release: 2021.8.3

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

.bumpversion.cfg

@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2021.8.2
+current_version = 2021.8.3
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)\-?(?P<release>.*)

.github/workflows/release.yml

@@ -33,14 +33,14 @@ jobs:
         with:
           push: ${{ github.event_name == 'release' }}
           tags: |
-            beryju/authentik:2021.8.2,
+            beryju/authentik:2021.8.3,
             beryju/authentik:latest,
-            ghcr.io/goauthentik/server:2021.8.2,
+            ghcr.io/goauthentik/server:2021.8.3,
             ghcr.io/goauthentik/server:latest
           platforms: linux/amd64,linux/arm64
           context: .
       - name: Building Docker Image (stable)
-        if: ${{ github.event_name == 'release' && !contains('2021.8.2', 'rc') }}
+        if: ${{ github.event_name == 'release' && !contains('2021.8.3', 'rc') }}
         run: |
           docker pull beryju/authentik:latest
           docker tag beryju/authentik:latest beryju/authentik:stable
@@ -75,14 +75,14 @@ jobs:
         with:
           push: ${{ github.event_name == 'release' }}
           tags: |
-            beryju/authentik-proxy:2021.8.2,
+            beryju/authentik-proxy:2021.8.3,
             beryju/authentik-proxy:latest,
-            ghcr.io/goauthentik/proxy:2021.8.2,
+            ghcr.io/goauthentik/proxy:2021.8.3,
             ghcr.io/goauthentik/proxy:latest
           file: proxy.Dockerfile
           platforms: linux/amd64,linux/arm64
       - name: Building Docker Image (stable)
-        if: ${{ github.event_name == 'release' && !contains('2021.8.2', 'rc') }}
+        if: ${{ github.event_name == 'release' && !contains('2021.8.3', 'rc') }}
         run: |
           docker pull beryju/authentik-proxy:latest
           docker tag beryju/authentik-proxy:latest beryju/authentik-proxy:stable
@@ -117,14 +117,14 @@ jobs:
         with:
           push: ${{ github.event_name == 'release' }}
           tags: |
-            beryju/authentik-ldap:2021.8.2,
+            beryju/authentik-ldap:2021.8.3,
             beryju/authentik-ldap:latest,
-            ghcr.io/goauthentik/ldap:2021.8.2,
+            ghcr.io/goauthentik/ldap:2021.8.3,
             ghcr.io/goauthentik/ldap:latest
           file: ldap.Dockerfile
           platforms: linux/amd64,linux/arm64
       - name: Building Docker Image (stable)
-        if: ${{ github.event_name == 'release' && !contains('2021.8.2', 'rc') }}
+        if: ${{ github.event_name == 'release' && !contains('2021.8.3', 'rc') }}
         run: |
           docker pull beryju/authentik-ldap:latest
           docker tag beryju/authentik-ldap:latest beryju/authentik-ldap:stable
@@ -175,7 +175,7 @@ jobs:
           SENTRY_PROJECT: authentik
           SENTRY_URL: https://sentry.beryju.org
         with:
-          version: authentik@2021.8.2
+          version: authentik@2021.8.3
           environment: beryjuorg-prod
           sourcemaps: './web/dist'
           url_prefix: '~/static/dist'

