make URL path not clash?

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

.cargo/deny.toml

@@ -0,0 +1,35 @@
+[licenses]
+allow = ["Apache-2.0", "MIT", "MPL-2.0", "Unicode-3.0"]
+
+[licenses.private]
+ignore = true
+
+[bans]
+multiple-versions = "allow"
+wildcards = "deny"
+[bans.workspace-dependencies]
+duplicates = "deny"
+include-path-dependencies = true
+unused = "deny"
+
+# No non-FIPS compliant dependencies
+[[bans.deny]]
+name = "native-tls"
+[[bans.deny]]
+name = "openssl"
+[[bans.deny]]
+name = "openssl-sys"
+[[bans.deny]]
+name = "ring"
+[[bans.features]]
+allow = [
+  "alloc",
+  "aws-lc-sys",
+  "default",
+  "fips",
+  "prebuilt-nasm",
+  "ring-io",
+  "ring-sig-verify",
+]
+name = "aws-lc-rs"
+exact = true

.cargo/rustfmt.toml

@@ -0,0 +1,16 @@
+comment_width = 100
+format_code_in_doc_comments = true
+format_strings = true
+group_imports = "StdExternalCrate"
+hex_literal_case = "Lower"
+imports_granularity = "Crate"
+max_width = 100
+newline_style = "Unix"
+normalize_comments = true
+normalize_doc_attributes = true
+reorder_impl_items = true
+style_edition = "2024"
+use_field_init_shorthand = true
+use_try_shorthand = true
+where_single_line = true
+wrap_comments = true

.github/actions/cherry-pick/action.yml

@@ -115,20 +115,13 @@ runs:
       shell: bash
       env:
         GITHUB_TOKEN: ${{ inputs.token }}
+        PR_NUMBER: ${{ steps.should_run.outputs.pr_number }}
+        REASON: ${{ steps.should_run.outputs.reason }}
       run: |
         set -e -o pipefail
-        PR_NUMBER="${{ steps.should_run.outputs.pr_number }}"
-
-        # Get PR details
-        PR_DATA=$(gh api repos/${{ github.repository }}/pulls/$PR_NUMBER)
-        PR_TITLE=$(echo "$PR_DATA" | jq -r '.title')
-        PR_AUTHOR=$(echo "$PR_DATA" | jq -r '.user.login')
-
-        echo "pr_title=$PR_TITLE" >> $GITHUB_OUTPUT
-        echo "pr_author=$PR_AUTHOR" >> $GITHUB_OUTPUT
 
         # Determine which labels to process
-        if [ "${{ steps.should_run.outputs.reason }}" = "label_added_to_merged_pr" ]; then
+        if [ "${REASON}" = "label_added_to_merged_pr" ]; then
           # Only process the specific label that was just added
           if [ "${{ github.event_name }}" = "issues" ]; then
             LABEL_NAME="${{ github.event.label.name }}"
@@ -152,13 +145,13 @@ runs:
       shell: bash
       env:
         GITHUB_TOKEN: ${{ inputs.token }}
+        PR_NUMBER: '${{ steps.should_run.outputs.pr_number }}'
+        COMMIT_SHA: '${{ steps.should_run.outputs.merge_commit_sha }}'
+        PR_TITLE: ${{ github.event.pull_request.title }}
+        PR_AUTHOR: ${{ github.event.pull_request.user.login }}
+        LABELS: '${{ steps.pr_details.outputs.labels }}'
       run: |
         set -e -o pipefail
-        PR_NUMBER='${{ steps.should_run.outputs.pr_number }}'
-        COMMIT_SHA='${{ steps.should_run.outputs.merge_commit_sha }}'
-        PR_TITLE='${{ steps.pr_details.outputs.pr_title }}'
-        PR_AUTHOR='${{ steps.pr_details.outputs.pr_author }}'
-        LABELS='${{ steps.pr_details.outputs.labels }}'
 
         echo "Processing PR #$PR_NUMBER (reason: ${{ steps.should_run.outputs.reason }})"
         echo "Found backport labels: $LABELS"

.github/actions/setup/action.yml

@@ -4,7 +4,7 @@ description: "Setup authentik testing environment"
 inputs:
   dependencies:
     description: "List of dependencies to setup"
-    default: "system,python,node,go,runtime"
+    default: "system,python,rust,node,go,runtime"
   postgresql_version:
     description: "Optional postgresql image tag"
     default: "16"
@@ -22,7 +22,7 @@ runs:
         sudo rm -rf /usr/local/lib/android
     - name: Install uv
       if: ${{ contains(inputs.dependencies, 'python') }}
-      uses: astral-sh/setup-uv@eac588ad8def6316056a12d4907a9d4d84ff7a3b # v5
+      uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v5
       with:
         enable-cache: true
     - name: Setup python
@@ -34,17 +34,46 @@ runs:
       if: ${{ contains(inputs.dependencies, 'python') }}
       shell: bash
       run: uv sync --all-extras --dev --frozen
-    - name: Setup node
+    - name: Setup rust (stable)
+      if: ${{ contains(inputs.dependencies, 'rust') && !contains(inputs.dependencies, 'rust-nightly') }}
+      uses: actions-rust-lang/setup-rust-toolchain@150fca883cd4034361b621bd4e6a9d34e5143606 # v1
+      with:
+        rustflags: ""
+    - name: Setup rust (nightly)
+      if: ${{ contains(inputs.dependencies, 'rust-nightly') }}
+      uses: actions-rust-lang/setup-rust-toolchain@150fca883cd4034361b621bd4e6a9d34e5143606 # v1
+      with:
+        toolchain: nightly
+        components: rustfmt
+        rustflags: ""
+    - name: Setup rust dependencies
+      if: ${{ contains(inputs.dependencies, 'rust') }}
+      uses: taiki-e/install-action@06203676c62f0d3c765be3f2fcfbebbcb02d09f5 # v2
+      with:
+        tool: cargo-deny cargo-machete cargo-llvm-cov nextest
+    - name: Setup node (web)
       if: ${{ contains(inputs.dependencies, 'node') }}
-      uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v4
+      uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v4
       with:
         node-version-file: web/package.json
         cache: "npm"
         cache-dependency-path: web/package-lock.json
-        registry-url: 'https://registry.npmjs.org'
+        registry-url: "https://registry.npmjs.org"
+    - name: Setup node (root)
+      if: ${{ contains(inputs.dependencies, 'node') }}
+      uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v4
+      with:
+        node-version-file: package.json
+        cache: "npm"
+        cache-dependency-path: package-lock.json
+        registry-url: "https://registry.npmjs.org"
+    - name: Install Node deps
+      if: ${{ contains(inputs.dependencies, 'node') }}
+      shell: bash
+      run: npm ci
     - name: Setup go
       if: ${{ contains(inputs.dependencies, 'go') }}
-      uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v5
+      uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v5
       with:
         go-version-file: "go.mod"
     - name: Setup docker cache
@@ -58,7 +87,7 @@ runs:
       run: |
         export PSQL_TAG=${{ inputs.postgresql_version }}
         docker compose -f .github/actions/setup/compose.yml up -d
-        cd web && npm i
+        cd web && npm ci
     - name: Generate config
       if: ${{ contains(inputs.dependencies, 'python') }}
       shell: uv run python {0}

.github/actions/test-results/action.yml

@@ -2,18 +2,22 @@ name: "Process test results"
 description: Convert test results to JUnit, add them to GitHub Actions and codecov
 
 inputs:
+  files:
+    description: Comma-separated explicit list of files to upload
   flags:
     description: Codecov flags
 
 runs:
   using: "composite"
   steps:
-    - uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5
+    - uses: codecov/codecov-action@1af58845a975a7985b0beb0cbe6fbbb71a41dbad # v5
       with:
+        files: ${{ inputs.files }}
         flags: ${{ inputs.flags }}
         use_oidc: true
-    - uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5
+    - uses: codecov/codecov-action@1af58845a975a7985b0beb0cbe6fbbb71a41dbad # v5
       with:
+        files: ${{ inputs.files }}
         flags: ${{ inputs.flags }}
         use_oidc: true
         report_type: test_results

.github/codespell-dictionary.txt

@@ -1 +0,0 @@
-authentic->authentik

.github/codespell-words.txt

@@ -1,32 +0,0 @@
-akadmin
-asgi
-assertIn
-authentik
-authn
-crate
-docstrings
-entra
-goauthentik
-gunicorn
-hass
-jwe
-jwks
-keypair
-keypairs
-kubernetes
-oidc
-ontext
-openid
-passwordless
-plex
-saml
-scim
-singed
-slo
-sso
-totp
-traefik
-# https://github.com/codespell-project/codespell/issues/1224
-upToDate
-warmup
-webauthn

.github/dependabot.yml

@@ -38,6 +38,21 @@ updates:
 
   #endregion
 
+  #region Rust
+
+  - package-ecosystem: rust-toolchain
+    directory: "/"
+    schedule:
+      interval: daily
+      time: "04:00"
+    open-pull-requests-limit: 10
+    commit-message:
+      prefix: "core:"
+    labels:
+      - dependencies
+
+  #endregion
+
   #region Web
 
   - package-ecosystem: npm
@@ -234,7 +249,7 @@ updates:
 
   - package-ecosystem: docker
     directories:
-      - /
+      - /lifecycle/container
       - /website
     schedule:
       interval: daily

.github/workflows/_reusable-docker-build-single.yml

@@ -43,8 +43,8 @@ jobs:
       contents: read
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
-      - uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
+      - uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
+      - uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
       - name: prepare variables
         uses: ./.github/actions/docker-push-variables
         id: ev
@@ -56,23 +56,23 @@ jobs:
           release: ${{ inputs.release }}
       - name: Login to Docker Hub
         if: ${{ inputs.registry_dockerhub }}
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
         with:
           username: ${{ secrets.DOCKER_CORP_USERNAME }}
           password: ${{ secrets.DOCKER_CORP_PASSWORD }}
       - name: Login to GitHub Container Registry
         if: ${{ inputs.registry_ghcr }}
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
-      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v5
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v5
         with:
           node-version-file: web/package.json
           cache: "npm"
           cache-dependency-path: web/package-lock.json
-      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6
+      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
         with:
           go-version-file: "go.mod"
       - name: Generate API Clients
@@ -80,7 +80,7 @@ jobs:
           make gen-client-ts
           make gen-client-go
       - name: Build Docker Image
-        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
         id: push
         with:
           context: .
@@ -95,7 +95,7 @@ jobs:
           platforms: linux/${{ inputs.image_arch }}
           cache-from: type=registry,ref=${{ steps.ev.outputs.attestImageNames }}:buildcache-${{ inputs.image_arch }}
           cache-to: ${{ steps.ev.outputs.cacheTo }}
-      - uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3
+      - uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v3
         id: attest
         if: ${{ steps.ev.outputs.shouldPush == 'true' }}
         with:

.github/workflows/_reusable-docker-build.yml

@@ -79,25 +79,25 @@ jobs:
           image-name: ${{ inputs.image_name }}
       - name: Login to Docker Hub
         if: ${{ inputs.registry_dockerhub }}
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
         with:
           username: ${{ secrets.DOCKER_CORP_USERNAME }}
           password: ${{ secrets.DOCKER_CORP_PASSWORD }}
       - name: Login to GitHub Container Registry
         if: ${{ inputs.registry_ghcr }}
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
-      - uses: int128/docker-manifest-create-action@1a059c021f1d5e9f2bd39de745d5dd3a0ef6df90 # v2
+      - uses: int128/docker-manifest-create-action@8aac06098a12365ccdf99372dcfb453ccce8a0b0 # v2
         id: build
         with:
           tags: ${{ matrix.tag }}
           sources: |
             ${{ steps.ev.outputs.attestImageNames }}@${{ needs.build-server-amd64.outputs.image-digest }}
             ${{ steps.ev.outputs.attestImageNames }}@${{ needs.build-server-arm64.outputs.image-digest }}
-      - uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3
+      - uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v3
         id: attest
         with:
           subject-name: ${{ steps.ev.outputs.attestImageNames }}

.github/workflows/api-ts-publish.yml

@@ -18,14 +18,14 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - id: generate_token
-        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
+        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v2
         with:
           app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+          private-key: ${{ secrets.GH_APP_PRIV_KEY }}
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
         with:
           token: ${{ steps.generate_token.outputs.token }}
-      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v5
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v5
         with:
           node-version-file: web/package.json
           registry-url: "https://registry.npmjs.org"

.github/workflows/ci-api-docs.yml

@@ -33,7 +33,7 @@ jobs:
 
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v5
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v5
         with:
           node-version-file: website/package.json
           cache: "npm"
@@ -41,7 +41,7 @@ jobs:
       - working-directory: website/
         name: Install Dependencies
         run: npm ci
-      - uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v4
+      - uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v4
         with:
           path: |
             ${{ github.workspace }}/website/api/.docusaurus
@@ -55,7 +55,7 @@ jobs:
         env:
           NODE_ENV: production
         run: npm run build -w api
-      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v4
+      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v4
         with:
           name: api-docs
           path: website/api/build
@@ -67,11 +67,11 @@ jobs:
       - build
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v5
+      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v5
         with:
           name: api-docs
           path: website/api/build
-      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v5
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v5
         with:
           node-version-file: website/package.json
           cache: "npm"

.github/workflows/ci-aws-cfn.yml

@@ -24,7 +24,7 @@ jobs:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
       - name: Setup authentik env
         uses: ./.github/actions/setup
-      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v5
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v5
         with:
           node-version-file: lifecycle/aws/package.json
           cache: "npm"

.github/workflows/ci-docs.yml

@@ -36,7 +36,7 @@ jobs:
       NODE_ENV: production
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v5
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v5
         with:
           node-version-file: website/package.json
           cache: "npm"
@@ -53,7 +53,7 @@ jobs:
       NODE_ENV: production
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v5
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v5
         with:
           node-version-file: website/package.json
           cache: "npm"
@@ -77,9 +77,9 @@ jobs:
         with:
           ref: ${{ github.event.pull_request.head.sha }}
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
+        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
       - name: prepare variables
         uses: ./.github/actions/docker-push-variables
         id: ev
@@ -89,14 +89,14 @@ jobs:
           image-name: ghcr.io/goauthentik/dev-docs
       - name: Login to Container Registry
         if: ${{ steps.ev.outputs.shouldPush == 'true' }}
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Build Docker Image
         id: push
-        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
         with:
           tags: ${{ steps.ev.outputs.imageTags }}
           file: website/Dockerfile
@@ -105,7 +105,7 @@ jobs:
           context: .
           cache-from: type=registry,ref=ghcr.io/goauthentik/dev-docs:buildcache
           cache-to: ${{ steps.ev.outputs.shouldPush == 'true' && 'type=registry,ref=ghcr.io/goauthentik/dev-docs:buildcache,mode=max' || '' }}
-      - uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3
+      - uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v3
         id: attest
         if: ${{ steps.ev.outputs.shouldPush == 'true' }}
         with:

.github/workflows/ci-main-daily.yml

@@ -6,6 +6,10 @@ on:
   schedule:
     # Every night at 3am
     - cron: "0 3 * * *"
+  pull_request:
+    paths:
+      # Needs to refer to itself
+      - .github/workflows/ci-main-daily.yml
 
 jobs:
   test-container:
@@ -15,14 +19,14 @@ jobs:
       matrix:
         version:
           - docs
-          - version-2025-4
-          - version-2025-2
+          - version-2025-12
+          - version-2025-10
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
       - run: |
           current="$(pwd)"
           dir="/tmp/authentik/${{ matrix.version }}"
-          mkdir -p $dir
-          cd $dir
-          wget https://${{ matrix.version }}.goauthentik.io/compose.yml
-          ${current}/scripts/test_docker.sh
+          mkdir -p "${dir}/lifecycle/container"
+          cd "${dir}"
+          wget "https://${{ matrix.version }}.goauthentik.io/docker-compose.yml" -O "${dir}/lifecycle/container/compose.yml"
+          "${current}/scripts/test_docker.sh"

.github/workflows/ci-main.yml

@@ -28,20 +28,46 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        job:
-          - bandit
-          - black
-          - codespell
-          - pending-migrations
-          - ruff
-          - mypy
+        include:
+          - job: bandit
+            deps: python
+          - job: black
+            deps: python
+          - job: spellcheck
+            deps: node
+          - job: pending-migrations
+            deps: python,runtime
+          - job: ruff
+            deps: python
+          - job: mypy
+            deps: python
+          - job: cargo-deny
+            deps: rust
+          - job: cargo-machete
+            deps: rust
+          - job: clippy
+            deps: rust
+          - job: rustfmt
+            deps: rust-nightly
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
       - name: Setup authentik env
         uses: ./.github/actions/setup
+        with:
+          dependencies: ${{ matrix.deps }}
       - name: run job
-        run: uv run make ci-${{ matrix.job }}
+        run: make ci-lint-${{ matrix.job }}
+  test-gen-build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
+      - name: Setup authentik env
+        uses: ./.github/actions/setup
+      - name: generate schema
+        run: make migrate gen-build
+      - name: ensure schema is up-to-date
+        run: git diff --exit-code -- schema.yml blueprints/schema.json
   test-migrations:
     runs-on: ubuntu-latest
     steps:
@@ -160,7 +186,7 @@ jobs:
       - name: Setup authentik env
         uses: ./.github/actions/setup
       - name: Create k8s Kind Cluster
-        uses: helm/kind-action@92086f6be054225fa813e0a4b13787fc9088faab # v1.13.0
+        uses: helm/kind-action@ef37e7f390d99f746eb8b610417061a60e82a6cc # v1.14.0
       - name: run integration
         run: |
           uv run coverage run manage.py test tests/integration
@@ -205,7 +231,7 @@ jobs:
         run: |
           docker compose -f tests/e2e/compose.yml up -d --quiet-pull
       - id: cache-web
-        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v4
+        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v4
         with:
           path: web/dist
           key: ${{ runner.os }}-web-${{ hashFiles('web/package-lock.json', 'package-lock.json', 'web/src/**', 'web/packages/sfe/src/**') }}-b
@@ -248,7 +274,7 @@ jobs:
         run: |
           docker compose -f tests/openid_conformance/compose.yml up -d --quiet-pull
       - id: cache-web
-        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v4
+        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v4
         with:
           path: web/dist
           key: ${{ runner.os }}-web-${{ hashFiles('web/package-lock.json', 'web/src/**', 'web/packages/sfe/src/**') }}-b
@@ -269,14 +295,38 @@ jobs:
         with:
           flags: conformance
       - if: ${{ !cancelled() }}
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: conformance-certification-${{ matrix.job.name }}
           path: tests/openid_conformance/exports/
+  test-rust:
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
+      - name: Setup authentik env
+        uses: ./.github/actions/setup
+        with:
+          dependencies: rust
+      - name: run tests
+        run: |
+          cargo llvm-cov --no-report nextest --workspace
+          cargo llvm-cov report --codecov --output-path target/llvm-cov-target/rust.json
+      - uses: ./.github/actions/test-results
+        if: ${{ always() }}
+        with:
+          files: target/llvm-cov-target/rust.json
+          flags: rust
+      - if: ${{ !cancelled() }}
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        with:
+          name: test-rust
+          path: target/llvm-cov-target/rust.json
   ci-core-mark:
     if: always()
     needs:
       - lint
+      - test-gen-build
       - test-migrations
       - test-migrations-from-stable
       - test-unittest

