fix some issues?

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

.github/actions/docker-push-variables/push_vars.py

@@ -2,16 +2,28 @@
 
 import os
 from json import dumps
+from sys import exit as sysexit
 from time import time
 
 from authentik import authentik_version
 
+
+def must_or_fail(input: str | None, error: str) -> str:
+    if not input:
+        print(f"::error::{error}")
+        sysexit(1)
+    return input
+
+
 # Decide if we should push the image or not
 should_push = True
 if len(os.environ.get("DOCKER_USERNAME", "")) < 1:
     # Don't push if we don't have DOCKER_USERNAME, i.e. no secrets are available
     should_push = False
-if os.environ.get("GITHUB_REPOSITORY").lower() == "goauthentik/authentik-internal":
+if (
+    must_or_fail(os.environ.get("GITHUB_REPOSITORY"), "Repo required").lower()
+    == "goauthentik/authentik-internal"
+):
     # Don't push on the internal repo
     should_push = False
 
@@ -20,13 +32,16 @@ if os.environ.get("GITHUB_HEAD_REF", "") != "":
     branch_name = os.environ["GITHUB_HEAD_REF"]
 safe_branch_name = branch_name.replace("refs/heads/", "").replace("/", "-").replace("'", "-")
 
-image_names = os.getenv("IMAGE_NAME").split(",")
+image_names = must_or_fail(os.getenv("IMAGE_NAME"), "Image name required").split(",")
 image_arch = os.getenv("IMAGE_ARCH") or None
 
 is_pull_request = bool(os.getenv("PR_HEAD_SHA"))
 is_release = "dev" not in image_names[0]
 
-sha = os.environ["GITHUB_SHA"] if not is_pull_request else os.getenv("PR_HEAD_SHA")
+sha = must_or_fail(
+    os.environ["GITHUB_SHA"] if not is_pull_request else os.getenv("PR_HEAD_SHA"),
+    "could not determine SHA",
+)
 
 # 2042.1.0 or 2042.1.0-rc1
 version = authentik_version()
@@ -58,7 +73,7 @@ else:
 image_main_tag = image_tags[0].split(":")[-1]
 
 
-def get_attest_image_names(image_with_tags: list[str]):
+def get_attest_image_names(image_with_tags: list[str]) -> str:
     """Attestation only for GHCR"""
     image_tags = []
     for image_name in set(name.split(":")[0] for name in image_with_tags):
@@ -82,7 +97,6 @@ if os.getenv("RELEASE", "false").lower() == "true":
     image_build_args = [f"VERSION={os.getenv('REF')}"]
 else:
     image_build_args = [f"GIT_BUILD_HASH={sha}"]
-image_build_args = "\n".join(image_build_args)
 
 with open(os.environ["GITHUB_OUTPUT"], "a+", encoding="utf-8") as _output:
     print(f"shouldPush={str(should_push).lower()}", file=_output)
@@ -95,4 +109,4 @@ with open(os.environ["GITHUB_OUTPUT"], "a+", encoding="utf-8") as _output:
     print(f"imageMainTag={image_main_tag}", file=_output)
     print(f"imageMainName={image_tags[0]}", file=_output)
     print(f"cacheTo={cache_to}", file=_output)
-    print(f"imageBuildArgs={image_build_args}", file=_output)
+    print(f"imageBuildArgs={"\n".join(image_build_args)}", file=_output)

.github/actions/setup/action.yml

@@ -8,6 +8,9 @@ inputs:
   postgresql_version:
     description: "Optional postgresql image tag"
     default: "16"
+  profiles:
+    description: "Extra profiles of supporting services to start"
+    default: ""
 
 runs:
   using: "composite"
@@ -55,21 +58,13 @@ runs:
       shell: bash
       run: |
         export PSQL_TAG=${{ inputs.postgresql_version }}
+        export COMPOSE_PROFILES=${{ inputs.profiles }}
         docker compose -f .github/actions/setup/docker-compose.yml up -d
         cd web && npm ci
     - name: Generate config
       if: ${{ contains(inputs.dependencies, 'python') }}
-      shell: uv run python {0}
+      shell: bash
+      env:
+        PROFILES: ${{ inputs.profiles }}
       run: |
-        from authentik.lib.generators import generate_id
-        from yaml import safe_dump
-
-        with open("local.env.yml", "w") as _config:
-            safe_dump(
-                {
-                    "log_level": "debug",
-                    "secret_key": generate_id(),
-                },
-                _config,
-                default_flow_style=False,
-            )
+        uv run python3 ${{ github.action_path }}/ci_config.py

.github/actions/setup/ci_config.py

@@ -0,0 +1,18 @@
+from os import getenv
+from typing import Any
+
+from yaml import safe_dump
+
+from authentik.lib.generators import generate_id
+
+config: dict[str, Any] = {
+    "log_level": "debug",
+    "secret_key": generate_id(),
+}
+
+profiles = getenv("PROFILES")
+if profiles and "postgres_replica" in profiles:
+    config["postgresql"] = {"read_replicas": {"0": {"host": "localhost", "port": 5433}}}
+
+with open("local.env.yml", "w") as _config:
+    safe_dump(config, _config, default_flow_style=False)

.github/actions/setup/docker-compose.yml

@@ -1,8 +1,17 @@
 services:
-  postgresql:
+  redis:
+    image: docker.io/library/redis:7
+    ports:
+      - 6379:6379
+    restart: always
+
+  postgres:
     image: docker.io/library/postgres:${PSQL_TAG:-16}
     volumes:
       - db-data:/var/lib/postgresql/data
+      - ./primary/00-replication.sql:/docker-entrypoint-initdb.d/00-replication.sql
+      - ./primary/01-replication-hba.sh:/docker-entrypoint-initdb.d/01-replication-hba.sh
+    command: postgres -c 'wal_level=replica' -c 'max_wal_senders=10' -c 'max_replication_slots=10' -c 'listen_addresses=*'
     environment:
       POSTGRES_USER: authentik
       POSTGRES_PASSWORD: "EK-5jnKfjrGRm<77"
@@ -10,12 +19,34 @@ services:
     ports:
       - 5432:5432
     restart: always
-  redis:
-    image: docker.io/library/redis:7
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U $${POSTGRES_USER}"]
+      interval: 5s
+      timeout: 5s
+      retries: 5
+
+  postgres_replica:
+    profiles:
+      - postgres_replica
+    image: docker.io/library/postgres:${PSQL_TAG:-16}
+    environment:
+      POSTGRES_USER: authentik
+      POSTGRES_PASSWORD: "EK-5jnKfjrGRm<77"
+      POSTGRES_DB: authentik
     ports:
-      - 6379:6379
-    restart: always
+      - "5433:5432"
+    volumes:
+      - db-data-replica:/var/lib/postgresql/data
+      - ./replica:/replica
+    command: /replica/start.sh
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U $${POSTGRES_USER}"]
+      interval: 5s
+      timeout: 5s
+      retries: 5
 
 volumes:
   db-data:
     driver: local
+  db-data-replica:
+    driver: local

.github/actions/setup/primary/00-replication.sql

@@ -0,0 +1,9 @@
+-- Create replication role if it doesn't exist
+DO $$ BEGIN
+    IF NOT EXISTS (SELECT FROM pg_catalog.pg_roles WHERE rolname = 'replica') THEN
+        CREATE ROLE replica WITH REPLICATION LOGIN PASSWORD 'EK-5jnKfjrGRm<77';
+    END IF;
+END $$;
+
+-- Create replication slot if it doesn't exist
+SELECT pg_create_physical_replication_slot('replica_slot', true);

.github/actions/setup/primary/01-replication-hba.sh

@@ -0,0 +1,3 @@
+#!/bin/bash
+set -euxo pipefail
+echo "host replication all all scram-sha-256" >> /var/lib/postgresql/data/pg_hba.conf

.github/actions/setup/replica/start.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+set -euxo pipefail
+echo 'Waiting for primary to be ready...'
+while ! pg_isready -h postgres -p 5432 -U replica; do sleep 1; done;
+echo 'Primary is ready, starting replica...'
+rm -rf /var/lib/postgresql/data/* 2>/dev/null || true
+PGPASSWORD=${POSTGRES_PASSWORD} pg_basebackup -h postgres -U replica -D /var/lib/postgresql/data -Fp -Xs -R -P
+echo 'Replication setup complete, starting PostgreSQL...'
+docker-entrypoint.sh postgres

.github/workflows/ci-main.yml

@@ -34,6 +34,7 @@ jobs:
           - codespell
           - pending-migrations
           - ruff
+          - mypy
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v5
@@ -66,7 +67,6 @@ jobs:
       fail-fast: false
       matrix:
         psql:
-          - 15-alpine
           - 16-alpine
           - 17-alpine
         run_id: [1, 2, 3, 4, 5]
@@ -113,7 +113,7 @@ jobs:
         run: |
           uv run make ci-test
   test-unittest:
-    name: test-unittest - PostgreSQL ${{ matrix.psql }} - Run ${{ matrix.run_id }}/5
+    name: test-unittest - PostgreSQL ${{ matrix.psql }} (${{ matrix.profiles }}) - Run ${{ matrix.run_id }}/5
     runs-on: ubuntu-latest
     timeout-minutes: 20
     needs: test-make-seed
@@ -121,9 +121,11 @@ jobs:
       fail-fast: false
       matrix:
         psql:
-          - 15-alpine
           - 16-alpine
           - 17-alpine
+        profiles:
+          - ""
+          - postgres_replica
         run_id: [1, 2, 3, 4, 5]
     steps:
       - uses: actions/checkout@v5
@@ -131,6 +133,7 @@ jobs:
         uses: ./.github/actions/setup
         with:
           postgresql_version: ${{ matrix.psql }}
+          profiles: ${{ matrix.profiles }}
       - name: run unittest
         env:
           CI_TEST_SEED: ${{ needs.test-make-seed.outputs.seed }}

.github/workflows/packages-npm-publish.yml

@@ -35,7 +35,7 @@ jobs:
           registry-url: "https://registry.npmjs.org"
       - name: Get changed files
         id: changed-files
-        uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c
+        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62
         with:
           files: |
             ${{ matrix.package }}/package.json

.vscode/settings.json

@@ -1,4 +1,16 @@
 {
+    "[css]": {
+        "editor.minimap.markSectionHeaderRegex": "#\\bregion\\s*(?<separator>-?)\\s*(?<label>.*)\\*/$"
+    },
+    "[makefile]": {
+        "editor.minimap.markSectionHeaderRegex": "^#{25}\n##\\s\\s*(?<separator>-?)\\s*(?<label>[^\n]*)\n#{25}$"
+    },
+    "[dockerfile]": {
+        "editor.minimap.markSectionHeaderRegex": "\\bStage\\s*\\d:(?<separator>-?)\\s*(?<label>.*)$"
+    },
+    "[jsonc]": {
+        "editor.minimap.markSectionHeaderRegex": "#\\bregion\\s*(?<separator>-?)\\s*(?<label>.*)$"
+    },
     "todo-tree.tree.showCountsInTree": true,
     "todo-tree.tree.showBadges": true,
     "yaml.customTags": [

Dockerfile

@@ -76,7 +76,7 @@ RUN --mount=type=secret,id=GEOIPUPDATE_ACCOUNT_ID \
     /bin/sh -c "GEOIPUPDATE_LICENSE_KEY_FILE=/run/secrets/GEOIPUPDATE_LICENSE_KEY /usr/bin/entry.sh || echo 'Failed to get GeoIP database, disabling'; exit 0"
 
 # Stage 4: Download uv
-FROM ghcr.io/astral-sh/uv:0.8.15 AS uv
+FROM ghcr.io/astral-sh/uv:0.8.22 AS uv
 # Stage 5: Base python image
 FROM ghcr.io/goauthentik/fips-python:3.13.7-slim-trixie-fips AS python-base
 

Makefile

@@ -193,6 +193,7 @@ gen-client-ts: gen-clean-ts  ## Build and install the authentik API for Typescri
 		--git-repo-id authentik \
 		--git-user-id goauthentik
 
+	cd ${PWD}/${GEN_API_TS} && npm i
 	cd ${PWD}/${GEN_API_TS} && npm link
 	cd ${PWD}/web && npm link @goauthentik/api
 
@@ -238,34 +239,30 @@ node-install:  ## Install the necessary libraries to build Node.js packages
 #########################
 
 web-build: node-install  ## Build the Authentik UI
-	cd web && npm run build
+	npm run --prefix web build
 
 web: web-lint-fix web-lint web-check-compile  ## Automatically fix formatting issues in the Authentik UI source code, lint the code, and compile it
 
 web-test: ## Run tests for the Authentik UI
-	cd web && npm run test
+	npm run --prefix web test
 
 web-watch:  ## Build and watch the Authentik UI for changes, updating automatically
-	rm -rf web/dist/
-	mkdir web/dist/
-	touch web/dist/.gitkeep
-	cd web && npm run watch
-
+	npm run --prefix web watch
 web-storybook-watch:  ## Build and run the storybook documentation server
-	cd web && npm run storybook
+	npm run --prefix web storybook
 
 web-lint-fix:
-	cd web && npm run prettier
+	npm run --prefix web prettier
 
 web-lint:
-	cd web && npm run lint
-	cd web && npm run lit-analyse
+	npm run --prefix web lint
+	npm run --prefix web lit-analyse
 
 web-check-compile:
-	cd web && npm run tsc
+	npm run --prefix web tsc
 
 web-i18n-extract:
-	cd web && npm run extract-locales
+	npm run --prefix web extract-locales
 
 #########################
 ## Docs
@@ -277,31 +274,31 @@ docs-install:
 	npm ci --prefix website
 
 docs-lint-fix: lint-codespell
-	npm run prettier --prefix website
+	npm run --prefix website prettier
 
 docs-build:
-	npm run build --prefix website
+	npm run --prefix website build
 
 docs-watch:  ## Build and watch the topics documentation
-	npm run start --prefix website
+	npm run --prefix website start
 
 integrations: docs-lint-fix integrations-build ## Fix formatting issues in the integrations source code, lint the code, and compile it
 
 integrations-build:
-	npm run build --prefix website -w integrations
+	npm run --prefix website -w integrations build
 
 integrations-watch:  ## Build and watch the Integrations documentation
-	npm run start --prefix website -w integrations
+	npm run --prefix website -w integrations start
 
 docs-api-build:
-	npm run build --prefix website -w api
+	npm run --prefix website -w api build
 
 docs-api-watch:  ## Build and watch the API documentation
-	npm run build:api --prefix website -w api
-	npm run start --prefix website -w api
+	npm run --prefix website -w api build:api
+	npm run --prefix website -w api start
 
 docs-api-clean: ## Clean generated API documentation
-	npm run build:api:clean --prefix website -w api
+	npm run --prefix website -w api build:api:clean
 
 #########################
 ## Docker
@@ -324,6 +321,9 @@ ci--meta-debug:
 	python -V
 	node --version
 
+ci-mypy: ci--meta-debug
+	uv run mypy --strict $(PY_SOURCES)
+
 ci-black: ci--meta-debug
 	uv run black --check $(PY_SOURCES)
 

README.md

@@ -9,7 +9,6 @@
 [![GitHub Workflow Status](https://img.shields.io/github/actions/workflow/status/goauthentik/authentik/ci-outpost.yml?branch=main&label=outpost%20build&style=for-the-badge)](https://github.com/goauthentik/authentik/actions/workflows/ci-outpost.yml)
 [![GitHub Workflow Status](https://img.shields.io/github/actions/workflow/status/goauthentik/authentik/ci-web.yml?branch=main&label=web%20build&style=for-the-badge)](https://github.com/goauthentik/authentik/actions/workflows/ci-web.yml)
 [![Code Coverage](https://img.shields.io/codecov/c/gh/goauthentik/authentik?style=for-the-badge)](https://codecov.io/gh/goauthentik/authentik)
-![Docker pulls](https://img.shields.io/docker/pulls/authentik/server.svg?style=for-the-badge)
 ![Latest version](https://img.shields.io/docker/v/authentik/server?sort=semver&style=for-the-badge)
 [![](https://img.shields.io/badge/Help%20translate-transifex-blue?style=for-the-badge)](https://www.transifex.com/authentik/authentik/)
 

authentik/api/schema.py

@@ -104,6 +104,68 @@ def postprocess_schema_responses(result, generator: SchemaGenerator, **kwargs):
     return result
 