Pipfile.lock

@@ -122,19 +122,19 @@
         },
         "boto3": {
             "hashes": [
-                "sha256:4dc7e346e92c01e8a997daa58a4c990151841d2d2962067325d963f665c7287a",
-                "sha256:79b7e6e0167def749352968ed6eb96954d9e2dd1dca8f297f122414753ce73a3"
+                "sha256:542336dda9a728c250cf24aea6d87454136d9d6f3d8a84ec5a737a7edba3b932",
+                "sha256:9bf2a281a6df9f8948d3d322d532d03a1039f57a049a1aa2b72b4a28c9627013"
             ],
             "index": "pypi",
-            "version": "==1.18.29"
+            "version": "==1.18.30"
         },
         "botocore": {
             "hashes": [
-                "sha256:1f16998b4f5a88e6844196feee7fa5eef6b36034d377f9845c7df12b8803b3be",
-                "sha256:fec924f63b40bd29b522fa109ecbc45f16eedcbeb22b68c6c79773c22a552b16"
+                "sha256:26ab09126dd05c968fbbcb894a1d623355e6119ff6d4a2bf5d292e3ad7cdd628",
+                "sha256:9b0b3dbc144178e2b803097abcc95712a03b8dde5a02e4335ac870bc6c129dd9"
             ],
             "markers": "python_version >= '3.6'",
-            "version": "==1.21.29"
+            "version": "==1.21.30"
         },
         "cachetools": {
             "hashes": [
@@ -1582,7 +1582,7 @@
                 "sha256:9c2ea1e62d871267b78307fe511c0838ba0da28698c5732d54e2790bf3ba9899",
                 "sha256:e17d6e2b81095c9db0a03a8025a957f334d6ea30b26f9ec70805411e5c7c81f2"
             ],
-            "markers": "python_version < '4' and python_full_version >= '3.6.1'",
+            "markers": "python_version < '4.0' and python_full_version >= '3.6.1'",
             "version": "==5.9.3"
         },
         "lazy-object-proxy": {
@@ -1758,49 +1758,49 @@
         },
         "regex": {
             "hashes": [
-                "sha256:03840a07a402576b8e3a6261f17eb88abd653ad4e18ec46ef10c9a63f8c99ebd",
-                "sha256:06ba444bbf7ede3890a912bd4904bb65bf0da8f0d8808b90545481362c978642",
-                "sha256:1f9974826aeeda32a76648fc677e3125ade379869a84aa964b683984a2dea9f1",
-                "sha256:330836ad89ff0be756b58758878409f591d4737b6a8cef26a162e2a4961c3321",
-                "sha256:38600fd58c2996829480de7d034fb2d3a0307110e44dae80b6b4f9b3d2eea529",
-                "sha256:3a195e26df1fbb40ebee75865f9b64ba692a5824ecb91c078cc665b01f7a9a36",
-                "sha256:41acdd6d64cd56f857e271009966c2ffcbd07ec9149ca91f71088574eaa4278a",
-                "sha256:45f97ade892ace20252e5ccecdd7515c7df5feeb42c3d2a8b8c55920c3551c30",
-                "sha256:4b0c211c55d4aac4309c3209833c803fada3fc21cdf7b74abedda42a0c9dc3ce",
-                "sha256:5d5209c3ba25864b1a57461526ebde31483db295fc6195fdfc4f8355e10f7376",
-                "sha256:615fb5a524cffc91ab4490b69e10ae76c1ccbfa3383ea2fad72e54a85c7d47dd",
-                "sha256:61e734c2bcb3742c3f454dfa930ea60ea08f56fd1a0eb52d8cb189a2f6be9586",
-                "sha256:640ccca4d0a6fcc6590f005ecd7b16c3d8f5d52174e4854f96b16f34c39d6cb7",
-                "sha256:6dbd51c3db300ce9d3171f4106da18fe49e7045232630fe3d4c6e37cb2b39ab9",
-                "sha256:71a904da8c9c02aee581f4452a5a988c3003207cb8033db426f29e5b2c0b7aea",
-                "sha256:8021dee64899f993f4b5cca323aae65aabc01a546ed44356a0965e29d7893c94",
-                "sha256:8b8d551f1bd60b3e1c59ff55b9e8d74607a5308f66e2916948cafd13480b44a3",
-                "sha256:93f9f720081d97acee38a411e861d4ce84cbc8ea5319bc1f8e38c972c47af49f",
-                "sha256:96f0c79a70642dfdf7e6a018ebcbea7ea5205e27d8e019cad442d2acfc9af267",
-                "sha256:9966337353e436e6ba652814b0a957a517feb492a98b8f9d3b6ba76d22301dcc",
-                "sha256:a34ba9e39f8269fd66ab4f7a802794ffea6d6ac500568ec05b327a862c21ce23",
-                "sha256:a49f85f0a099a5755d0a2cc6fc337e3cb945ad6390ec892332c691ab0a045882",
-                "sha256:a795829dc522227265d72b25d6ee6f6d41eb2105c15912c230097c8f5bfdbcdc",
-                "sha256:a89ca4105f8099de349d139d1090bad387fe2b208b717b288699ca26f179acbe",
-                "sha256:ac95101736239260189f426b1e361dc1b704513963357dc474beb0f39f5b7759",
-                "sha256:ae87ab669431f611c56e581679db33b9a467f87d7bf197ac384e71e4956b4456",
-                "sha256:b091dcfee169ad8de21b61eb2c3a75f9f0f859f851f64fdaf9320759a3244239",
-                "sha256:b511c6009d50d5c0dd0bab85ed25bc8ad6b6f5611de3a63a59786207e82824bb",
-                "sha256:b79dc2b2e313565416c1e62807c7c25c67a6ff0a0f8d83a318df464555b65948",
-                "sha256:bca14dfcfd9aae06d7d8d7e105539bd77d39d06caaae57a1ce945670bae744e0",
-                "sha256:c835c30f3af5c63a80917b72115e1defb83de99c73bc727bddd979a3b449e183",
-                "sha256:ccd721f1d4fc42b541b633d6e339018a08dd0290dc67269df79552843a06ca92",
-                "sha256:d6c2b1d78ceceb6741d703508cd0e9197b34f6bf6864dab30f940f8886e04ade",
-                "sha256:d6ec4ae13760ceda023b2e5ef1f9bc0b21e4b0830458db143794a117fdbdc044",
-                "sha256:d8b623fc429a38a881ab2d9a56ef30e8ea20c72a891c193f5ebbddc016e083ee",
-                "sha256:ea9753d64cba6f226947c318a923dadaf1e21cd8db02f71652405263daa1f033",
-                "sha256:ebbceefbffae118ab954d3cd6bf718f5790db66152f95202ebc231d58ad4e2c2",
-                "sha256:ecb6e7c45f9cd199c10ec35262b53b2247fb9a408803ed00ee5bb2b54aa626f5",
-                "sha256:ef9326c64349e2d718373415814e754183057ebc092261387a2c2f732d9172b2",
-                "sha256:f93a9d8804f4cec9da6c26c8cfae2c777028b4fdd9f49de0302e26e00bb86504",
-                "sha256:faf08b0341828f6a29b8f7dd94d5cf8cc7c39bfc3e67b78514c54b494b66915a"
+                "sha256:0696eb934dee723e3292056a2c046ddb1e4dd3887685783a9f4af638e85dee76",
+                "sha256:105122fa63da98d8456d5026bc6ac5a1399fd82fa6bad22c6ea641b1572c9142",
+                "sha256:116c277774f84266044e889501fe79cfd293a8b4336b7a5e89b9f20f1e5a9f21",
+                "sha256:12eaf0bbe568bd62e6cade7937e0bf01a2a4cef49a82f4fd204401e78409e158",
+                "sha256:1401cfa4320691cbd91191ec678735c727dee674d0997b0902a5a38ad482faf5",
+                "sha256:19acdb8831a4e3b03b23369db43178d8fee1f17b99c83af6cd907886f76bd9d4",
+                "sha256:208851a2f8dd31e468f0b5aa6c94433975bd67a107a4e7da3bdda947c9f85e25",
+                "sha256:24d68499a27b2d93831fde4a9b84ea5b19e0ab141425fbc9ab1e5b4dad179df7",
+                "sha256:2778c6cb379d804e429cc8e627392909e60db5152b42c695c37ae5757aae50ae",
+                "sha256:2a0a5e323cf86760784ce2b91d8ab5ea09d0865d6ef4da0151e03d15d097b24e",
+                "sha256:2d9cbe0c755ab8b6f583169c0783f7278fc6b195e423b09c5a8da6f858025e96",
+                "sha256:2de1429e4eeab799c168a4f6e6eecdf30fcaa389bba4039cc8a065d6b7aad647",
+                "sha256:32753eda8d413ce4f208cfe01dd61171a78068a6f5d5f38ccd751e00585cdf1d",
+                "sha256:3ee8ad16a35c45a5bab098e39020ecb6fec3b0e700a9d88983d35cbabcee79c8",
+                "sha256:4f03fc0a25122cdcbf39136510d4ea7627f732206892db522adf510bc03b8c67",
+                "sha256:4f3e36086d6631ceaf468503f96a3be0d247caef0660c9452fb1b0c055783851",
+                "sha256:503c1ba0920a46a1844363725215ef44d59fcac2bd2c03ae3c59aa9d08d29bd6",
+                "sha256:507861cf3d97a86fbe26ea6cc04660ae028b9e4080b8290e28b99547b4e15d89",
+                "sha256:56ae6e3cf0506ec0c40b466e31f41ee7a7149a2b505ae0ee50edd9043b423d27",
+                "sha256:6530b7b9505123cdea40a2301225183ca65f389bc6129f0c225b9b41680268d8",
+                "sha256:6729914dd73483cd1c8aaace3ac082436fc98b0072743ac136eaea0b3811d42f",
+                "sha256:7406dd2e44c7cfb4680c0a45a03264381802c67890cf506c147288f04c67177d",
+                "sha256:7684016b73938ca12d160d2907d141f06b7597bd17d854e32bb7588be01afa1d",
+                "sha256:7db58ad61f3f6ea393aaf124d774ee0c58806320bc85c06dc9480f5c7219c250",
+                "sha256:83946ca9278b304728b637bc8d8200ab1663a79de85e47724594917aeed0e892",
+                "sha256:84057cfae5676f456b03970eb78b7e182fddc80c2daafd83465a3d6ca9ff8dbf",
+                "sha256:862b6164e9a38b5c495be2c2854e75fd8af12c5be4c61dc9b42d255980d7e907",
+                "sha256:8ddb4f9ce6bb388ecc97b4b3eb37e786f05d7d5815e8822e0d87a3dbd7100649",
+                "sha256:92eb03f47427fea452ff6956d11f5d5a3f22a048c90a0f34fa223e6badab6c85",
+                "sha256:a5f3bc727fea58f21d99c22e6d4fca652dc11dbc2a1e7cfc4838cd53b2e3691f",
+                "sha256:a6180dbf5945b27e9420e1b58c3cacfc79ad5278bdad3ea35109f5680fbe16d1",
+                "sha256:b158f673ae6a6523f13704f70aa7e4ce875f91e379bece4362c89db18db189d5",
+                "sha256:cd45b4542134de63e7b9dd653e0a2d7d47ffed9615e3637c27ca5f6b78ea68bb",
+                "sha256:d2404336fd16788ea757d4218a2580de60adb052d9888031e765320be8884309",
+                "sha256:db888d4fb33a2fd54b57ac55d5015e51fa849f0d8592bd799b4e47f83bd04e00",
+                "sha256:dde0ac721c7c5bfa5f9fc285e811274dec3c392f2c1225f7d07ca98a8187ca84",
+                "sha256:de0d06ccbc06af5bf93bddec10f4f80275c5d74ea6d28b456931f3955f58bc8c",
+                "sha256:e02dad60e3e8442eefd28095e99b2ac98f2b8667167493ac6a2f3aadb5d84a17",
+                "sha256:e960fe211496333b2f7e36badf4c22a919d740386681f79139ee346b403d1ca1",
+                "sha256:e9700c52749cb3e90c98efd72b730c97b7e4962992fca5fbcaf1363be8e3b849",
+                "sha256:ee318974a1fdacba1701bc9e552e9015788d6345416364af6fa987424ff8df53"
             ],
-            "version": "==2021.8.21"
+            "version": "==2021.8.27"
         },
         "requests": {
             "hashes": [