.github/workflows/ci-outpost.yml

@@ -22,7 +22,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6
+      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
         with:
           go-version-file: "go.mod"
       - name: Prepare and generate API
@@ -43,7 +43,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6
+      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
         with:
           go-version-file: "go.mod"
       - name: Setup authentik env
@@ -90,9 +90,9 @@ jobs:
         with:
           ref: ${{ github.event.pull_request.head.sha }}
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
+        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
       - name: prepare variables
         uses: ./.github/actions/docker-push-variables
         id: ev
@@ -102,7 +102,7 @@ jobs:
           image-name: ghcr.io/goauthentik/dev-${{ matrix.type }}
       - name: Login to Container Registry
         if: ${{ steps.ev.outputs.shouldPush == 'true' }}
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
@@ -111,7 +111,7 @@ jobs:
         run: make gen-client-go
       - name: Build Docker Image
         id: push
-        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
         with:
           tags: ${{ steps.ev.outputs.imageTags }}
           file: lifecycle/container/${{ matrix.type }}.Dockerfile
@@ -122,7 +122,7 @@ jobs:
           context: .
           cache-from: type=registry,ref=ghcr.io/goauthentik/dev-${{ matrix.type }}:buildcache
           cache-to: ${{ steps.ev.outputs.shouldPush == 'true' && format('type=registry,ref=ghcr.io/goauthentik/dev-{0}:buildcache,mode=max', matrix.type) || '' }}
-      - uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3
+      - uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v3
         id: attest
         if: ${{ steps.ev.outputs.shouldPush == 'true' }}
         with:
@@ -148,10 +148,10 @@ jobs:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
         with:
           ref: ${{ github.event.pull_request.head.sha }}
-      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6
+      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
         with:
           go-version-file: "go.mod"
-      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v5
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v5
         with:
           node-version-file: web/package.json
           cache: "npm"

.github/workflows/ci-web.yml

@@ -32,7 +32,7 @@ jobs:
             project: web
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v5
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v5
         with:
           node-version-file: ${{ matrix.project }}/package.json
           cache: "npm"
@@ -49,7 +49,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v5
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v5
         with:
           node-version-file: web/package.json
           cache: "npm"
@@ -77,7 +77,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v5
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v5
         with:
           node-version-file: web/package.json
           cache: "npm"

.github/workflows/gen-image-compress.yml

@@ -29,16 +29,16 @@ jobs:
        github.event.pull_request.head.repo.full_name == github.repository)
     steps:
       - id: generate_token
-        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
+        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v2
         with:
           app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+          private-key: ${{ secrets.GH_APP_PRIV_KEY }}
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
         with:
           token: ${{ steps.generate_token.outputs.token }}
       - name: Compress images
         id: compress
-        uses: calibreapp/image-actions@d9c8ee5c3dc52ae4622c82ead88d658f4b16b65f # main
+        uses: calibreapp/image-actions@03c976c29803442fc4040a9de5509669e7759b81 # main
         with:
           GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
           compressOnly: ${{ github.event_name != 'pull_request' }}

.github/workflows/gen-update-webauthn-mds.yml

@@ -16,10 +16,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - id: generate_token
-        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
+        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v2
         with:
           app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+          private-key: ${{ secrets.GH_APP_PRIV_KEY }}
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
         with:
           token: ${{ steps.generate_token.outputs.token }}

.github/workflows/gh-cherry-pick.yml

@@ -10,11 +10,11 @@ jobs:
     steps:
       - id: app-token
         name: Generate app token
-        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
+        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v2
         if: ${{ env.GH_APP_ID != '' }}
         with:
           app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+          private-key: ${{ secrets.GH_APP_PRIV_KEY }}
         env:
           GH_APP_ID: ${{ secrets.GH_APP_ID }}
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5

.github/workflows/gh-ghcr-retention.yml

@@ -16,10 +16,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - id: generate_token
-        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
+        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v2
         with:
           app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+          private-key: ${{ secrets.GH_APP_PRIV_KEY }}
       - name: Delete 'dev' containers older than a week
         uses: snok/container-retention-policy@3b0972b2276b171b212f8c4efbca59ebba26eceb # v3.0.1
         with:

.github/workflows/packages-npm-publish.yml

@@ -29,18 +29,19 @@ jobs:
           - packages/eslint-config
           - packages/prettier-config
           - packages/docusaurus-config
+          - packages/logger-js
           - packages/esbuild-plugin-live-reload
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
         with:
           fetch-depth: 2
-      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v5
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v5
         with:
           node-version-file: ${{ matrix.package }}/package.json
           registry-url: "https://registry.npmjs.org"
       - name: Get changed files
         id: changed-files
-        uses: tj-actions/changed-files@8cba46e29c11878d930bca7870bb54394d3e8b21 # 24d32ffd492484c1d75e0c0b894501ddb9d30d62
+        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # 24d32ffd492484c1d75e0c0b894501ddb9d30d62
         with:
           files: |
             ${{ matrix.package }}/package.json

.github/workflows/release-branch-off.yml

@@ -29,10 +29,10 @@ jobs:
     steps:
       - id: app-token
         name: Generate app token
-        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
+        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v2
         with:
           app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+          private-key: ${{ secrets.GH_APP_PRIV_KEY }}
       - name: Checkout main
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
         with:
@@ -57,10 +57,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - id: generate_token
-        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
+        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v2
         with:
           app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+          private-key: ${{ secrets.GH_APP_PRIV_KEY }}
       - name: Checkout main
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
         with:

.github/workflows/release-publish.yml

@@ -33,9 +33,9 @@ jobs:
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
+        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
       - name: prepare variables
         uses: ./.github/actions/docker-push-variables
         id: ev
@@ -44,21 +44,21 @@ jobs:
         with:
           image-name: ghcr.io/goauthentik/docs
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Build Docker Image
         id: push
-        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
         with:
           tags: ${{ steps.ev.outputs.imageTags }}
           file: website/Dockerfile
           push: true
           platforms: linux/amd64,linux/arm64
           context: .
-      - uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3
+      - uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v3
         id: attest
         if: true
         with:
@@ -84,18 +84,18 @@ jobs:
           - rac
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6
+      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
         with:
           go-version-file: "go.mod"
-      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v5
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v5
         with:
           node-version-file: web/package.json
           cache: "npm"
           cache-dependency-path: web/package-lock.json
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
+        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
       - name: prepare variables
         uses: ./.github/actions/docker-push-variables
         id: ev
@@ -108,18 +108,18 @@ jobs:
           make gen-client-ts
           make gen-client-go
       - name: Docker Login Registry
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
         with:
           username: ${{ secrets.DOCKER_CORP_USERNAME }}
           password: ${{ secrets.DOCKER_CORP_PASSWORD }}
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Build Docker Image
-        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
         id: push
         with:
           push: true
@@ -129,7 +129,7 @@ jobs:
           file: lifecycle/container/${{ matrix.type }}.Dockerfile
           platforms: linux/amd64,linux/arm64
           context: .
-      - uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3
+      - uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v3
         id: attest
         with:
           subject-name: ${{ steps.ev.outputs.attestImageNames }}
@@ -152,18 +152,25 @@ jobs:
         goarch: [amd64, arm64]
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6
+      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
         with:
           go-version-file: "go.mod"
-      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v5
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v5
         with:
           node-version-file: web/package.json
           cache: "npm"
           cache-dependency-path: web/package-lock.json
-      - name: Build web
+      - name: Install web dependencies
         working-directory: web/
         run: |
           npm ci
+      - name: Generate API Clients
+        run: |
+          make gen-client-ts
+          make gen-client-go
+      - name: Build web
+        working-directory: web/
+        run: |
           npm run build-proxy
       - name: Build outpost
         run: |
@@ -173,7 +180,7 @@ jobs:
           export CGO_ENABLED=0
           go build -tags=outpost_static_embed -v -o ./authentik-outpost-${{ matrix.type }}_${{ matrix.goos }}_${{ matrix.goarch }} ./cmd/${{ matrix.type }}
       - name: Upload binaries to release
-        uses: svenstaro/upload-release-action@6b7fa9f267e90b50a19fef07b3596790bb941741 # v2
+        uses: svenstaro/upload-release-action@29e53e917877a24fad85510ded594ab3c9ca12de # v2
         with:
           repo_token: ${{ secrets.GITHUB_TOKEN }}
           file: ./authentik-outpost-${{ matrix.type }}_${{ matrix.goos }}_${{ matrix.goarch }}
@@ -210,12 +217,12 @@ jobs:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
       - name: Run test suite in final docker images
         run: |
-          echo "PG_PASS=$(openssl rand 32 | base64 -w 0)" >> .env
-          echo "AUTHENTIK_SECRET_KEY=$(openssl rand 32 | base64 -w 0)" >> .env
-          docker compose pull -q
-          docker compose up --no-start
-          docker compose start postgresql
-          docker compose run -u root server test-all
+          echo "PG_PASS=$(openssl rand 32 | base64 -w 0)" >> lifecycle/container/.env
+          echo "AUTHENTIK_SECRET_KEY=$(openssl rand 32 | base64 -w 0)" >> lifecycle/container/.env
+          docker compose -f lifecycle/container/compose.yml pull -q
+          docker compose -f lifecycle/container/compose.yml up --no-start
+          docker compose -f lifecycle/container/compose.yml start postgresql
+          docker compose -f lifecycle/container/compose.yml run -u root server test-all
   sentry-release:
     needs:
       - build-server

.github/workflows/release-tag.yml

@@ -67,10 +67,10 @@ jobs:
     steps:
       - id: app-token
         name: Generate app token
-        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
+        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v2
         with:
           app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+          private-key: ${{ secrets.GH_APP_PRIV_KEY }}
       - id: get-user-id
         name: Get GitHub app user ID
         run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
@@ -91,11 +91,12 @@ jobs:
           # ID from https://api.github.com/users/authentik-automation[bot]
           git config --global user.name '${{ steps.app-token.outputs.app-slug }}[bot]'
           git config --global user.email '${{ steps.get-user-id.outputs.user-id }}+${{ steps.app-token.outputs.app-slug }}[bot]@users.noreply.github.com'
+          git pull
           git commit -a -m "release: ${{ inputs.version }}" --allow-empty
           git tag "version/${{ inputs.version }}" HEAD -m "version/${{ inputs.version }}"
           git push --follow-tags
       - name: Create Release
-        uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
+        uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2.6.1
         with:
           token: "${{ steps.app-token.outputs.token }}"
           tag_name: "version/${{ inputs.version }}"
@@ -114,10 +115,10 @@ jobs:
     steps:
       - id: app-token
         name: Generate app token
-        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
+        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v2
         with:
           app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+          private-key: ${{ secrets.GH_APP_PRIV_KEY }}
           repositories: helm
       - id: get-user-id
         name: Get GitHub app user ID
@@ -156,10 +157,10 @@ jobs:
     steps:
       - id: app-token
         name: Generate app token
-        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
+        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v2
         with:
           app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+          private-key: ${{ secrets.GH_APP_PRIV_KEY }}
           repositories: version
       - id: get-user-id
         name: Get GitHub app user ID
@@ -174,21 +175,25 @@ jobs:
         if: "${{ inputs.release_reason == 'feature' }}"
         run: |
           changelog_url="https://docs.goauthentik.io/docs/releases/${{ needs.check-inputs.outputs.major_version }}"
+          reason="${{ inputs.release_reason }}"
           jq \
             --arg version "${{ inputs.version }}" \
             --arg changelog "See ${changelog_url}" \
             --arg changelog_url "${changelog_url}" \
-            '.stable.version = $version | .stable.changelog = $changelog | .stable.changelog_url = $changelog_url' version.json > version.new.json
+            --arg reason "${reason}" \
+            '.stable.version = $version | .stable.changelog = $changelog | .stable.changelog_url = $changelog_url | .stable.reason = $reason' version.json > version.new.json
           mv version.new.json version.json
       - name: Bump version
         if: "${{ inputs.release_reason != 'feature' }}"
         run: |
           changelog_url="https://docs.goauthentik.io/docs/releases/${{ needs.check-inputs.outputs.major_version }}#fixed-in-$(echo -n ${{ inputs.version}} | sed 's/\.//g')"
+          reason="${{ inputs.release_reason }}"
           jq \
             --arg version "${{ inputs.version }}" \
             --arg changelog "See ${changelog_url}" \
             --arg changelog_url "${changelog_url}" \
-            '.stable.version = $version | .stable.changelog = $changelog | .stable.changelog_url = $changelog_url' version.json > version.new.json
+            --arg reason "${reason}" \
+            '.stable.version = $version | .stable.changelog = $changelog | .stable.changelog_url = $changelog_url | .stable.reason = $reason' version.json > version.new.json
           mv version.new.json version.json
       - name: Create pull request
         uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7

.github/workflows/repo-stale.yml

@@ -15,11 +15,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - id: generate_token
-        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
+        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v2
         with:
           app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-      - uses: actions/stale@997185467fa4f803885201cee163a9f38240193d # v10
+          private-key: ${{ secrets.GH_APP_PRIV_KEY }}
+      - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10
         with:
           repo-token: ${{ steps.generate_token.outputs.token }}
           days-before-stale: 60

.github/workflows/translation-extract-compile.yml

@@ -21,10 +21,10 @@ jobs:
     steps:
       - id: generate_token
         if: ${{ github.event_name != 'pull_request' }}
-        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
+        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v2
         with:
           app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+          private-key: ${{ secrets.GH_APP_PRIV_KEY }}
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
         if: ${{ github.event_name != 'pull_request' }}
         with:

.gitignore

@@ -15,6 +15,9 @@ media
 
 node_modules
 
+.cspellcache
+cspell-report.*
+
 # If your build process includes running collectstatic, then you probably don't need or want to include staticfiles/
 # in your Git repository. Update and uncomment the following line accordingly.
 # <django-project-name>/staticfiles/
@@ -192,6 +195,24 @@ pyvenv.cfg
 pip-selfcheck.json
 
 # End of https://www.gitignore.io/api/python,django
+
+# Created by https://www.toptal.com/developers/gitignore/api/rust
+# Edit at https://www.toptal.com/developers/gitignore?templates=rust
+
+### Rust ###
+# Generated by Cargo
+# will have compiled files and executables
+debug/
+target/
+
+# These are backup files generated by rustfmt
+**/*.rs.bk
+
+# MSVC Windows builds of rustc generate these, which store debugging information
+*.pdb
+
+# End of https://www.toptal.com/developers/gitignore/api/rust
+
 /static/
 local.env.yml
 

.vscode/settings.json

@@ -14,6 +14,10 @@
     "[xml]": {
         "editor.minimap.markSectionHeaderRegex": "<!--\\s*#\\bregion\\s*(?<separator>-?)\\s*(?<label>.*)\\s*-->"
     },
+    "files.associations": {
+        // The built-in "ignore" language gives us enough syntax highlighting to make these files readable.
+        "**/dictionaries/*.txt": "ignore"
+    },
     "todo-tree.tree.showCountsInTree": true,
     "todo-tree.tree.showBadges": true,
     "yaml.customTags": [
@@ -49,13 +53,9 @@
             "ignoreCase": false
         }
     ],
-    "go.testFlags": [
-        "-count=1"
-    ],
+    "go.testFlags": ["-count=1"],
     "go.testEnvVars": {
         "WORKSPACE_DIR": "${workspaceFolder}"
     },
-    "github-actions.workflows.pinned.workflows": [
-        ".github/workflows/ci-main.yml"
-    ]
+    "github-actions.workflows.pinned.workflows": [".github/workflows/ci-main.yml"]
 }

CODEOWNERS

@@ -3,6 +3,7 @@
 # Backend
 authentik/                              @goauthentik/backend
 blueprints/                             @goauthentik/backend
+src/                                    @goauthentik/backend
 cmd/                                    @goauthentik/backend
 internal/                               @goauthentik/backend
 lifecycle/                              @goauthentik/backend
@@ -11,8 +12,12 @@ scripts/                                @goauthentik/backend
 tests/                                  @goauthentik/backend
 pyproject.toml                          @goauthentik/backend
 uv.lock                                 @goauthentik/backend
+Cargo.toml                              @goauthentik/backend
+Cargo.lock                              @goauthentik/backend
 go.mod                                  @goauthentik/backend
 go.sum                                  @goauthentik/backend
+.cargo/                                 @goauthentik/backend
+rust-toolchain.toml                     @goauthentik/backend
 # Infrastructure
 .github/                                @goauthentik/infrastructure
 lifecycle/aws/                          @goauthentik/infrastructure
@@ -34,6 +39,7 @@ packages/docusaurus-config              @goauthentik/frontend
 packages/esbuild-plugin-live-reload     @goauthentik/frontend
 packages/eslint-config                  @goauthentik/frontend
 packages/prettier-config                @goauthentik/frontend
+packages/logger-js                      @goauthentik/frontend
 packages/tsconfig                       @goauthentik/frontend
 # Web
 web/                                    @goauthentik/frontend