 
+def postprocess_schema_pagination(result, generator: SchemaGenerator, **kwargs):
+    to_replace = {
+        "ordering": create_component(
+            generator,
+            "QueryPaginationOrdering",
+            {
+                "name": "ordering",
+                "required": False,
+                "in": "query",
+                "description": "Which field to use when ordering the results.",
+                "schema": {"type": "string"},
+            },
+            ResolvedComponent.PARAMETER,
+        ),
+        "page": create_component(
+            generator,
+            "QueryPaginationPage",
+            {
+                "name": "page",
+                "required": False,
+                "in": "query",
+                "description": "A page number within the paginated result set.",
+                "schema": {"type": "integer"},
+            },
+            ResolvedComponent.PARAMETER,
+        ),
+        "page_size": create_component(
+            generator,
+            "QueryPaginationPageSize",
+            {
+                "name": "page_size",
+                "required": False,
+                "in": "query",
+                "description": "Number of results to return per page.",
+                "schema": {"type": "integer"},
+            },
+            ResolvedComponent.PARAMETER,
+        ),
+        "search": create_component(
+            generator,
+            "QuerySearch",
+            {
+                "name": "search",
+                "required": False,
+                "in": "query",
+                "description": "A search term.",
+                "schema": {"type": "string"},
+            },
+            ResolvedComponent.PARAMETER,
+        ),
+    }
+    for path in result["paths"].values():
+        for method in path.values():
+            # print(method["parameters"])
+            for idx, param in enumerate(method.get("parameters", [])):
+                for replace_name, replace_ref in to_replace.items():
+                    if param["name"] == replace_name:
+                        method["parameters"][idx] = replace_ref.ref
+            # print(method["parameters"])
+    return result
+
+
 def preprocess_schema_exclude_non_api(endpoints, **kwargs):
     """Filter out all API Views which are not mounted under /api"""
     return [

authentik/blueprints/v1/importer.py

@@ -76,6 +76,7 @@ from authentik.providers.scim.models import SCIMProviderGroup, SCIMProviderUser
 from authentik.rbac.models import Role
 from authentik.sources.scim.models import SCIMSourceGroup, SCIMSourceUser
 from authentik.stages.authenticator_webauthn.models import WebAuthnDeviceType
+from authentik.stages.consent.models import UserConsent
 from authentik.tasks.models import Task
 from authentik.tenants.models import Tenant
 
@@ -135,6 +136,7 @@ def excluded_models() -> list[type[Model]]:
         EndpointDeviceConnection,
         DeviceToken,
         StreamEvent,
+        UserConsent,
     )
 
 

authentik/brands/models.py

@@ -113,7 +113,7 @@ class Brand(SerializerModel):
         try:
             return self.attributes.get("settings", {}).get("locale", "")
 
-        except Exception as exc:
+        except Exception as exc:  # noqa
             LOGGER.warning("Failed to get default locale", exc=exc)
             return ""
 

authentik/core/api/groups.py

@@ -295,7 +295,7 @@ class GroupViewSet(UsedByMixin, ModelViewSet):
     @extend_schema(
         request=UserAccountSerializer,
         responses={
-            204: OpenApiResponse(description="User added"),
+            204: OpenApiResponse(description="User removed"),
             404: OpenApiResponse(description="User not found"),
         },
     )
@@ -307,7 +307,7 @@ class GroupViewSet(UsedByMixin, ModelViewSet):
         permission_classes=[],
     )
     def remove_user(self, request: Request, pk: str) -> Response:
-        """Add user to group"""
+        """Remove user from group"""
         group: Group = self.get_object()
         user: User = (
             get_objects_for_user(request.user, "authentik_core.view_user")

authentik/core/api/property_mappings.py

@@ -171,7 +171,7 @@ class PropertyMappingViewSet(
         except PropertyMappingExpressionException as exc:
             response_data["result"] = exception_to_string(exc.exc)
             response_data["successful"] = False
-        except Exception as exc:
+        except Exception as exc:  # noqa
             response_data["result"] = exception_to_string(exc)
             response_data["successful"] = False
         response = PropertyMappingTestResultSerializer(response_data)

authentik/core/management/commands/dev_server.py

@@ -1,6 +1,6 @@
 """custom runserver command"""
 
-from typing import TextIO
+from io import StringIO
 
 from daphne.management.commands.runserver import Command as RunServer
 from daphne.server import Server
@@ -33,4 +33,4 @@ class Command(RunServer):
         super().__init__(*args, **kwargs)
         # Redirect standard stdout banner from Daphne into the void
         # as there are a couple more steps that happen before startup is fully done
-        self.stdout = TextIO()
+        self.stdout = StringIO()

authentik/core/management/commands/shell.py

@@ -99,7 +99,7 @@ class Command(BaseCommand):
         else:
             try:
                 hook()
-            except Exception:
+            except Exception:  # noqa
                 # Match the behavior of the cpython shell where an error in
                 # sys.__interactivehook__ prints a warning and the exception
                 # and continues.

authentik/core/models.py

@@ -114,15 +114,21 @@ class AttributesMixin(models.Model):
 
     def update_attributes(self, properties: dict[str, Any]):
         """Update fields and attributes, but correctly by merging dicts"""
+        needs_update = False
         for key, value in properties.items():
             if key == "attributes":
                 continue
-            setattr(self, key, value)
+            if getattr(self, key, None) != value:
+                setattr(self, key, value)
+                needs_update = True
         final_attributes = {}
         MERGE_LIST_UNIQUE.merge(final_attributes, self.attributes)
         MERGE_LIST_UNIQUE.merge(final_attributes, properties.get("attributes", {}))
-        self.attributes = final_attributes
-        self.save()
+        if self.attributes != final_attributes:
+            self.attributes = final_attributes
+            needs_update = True
+        if needs_update:
+            self.save()
 
     @classmethod
     def update_or_create_attributes(
@@ -400,7 +406,7 @@ class User(SerializerModel, GuardianUserMixin, AttributesMixin, AbstractUser):
         try:
             return self.attributes.get("settings", {}).get("locale", "")
 
-        except Exception as exc:
+        except Exception as exc:  # noqa
             LOGGER.warning("Failed to get default locale", exc=exc)
         if request:
             return request.brand.locale
@@ -581,7 +587,7 @@ class Application(SerializerModel, PolicyBindingModel):
             try:
                 return url % user.__dict__
 
-            except Exception as exc:
+            except Exception as exc:  # noqa
                 LOGGER.warning("Failed to format launch url", exc=exc)
                 return url
         return url
@@ -777,7 +783,7 @@ class Source(ManagedModel, SerializerModel, PolicyBindingModel):
                 "slug": self.slug,
             }
 
-        except Exception as exc:
+        except Exception as exc:  # noqa
             LOGGER.warning("Failed to template user path", exc=exc, source=self)
             return User.default_path()
 

authentik/core/signals.py

@@ -2,10 +2,9 @@
 
 from django.contrib.auth.signals import user_logged_in
 from django.core.cache import cache
-from django.core.signals import Signal
 from django.db.models import Model
 from django.db.models.signals import post_delete, post_save, pre_save
-from django.dispatch import receiver
+from django.dispatch import Signal, receiver
 from django.http.request import HttpRequest
 from structlog.stdlib import get_logger
 

authentik/core/tasks.py

@@ -14,6 +14,7 @@ from authentik.core.models import (
     ExpiringModel,
     User,
 )
+from authentik.lib.utils.db import chunked_queryset
 from authentik.tasks.models import Task
 
 LOGGER = get_logger()
@@ -28,7 +29,7 @@ def clean_expired_models():
             cls.objects.all().exclude(expiring=False).exclude(expiring=True, expires__gt=now())
         )
         amount = objects.count()
-        for obj in objects:
+        for obj in chunked_queryset(objects):
             obj.expire_action()
         LOGGER.debug("Expired models", model=cls, amount=amount)
         self.info(f"Expired {amount} {cls._meta.verbose_name_plural}")

authentik/enterprise/providers/radius/api.py

@@ -0,0 +1,14 @@
+from django.utils.translation import gettext as _
+from rest_framework.exceptions import ValidationError
+
+from authentik.crypto.models import CertificateKeyPair
+from authentik.enterprise.license import LicenseKey
+
+
+class RadiusProviderSerializerMixin:
+
+    def validate_certificate(self, cert: CertificateKeyPair) -> CertificateKeyPair:
+        if cert:
+            if not LicenseKey.cached_summary().status.is_valid:
+                raise ValidationError(_("Enterprise is required to use EAP-TLS."))
+        return cert

authentik/enterprise/providers/radius/apps.py

@@ -0,0 +1,9 @@
+from authentik.enterprise.apps import EnterpriseConfig
+
+
+class AuthentikEnterpriseProviderRadiusConfig(EnterpriseConfig):
+
+    name = "authentik.enterprise.providers.radius"
+    label = "authentik_enterprise_providers_radius"
+    verbose_name = "authentik Enterprise.Providers.Radius"
+    default = True

authentik/enterprise/providers/scim/api.py

@@ -0,0 +1,14 @@
+from django.utils.translation import gettext as _
+from rest_framework.exceptions import ValidationError
+
+from authentik.enterprise.license import LicenseKey
+from authentik.providers.scim.models import SCIMAuthenticationMode
+
+
+class SCIMProviderSerializerMixin:
+
+    def validate_auth_mode(self, auth_mode: SCIMAuthenticationMode) -> SCIMAuthenticationMode:
+        if auth_mode == SCIMAuthenticationMode.OAUTH:
+            if not LicenseKey.cached_summary().status.is_valid:
+                raise ValidationError(_("Enterprise is required to use the OAuth mode."))
+        return auth_mode

authentik/enterprise/providers/scim/apps.py

@@ -0,0 +1,9 @@
+from authentik.enterprise.apps import EnterpriseConfig
+
+
+class AuthentikEnterpriseProviderSCIMConfig(EnterpriseConfig):
+
+    name = "authentik.enterprise.providers.scim"
+    label = "authentik_enterprise_providers_scim"
+    verbose_name = "authentik Enterprise.Providers.SCIM"
+    default = True

authentik/enterprise/providers/scim/auth_oauth2.py

@@ -0,0 +1,80 @@
+from datetime import timedelta
+from typing import TYPE_CHECKING
+
+from django.utils.timezone import now
+from requests import Request, RequestException
+from structlog.stdlib import get_logger
+
+from authentik.providers.scim.clients.exceptions import SCIMRequestException
+from authentik.sources.oauth.clients.oauth2 import OAuth2Client
+from authentik.sources.oauth.models import OAuthSource, UserOAuthSourceConnection
+
+if TYPE_CHECKING:
+    from authentik.providers.scim.models import SCIMProvider
+
+
+class SCIMOAuthException(SCIMRequestException):
+    """Exceptions related to OAuth operations for SCIM requests"""
+
+
+class SCIMOAuthAuth:
+
+    def __init__(self, provider: "SCIMProvider"):
+        self.provider = provider
+        self.user = provider.auth_oauth_user
+        self.connection = self.get_connection()
+        self.logger = get_logger().bind()
+
+    def retrieve_token(self):
+        if not self.provider.auth_oauth:
+            return None
+        source: OAuthSource = self.provider.auth_oauth
+        client = OAuth2Client(source, None)
+        access_token_url = source.source_type.access_token_url or ""
+        if source.source_type.urls_customizable and source.access_token_url:
+            access_token_url = source.access_token_url
+        data = client.get_access_token_args(None, None)
+        data["grant_type"] = "password"
+        data.update(self.provider.auth_oauth_params)
+        try:
+            response = client.do_request(
+                "POST",
+                access_token_url,
+                auth=client.get_access_token_auth(),
+                data=data,
+                headers=client._default_headers,
+            )
+            response.raise_for_status()
+            body = response.json()
+            if "error" in body:
+                self.logger.info("Failed to get new OAuth token", error=body["error"])
+                raise SCIMOAuthException(response, body["error"])
+            return body
+        except RequestException as exc:
+            raise SCIMOAuthException(exc.response, message="Failed to get OAuth token") from exc
+
+    def get_connection(self):
+        token = UserOAuthSourceConnection.objects.filter(
+            source=self.provider.auth_oauth, user=self.user, expires__gt=now()
+        ).first()
+        if token and token.access_token:
+            return token
+        token = self.retrieve_token()
+        access_token = token["access_token"]
+        expires_in = int(token.get("expires_in", 0))
+        token, _ = UserOAuthSourceConnection.objects.update_or_create(
+            source=self.provider.auth_oauth,
+            user=self.user,
+            defaults={
+                "access_token": access_token,
+                "expires": now() + timedelta(seconds=expires_in),
+            },
+        )
+        return token
+
+    def __call__(self, request: Request) -> Request:
+        if not self.connection.is_valid:
+            self.logger.info("OAuth token expired, renewing token")
+            self.connection = self.get_connection()
+        request.headers["Authorization"] = f"Bearer {self.connection.access_token}"
+        return request

authentik/enterprise/providers/scim/signals.py

@@ -0,0 +1,30 @@
+from django.db.models import Model
+from django.db.models.signals import post_save
+from django.dispatch import receiver
+
+from authentik.core.models import USER_PATH_SYSTEM_PREFIX, User, UserTypes
+from authentik.events.middleware import audit_ignore
+from authentik.providers.scim.models import SCIMAuthenticationMode, SCIMProvider
+
+USER_PATH_PROVIDERS_SCIM = USER_PATH_SYSTEM_PREFIX + "/providers/scim"
+
+
+@receiver(post_save, sender=SCIMProvider)
+def scim_provider_post_save(sender: type[Model], instance: SCIMProvider, created: bool, **__):
+    """Create service account before provider is saved"""
+    identifier = f"ak-providers-scim-{instance.pk}"
+    with audit_ignore():
+        if instance.auth_mode == SCIMAuthenticationMode.OAUTH:
+            user, user_created = User.objects.update_or_create(
+                username=identifier,
+                defaults={
+                    "name": f"SCIM Provider {instance.name} Service-Account",
+                    "type": UserTypes.INTERNAL_SERVICE_ACCOUNT,
+                    "path": USER_PATH_PROVIDERS_SCIM,
+                },
+            )
+            if created or user_created:
+                instance.auth_oauth_user = user
+                instance.save()
+        elif instance.auth_mode == SCIMAuthenticationMode.TOKEN:
+            User.objects.filter(username=identifier).delete()

authentik/enterprise/providers/scim/tests.py

@@ -0,0 +1,193 @@
+"""SCIM OAuth tests"""
+
+from base64 import b64encode
+from datetime import timedelta
+from unittest.mock import MagicMock, PropertyMock, patch
+
+from django.urls import reverse
+from django.utils.timezone import now
+from requests_mock import Mocker
+from rest_framework.test import APITestCase
+
+from authentik.blueprints.tests import apply_blueprint
+from authentik.core.models import Application, Group, User
+from authentik.core.tests.utils import create_test_admin_user
+from authentik.enterprise.license import LicenseKey
+from authentik.enterprise.models import License
+from authentik.enterprise.tests.test_license import expiry_valid
+from authentik.lib.generators import generate_id
+from authentik.providers.scim.models import SCIMAuthenticationMode, SCIMMapping, SCIMProvider
+from authentik.sources.oauth.models import OAuthSource, UserOAuthSourceConnection
+from authentik.tenants.models import Tenant
+
+
+class SCIMOAuthTests(APITestCase):
+    """SCIM User tests"""
+
+    @apply_blueprint("system/providers-scim.yaml")
+    def setUp(self) -> None:
+        # Delete all users and groups as the mocked HTTP responses only return one ID
+        # which will cause errors with multiple users
+        Tenant.objects.update(avatars="none")
+        User.objects.all().exclude_anonymous().delete()
+        Group.objects.all().delete()
+        self.source = OAuthSource.objects.create(
+            name=generate_id(),
+            slug=generate_id(),
+            access_token_url="http://localhost/token",  # nosec
+            consumer_key=generate_id(),
+            consumer_secret=generate_id(),
+            provider_type="openidconnect",
+        )
+        self.provider = SCIMProvider.objects.create(
+            name=generate_id(),
+            url="https://localhost",
+            auth_mode=SCIMAuthenticationMode.OAUTH,
+            auth_oauth=self.source,
+            auth_oauth_params={
+                "foo": "bar",
+            },
+            exclude_users_service_account=True,
+        )
+        self.app: Application = Application.objects.create(
+            name=generate_id(),
+            slug=generate_id(),
+        )
+        self.app.backchannel_providers.add(self.provider)
+        self.provider.property_mappings.add(
+            SCIMMapping.objects.get(managed="goauthentik.io/providers/scim/user")
+        )
+        self.provider.property_mappings_group.add(
+            SCIMMapping.objects.get(managed="goauthentik.io/providers/scim/group")
+        )
+
+    def test_retrieve_token(self):
+        """Test token retrieval"""
+        with Mocker() as mocker:
+            token = generate_id()
+            mocker.post("http://localhost/token", json={"access_token": token, "expires_in": 3600})
+            self.provider.scim_auth()
+        conn = UserOAuthSourceConnection.objects.filter(
+            source=self.source,
+            user=self.provider.auth_oauth_user,
+        ).first()
+        self.assertIsNotNone(conn)
+        self.assertTrue(conn.is_valid)
+        auth = (
+            b64encode(
+                b":".join((self.source.consumer_key.encode(), self.source.consumer_secret.encode()))
+            )
+            .strip()
+            .decode()
+        )
+        self.assertEqual(
+            mocker.request_history[0].headers["Authorization"],
+            f"Basic {auth}",
+        )
+        self.assertEqual(mocker.request_history[0].body, "grant_type=password&foo=bar")
+
+    def test_existing_token(self):
+        """Test existing token"""
+        UserOAuthSourceConnection.objects.create(
+            source=self.source,
+            user=self.provider.auth_oauth_user,
+            access_token=generate_id(),
+            expires=now() + timedelta(hours=3),
+        )
+        with Mocker() as mocker:
+            self.provider.scim_auth()
+            self.assertEqual(len(mocker.request_history), 0)
+
+    @Mocker()
+    def test_user_create(self, mock: Mocker):
+        """Test user creation"""
+        scim_id = generate_id()
+        token = generate_id()
+        mock.post("http://localhost/token", json={"access_token": token, "expires_in": 3600})
+        mock.get(
+            "https://localhost/ServiceProviderConfig",
+            json={},
+        )
+        mock.post(
+            "https://localhost/Users",
+            json={
+                "id": scim_id,
+            },
+        )
+        uid = generate_id()
+        user = User.objects.create(
+            username=uid,
+            name=f"{uid} {uid}",
+            email=f"{uid}@goauthentik.io",
+        )
+        self.assertEqual(mock.call_count, 3)
+        self.assertEqual(mock.request_history[1].method, "GET")
+        self.assertEqual(mock.request_history[2].method, "POST")
+        self.assertJSONEqual(
+            mock.request_history[2].body,
+            {
+                "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
+                "active": True,
+                "emails": [
+                    {
+                        "primary": True,
+                        "type": "other",
+                        "value": f"{uid}@goauthentik.io",
+                    }
+                ],
+                "externalId": user.uid,
+                "name": {
+                    "familyName": uid,
+                    "formatted": f"{uid} {uid}",
+                    "givenName": uid,
+                },
+                "displayName": f"{uid} {uid}",
+                "userName": uid,
+            },
+        )
+
+    @patch(
+        "authentik.enterprise.license.LicenseKey.validate",
+        MagicMock(
+            return_value=LicenseKey(
+                aud="",
+                exp=expiry_valid,
+                name=generate_id(),
+                internal_users=100,
+                external_users=100,
+            )
+        ),
+    )
+    def test_api_create(self):
+        License.objects.create(key=generate_id())
+        self.client.force_login(create_test_admin_user())
+        res = self.client.post(
+            reverse("authentik_api:scimprovider-list"),
+            {
+                "name": generate_id(),
+                "url": "http://localhost",
+                "auth_mode": "oauth",
+                "auth_oauth": str(self.source.pk),
+            },
+        )
+        self.assertEqual(res.status_code, 201)
+
+    @patch(
+        "authentik.enterprise.models.LicenseUsageStatus.is_valid",
+        PropertyMock(return_value=False),
+    )
+    def test_api_create_no_license(self):
+        self.client.force_login(create_test_admin_user())
+        res = self.client.post(
+            reverse("authentik_api:scimprovider-list"),
+            {
+                "name": generate_id(),
+                "url": "http://localhost",
+                "auth_mode": "oauth",
+                "auth_oauth": str(self.source.pk),
+            },
+        )
+        self.assertEqual(res.status_code, 400)
+        self.assertJSONEqual(
+            res.content, {"auth_mode": ["Enterprise is required to use the OAuth mode."]}
+        )