authentik/__init__.py

@@ -1,3 +1,3 @@
 """authentik"""
-__version__ = "2021.8.2"
+__version__ = "2021.8.3"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"

authentik/outposts/controllers/docker.py

@@ -29,7 +29,9 @@ class DockerController(BaseController):
             raise ControllerException from exc
 
     def _get_labels(self) -> dict[str, str]:
-        return {}
+        return {
+            "io.goauthentik.outpost-uuid": self.outpost.pk.hex,
+        }
 
     def _get_env(self) -> dict[str, str]:
         return {
@@ -49,6 +51,17 @@ class DockerController(BaseController):
                 return True
         return False
 
+    def _comp_labels(self, container: Container) -> bool:
+        """Check if container's labels is equal to what we would set. Return true if container needs
+        to be rebuilt."""
+        should_be = self._get_labels()
+        for key, expected_value in should_be.items():
+            if key not in container.labels:
+                return True
+            if container.labels[key] != expected_value:
+                return True
+        return False
+
     def _comp_ports(self, container: Container) -> bool:
         """Check that the container has the correct ports exposed. Return true if container needs
         to be rebuilt."""
@@ -92,9 +105,11 @@ class DockerController(BaseController):
                 "environment": self._get_env(),
                 "labels": self._get_labels(),
                 "restart_policy": {"Name": "unless-stopped"},
+                "network": self.outpost.config.docker_network,
             }
             if settings.TEST:
                 del container_args["ports"]
+                del container_args["network"]
                 container_args["network_mode"] = "host"
             return (
                 self.client.containers.create(**container_args),
@@ -133,6 +148,11 @@ class DockerController(BaseController):
                 self.logger.info("Container has outdated config, re-creating...")
                 self.down()
                 return self.up(depth + 1)
+            # Check that container values match our values
+            if self._comp_labels(container):
+                self.logger.info("Container has outdated labels, re-creating...")
+                self.down()
+                return self.up(depth + 1)
             if (
                 container.attrs.get("HostConfig", {})
                 .get("RestartPolicy", {})

authentik/outposts/controllers/k8s/base.py

@@ -3,10 +3,11 @@ from typing import TYPE_CHECKING, Generic, TypeVar
 
 from django.utils.text import slugify
 from kubernetes.client import V1ObjectMeta
+from kubernetes.client.exceptions import ApiException, OpenApiException
 from kubernetes.client.models.v1_deployment import V1Deployment
 from kubernetes.client.models.v1_pod import V1Pod
-from kubernetes.client.rest import ApiException
 from structlog.stdlib import get_logger
+from urllib3.exceptions import HTTPError
 
 from authentik import __version__
 from authentik.lib.sentry import SentryIgnoredException
@@ -72,8 +73,9 @@ class KubernetesObjectReconciler(Generic[T]):
         try:
             try:
                 current = self.retrieve()
-            except ApiException as exc:
-                if exc.status == 404:
+            except (OpenApiException, HTTPError) as exc:
+                # pylint: disable=no-member
+                if isinstance(exc, ApiException) and exc.status == 404:
                     self.logger.debug("Failed to get current, triggering recreate")
                     raise NeedsRecreate from exc
                 self.logger.debug("Other unhandled error", exc=exc)
@@ -104,8 +106,9 @@ class KubernetesObjectReconciler(Generic[T]):
             current = self.retrieve()
             self.delete(current)
             self.logger.debug("Removing")
-        except ApiException as exc:
-            if exc.status == 404:
+        except (OpenApiException, HTTPError) as exc:
+            # pylint: disable=no-member
+            if isinstance(exc, ApiException) and exc.status == 404:
                 self.logger.debug("Failed to get current, assuming non-existant")
                 return
             self.logger.debug("Other unhandled error", exc=exc)

authentik/outposts/controllers/kubernetes.py

@@ -3,8 +3,9 @@ from io import StringIO
 from typing import Type
 
 from kubernetes.client.api_client import ApiClient
-from kubernetes.client.exceptions import ApiException
+from kubernetes.client.exceptions import OpenApiException
 from structlog.testing import capture_logs
+from urllib3.exceptions import HTTPError
 from yaml import dump_all
 
 from authentik.outposts.controllers.base import BaseController, ControllerException
@@ -12,7 +13,7 @@ from authentik.outposts.controllers.k8s.base import KubernetesObjectReconciler
 from authentik.outposts.controllers.k8s.deployment import DeploymentReconciler
 from authentik.outposts.controllers.k8s.secret import SecretReconciler
 from authentik.outposts.controllers.k8s.service import ServiceReconciler
-from authentik.outposts.models import KubernetesServiceConnection, Outpost
+from authentik.outposts.models import KubernetesServiceConnection, Outpost, ServiceConnectionInvalid
 
 
 class KubernetesController(BaseController):
@@ -40,7 +41,7 @@ class KubernetesController(BaseController):
                 reconciler = self.reconcilers[reconcile_key](self)
                 reconciler.up()
 
