, ThemedUrlsSerializer
+from authentik.core.api.utils import PassiveSerializer
 from authentik.lib.utils.errors import exception_to_string
 
 if TYPE_CHECKING:
@@ -44,7 +44,6 @@ class ContextualFlowInfo(PassiveSerializer):
 
     title = CharField(required=False, allow_blank=True)
     background = CharField(required=False)
-    background_themed_urls = ThemedUrlsSerializer(required=False, allow_null=True)
     cancel_url = CharField()
     layout = ChoiceField(choices=[(x.value, x.name) for x in FlowLayout])
 

authentik/flows/models.py

@@ -20,7 +20,7 @@ from authentik.core.models import Token
 from authentik.core.types import UserSettingSerializer
 from authentik.flows.challenge import FlowLayout
 from authentik.lib.config import CONFIG
-from authentik.lib.models import InheritanceForeignKey, SerializerModel
+from authentik.lib.models import InheritanceForeignKey, InternallyManagedMixin, SerializerModel
 from authentik.lib.utils.reflection import class_to_path
 from authentik.policies.models import PolicyBindingModel
 
@@ -196,15 +196,6 @@ class Flow(SerializerModel, PolicyBindingModel):
 
         return get_file_manager(FileUsage.MEDIA).file_url(self.background, request)
 
-    def background_themed_urls(self, request: HttpRequest | None = None) -> dict[str, str] | None:
-        """Get themed URLs for background if it contains %(theme)s"""
-        if not self.background:
-            if request:
-                return request.brand.branding_default_flow_background_themed_urls()
-            return None
-
-        return get_file_manager(FileUsage.MEDIA).themed_urls(self.background, request)
-
     stages = models.ManyToManyField(Stage, through="FlowStageBinding", blank=True)
 
     @property
@@ -310,7 +301,7 @@ class FriendlyNamedStage(models.Model):
         abstract = True
 
 
-class FlowToken(Token):
+class FlowToken(InternallyManagedMixin, Token):
     """Subclass of a standard Token, stores the currently active flow plan upon creation.
     Can be used to later resume a flow."""
 

authentik/flows/signals.py

@@ -38,7 +38,7 @@ def invalidate_flow_cache(sender, instance, **_):
     if isinstance(instance, Flow):
         total = delete_cache_prefix(f"{cache_key(instance)}*")
         LOGGER.debug("Invalidating Flow cache", flow=instance, len=total)
-    if isinstance(instance, FlowStageBinding) and instance.target_id:
+    if isinstance(instance, FlowStageBinding):
         total = delete_cache_prefix(f"{cache_key(instance.target)}*")
         LOGGER.debug("Invalidating Flow cache from FlowStageBinding", binding=instance, len=total)
     if isinstance(instance, Stage):

authentik/flows/stage.py

@@ -197,9 +197,6 @@ class ChallengeStageView(StageView):
                     data={
                         "title": self.format_title(),
                         "background": self.executor.flow.background_url(self.request),
-                        "background_themed_urls": self.executor.flow.background_themed_urls(
-                            self.request
-                        ),
                         "cancel_url": self.cancel_url,
                         "layout": self.executor.flow.layout,
                     }

authentik/flows/tests/__init__.py

@@ -51,11 +51,6 @@ class FlowTestCase(APITestCase):
     def get_flow_plan(self) -> FlowPlan | None:
         return self.client.session.get(SESSION_KEY_PLAN)
 
-    def set_flow_plan(self, plan: FlowPlan):
-        session = self.client.session
-        session[SESSION_KEY_PLAN] = plan
-        session.save()
-
     def assertStageRedirects(self, response: HttpResponse, to: str) -> dict[str, Any]:
         """Wrapper around assertStageResponse that checks for a redirect"""
         return self.assertStageResponse(response, component="xak-flow-redirect", to=to)

authentik/flows/tests/test_executor.py

@@ -734,7 +734,6 @@ class TestFlowExecutor(FlowTestCase):
             flow,
             flow_info={
                 "background": "/static/dist/assets/images/flow_background.jpg",
-                "background_themed_urls": None,
                 "cancel_url": "/flows/-/cancel/?next=%2Ffoo",
                 "layout": "stacked",
                 "title": flow.title,

authentik/flows/tests/test_inspector.py

@@ -51,7 +51,6 @@ class TestFlowInspector(APITestCase):
                 "enable_remember_me": False,
                 "flow_info": {
                     "background": "/static/dist/assets/images/flow_background.jpg",
-                    "background_themed_urls": None,
                     "cancel_url": reverse("authentik_flows:cancel"),
                     "title": flow.title,
                     "layout": "stacked",