Cargo.lock

@@ -0,0 +1,271 @@
+# This file is automatically @generated by Cargo.
+# It is not intended for manual editing.
+version = 4
+
+[[package]]
+name = "aho-corasick"
+version = "1.1.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ddd31a130427c27518df266943a5308ed92d4b226cc639f5a8f1002816174301"
+dependencies = [
+ "memchr",
+]
+
+[[package]]
+name = "anstream"
+version = "1.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "824a212faf96e9acacdbd09febd34438f8f711fb84e09a8916013cd7815ca28d"
+dependencies = [
+ "anstyle",
+ "anstyle-parse",
+ "anstyle-query",
+ "anstyle-wincon",
+ "colorchoice",
+ "is_terminal_polyfill",
+ "utf8parse",
+]
+
+[[package]]
+name = "anstyle"
+version = "1.0.14"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "940b3a0ca603d1eade50a4846a2afffd5ef57a9feac2c0e2ec2e14f9ead76000"
+
+[[package]]
+name = "anstyle-parse"
+version = "1.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "52ce7f38b242319f7cabaa6813055467063ecdc9d355bbb4ce0c68908cd8130e"
+dependencies = [
+ "utf8parse",
+]
+
+[[package]]
+name = "anstyle-query"
+version = "1.1.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "40c48f72fd53cd289104fc64099abca73db4166ad86ea0b4341abe65af83dadc"
+dependencies = [
+ "windows-sys",
+]
+
+[[package]]
+name = "anstyle-wincon"
+version = "3.0.11"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "291e6a250ff86cd4a820112fb8898808a366d8f9f58ce16d1f538353ad55747d"
+dependencies = [
+ "anstyle",
+ "once_cell_polyfill",
+ "windows-sys",
+]
+
+[[package]]
+name = "clap"
+version = "4.6.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b193af5b67834b676abd72466a96c1024e6a6ad978a1f484bd90b85c94041351"
+dependencies = [
+ "clap_builder",
+ "clap_derive",
+]
+
+[[package]]
+name = "clap_builder"
+version = "4.6.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "714a53001bf66416adb0e2ef5ac857140e7dc3a0c48fb28b2f10762fc4b5069f"
+dependencies = [
+ "anstream",
+ "anstyle",
+ "clap_lex",
+ "strsim",
+]
+
+[[package]]
+name = "clap_derive"
+version = "4.6.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1110bd8a634a1ab8cb04345d8d878267d57c3cf1b38d91b71af6686408bbca6a"
+dependencies = [
+ "heck",
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "clap_lex"
+version = "1.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c8d4a3bb8b1e0c1050499d1815f5ab16d04f0959b233085fb31653fbfc9d98f9"
+
+[[package]]
+name = "colorchoice"
+version = "1.0.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1d07550c9036bf2ae0c684c4297d503f838287c83c53686d05370d0e139ae570"
+
+[[package]]
+name = "colored"
+version = "3.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "faf9468729b8cbcea668e36183cb69d317348c2e08e994829fb56ebfdfbaac34"
+dependencies = [
+ "windows-sys",
+]
+
+[[package]]
+name = "docsmg"
+version = "0.0.0"
+dependencies = [
+ "clap",
+ "colored",
+ "dotenvy",
+ "eyre",
+ "regex",
+]
+
+[[package]]
+name = "dotenvy"
+version = "0.15.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1aaf95b3e5c8f23aa320147307562d361db0ae0d51242340f558153b4eb2439b"
+
+[[package]]
+name = "eyre"
+version = "0.6.12"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7cd915d99f24784cdc19fd37ef22b97e3ff0ae756c7e492e9fbfe897d61e2aec"
+dependencies = [
+ "indenter",
+ "once_cell",
+]
+
+[[package]]
+name = "heck"
+version = "0.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2304e00983f87ffb38b55b444b5e3b60a884b5d30c0fca7d82fe33449bbe55ea"
+
+[[package]]
+name = "indenter"
+version = "0.3.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "964de6e86d545b246d84badc0fef527924ace5134f30641c203ef52ba83f58d5"
+
+[[package]]
+name = "is_terminal_polyfill"
+version = "1.70.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a6cb138bb79a146c1bd460005623e142ef0181e3d0219cb493e02f7d08a35695"
+
+[[package]]
+name = "memchr"
+version = "2.8.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f8ca58f447f06ed17d5fc4043ce1b10dd205e060fb3ce5b979b8ed8e59ff3f79"
+
+[[package]]
+name = "once_cell"
+version = "1.21.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9f7c3e4beb33f85d45ae3e3a1792185706c8e16d043238c593331cc7cd313b50"
+
+[[package]]
+name = "once_cell_polyfill"
+version = "1.70.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "384b8ab6d37215f3c5301a95a4accb5d64aa607f1fcb26a11b5303878451b4fe"
+
+[[package]]
+name = "proc-macro2"
+version = "1.0.106"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8fd00f0bb2e90d81d1044c2b32617f68fcb9fa3bb7640c23e9c748e53fb30934"
+dependencies = [
+ "unicode-ident",
+]
+
+[[package]]
+name = "quote"
+version = "1.0.45"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "41f2619966050689382d2b44f664f4bc593e129785a36d6ee376ddf37259b924"
+dependencies = [
+ "proc-macro2",
+]
+
+[[package]]
+name = "regex"
+version = "1.12.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e10754a14b9137dd7b1e3e5b0493cc9171fdd105e0ab477f51b72e7f3ac0e276"
+dependencies = [
+ "aho-corasick",
+ "memchr",
+ "regex-automata",
+ "regex-syntax",
+]
+
+[[package]]
+name = "regex-automata"
+version = "0.4.14"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6e1dd4122fc1595e8162618945476892eefca7b88c52820e74af6262213cae8f"
+dependencies = [
+ "aho-corasick",
+ "memchr",
+ "regex-syntax",
+]
+
+[[package]]
+name = "regex-syntax"
+version = "0.8.10"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "dc897dd8d9e8bd1ed8cdad82b5966c3e0ecae09fb1907d58efaa013543185d0a"
+
+[[package]]
+name = "strsim"
+version = "0.11.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7da8b5736845d9f2fcb837ea5d9e2628564b3b043a70948a3f0b778838c5fb4f"
+
+[[package]]
+name = "syn"
+version = "2.0.117"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e665b8803e7b1d2a727f4023456bbbbe74da67099c585258af0ad9c5013b9b99"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "unicode-ident",
+]
+
+[[package]]
+name = "unicode-ident"
+version = "1.0.24"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e6e4313cd5fcd3dad5cafa179702e2b244f760991f45397d14d4ebf38247da75"
+
+[[package]]
+name = "utf8parse"
+version = "0.2.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "06abde3611657adf66d383f00b093d7faecc7fa57071cce2578660c9f1010821"
+
+[[package]]
+name = "windows-link"
+version = "0.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f0805222e57f7521d6a62e36fa9163bc891acd422f971defe97d64e70d0a4fe5"
+
+[[package]]
+name = "windows-sys"
+version = "0.61.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ae137229bcbd6cdf0f7b80a31df61766145077ddf49416a728b02cb3921ff3fc"
+dependencies = [
+ "windows-link",
+]

Cargo.toml

@@ -0,0 +1,133 @@
+[workspace]
+members = ["website/scripts/docsmg"]
+resolver = "3"
+
+[workspace.package]
+authors = ["authentik Team <hello@goauthentik.io>"]
+edition = "2024"
+readme = "README.md"
+homepage = "https://goauthentik.io"
+repository = "https://github.com/goauthentik/authentik.git"
+license-file = "LICENSE"
+publish = false
+
+[workspace.dependencies]
+clap = { version = "4.5.59", features = ["derive", "env"] }
+colored = "3.1.1"
+dotenvy = "0.15.7"
+eyre = "0.6.12"
+regex = "1.12.3"
+
+[profile.dev.package.backtrace]
+opt-level = 3
+
+[profile.release]
+lto = true
+debug = 2
+
+[workspace.lints.rust]
+ambiguous_negative_literals = "warn"
+closure_returning_async_block = "warn"
+macro_use_extern_crate = "deny"
+# must_not_suspend = "deny", unstable see https://github.com/rust-lang/rust/issues/83310
+non_ascii_idents = "deny"
+redundant_imports = "warn"
+semicolon_in_expressions_from_macros = "warn"
+trivial_casts = "warn"
+trivial_numeric_casts = "warn"
+unit_bindings = "warn"
+unreachable_pub = "warn"
+unsafe_code = "deny"
+unused_extern_crates = "warn"
+unused_import_braces = "warn"
+unused_lifetimes = "warn"
+unused_macro_rules = "warn"
+unused_qualifications = "warn"
+
+[workspace.lints.rustdoc]
+unescaped_backticks = "warn"
+
+[workspace.lints.clippy]
+### enable all lints
+cargo = { priority = -1, level = "warn" }
+complexity = { priority = -1, level = "warn" }
+correctness = { priority = -1, level = "warn" }
+nursery = { priority = -1, level = "warn" }
+pedantic = { priority = -1, level = "warn" }
+perf = { priority = -1, level = "warn" }
+# Those are too restrictive and disabled by default, however we enable some below
+# restriction = { priority = -1, level = "warn" }
+style = { priority = -1, level = "warn" }
+suspicious = { priority = -1, level = "warn" }
+### and disable the ones we don't want
+### pedantic group
+redundant_closure_for_method_calls = "allow"
+too_many_lines = "allow"
+### nursery
+redundant_pub_crate = "allow"
+option_if_let_else = "allow"
+### restriction group
+allow_attributes = "warn"
+allow_attributes_without_reason = "warn"
+as_conversions = "warn"
+as_pointer_underscore = "warn"
+as_underscore = "warn"
+assertions_on_result_states = "warn"
+clone_on_ref_ptr = "warn"
+create_dir = "warn"
+dbg_macro = "warn"
+default_numeric_fallback = "warn"
+disallowed_script_idents = "warn"
+doc_paragraphs_missing_punctuation = "warn"
+empty_drop = "warn"
+empty_enum_variants_with_brackets = "warn"
+empty_structs_with_brackets = "warn"
+error_impl_error = "warn"
+exit = "warn"
+filetype_is_file = "warn"
+float_cmp_const = "warn"
+fn_to_numeric_cast_any = "warn"
+get_unwrap = "warn"
+if_then_some_else_none = "warn"
+impl_trait_in_params = "warn"
+infinite_loop = "warn"
+lossy_float_literal = "warn"
+map_with_unused_argument_over_ranges = "warn"
+mem_forget = "warn"
+missing_asserts_for_indexing = "warn"
+missing_trait_methods = "warn"
+mixed_read_write_in_expression = "warn"
+mutex_atomic = "warn"
+mutex_integer = "warn"
+needless_raw_strings = "warn"
+non_zero_suggestions = "warn"
+panic_in_result_fn = "warn"
+pathbuf_init_then_push = "warn"
+print_stdout = "warn"
+rc_buffer = "warn"
+redundant_test_prefix = "warn"
+redundant_type_annotations = "warn"
+ref_patterns = "warn"
+renamed_function_params = "warn"
+rest_pat_in_fully_bound_structs = "warn"
+return_and_then = "warn"
+same_name_method = "warn"
+semicolon_inside_block = "warn"
+str_to_string = "warn"
+string_add = "warn"
+suspicious_xor_used_as_pow = "warn"
+tests_outside_test_module = "warn"
+todo = "warn"
+try_err = "warn"
+undocumented_unsafe_blocks = "warn"
+unimplemented = "warn"
+unnecessary_safety_comment = "warn"
+unnecessary_safety_doc = "warn"
+unnecessary_self_imports = "warn"
+unneeded_field_pattern = "warn"
+unseparated_literal_suffix = "warn"
+unused_result_ok = "warn"
+unused_trait_names = "warn"
+unwrap_in_result = "warn"
+unwrap_used = "warn"
+verbose_file_reads = "warn"

Makefile

@@ -23,6 +23,7 @@ BREW_LDFLAGS :=
 BREW_CPPFLAGS :=
 BREW_PKG_CONFIG_PATH :=
 
+CARGO := cargo
 UV := uv
 
 # For macOS users, add the libxml2 installed from brew libxmlsec1 to the build path
@@ -69,22 +70,26 @@ help:  ## Show this help
 		sort
 	@echo ""
 
-go-test:
+go-test:  ## Run the golang tests
 	go test -timeout 0 -v -race -cover ./...
 
+rust-test:  ## Run the Rust tests
+	$(CARGO) nextest run --workspace
+
 test: ## Run the server tests and produce a coverage report (locally)
 	$(UV) run coverage run manage.py test --keepdb $(or $(filter-out $@,$(MAKECMDGOALS)),authentik)
 	$(UV) run coverage html
 	$(UV) run coverage report
 
-lint-fix: lint-codespell  ## Lint and automatically fix errors in the python source code. Reports spelling errors.
+lint-fix:  ## Lint and automatically fix errors in the python source code. Reports spelling errors.
 	$(UV) run black $(PY_SOURCES)
 	$(UV) run ruff check --fix $(PY_SOURCES)
+	$(CARGO) +nightly fmt --all -- --config-path .cargo/rustfmt.toml
 
-lint-codespell:  ## Reports spelling errors.
-	$(UV) run codespell -w
+lint-spellcheck:  ## Reports spelling errors.
+	npm run lint:spellcheck
 
-lint: ci-bandit ci-mypy ## Lint the python and golang sources
+lint: ci-lint-bandit ci-lint-mypy ci-lint-cargo-deny ci-lint-cargo-machete  ## Lint the python and golang sources
 	golangci-lint run -v
 
 core-install:
@@ -148,11 +153,11 @@ bump:  ## Bump authentik version. Usage: make bump version=20xx.xx.xx
 ifndef version
 	$(error Usage: make bump version=20xx.xx.xx )
 endif
-	$(SED_INPLACE) 's/^version = ".*"/version = "$(version)"/' pyproject.toml
-	$(SED_INPLACE) 's/^VERSION = ".*"/VERSION = "$(version)"/' authentik/__init__.py
+	$(eval current_version := $(shell cat ${PWD}/internal/constants/VERSION))
+	$(SED_INPLACE) 's/^version = ".*"/version = "$(version)"/' ${PWD}/pyproject.toml
+	$(SED_INPLACE) 's/^VERSION = ".*"/VERSION = "$(version)"/' ${PWD}/authentik/__init__.py
 	$(MAKE) gen-build gen-compose aws-cfn
-	npm version --no-git-tag-version --allow-same-version $(version)
-	cd ${PWD}/web && npm version --no-git-tag-version --allow-same-version $(version)
+	$(SED_INPLACE) "s/\"${current_version}\"/\"$(version)\"/" ${PWD}/package.json ${PWD}/package-lock.json ${PWD}/web/package.json ${PWD}/web/package-lock.json
 	echo -n $(version) > ${PWD}/internal/constants/VERSION
 
 #########################
@@ -168,12 +173,22 @@ gen-build:  ## Extract the schema from the database
 gen-compose:
 	$(UV) run scripts/generate_compose.py
 
-gen-changelog:  ## (Release) generate the changelog based from the commits since the last tag
-	git log --pretty=format:" - %s" $(shell git describe --tags $(shell git rev-list --tags --max-count=1))...$(shell git branch --show-current) | sort > changelog.md
+gen-changelog:  ## (Release) generate the changelog based from the commits since the last version
+# These are best-effort guesses based on commit messages
+	$(eval last_version := $(shell git tag --list 'version/*' --sort 'version:refname' | grep -vE 'rc\d+$$' | tail -1))
+	$(eval current_commit := $(shell git rev-parse HEAD))
+	git log --pretty=format:"- %s" $(shell git merge-base ${last_version} ${current_commit})...${current_commit} > merged_to_current
+	git log --pretty=format:"- %s" $(shell git merge-base ${last_version} ${current_commit})...${last_version} > merged_to_last
+	grep -Eo 'cherry-pick (#\d+)' merged_to_last | cut -d ' ' -f 2 | sed 's/.*/(&)$$/' > cherry_picked_to_last
+	grep -vf cherry_picked_to_last merged_to_current | sort > changelog.md
+	rm merged_to_current
+	rm merged_to_last
+	rm cherry_picked_to_last
 	npx prettier --write changelog.md
 
-gen-diff:  ## (Release) generate the changelog diff between the current schema and the last tag
-	git show $(shell git describe --tags $(shell git rev-list --tags --max-count=1)):schema.yml > schema-old.yml
+gen-diff:  ## (Release) generate the changelog diff between the current schema and the last version
+	$(eval last_version := $(shell git tag --list 'version/*' --sort 'version:refname' | grep -vE 'rc\d+$$' | tail -1))
+	git show ${last_version}:schema.yml > schema-old.yml
 	docker compose -f scripts/api/compose.yml run --rm --user "${UID}:${GID}" diff \
 		--markdown \
 		/local/diff.md \
@@ -276,7 +291,7 @@ docs: docs-lint-fix docs-build  ## Automatically fix formatting issues in the Au
 docs-install:
 	npm ci --prefix website
 
-docs-lint-fix: lint-codespell
+docs-lint-fix: lint-spellcheck
 	npm run --prefix website prettier
 
 docs-build:
@@ -321,27 +336,40 @@ test-docker:
 # which makes the YAML File a lot smaller
 
 ci--meta-debug:
-	$(UV) run python -V
-	node --version
+	$(UV) run python -V || echo "No python installed"
+	$(CARGO) --version || echo "No rust installed"
+	node --version || echo "No node installed"
 
-ci-mypy: ci--meta-debug
+ci-lint-mypy: ci--meta-debug
 	$(UV) run mypy --strict $(PY_SOURCES)
 
-ci-black: ci--meta-debug
+ci-lint-black: ci--meta-debug
 	$(UV) run black --check $(PY_SOURCES)
 
-ci-ruff: ci--meta-debug
+ci-lint-ruff: ci--meta-debug
 	$(UV) run ruff check $(PY_SOURCES)
 
-ci-codespell: ci--meta-debug
-	$(UV) run codespell -s
+ci-lint-spellcheck: ci--meta-debug
+	npm run lint:spellcheck
 
-ci-bandit: ci--meta-debug
+ci-lint-bandit: ci--meta-debug
 	$(UV) run bandit -c pyproject.toml -r $(PY_SOURCES) -iii
 
-ci-pending-migrations: ci--meta-debug
+ci-lint-pending-migrations: ci--meta-debug
 	$(UV) run ak makemigrations --check
 
+ci-lint-cargo-deny: ci--meta-debug
+	$(CARGO) deny --locked --workspace check --config .cargo/deny.toml
+
+ci-lint-cargo-machete: ci--meta-debug
+	$(CARGO) machete
+
+ci-lint-rustfmt: ci--meta-debug
+	$(CARGO) +nightly fmt --all --check -- --config-path .cargo/rustfmt.toml
+
+ci-lint-clippy: ci--meta-debug
+	$(CARGO) clippy --workspace -- -D warnings
+
 ci-test: ci--meta-debug
 	$(UV) run coverage run manage.py test --keepdb authentik
 	$(UV) run coverage report

SECURITY.md

@@ -20,8 +20,8 @@ Even if the issue is not a CVE, we still greatly appreciate your help in hardeni
 
 | Version    | Supported  |
 | ---------- | ---------- |
-| 2025.10.x  | ✅         |
 | 2025.12.x  | ✅         |
+| 2026.2.x   | ✅         |
 
 ## Reporting a Vulnerability
 

authentik/__init__.py

@@ -3,7 +3,7 @@
 from functools import lru_cache
 from os import environ
 
-VERSION = "2026.2.0-rc1"
+VERSION = "2026.5.0-rc1"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
 
 

authentik/admin/files/backends/base.py

@@ -94,7 +94,7 @@ class Backend:
 
         Args:
             file_path: Relative file path
-            request: Optional Django HttpRequest for fully qualifed URL building
+            request: Optional Django HttpRequest for fully qualified URL building
             use_cache: whether to retrieve the URL from cache
 
         Returns:

authentik/admin/files/backends/s3.py

@@ -100,13 +100,25 @@ class S3Backend(ManageableBackend):
             f"storage.{self.usage.value}.{self.name}.addressing_style",
             CONFIG.get(f"storage.{self.name}.addressing_style", "auto"),
         )
+        signature_version = CONFIG.get(
+            f"storage.{self.usage.value}.{self.name}.signature_version",
+            CONFIG.get(f"storage.{self.name}.signature_version", "s3v4"),
+        )
+        # Keep signature_version pass-through and let boto3/botocore handle it.
+        # In boto3's S3 configuration docs, `s3v4` (default) and deprecated `s3`
+        # are the documented values:
+        # https://github.com/boto/boto3/blob/791a3e8f36d83664a47b4281a0586b3546cef3ec/docs/source/guide/configuration.rst?plain=1#L398-L407
+        # Botocore also supports additional signer names, so we intentionally do
+        # not enforce a restricted allowlist here.
 