-        except ApiException as exc:
+        except (OpenApiException, HTTPError, ServiceConnectionInvalid) as exc:
             raise ControllerException(str(exc)) from exc
 
     def up_with_logs(self) -> list[str]:
@@ -55,7 +56,7 @@ class KubernetesController(BaseController):
                     reconciler.up()
                 all_logs += [f"{reconcile_key.title()}: {x['event']}" for x in logs]
             return all_logs
-        except ApiException as exc:
+        except (OpenApiException, HTTPError, ServiceConnectionInvalid) as exc:
             raise ControllerException(str(exc)) from exc
 
     def down(self):
@@ -65,7 +66,7 @@ class KubernetesController(BaseController):
                 self.logger.debug("Tearing down object", name=reconcile_key)
                 reconciler.down()
 
-        except ApiException as exc:
+        except (OpenApiException, HTTPError, ServiceConnectionInvalid) as exc:
             raise ControllerException(str(exc)) from exc
 
     def down_with_logs(self) -> list[str]:
@@ -80,7 +81,7 @@ class KubernetesController(BaseController):
                     reconciler.down()
                 all_logs += [f"{reconcile_key.title()}: {x['event']}" for x in logs]
             return all_logs
-        except ApiException as exc:
+        except (OpenApiException, HTTPError, ServiceConnectionInvalid) as exc:
             raise ControllerException(str(exc)) from exc
 
     def get_static_deployment(self) -> str:

authentik/outposts/models.py

@@ -56,6 +56,7 @@ class ServiceConnectionInvalid(SentryIgnoredException):
 
 
 @dataclass
+# pylint: disable=too-many-instance-attributes
 class OutpostConfig:
     """Configuration an outpost uses to configure it self"""
 
@@ -67,8 +68,10 @@ class OutpostConfig:
     log_level: str = CONFIG.y("log_level")
     error_reporting_enabled: bool = CONFIG.y_bool("error_reporting.enabled")
     error_reporting_environment: str = CONFIG.y("error_reporting.environment", "customer")
-
     object_naming_template: str = field(default="ak-outpost-%(name)s")
+
+    docker_network: Optional[str] = field(default=None)
+
     kubernetes_replicas: int = field(default=1)
     kubernetes_namespace: str = field(default_factory=get_namespace)
     kubernetes_ingress_annotations: dict[str, str] = field(default_factory=dict)
@@ -362,7 +365,7 @@ class Outpost(ManagedModel):
                     )
                     try:
                         assign_perm(code_name, user, model_or_perm)
-                    except Permission.DoesNotExist as exc:
+                    except (Permission.DoesNotExist, AttributeError) as exc:
                         LOGGER.warning(
                             "permission doesn't exist",
                             code_name=code_name,

authentik/providers/proxy/controllers/docker.py

@@ -22,13 +22,13 @@ class ProxyDockerController(DockerController):
         for proxy_provider in ProxyProvider.objects.filter(outpost__in=[self.outpost]):
             proxy_provider: ProxyProvider
             external_host_name = urlparse(proxy_provider.external_host)
-            hosts.append(f"`{external_host_name}`")
+            hosts.append(f"`{external_host_name.netloc}`")
         traefik_name = f"ak-outpost-{self.outpost.pk.hex}"
-        return {
-            "traefik.enable": "true",
-            f"traefik.http.routers.{traefik_name}-router.rule": f"Host({','.join(hosts)})",
-            f"traefik.http.routers.{traefik_name}-router.tls": "true",
-            f"traefik.http.routers.{traefik_name}-router.service": f"{traefik_name}-service",
-            f"traefik.http.services.{traefik_name}-service.loadbalancer.healthcheck.path": "/",
-            f"traefik.http.services.{traefik_name}-service.loadbalancer.server.port": "4180",
-        }
+        labels = super()._get_labels()
+        labels["traefik.enable"] = "true"
+        labels[f"traefik.http.routers.{traefik_name}-router.rule"] = f"Host({','.join(hosts)})"
+        labels[f"traefik.http.routers.{traefik_name}-router.tls"] = "true"
+        labels[f"traefik.http.routers.{traefik_name}-router.service"] = f"{traefik_name}-service"
+        labels[f"traefik.http.services.{traefik_name}-service.loadbalancer.healthcheck.path"] = "/"
+        labels[f"traefik.http.services.{traefik_name}-service.loadbalancer.server.port"] = "4180"
+        return labels

authentik/stages/identification/stage.py

@@ -96,7 +96,9 @@ class IdentificationChallengeResponse(ChallengeResponse):
             # No password stage select, don't validate the password
             return attrs
 
-        password = attrs["password"]
+        password = attrs.get("password", None)
+        if not password:
+            LOGGER.warning("Password not set for ident+auth attempt")
         try:
             user = authenticate(
                 self.stage.request,

authentik/stages/password/stage.py

@@ -32,9 +32,7 @@ PLAN_CONTEXT_METHOD_ARGS = "auth_method_args"
 SESSION_INVALID_TRIES = "user_invalid_tries"
 
 
-def authenticate(
-    request: HttpRequest, backends: list[str], **credentials: dict[str, Any]
-) -> Optional[User]:
+def authenticate(request: HttpRequest, backends: list[str], **credentials: Any) -> Optional[User]:
     """If the given credentials are valid, return a User object.
 