authentik/enterprise/search/settings.py

@@ -1,6 +1,7 @@
 SPECTACULAR_SETTINGS = {
     "POSTPROCESSING_HOOKS": [
         "authentik.api.schema.postprocess_schema_responses",
+        "authentik.api.schema.postprocess_schema_pagination",
         "authentik.enterprise.search.schema.postprocess_schema_search_autocomplete",
         "drf_spectacular.hooks.postprocess_schema_enums",
     ],

authentik/enterprise/settings.py

@@ -5,6 +5,8 @@ TENANT_APPS = [
     "authentik.enterprise.policies.unique_password",
     "authentik.enterprise.providers.google_workspace",
     "authentik.enterprise.providers.microsoft_entra",
+    "authentik.enterprise.providers.radius",
+    "authentik.enterprise.providers.scim",
     "authentik.enterprise.providers.ssf",
     "authentik.enterprise.search",
     "authentik.enterprise.stages.authenticator_endpoint_gdtc",

authentik/enterprise/stages/authenticator_endpoint_gdtc/migrations/0002_alter_authenticatorendpointgdtcstage_friendly_name.py

@@ -0,0 +1,19 @@
+# Generated by Django 5.1.12 on 2025-09-08 19:43
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_stages_authenticator_endpoint_gdtc", "0001_initial"),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="authenticatorendpointgdtcstage",
+            name="friendly_name",
+            field=models.TextField(blank=True, default=""),
+            preserve_default=False,
+        ),
+    ]

authentik/events/context_processors/asn.py

@@ -19,7 +19,7 @@ if TYPE_CHECKING:
 class ASNDict(TypedDict):
     """ASN Details"""
 
-    asn: int
+    asn: int | None
     as_org: str | None
     network: str | None
 
@@ -60,7 +60,7 @@ class ASNContextProcessor(MMDBContextProcessor):
             except (GeoIP2Error, ValueError):
                 return None
 
-    def asn_to_dict(self, asn: ASN | None) -> ASNDict:
+    def asn_to_dict(self, asn: ASN | None) -> ASNDict | dict:
         """Convert ASN to dict"""
         if not asn:
             return {}

authentik/events/context_processors/geoip.py

@@ -19,10 +19,10 @@ if TYPE_CHECKING:
 class GeoIPDict(TypedDict):
     """GeoIP Details"""
 
-    continent: str
-    country: str
-    lat: float
-    long: float
+    continent: str | None
+    country: str | None
+    lat: float | None
+    long: float | None
     city: str
 
 
@@ -61,7 +61,7 @@ class GeoIPContextProcessor(MMDBContextProcessor):
             except (GeoIP2Error, ValueError):
                 return None
 
-    def city_to_dict(self, city: City | None) -> GeoIPDict:
+    def city_to_dict(self, city: City | None) -> GeoIPDict | dict:
         """Convert City to dict"""
         if not city:
             return {}

authentik/events/middleware.py

@@ -197,7 +197,8 @@ class AuditMiddleware:
             return
         if _CTX_IGNORE.get():
             return
-        if request.request_id != _CTX_REQUEST.get().request_id:
+        current_request = _CTX_REQUEST.get()
+        if current_request is None or request.request_id != current_request.request_id:
             return
         user = self.get_user(request)
 
@@ -212,7 +213,8 @@ class AuditMiddleware:
             return
         if _CTX_IGNORE.get():
             return
-        if request.request_id != _CTX_REQUEST.get().request_id:
+        current_request = _CTX_REQUEST.get()
+        if current_request is None or request.request_id != current_request.request_id:
             return
         user = self.get_user(request)
 
@@ -239,7 +241,8 @@ class AuditMiddleware:
             return
         if _CTX_IGNORE.get():
             return
-        if request.request_id != _CTX_REQUEST.get().request_id:
+        current_request = _CTX_REQUEST.get()
+        if current_request is None or request.request_id != current_request.request_id:
             return
         user = self.get_user(request)
 

authentik/events/migrations/0013_delete_systemtask.py

@@ -0,0 +1,16 @@
+# Generated by Django 5.1.11 on 2025-07-28 15:05
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_events", "0012_notificationtransport_email_subject_prefix_and_more"),
+    ]
+
+    operations = [
+        migrations.DeleteModel(
+            name="SystemTask",
+        ),
+    ]

authentik/events/models.py

@@ -632,45 +632,3 @@ class NotificationWebhookMapping(PropertyMapping):
     class Meta:
         verbose_name = _("Webhook Mapping")
         verbose_name_plural = _("Webhook Mappings")
-
-
-class TaskStatus(models.TextChoices):
-    """DEPRECATED do not use"""
-
-    UNKNOWN = "unknown"
-    SUCCESSFUL = "successful"
-    WARNING = "warning"
-    ERROR = "error"
-
-
-class SystemTask(ExpiringModel):
-    """DEPRECATED do not use"""
-
-    uuid = models.UUIDField(primary_key=True, editable=False, default=uuid4)
-    name = models.TextField()
-    uid = models.TextField(null=True)
-
-    start_timestamp = models.DateTimeField(default=now)
-    finish_timestamp = models.DateTimeField(default=now)
-    duration = models.FloatField(default=0)
-
-    status = models.TextField(choices=TaskStatus.choices)
-
-    description = models.TextField(null=True)
-    messages = models.JSONField()
-
-    task_call_module = models.TextField()
-    task_call_func = models.TextField()
-    task_call_args = models.JSONField(default=list)
-    task_call_kwargs = models.JSONField(default=dict)
-
-    def __str__(self) -> str:
-        return f"System Task {self.name}"
-
-    class Meta:
-        unique_together = (("name", "uid"),)
-        default_permissions = ()
-        permissions = ()
-        verbose_name = _("System Task")
-        verbose_name_plural = _("System Tasks")
-        indexes = ExpiringModel.Meta.indexes

authentik/events/tasks.py

@@ -16,6 +16,7 @@ from authentik.events.models import (
     NotificationRule,
     NotificationTransport,
 )
+from authentik.lib.utils.db import chunked_queryset
 from authentik.policies.engine import PolicyEngine
 from authentik.policies.models import PolicyBinding, PolicyEngineMode
 from authentik.tasks.models import Task
@@ -123,7 +124,8 @@ def gdpr_cleanup(user_pk: int):
     """cleanup events from gdpr_compliance"""
     events = Event.objects.filter(user__pk=user_pk)
     LOGGER.debug("GDPR cleanup, removing events from user", events=events.count())
-    events.delete()
+    for event in chunked_queryset(events):
+        event.delete()
 
 
 @actor(description=_("Cleanup seen notifications and notifications whose event expired."))

authentik/flows/models.py

@@ -291,7 +291,7 @@ class ConfigurableStage(models.Model):
 class FriendlyNamedStage(models.Model):
     """Abstract base class for a Stage that can have a user friendly name configured."""
 
-    friendly_name = models.TextField(null=True)
+    friendly_name = models.TextField(blank=True)
 
     class Meta:
         abstract = True

authentik/flows/stage.py

@@ -160,7 +160,7 @@ class ChallengeStageView(StageView):
                 "user": self.get_pending_user(for_display=True),
             }
 
-        except Exception as exc:
+        except Exception as exc:  # noqa
             self.logger.warning("failed to template title", exc=exc)
             return self.executor.flow.title
 

authentik/flows/views/executor.py

@@ -198,7 +198,7 @@ class FlowExecutorView(APIView):
                 # if the cached plan is from an older version, it might have different attributes
                 # in which case we just delete the plan and invalidate everything
                 next_binding = self.plan.next(self.request)
-            except Exception as exc:
+            except Exception as exc:  # noqa
                 self._logger.warning(
                     "f(exec): found incompatible flow plan, invalidating run", exc=exc
                 )
@@ -288,7 +288,7 @@ class FlowExecutorView(APIView):
                 span.set_data("authentik Flow", self.flow.slug)
                 stage_response = self.current_stage_view.dispatch(request)
                 return to_stage_response(request, stage_response)
-        except Exception as exc:
+        except Exception as exc:  # noqa
             return self.handle_exception(exc)
 
     @extend_schema(
@@ -339,7 +339,7 @@ class FlowExecutorView(APIView):
                 span.set_data("authentik Flow", self.flow.slug)
                 stage_response = self.current_stage_view.dispatch(request)
                 return to_stage_response(request, stage_response)
-        except Exception as exc:
+        except Exception as exc:  # noqa
             return self.handle_exception(exc)
 
     def _initiate_plan(self) -> FlowPlan:
@@ -351,7 +351,7 @@ class FlowExecutorView(APIView):
             # there are no issues with the class we might've gotten
             # from the cache. If there are errors, just delete all cached flows
             _ = plan.has_stages
-        except Exception:
+        except Exception:  # noqa
             keys = cache.keys(f"{CACHE_PREFIX}*")
             cache.delete_many(keys)
             return self._initiate_plan()

authentik/lib/config.py

@@ -444,6 +444,10 @@ def django_db_config(config: ConfigLoader | None = None) -> dict:
             f"postgresql.read_replicas.{replica}.conn_options", default={}
         )
         _database["OPTIONS"].update(replica_conn_options)
+        _database["TEST"] = {
+            "MIRROR": "default",
+            "NAME": config.get("postgresql.test.name"),
+        }
 
         db[f"replica_{replica}"] = _database
     return db

authentik/lib/logging.py

@@ -43,7 +43,9 @@ def structlog_configure():
             structlog.stdlib.PositionalArgumentsFormatter(),
             structlog.processors.TimeStamper(fmt="iso", utc=False),
             structlog.processors.StackInfoRenderer(),
-            structlog.processors.dict_tracebacks,
+            structlog.processors.ExceptionRenderer(
+                structlog.processors.ExceptionDictTransformer(show_locals=CONFIG.get_bool("debug"))
+            ),
             structlog.stdlib.ProcessorFormatter.wrap_for_formatter,
         ],
         logger_factory=structlog.stdlib.LoggerFactory(),
@@ -65,7 +67,14 @@ def get_logger_config():
             "json": {
                 "()": structlog.stdlib.ProcessorFormatter,
                 "processor": structlog.processors.JSONRenderer(sort_keys=True),
-                "foreign_pre_chain": LOG_PRE_CHAIN + [structlog.processors.dict_tracebacks],
+                "foreign_pre_chain": LOG_PRE_CHAIN
+                + [
+                    structlog.processors.ExceptionRenderer(
+                        structlog.processors.ExceptionDictTransformer(
+                            show_locals=CONFIG.get_bool("debug")
+                        )
+                    ),
+                ],
             },
             "console": {
                 "()": structlog.stdlib.ProcessorFormatter,

authentik/lib/utils/db.py

@@ -0,0 +1,29 @@
+"""authentik database utilities"""
+
+import gc
+
+from django.db import reset_queries
+from django.db.models import QuerySet
+
+
+def chunked_queryset(queryset: QuerySet, chunk_size: int = 1_000):
+    if not queryset.exists():
+        return []
+
+    def get_chunks(qs: QuerySet):
+        qs = qs.order_by("pk")
+        pks = qs.values_list("pk", flat=True)
+        start_pk = pks[0]
+        while True:
+            try:
+                end_pk = pks.filter(pk__gte=start_pk)[chunk_size]
+            except IndexError:
+                break
+            yield qs.filter(pk__gte=start_pk, pk__lt=end_pk)
+            start_pk = end_pk
+        yield qs.filter(pk__gte=start_pk)
+
+    for chunk in get_chunks(queryset):
+        reset_queries()
+        gc.collect()
+        yield from chunk.iterator()

authentik/lib/utils/reflection.py

@@ -6,6 +6,7 @@ from pathlib import Path
 from tempfile import gettempdir
 
 from django.conf import settings
+from django.utils.module_loading import import_string
 
 from authentik.lib.config import CONFIG
 
@@ -62,3 +63,13 @@ def get_env() -> str:
     if "AK_APPLIANCE" in os.environ:
         return os.environ["AK_APPLIANCE"]
     return "custom"
+
+
+def ConditionalInheritance(path: str):
+    """Conditionally inherit from a class, intended for things like authentik.enterprise,
+    without which authentik should still be able to run"""
+    try:
+        cls = import_string(path)
+        return cls
+    except ModuleNotFoundError:
+        return object

authentik/policies/expression/evaluator.py

@@ -71,7 +71,7 @@ class PolicyEvaluator(BaseEvaluator):
             # PolicyExceptions should be propagated back to the process,
             # which handles recording and returning a correct result
             raise exc
-        except Exception as exc:
+        except Exception as exc:  # noqa
             LOGGER.warning("Expression error", exc=exc)
             return PolicyResult(False, str(exc))
         else:

authentik/policies/process.py

@@ -144,6 +144,6 @@ class PolicyProcess(PROCESS_CLASS):
         """Task wrapper to run policy checking"""
         try:
             self.connection.send(self.profiling_wrapper())
-        except Exception as exc:
+        except Exception as exc:  # noqa
             LOGGER.warning("Policy failed to run", exc=exc)
             self.connection.send(PolicyResult(False, str(exc)))

authentik/providers/oauth2/views/userinfo.py

@@ -60,7 +60,7 @@ class UserInfoView(View):
         for scope in scopes:
             if scope in special_scope_map:
                 scope_descriptions.append(
-                    PermissionDict(id=scope, name=str(special_scope_map[scope]))
+                    PermissionDict(id=str(scope), name=str(special_scope_map[scope]))
                 )
         return scope_descriptions
 

authentik/providers/radius/api/providers.py

@@ -23,13 +23,19 @@ from authentik.core.models import Application
 from authentik.events.models import Event, EventAction
 from authentik.lib.expression.exceptions import ControlFlowException
 from authentik.lib.sync.mapper import PropertyMappingManager
+from authentik.lib.utils.reflection import ConditionalInheritance
 from authentik.policies.api.exec import PolicyTestResultSerializer
 from authentik.policies.engine import PolicyEngine
 from authentik.policies.types import PolicyResult
 from authentik.providers.radius.models import RadiusProvider, RadiusProviderPropertyMapping
 
 
-class RadiusProviderSerializer(ProviderSerializer):
+class RadiusProviderSerializer(
+    ConditionalInheritance(
+        "authentik.enterprise.providers.radius.api.RadiusProviderSerializerMixin"
+    ),
+    ProviderSerializer,
+):
     """RadiusProvider Serializer"""
 
     outpost_set = ListField(child=CharField(), read_only=True, source="outpost_set.all")
@@ -43,6 +49,7 @@ class RadiusProviderSerializer(ProviderSerializer):
             "shared_secret",
             "outpost_set",
             "mfa_support",
+            "certificate",
         ]
         extra_kwargs = ProviderSerializer.Meta.extra_kwargs
 