         return self.session.client(
             "s3",
             endpoint_url=endpoint_url,
             use_ssl=use_ssl,
             region_name=region_name,
-            config=Config(signature_version="s3v4", s3={"addressing_style": addressing_style}),
+            config=Config(
+                signature_version=signature_version, s3={"addressing_style": addressing_style}
+            ),
         )
 
     @property

authentik/admin/files/backends/tests/test_s3_backend.py

@@ -1,5 +1,6 @@
 from unittest import skipUnless
 
+from botocore.exceptions import UnsupportedSignatureVersionError
 from django.test import TestCase
 
 from authentik.admin.files.tests.utils import FileTestS3BackendMixin, s3_test_server_available
@@ -81,6 +82,27 @@ class TestS3Backend(FileTestS3BackendMixin, TestCase):
         self.assertIn("X-Amz-Signature=", url)
         self.assertIn("test.png", url)
 
+    def test_client_signature_version_default_v4(self):
+        """Test S3 client defaults to v4 signature when not configured."""
+        self.assertEqual(self.media_s3_backend.client.meta.config.signature_version, "s3v4")
+
+    @CONFIG.patch("storage.s3.signature_version", "s3")
+    def test_client_signature_version_global_override(self):
+        """Test S3 client respects globally configured signature version."""
+        self.assertEqual(self.media_s3_backend.client.meta.config.signature_version, "s3")
+
+    @CONFIG.patch("storage.s3.signature_version", "s3v4")
+    @CONFIG.patch("storage.media.s3.signature_version", "s3")
+    def test_client_signature_version_media_override(self):
+        """Test usage-specific signature version takes precedence over global."""
+        self.assertEqual(self.media_s3_backend.client.meta.config.signature_version, "s3")
+
+    @CONFIG.patch("storage.media.s3.signature_version", "not-a-real-signature")
+    def test_client_signature_version_unsupported(self):
+        """Test unsupported signature version raises botocore error."""
+        with self.assertRaises(UnsupportedSignatureVersionError):
+            self.media_s3_backend.file_url("test.png", use_cache=False)
+
     @CONFIG.patch("storage.s3.bucket_name", "test-bucket")
     def test_file_exists_true(self):
         """Test file_exists returns True for existing file"""

authentik/api/schema.py

@@ -71,7 +71,7 @@ def postprocess_schema_responses(
 def postprocess_schema_query_params(
     result: dict[str, Any], generator: SchemaGenerator, **kwargs
 ) -> dict[str, Any]:
-    """Optimise pagination parameters, instead of redeclaring parameters for each endpoint
+    """Optimize pagination parameters, instead of redeclaring parameters for each endpoint
     declare them globally and refer to them"""
     LOGGER.debug("Deduplicating query parameters")
     for path in result["paths"].values():

authentik/api/tests/test_schema.py

@@ -1,6 +1,8 @@
 """Schema generation tests"""
 
 from pathlib import Path
+from tempfile import gettempdir
+from uuid import uuid4
 
 from django.core.management import call_command
 from django.urls import reverse
@@ -29,15 +31,14 @@ class TestSchemaGeneration(APITestCase):
 
     def test_build_schema(self):
         """Test schema build command"""
-        blueprint_file = Path("blueprints/schema.json")
-        api_file = Path("schema.yml")
-        blueprint_file.unlink()
-        api_file.unlink()
+        tmp = Path(gettempdir())
+        blueprint_file = tmp / f"{str(uuid4())}.json"
+        api_file = tmp / f"{str(uuid4())}.yml"
         with (
             CONFIG.patch("debug", True),
             CONFIG.patch("tenants.enabled", True),
             CONFIG.patch("outposts.disable_embedded_outpost", True),
         ):
-            call_command("build_schema")
+            call_command("build_schema", blueprint_file=blueprint_file, api_file=api_file)
         self.assertTrue(blueprint_file.exists())
         self.assertTrue(api_file.exists())

authentik/blueprints/v1/importer.py

@@ -272,7 +272,7 @@ class Importer:
             and entry.state != BlueprintEntryDesiredState.MUST_CREATED
         ):
             self.logger.debug(
-                "Initialise serializer with instance",
+                "Initialize serializer with instance",
                 model=model,
                 instance=model_instance,
                 pk=model_instance.pk,
@@ -290,7 +290,7 @@ class Importer:
             )
         else:
             self.logger.debug(
-                "Initialised new serializer instance",
+                "Initialized new serializer instance",
                 model=model,
                 **cleanse_dict(updated_identifiers),
             )

authentik/core/api/applications.py

@@ -25,6 +25,7 @@ from authentik.core.api.providers import ProviderSerializer
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.users import UserSerializer
 from authentik.core.api.utils import ModelSerializer, ThemedUrlsSerializer
+from authentik.core.apps import AppAccessWithoutBindings
 from authentik.core.models import Application, User
 from authentik.events.logs import LogEventSerializer, capture_logs
 from authentik.policies.api.exec import PolicyTestResultSerializer
@@ -154,15 +155,16 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
         return queryset
 
     def _get_allowed_applications(
-        self, pagined_apps: Iterator[Application], user: User | None = None
+        self, paginated_apps: Iterator[Application], user: User | None = None
     ) -> list[Application]:
         applications = []
         request = self.request._request
         if user:
             request = copy(request)
             request.user = user
-        for application in pagined_apps:
+        for application in paginated_apps:
             engine = PolicyEngine(application, request.user, request)
+            engine.empty_result = AppAccessWithoutBindings.get()
             engine.build()
             if engine.passing:
                 applications.append(application)
@@ -220,6 +222,7 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
             if not for_user:
                 raise ValidationError({"for_user": "User not found"})
         engine = PolicyEngine(application, for_user, request)
+        engine.empty_result = AppAccessWithoutBindings.get()
         engine.use_cache = False
         with capture_logs() as logs:
             engine.build()
@@ -239,11 +242,6 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
 
     @extend_schema(
         parameters=[
-            OpenApiParameter(
-                name="superuser_full_list",
-                location=OpenApiParameter.QUERY,
-                type=OpenApiTypes.BOOL,
-            ),
             OpenApiParameter(
                 name="for_user",
                 location=OpenApiParameter.QUERY,
@@ -254,18 +252,17 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
                 location=OpenApiParameter.QUERY,
                 type=OpenApiTypes.BOOL,
             ),
-        ]
+        ],
+        responses={
+            200: ApplicationSerializer(many=True),
+        },
+        operation_id="core_applications_accessible_list",
     )
-    def list(self, request: Request) -> Response:
-        """Custom list method that checks Policy based access instead of guardian"""
+    @action(methods=["GET"], detail=False, url_path="@accessible")
+    def accessible(self, request: Request) -> Response:
+        """Get applications accessible for user"""
         should_cache = request.query_params.get("search", "") == ""
 
-        superuser_full_list = (
-            str(request.query_params.get("superuser_full_list", "false")).lower() == "true"
-        )
-        if superuser_full_list and request.user.is_superuser:
-            return super().list(request)
-
         only_with_launch_url = str(
             request.query_params.get("only_with_launch_url", "false")
         ).lower()

authentik/core/apps.py

@@ -1,7 +1,20 @@
 """authentik core app config"""
 
+from django.utils.translation import gettext_lazy as _
+
 from authentik.blueprints.apps import ManagedAppConfig
 from authentik.tasks.schedules.common import ScheduleSpec
+from authentik.tenants.flags import Flag
+
+
+class AppAccessWithoutBindings(Flag[bool], key="core_default_app_access"):
+
+    default = True
+    visibility = "none"
+    description = _(
+        "Configure if applications without any policy/group/user bindings "
+        "should be accessible to any user."
+    )
 
 
 class AuthentikCoreConfig(ManagedAppConfig):

authentik/core/models.py

@@ -1,5 +1,7 @@
 """authentik core models"""
 
+import re
+import traceback
 from datetime import datetime, timedelta
 from enum import StrEnum
 from hashlib import sha256
@@ -15,7 +17,6 @@ from django.contrib.sessions.base_session import AbstractBaseSession
 from django.core.validators import validate_slug
 from django.db import models
 from django.db.models import Q, QuerySet, options
-from django.db.models.constants import LOOKUP_SEP
 from django.http import HttpRequest
 from django.utils.functional import cached_property
 from django.utils.timezone import now
@@ -43,6 +44,7 @@ from authentik.lib.models import (
     DomainlessFormattedURLValidator,
     SerializerModel,
 )
+from authentik.lib.utils.inheritance import get_deepest_child
 from authentik.lib.utils.time import timedelta_from_string
 from authentik.policies.models import PolicyBindingModel
 from authentik.rbac.models import Role
@@ -528,23 +530,35 @@ class User(SerializerModel, AttributesMixin, AbstractUser):
             "default: in 30 days). See authentik logs for every will invocation of this "
             "deprecation."
         )
+        stacktrace = traceback.format_stack()
+        # The last line is this function, the next-to-last line is its caller
+        cause = stacktrace[-2] if len(stacktrace) > 1 else "Unknown, see stacktrace in logs"
+        if search := re.search(r'"(.*?)"', cause):
+            cause = f"Property mapping or Expression policy named {search.group(1)}"
+
         LOGGER.warning(
             "deprecation used",
             message=message_logger,
             deprecation=deprecation,
             replacement=replacement,
+            cause=cause,
+            stacktrace=stacktrace,
         )
         if not Event.filter_not_expired(
-            action=EventAction.CONFIGURATION_WARNING, context__deprecation=deprecation
+            action=EventAction.CONFIGURATION_WARNING,
+            context__deprecation=deprecation,
+            context__cause=cause,
         ).exists():
             event = Event.new(
                 EventAction.CONFIGURATION_WARNING,
                 deprecation=deprecation,
                 replacement=replacement,
                 message=message_event,
+                cause=cause,
             )
             event.expires = datetime.now() + timedelta(days=30)
             event.save()
+
         return self.groups
 
     def set_password(self, raw_password, signal=True, sender=None, request=None):
@@ -789,25 +803,7 @@ class Application(SerializerModel, PolicyBindingModel):
         """Get casted provider instance. Needs Application queryset with_provider"""
         if not self.provider:
             return None
-
-        candidates = []
-        base_class = Provider
-        for subclass in base_class.objects.get_queryset()._get_subclasses_recurse(base_class):
-            parent = self.provider
-            for level in subclass.split(LOOKUP_SEP):
-                try:
-                    parent = getattr(parent, level)
-                except AttributeError:
-                    break
-            if parent in candidates:
-                continue
-            idx = subclass.count(LOOKUP_SEP)
-            if type(parent) is not base_class:
-                idx += 1
-            candidates.insert(idx, parent)
-        if not candidates:
-            return None
-        return candidates[-1]
+        return get_deepest_child(self.provider)
 
     def backchannel_provider_for[T: Provider](self, provider_type: type[T], **kwargs) -> T | None:
         """Get Backchannel provider for a specific type"""
@@ -1119,7 +1115,11 @@ class ExpiringModel(models.Model):
         default the object is deleted. This is less efficient compared
         to bulk deleting objects, but classes like Token() need to change
         values instead of being deleted."""
-        return self.delete(*args, **kwargs)
+        try:
+            return self.delete(*args, **kwargs)
+        except self.DoesNotExist:
+            # Object has already been deleted, so this should be fine
+            return None
 
     @classmethod
     def filter_not_expired(cls, **kwargs) -> QuerySet[Self]:

authentik/core/signals.py

@@ -24,7 +24,8 @@ from authentik.root.ws.consumer import build_device_group
 
 # Arguments: user: User, password: str
 password_changed = Signal()
-# Arguments: credentials: dict[str, any], request: HttpRequest, stage: Stage
+# Arguments: credentials: dict[str, any], request: HttpRequest,
+#            stage: Stage, context: dict[str, any]
 login_failed = Signal()
 
 LOGGER = get_logger()

authentik/core/templates/base/skeleton.html

@@ -21,6 +21,10 @@
         {% block head_before %}
         {% endblock %}
 
+        {% block interface_stylesheet %}
+        <link rel="stylesheet" type="text/css" href="{% versioned_script 'dist/styles/interface-%v.css' %}" />
+        {% endblock %}
+
         {% include "base/theme.html" %}
 
         <style data-id="brand-css">{{ brand_css }}</style>

authentik/core/templates/base/theme.html

@@ -1,8 +1,6 @@
 {% load static %}
 {% load authentik_core %}
 
-<link rel="stylesheet" type="text/css" href="{% versioned_script 'dist/styles/interface-%v.css' %}" />
-
 {% if ui_theme == "dark" %}
   <meta name="color-scheme" content="dark" />
   <meta name="theme-color" content="#18191a">

authentik/core/templates/login/base_full.html

@@ -44,19 +44,24 @@
                                 {% endblock %}
                             </div>
                         </main>
-                        <footer aria-label="Site footer" class="pf-c-login__footer pf-m-dark">
-                            <ul class="pf-c-list pf-m-inline">
-                                {% for link in footer_links %}
-                                <li>
-                                    <a href="{{ link.href }}">{{ link.name }}</a>
-                                </li>
-                                {% endfor %}
-                                <li>
-                                    <span>
-                                        {% trans 'Powered by authentik' %}
-                                    </span>
-                                </li>
-                            </ul>
+                        <footer
+                            name="site-footer"
+                            aria-label="{% trans 'Site footer' %}"
+                            class="pf-c-login__footer pf-m-dark">
+                            <div name="flow-links" aria-label="{% trans 'Flow links' %}">
+                                <ul class="pf-c-list pf-m-inline" part="list">
+                                    {% for link in footer_links %}
+                                    <li part="list-item">
+                                        <a part="list-item-link" href="{{ link.href }}">{{ link.name }}</a>
+                                    </li>
+                                    {% endfor %}
+                                    <li part="list-item">
+                                        <span>
+                                            {% trans 'Powered by authentik' %}
+                                        </span>
+                                    </li>
+                                </ul>
+                            </div>
                         </footer>
                     </div>
                 </div>

authentik/core/tests/test_applications_api.py

@@ -80,10 +80,10 @@ class TestApplicationsAPI(APITestCase):
         self.assertEqual(body["passing"], False)
         self.assertEqual(body["messages"], ["dummy"])
 
-    def test_list(self):
-        """Test list operation without superuser_full_list"""
+    def test_list_accessible(self):
+        """Test list operation without"""
         self.client.force_login(self.user)
-        response = self.client.get(reverse("authentik_api:application-list"))
+        response = self.client.get(reverse("authentik_api:application-accessible"))
         self.assertJSONEqual(
             response.content.decode(),
             {
@@ -136,12 +136,10 @@ class TestApplicationsAPI(APITestCase):
             },
         )
 
-    def test_list_superuser_full_list(self):
-        """Test list operation with superuser_full_list"""
+    def test_list_rbac(self):
+        """Test list operation"""
         self.client.force_login(self.user)
-        response = self.client.get(
-            reverse("authentik_api:application-list") + "?superuser_full_list=true"
-        )
+        response = self.client.get(reverse("authentik_api:application-list"))
         self.assertJSONEqual(
             response.content.decode(),
             {

authentik/core/tests/test_interface_views.py

@@ -0,0 +1,101 @@
+"""Test interface view redirect behavior by user type"""
+
+from django.test import TestCase
+from django.urls import reverse
+
+from authentik.brands.models import Brand
+from authentik.core.models import Application, UserTypes
+from authentik.core.tests.utils import create_test_brand, create_test_user
+
+
+class TestInterfaceRedirects(TestCase):
+    """Test RootRedirectView and BrandDefaultRedirectView redirect logic by user type"""
+
+    def setUp(self):
+        self.app = Application.objects.create(name="test-app", slug="test-app")
+        self.brand: Brand = create_test_brand(default_application=self.app)
+
+    def _assert_redirects_to_app(self, url_name: str, user_type: UserTypes):
+        user = create_test_user(type=user_type)
+        self.client.force_login(user)
+        response = self.client.get(reverse(f"authentik_core:{url_name}"))
+        self.assertRedirects(
+            response,
+            reverse(
+                "authentik_core:application-launch", kwargs={"application_slug": self.app.slug}
+            ),
+            fetch_redirect_response=False,
+        )
+
+    def _assert_no_redirect(self, url_name: str, user_type: UserTypes):
+        """Internal users should not be redirected away."""
+        user = create_test_user(type=user_type)
+        self.client.force_login(user)
+        response = self.client.get(reverse(f"authentik_core:{url_name}"))
+        # Internal users get a 200 (rendered template) or redirect to if-user, not to the app
+        app_url = reverse(
+            "authentik_core:application-launch", kwargs={"application_slug": self.app.slug}
+        )
+        self.assertNotEqual(response.get("Location"), app_url)
+
+    # --- RootRedirectView ---
+
+    def test_root_redirect_external_user(self):
+        """External users are redirected to the default app from root"""
+        self._assert_redirects_to_app("root-redirect", UserTypes.EXTERNAL)
+
+    def test_root_redirect_service_account(self):
+        """Service accounts are redirected to the default app from root"""
+        self._assert_redirects_to_app("root-redirect", UserTypes.SERVICE_ACCOUNT)
+
+    def test_root_redirect_internal_service_account(self):
+        """Internal service accounts are redirected to the default app from root"""
+        self._assert_redirects_to_app("root-redirect", UserTypes.INTERNAL_SERVICE_ACCOUNT)
+
+    def test_root_redirect_internal_user(self):
+        """Internal users are NOT redirected to the app from root"""
+        self._assert_no_redirect("root-redirect", UserTypes.INTERNAL)
+
+    # --- BrandDefaultRedirectView (if/user/) ---
+
+    def test_if_user_external_user(self):
+        """External users are redirected to the default app from if/user/"""
+        self._assert_redirects_to_app("if-user", UserTypes.EXTERNAL)
+
+    def test_if_user_service_account(self):
+        """Service accounts are redirected to the default app from if/user/"""
+        self._assert_redirects_to_app("if-user", UserTypes.SERVICE_ACCOUNT)
+
+    def test_if_user_internal_service_account(self):
+        """Internal service accounts are redirected to the default app from if/user/"""
+        self._assert_redirects_to_app("if-user", UserTypes.INTERNAL_SERVICE_ACCOUNT)
+
+    def test_if_user_internal_user(self):
+        """Internal users are NOT redirected to the app from if/user/"""
+        self._assert_no_redirect("if-user", UserTypes.INTERNAL)
+
+    # --- BrandDefaultRedirectView (if/admin/) ---
+
+    def test_if_admin_service_account(self):
+        """Service accounts are redirected to the default app from if/admin/"""
+        self._assert_redirects_to_app("if-admin", UserTypes.SERVICE_ACCOUNT)
+
+    def test_if_admin_internal_service_account(self):
+        """Internal service accounts are redirected to the default app from if/admin/"""
+        self._assert_redirects_to_app("if-admin", UserTypes.INTERNAL_SERVICE_ACCOUNT)
+
+    def test_if_admin_internal_user(self):
+        """Internal users are NOT redirected to the app from if/admin/"""
+        self._assert_no_redirect("if-admin", UserTypes.INTERNAL)
+
+    # --- No default app set ---
+
+    def test_service_account_no_default_app_access_denied(self):
+        """Service accounts get access denied when no default app is configured"""
+        self.brand.default_application = None
+        self.brand.save()
+        user = create_test_user(type=UserTypes.SERVICE_ACCOUNT)
+        self.client.force_login(user)
+        response = self.client.get(reverse("authentik_core:if-user"))
+        self.assertEqual(response.status_code, 200)
+        self.assertIn(b"Interface can only be accessed by internal users", response.content)