     Customized version of django's authenticate, which accepts a list of backends"""

docker-compose.yml

@@ -21,7 +21,7 @@ services:
     networks:
       - internal
   server:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2021.8.2}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2021.8.3}
     restart: unless-stopped
     command: server
     environment:
@@ -44,7 +44,7 @@ services:
       - "0.0.0.0:9000:9000"
       - "0.0.0.0:9443:9443"
   worker:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2021.8.2}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2021.8.3}
     restart: unless-stopped
     command: worker
     networks:

go.mod

@@ -10,7 +10,7 @@ require (
 	github.com/go-ldap/ldap/v3 v3.4.1
 	github.com/go-openapi/analysis v0.20.1 // indirect
 	github.com/go-openapi/errors v0.20.0 // indirect
-	github.com/go-openapi/runtime v0.19.30
+	github.com/go-openapi/runtime v0.19.31
 	github.com/go-openapi/strfmt v0.20.2
 	github.com/go-openapi/swag v0.19.15 // indirect
 	github.com/go-openapi/validate v0.20.2 // indirect

go.sum

@@ -205,8 +205,8 @@ github.com/go-openapi/runtime v0.19.4/go.mod h1:X277bwSUBxVlCYR3r7xgZZGKVvBd/29g
 github.com/go-openapi/runtime v0.19.15/go.mod h1:dhGWCTKRXlAfGnQG0ONViOZpjfg0m2gUt9nTQPQZuoo=
 github.com/go-openapi/runtime v0.19.16/go.mod h1:5P9104EJgYcizotuXhEuUrzVc+j1RiSjahULvYmlv98=
 github.com/go-openapi/runtime v0.19.24/go.mod h1:Lm9YGCeecBnUUkFTxPC4s1+lwrkJ0pthx8YvyjCfkgk=
-github.com/go-openapi/runtime v0.19.30 h1:bVDeSf4HU9EMth+lHD1EthaHe1SFoUVPaUvQtkGS9g8=
-github.com/go-openapi/runtime v0.19.30/go.mod h1:BvrQtn6iVb2QmiVXRsFAm6ZCAZBpbVKFfN6QWCp582M=
+github.com/go-openapi/runtime v0.19.31 h1:GX+MgBxN12s/tQiHNJpvHDIoZiEXAz6j6Rqg0oJcnpg=
+github.com/go-openapi/runtime v0.19.31/go.mod h1:BvrQtn6iVb2QmiVXRsFAm6ZCAZBpbVKFfN6QWCp582M=
 github.com/go-openapi/spec v0.17.0/go.mod h1:XkF/MOi14NmjsfZ8VtAKf8pIlbZzyoTvZsdfssdxcBI=
 github.com/go-openapi/spec v0.18.0/go.mod h1:XkF/MOi14NmjsfZ8VtAKf8pIlbZzyoTvZsdfssdxcBI=
 github.com/go-openapi/spec v0.19.2/go.mod h1:sCxk3jxKgioEJikev4fgkNmwS+3kuYdJtcsZsD5zxMY=

internal/constants/constants.go

@@ -17,4 +17,4 @@ func OutpostUserAgent() string {
 	return fmt.Sprintf("authentik-outpost@%s (%s)", VERSION, BUILD())
 }
 
-const VERSION = "2021.8.2"
+const VERSION = "2021.8.3"

internal/outpost/flow.go

@@ -152,7 +152,9 @@ func (fe *FlowExecutor) solveFlowChallenge(depth int) (bool, error) {
 	responseReq := fe.api.FlowsApi.FlowsExecutorSolve(scsp.Context(), fe.flowSlug).Query(fe.Params.Encode())
 	switch ch.GetComponent() {
 	case string(StageIdentification):
-		responseReq = responseReq.FlowChallengeResponseRequest(api.IdentificationChallengeResponseRequestAsFlowChallengeResponseRequest(api.NewIdentificationChallengeResponseRequest(fe.getAnswer(StageIdentification))))
+		r := api.NewIdentificationChallengeResponseRequest(fe.getAnswer(StageIdentification))
+		r.SetPassword(fe.getAnswer(StagePassword))
+		responseReq = responseReq.FlowChallengeResponseRequest(api.IdentificationChallengeResponseRequestAsFlowChallengeResponseRequest(r))
 	case string(StagePassword):
 		responseReq = responseReq.FlowChallengeResponseRequest(api.PasswordChallengeResponseRequestAsFlowChallengeResponseRequest(api.NewPasswordChallengeResponseRequest(fe.getAnswer(StagePassword))))
 	case string(StageAuthenticatorValidate):

schema.yml

@@ -1,7 +1,7 @@
 openapi: 3.0.3
 info:
   title: authentik
-  version: 2021.8.2
+  version: 2021.8.3
   description: Making authentication simple.
   contact:
     email: hello@beryju.org