@@ -78,6 +85,7 @@ class RadiusOutpostConfigSerializer(ModelSerializer):
             "client_networks",
             "shared_secret",
             "mfa_support",
+            "certificate",
         ]
 
 

authentik/providers/radius/migrations/0005_radiusprovider_certificate.py

@@ -0,0 +1,25 @@
+# Generated by Django 5.1.11 on 2025-07-20 17:20
+
+import django.db.models.deletion
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_crypto", "0004_alter_certificatekeypair_name"),
+        ("authentik_providers_radius", "0004_alter_radiusproviderpropertymapping_options"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="radiusprovider",
+            name="certificate",
+            field=models.ForeignKey(
+                default=None,
+                null=True,
+                on_delete=django.db.models.deletion.CASCADE,
+                to="authentik_crypto.certificatekeypair",
+            ),
+        ),
+    ]

authentik/providers/radius/models.py

@@ -1,11 +1,14 @@
 """Radius Provider"""
 
+from collections.abc import Iterable
+
 from django.db import models
 from django.templatetags.static import static
 from django.utils.translation import gettext_lazy as _
 from rest_framework.serializers import Serializer
 
 from authentik.core.models import PropertyMapping, Provider
+from authentik.crypto.models import CertificateKeyPair
 from authentik.lib.generators import generate_id
 from authentik.outposts.models import OutpostModel
 
@@ -38,6 +41,10 @@ class RadiusProvider(OutpostModel, Provider):
         ),
     )
 
+    certificate = models.ForeignKey(
+        CertificateKeyPair, on_delete=models.CASCADE, default=None, null=True
+    )
+
     @property
     def launch_url(self) -> str | None:
         """Radius never has a launch URL"""
@@ -57,6 +64,12 @@ class RadiusProvider(OutpostModel, Provider):
 
         return RadiusProviderSerializer
 
+    def get_required_objects(self) -> Iterable[models.Model | str]:
+        required = [self, "authentik_stages_mtls.pass_outpost_certificate"]
+        if self.certificate is not None:
+            required.append(self.certificate)
+        return required
+
     def __str__(self):
         return f"Radius Provider {self.name}"
 

authentik/providers/saml/processors/assertion.py

@@ -239,32 +239,33 @@ class AssertionProcessor:
                 ).from_http(self.http_request)
                 LOGGER.warning("Failed to evaluate property mapping", exc=exc)
                 return name_id
-        if name_id.attrib["Format"] == SAML_NAME_ID_FORMAT_EMAIL:
+        if self.auth_n_request.name_id_policy == SAML_NAME_ID_FORMAT_EMAIL:
             name_id.text = self.http_request.user.email
             return name_id
-        if name_id.attrib["Format"] in [
+        if self.auth_n_request.name_id_policy in [
             SAML_NAME_ID_FORMAT_PERSISTENT,
             SAML_NAME_ID_FORMAT_UNSPECIFIED,
         ]:
             name_id.text = persistent
             return name_id
-        if name_id.attrib["Format"] == SAML_NAME_ID_FORMAT_X509:
+        if self.auth_n_request.name_id_policy == SAML_NAME_ID_FORMAT_X509:
             # This attribute is statically set by the LDAP source
             name_id.text = self.http_request.user.attributes.get(
                 LDAP_DISTINGUISHED_NAME, persistent
             )
             return name_id
-        if name_id.attrib["Format"] == SAML_NAME_ID_FORMAT_WINDOWS:
+        if self.auth_n_request.name_id_policy == SAML_NAME_ID_FORMAT_WINDOWS:
             # This attribute is statically set by the LDAP source
             name_id.text = self.http_request.user.attributes.get("upn", persistent)
             return name_id
-        if name_id.attrib["Format"] == SAML_NAME_ID_FORMAT_TRANSIENT:
+        if self.auth_n_request.name_id_policy == SAML_NAME_ID_FORMAT_TRANSIENT:
             # Use the hash of the user's session, which changes every session
             session_key: str = self.http_request.session.session_key
             name_id.text = sha256(session_key.encode()).hexdigest()
             return name_id
         raise UnsupportedNameIDFormat(
-            f"Assertion contains NameID with unsupported format {name_id.attrib['Format']}."
+            "Assertion contains NameID with unsupported "
+            f"format {self.auth_n_request.name_id_policy}."
         )
 
     def get_assertion_subject(self) -> Element:

authentik/providers/scim/api/providers.py

@@ -5,11 +5,15 @@ from rest_framework.viewsets import ModelViewSet
 from authentik.core.api.providers import ProviderSerializer
 from authentik.core.api.used_by import UsedByMixin
 from authentik.lib.sync.outgoing.api import OutgoingSyncProviderStatusMixin
+from authentik.lib.utils.reflection import ConditionalInheritance
 from authentik.providers.scim.models import SCIMProvider
 from authentik.providers.scim.tasks import scim_sync, scim_sync_objects
 
 
-class SCIMProviderSerializer(ProviderSerializer):
+class SCIMProviderSerializer(
+    ConditionalInheritance("authentik.enterprise.providers.scim.api.SCIMProviderSerializerMixin"),
+    ProviderSerializer,
+):
     """SCIMProvider Serializer"""
 
     class Meta:
@@ -28,6 +32,9 @@ class SCIMProviderSerializer(ProviderSerializer):
             "url",
             "verify_certificates",
             "token",
+            "auth_mode",
+            "auth_oauth",
+            "auth_oauth_params",
             "compatibility_mode",
             "exclude_users_service_account",
             "filter_group",

authentik/providers/scim/clients/auth.py

@@ -0,0 +1,16 @@
+from typing import TYPE_CHECKING
+
+from requests import Request
+
+if TYPE_CHECKING:
+    from authentik.providers.scim.models import SCIMProvider
+
+
+class SCIMTokenAuth:
+
+    def __init__(self, provider: "SCIMProvider"):
+        self.provider = provider
+
+    def __call__(self, request: Request) -> Request:
+        request.headers["Authorization"] = f"Bearer {self.provider.token}"
+        return request

authentik/providers/scim/clients/base.py

@@ -35,7 +35,6 @@ class SCIMClient[TModel: "Model", TConnection: "Model", TSchema: "BaseModel"](
     """SCIM Client"""
 
     base_url: str
-    token: str
 
     _session: Session
     _config: ServiceProviderConfiguration
@@ -45,12 +44,12 @@ class SCIMClient[TModel: "Model", TConnection: "Model", TSchema: "BaseModel"](
         self._session = get_http_session()
         self._session.verify = provider.verify_certificates
         self.provider = provider
+        self.auth = provider.scim_auth()
         # Remove trailing slashes as we assume the URL doesn't have any
         base_url = provider.url
         if base_url.endswith("/"):
             base_url = base_url[:-1]
         self.base_url = base_url
-        self.token = provider.token
         self._config = self.get_service_provider_config()
 
     def _request(self, method: str, path: str, **kwargs) -> dict:
@@ -62,8 +61,8 @@ class SCIMClient[TModel: "Model", TConnection: "Model", TSchema: "BaseModel"](
                 method,
                 f"{self.base_url}{path}",
                 **kwargs,
+                auth=self.auth,
                 headers={
-                    "Authorization": f"Bearer {self.token}",
                     "Accept": "application/scim+json",
                     "Content-Type": "application/scim+json",
                 },

authentik/providers/scim/clients/users.py

@@ -72,7 +72,8 @@ class SCIMUserClient(SCIMClient[User, SCIMProviderUser, SCIMUserSchema]):
                 if not self._config.filter.supported:
                     raise exc
                 users = self._request(
-                    "GET", f"/Users?{urlencode({'filter': f'userName eq {scim_user.userName}'})}"
+                    "GET",
+                    f"/Users?{urlencode({'filter': f'userName eq \"{scim_user.userName}\"'})}",
                 )
                 users_res = users.get("Resources", [])
                 if len(users_res) < 1:

authentik/providers/scim/migrations/0014_scimprovider_auth_mode_scimprovider_auth_oauth_and_more.py

@@ -0,0 +1,59 @@
+# Generated by Django 5.1.12 on 2025-09-23 12:31
+
+import django.db.models.deletion
+from django.conf import settings
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_providers_scim", "0013_scimprovidergroup_attributes_and_more"),
+        ("authentik_sources_oauth", "0011_useroauthsourceconnection_expires"),
+        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="scimprovider",
+            name="auth_mode",
+            field=models.TextField(
+                choices=[("token", "Token"), ("oauth", "OAuth")], default="token"
+            ),
+        ),
+        migrations.AddField(
+            model_name="scimprovider",
+            name="auth_oauth",
+            field=models.ForeignKey(
+                default=None,
+                help_text="OAuth Source used for authentication",
+                null=True,
+                on_delete=django.db.models.deletion.SET_DEFAULT,
+                to="authentik_sources_oauth.oauthsource",
+            ),
+        ),
+        migrations.AddField(
+            model_name="scimprovider",
+            name="auth_oauth_params",
+            field=models.JSONField(
+                blank=True,
+                default=dict,
+                help_text="Additional OAuth parameters, such as grant_type",
+            ),
+        ),
+        migrations.AddField(
+            model_name="scimprovider",
+            name="auth_oauth_user",
+            field=models.ForeignKey(
+                default=None,
+                null=True,
+                on_delete=django.db.models.deletion.CASCADE,
+                to=settings.AUTH_USER_MODEL,
+            ),
+        ),
+        migrations.AlterField(
+            model_name="scimprovider",
+            name="token",
+            field=models.TextField(blank=True, help_text="Authentication token"),
+        ),
+    ]

authentik/providers/scim/models.py

@@ -8,12 +8,17 @@ from django.db.models import QuerySet
 from django.templatetags.static import static
 from django.utils.translation import gettext_lazy as _
 from dramatiq.actor import Actor
+from requests.auth import AuthBase
 from rest_framework.serializers import Serializer
+from structlog.stdlib import get_logger
 
 from authentik.core.models import BackchannelProvider, Group, PropertyMapping, User, UserTypes
 from authentik.lib.models import SerializerModel
 from authentik.lib.sync.outgoing.base import BaseOutgoingSyncClient
 from authentik.lib.sync.outgoing.models import OutgoingSyncProvider
+from authentik.providers.scim.clients.auth import SCIMTokenAuth
+
+LOGGER = get_logger()
 
 
 class SCIMProviderUser(SerializerModel):
@@ -60,6 +65,13 @@ class SCIMProviderGroup(SerializerModel):
         return f"SCIM Provider Group {self.group_id} to {self.provider_id}"
 
 
+class SCIMAuthenticationMode(models.TextChoices):
+    """SCIM authentication modes"""
+
+    TOKEN = "token", _("Token")
+    OAUTH = "oauth", _("OAuth")
+
+
 class SCIMCompatibilityMode(models.TextChoices):
     """SCIM compatibility mode"""
 
@@ -78,7 +90,26 @@ class SCIMProvider(OutgoingSyncProvider, BackchannelProvider):
     )
 
     url = models.TextField(help_text=_("Base URL to SCIM requests, usually ends in /v2"))
-    token = models.TextField(help_text=_("Authentication token"))
+
+    auth_mode = models.TextField(
+        choices=SCIMAuthenticationMode.choices, default=SCIMAuthenticationMode.TOKEN
+    )
+
+    token = models.TextField(help_text=_("Authentication token"), blank=True)
+    auth_oauth = models.ForeignKey(
+        "authentik_sources_oauth.OAuthSource",
+        on_delete=models.SET_DEFAULT,
+        default=None,
+        null=True,
+        help_text=_("OAuth Source used for authentication"),
+    )
+    auth_oauth_params = models.JSONField(
+        blank=True, default=dict, help_text=_("Additional OAuth parameters, such as grant_type")
+    )
+    auth_oauth_user = models.ForeignKey(
+        "authentik_core.User", on_delete=models.CASCADE, default=None, null=True
+    )
+
     verify_certificates = models.BooleanField(default=True)
 
     property_mappings_group = models.ManyToManyField(
@@ -96,6 +127,16 @@ class SCIMProvider(OutgoingSyncProvider, BackchannelProvider):
         help_text=_("Alter authentik behavior for vendor-specific SCIM implementations."),
     )
 
+    def scim_auth(self) -> AuthBase:
+        if self.auth_mode == SCIMAuthenticationMode.OAUTH:
+            try:
+                from authentik.enterprise.providers.scim.auth_oauth2 import SCIMOAuthAuth
+
+                return SCIMOAuthAuth(self)
+            except ImportError:
+                LOGGER.warning("Failed to import SCIM OAuth Client")
+        return SCIMTokenAuth(self)
+
     @property
     def icon_url(self) -> str | None:
         return static("authentik/sources/scim.png")

authentik/rbac/middleware.py

@@ -61,7 +61,8 @@ class InitialPermissionsMiddleware:
     ):
         if not created:
             return
-        if request.request_id != _CTX_REQUEST.get().request_id:
+        current_request = _CTX_REQUEST.get()
+        if current_request is None or request.request_id != current_request.request_id:
             return
         user: User = request.user
         if not user or user.is_anonymous:

authentik/recovery/management/commands/create_recovery_key.py

@@ -3,6 +3,7 @@
 from datetime import timedelta
 from getpass import getuser
 
+from django.utils.timesince import timesince
 from django.utils.timezone import now
 from django.utils.translation import gettext as _
 
@@ -16,25 +17,38 @@ class Command(TenantCommand):
 
     help = _("Create a Key which can be used to restore access to authentik.")
 
+    def format_duration_message(self, duration: int) -> str:
+        """Format duration in minutes to a human-readable message"""
+        current_time = now()
+        future_time = current_time + timedelta(minutes=duration)
+
+        # fyi a non-breaking space is returned by timesince
+        return timesince(current_time, future_time)
+
     def add_arguments(self, parser):
         parser.add_argument(
             "duration",
-            default=1,
-            action="store",
-            help="How long the token is valid for (in years).",
+            nargs="?",
+            default=60,
+            type=int,
+            help="How long the token is valid for (in minutes). Default: 60 minutes (1 hour).",
         )
         parser.add_argument("user", action="store", help="Which user the Token gives access to.")
 
     def handle_per_tenant(self, *args, **options):
         """Create Token used to recover access"""
-        duration = int(options.get("duration", 1))
-        expiry = now() + timedelta(days=duration * 365.2425)
+        duration = int(options.get("duration", 60))
+        expiry = now() + timedelta(minutes=duration)
         user = User.objects.filter(username=options.get("user")).first()
         if not user:
             self.stderr.write(f"User '{options.get('user')}' not found.")
             return
         _, url = create_recovery_token(user, expiry, getuser())
+
+        duration_msg = self.format_duration_message(duration)
+
         self.stdout.write(
             f"Store this link safely, as it will allow anyone to access authentik as {user}."
         )
+        self.stdout.write(f"This recovery token is valid for {duration_msg}.")
         self.stdout.write(url)

authentik/recovery/tests.py

@@ -1,10 +1,12 @@
 """recovery tests"""
 