authentik/core/tests/test_property_mapping_api.py

@@ -63,7 +63,7 @@ class TestPropertyMappingAPI(APITestCase):
             PropertyMappingSerializer().validate_expression("/")
 
     def test_types(self):
-        """Test PropertyMappigns's types endpoint"""
+        """Test PropertyMapping's types endpoint"""
         response = self.client.get(
             reverse("authentik_api:propertymapping-types"),
         )

authentik/core/views/interface.py

@@ -26,7 +26,11 @@ class RootRedirectView(RedirectView):
     query_string = True
 
     def redirect_to_app(self, request: HttpRequest):
-        if request.user.is_authenticated and request.user.type == UserTypes.EXTERNAL:
+        if request.user.is_authenticated and request.user.type in (
+            UserTypes.EXTERNAL,
+            UserTypes.SERVICE_ACCOUNT,
+            UserTypes.INTERNAL_SERVICE_ACCOUNT,
+        ):
             brand: Brand = request.brand
             if brand.default_application:
                 return redirect(
@@ -62,7 +66,11 @@ class BrandDefaultRedirectView(InterfaceView):
     """By default redirect to default app"""
 
     def dispatch(self, request: HttpRequest, *args: Any, **kwargs: Any) -> HttpResponse:
-        if request.user.is_authenticated and request.user.type == UserTypes.EXTERNAL:
+        if request.user.is_authenticated and request.user.type in (
+            UserTypes.EXTERNAL,
+            UserTypes.SERVICE_ACCOUNT,
+            UserTypes.INTERNAL_SERVICE_ACCOUNT,
+        ):
             brand: Brand = request.brand
             if brand.default_application:
                 return redirect(

authentik/crypto/models.py

@@ -78,7 +78,7 @@ def generate_key_id_legacy(key_data: str) -> str:
     """Generate Key ID using MD5 (legacy format for backwards compatibility)."""
     if not key_data:
         return ""
-    return md5(key_data.encode("utf-8")).hexdigest()  # nosec
+    return md5(key_data.encode("utf-8"), usedforsecurity=False).hexdigest()  # nosec
 
 
 class CertificateKeyPair(SerializerModel, ManagedModel, CreatedUpdatedModel):

authentik/endpoints/api/stages.py

@@ -1,8 +1,11 @@
+from django.utils.translation import gettext_lazy as _
+from rest_framework.exceptions import ValidationError
 from rest_framework.viewsets import ModelViewSet
 
 from authentik.core.api.used_by import UsedByMixin
 from authentik.endpoints.api.connectors import ConnectorSerializer
-from authentik.endpoints.models import EndpointStage
+from authentik.endpoints.controller import Capabilities
+from authentik.endpoints.models import Connector, EndpointStage
 from authentik.flows.api.stages import StageSerializer
 
 
@@ -11,6 +14,13 @@ class EndpointStageSerializer(StageSerializer):
 
     connector_obj = ConnectorSerializer(source="connector", read_only=True)
 
+    def validate_connector(self, connector: Connector) -> Connector:
+        conn: Connector = Connector.objects.get_subclass(pk=connector.pk)
+        controller = conn.controller(conn)
+        if Capabilities.STAGE_ENDPOINTS not in controller.capabilities():
+            raise ValidationError(_("Selected connector is not compatible with this stage."))
+        return connector
+
     class Meta:
         model = EndpointStage
         fields = StageSerializer.Meta.fields + [

authentik/endpoints/connectors/agent/controller.py

@@ -8,7 +8,7 @@ from rest_framework.fields import CharField
 
 from authentik.core.api.utils import PassiveSerializer
 from authentik.endpoints.connectors.agent.models import AgentConnector, EnrollmentToken
-from authentik.endpoints.controller import BaseController
+from authentik.endpoints.controller import BaseController, Capabilities
 from authentik.endpoints.facts import OSFamily
 
 
@@ -48,8 +48,8 @@ class AgentConnectorController(BaseController[AgentConnector]):
     def vendor_identifier() -> str:
         return "goauthentik.io/platform"
 
-    def supported_enrollment_methods(self):
-        return []
+    def capabilities(self) -> list[Capabilities]:
+        return [Capabilities.STAGE_ENDPOINTS]
 
     def generate_mdm_config(
         self, target_platform: OSFamily, request: HttpRequest, token: EnrollmentToken

authentik/endpoints/connectors/agent/tests/test_stage.py

@@ -1,5 +1,6 @@
 from hashlib import sha256
 from json import loads
+from unittest.mock import PropertyMock, patch
 
 from django.urls import reverse
 from jwt import encode
@@ -232,3 +233,43 @@ class TestEndpointStage(FlowTestCase):
         plan = plan()
         self.assertNotIn(PLAN_CONTEXT_AGENT_ENDPOINT_CHALLENGE, plan.context)
         self.assertEqual(plan.context[PLAN_CONTEXT_DEVICE], self.device)
+
+    def test_endpoint_stage_connector_no_stage_optional(self):
+        flow = create_test_flow()
+        stage = EndpointStage.objects.create(connector=self.connector, mode=StageMode.OPTIONAL)
+        FlowStageBinding.objects.create(stage=stage, target=flow, order=0)
+
+        with patch(
+            "authentik.endpoints.connectors.agent.models.AgentConnector.stage",
+            PropertyMock(return_value=None),
+        ):
+            with self.assertFlowFinishes() as plan:
+                res = self.client.get(
+                    reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
+                )
+                self.assertStageRedirects(res, reverse("authentik_core:root-redirect"))
+            plan = plan()
+            self.assertNotIn(PLAN_CONTEXT_AGENT_ENDPOINT_CHALLENGE, plan.context)
+            self.assertNotIn(PLAN_CONTEXT_DEVICE, plan.context)
+
+    def test_endpoint_stage_connector_no_stage_required(self):
+        flow = create_test_flow()
+        stage = EndpointStage.objects.create(connector=self.connector, mode=StageMode.REQUIRED)
+        FlowStageBinding.objects.create(stage=stage, target=flow, order=0)
+
+        with patch(
+            "authentik.endpoints.connectors.agent.models.AgentConnector.stage",
+            PropertyMock(return_value=None),
+        ):
+            with self.assertFlowFinishes() as plan:
+                res = self.client.get(
+                    reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
+                )
+                self.assertStageResponse(
+                    res,
+                    component="ak-stage-access-denied",
+                    error_message="Invalid stage configuration",
+                )
+            plan = plan()
+            self.assertNotIn(PLAN_CONTEXT_AGENT_ENDPOINT_CHALLENGE, plan.context)
+            self.assertNotIn(PLAN_CONTEXT_DEVICE, plan.context)

authentik/endpoints/controller.py

@@ -8,13 +8,15 @@ from authentik.lib.sentry import SentryIgnoredException
 MERGED_VENDOR = "goauthentik.io/@merged"
 
 
-class EnrollmentMethods(models.TextChoices):
+class Capabilities(models.TextChoices):
     # Automatically enrolled through user action
-    AUTOMATIC_USER = "automatic_user"
+    ENROLL_AUTOMATIC_USER = "enroll_automatic_user"
     # Automatically enrolled through connector integration
-    AUTOMATIC_API = "automatic_api"
+    ENROLL_AUTOMATIC_API = "enroll_automatic_api"
     # Manually enrolled with user interaction (user scanning a QR code for example)
-    MANUAL_USER = "manual_user"
+    ENROLL_MANUAL_USER = "enroll_manual_user"
+    # Supported for use with Endpoints stage
+    STAGE_ENDPOINTS = "stage_endpoints"
 
 
 class ConnectorSyncException(SentryIgnoredException):
@@ -34,7 +36,7 @@ class BaseController[T: "Connector"]:
     def vendor_identifier() -> str:
         raise NotImplementedError
 
-    def supported_enrollment_methods(self) -> list[EnrollmentMethods]:
+    def capabilities(self) -> list[Capabilities]:
         return []
 
     def stage_view_enrollment(self) -> StageView | None:
@@ -42,3 +44,6 @@ class BaseController[T: "Connector"]:
 
     def stage_view_authentication(self) -> StageView | None:
         return None
+
+    def sync_endpoints(self):
+        raise NotImplementedError

authentik/endpoints/facts.py

@@ -63,7 +63,7 @@ class OperatingSystemSerializer(Serializer):
             "Operating System version, must always be the version number but may contain build name"
         ),
     )
-    arch = CharField(required=True)
+    arch = CharField(required=False)
 
 
 class NetworkInterfaceSerializer(Serializer):

authentik/endpoints/models.py

@@ -162,8 +162,11 @@ class Connector(ScheduledModel, SerializerModel):
 
     @property
     def schedule_specs(self) -> list[ScheduleSpec]:
+        from authentik.endpoints.controller import Capabilities
         from authentik.endpoints.tasks import endpoints_sync
 
+        if Capabilities.ENROLL_AUTOMATIC_API not in self.controller(self).capabilities():
+            return []
         return [
             ScheduleSpec(
                 actor=endpoints_sync,

authentik/endpoints/stage.py

@@ -1,4 +1,4 @@
-from authentik.endpoints.models import EndpointStage
+from authentik.endpoints.models import EndpointStage, StageMode
 from authentik.flows.stage import StageView
 
 PLAN_CONTEXT_ENDPOINT_CONNECTOR = "endpoint_connector"
@@ -6,15 +6,24 @@ PLAN_CONTEXT_ENDPOINT_CONNECTOR = "endpoint_connector"
 
 class EndpointStageView(StageView):
 
-    def _get_inner(self):
+    def _get_inner(self) -> StageView | None:
         stage: EndpointStage = self.executor.current_stage
         inner_stage: type[StageView] | None = stage.connector.stage
         if not inner_stage:
-            return self.executor.stage_ok()
+            return None
         return inner_stage(self.executor, request=self.request)
 
     def dispatch(self, request, *args, **kwargs):
-        return self._get_inner().dispatch(request, *args, **kwargs)
+        inner = self._get_inner()
+        if inner is None:
+            stage: EndpointStage = self.executor.current_stage
+            if stage.mode == StageMode.OPTIONAL:
+                return self.executor.stage_ok()
+            else:
+                return self.executor.stage_invalid("Invalid stage configuration")
+        return inner.dispatch(request, *args, **kwargs)
 
     def cleanup(self):
-        return self._get_inner().cleanup()
+        inner = self._get_inner()
+        if inner is not None:
+            return inner.cleanup()

authentik/endpoints/tasks.py

@@ -6,7 +6,7 @@ from django.utils.translation import gettext_lazy as _
 from dramatiq.actor import actor
 from structlog.stdlib import get_logger
 
-from authentik.endpoints.controller import EnrollmentMethods
+from authentik.endpoints.controller import Capabilities
 from authentik.endpoints.models import Connector
 
 LOGGER = get_logger()
@@ -21,7 +21,7 @@ def endpoints_sync(connector_pk: Any):
         return
     controller = connector.controller
     ctrl = controller(connector)
-    if EnrollmentMethods.AUTOMATIC_API not in ctrl.supported_enrollment_methods():
+    if Capabilities.ENROLL_AUTOMATIC_API not in ctrl.capabilities():
         return
     LOGGER.info("Syncing connector", connector=connector.name)
     ctrl.sync_endpoints()

authentik/endpoints/tests/test_api.py

@@ -0,0 +1,41 @@
+from django.urls import reverse
+from rest_framework.test import APITestCase
+
+from authentik.core.tests.utils import create_test_admin_user
+from authentik.endpoints.connectors.agent.models import AgentConnector
+from authentik.endpoints.models import StageMode
+from authentik.enterprise.endpoints.connectors.fleet.models import FleetConnector
+from authentik.lib.generators import generate_id
+
+
+class TestAPI(APITestCase):
+    def setUp(self):
+        self.user = create_test_admin_user()
+        self.client.force_login(self.user)
+
+    def test_endpoint_stage_agent(self):
+        connector = AgentConnector.objects.create(name=generate_id())
+        res = self.client.post(
+            reverse("authentik_api:stages-endpoint-list"),
+            data={
+                "name": generate_id(),
+                "connector": str(connector.pk),
+                "mode": StageMode.REQUIRED,
+            },
+        )
+        self.assertEqual(res.status_code, 201)
+
+    def test_endpoint_stage_fleet(self):
+        connector = FleetConnector.objects.create(name=generate_id())
+        res = self.client.post(
+            reverse("authentik_api:stages-endpoint-list"),
+            data={
+                "name": generate_id(),
+                "connector": str(connector.pk),
+                "mode": StageMode.REQUIRED,
+            },
+        )
+        self.assertEqual(res.status_code, 400)
+        self.assertJSONEqual(
+            res.content, {"connector": ["Selected connector is not compatible with this stage."]}
+        )

authentik/endpoints/tests/test_tasks.py

@@ -0,0 +1,35 @@
+from unittest.mock import PropertyMock, patch
+
+from rest_framework.test import APITestCase
+
+from authentik.endpoints.controller import BaseController, Capabilities
+from authentik.endpoints.models import Connector
+from authentik.endpoints.tasks import endpoints_sync
+from authentik.lib.generators import generate_id
+
+
+class TestEndpointTasks(APITestCase):
+    def test_agent_sync(self):
+        class controller(BaseController):
+            def capabilities(self):
+                return [Capabilities.ENROLL_AUTOMATIC_API]
+
+            def sync_endpoints(self):
+                pass
+
+        with patch.object(Connector, "controller", PropertyMock(return_value=controller)):
+            connector = Connector.objects.create(name=generate_id())
+            self.assertEqual(len(connector.schedule_specs), 1)
+
+            endpoints_sync.send(connector.pk).get_result(block=True)
+
+    def test_agent_no_sync(self):
+        class controller(BaseController):
+            def capabilities(self):
+                return []
+
+        with patch.object(Connector, "controller", PropertyMock(return_value=controller)):
+            connector = Connector.objects.create(name=generate_id())
+            self.assertEqual(len(connector.schedule_specs), 0)
+
+            endpoints_sync.send(connector.pk).get_result(block=True)

authentik/enterprise/audit/apps.py

@@ -1,6 +1,7 @@
 """Enterprise app config"""
 
 from django.conf import settings
+from django.utils.translation import gettext_lazy as _
 
 from authentik.enterprise.apps import EnterpriseConfig
 from authentik.tenants.flags import Flag
@@ -9,6 +10,9 @@ from authentik.tenants.flags import Flag
 class AuditIncludeExpandedDiff(Flag[bool], key="enterprise_audit_include_expanded_diff"):
     default = False
     visibility = "none"
+    description = _(
+        "Include additional information in audit logs, may incur a performance penalty."
+    )
 
 
 class AuthentikEnterpriseAuditConfig(EnterpriseConfig):

authentik/enterprise/endpoints/connectors/agent/views/auth_interactive.py

@@ -3,6 +3,7 @@ from hmac import compare_digest
 
 from django.http import Http404, HttpRequest, HttpResponse, HttpResponseBadRequest, QueryDict
 
+from authentik.common.oauth.constants import QS_LOGIN_HINT
 from authentik.endpoints.connectors.agent.auth import (
     agent_auth_issue_token,
     check_device_policies,
@@ -14,7 +15,7 @@ from authentik.enterprise.policy import EnterprisePolicyAccessView
 from authentik.flows.exceptions import FlowNonApplicableException
 from authentik.flows.models import in_memory_stage
 from authentik.flows.planner import PLAN_CONTEXT_DEVICE, FlowPlanner
-from authentik.flows.stage import StageView
+from authentik.flows.stage import PLAN_CONTEXT_PENDING_USER_IDENTIFIER, StageView
 from authentik.providers.oauth2.utils import HttpResponseRedirectScheme
 
 QS_AGENT_IA_TOKEN = "ak-auth-ia-token"  # nosec
@@ -64,14 +65,14 @@ class AgentInteractiveAuth(EnterprisePolicyAccessView):
 
         planner = FlowPlanner(self.connector.authorization_flow)
         planner.allow_empty_flows = True
+        context = {
+            PLAN_CONTEXT_DEVICE: self.device,
+            PLAN_CONTEXT_DEVICE_AUTH_TOKEN: self.auth_token,
+        }
+        if QS_LOGIN_HINT in request.GET:
+            context[PLAN_CONTEXT_PENDING_USER_IDENTIFIER] = request.GET[QS_LOGIN_HINT]
         try:
-            plan = planner.plan(
-                self.request,
-                {
-                    PLAN_CONTEXT_DEVICE: self.device,
-                    PLAN_CONTEXT_DEVICE_AUTH_TOKEN: self.auth_token,
-                },
-            )
+            plan = planner.plan(self.request, context)
         except FlowNonApplicableException:
             return self.handle_no_permission_authenticated()
         plan.append_stage(in_memory_stage(AgentAuthFulfillmentStage))
@@ -84,7 +85,6 @@ class AgentInteractiveAuth(EnterprisePolicyAccessView):
 
 
 class AgentAuthFulfillmentStage(StageView):
-
     def get(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
         device: Device = self.executor.plan.context.pop(PLAN_CONTEXT_DEVICE)
         auth_token: DeviceAuthenticationToken = self.executor.plan.context.pop(

authentik/enterprise/endpoints/connectors/fleet/controller.py

@@ -6,7 +6,7 @@ from requests import RequestException
 from rest_framework.exceptions import ValidationError
 
 from authentik.core.models import User
-from authentik.endpoints.controller import BaseController, ConnectorSyncException, EnrollmentMethods
+from authentik.endpoints.controller import BaseController, Capabilities, ConnectorSyncException
 from authentik.endpoints.facts import (
     DeviceFacts,
     OSFamily,
@@ -43,8 +43,8 @@ class FleetController(BaseController[DBC]):
     def vendor_identifier() -> str:
         return "fleetdm.com"
 