web/package-lock.json

@@ -15,11 +15,11 @@
                 "@babel/preset-env": "^7.15.0",
                 "@babel/preset-typescript": "^7.15.0",
                 "@fortawesome/fontawesome-free": "^5.15.4",
-                "@goauthentik/api": "^2021.8.1-1629986812",
+                "@goauthentik/api": "^2021.8.2-1629997023",
                 "@lingui/cli": "^3.10.2",
                 "@lingui/core": "^3.10.4",
                 "@lingui/macro": "^3.10.2",
-                "@patternfly/patternfly": "^4.125.3",
+                "@patternfly/patternfly": "^4.132.2",
                 "@polymer/iron-form": "^3.0.1",
                 "@polymer/paper-input": "^3.2.1",
                 "@rollup/plugin-babel": "^5.3.0",
@@ -59,7 +59,7 @@
                 "rollup-plugin-terser": "^7.0.2",
                 "ts-lit-plugin": "^1.2.1",
                 "tslib": "^2.3.1",
-                "typescript": "^4.3.5",
+                "typescript": "^4.4.2",
                 "webcomponent-qr-code": "^1.0.5",
                 "yaml": "^1.10.2"
             }
@@ -1689,9 +1689,9 @@
             }
         },
         "node_modules/@goauthentik/api": {
-            "version": "2021.8.1-1629986812",
-            "resolved": "https://registry.npmjs.org/@goauthentik/api/-/api-2021.8.1-1629986812.tgz",
-            "integrity": "sha512-/wKkUjm6fTDpjhfp0LJlLA6HIFhMt96BdadMIFPRrRl/DWXcIdPzDJMioiteXRWwrRXC0a9fnxEC/xgFcjz7Bg=="
+            "version": "2021.8.2-1629997023",
+            "resolved": "https://registry.npmjs.org/@goauthentik/api/-/api-2021.8.2-1629997023.tgz",
+            "integrity": "sha512-j80ZOgU+ZP40WD6PGJzxYmVKeGEcNJLjRqAQDvVmdfxA1++O6Ul1hYk02kSrDpQRbjdqmuO3u3a9s/HHKEvkrw=="
         },
         "node_modules/@humanwhocodes/config-array": {
             "version": "0.5.0",
@@ -2071,9 +2071,9 @@
             }
         },
         "node_modules/@patternfly/patternfly": {
-            "version": "4.125.3",
-            "resolved": "https://registry.npmjs.org/@patternfly/patternfly/-/patternfly-4.125.3.tgz",
-            "integrity": "sha512-B0L3TFdFYsioV1loCsd3s3Y6eNV/9YjHQIlFnxF1KRgj+eVq0idKi1Mnq28eycKQgFi6ld3tEveMSxBsaw3R9A=="
+            "version": "4.132.2",
+            "resolved": "https://registry.npmjs.org/@patternfly/patternfly/-/patternfly-4.132.2.tgz",
+            "integrity": "sha512-66qBgIpwPPeTUMTUUO6Z73XApvNXxn3uFaXMeVa09viYGDKzEX3L1FIfc4VzVk2okhk/9KJIYYgxofeuGi5v6A=="
         },
         "node_modules/@polymer/font-roboto": {
             "version": "3.0.2",
@@ -8021,9 +8021,9 @@
             }
         },
         "node_modules/typescript": {
-            "version": "4.3.5",
-            "resolved": "https://registry.npmjs.org/typescript/-/typescript-4.3.5.tgz",
-            "integrity": "sha512-DqQgihaQ9cUrskJo9kIyW/+g0Vxsk8cDtZ52a3NGh0YNTfpUSArXSohyUGnvbPazEPLu398C0UxmKSOrPumUzA==",
+            "version": "4.4.2",
+            "resolved": "https://registry.npmjs.org/typescript/-/typescript-4.4.2.tgz",
+            "integrity": "sha512-gzP+t5W4hdy4c+68bfcv0t400HVJMMd2+H9B7gae1nQlBzCqvrXX+6GL/b3GAgyTH966pzrZ70/fRjwAtZksSQ==",
             "bin": {
                 "tsc": "bin/tsc",
                 "tsserver": "bin/tsserver"
@@ -9566,9 +9566,9 @@
             "integrity": "sha512-eYm8vijH/hpzr/6/1CJ/V/Eb1xQFW2nnUKArb3z+yUWv7HTwj6M7SP957oMjfZjAHU6qpoNc2wQvIxBLWYa/Jg=="
         },
         "@goauthentik/api": {
-            "version": "2021.8.1-1629986812",
-            "resolved": "https://registry.npmjs.org/@goauthentik/api/-/api-2021.8.1-1629986812.tgz",
-            "integrity": "sha512-/wKkUjm6fTDpjhfp0LJlLA6HIFhMt96BdadMIFPRrRl/DWXcIdPzDJMioiteXRWwrRXC0a9fnxEC/xgFcjz7Bg=="
+            "version": "2021.8.2-1629997023",
+            "resolved": "https://registry.npmjs.org/@goauthentik/api/-/api-2021.8.2-1629997023.tgz",
+            "integrity": "sha512-j80ZOgU+ZP40WD6PGJzxYmVKeGEcNJLjRqAQDvVmdfxA1++O6Ul1hYk02kSrDpQRbjdqmuO3u3a9s/HHKEvkrw=="
         },
         "@humanwhocodes/config-array": {
             "version": "0.5.0",
@@ -9847,9 +9847,9 @@
             }
         },
         "@patternfly/patternfly": {
-            "version": "4.125.3",
-            "resolved": "https://registry.npmjs.org/@patternfly/patternfly/-/patternfly-4.125.3.tgz",
-            "integrity": "sha512-B0L3TFdFYsioV1loCsd3s3Y6eNV/9YjHQIlFnxF1KRgj+eVq0idKi1Mnq28eycKQgFi6ld3tEveMSxBsaw3R9A=="
+            "version": "4.132.2",
+            "resolved": "https://registry.npmjs.org/@patternfly/patternfly/-/patternfly-4.132.2.tgz",
+            "integrity": "sha512-66qBgIpwPPeTUMTUUO6Z73XApvNXxn3uFaXMeVa09viYGDKzEX3L1FIfc4VzVk2okhk/9KJIYYgxofeuGi5v6A=="
         },
         "@polymer/font-roboto": {
             "version": "3.0.2",
@@ -14339,9 +14339,9 @@
             "integrity": "sha512-t0rzBq87m3fVcduHDUFhKmyyX+9eo6WQjZvf51Ea/M0Q7+T374Jp1aUiyUl0GKxp8M/OETVHSDvmkyPgvX+X2w=="
         },
         "typescript": {
-            "version": "4.3.5",
-            "resolved": "https://registry.npmjs.org/typescript/-/typescript-4.3.5.tgz",
-            "integrity": "sha512-DqQgihaQ9cUrskJo9kIyW/+g0Vxsk8cDtZ52a3NGh0YNTfpUSArXSohyUGnvbPazEPLu398C0UxmKSOrPumUzA=="
+            "version": "4.4.2",
+            "resolved": "https://registry.npmjs.org/typescript/-/typescript-4.4.2.tgz",
+            "integrity": "sha512-gzP+t5W4hdy4c+68bfcv0t400HVJMMd2+H9B7gae1nQlBzCqvrXX+6GL/b3GAgyTH966pzrZ70/fRjwAtZksSQ=="
         },
         "uglify-js": {
             "version": "3.14.1",

web/package.json

@@ -46,11 +46,11 @@
         "@babel/preset-env": "^7.15.0",
         "@babel/preset-typescript": "^7.15.0",
         "@fortawesome/fontawesome-free": "^5.15.4",
-        "@goauthentik/api": "^2021.8.1-1629986812",
+        "@goauthentik/api": "^2021.8.2-1629997023",
         "@lingui/cli": "^3.10.2",
         "@lingui/core": "^3.10.4",
         "@lingui/macro": "^3.10.2",
-        "@patternfly/patternfly": "^4.125.3",
+        "@patternfly/patternfly": "^4.132.2",
         "@polymer/iron-form": "^3.0.1",
         "@polymer/paper-input": "^3.2.1",
         "@rollup/plugin-babel": "^5.3.0",
@@ -90,7 +90,7 @@
         "rollup-plugin-terser": "^7.0.2",
         "ts-lit-plugin": "^1.2.1",
         "tslib": "^2.3.1",
-        "typescript": "^4.3.5",
+        "typescript": "^4.4.2",
         "webcomponent-qr-code": "^1.0.5",
         "yaml": "^1.10.2"
     }

web/src/constants.ts

@@ -3,7 +3,7 @@ export const SUCCESS_CLASS = "pf-m-success";
 export const ERROR_CLASS = "pf-m-danger";
 export const PROGRESS_CLASS = "pf-m-in-progress";
 export const CURRENT_CLASS = "pf-m-current";
-export const VERSION = "2021.8.2";
+export const VERSION = "2021.8.3";
 export const PAGE_SIZE = 20;
 export const TITLE_DEFAULT = "authentik";
 export const ROUTE_SEPARATOR = ";";

web/src/flows/FlowExecutor.ts

@@ -55,8 +55,33 @@ import { WebsocketClient } from "../common/ws";
 export class FlowExecutor extends LitElement implements StageHost {
     flowSlug: string;
 