+from datetime import timedelta
 from io import StringIO
 
 from django.core.management import call_command
 from django.test import TestCase
 from django.urls import reverse
+from django.utils.timezone import now
 from django_tenants.utils import get_public_schema_name
 
 from authentik.core.models import Token, TokenIntents, User
@@ -22,20 +24,21 @@ class TestRecovery(TestCase):
         self.assertEqual(len(Token.objects.filter(intent=TokenIntents.INTENT_RECOVERY)), 0)
         call_command(
             "create_recovery_key",
-            "1",
+            "5",
             self.user.username,
             schema=get_public_schema_name(),
             stdout=out,
         )
         token = Token.objects.get(intent=TokenIntents.INTENT_RECOVERY, user=self.user)
         self.assertIn(token.key, out.getvalue())
+        self.assertIn("valid for 5\xa0minutes", out.getvalue())
         self.assertEqual(len(Token.objects.filter(intent=TokenIntents.INTENT_RECOVERY)), 1)
 
     def test_create_key_invalid(self):
         """Test creation of a new key (invalid)"""
         out = StringIO()
         self.assertEqual(len(Token.objects.filter(intent=TokenIntents.INTENT_RECOVERY)), 0)
-        call_command("create_recovery_key", "1", "foo", schema=get_public_schema_name(), stderr=out)
+        call_command("create_recovery_key", "5", "foo", schema=get_public_schema_name(), stderr=out)
         self.assertIn("not found", out.getvalue())
 
     def test_recovery_view(self):
@@ -43,7 +46,7 @@ class TestRecovery(TestCase):
         out = StringIO()
         call_command(
             "create_recovery_key",
-            "1",
+            "10",
             self.user.username,
             schema=get_public_schema_name(),
             stdout=out,
@@ -71,3 +74,116 @@ class TestRecovery(TestCase):
         )
         self.assertIn("successfully added to", out.getvalue())
         self.assertTrue(self.user.is_superuser)
+
+    def test_create_key_default_duration(self):
+        """Test creation of a new key with default duration (60 minutes)"""
+        out = StringIO()
+        before_creation = now()
+        call_command(
+            "create_recovery_key",
+            self.user.username,
+            schema=get_public_schema_name(),
+            stdout=out,
+        )
+        after_creation = now()
+
+        token = Token.objects.get(intent=TokenIntents.INTENT_RECOVERY, user=self.user)
+        self.assertIn(token.key, out.getvalue())
+        self.assertIn("valid for 1\xa0hour", out.getvalue())
+
+        # Verify the token expires in approximately 60 minutes (default)
+        expected_expiry_min = before_creation + timedelta(minutes=60)
+        expected_expiry_max = after_creation + timedelta(minutes=60)
+        self.assertGreaterEqual(token.expires, expected_expiry_min)
+        self.assertLessEqual(token.expires, expected_expiry_max)
+
+    def test_create_key_custom_duration(self):
+        """Test creation of a new key with custom duration"""
+        out = StringIO()
+        custom_duration = 120  # 2 hours
+        before_creation = now()
+
+        call_command(
+            "create_recovery_key",
+            str(custom_duration),
+            self.user.username,
+            schema=get_public_schema_name(),
+            stdout=out,
+        )
+        after_creation = now()
+
+        token = Token.objects.get(intent=TokenIntents.INTENT_RECOVERY, user=self.user)
+        self.assertIn(token.key, out.getvalue())
+        self.assertIn("valid for 2\xa0hours", out.getvalue())
+
+        # Verify the token expires in approximately the custom duration
+        expected_expiry_min = before_creation + timedelta(minutes=custom_duration)
+        expected_expiry_max = after_creation + timedelta(minutes=custom_duration)
+        self.assertGreaterEqual(token.expires, expected_expiry_min)
+        self.assertLessEqual(token.expires, expected_expiry_max)
+
+    def test_create_key_short_duration(self):
+        """Test creation of a new key with very short duration (1 minute)"""
+        out = StringIO()
+        short_duration = 1
+        before_creation = now()
+
+        call_command(
+            "create_recovery_key",
+            str(short_duration),
+            self.user.username,
+            schema=get_public_schema_name(),
+            stdout=out,
+        )
+        after_creation = now()
+
+        token = Token.objects.get(intent=TokenIntents.INTENT_RECOVERY, user=self.user)
+        self.assertIn(token.key, out.getvalue())
+        self.assertIn("valid for 1\xa0minute", out.getvalue())
+
+        # Verify the token expires in approximately 1 minute
+        expected_expiry_min = before_creation + timedelta(minutes=short_duration)
+        expected_expiry_max = after_creation + timedelta(minutes=short_duration)
+        self.assertGreaterEqual(token.expires, expected_expiry_min)
+        self.assertLessEqual(token.expires, expected_expiry_max)
+
+    def test_create_key_duration_validation(self):
+        """Test that the duration is correctly converted to minutes"""
+        # Test various durations to ensure they're calculated correctly
+        test_cases = [1, 5, 30, 60, 120, 1440]  # 1min, 5min, 30min, 1hr, 2hr, 24hr
+
+        for duration in test_cases:
+            with self.subTest(duration=duration):
+                out = StringIO()
+                before_creation = now()
+
+                call_command(
+                    "create_recovery_key",
+                    str(duration),
+                    self.user.username,
+                    schema=get_public_schema_name(),
+                    stdout=out,
+                )
+                after_creation = now()
+
+                token = Token.objects.get(intent=TokenIntents.INTENT_RECOVERY, user=self.user)
+
+                # Verify the token expires in approximately the specified duration
+                expected_expiry_min = before_creation + timedelta(minutes=duration)
+                expected_expiry_max = after_creation + timedelta(minutes=duration)
+                self.assertGreaterEqual(token.expires, expected_expiry_min)
+                self.assertLessEqual(token.expires, expected_expiry_max)
+
+                # Clean up for next iteration
+                token.delete()
+
+    def test_create_key_help_text(self):
+        """Test that the help text correctly indicates minutes"""
+        from authentik.recovery.management.commands.create_recovery_key import Command
+
+        command = Command()
+        # Check that the help text mentions minutes
+        parser = command.create_parser("test", "create_recovery_key")
+        help_text = parser.format_help()
+        self.assertIn("minutes", help_text.lower())
+        self.assertNotIn("years", help_text.lower())

authentik/root/settings.py

@@ -175,6 +175,7 @@ SPECTACULAR_SETTINGS = {
         "SAMLNameIDPolicyEnum": "authentik.sources.saml.models.SAMLNameIDPolicy",
         "UserTypeEnum": "authentik.core.models.UserTypes",
         "UserVerificationEnum": "authentik.stages.authenticator_webauthn.models.UserVerification",
+        "SCIMAuthenticationModeEnum": "authentik.providers.scim.models.SCIMAuthenticationMode",
     },
     "ENUM_ADD_EXPLICIT_BLANK_NULL_CHOICE": False,
     "ENUM_GENERATE_CHOICE_DESCRIPTION": False,
@@ -183,6 +184,7 @@ SPECTACULAR_SETTINGS = {
     ],
     "POSTPROCESSING_HOOKS": [
         "authentik.api.schema.postprocess_schema_responses",
+        "authentik.api.schema.postprocess_schema_pagination",
         "drf_spectacular.hooks.postprocess_schema_enums",
     ],
 }
@@ -255,6 +257,7 @@ MIDDLEWARE = [
     "authentik.root.middleware.LoggingMiddleware",
     "authentik.root.middleware.ClientIPMiddleware",
     "authentik.stages.user_login.middleware.BoundSessionMiddleware",
+    "django.middleware.locale.LocaleMiddleware",
     "authentik.core.middleware.AuthenticationMiddleware",
     "authentik.core.middleware.RequestIDMiddleware",
     "authentik.brands.middleware.BrandMiddleware",

authentik/root/signals.py

@@ -1,7 +1,6 @@
 from datetime import timedelta
 
-from django.core.signals import Signal
-from django.dispatch import receiver
+from django.dispatch import Signal, receiver
 from django.utils.timezone import now
 from structlog.stdlib import get_logger
 

authentik/root/test_runner.py

@@ -8,6 +8,7 @@ from unittest.mock import patch
 import pytest
 from django.conf import settings
 from django.contrib.contenttypes.models import ContentType
+from django.test import TestCase as DjangoTestCase
 from django.test.runner import DiscoverRunner
 from structlog.stdlib import get_logger
 
@@ -20,6 +21,8 @@ from authentik.tasks.test import use_test_broker
 
 # globally set maxDiff to none to show full assert error
 TestCase.maxDiff = None
+# allow testing with read-replicas
+DjangoTestCase.databases = "__all__"
 
 
 def get_docker_tag() -> str:
@@ -63,6 +66,15 @@ class PytestTestRunner(DiscoverRunner):  # pragma: no cover
         settings.TEST = True
         settings.DRAMATIQ["test"] = True
 
+        # Set any other test databases's name to their test name early
+        # django does this itself, however only _after_ migrating the default alias
+        # which triggers some reads that might go to the read replica, which
+        # would be routed to the wrong database
+        for alias, db in settings.DATABASES.items():
+            if alias == "default":
+                continue
+            db["NAME"] = db["TEST"]["NAME"]
+
         # Test-specific configuration
         test_config = {
             "events.context_processors.geoip": "tests/GeoLite2-City-Test.mmdb",
@@ -177,6 +189,6 @@ class PytestTestRunner(DiscoverRunner):  # pragma: no cover
         with patch("guardian.shortcuts._get_ct_cached", patched__get_ct_cached):
             try:
                 return pytest.main(self.args)
-            except Exception as e:
+            except Exception as e:  # noqa
                 self.logger.error("Error running tests", error=str(e), test_files=self.args)
                 return 1

authentik/sources/oauth/api/source_connection.py

@@ -12,7 +12,7 @@ from authentik.sources.oauth.models import GroupOAuthSourceConnection, UserOAuth
 class UserOAuthSourceConnectionSerializer(UserSourceConnectionSerializer):
     class Meta(UserSourceConnectionSerializer.Meta):
         model = UserOAuthSourceConnection
-        fields = UserSourceConnectionSerializer.Meta.fields + ["access_token"]
+        fields = UserSourceConnectionSerializer.Meta.fields + ["access_token", "expires"]
         extra_kwargs = {
             **UserSourceConnectionSerializer.Meta.extra_kwargs,
             "access_token": {"write_only": True},

authentik/sources/oauth/clients/oauth2.py

@@ -59,13 +59,15 @@ class OAuth2Client(BaseOAuthClient):
         """Get client secret"""
         return self.source.consumer_secret
 
-    def get_access_token_args(self, callback: str, code: str) -> dict[str, Any]:
+    def get_access_token_args(self, callback: str | None, code: str | None) -> dict[str, Any]:
         args = {
-            "redirect_uri": callback,
-            "code": code,
             "grant_type": "authorization_code",
         }
-        if SESSION_KEY_OAUTH_PKCE in self.request.session:
+        if callback:
+            args["redirect_uri"] = callback
+        if code:
+            args["code"] = code
+        if self.request and SESSION_KEY_OAUTH_PKCE in self.request.session:
             args["code_verifier"] = self.request.session[SESSION_KEY_OAUTH_PKCE]
         if (
             self.source.source_type.authorization_code_auth_method

authentik/sources/oauth/migrations/0011_useroauthsourceconnection_expires.py

@@ -0,0 +1,19 @@
+# Generated by Django 5.1.12 on 2025-09-21 17:01
+
+import django.utils.timezone
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_sources_oauth", "0010_oauthsource_authorization_code_auth_method"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="useroauthsourceconnection",
+            name="expires",
+            field=models.DateTimeField(default=django.utils.timezone.now),
+        ),
+    ]

authentik/sources/oauth/models.py

@@ -5,6 +5,7 @@ from typing import TYPE_CHECKING
 from django.db import models
 from django.http.request import HttpRequest
 from django.urls import reverse
+from django.utils.timezone import now
 from django.utils.translation import gettext_lazy as _
 from rest_framework.serializers import Serializer
 
@@ -311,6 +312,11 @@ class UserOAuthSourceConnection(UserSourceConnection):
     """Authorized remote OAuth provider."""
 
     access_token = models.TextField(blank=True, null=True, default=None)
+    expires = models.DateTimeField(default=now)
+
+    @property
+    def is_valid(self):
+        return self.expires > now()
 
     @property
     def serializer(self) -> type[Serializer]:

authentik/sources/oauth/types/entra_id.py

@@ -96,7 +96,11 @@ class EntraIDType(SourceType):
         }
 
     def get_base_group_properties(self, source, group_id, **kwargs):
-        raw_group = kwargs["info"]["raw_groups"][group_id]
+        raw_groups = kwargs["info"]["raw_groups"]
+        if group_id in raw_groups:
+            name = raw_groups[group_id]["displayName"]
+        else:
+            name = group_id
         return {
-            "name": raw_group["displayName"],
+            "name": name,
         }

authentik/sources/oauth/views/callback.py

@@ -1,5 +1,6 @@
 """OAuth Callback Views"""
 
+from datetime import timedelta
 from json import JSONDecodeError
 from typing import Any
 
@@ -7,6 +8,7 @@ from django.conf import settings
 from django.contrib import messages
 from django.http import Http404, HttpRequest, HttpResponse
 from django.shortcuts import redirect
+from django.utils.timezone import now
 from django.utils.translation import gettext as _
 from django.views.generic import View
 from structlog.stdlib import get_logger
@@ -77,6 +79,7 @@ class OAuthCallback(OAuthClientMixin, View):
         return sfm.get_flow(
             raw_info=raw_info,
             access_token=self.token.get("access_token"),
+            expires=self.token.get("expires_in"),
         )
 
     def get_callback_url(self, source: OAuthSource) -> str:
@@ -119,8 +122,10 @@ class OAuthSourceFlowManager(SourceFlowManager):
         self,
         connection: UserOAuthSourceConnection,
         access_token: str | None = None,
+        expires_in: int | None = None,
         **_,
     ) -> UserOAuthSourceConnection:
         """Set the access_token on the connection"""
         connection.access_token = access_token
+        connection.expires = now() + timedelta(seconds=expires_in) if expires_in else now()
         return connection

authentik/sources/saml/exceptions.py

@@ -6,22 +6,39 @@ from authentik.lib.sentry import SentryIgnoredException
 class SAMLException(SentryIgnoredException):
     """Base SAML Exception"""
 
+    default_message = "An unspecified SAML error occurred."
+
+    def __str__(self):
+        if self.args:
+            return super().__str__()
+        return self.default_message
+
 
 class MissingSAMLResponse(SAMLException):
     """Exception raised when request does not contain SAML Response."""
 
+    default_message = "Request does not contain a SAML response."
+
 
 class UnsupportedNameIDFormat(SAMLException):
     """Exception raised when SAML Response contains NameID Format not supported."""
 
+    default_message = "The NameID Format in the SAML Response is not supported."
+
 
 class MismatchedRequestID(SAMLException):
     """Exception raised when the returned request ID doesn't match the saved ID."""
 
+    default_message = "The SAML Response ID does not match the original request ID."
+
 
 class InvalidEncryption(SAMLException):
-    """Encryption of XML Object is either missing or invalid"""
+    """Encryption of XML Object is either missing or invalid."""
+
+    default_message = "The encryption of the SAML object is either missing or invalid."
 
 
 class InvalidSignature(SAMLException):
-    """Signature of XML Object is either missing or invalid"""
+    """Signature of XML Object is either missing or invalid."""
+
+    default_message = "The signature of the SAML object is either missing or invalid."

authentik/stages/authenticator/util.py

@@ -2,7 +2,7 @@
 
 import random
 import string
-from binascii import unhexlify
+from binascii import Error, unhexlify
 from os import urandom
 
 from django.core.exceptions import ValidationError
@@ -42,7 +42,7 @@ def hex_validator(length=0):
                 value = value.encode()
 
             unhexlify(value)
-        except Exception:
+        except Error:
             raise ValidationError(f"{value} is not valid hex-encoded data.") from None
 
         if (length > 0) and (len(value) != length * 2):

authentik/stages/authenticator_duo/migrations/0007_alter_authenticatorduostage_friendly_name.py

@@ -0,0 +1,22 @@
+# Generated by Django 5.1.12 on 2025-09-08 19:43
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        (
+            "authentik_stages_authenticator_duo",
+            "0006_duodevice_created_duodevice_last_updated_and_more",
+        ),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="authenticatorduostage",
+            name="friendly_name",
+            field=models.TextField(blank=True, default=""),
+            preserve_default=False,
+        ),
+    ]

authentik/stages/authenticator_email/migrations/0002_alter_authenticatoremailstage_friendly_name.py

@@ -0,0 +1,19 @@
+# Generated by Django 5.1.12 on 2025-09-08 19:43
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_stages_authenticator_email", "0001_initial"),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="authenticatoremailstage",
+            name="friendly_name",
+            field=models.TextField(blank=True, default=""),
+            preserve_default=False,
+        ),
+    ]

authentik/stages/authenticator_email/stage.py

@@ -142,6 +142,11 @@ class AuthenticatorEmailStageView(ChallengeStageView):
         user = self.get_pending_user()
 
         stage: AuthenticatorEmailStage = self.executor.current_stage
+        # For the moment we only allow one email device per user
+        if EmailDevice.objects.filter(Q(user=user), stage=stage.pk).exists():
+            return self.executor.stage_invalid(
+                _("The user already has an email address registered for MFA.")
+            )
         if SESSION_KEY_EMAIL_DEVICE not in self.request.session:
             device = EmailDevice(user=user, confirmed=False, stage=stage, name="Email Device")
             valid_secs: int = timedelta_from_string(stage.token_expiry).total_seconds()

authentik/stages/authenticator_email/tests.py

@@ -108,6 +108,17 @@ class TestAuthenticatorEmailStage(FlowTestCase):
     )
     def test_stage_submit(self):
         """Test stage email submission"""
+        # test fail because of existing device
+        response = self.client.get(
+            reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug}),
+        )
+        self.assertStageResponse(
+            response,
+            self.flow,
+            self.user,
+            component="ak-stage-access-denied",
+        )
+        self.device.delete()
         # Initialize the flow
         response = self.client.get(
             reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug}),
@@ -232,6 +243,7 @@ class TestAuthenticatorEmailStage(FlowTestCase):
     def test_challenge_generation(self):
         """Test challenge generation"""
         # Test with masked email
+        self.device.delete()
         response = self.client.get(
             reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug}),
         )

authentik/stages/authenticator_sms/migrations/0008_alter_authenticatorsmsstage_friendly_name.py

@@ -0,0 +1,22 @@
+# Generated by Django 5.1.12 on 2025-09-08 19:43
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        (
+            "authentik_stages_authenticator_sms",
+            "0007_smsdevice_created_smsdevice_last_updated_and_more",
+        ),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="authenticatorsmsstage",
+            name="friendly_name",
+            field=models.TextField(blank=True, default=""),
+            preserve_default=False,
+        ),
+    ]

authentik/stages/authenticator_static/migrations/0011_alter_authenticatorstaticstage_friendly_name.py