-    def supported_enrollment_methods(self) -> list[EnrollmentMethods]:
-        return [EnrollmentMethods.AUTOMATIC_API]
+    def capabilities(self) -> list[Capabilities]:
+        return [Capabilities.ENROLL_AUTOMATIC_API]
 
     def _url(self, path: str) -> str:
         return f"{self.connector.url}{path}"

authentik/enterprise/endpoints/connectors/google_chrome/api.py

@@ -0,0 +1,42 @@
+"""GoogleChromeConnector API Views"""
+
+from django.urls import reverse
+from rest_framework.fields import SerializerMethodField
+from rest_framework.request import Request
+from rest_framework.viewsets import ModelViewSet
+
+from authentik.core.api.used_by import UsedByMixin
+from authentik.endpoints.api.connectors import ConnectorSerializer
+from authentik.enterprise.api import EnterpriseRequiredMixin
+from authentik.enterprise.endpoints.connectors.google_chrome.models import GoogleChromeConnector
+
+
+class GoogleChromeConnectorSerializer(EnterpriseRequiredMixin, ConnectorSerializer):
+    """GoogleChromeConnector Serializer"""
+
+    chrome_url = SerializerMethodField()
+
+    def get_chrome_url(self, _: GoogleChromeConnector) -> str | None:
+        """Full URL to be used in Google Workspace configuration"""
+        request: Request = self.context.get("request", None)
+        if not request:
+            return True
+        return request.build_absolute_uri(
+            reverse("authentik_endpoints_connectors_google_chrome:chrome")
+        )
+
+    class Meta:
+        model = GoogleChromeConnector
+        fields = ConnectorSerializer.Meta.fields + ["credentials", "chrome_url"]
+
+
+class GoogleChromeConnectorViewSet(UsedByMixin, ModelViewSet):
+    """GoogleChromeConnector Viewset"""
+
+    queryset = GoogleChromeConnector.objects.all()
+    serializer_class = GoogleChromeConnectorSerializer
+    filterset_fields = [
+        "name",
+    ]
+    search_fields = ["name"]
+    ordering = ["name"]

authentik/enterprise/endpoints/connectors/google_chrome/apps.py

@@ -0,0 +1,13 @@
+"""authentik Endpoint app config"""
+
+from authentik.enterprise.apps import EnterpriseConfig
+
+
+class AuthentikEndpointsConnectorGoogleChromeAppConfig(EnterpriseConfig):
+    """authentik endpoint config"""
+
+    name = "authentik.enterprise.endpoints.connectors.google_chrome"
+    label = "authentik_endpoints_connectors_google_chrome"
+    verbose_name = "authentik Enterprise.Endpoints.Connectors.Google Chrome"
+    default = True
+    mountpoint = "endpoints/google/"

authentik/enterprise/endpoints/connectors/google_chrome/controller.py

@@ -0,0 +1,116 @@
+from json import dumps, loads
+
+from django.http import HttpRequest, HttpResponseRedirect
+from django.urls import reverse
+from googleapiclient.discovery import build
+
+from authentik.endpoints.controller import BaseController, Capabilities
+from authentik.endpoints.facts import DeviceFacts, OSFamily
+from authentik.endpoints.models import Device, DeviceConnection
+from authentik.enterprise.endpoints.connectors.google_chrome.google_schema import (
+    DeviceSignals,
+    VerifyChallengeResponseResult,
+)
+from authentik.enterprise.endpoints.connectors.google_chrome.models import GoogleChromeConnector
+from authentik.policies.utils import delete_none_values
+
+# Header we get from chrome that initiates verified access
+HEADER_DEVICE_TRUST = "X-Device-Trust"
+# Header we send to the client with the challenge
+HEADER_ACCESS_CHALLENGE = "X-Verified-Access-Challenge"
+# Header we get back from the client that we verify with google
+HEADER_ACCESS_CHALLENGE_RESPONSE = "X-Verified-Access-Challenge-Response"
+# Header value for x-device-trust that initiates the flow
+DEVICE_TRUST_VERIFIED_ACCESS = "VerifiedAccess"
+
+
+class GoogleChromeController(BaseController[GoogleChromeConnector]):
+
+    def __init__(self, connector):
+        super().__init__(connector)
+        self.google_client = build(
+            "verifiedaccess",
+            "v2",
+            cache_discovery=False,
+            **connector.google_credentials(),
+        )
+
+    @staticmethod
+    def vendor_identifier() -> str:
+        return "chrome.google.com"
+
+    def capabilities(self) -> list[Capabilities]:
+        return [Capabilities.STAGE_ENDPOINTS, Capabilities.ENROLL_AUTOMATIC_USER]
+
+    def generate_challenge(self, request: HttpRequest) -> HttpResponseRedirect:
+        challenge = self.google_client.challenge().generate().execute()
+        res = HttpResponseRedirect(
+            request.build_absolute_uri(
+                reverse("authentik_endpoints_connectors_google_chrome:chrome")
+            )
+        )
+        res[HEADER_ACCESS_CHALLENGE] = dumps(challenge)
+        return res
+
+    def validate_challenge(self, response: str) -> Device:
+        response = VerifyChallengeResponseResult(
+            self.google_client.challenge().verify(body=loads(response)).execute()
+        )
+        # Remove deprecated string representation of deviceSignals
+        response.pop("deviceSignal", None)
+        signals = DeviceSignals(response["deviceSignals"])
+        device, _ = Device.objects.update_or_create(
+            identifier=signals["serialNumber"],
+            defaults={
+                "name": signals["hostname"],
+            },
+        )
+        conn, _ = DeviceConnection.objects.update_or_create(
+            device=device,
+            connector=self.connector,
+        )
+        conn.create_snapshot(self.convert_data(signals))
+        return device
+
+    def convert_os_family(self, family) -> OSFamily:
+        return {
+            "CHROME_OS": OSFamily.linux,
+            "CHROMIUM_OS": OSFamily.linux,
+            "WINDOWS": OSFamily.windows,
+            "MAC_OS_X": OSFamily.macOS,
+            "LINUX": OSFamily.linux,
+        }.get(family, OSFamily.other)
+
+    def convert_data(self, raw_signals: DeviceSignals):
+        data = {
+            "os": delete_none_values(
+                {
+                    "family": self.convert_os_family(raw_signals["operatingSystem"]),
+                    "version": raw_signals["osVersion"],
+                }
+            ),
+            "disks": [],
+            "network": delete_none_values(
+                {
+                    "hostname": raw_signals["hostname"],
+                    "interfaces": [],
+                    "firewall_enabled": raw_signals["osFirewall"] == "OS_FIREWALL_ENABLED",
+                },
+            ),
+            "hardware": delete_none_values(
+                {
+                    "model": raw_signals["deviceModel"],
+                    "manufacturer": raw_signals["deviceManufacturer"],
+                    "serial": raw_signals["serialNumber"],
+                }
+            ),
+            "vendor": {
+                self.vendor_identifier(): {
+                    "agent_version": raw_signals["browserVersion"],
+                    "raw": raw_signals,
+                },
+            },
+        }
+        facts = DeviceFacts(data=data)
+        facts.is_valid(raise_exception=True)
+        return facts.validated_data

authentik/enterprise/endpoints/connectors/google_chrome/google_schema.py

@@ -0,0 +1,129 @@
+from typing import Literal, TypedDict
+
+# Based on https://github.com/henribru/google-api-python-client-stubs/blob/master/googleapiclient-stubs/_apis/verifiedaccess/v2/schemas.pyi
+
+
+class Antivirus(TypedDict, total=False):
+    state: Literal["STATE_UNSPECIFIED", "MISSING", "DISABLED", "ENABLED"]
+
+
+class Challenge(TypedDict, total=False):
+    challenge: str
+
+
+class CrowdStrikeAgent(TypedDict, total=False):
+    agentId: str
+    customerId: str
+
+
+class DeviceSignals(TypedDict, total=False):
+    allowScreenLock: bool
+    antivirus: Antivirus
+    browserVersion: str
+    builtInDnsClientEnabled: bool
+    chromeRemoteDesktopAppBlocked: bool
+    crowdStrikeAgent: CrowdStrikeAgent
+    deviceAffiliationIds: list[str]
+    deviceEnrollmentDomain: str
+    deviceManufacturer: str
+    deviceModel: str
+    diskEncryption: Literal[
+        "DISK_ENCRYPTION_UNSPECIFIED",
+        "DISK_ENCRYPTION_UNKNOWN",
+        "DISK_ENCRYPTION_DISABLED",
+        "DISK_ENCRYPTION_ENCRYPTED",
+    ]
+    displayName: str
+    hostname: str
+    imei: list[str]
+    macAddresses: list[str]
+    meid: list[str]
+    operatingSystem: Literal[
+        "OPERATING_SYSTEM_UNSPECIFIED",
+        "CHROME_OS",
+        "CHROMIUM_OS",
+        "WINDOWS",
+        "MAC_OS_X",
+        "LINUX",
+    ]
+    osFirewall: Literal[
+        "OS_FIREWALL_UNSPECIFIED",
+        "OS_FIREWALL_UNKNOWN",
+        "OS_FIREWALL_DISABLED",
+        "OS_FIREWALL_ENABLED",
+    ]
+    osVersion: str
+    passwordProtectionWarningTrigger: Literal[
+        "PASSWORD_PROTECTION_WARNING_TRIGGER_UNSPECIFIED",
+        "POLICY_UNSET",
+        "PASSWORD_PROTECTION_OFF",
+        "PASSWORD_REUSE",
+        "PHISHING_REUSE",
+    ]
+    profileAffiliationIds: list[str]
+    profileEnrollmentDomain: str
+    realtimeUrlCheckMode: Literal[
+        "REALTIME_URL_CHECK_MODE_UNSPECIFIED",
+        "REALTIME_URL_CHECK_MODE_DISABLED",
+        "REALTIME_URL_CHECK_MODE_ENABLED_MAIN_FRAME",
+    ]
+    safeBrowsingProtectionLevel: Literal[
+        "SAFE_BROWSING_PROTECTION_LEVEL_UNSPECIFIED", "INACTIVE", "STANDARD", "ENHANCED"
+    ]
+    screenLockSecured: Literal[
+        "SCREEN_LOCK_SECURED_UNSPECIFIED",
+        "SCREEN_LOCK_SECURED_UNKNOWN",
+        "SCREEN_LOCK_SECURED_DISABLED",
+        "SCREEN_LOCK_SECURED_ENABLED",
+    ]
+    secureBootMode: Literal[
+        "SECURE_BOOT_MODE_UNSPECIFIED",
+        "SECURE_BOOT_MODE_UNKNOWN",
+        "SECURE_BOOT_MODE_DISABLED",
+        "SECURE_BOOT_MODE_ENABLED",
+    ]
+    serialNumber: str
+    siteIsolationEnabled: bool
+    systemDnsServers: list[str]
+    thirdPartyBlockingEnabled: bool
+    trigger: Literal["TRIGGER_UNSPECIFIED", "TRIGGER_BROWSER_NAVIGATION", "TRIGGER_LOGIN_SCREEN"]
+    windowsMachineDomain: str
+    windowsUserDomain: str
+
+
+class Empty(TypedDict, total=False): ...
+
+
+class VerifyChallengeResponseRequest(TypedDict, total=False):
+    challengeResponse: str
+    expectedIdentity: str
+
+
+class VerifyChallengeResponseResult(TypedDict, total=False):
+    attestedDeviceId: str
+    customerId: str
+    deviceEnrollmentId: str
+    devicePermanentId: str
+    deviceSignal: str
+    deviceSignals: DeviceSignals
+    keyTrustLevel: Literal[
+        "KEY_TRUST_LEVEL_UNSPECIFIED",
+        "CHROME_OS_VERIFIED_MODE",
+        "CHROME_OS_DEVELOPER_MODE",
+        "CHROME_BROWSER_HW_KEY",
+        "CHROME_BROWSER_OS_KEY",
+        "CHROME_BROWSER_NO_KEY",
+    ]
+    profileCustomerId: str
+    profileKeyTrustLevel: Literal[
+        "KEY_TRUST_LEVEL_UNSPECIFIED",
+        "CHROME_OS_VERIFIED_MODE",
+        "CHROME_OS_DEVELOPER_MODE",
+        "CHROME_BROWSER_HW_KEY",
+        "CHROME_BROWSER_OS_KEY",
+        "CHROME_BROWSER_NO_KEY",
+    ]
+    profilePermanentId: str
+    signedPublicKeyAndChallenge: str
+    virtualDeviceId: str
+    virtualProfileId: str

authentik/enterprise/endpoints/connectors/google_chrome/migrations/0001_initial.py

@@ -0,0 +1,38 @@
+# Generated by Django 5.2.11 on 2026-03-01 18:38
+
+import django.db.models.deletion
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    initial = True
+
+    dependencies = [
+        ("authentik_endpoints", "0004_deviceaccessgroup_attributes"),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name="GoogleChromeConnector",
+            fields=[
+                (
+                    "connector_ptr",
+                    models.OneToOneField(
+                        auto_created=True,
+                        on_delete=django.db.models.deletion.CASCADE,
+                        parent_link=True,
+                        primary_key=True,
+                        serialize=False,
+                        to="authentik_endpoints.connector",
+                    ),
+                ),
+                ("credentials", models.JSONField()),
+            ],
+            options={
+                "verbose_name": "Google Device Trust Connector",
+                "verbose_name_plural": "Google Device Trust Connectors",
+            },
+            bases=("authentik_endpoints.connector",),
+        ),
+    ]

authentik/enterprise/endpoints/connectors/google_chrome/models.py

@@ -0,0 +1,69 @@
+"""Endpoint stage"""
+
+from typing import TYPE_CHECKING
+
+from django.db import models
+from django.templatetags.static import static
+from django.utils.translation import gettext_lazy as _
+from google.oauth2.service_account import Credentials
+from rest_framework.serializers import BaseSerializer
+
+from authentik.endpoints.models import Connector
+from authentik.flows.stage import StageView
+
+if TYPE_CHECKING:
+    from authentik.enterprise.endpoints.connectors.google_chrome.controller import (
+        GoogleChromeController,
+    )
+
+
+class GoogleChromeConnector(Connector):
+    """Verify Google Chrome Device Trust connection for the user's browser."""
+
+    credentials = models.JSONField()
+
+    def google_credentials(self):
+        return {
+            "credentials": Credentials.from_service_account_info(
+                self.credentials, scopes=["https://www.googleapis.com/auth/verifiedaccess"]
+            ),
+        }
+
+    @property
+    def icon_url(self):
+        return static("authentik/sources/google.svg")
+
+    @property
+    def serializer(self) -> type[BaseSerializer]:
+        from authentik.enterprise.endpoints.connectors.google_chrome.api import (
+            GoogleChromeConnectorSerializer,
+        )
+
+        return GoogleChromeConnectorSerializer
+
+    @property
+    def stage(self) -> type[StageView] | None:
+        from authentik.enterprise.endpoints.connectors.google_chrome.stage import (
+            GoogleChromeStageView,
+        )
+
+        return GoogleChromeStageView
+
+    @property
+    def controller(self) -> type[GoogleChromeController]:
+        from authentik.enterprise.endpoints.connectors.google_chrome.controller import (
+            GoogleChromeController,
+        )
+
+        return GoogleChromeController
+
+    @property
+    def component(self) -> str:
+        return "ak-endpoints-connector-gdtc-form"
+
+    def __str__(self) -> str:
+        return f"Google Device Trust Connector {self.name}"
+
+    class Meta:
+        verbose_name = _("Google Device Trust Connector")
+        verbose_name_plural = _("Google Device Trust Connectors")

authentik/enterprise/endpoints/connectors/google_chrome/stage.py

@@ -0,0 +1,32 @@
+from django.http import HttpResponse
+from django.urls import reverse
+from django.utils.translation import gettext as _
+
+from authentik.flows.challenge import (
+    Challenge,
+    ChallengeResponse,
+    FrameChallenge,
+    FrameChallengeResponse,
+)
+from authentik.flows.stage import ChallengeStageView
+
+
+class GoogleChromeStageView(ChallengeStageView):
+    """Endpoint stage"""
+
+    response_class = FrameChallengeResponse
+
+    def get_challenge(self, *args, **kwargs) -> Challenge:
+        return FrameChallenge(
+            data={
+                "component": "xak-flow-frame",
+                "url": self.request.build_absolute_uri(
+                    reverse("authentik_endpoints_connectors_google_chrome:chrome")
+                ),
+                "loading_overlay": True,
+                "loading_text": _("Verifying your browser..."),
+            }
+        )
+
+    def challenge_valid(self, response: ChallengeResponse) -> HttpResponse:
+        return self.executor.stage_ok()

authentik/enterprise/endpoints/connectors/google_chrome/tests/fixtures/host_macos.json

@@ -0,0 +1,36 @@
+{
+    "devicePermanentId": "6f30327d-e436-4f7a-9f89-c37a7b6bf408",
+    "keyTrustLevel": "CHROME_BROWSER_HW_KEY",
+    "virtualDeviceId": "Z5DDF07GK6",
+    "customerId": "qewrqer",
+    "deviceSignals": {
+        "deviceManufacturer": "Apple Inc.",
+        "deviceModel": "MacBookPro18,1",
+        "operatingSystem": "MAC_OS_X",
+        "osVersion": "26.2.0",
+        "displayName": "jens-mac-vm",
+        "diskEncryption": "DISK_ENCRYPTION_ENCRYPTED",
+        "serialNumber": "Z5DDF07GK6",
+        "osFirewall": "OS_FIREWALL_DISABLED",
+        "systemDnsServers": [
+            "10.120.20.250:53"
+        ],
+        "hostname": "jens-mac-vm.lab.beryju.org",
+        "macAddresses": [
+            "f4:d4:88:79:07:0e"
+        ],
+        "screenLockSecured": "SCREEN_LOCK_SECURED_ENABLED",
+        "deviceEnrollmentDomain": "beryju.org",
+        "browserVersion": "145.0.7632.76",
+        "deviceAffiliationIds": [
+            "qewrqer"
+        ],
+        "builtInDnsClientEnabled": true,
+        "chromeRemoteDesktopAppBlocked": false,
+        "safeBrowsingProtectionLevel": "STANDARD",
+        "siteIsolationEnabled": true,
+        "passwordProtectionWarningTrigger": "POLICY_UNSET",
+        "realtimeUrlCheckMode": "REALTIME_URL_CHECK_MODE_DISABLED",
+        "trigger": "TRIGGER_BROWSER_NAVIGATION"
+    }
+}

authentik/enterprise/endpoints/connectors/google_chrome/tests/test_controller.py

@@ -0,0 +1,67 @@
+from json import dumps
+from unittest.mock import MagicMock, patch
+
+from django.urls import reverse
+from rest_framework.test import APITestCase
+
+from authentik.core.tests.utils import RequestFactory
+from authentik.endpoints.facts import OSFamily
+from authentik.endpoints.models import Device
+from authentik.enterprise.endpoints.connectors.google_chrome.controller import (
+    HEADER_ACCESS_CHALLENGE,
+    GoogleChromeController,
+)
+from authentik.enterprise.endpoints.connectors.google_chrome.models import GoogleChromeConnector
+from authentik.enterprise.providers.google_workspace.clients.test_http import MockHTTP
+from authentik.lib.generators import generate_id
+from authentik.lib.tests.utils import load_fixture
+
+
+class TestGoogleChromeConnector(APITestCase):
+    def setUp(self):
+        self.connector = GoogleChromeConnector.objects.create(
+            name=generate_id(),
+            credentials={},
+        )
+        self.factory = RequestFactory()
+        self.api_key = generate_id()
+
+    def test_generate_challenge(self):
+        req = self.factory.get("/")
+        challenge = generate_id()
+        http = MockHTTP()
+        http.add_response(
+            f"https://verifiedaccess.googleapis.com/v2/challenge:generate?key={self.api_key}&alt=json",
+            {"challenge": challenge},
+            method="POST",
+        )
+        with patch(
+            "authentik.enterprise.endpoints.connectors.google_chrome.models.GoogleChromeConnector.google_credentials",
+            MagicMock(return_value={"developerKey": self.api_key, "http": http}),
+        ):
+            controller = GoogleChromeController(self.connector)
+            res = controller.generate_challenge(req)
+            self.assertEqual(
+                res["Location"],
+                req.build_absolute_uri(
+                    reverse("authentik_endpoints_connectors_google_chrome:chrome")
+                ),
+            )
+            self.assertEqual(res.headers[HEADER_ACCESS_CHALLENGE], dumps({"challenge": challenge}))
+
+    def test_validate_challenge(self):
+        http = MockHTTP()
+        http.add_response(
+            f"https://verifiedaccess.googleapis.com/v2/challenge:verify?key={self.api_key}&alt=json",
+            load_fixture("fixtures/host_macos.json"),
+            method="POST",
+        )
+        with patch(
+            "authentik.enterprise.endpoints.connectors.google_chrome.models.GoogleChromeConnector.google_credentials",
+            MagicMock(return_value={"developerKey": self.api_key, "http": http}),
+        ):
+            controller = GoogleChromeController(self.connector)
+            controller.validate_challenge(dumps("{}"))
+        device = Device.objects.get(identifier="Z5DDF07GK6")
+        self.assertIsNotNone(device)
+        self.assertEqual(device.cached_facts.data["os"]["family"], OSFamily.macOS)