+    private _challenge?: ChallengeTypes;
+
     @property({ attribute: false })
-    challenge?: ChallengeTypes;
+    set challenge(value: ChallengeTypes | undefined) {
+        this._challenge = value;
+        // Assign the location as soon as we get the challenge and *not* in the render function
+        // as the render function might be called multiple times, which will navigate multiple
+        // times and can invalidate oauth codes
+        if (value?.type === ChallengeChoices.Redirect) {
+            console.debug(
+                "authentik/flows: redirecting to url from server",
+                (value as RedirectChallenge).to,
+            );
+            window.location.assign((value as RedirectChallenge).to);
+        }
+        tenant().then((tenant) => {
+            if (value?.flowInfo?.title) {
+                document.title = `${value.flowInfo?.title} - ${tenant.brandingTitle}`;
+            } else {
+                document.title = tenant.brandingTitle || TITLE_DEFAULT;
+            }
+        });
+    }
+
+    get challenge(): ChallengeTypes | undefined {
+        return this._challenge;
+    }
 
     @property({ type: Boolean })
     loading = false;
@@ -95,16 +120,6 @@ export class FlowExecutor extends LitElement implements StageHost {
             });
     }
 
-    private postUpdate(): void {
-        tenant().then((tenant) => {
-            if (this.challenge?.flowInfo?.title) {
-                document.title = `${this.challenge.flowInfo?.title} - ${tenant.brandingTitle}`;
-            } else {
-                document.title = tenant.brandingTitle || TITLE_DEFAULT;
-            }
-        });
-    }
-
     submit(payload?: FlowChallengeResponseRequest): Promise<void> {
         if (!payload) return Promise.reject();
         if (!this.challenge) return Promise.reject();
@@ -119,7 +134,6 @@ export class FlowExecutor extends LitElement implements StageHost {
             })
             .then((data) => {
                 this.challenge = data;
-                this.postUpdate();
             })
             .catch((e: Error | Response) => {
                 this.errorMessage(e);
@@ -144,7 +158,6 @@ export class FlowExecutor extends LitElement implements StageHost {
                 if (this.challenge?.flowInfo?.background) {
                     this.setBackground(this.challenge.flowInfo.background);
                 }
-                this.postUpdate();
             })
             .catch((e: Error | Response) => {
                 // Catch JSON or Update errors
@@ -189,11 +202,6 @@ export class FlowExecutor extends LitElement implements StageHost {
         }
         switch (this.challenge.type) {
             case ChallengeChoices.Redirect:
-                console.debug(
-                    "authentik/flows: redirecting to url from server",
-                    (this.challenge as RedirectChallenge).to,
-                );
-                window.location.assign((this.challenge as RedirectChallenge).to);
                 return html`<ak-empty-state ?loading=${true} header=${t`Loading`}>
                 </ak-empty-state>`;
             case ChallengeChoices.Shell:

web/src/flows/stages/prompt/PromptStage.ts

@@ -64,13 +64,6 @@ export class PromptStage extends BaseStage<PromptChallenge, PromptChallengeRespo
                     placeholder="${prompt.placeholder}"
                     class="pf-c-form-control"
                     ?required=${prompt.required}>`;
-            case "checkbox":
-                return `<input
-                    type="checkbox"
-                    name="${prompt.fieldKey}"
-                    placeholder="${prompt.placeholder}"
-                    class="pf-c-form-control"
-                    ?required=${prompt.required}>`;
             case "date":
                 return `<input
                     type="date"
@@ -115,6 +108,22 @@ export class PromptStage extends BaseStage<PromptChallenge, PromptChallengeRespo
                     }}
                 >
                     ${this.challenge.fields.map((prompt) => {
+                        // Checkbox is rendered differently
+                        if (prompt.type === "checkbox") {
+                            return html`<div class="pf-c-check">
+                                <input
+                                    type="checkbox"
+                                    class="pf-c-check__input"
+                                    name="${prompt.fieldKey}"
+                                    ?checked=${prompt.placeholder !== ""}
+                                    ?required=${prompt.required}
+                                />
+                                <label class="pf-c-check__label">${prompt.label}</label>
+                                ${prompt.required
+                                    ? html`<p class="pf-c-form__helper-text">${t`Required.`}</p>`
+                                    : html``}
+                            </div>`;
+                        }
                         // Special types that aren't rendered in a wrapper
                         if (
                             prompt.type === "static" ||

web/src/pages/stages/prompt/PromptForm.ts

@@ -157,7 +157,7 @@ export class PromptForm extends ModelForm<Prompt, string> {
             <ak-form-element-horizontal label=${t`Order`} ?required=${true} name="order">
                 <input
                     type="number"
-                    value="${ifDefined(this.instance?.order)}"
+                    value="${first(this.instance?.order, 0)}"
                     class="pf-c-form-control"
                     required
                 />

website/docs/installation/docker-compose.md

@@ -12,9 +12,9 @@ This installation method is for test-setups and small-scale productive setups.
 
 ## Preparation
 
-Download the latest `docker-compose.yml` from [here](https://raw.githubusercontent.com/goauthentik/authentik/version/2021.8.2/docker-compose.yml). Place it in a directory of your choice.
+Download the latest `docker-compose.yml` from [here](https://raw.githubusercontent.com/goauthentik/authentik/version/2021.8.3/docker-compose.yml). Place it in a directory of your choice.
 
-To optionally deploy a different version run `echo AUTHENTIK_TAG=2021.8.2 >> .env`
+To optionally deploy a different version run `echo AUTHENTIK_TAG=2021.8.3 >> .env`
 
 If this is a fresh authentik install run the following commands to generate a password:
 

website/docs/outposts/manual-deploy-docker-compose.md

@@ -11,7 +11,7 @@ version: "3.5"
 
 services:
   authentik_proxy:
-    image: ghcr.io/goauthentik/proxy:2021.8.2
+    image: ghcr.io/goauthentik/proxy:2021.8.3
     ports:
       - 4180:4180
       - 4443:4443
@@ -21,7 +21,7 @@ services:
       AUTHENTIK_TOKEN: token-generated-by-authentik
   # Or, for the LDAP Outpost
   authentik_proxy:
-    image: ghcr.io/goauthentik/ldap:2021.8.2
+    image: ghcr.io/goauthentik/ldap:2021.8.3
     ports:
       - 389:3389
     environment:

website/docs/outposts/manual-deploy-kubernetes.md

@@ -14,7 +14,7 @@ metadata:
     app.kubernetes.io/instance: __OUTPOST_NAME__
     app.kubernetes.io/managed-by: goauthentik.io
     app.kubernetes.io/name: authentik-proxy
-    app.kubernetes.io/version: 2021.8.2
+    app.kubernetes.io/version: 2021.8.3
   name: authentik-outpost-api
 stringData:
   authentik_host: "__AUTHENTIK_URL__"
@@ -29,7 +29,7 @@ metadata:
     app.kubernetes.io/instance: __OUTPOST_NAME__
     app.kubernetes.io/managed-by: goauthentik.io
     app.kubernetes.io/name: authentik-proxy
-    app.kubernetes.io/version: 2021.8.2
+    app.kubernetes.io/version: 2021.8.3
   name: authentik-outpost
 spec:
   ports:
@@ -54,7 +54,7 @@ metadata:
     app.kubernetes.io/instance: __OUTPOST_NAME__
     app.kubernetes.io/managed-by: goauthentik.io
     app.kubernetes.io/name: authentik-proxy
-    app.kubernetes.io/version: 2021.8.2
+    app.kubernetes.io/version: 2021.8.3
   name: authentik-outpost
 spec:
   selector:
@@ -62,14 +62,14 @@ spec:
       app.kubernetes.io/instance: __OUTPOST_NAME__
       app.kubernetes.io/managed-by: goauthentik.io
       app.kubernetes.io/name: authentik-proxy
-      app.kubernetes.io/version: 2021.8.2
+      app.kubernetes.io/version: 2021.8.3
   template:
     metadata:
       labels:
         app.kubernetes.io/instance: __OUTPOST_NAME__
         app.kubernetes.io/managed-by: goauthentik.io
         app.kubernetes.io/name: authentik-proxy
-        app.kubernetes.io/version: 2021.8.2
+        app.kubernetes.io/version: 2021.8.3
     spec:
       containers:
         - env:
@@ -88,7 +88,7 @@ spec:
               secretKeyRef:
                 key: authentik_host_insecure
                 name: authentik-outpost-api
-        image: ghcr.io/goauthentik/proxy:2021.8.2
+        image: ghcr.io/goauthentik/proxy:2021.8.3
         name: proxy
         ports:
           - containerPort: 4180
@@ -110,7 +110,7 @@ metadata:
     app.kubernetes.io/instance: __OUTPOST_NAME__
     app.kubernetes.io/managed-by: goauthentik.io
     app.kubernetes.io/name: authentik-proxy
-    app.kubernetes.io/version: 2021.8.2
+    app.kubernetes.io/version: 2021.8.3
   name: authentik-outpost
 spec:
   rules:

website/docs/outposts/outposts.md

@@ -42,6 +42,11 @@ object_naming_template: ak-outpost-%(name)s
 ########################################
 # Kubernetes outpost specific settings
 ########################################
+# Network the outpost container should be connected to
+docker_network: null
+########################################
+# Kubernetes outpost specific settings
+########################################
 # Replica count for the deployment of the outpost
 kubernetes_replicas: 1
 # Namespace to deploy in, defaults to the same namespace authentik is deployed in (if available)

website/docs/policies/expression.mdx

@@ -56,19 +56,19 @@ Additionally, when the policy is executed from a flow, every variable from the f
 
 This includes the following:
 
-- `prompt_data`: Data which has been saved from a prompt stage or an external source.
-- `application`: The application the user is in the process of authorizing.
-- `pending_user`: The currently pending user, see [User](/docs/expressions/reference/user-object)
-- `auth_method`: Authentication method set (this value is set by password stages)
+- `context['prompt_data']`: Data which has been saved from a prompt stage or an external source.
+- `context['application']`: The application the user is in the process of authorizing.
+- `context['pending_user']`: The currently pending user, see [User](/docs/expressions/reference/user-object)
+- `context['auth_method']`: Authentication method set (this value is set by password stages)
 
-    Depending on method, `auth_method_args` is also set.
+    Depending on method, `context['auth_method_args']` is also set.
 
     Can be any of:
 
     - `password`: Standard password login
     - `app_password`: App passowrd (token)
 
-        Sets `auth_method_args` to
+        Sets `context['auth_method_args']` to
         ```json
         {
             "token": {
@@ -81,7 +81,7 @@ This includes the following:
         ```
     - `ldap`: LDAP bind authentication
 
-        Sets `auth_method_args` to
+        Sets `context['auth_method_args']` to
         ```json
         {
             "source": {} // Information about the source used

website/docs/releases/v2021.8.md

@@ -47,8 +47,8 @@ slug: "2021.8"
 - lib: move id and key generators to lib (#1286)
 - lifecycle: rename to ak
 - outpost: handle non-existant permission
-- outposts: add recursion limit for docker controller
-- outposts: add repair_permissions command
+- outpost: add recursion limit for docker controller
+- outpost: add repair_permissions command
 - root: add alias for akflow files
 - root: add ASGI Error handler
 - root: add License to NPM package
@@ -86,13 +86,25 @@ slug: "2021.8"
 - root: Require PG_PASS to be set (#1303)
 - web/admin: allow admins to create tokens
 
+## Fixed in 2021.8.2
+
+- root: fix login loop created by old settings stored in cache
+
+## Fixed in 2021.8.3
+
+- outpost: fix FlowExecutor not sending password for identification stage
+- outpost: fix generated traefik labels containing invalid hosts
+- outpost: make docker network configurable when using docker integration
+- web/flow: fix redirects to application being sent multiple times, causing issues with OAuth providers
+- web/flow: fix rendering of checkboxes in prompt stages
+
 ## Upgrading
 
 This release does not introduce any new requirements.
 
 ### docker-compose
 
-Download the docker-compose file for 2021.7 from [here](https://raw.githubusercontent.com/goauthentik/authentik/version-2021.7/docker-compose.yml). Afterwards, simply run `docker-compose up -d`.
+Download the docker-compose file for 2021.8 from [here](https://raw.githubusercontent.com/goauthentik/authentik/version-2021.8/docker-compose.yml). Afterwards, simply run `docker-compose up -d`.
 
 ### Kubernetes
 

website/package.json

@@ -12,8 +12,8 @@
         "serve": "docusaurus serve"
     },
     "dependencies": {
-        "@docusaurus/plugin-client-redirects": "2.0.0-beta.4",
-        "@docusaurus/preset-classic": "2.0.0-beta.4",
+        "@docusaurus/plugin-client-redirects": "2.0.0-beta.5",
+        "@docusaurus/preset-classic": "2.0.0-beta.5",
         "@mdx-js/react": "^1.6.22",
         "@sentry/react": "^6.11.0",
         "@sentry/tracing": "^6.11.0",

website/static/flows/login-2fa.akflow

@@ -22,7 +22,7 @@
                 "name": "test-not-app-password",
                 "execution_logging": false,
                 "bound_to": 1,
-                "expression": "return auth_method != \"app_password\""
+                "expression": "return context[\"auth_method\"] != \"app_password\""
             }
         },
         {