@@ -0,0 +1,22 @@
+# Generated by Django 5.1.12 on 2025-09-08 19:43
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        (
+            "authentik_stages_authenticator_static",
+            "0010_staticdevice_created_staticdevice_last_updated_and_more",
+        ),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="authenticatorstaticstage",
+            name="friendly_name",
+            field=models.TextField(blank=True, default=""),
+            preserve_default=False,
+        ),
+    ]

authentik/stages/authenticator_totp/migrations/0012_alter_authenticatortotpstage_friendly_name.py

@@ -0,0 +1,22 @@
+# Generated by Django 5.1.12 on 2025-09-08 19:43
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        (
+            "authentik_stages_authenticator_totp",
+            "0011_totpdevice_created_totpdevice_last_updated_and_more",
+        ),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="authenticatortotpstage",
+            name="friendly_name",
+            field=models.TextField(blank=True, default=""),
+            preserve_default=False,
+        ),
+    ]

authentik/stages/authenticator_webauthn/mds/aaguid.json

@@ -161,5 +161,10 @@
         "name": "Microsoft Password Manager",
         "icon_dark": "data:image/svg+xml;base64,PHN2ZyB3aWR0aD0iMzIiIGhlaWdodD0iMzIiIHZpZXdCb3g9IjAgMCAzMiAzMiIgZmlsbD0ibm9uZSIgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIj4KPHBhdGggZD0iTTE1IDIzVjI0QzE1IDI0LjU1MjMgMTQuNTUyMyAyNSAxNCAyNUgxMlYyNkMxMiAyNy4xMDQ2IDExLjEwNDYgMjggMTAgMjhINkM0Ljg5NTQzIDI4IDQgMjcuMTA0NiA0IDI2VjIzLjQxNDJDNCAyMi44ODM4IDQuMjEwNzEgMjIuMzc1MSA0LjU4NTc5IDIyTDEyLjMyNDQgMTQuMjYxNEMxMi4xMTMxIDEzLjU0MzQgMTIgMTIuNzg0MiAxMiAxMkMxMiA3LjU4MTcyIDE1LjU4MTcgNCAyMCA0QzI0LjQxODMgNCAyOCA3LjU4MTcyIDI4IDEyQzI4IDE2LjQxODMgMjQuNDE4MyAyMCAyMCAyMEgxOFYyMkMxOCAyMi41NTIzIDE3LjU1MjMgMjMgMTcgMjNIMTVaTTIyIDEyQzIzLjEwNDYgMTIgMjQgMTEuMTA0NiAyNCAxMEMyNCA4Ljg5NTQzIDIzLjEwNDYgOCAyMiA4QzIwLjg5NTQgOCAyMCA4Ljg5NTQzIDIwIDEwQzIwIDExLjEwNDYgMjAuODk1NCAxMiAyMiAxMloiIGZpbGw9InVybCgjcGFpbnQwX2xpbmVhcl8zMl8xMzcpIi8+CjxwYXRoIGQ9Ik0yNS40MDA0IDYuMDk4NjNDMjYuOTk3OCA3LjU2MTI2IDI4IDkuNjYzNDEgMjggMTJDMjggMTYuNDE4MyAyNC40MTgzIDIwIDIwIDIwSDE4VjIyQzE4IDIyLjU1MjMgMTcuNTUyMyAyMyAxNyAyM0gxNVYyNEMxNSAyNC41NTIzIDE0LjU1MjMgMjUgMTQgMjVIMTJWMjZDMTIgMjcuMTA0NiAxMS4xMDQ2IDI4IDEwIDI4SDZDNS4zMTk2IDI4IDQuNzIwNjYgMjcuNjU4OCA0LjM1OTM4IDI3LjEzOTZMMjAuMzU4NCAxMS4xMzk2QzIwLjcxOTYgMTEuNjU5IDIxLjMxOTQgMTIgMjIgMTJDMjMuMTA0NiAxMiAyNCAxMS4xMDQ2IDI0IDEwQzI0IDkuMzE5NCAyMy42NTkgOC43MTk2NSAyMy4xMzk2IDguMzU4NEwyNS40MDA0IDYuMDk4NjNaIiBmaWxsPSJ1cmwoI3BhaW50MV9yYWRpYWxfMzJfMTM3KSIvPgo8ZGVmcz4KPGxpbmVhckdyYWRpZW50IGlkPSJwYWludDBfbGluZWFyXzMyXzEzNyIgeDE9IjkuMzMzMzMiIHkxPSI4IiB4Mj0iMjYuNjY2NyIgeTI9IjI0IiBncmFkaWVudFVuaXRzPSJ1c2VyU3BhY2VPblVzZSI+CjxzdG9wIHN0b3AtY29sb3I9IiMyOUMzRkYiLz4KPHN0b3Agb2Zmc2V0PSIxIiBzdG9wLWNvbG9yPSIjMjA1MkNCIi8+CjwvbGluZWFyR3JhZGllbnQ+CjxyYWRpYWxHcmFkaWVudCBpZD0icGFpbnQxX3JhZGlhbF8zMl8xMzciIGN4PSIwIiBjeT0iMCIgcj0iMSIgZ3JhZGllbnRVbml0cz0idXNlclNwYWNlT25Vc2UiIGdyYWRpZW50VHJhbnNmb3JtPSJ0cmFuc2xhdGUoNC44Njc3OCAyMC44ODI2KSByb3RhdGUoNTEuNzkwMSkgc2NhbGUoMTcuMjE1NyAxOC41MDAxKSI+CjxzdG9wIHN0b3AtY29sb3I9IiMyMzZGRDkiLz4KPHN0b3Agb2Zmc2V0PSIwLjc2Nzc4MiIgc3RvcC1jb2xvcj0iIzIzNkZEOSIgc3RvcC1vcGFjaXR5PSIwIi8+CjwvcmFkaWFsR3JhZGllbnQ+CjwvZGVmcz4KPC9zdmc+Cg==",
         "icon_light": "data:image/svg+xml;base64,PHN2ZyB3aWR0aD0iMzIiIGhlaWdodD0iMzIiIHZpZXdCb3g9IjAgMCAzMiAzMiIgZmlsbD0ibm9uZSIgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIj4KPHBhdGggZD0iTTE1IDIzVjI0QzE1IDI0LjU1MjMgMTQuNTUyMyAyNSAxNCAyNUgxMlYyNkMxMiAyNy4xMDQ2IDExLjEwNDYgMjggMTAgMjhINkM0Ljg5NTQzIDI4IDQgMjcuMTA0NiA0IDI2VjIzLjQxNDJDNCAyMi44ODM4IDQuMjEwNzEgMjIuMzc1MSA0LjU4NTc5IDIyTDEyLjMyNDQgMTQuMjYxNEMxMi4xMTMxIDEzLjU0MzQgMTIgMTIuNzg0MiAxMiAxMkMxMiA3LjU4MTcyIDE1LjU4MTcgNCAyMCA0QzI0LjQxODMgNCAyOCA3LjU4MTcyIDI4IDEyQzI4IDE2LjQxODMgMjQuNDE4MyAyMCAyMCAyMEgxOFYyMkMxOCAyMi41NTIzIDE3LjU1MjMgMjMgMTcgMjNIMTVaTTIyIDEyQzIzLjEwNDYgMTIgMjQgMTEuMTA0NiAyNCAxMEMyNCA4Ljg5NTQzIDIzLjEwNDYgOCAyMiA4QzIwLjg5NTQgOCAyMCA4Ljg5NTQzIDIwIDEwQzIwIDExLjEwNDYgMjAuODk1NCAxMiAyMiAxMloiIGZpbGw9InVybCgjcGFpbnQwX2xpbmVhcl8zMl8xMzcpIi8+CjxwYXRoIGQ9Ik0yNS40MDA0IDYuMDk4NjNDMjYuOTk3OCA3LjU2MTI2IDI4IDkuNjYzNDEgMjggMTJDMjggMTYuNDE4MyAyNC40MTgzIDIwIDIwIDIwSDE4VjIyQzE4IDIyLjU1MjMgMTcuNTUyMyAyMyAxNyAyM0gxNVYyNEMxNSAyNC41NTIzIDE0LjU1MjMgMjUgMTQgMjVIMTJWMjZDMTIgMjcuMTA0NiAxMS4xMDQ2IDI4IDEwIDI4SDZDNS4zMTk2IDI4IDQuNzIwNjYgMjcuNjU4OCA0LjM1OTM4IDI3LjEzOTZMMjAuMzU4NCAxMS4xMzk2QzIwLjcxOTYgMTEuNjU5IDIxLjMxOTQgMTIgMjIgMTJDMjMuMTA0NiAxMiAyNCAxMS4xMDQ2IDI0IDEwQzI0IDkuMzE5NCAyMy42NTkgOC43MTk2NSAyMy4xMzk2IDguMzU4NEwyNS40MDA0IDYuMDk4NjNaIiBmaWxsPSJ1cmwoI3BhaW50MV9yYWRpYWxfMzJfMTM3KSIvPgo8ZGVmcz4KPGxpbmVhckdyYWRpZW50IGlkPSJwYWludDBfbGluZWFyXzMyXzEzNyIgeDE9IjkuMzMzMzMiIHkxPSI4IiB4Mj0iMjYuNjY2NyIgeTI9IjI0IiBncmFkaWVudFVuaXRzPSJ1c2VyU3BhY2VPblVzZSI+CjxzdG9wIHN0b3AtY29sb3I9IiMyOUMzRkYiLz4KPHN0b3Agb2Zmc2V0PSIxIiBzdG9wLWNvbG9yPSIjMjA1MkNCIi8+CjwvbGluZWFyR3JhZGllbnQ+CjxyYWRpYWxHcmFkaWVudCBpZD0icGFpbnQxX3JhZGlhbF8zMl8xMzciIGN4PSIwIiBjeT0iMCIgcj0iMSIgZ3JhZGllbnRVbml0cz0idXNlclNwYWNlT25Vc2UiIGdyYWRpZW50VHJhbnNmb3JtPSJ0cmFuc2xhdGUoNC44Njc3OCAyMC44ODI2KSByb3RhdGUoNTEuNzkwMSkgc2NhbGUoMTcuMjE1NyAxOC41MDAxKSI+CjxzdG9wIHN0b3AtY29sb3I9IiMyMzZGRDkiLz4KPHN0b3Agb2Zmc2V0PSIwLjc2Nzc4MiIgc3RvcC1jb2xvcj0iIzIzNkZEOSIgc3RvcC1vcGFjaXR5PSIwIi8+CjwvcmFkaWFsR3JhZGllbnQ+CjwvZGVmcz4KPC9zdmc+Cg=="
+    },
+    "6d212b28-a2c1-4638-b375-5932070f62e9": {
+        "name": "initial",
+        "icon_dark": "data:image/svg+xml;base64,PHN2ZyB3aWR0aD0iMTAyNCIgaGVpZ2h0PSIxMDI0IiB2aWV3Qm94PSIwIDAgMTAyNCAxMDI0IiBmaWxsPSJub25lIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPgo8cmVjdCB3aWR0aD0iMTAyNCIgaGVpZ2h0PSIxMDI0IiBmaWxsPSIjNTc3RkZGIi8+CjxwYXRoIGQ9Ik01MTIgMzk2QzU1Ni43MzUgMzk2IDU5MyAzNTkuNzM1IDU5MyAzMTVDNTkzIDI3MC4yNjUgNTU2LjczNSAyMzQgNTEyIDIzNEM0NjcuMjY1IDIzNCA0MzEgMjcwLjI2NSA0MzEgMzE1QzQzMSAzNTkuNzM1IDQ2Ny4yNjUgMzk2IDUxMiAzOTZaIiBzdHJva2U9IndoaXRlIiBzdHJva2Utd2lkdGg9IjE2Ii8+CjxwYXRoIGQ9Ik01OTAgNDU4SDQzNFY3OThINTkwVjQ1OFoiIGZpbGw9IndoaXRlIi8+Cjwvc3ZnPgo=",
+        "icon_light": "data:image/svg+xml;base64,PHN2ZyB3aWR0aD0iMTAyNCIgaGVpZ2h0PSIxMDI0IiB2aWV3Qm94PSIwIDAgMTAyNCAxMDI0IiBmaWxsPSJub25lIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPgo8cmVjdCB3aWR0aD0iMTAyNCIgaGVpZ2h0PSIxMDI0IiBmaWxsPSIjNTc3RkZGIi8+CjxwYXRoIGQ9Ik01MTIgMzk2QzU1Ni43MzUgMzk2IDU5MyAzNTkuNzM1IDU5MyAzMTVDNTkzIDI3MC4yNjUgNTU2LjczNSAyMzQgNTEyIDIzNEM0NjcuMjY1IDIzNCA0MzEgMjcwLjI2NSA0MzEgMzE1QzQzMSAzNTkuNzM1IDQ2Ny4yNjUgMzk2IDUxMiAzOTZaIiBzdHJva2U9IndoaXRlIiBzdHJva2Utd2lkdGg9IjE2Ii8+CjxwYXRoIGQ9Ik01OTAgNDU4SDQzNFY3OThINTkwVjQ1OFoiIGZpbGw9IndoaXRlIi8+Cjwvc3ZnPgo="
     }
 }

authentik/stages/authenticator_webauthn/migrations/0014_alter_authenticatorwebauthnstage_friendly_name.py

@@ -0,0 +1,19 @@
+# Generated by Django 5.1.12 on 2025-09-08 19:43
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_stages_authenticator_webauthn", "0013_authenticatorwebauthnstage_max_attempts"),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="authenticatorwebauthnstage",
+            name="friendly_name",
+            field=models.TextField(blank=True, default=""),
+            preserve_default=False,
+        ),
+    ]

authentik/stages/identification/signals.py

@@ -1,6 +1,6 @@
 """authentik identification signals"""
 
-from django.core.signals import Signal
+from django.dispatch import Signal
 
 # Arguments: request: HttpRequest, uid_field: Value entered by user
 identification_failed = Signal()

authentik/stages/identification/stage.py

@@ -140,7 +140,7 @@ class IdentificationChallengeResponse(ChallengeResponse):
             # when `pretend` is enabled, continue regardless
             if current_stage.pretend_user_exists and not current_stage.password_stage:
                 return attrs
-            raise ValidationError("Failed to authenticate.")
+            raise ValidationError(_("Failed to authenticate."))
         self.pre_user = pre_user
 
         # Captcha check
@@ -171,7 +171,7 @@ class IdentificationChallengeResponse(ChallengeResponse):
                     password=password,
                 )
             if not user:
-                raise ValidationError("Failed to authenticate.")
+                raise ValidationError(_("Failed to authenticate."))
             self.pre_user = user
         except PermissionDenied as exc:
             raise ValidationError(str(exc)) from exc

authentik/stages/invitation/signals.py

@@ -1,6 +1,6 @@
 """authentik invitation signals"""
 
-from django.core.signals import Signal
+from django.dispatch import Signal
 
 # Arguments: request: HttpRequest, invitation: Invitation
 invitation_used = Signal()

authentik/stages/prompt/signals.py

@@ -1,6 +1,6 @@
 """authentik prompt stage signals"""
 
-from django.core.signals import Signal
+from django.dispatch import Signal
 
 # Arguments: password: str, plan_context: dict[str, Any]
 password_validate = Signal()

authentik/stages/user_write/signals.py

@@ -1,6 +1,6 @@
 """authentik user_write signals"""
 