authentik/enterprise/endpoints/connectors/google_chrome/tests/test_view.py

@@ -0,0 +1,91 @@
+from json import dumps
+from unittest.mock import MagicMock, patch
+
+from django.urls import reverse
+
+from authentik.core.tests.utils import RequestFactory, create_test_flow
+from authentik.endpoints.models import Device, EndpointStage
+from authentik.enterprise.endpoints.connectors.google_chrome.models import GoogleChromeConnector
+from authentik.enterprise.providers.google_workspace.clients.test_http import MockHTTP
+from authentik.flows.models import FlowStageBinding
+from authentik.flows.planner import PLAN_CONTEXT_DEVICE
+from authentik.flows.tests import FlowTestCase
+from authentik.lib.generators import generate_id
+from authentik.lib.tests.utils import load_fixture
+
+
+class TestChromeDTCView(FlowTestCase):
+    def setUp(self):
+        self.flow = create_test_flow()
+        self.connector = GoogleChromeConnector.objects.create(
+            name=generate_id(),
+            credentials={},
+        )
+        self.factory = RequestFactory()
+        self.api_key = generate_id()
+        self.stage = EndpointStage.objects.create(
+            name=generate_id(),
+            connector=self.connector,
+        )
+        FlowStageBinding.objects.create(
+            target=self.flow,
+            stage=self.stage,
+            order=0,
+        )
+
+    def test_dtc_generate_verify(self):
+        res = self.client.get(
+            reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug}),
+        )
+        self.assertStageResponse(
+            res,
+            self.flow,
+            component="xak-flow-frame",
+            url="http://testserver/endpoints/google/chrome/",
+        )
+
+        challenge = generate_id()
+        http = MockHTTP()
+        http.add_response(
+            f"https://verifiedaccess.googleapis.com/v2/challenge:generate?key={self.api_key}&alt=json",
+            {"challenge": challenge},
+            method="POST",
+        )
+        http.add_response(
+            f"https://verifiedaccess.googleapis.com/v2/challenge:verify?key={self.api_key}&alt=json",
+            load_fixture("fixtures/host_macos.json"),
+            method="POST",
+        )
+        with patch(
+            "authentik.enterprise.endpoints.connectors.google_chrome.models.GoogleChromeConnector.google_credentials",
+            MagicMock(return_value={"developerKey": self.api_key, "http": http}),
+        ):
+            # Generate challenge
+            res = self.client.get(
+                reverse("authentik_endpoints_connectors_google_chrome:chrome"),
+                HTTP_X_DEVICE_TRUST="VerifiedAccess",
+            )
+            self.assertEqual(res.status_code, 302)
+            self.assertEqual(
+                res.headers["X-Verified-Access-Challenge"],
+                dumps({"challenge": challenge}),
+            )
+
+            # Validate challenge
+            res = self.client.get(
+                reverse("authentik_endpoints_connectors_google_chrome:chrome"),
+                HTTP_X_VERIFIED_ACCESS_CHALLENGE_RESPONSE=dumps({}),
+            )
+            self.assertEqual(res.status_code, 200)
+        device = Device.objects.get(identifier="Z5DDF07GK6")
+        self.assertIsNotNone(device)
+
+        # Continue flow
+        with self.assertFlowFinishes() as plan:
+            res = self.client.post(
+                reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug}),
+            )
+            self.assertStageRedirects(res, "/")
+        plan = plan()
+        plan_device = plan.context[PLAN_CONTEXT_DEVICE]
+        self.assertEqual(device.pk, plan_device.pk)

authentik/enterprise/endpoints/connectors/google_chrome/urls.py

@@ -0,0 +1,16 @@
+"""API URLs"""
+
+from django.urls import path
+
+from authentik.enterprise.endpoints.connectors.google_chrome.api import GoogleChromeConnectorViewSet
+from authentik.enterprise.endpoints.connectors.google_chrome.views.dtc import (
+    GoogleChromeDeviceTrustConnector,
+)
+
+urlpatterns = [
+    path("chrome/", GoogleChromeDeviceTrustConnector.as_view(), name="chrome"),
+]
+
+api_urlpatterns = [
+    ("endpoints/google_chrome/connectors", GoogleChromeConnectorViewSet),
+]

authentik/enterprise/endpoints/connectors/google_chrome/views/dtc.py

@@ -0,0 +1,46 @@
+from typing import Any
+
+from django.http import HttpRequest, HttpResponse, HttpResponseBadRequest
+from django.template.response import TemplateResponse
+from django.utils.decorators import method_decorator
+from django.views import View
+from django.views.decorators.clickjacking import xframe_options_sameorigin
+
+from authentik.endpoints.models import EndpointStage
+from authentik.enterprise.endpoints.connectors.google_chrome.controller import (
+    HEADER_ACCESS_CHALLENGE_RESPONSE,
+    HEADER_DEVICE_TRUST,
+    GoogleChromeController,
+)
+from authentik.enterprise.endpoints.connectors.google_chrome.models import GoogleChromeConnector
+from authentik.flows.planner import PLAN_CONTEXT_DEVICE, FlowPlan
+from authentik.flows.views.executor import SESSION_KEY_PLAN
+
+
+@method_decorator(xframe_options_sameorigin, name="dispatch")
+class GoogleChromeDeviceTrustConnector(View):
+    """Google Chrome Device-trust connector based endpoint authenticator"""
+
+    def get_flow_plan(self) -> FlowPlan:
+        flow_plan: FlowPlan = self.request.session[SESSION_KEY_PLAN]
+        return flow_plan
+
+    def setup(self, request: HttpRequest, *args: Any, **kwargs: Any) -> None:
+        super().setup(request, *args, **kwargs)
+        stage: EndpointStage = self.get_flow_plan().bindings[0].stage
+        connector = GoogleChromeConnector.objects.filter(pk=stage.connector_id).first()
+        if not connector:
+            return HttpResponseBadRequest()
+        self.controller: GoogleChromeController = connector.controller(connector)
+
+    def get(self, request: HttpRequest) -> HttpResponse:
+        x_device_trust = request.headers.get(HEADER_DEVICE_TRUST)
+        x_access_challenge_response = request.headers.get(HEADER_ACCESS_CHALLENGE_RESPONSE)
+        if x_device_trust == "VerifiedAccess" and x_access_challenge_response is None:
+            return self.controller.generate_challenge(request)
+        if x_access_challenge_response:
+            device = self.controller.validate_challenge(x_access_challenge_response)
+            flow_plan = self.get_flow_plan()
+            flow_plan.context[PLAN_CONTEXT_DEVICE] = device
+            self.request.session[SESSION_KEY_PLAN] = flow_plan
+        return TemplateResponse(request, "flows/frame-submit.html")

authentik/enterprise/license.py

@@ -15,6 +15,7 @@ from django.core.cache import cache
 from django.db.models.query import QuerySet
 from django.utils.timezone import now
 from jwt import PyJWTError, decode, get_unverified_header
+from jwt.algorithms import ECAlgorithm
 from rest_framework.exceptions import ValidationError
 from rest_framework.fields import (
     ChoiceField,
@@ -109,13 +110,20 @@ class LicenseKey:
             intermediate.verify_directly_issued_by(get_licensing_key())
         except InvalidSignature, TypeError, ValueError, Error:
             raise ValidationError("Unable to verify license") from None
+        _validate_curve_original = ECAlgorithm._validate_curve
         try:
+            # authentik's license are generated with `algorithm="ES512"` and signed with
+            # a key of curve `secp384r1`. Starting with version 2.11.0, pyjwt enforces the spec, see
+            # https://github.com/jpadilla/pyjwt/commit/5b8622773358e56d3d3c0a9acf404809ff34433a
+            # authentik will change its license generation to `algorithm="ES384"` in 2026.
+            # TODO: remove this when the last incompatible license runs out.
+            ECAlgorithm._validate_curve = lambda *_: True
             body = from_dict(
                 LicenseKey,
                 decode(
                     jwt,
                     our_cert.public_key(),
-                    algorithms=["ES512"],
+                    algorithms=["ES384", "ES512"],
                     audience=get_license_aud(),
                     options={"verify_exp": check_expiry, "verify_signature": check_expiry},
                 ),
@@ -125,6 +133,8 @@ class LicenseKey:
             if unverified["aud"] != get_license_aud():
                 raise ValidationError("Invalid Install ID in license") from None
             raise ValidationError("Unable to verify license") from None
+        finally:
+            ECAlgorithm._validate_curve = _validate_curve_original
         return body
 
     @staticmethod

authentik/enterprise/lifecycle/api/iterations.py

@@ -1,11 +1,11 @@
-from datetime import date
+from datetime import datetime
 
 from django.db.models import BooleanField as ModelBooleanField
 from django.db.models import Case, Q, Value, When
 from django_filters.rest_framework import BooleanFilter, FilterSet
-from drf_spectacular.utils import extend_schema, extend_schema_field
+from drf_spectacular.utils import extend_schema
 from rest_framework.decorators import action
-from rest_framework.fields import DateField, IntegerField, SerializerMethodField
+from rest_framework.fields import IntegerField, SerializerMethodField
 from rest_framework.mixins import CreateModelMixin
 from rest_framework.request import Request
 from rest_framework.response import Response
@@ -21,6 +21,7 @@ from authentik.enterprise.lifecycle.utils import (
     ReviewerUserSerializer,
     admin_link_for_model,
     parse_content_type,
+    start_of_day,
 )
 from authentik.lib.utils.time import timedelta_from_string
 
@@ -67,13 +68,13 @@ class LifecycleIterationSerializer(EnterpriseRequiredMixin, ModelSerializer):
     def get_object_admin_url(self, iteration: LifecycleIteration) -> str:
         return admin_link_for_model(iteration.object)
 
-    @extend_schema_field(DateField())
-    def get_grace_period_end(self, iteration: LifecycleIteration) -> date:
-        return iteration.opened_on + timedelta_from_string(iteration.rule.grace_period)
+    def get_grace_period_end(self, iteration: LifecycleIteration) -> datetime:
+        return start_of_day(
+            iteration.opened_on + timedelta_from_string(iteration.rule.grace_period)
+        )
 
-    @extend_schema_field(DateField())
-    def get_next_review_date(self, iteration: LifecycleIteration):
-        return iteration.opened_on + timedelta_from_string(iteration.rule.interval)
+    def get_next_review_date(self, iteration: LifecycleIteration) -> datetime:
+        return start_of_day(iteration.opened_on + timedelta_from_string(iteration.rule.interval))
 
     def get_user_can_review(self, iteration: LifecycleIteration) -> bool:
         return iteration.user_can_review(self.context["request"].user)
@@ -102,7 +103,7 @@ class IterationViewSet(EnterpriseRequiredMixin, CreateModelMixin, GenericViewSet
                 default=Value(False),
                 output_field=ModelBooleanField(),
             )
-        )
+        ).distinct()
 
     @action(
         detail=False,

authentik/enterprise/lifecycle/migrations/0002_alter_lifecycleiteration_opened_on.py

@@ -0,0 +1,18 @@
+# Generated by Django 5.2.11 on 2026-02-13 09:33
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_lifecycle", "0001_initial"),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="lifecycleiteration",
+            name="opened_on",
+            field=models.DateTimeField(auto_now_add=True),
+        ),
+    ]

authentik/enterprise/lifecycle/models.py

@@ -1,3 +1,4 @@
+from datetime import timedelta
 from uuid import uuid4
 
 from django.contrib.contenttypes.fields import GenericForeignKey
@@ -13,7 +14,7 @@ from rest_framework.serializers import BaseSerializer
 
 from authentik.blueprints.models import ManagedModel
 from authentik.core.models import Group, User
-from authentik.enterprise.lifecycle.utils import link_for_model
+from authentik.enterprise.lifecycle.utils import link_for_model, start_of_day
 from authentik.events.models import Event, EventAction, NotificationSeverity, NotificationTransport
 from authentik.lib.models import SerializerModel
 from authentik.lib.utils.time import timedelta_from_string, timedelta_string_validator
@@ -98,7 +99,9 @@ class LifecycleRule(SerializerModel):
 
     def _get_newly_overdue_iterations(self) -> QuerySet[LifecycleIteration]:
         return self.lifecycleiteration_set.filter(
-            opened_on__lte=timezone.now() - timedelta_from_string(self.grace_period),
+            opened_on__lt=start_of_day(
+                timezone.now() + timedelta(days=1) - timedelta_from_string(self.grace_period)
+            ),
             state=ReviewState.PENDING,
         )
 
@@ -106,7 +109,9 @@ class LifecycleRule(SerializerModel):
         recent_iteration_ids = LifecycleIteration.objects.filter(
             content_type=self.content_type,
             object_id__isnull=False,
-            opened_on__gte=timezone.now() - timedelta_from_string(self.interval),
+            opened_on__gte=start_of_day(
+                timezone.now() + timedelta(days=1) - timedelta_from_string(self.interval)
+            ),
         ).values_list(Cast("object_id", output_field=self._get_pk_field()), flat=True)
 
         return self.get_objects().exclude(pk__in=recent_iteration_ids)
@@ -186,7 +191,7 @@ class LifecycleIteration(SerializerModel, ManagedModel):
     rule = models.ForeignKey(LifecycleRule, null=True, on_delete=models.SET_NULL)
 
     state = models.CharField(max_length=10, choices=ReviewState, default=ReviewState.PENDING)
-    opened_on = models.DateField(auto_now_add=True)
+    opened_on = models.DateTimeField(auto_now_add=True)
 
     class Meta:
         indexes = [models.Index(fields=["content_type", "opened_on"])]

authentik/enterprise/lifecycle/tests/test_models.py

@@ -1,3 +1,4 @@
+import datetime as dt
 from datetime import timedelta
 from unittest.mock import patch
 
@@ -319,7 +320,7 @@ class TestLifecycleModels(TestCase):
             content_type=content_type, object_id=str(app_one.pk), rule=rule_overdue
         )
         LifecycleIteration.objects.filter(pk=iteration.pk).update(
-            opened_on=(timezone.now().date() - timedelta(days=20))
+            opened_on=(timezone.now() - timedelta(days=20))
         )
 
         # Apply again to trigger overdue logic
@@ -383,7 +384,7 @@ class TestLifecycleModels(TestCase):
             content_type=content_type, object_id=str(app_overdue.pk), rule=rule_overdue
         )
         LifecycleIteration.objects.filter(pk=overdue_iteration.pk).update(
-            opened_on=(timezone.now().date() - timedelta(days=20))
+            opened_on=(timezone.now() - timedelta(days=20))
         )
 