-from django.core.signals import Signal
+from django.dispatch import Signal
 
 # Arguments: request: HttpRequest, user: User, data: dict[str, Any], created: bool
 user_write = Signal()

blueprints/example/sources-google-ldap-mappings.yaml

@@ -215,7 +215,7 @@ entries:
       expression: |
         return {
           "attributes": {
-            "homeDirectoy": ldap.get("homeDirectory"),
+            "homeDirectory": ldap.get("homeDirectory"),
           },
         }
   - identifiers:

blueprints/schema.json

@@ -3616,46 +3616,6 @@
                         }
                     }
                 },
-                {
-                    "type": "object",
-                    "required": [
-                        "model",
-                        "identifiers"
-                    ],
-                    "properties": {
-                        "model": {
-                            "const": "authentik_stages_consent.userconsent"
-                        },
-                        "id": {
-                            "type": "string"
-                        },
-                        "state": {
-                            "type": "string",
-                            "enum": [
-                                "absent",
-                                "created",
-                                "must_created",
-                                "present"
-                            ],
-                            "default": "present"
-                        },
-                        "conditions": {
-                            "type": "array",
-                            "items": {
-                                "type": "boolean"
-                            }
-                        },
-                        "permissions": {
-                            "$ref": "#/$defs/model_authentik_stages_consent.userconsent_permissions"
-                        },
-                        "attrs": {
-                            "$ref": "#/$defs/model_authentik_stages_consent.userconsent"
-                        },
-                        "identifiers": {
-                            "$ref": "#/$defs/model_authentik_stages_consent.userconsent"
-                        }
-                    }
-                },
                 {
                     "type": "object",
                     "required": [
@@ -6118,11 +6078,7 @@
                     "description": "Flow used by an authenticated user to configure this Stage. If empty, user will not be able to configure this stage."
                 },
                 "friendly_name": {
-                    "type": [
-                        "string",
-                        "null"
-                    ],
-                    "minLength": 1,
+                    "type": "string",
                     "title": "Friendly name"
                 },
                 "credentials": {
@@ -7409,6 +7365,8 @@
                         "authentik.enterprise.policies.unique_password",
                         "authentik.enterprise.providers.google_workspace",
                         "authentik.enterprise.providers.microsoft_entra",
+                        "authentik.enterprise.providers.radius",
+                        "authentik.enterprise.providers.scim",
                         "authentik.enterprise.providers.ssf",
                         "authentik.enterprise.search",
                         "authentik.enterprise.stages.authenticator_endpoint_gdtc",
@@ -7503,7 +7461,6 @@
                         "authentik_stages_authenticator_webauthn.webauthndevice",
                         "authentik_stages_captcha.captchastage",
                         "authentik_stages_consent.consentstage",
-                        "authentik_stages_consent.userconsent",
                         "authentik_stages_deny.denystage",
                         "authentik_stages_dummy.dummystage",
                         "authentik_stages_email.emailstage",
@@ -9022,6 +8979,11 @@
                     "type": "boolean",
                     "title": "MFA Support",
                     "description": "When enabled, code-based multi-factor authentication can be used by appending a semicolon and the TOTP code to the password. This should only be enabled if all users that will bind to this provider have a TOTP device configured, as otherwise a password may incorrectly be rejected if it contains a semicolon."
+                },
+                "certificate": {
+                    "type": "string",
+                    "format": "uuid",
+                    "title": "Certificate"
                 }
             },
             "required": []
@@ -9439,10 +9401,28 @@
                 },
                 "token": {
                     "type": "string",
-                    "minLength": 1,
                     "title": "Token",
                     "description": "Authentication token"
                 },
+                "auth_mode": {
+                    "type": "string",
+                    "enum": [
+                        "token",
+                        "oauth"
+                    ],
+                    "title": "Auth mode"
+                },
+                "auth_oauth": {
+                    "type": "integer",
+                    "title": "Auth oauth",
+                    "description": "OAuth Source used for authentication"
+                },
+                "auth_oauth_params": {
+                    "type": "object",
+                    "additionalProperties": true,
+                    "title": "Auth oauth params",
+                    "description": "Additional OAuth parameters, such as grant_type"
+                },
                 "compatibility_mode": {
                     "type": "string",
                     "enum": [
@@ -11234,6 +11214,11 @@
                     ],
                     "title": "Access token"
                 },
+                "expires": {
+                    "type": "string",
+                    "format": "date-time",
+                    "title": "Expires"
+                },
                 "icon": {
                     "type": "string",
                     "minLength": 1,
@@ -12165,11 +12150,7 @@
                     "description": "Flow used by an authenticated user to configure this Stage. If empty, user will not be able to configure this stage."
                 },
                 "friendly_name": {
-                    "type": [
-                        "string",
-                        "null"
-                    ],
-                    "minLength": 1,
+                    "type": "string",
                     "title": "Friendly name"
                 },
                 "client_id": {
@@ -12360,11 +12341,7 @@
                     "description": "Flow used by an authenticated user to configure this Stage. If empty, user will not be able to configure this stage."
                 },
                 "friendly_name": {
-                    "type": [
-                        "string",
-                        "null"
-                    ],
-                    "minLength": 1,
+                    "type": "string",
                     "title": "Friendly name"
                 },
                 "use_global_settings": {
@@ -12593,11 +12570,7 @@
                     "description": "Flow used by an authenticated user to configure this Stage. If empty, user will not be able to configure this stage."
                 },
                 "friendly_name": {
-                    "type": [
-                        "string",
-                        "null"
-                    ],
-                    "minLength": 1,
+                    "type": "string",
                     "title": "Friendly name"
                 },
                 "provider": {
@@ -12810,11 +12783,7 @@
                     "description": "Flow used by an authenticated user to configure this Stage. If empty, user will not be able to configure this stage."
                 },
                 "friendly_name": {
-                    "type": [
-                        "string",
-                        "null"
-                    ],
-                    "minLength": 1,
+                    "type": "string",
                     "title": "Friendly name"
                 },
                 "token_count": {
@@ -12994,11 +12963,7 @@
                     "description": "Flow used by an authenticated user to configure this Stage. If empty, user will not be able to configure this stage."
                 },
                 "friendly_name": {
-                    "type": [
-                        "string",
-                        "null"
-                    ],
-                    "minLength": 1,
+                    "type": "string",
                     "title": "Friendly name"
                 },
                 "digits": {
@@ -13353,11 +13318,7 @@
                     "description": "Flow used by an authenticated user to configure this Stage. If empty, user will not be able to configure this stage."
                 },
                 "friendly_name": {
-                    "type": [
-                        "string",
-                        "null"
-                    ],
-                    "minLength": 1,
+                    "type": "string",
                     "title": "Friendly name"
                 },
                 "user_verification": {
@@ -13763,187 +13724,6 @@
                 }
             }
         },
-        "model_authentik_stages_consent.userconsent": {
-            "type": "object",
-            "properties": {
-                "expires": {
-                    "type": [
-                        "string",
-                        "null"
-                    ],
-                    "format": "date-time",
-                    "title": "Expires"
-                },
-                "expiring": {
-                    "type": "boolean",
-                    "title": "Expiring"
-                },
-                "user": {
-                    "type": "object",
-                    "properties": {
-                        "username": {
-                            "type": "string",
-                            "maxLength": 150,
-                            "minLength": 1,
-                            "title": "Username"
-                        },
-                        "name": {
-                            "type": "string",
-                            "title": "Name",
-                            "description": "User's display name."
-                        },
-                        "is_active": {
-                            "type": "boolean",
-                            "title": "Active",
-                            "description": "Designates whether this user should be treated as active. Unselect this instead of deleting accounts."
-                        },
-                        "last_login": {
-                            "type": [
-                                "string",
-                                "null"
-                            ],
-                            "format": "date-time",
-                            "title": "Last login"
-                        },
-                        "groups": {
-                            "type": "array",
-                            "items": {
-                                "type": "string",
-                                "format": "uuid"
-                            },
-                            "title": "Groups"
-                        },
-                        "email": {
-                            "type": "string",
-                            "format": "email",
-                            "maxLength": 254,
-                            "title": "Email address"
-                        },
-                        "attributes": {
-                            "type": "object",
-                            "additionalProperties": true,
-                            "title": "Attributes"
-                        },
-                        "path": {
-                            "type": "string",
-                            "minLength": 1,
-                            "title": "Path"
-                        },
-                        "type": {
-                            "type": "string",
-                            "enum": [
-                                "internal",
-                                "external",
-                                "service_account",
-                                "internal_service_account"
-                            ],
-                            "title": "Type"
-                        }
-                    },
-                    "required": [
-                        "username",
-                        "name"
-                    ],
-                    "title": "User"
-                },
-                "application": {
-                    "type": "object",
-                    "properties": {
-                        "name": {
-                            "type": "string",
-                            "minLength": 1,
-                            "title": "Name",
-                            "description": "Application's display Name."
-                        },
-                        "slug": {
-                            "type": "string",
-                            "maxLength": 50,
-                            "minLength": 1,
-                            "pattern": "^[-a-zA-Z0-9_]+$",
-                            "title": "Slug",
-                            "description": "Internal application name, used in URLs."
-                        },
-                        "provider": {
-                            "type": "integer",
-                            "title": "Provider"
-                        },
-                        "backchannel_providers": {
-                            "type": "array",
-                            "items": {
-                                "type": "integer"
-                            },
-                            "title": "Backchannel providers"
-                        },
-                        "open_in_new_tab": {
-                            "type": "boolean",
-                            "title": "Open in new tab",
-                            "description": "Open launch URL in a new browser tab or window."
-                        },
-                        "meta_launch_url": {
-                            "type": "string",
-                            "title": "Meta launch url"
-                        },
-                        "meta_description": {
-                            "type": "string",
-                            "title": "Meta description"
-                        },
-                        "meta_publisher": {
-                            "type": "string",
-                            "title": "Meta publisher"
-                        },
-                        "policy_engine_mode": {
-                            "type": "string",
-                            "enum": [
-                                "all",
-                                "any"
-                            ],
-                            "title": "Policy engine mode"
-                        },
-                        "group": {
-                            "type": "string",
-                            "title": "Group"
-                        }
-                    },
-                    "required": [
-                        "name",
-                        "slug"
-                    ],
-                    "title": "Application"
-                },
-                "permissions": {
-                    "type": "string",
-                    "minLength": 1,
-                    "title": "Permissions"
-                }
-            },
-            "required": []
-        },
-        "model_authentik_stages_consent.userconsent_permissions": {
-            "type": "array",
-            "items": {
-                "type": "object",
-                "required": [
-                    "permission"
-                ],
-                "properties": {
-                    "permission": {
-                        "type": "string",
-                        "enum": [
-                            "add_userconsent",
-                            "change_userconsent",
-                            "delete_userconsent",
-                            "view_userconsent"
-                        ]
-                    },
-                    "user": {
-                        "type": "integer"
-                    },
-                    "role": {
-                        "type": "string"
-                    }
-                }
-            }
-        },
         "model_authentik_stages_deny.denystage": {
             "type": "object",
             "properties": {

go.mod

@@ -1,12 +1,15 @@
 module goauthentik.io
 
-go 1.24.0
+go 1.24.3
+
+toolchain go1.24.6
 
 require (
 	beryju.io/ldap v0.1.0
+	beryju.io/radius-eap v0.1.0
 	github.com/avast/retry-go/v4 v4.6.1
 	github.com/coreos/go-oidc/v3 v3.15.0
-	github.com/getsentry/sentry-go v0.35.1
+	github.com/getsentry/sentry-go v0.35.3
 	github.com/go-http-utils/etag v0.0.0-20161124023236-513ea8f21eb1
 	github.com/go-ldap/ldap/v3 v3.4.11
 	github.com/go-openapi/runtime v0.28.0
@@ -23,18 +26,18 @@ require (
 	github.com/nmcclain/asn1-ber v0.0.0-20170104154839-2661553a0484
 	github.com/pires/go-proxyproto v0.8.1
 	github.com/prometheus/client_golang v1.23.2
-	github.com/redis/go-redis/v9 v9.13.0
+	github.com/redis/go-redis/v9 v9.14.0
 	github.com/sethvargo/go-envconfig v1.3.0
 	github.com/sirupsen/logrus v1.9.3
 	github.com/spf13/cobra v1.10.1
 	github.com/stretchr/testify v1.11.1
 	github.com/wwt/guac v1.3.2
-	goauthentik.io/api/v3 v3.2025100.4
+	goauthentik.io/api/v3 v3.2025100.8
 	golang.org/x/exp v0.0.0-20230210204819-062eb4c674ab
 	golang.org/x/oauth2 v0.31.0
 	golang.org/x/sync v0.17.0
 	gopkg.in/yaml.v2 v2.4.0
-	layeh.com/radius v0.0.0-20210819152912-ad72663a72ab
+	layeh.com/radius v0.0.0-20231213012653-1006025d24f8
 )
 
 require (

go.sum

@@ -1,5 +1,7 @@
 beryju.io/ldap v0.1.0 h1:rPjGE3qR1Klbvn9N+iECWdzt/tK87XHgz8W5wZJg9B8=
 beryju.io/ldap v0.1.0/go.mod h1:sOrYV+ZlDTDu/IvIiEiuAaXzjcpMBE+XXr4V+NJ0pWI=
+beryju.io/radius-eap v0.1.0 h1:5M3HwkzH3nIEBcKDA2z5+sb4nCY3WdKL/SDDKTBvoqw=
+beryju.io/radius-eap v0.1.0/go.mod h1:yYtO59iyoLNEepdyp1gZ0i1tGdjPbrR2M/v5yOz7Fkc=
 github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8=
 github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU=
 github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa h1:LHTHcTQiSGT7VVbI0o4wBRNQIgn917usHWOd6VAffYI=
@@ -26,8 +28,8 @@ github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f h1:lO4WD4F/r
 github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f/go.mod h1:cuUVRXasLTGF7a8hSLbxyZXjz+1KgoB3wDUb6vlszIc=
 github.com/felixge/httpsnoop v1.0.3 h1:s/nj+GCswXYzN5v2DpNMuMQYe+0DDwt5WVCU6CWBdXk=
 github.com/felixge/httpsnoop v1.0.3/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
-github.com/getsentry/sentry-go v0.35.1 h1:iopow6UVLE2aXu46xKVIs8Z9D/YZkJrHkgozrxa+tOQ=
-github.com/getsentry/sentry-go v0.35.1/go.mod h1:C55omcY9ChRQIUcVcGcs+Zdy4ZpQGvNJ7JYHIoSWOtE=
+github.com/getsentry/sentry-go v0.35.3 h1:u5IJaEqZyPdWqe/hKlBKBBnMTSxB/HenCqF3QLabeds=
+github.com/getsentry/sentry-go v0.35.3/go.mod h1:mdL49ixwT2yi57k5eh7mpnDyPybixPzlzEJFu0Z76QA=
 github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667 h1:BP4M0CvQ4S3TGls2FvczZtj5Re/2ZzkV9VwqPHH/3Bo=
 github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
 github.com/go-errors/errors v1.4.2 h1:J6MZopCL4uSllY1OfXM374weqZFFItUbrImctkmUxIA=
@@ -148,8 +150,8 @@ github.com/prometheus/common v0.66.1 h1:h5E0h5/Y8niHc5DlaLlWLArTQI7tMrsfQjHV+d9Z
 github.com/prometheus/common v0.66.1/go.mod h1:gcaUsgf3KfRSwHY4dIMXLPV0K/Wg1oZ8+SbZk/HH/dA=
 github.com/prometheus/procfs v0.16.1 h1:hZ15bTNuirocR6u0JZ6BAHHmwS1p8B4P6MRqxtzMyRg=
 github.com/prometheus/procfs v0.16.1/go.mod h1:teAbpZRB1iIAJYREa1LsoWUXykVXA1KlTmWl8x/U+Is=
-github.com/redis/go-redis/v9 v9.13.0 h1:PpmlVykE0ODh8P43U0HqC+2NXHXwG+GUtQyz+MPKGRg=
-github.com/redis/go-redis/v9 v9.13.0/go.mod h1:huWgSWd8mW6+m0VPhJjSSQ+d6Nh1VICQ6Q5lHuCH/Iw=
+github.com/redis/go-redis/v9 v9.14.0 h1:u4tNCjXOyzfgeLN+vAZaW1xUooqWDqVEsZN0U01jfAE=
+github.com/redis/go-redis/v9 v9.14.0/go.mod h1:huWgSWd8mW6+m0VPhJjSSQ+d6Nh1VICQ6Q5lHuCH/Iw=
 github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M=
 github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
@@ -173,6 +175,7 @@ github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu
 github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
 github.com/wwt/guac v1.3.2 h1:sH6OFGa/1tBs7ieWBVlZe7t6F5JAOWBry/tqQL/Vup4=
 github.com/wwt/guac v1.3.2/go.mod h1:eKm+NrnK7A88l4UBEcYNpZQGMpZRryYKoz4D/0/n1C0=
+github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 go.mongodb.org/mongo-driver v1.14.0 h1:P98w8egYRjYe3XDjxhYJagTokP/H6HzlsnojRgZRd80=
 go.mongodb.org/mongo-driver v1.14.0/go.mod h1:Vzb0Mk/pa7e6cWw85R4F/endUC3u0U9jGcNU603k65c=
 go.opentelemetry.io/otel v1.24.0 h1:0LAOdjNmQeSTzGBzduGe/rU4tZhMwL5rWgtp9Ku5Jfo=
@@ -187,32 +190,61 @@ go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
 go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI=
 go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU=
-goauthentik.io/api/v3 v3.2025100.4 h1:ordAECV5Imfd2DaPMHrAWa0Au+03cBYg09T3iOcjD9w=
-goauthentik.io/api/v3 v3.2025100.4/go.mod h1:82lqAz4jxzl6Cg0YDbhNtvvTG2rm6605ZhdJFnbbsl8=
+goauthentik.io/api/v3 v3.2025100.8 h1:Uc9NYSrbUVwcAIO4XRpf1DhnZRAU+QDwHaFuI+U5nlk=
+goauthentik.io/api/v3 v3.2025100.8/go.mod h1:82lqAz4jxzl6Cg0YDbhNtvvTG2rm6605ZhdJFnbbsl8=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20200709230013-948cd5f35899/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
+golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
 golang.org/x/crypto v0.38.0 h1:jt+WWG8IZlBnVbomuhg2Mdq0+BBQaHbtqHEFEigjUV8=
 golang.org/x/crypto v0.38.0/go.mod h1:MvrbAqul58NNYPKnOra203SB9vpuZW0e+RRZV+Ggqjw=
 golang.org/x/exp v0.0.0-20230210204819-062eb4c674ab h1:628ME69lBm9C6JY2wXhAph/yjN3jezx1z7BIDLUwxjo=
 golang.org/x/exp v0.0.0-20230210204819-062eb4c674ab/go.mod h1:CxIveKay+FTh1D0yPZemJVgC/95VzuuOLq5Qi4xnoYc=
-golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
+golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
+golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
+golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
+golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
 golang.org/x/net v0.43.0 h1:lat02VYK2j4aLzMzecihNvTlJNQUq316m2Mr9rnM6YE=
 golang.org/x/net v0.43.0/go.mod h1:vhO1fvI4dGsIjh73sWfUVjj3N7CA9WkKJNQm2svM6Jg=
 golang.org/x/oauth2 v0.31.0 h1:8Fq0yVZLh4j4YA47vHKFTa9Ew5XIrCP8LC6UeNZnLxo=
 golang.org/x/oauth2 v0.31.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
+golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.17.0 h1:l60nONMj9l5drqw6jlhIELNv9I0A4OFgRsG9k2oT9Ug=
 golang.org/x/sync v0.17.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.35.0 h1:vz1N37gP5bs89s7He8XuIYXpyY0+QlsKmzipCbUtyxI=
 golang.org/x/sys v0.35.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
+golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
+golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
+golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
+golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
+golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/text v0.28.0 h1:rhazDwis8INMIwQ4tpjLDzUhx6RlXqZNPEM0huQojng=
 golang.org/x/text v0.28.0/go.mod h1:U8nCwOR8jO/marOQ0QbDiOngZVEBB7MAiitBuMjXiNU=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
+golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
+golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 google.golang.org/protobuf v1.36.8 h1:xHScyCOEuuwZEc6UtSOvPbAT4zRh0xcNRYekJwfqyMc=
 google.golang.org/protobuf v1.36.8/go.mod h1:fuxRtAxBytpl4zzqUh6/eyUujkJdNiuEkXntxiD/uRU=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
@@ -223,5 +255,5 @@ gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-layeh.com/radius v0.0.0-20210819152912-ad72663a72ab h1:05KeMI4s7jEdIfHb7QCjUr5X2BRA0gjLZLZEmmjGNc4=
-layeh.com/radius v0.0.0-20210819152912-ad72663a72ab/go.mod h1:pFWM9De99EY9TPVyHIyA56QmoRViVck/x41WFkUlc9A=
+layeh.com/radius v0.0.0-20231213012653-1006025d24f8 h1:orYXpi6BJZdvgytfHH4ybOe4wHnLbbS71Cmd8mWdZjs=
+layeh.com/radius v0.0.0-20231213012653-1006025d24f8/go.mod h1:QRf+8aRqXc019kHkpcs/CTgyWXFzf+bxlsyuo2nAl1o=

internal/outpost/flow/executor.go

@@ -94,6 +94,10 @@ func NewFlowExecutor(ctx context.Context, flowSlug string, refConfig *api.Config
 	return fe
 }
 
+func (fe *FlowExecutor) AddHeader(name string, value string) {
+	fe.api.GetConfig().AddDefaultHeader(name, value)
+}
+
 func (fe *FlowExecutor) RoundTrip(req *http.Request) (*http.Response, error) {
 	res, err := fe.transport.RoundTrip(req)
 	if res != nil {

internal/outpost/radius/api.go

@@ -7,6 +7,7 @@ import (
 	"sort"
 	"strings"
 
+	"beryju.io/radius-eap/protocol"
 	log "github.com/sirupsen/logrus"
 	"goauthentik.io/internal/outpost/ak"
 )
@@ -41,26 +42,28 @@ func (rs *RadiusServer) Refresh() error {
 	if len(apiProviders) < 1 {
 		return errors.New("no radius provider defined")
 	}
-	providers := make([]*ProviderInstance, len(apiProviders))
-	for idx, provider := range apiProviders {
+	providers := make(map[int32]*ProviderInstance)
+	for _, provider := range apiProviders {
+		existing, ok := rs.providers[provider.Pk]
+		state := map[string]*protocol.State{}
+		if ok {
+			state = existing.eapState
+		}
 		logger := log.WithField("logger", "authentik.outpost.radius").WithField("provider", provider.Name)
-		providers[idx] = &ProviderInstance{
+		providers[provider.Pk] = &ProviderInstance{
 			SharedSecret:   []byte(provider.GetSharedSecret()),
 			ClientNetworks: parseCIDRs(provider.GetClientNetworks()),
 			MFASupport:     provider.GetMfaSupport(),
 			appSlug:        provider.ApplicationSlug,
 			flowSlug:       provider.AuthFlowSlug,
+			certId:         provider.GetCertificate(),
 			providerId:     provider.Pk,
 			s:              rs,
 			log:            logger,
+			eapState:       state,
 		}
 	}
 	rs.providers = providers
 	rs.log.Info("Update providers")
 	return nil
 }
-
-func (rs *RadiusServer) StartRadiusServer() error {
-	rs.log.WithField("listen", rs.s.Addr).Info("Starting radius server")
-	return rs.s.ListenAndServe()
-}

internal/outpost/radius/handler.go

@@ -1,12 +1,9 @@
 package radius
 
 import (
-	"bytes"
-	"crypto/hmac"
-	"crypto/md5"
 	"crypto/sha512"
 	"encoding/hex"
-	"errors"
+	"net"
 	"time"
 
 	"github.com/getsentry/sentry-go"
@@ -15,68 +12,18 @@ import (
 	log "github.com/sirupsen/logrus"
 
 	"goauthentik.io/internal/outpost/radius/metrics"
-	"goauthentik.io/internal/utils"
 	"layeh.com/radius"
 	"layeh.com/radius/rfc2869"
 )
 
-var (
-	ErrInvalidMessageAuthenticator = errors.New("invalid message authenticator")
-)
-
-type RadiusRequest struct {
-	*radius.Request
-	log  *log.Entry
-	id   string
-	span *sentry.Span
-	pi   *ProviderInstance
+type LogWriter struct {
+	w radius.ResponseWriter
+	l *log.Entry
 }
 
-func (r *RadiusRequest) Log() *log.Entry {
-	return r.log
-}
-
-func (r *RadiusRequest) RemoteAddr() string {
-	return utils.GetIP(r.Request.RemoteAddr)
-}
-
-func (r *RadiusRequest) ID() string {
-	return r.id
-}
-
-func (r *RadiusRequest) validateMessageAuthenticator() error {
-	mauth := rfc2869.MessageAuthenticator_Get(r.Packet)
-	hash := hmac.New(md5.New, r.Secret)
-	encode, err := r.MarshalBinary()
-	if err != nil {
-		return err
-	}
-	hash.Write(encode)
-	if bytes.Equal(mauth, hash.Sum(nil)) {
-		return ErrInvalidMessageAuthenticator
-	}
-	return nil
-}
-
-func (r *RadiusRequest) setMessageAuthenticator(rp *radius.Packet) error {
-	_ = rfc2869.MessageAuthenticator_Set(rp, make([]byte, 16))
-	hash := hmac.New(md5.New, rp.Secret)
-	encode, err := rp.MarshalBinary()
-	if err != nil {
-		return err
-	}
-	hash.Write(encode)
-	_ = rfc2869.MessageAuthenticator_Set(rp, hash.Sum(nil))
-	return nil
-}
-
-func (r *RadiusRequest) Reject() *radius.Packet {
-	res := r.Response(radius.CodeAccessReject)
-	err := r.setMessageAuthenticator(res)
-	if err != nil {
-		r.log.WithError(err).Warning("failed to set message authenticator")
-	}
-	return res
+func (lw LogWriter) Write(packet *radius.Packet) error {
+	lw.l.WithField("code", packet.Code.String()).Info("Radius Response")
+	return lw.w.Write(packet)
 }
 
 func (rs *RadiusServer) ServeRADIUS(w radius.ResponseWriter, r *radius.Request) {
@@ -84,7 +31,17 @@ func (rs *RadiusServer) ServeRADIUS(w radius.ResponseWriter, r *radius.Request)
 		sentry.WithTransactionName("authentik.providers.radius.connect"))
 	rid := uuid.New().String()
 	span.SetTag("request_uid", rid)
-	rl := rs.log.WithField("code", r.Code.String()).WithField("request", rid)
+	host, _, err := net.SplitHostPort(r.RemoteAddr.String())
+	if err != nil {
+		rs.log.WithError(err).Warning("Failed to get remote IP")
+		return
+	}
+	rl := rs.log.WithFields(log.Fields{
+		"code":    r.Code.String(),
+		"request": rid,
+		"ip":      host,
+		"id":      r.Identifier,
+	})
 	selectedApp := ""
 	defer func() {
 		span.Finish()
@@ -130,3 +87,14 @@ func (rs *RadiusServer) ServeRADIUS(w radius.ResponseWriter, r *radius.Request)
 		rs.Handle_AccessRequest(w, nr)
 	}
 }
+
+func (rs *RadiusServer) Handle_AccessRequest(w radius.ResponseWriter, r *RadiusRequest) {
+	eap := rfc2869.EAPMessage_Get(r.Packet)
+	if len(eap) > 0 {
+		rs.log.Trace("EAP request")
+		rs.Handle_AccessRequest_EAP(w, r)
+	} else {
+		rs.log.Trace("PAP request")
+		rs.Handle_AccessRequest_PAP(w, r)
+	}
+}

internal/outpost/radius/handler_eap.go

@@ -0,0 +1,135 @@
+package radius
+
+import (
+	"context"
+	ttls "crypto/tls"
+	"crypto/x509"
+	"encoding/base64"
+	"encoding/pem"
+	"errors"
+	"net/url"
+
+	eap "beryju.io/radius-eap"
+	"beryju.io/radius-eap/protocol"
+	"beryju.io/radius-eap/protocol/identity"
+	"beryju.io/radius-eap/protocol/legacy_nak"
+	"beryju.io/radius-eap/protocol/peap"
+	"beryju.io/radius-eap/protocol/tls"
+	log "github.com/sirupsen/logrus"
+	"goauthentik.io/internal/outpost/flow"
+	"goauthentik.io/internal/utils"
+	"layeh.com/radius"
+	"layeh.com/radius/rfc2869"
+)
+
+func (rs *RadiusServer) Handle_AccessRequest_EAP(w radius.ResponseWriter, r *RadiusRequest) {
+	er := rfc2869.EAPMessage_Get(r.Packet)
+	ep, err := eap.Decode(r.pi, er)
+	if err != nil {
+		rs.log.WithError(err).Warning("failed to parse EAP packet")
+		return
+	}
+	ep.HandleRadiusPacket(w, r.Request)
+}
+
+func (pi *ProviderInstance) GetEAPState(key string) *protocol.State {
+	return pi.eapState[key]
+}
+
+func (pi *ProviderInstance) SetEAPState(key string, state *protocol.State) {
+	pi.eapState[key] = state
+}
+
+func (pi *ProviderInstance) GetEAPSettings() protocol.Settings {
+	protocols := []protocol.ProtocolConstructor{
+		identity.Protocol,
+		legacy_nak.Protocol,
+	}
+
+	certId := pi.certId
+	if certId == "" {
+		return protocol.Settings{
+			Protocols: protocols,
+		}
+	}
+
+	cert := pi.s.cryptoStore.Get(certId)
+	if cert == nil {
+		return protocol.Settings{
+			Protocols: protocols,
+		}
+	}
+
+	return protocol.Settings{
+		Logger:    &logrusAdapter{entry: pi.log},
+		Protocols: append(protocols, tls.Protocol, peap.Protocol),
+		ProtocolPriority: []protocol.Type{
+			identity.TypeIdentity,
+			tls.TypeTLS,
+		},
+		ProtocolSettings: map[protocol.Type]interface{}{
+			tls.TypeTLS: tls.Settings{
+				Config: &ttls.Config{
+					Certificates: []ttls.Certificate{*cert},
+					ClientAuth:   ttls.RequireAnyClientCert,
+				},
+				HandshakeSuccessful: func(ctx protocol.Context, certs []*x509.Certificate) protocol.Status {
+					ident := ctx.GetProtocolState(identity.TypeIdentity).(*identity.State).Identity
+
+					ctx.Log().Debug("Starting authn flow")
+					pem := pem.EncodeToMemory(&pem.Block{
+						Type:  "CERTIFICATE",
+						Bytes: certs[0].Raw,
+					})
+
+					fe := flow.NewFlowExecutor(context.Background(), pi.flowSlug, pi.s.ac.Client.GetConfig(), log.Fields{
+						"client":   utils.GetIP(ctx.Packet().RemoteAddr),
+						"identity": ident,
+					})
+					fe.Answers[flow.StageIdentification] = ident
+					fe.DelegateClientIP(utils.GetIP(ctx.Packet().RemoteAddr))
+					fe.Params.Add("goauthentik.io/outpost/radius", "true")
+					fe.AddHeader("X-Authentik-Outpost-Certificate", url.QueryEscape(string(pem)))
+
+					passed, err := fe.Execute()
+					if err != nil {
+						ctx.Log().Warn("failed to execute flow", "error", err)
+						return protocol.StatusError
+					}
+					ctx.Log().Debug("Finished flow")
+					if !passed {
+						return protocol.StatusError
+					}
+					access, _, err := fe.ApiClient().OutpostsApi.OutpostsRadiusAccessCheck(context.Background(), pi.providerId).AppSlug(pi.appSlug).Execute()
+					if err != nil {
+						ctx.Log().Warn("failed to check access: %v", err)
+						return protocol.StatusError
+					}
+					if !access.Access.Passing {
+						ctx.Log().Info("Access denied for user")
+						return protocol.StatusError
+					}
+					if access.HasAttributes() {
+						ctx.AddResponseModifier(func(r, q *radius.Packet) error {
+							rawData, err := base64.StdEncoding.DecodeString(access.GetAttributes())
+							if err != nil {
+								ctx.Log().Warn("failed to decode attributes from core: %v", err)
+								return errors.New("attribute_decode_failed")
+							}
+							p, err := radius.Parse(rawData, pi.SharedSecret)
+							if err != nil {
+								ctx.Log().Warn("failed to parse attributes from core: %v", err)
+								return errors.New("attribute_parse_failed")
+							}
+							for _, attr := range p.Attributes {
+								r.Add(attr.Type, attr.Attribute)
+							}
+							return nil
+						})
+					}
+					return protocol.StatusSuccess
+				},
+			},
+		},
+	}
+}

internal/outpost/radius/handler_eap_log.go

@@ -0,0 +1,71 @@
+package radius
+
+import (
+	"beryju.io/radius-eap/protocol"
+	"github.com/sirupsen/logrus"
+)
+
+// Fields loosely represents key value pairs that adds context to log lines. The key has to be type of string, whereas
+// value can be an arbitrary object.
+type Fields []any
+
+// Iterator returns iterator that allows iterating over pair of elements representing field.
+// If number of elements is uneven, last element won't be included will be assumed as key with empty string value.
+// If key is not string, At will panic.
+func (f Fields) Iterator() *iter {
+	// We start from -2 as we iterate over two items per iteration and first iteration will advance iterator to 0.
+	return &iter{i: -2, f: f}
+}
+
+type iter struct {
+	f Fields
+	i int
+}
+
+func (i *iter) Next() bool {
+	if i.i >= len(i.f) {
+		return false
+	}
+
+	i.i += 2
+	return i.i < len(i.f)
+}
+
+func (i *iter) At() (k string, v any) {
+	if i.i < 0 || i.i >= len(i.f) {
+		return "", ""
+	}
+
+	if i.i+1 == len(i.f) {
+		// Non even number of elements, add empty string.
+		return i.f[i.i].(string), ""
+	}
+	return i.f[i.i].(string), i.f[i.i+1]
+}
+
+type logrusAdapter struct {
+	entry *logrus.Entry
+}
+
+func (l *logrusAdapter) Debug(format string, args ...interface{}) {
+	l.entry.Debugf(format, args...)
+}
+func (l *logrusAdapter) Info(format string, args ...interface{}) {
+	l.entry.Infof(format, args...)
+}
+func (l *logrusAdapter) Warn(format string, args ...interface{}) {
+	l.entry.Warnf(format, args...)
+}
+func (l *logrusAdapter) Error(format string, args ...interface{}) {
+	l.entry.Errorf(format, args...)
+}
+func (l *logrusAdapter) With(args ...interface{}) protocol.Logger {
+	f := make(map[string]any, len(args)/2)
+	i := Fields(args).Iterator()
+	for i.Next() {
+		k, v := i.At()
+		f[k] = v
+	}
+	e := l.entry.WithFields(f)
+	return &logrusAdapter{e}
+}

internal/outpost/radius/handler_pap.go

@@ -64,7 +64,7 @@ func (rs *RadiusServer) Handle_AccessRequest_PAP_Auth(r *RadiusRequest, username
 	return res, nil
 }
 
-func (rs *RadiusServer) Handle_AccessRequest(w radius.ResponseWriter, r *RadiusRequest) {
+func (rs *RadiusServer) Handle_AccessRequest_PAP(w radius.ResponseWriter, r *RadiusRequest) {
 	username := rfc2865.UserName_GetString(r.Packet)
 	password := rfc2865.UserPassword_GetString(r.Packet)
 	res, err := rs.Handle_AccessRequest_PAP_Auth(r, username, password)