         # Apply overdue rule to mark iteration as overdue
@@ -667,3 +668,178 @@ class TestLifecycleModels(TestCase):
         reviewers = list(rule.get_reviewers())
         self.assertIn(explicit_reviewer, reviewers)
         self.assertIn(group_member, reviewers)
+
+
+class TestLifecycleDateBoundaries(TestCase):
+    """Verify that start_of_day normalization ensures correct overdue/due
+    detection regardless of exact task execution time within a day.
+
+    The daily task may run at any point during the day. The start_of_day
+    normalization in _get_newly_overdue_iterations and _get_newly_due_objects
+    ensures that the boundary is always at midnight, so millisecond variations
+    in task execution time do not affect results."""
+
+    def _create_rule_and_iteration(self, grace_period="days=1", interval="days=365"):
+        app = Application.objects.create(name=generate_id(), slug=generate_id())
+        content_type = ContentType.objects.get_for_model(Application)
+        rule = LifecycleRule.objects.create(
+            name=generate_id(),
+            content_type=content_type,
+            object_id=str(app.pk),
+            interval=interval,
+            grace_period=grace_period,
+        )
+        iteration = LifecycleIteration.objects.get(
+            content_type=content_type, object_id=str(app.pk), rule=rule
+        )
+        return app, rule, iteration
+
+    def test_overdue_iteration_opened_yesterday(self):
+        """grace_period=1 day: iteration opened yesterday at any time is overdue today."""
+        _, rule, iteration = self._create_rule_and_iteration(grace_period="days=1")
+        fixed_now = dt.datetime(2025, 6, 15, 14, 30, 0, tzinfo=dt.UTC)
+        for opened_on in [
+            dt.datetime(2025, 6, 14, 0, 0, 0, tzinfo=dt.UTC),
+            dt.datetime(2025, 6, 14, 12, 0, 0, tzinfo=dt.UTC),
+            dt.datetime(2025, 6, 14, 23, 59, 59, 999999, tzinfo=dt.UTC),
+        ]:
+            with self.subTest(opened_on=opened_on):
+                LifecycleIteration.objects.filter(pk=iteration.pk).update(
+                    opened_on=opened_on, state=ReviewState.PENDING
+                )
+                with patch("django.utils.timezone.now", return_value=fixed_now):
+                    self.assertIn(iteration, list(rule._get_newly_overdue_iterations()))
+
+    def test_not_overdue_iteration_opened_today(self):
+        """grace_period=1 day: iteration opened today at any time is NOT overdue."""
+        _, rule, iteration = self._create_rule_and_iteration(grace_period="days=1")
+        fixed_now = dt.datetime(2025, 6, 15, 14, 30, 0, tzinfo=dt.UTC)
+        for opened_on in [
+            dt.datetime(2025, 6, 15, 0, 0, 0, tzinfo=dt.UTC),
+            dt.datetime(2025, 6, 15, 14, 30, 0, tzinfo=dt.UTC),
+            dt.datetime(2025, 6, 15, 23, 59, 59, 999999, tzinfo=dt.UTC),
+        ]:
+            with self.subTest(opened_on=opened_on):
+                LifecycleIteration.objects.filter(pk=iteration.pk).update(
+                    opened_on=opened_on, state=ReviewState.PENDING
+                )
+                with patch("django.utils.timezone.now", return_value=fixed_now):
+                    self.assertNotIn(iteration, list(rule._get_newly_overdue_iterations()))
+
+    def test_overdue_independent_of_task_execution_time(self):
+        """Overdue detection gives the same result whether the task runs at 00:00:01 or 23:59:59."""
+        _, rule, iteration = self._create_rule_and_iteration(grace_period="days=1")
+        opened_on = dt.datetime(2025, 6, 14, 18, 0, 0, tzinfo=dt.UTC)
+        LifecycleIteration.objects.filter(pk=iteration.pk).update(
+            opened_on=opened_on, state=ReviewState.PENDING
+        )
+        for task_time in [
+            dt.datetime(2025, 6, 15, 0, 0, 1, tzinfo=dt.UTC),
+            dt.datetime(2025, 6, 15, 12, 0, 0, tzinfo=dt.UTC),
+            dt.datetime(2025, 6, 15, 23, 59, 59, tzinfo=dt.UTC),
+        ]:
+            with self.subTest(task_time=task_time):
+                with patch("django.utils.timezone.now", return_value=task_time):
+                    self.assertIn(iteration, list(rule._get_newly_overdue_iterations()))
+
+    def test_overdue_boundary_multi_day_grace_period(self):
+        """grace_period=30 days: overdue after 30 full days, not after 29."""
+        _, rule, iteration = self._create_rule_and_iteration(grace_period="days=30")
+        fixed_now = dt.datetime(2025, 6, 15, 14, 30, 0, tzinfo=dt.UTC)
+
+        # Opened 30 days ago (May 16), should go overdue
+        LifecycleIteration.objects.filter(pk=iteration.pk).update(
+            opened_on=dt.datetime(2025, 5, 16, 12, 0, 0, tzinfo=dt.UTC),
+            state=ReviewState.PENDING,
+        )
+        with patch("django.utils.timezone.now", return_value=fixed_now):
+            self.assertIn(iteration, list(rule._get_newly_overdue_iterations()))
+
+        # Opened 29 days ago (May 17), should NOT go overdue
+        LifecycleIteration.objects.filter(pk=iteration.pk).update(
+            opened_on=dt.datetime(2025, 5, 17, 12, 0, 0, tzinfo=dt.UTC),
+            state=ReviewState.PENDING,
+        )
+        with patch("django.utils.timezone.now", return_value=fixed_now):
+            self.assertNotIn(iteration, list(rule._get_newly_overdue_iterations()))
+
+    def test_due_object_iteration_opened_yesterday(self):
+        """interval=1 day: object with iteration opened yesterday is due for a new review."""
+        app, rule, iteration = self._create_rule_and_iteration(interval="days=1")
+        fixed_now = dt.datetime(2025, 6, 15, 14, 30, 0, tzinfo=dt.UTC)
+        for opened_on in [
+            dt.datetime(2025, 6, 14, 0, 0, 0, tzinfo=dt.UTC),
+            dt.datetime(2025, 6, 14, 12, 0, 0, tzinfo=dt.UTC),
+            dt.datetime(2025, 6, 14, 23, 59, 59, 999999, tzinfo=dt.UTC),
+        ]:
+            with self.subTest(opened_on=opened_on):
+                LifecycleIteration.objects.filter(pk=iteration.pk).update(opened_on=opened_on)
+                with patch("django.utils.timezone.now", return_value=fixed_now):
+                    self.assertIn(app, list(rule._get_newly_due_objects()))
+
+    def test_not_due_object_iteration_opened_today(self):
+        """interval=1 day: object with iteration opened today is NOT due."""
+        app, rule, iteration = self._create_rule_and_iteration(interval="days=1")
+        fixed_now = dt.datetime(2025, 6, 15, 14, 30, 0, tzinfo=dt.UTC)
+        for opened_on in [
+            dt.datetime(2025, 6, 15, 0, 0, 0, tzinfo=dt.UTC),
+            dt.datetime(2025, 6, 15, 14, 30, 0, tzinfo=dt.UTC),
+            dt.datetime(2025, 6, 15, 23, 59, 59, 999999, tzinfo=dt.UTC),
+        ]:
+            with self.subTest(opened_on=opened_on):
+                LifecycleIteration.objects.filter(pk=iteration.pk).update(opened_on=opened_on)
+                with patch("django.utils.timezone.now", return_value=fixed_now):
+                    self.assertNotIn(app, list(rule._get_newly_due_objects()))
+
+    def test_due_independent_of_task_execution_time(self):
+        """Due detection gives the same result whether the task runs at 00:00:01 or 23:59:59."""
+        app, rule, iteration = self._create_rule_and_iteration(interval="days=1")
+        opened_on = dt.datetime(2025, 6, 14, 18, 0, 0, tzinfo=dt.UTC)
+        LifecycleIteration.objects.filter(pk=iteration.pk).update(opened_on=opened_on)
+        for task_time in [
+            dt.datetime(2025, 6, 15, 0, 0, 1, tzinfo=dt.UTC),
+            dt.datetime(2025, 6, 15, 12, 0, 0, tzinfo=dt.UTC),
+            dt.datetime(2025, 6, 15, 23, 59, 59, tzinfo=dt.UTC),
+        ]:
+            with self.subTest(task_time=task_time):
+                with patch("django.utils.timezone.now", return_value=task_time):
+                    self.assertIn(app, list(rule._get_newly_due_objects()))
+
+    def test_due_boundary_multi_day_interval(self):
+        """interval=30 days: due after 30 full days, not after 29."""
+        app, rule, iteration = self._create_rule_and_iteration(interval="days=30")
+        fixed_now = dt.datetime(2025, 6, 15, 14, 30, 0, tzinfo=dt.UTC)
+
+        # Previous review opened 30 days ago (May 16), review is due for the object
+        LifecycleIteration.objects.filter(pk=iteration.pk).update(
+            opened_on=dt.datetime(2025, 5, 16, 12, 0, 0, tzinfo=dt.UTC)
+        )
+        with patch("django.utils.timezone.now", return_value=fixed_now):
+            self.assertIn(app, list(rule._get_newly_due_objects()))
+
+        # Previous review opened 29 days ago (May 17), new review is NOT due
+        LifecycleIteration.objects.filter(pk=iteration.pk).update(
+            opened_on=dt.datetime(2025, 5, 17, 12, 0, 0, tzinfo=dt.UTC)
+        )
+        with patch("django.utils.timezone.now", return_value=fixed_now):
+            self.assertNotIn(app, list(rule._get_newly_due_objects()))
+
+    def test_apply_overdue_at_boundary(self):
+        """apply() marks iteration overdue when grace period just expired,
+        regardless of what time the daily task runs."""
+        _, rule, iteration = self._create_rule_and_iteration(
+            grace_period="days=1", interval="days=365"
+        )
+        opened_on = dt.datetime(2025, 6, 14, 20, 0, 0, tzinfo=dt.UTC)
+        for task_time in [
+            dt.datetime(2025, 6, 15, 0, 0, 1, tzinfo=dt.UTC),
+            dt.datetime(2025, 6, 15, 23, 59, 59, tzinfo=dt.UTC),
+        ]:
+            with self.subTest(task_time=task_time):
+                LifecycleIteration.objects.filter(pk=iteration.pk).update(
+                    opened_on=opened_on, state=ReviewState.PENDING
+                )
+                with patch("django.utils.timezone.now", return_value=task_time):
+                    rule.apply()
+                iteration.refresh_from_db()
+                self.assertEqual(iteration.state, ReviewState.OVERDUE)

authentik/enterprise/lifecycle/utils.py

@@ -1,3 +1,4 @@
+from datetime import datetime
 from urllib import parse
 
 from django.contrib.contenttypes.models import ContentType
@@ -39,6 +40,10 @@ def link_for_model(model: Model) -> str:
     return f"{reverse("authentik_core:if-admin")}#{admin_link_for_model(model)}"
 
 
+def start_of_day(dt: datetime) -> datetime:
+    return dt.replace(hour=0, minute=0, second=0, microsecond=0)
+
+
 class ContentTypeField(ChoiceField):
     def __init__(self, **kwargs):
         super().__init__(choices=model_choices(), **kwargs)

authentik/enterprise/providers/google_workspace/tests/test_groups.py

@@ -331,7 +331,7 @@ class GoogleWorkspaceGroupTests(TestCase):
                 ).exists()
             )
             self.assertFalse(Event.objects.filter(action=EventAction.SYSTEM_EXCEPTION).exists())
-            self.assertEqual(len(http.requests()), 5)
+            self.assertEqual(len(http.requests()), 7)
 
     def test_sync_discover_multiple(self):
         """Test group discovery"""
@@ -372,7 +372,7 @@ class GoogleWorkspaceGroupTests(TestCase):
                 ).exists()
             )
             self.assertFalse(Event.objects.filter(action=EventAction.SYSTEM_EXCEPTION).exists())
-            self.assertEqual(len(http.requests()), 5)
+            self.assertEqual(len(http.requests()), 7)
             # Change response to trigger update
             http.add_response(
                 f"https://admin.googleapis.com/admin/directory/v1/groups?customer=my_customer&maxResults=500&orderBy=email&key={self.api_key}&alt=json",

authentik/enterprise/providers/google_workspace/tests/test_users.py

@@ -309,7 +309,7 @@ class GoogleWorkspaceUserTests(TestCase):
                 ).exists()
             )
             self.assertFalse(Event.objects.filter(action=EventAction.SYSTEM_EXCEPTION).exists())
-            self.assertEqual(len(http.requests()), 5)
+            self.assertEqual(len(http.requests()), 7)
 
     def test_sync_discover_multiple(self):
         """Test user discovery, running multiple times"""
@@ -352,7 +352,7 @@ class GoogleWorkspaceUserTests(TestCase):
                 ).exists()
             )
             self.assertFalse(Event.objects.filter(action=EventAction.SYSTEM_EXCEPTION).exists())
-            self.assertEqual(len(http.requests()), 5)
+            self.assertEqual(len(http.requests()), 7)
             # Change response, which will trigger a discovery update
             http.add_response(
                 f"https://admin.googleapis.com/admin/directory/v1/users?customer=my_customer&maxResults=500&orderBy=email&key={self.api_key}&alt=json",

authentik/enterprise/providers/microsoft_entra/clients/users.py

@@ -78,7 +78,8 @@ class MicrosoftEntraUserClient(MicrosoftEntraSyncClient[User, MicrosoftEntraProv
     def create(self, user: User):
         """Create user from scratch and create a connection object"""
         microsoft_user = self.to_schema(user, None)
-        self.check_email_valid(microsoft_user.user_principal_name)
+        if microsoft_user.user_principal_name:
+            self.check_email_valid(microsoft_user.user_principal_name)
         with transaction.atomic():
             try:
                 response = self._request(self.client.users.post(microsoft_user))
@@ -118,7 +119,8 @@ class MicrosoftEntraUserClient(MicrosoftEntraSyncClient[User, MicrosoftEntraProv
     def update(self, user: User, connection: MicrosoftEntraProviderUser):
         """Update existing user"""
         microsoft_user = self.to_schema(user, connection)
-        self.check_email_valid(microsoft_user.user_principal_name)
+        if microsoft_user.user_principal_name:
+            self.check_email_valid(microsoft_user.user_principal_name)
         response = self._request(
             self.client.users.by_user_id(connection.microsoft_id).patch(microsoft_user)
         )

authentik/enterprise/providers/ssf/tasks.py

@@ -8,6 +8,7 @@ from dramatiq.actor import actor
 from requests.exceptions import RequestException
 from structlog.stdlib import get_logger
 
+from authentik.core.apps import AppAccessWithoutBindings
 from authentik.core.models import User
 from authentik.enterprise.providers.ssf.models import (
     DeliveryMethods,
@@ -68,6 +69,7 @@ def _check_app_access(stream: Stream, event_data: dict) -> bool:
     if not user:
         return True
     engine = PolicyEngine(stream.provider.backchannel_application, user)
+    engine.empty_result = AppAccessWithoutBindings.get()
     engine.use_cache = False
     engine.build()
     return engine.passing

authentik/enterprise/providers/ws_federation/api/providers.py

@@ -5,6 +5,7 @@ from django.urls import reverse
 from rest_framework.fields import CharField, SerializerMethodField, URLField
 
 from authentik.core.api.providers import ProviderSerializer
+from authentik.core.models import Provider
 from authentik.enterprise.api import EnterpriseRequiredMixin
 from authentik.enterprise.providers.ws_federation.models import WSFederationProvider
 from authentik.enterprise.providers.ws_federation.processors.metadata import MetadataProcessor
@@ -18,6 +19,29 @@ class WSFederationProviderSerializer(EnterpriseRequiredMixin, SAMLProviderSerial
     wtrealm = CharField(source="audience")
     url_wsfed = SerializerMethodField()
 
+    def get_url_download_metadata(self, instance: WSFederationProvider) -> str:
+        """Get metadata download URL"""
+        if "request" not in self._context:
+            return ""
+        request: HttpRequest = self._context["request"]._request
+        try:
+            return request.build_absolute_uri(
+                reverse(
+                    "authentik_providers_ws_federation:metadata-download",
+                    kwargs={"application_slug": instance.application.slug},
+                )
+            )
+        except Provider.application.RelatedObjectDoesNotExist:
+            return request.build_absolute_uri(
+                reverse(
+                    "authentik_api:wsfederationprovider-metadata",
+                    kwargs={
+                        "pk": instance.pk,
+                    },
+                )
+                + "?download"
+            )
+
     def get_url_wsfed(self, instance: WSFederationProvider) -> str:
         """Get WS-Fed url"""
         if "request" not in self._context:

authentik/enterprise/providers/ws_federation/processors/sign_in.py

@@ -81,6 +81,8 @@ class SignInProcessor:
         self.sign_in_request = sign_in_request
         self.saml_processor = AssertionProcessor(self.provider, self.request, AuthNRequest())
         self.saml_processor.provider.audience = self.sign_in_request.wtrealm
+        if self.provider.signing_kp:
+            self.saml_processor.provider.sign_assertion = True
 
     def create_response_token(self):
         root = Element(f"{{{NS_WS_FED_TRUST}}}RequestSecurityTokenResponse", nsmap=NS_MAP)
@@ -148,7 +150,8 @@ class SignInProcessor:
     def response(self) -> dict[str, str]:
         root = self.create_response_token()
         assertion = root.xpath("//saml:Assertion", namespaces=NS_MAP)[0]
-        self.saml_processor._sign(assertion)
+        if self.provider.signing_kp:
+            self.saml_processor._sign(assertion)
         str_token = etree.tostring(root).decode("utf-8")  # nosec
         return delete_none_values(
             {

authentik/enterprise/providers/ws_federation/urls.py

@@ -3,7 +3,7 @@
 from django.urls import path
 
 from authentik.enterprise.providers.ws_federation.api.providers import WSFederationProviderViewSet
-from authentik.enterprise.providers.ws_federation.views import WSFedEntryView
+from authentik.enterprise.providers.ws_federation.views import MetadataDownload, WSFedEntryView
 
 urlpatterns = [
     path(
@@ -11,6 +11,12 @@ urlpatterns = [
         WSFedEntryView.as_view(),
         name="wsfed",
     ),
+    # Metadata
+    path(
+        "<slug:application_slug>/metadata/",
+        MetadataDownload.as_view(),
+        name="metadata-download",
+    ),
 ]
 
 api_urlpatterns = [

authentik/enterprise/providers/ws_federation/views.py

@@ -1,6 +1,8 @@
 from django.http import Http404, HttpRequest, HttpResponse
-from django.shortcuts import get_object_or_404
+from django.shortcuts import get_object_or_404, redirect
+from django.urls import reverse
 from django.utils.translation import gettext as _
+from django.views import View
 from structlog.stdlib import get_logger
 
 from authentik.core.models import Application, AuthenticatedSession
@@ -160,3 +162,24 @@ class WSFedFlowFinalView(ChallengeStageView):
                 "attrs": response,
             },
         )
+
+
+class MetadataDownload(View):
+    """Redirect to metadata download"""
+
+    def dispatch(self, request: HttpRequest, application_slug: str) -> HttpResponse:
+        app = Application.objects.filter(slug=application_slug).with_provider().first()
+        if not app:
+            raise Http404
+        provider = app.get_provider()
+        if not provider:
+            raise Http404
+        return redirect(
+            reverse(
+                "authentik_api:wsfederationprovider-metadata",
+                kwargs={
+                    "pk": provider.pk,
+                },
+            )
+            + "?download"
+        )

authentik/enterprise/settings.py

@@ -4,6 +4,7 @@ TENANT_APPS = [
     "authentik.enterprise.audit",
     "authentik.enterprise.endpoints.connectors.agent",
     "authentik.enterprise.endpoints.connectors.fleet",
+    "authentik.enterprise.endpoints.connectors.google_chrome",
     "authentik.enterprise.lifecycle",
     "authentik.enterprise.policies.unique_password",
     "authentik.enterprise.providers.google_workspace",

authentik/enterprise/stages/authenticator_endpoint_gdtc/views/dtc.py

@@ -9,6 +9,11 @@ from django.views import View
 from django.views.decorators.clickjacking import xframe_options_sameorigin
 from googleapiclient.discovery import build
 
+from authentik.enterprise.endpoints.connectors.google_chrome.controller import (
+    HEADER_ACCESS_CHALLENGE,
+    HEADER_ACCESS_CHALLENGE_RESPONSE,
+    HEADER_DEVICE_TRUST,
+)
 from authentik.enterprise.stages.authenticator_endpoint_gdtc.models import (
     AuthenticatorEndpointGDTCStage,
     EndpointDevice,
@@ -19,15 +24,6 @@ from authentik.flows.views.executor import SESSION_KEY_PLAN
 from authentik.stages.password.stage import PLAN_CONTEXT_METHOD, PLAN_CONTEXT_METHOD_ARGS
 from authentik.stages.user_login.stage import PLAN_CONTEXT_METHOD_ARGS_KNOWN_DEVICE
 
-# Header we get from chrome that initiates verified access
-HEADER_DEVICE_TRUST = "X-Device-Trust"
-# Header we send to the client with the challenge
-HEADER_ACCESS_CHALLENGE = "X-Verified-Access-Challenge"
-# Header we get back from the client that we verify with google
-HEADER_ACCESS_CHALLENGE_RESPONSE = "X-Verified-Access-Challenge-Response"
-# Header value for x-device-trust that initiates the flow
-DEVICE_TRUST_VERIFIED_ACCESS = "VerifiedAccess"
-
 PLAN_CONTEXT_METHOD_ARGS_ENDPOINTS = "endpoints"
 
 
@@ -94,4 +90,4 @@ class GoogleChromeDeviceTrustConnector(View):
                 PLAN_CONTEXT_METHOD_ARGS_KNOWN_DEVICE, True
             )
             request.session[SESSION_KEY_PLAN] = flow_plan
-        return TemplateResponse(request, "stages/authenticator_endpoint/google_chrome_dtc.html")
+        return TemplateResponse(request, "flows/frame-submit.html")

authentik/events/api/notification_transports.py

@@ -63,6 +63,7 @@ class NotificationTransportSerializer(ModelSerializer):
             "mode",
             "mode_verbose",
             "webhook_url",
+            "webhook_ca",
             "webhook_mapping_body",
             "webhook_mapping_headers",
             "email_subject_prefix",