web: Tidy timestamps.

* Translate web/xliff/en.xlf in pt_BR

100% translated source file: 'web/xliff/en.xlf'
on 'pt_BR'.

* Translate web/xliff/en.xlf in pt_BR

100% translated source file: 'web/xliff/en.xlf'
on 'pt_BR'.

* Translate web/xliff/en.xlf in pt_BR

100% translated source file: 'web/xliff/en.xlf'
on 'pt_BR'.

* Translate web/xliff/en.xlf in pt_BR

100% translated source file: 'web/xliff/en.xlf'
on 'pt_BR'.

---------

Co-authored-by: transifex-integration[bot] <43880903+transifex-integration[bot]@users.noreply.github.com>

.github/actions/cherry-pick/action.yml

@@ -179,7 +179,7 @@ runs:
             fi
 
             # Create a unique branch name for the cherry-pick
-            CHERRY_PICK_BRANCH="cherry-pick-${PR_NUMBER}-to-${TARGET_BRANCH}"
+            CHERRY_PICK_BRANCH="cherry-pick/${PR_NUMBER}-to-${TARGET_BRANCH}"
 
             # Check if a cherry-pick PR already exists
             EXISTING_PR=$(gh pr list --head "$CHERRY_PICK_BRANCH" --json number --jq '.[0].number' 2>/dev/null || echo "")
@@ -201,7 +201,7 @@ runs:
               git push origin "$CHERRY_PICK_BRANCH"
 
               # Create PR for the cherry-pick
-              CHERRY_PICK_TITLE="$PR_TITLE (cherry-pick #$PR_NUMBER)"
+              CHERRY_PICK_TITLE="$PR_TITLE (cherry-pick #$PR_NUMBER to $TARGET_BRANCH)"
               CHERRY_PICK_BODY="Cherry-pick of #$PR_NUMBER to \`$TARGET_BRANCH\` branch.
 
         **Original PR:** #$PR_NUMBER
@@ -236,7 +236,7 @@ runs:
               git push origin "$CHERRY_PICK_BRANCH"
 
               # Create PR with conflict notice
-              CONFLICT_TITLE="$PR_TITLE (backport of #$PR_NUMBER)"
+              CONFLICT_TITLE="$PR_TITLE (cherry-pick #$PR_NUMBER to $TARGET_BRANCH)"
               CONFLICT_BODY="⚠️ **This cherry-pick has conflicts that require manual resolution.**
 
         Cherry-pick of #$PR_NUMBER to \`$TARGET_BRANCH\` branch.

.github/actions/docker-push-variables/push_vars.py

@@ -2,16 +2,28 @@
 
 import os
 from json import dumps
+from sys import exit as sysexit
 from time import time
 
 from authentik import authentik_version
 
+
+def must_or_fail(input: str | None, error: str) -> str:
+    if not input:
+        print(f"::error::{error}")
+        sysexit(1)
+    return input
+
+
 # Decide if we should push the image or not
 should_push = True
 if len(os.environ.get("DOCKER_USERNAME", "")) < 1:
     # Don't push if we don't have DOCKER_USERNAME, i.e. no secrets are available
     should_push = False
-if os.environ.get("GITHUB_REPOSITORY").lower() == "goauthentik/authentik-internal":
+if (
+    must_or_fail(os.environ.get("GITHUB_REPOSITORY"), "Repo required").lower()
+    == "goauthentik/authentik-internal"
+):
     # Don't push on the internal repo
     should_push = False
 
@@ -20,13 +32,16 @@ if os.environ.get("GITHUB_HEAD_REF", "") != "":
     branch_name = os.environ["GITHUB_HEAD_REF"]
 safe_branch_name = branch_name.replace("refs/heads/", "").replace("/", "-").replace("'", "-")
 
-image_names = os.getenv("IMAGE_NAME").split(",")
+image_names = must_or_fail(os.getenv("IMAGE_NAME"), "Image name required").split(",")
 image_arch = os.getenv("IMAGE_ARCH") or None
 
 is_pull_request = bool(os.getenv("PR_HEAD_SHA"))
 is_release = "dev" not in image_names[0]
 
-sha = os.environ["GITHUB_SHA"] if not is_pull_request else os.getenv("PR_HEAD_SHA")
+sha = must_or_fail(
+    os.environ["GITHUB_SHA"] if not is_pull_request else os.getenv("PR_HEAD_SHA"),
+    "could not determine SHA",
+)
 
 # 2042.1.0 or 2042.1.0-rc1
 version = authentik_version()
@@ -58,7 +73,7 @@ else:
 image_main_tag = image_tags[0].split(":")[-1]
 
 
-def get_attest_image_names(image_with_tags: list[str]):
+def get_attest_image_names(image_with_tags: list[str]) -> str:
     """Attestation only for GHCR"""
     image_tags = []
     for image_name in set(name.split(":")[0] for name in image_with_tags):
@@ -82,7 +97,6 @@ if os.getenv("RELEASE", "false").lower() == "true":
     image_build_args = [f"VERSION={os.getenv('REF')}"]
 else:
     image_build_args = [f"GIT_BUILD_HASH={sha}"]
-image_build_args = "\n".join(image_build_args)
 
 with open(os.environ["GITHUB_OUTPUT"], "a+", encoding="utf-8") as _output:
     print(f"shouldPush={str(should_push).lower()}", file=_output)
@@ -95,4 +109,4 @@ with open(os.environ["GITHUB_OUTPUT"], "a+", encoding="utf-8") as _output:
     print(f"imageMainTag={image_main_tag}", file=_output)
     print(f"imageMainName={image_tags[0]}", file=_output)
     print(f"cacheTo={cache_to}", file=_output)
-    print(f"imageBuildArgs={image_build_args}", file=_output)
+    print(f"imageBuildArgs={"\n".join(image_build_args)}", file=_output)

.github/workflows/_reusable-docker-build-single.yml

@@ -72,6 +72,13 @@ jobs:
         run: |
           mkdir -p ./gen-ts-api
           mkdir -p ./gen-go-api
+      - name: Setup node
+        if: ${{ !inputs.release }}
+        uses: actions/setup-node@v4
+        with:
+          node-version-file: web/package.json
+          cache: "npm"
+          cache-dependency-path: web/package-lock.json
       - name: generate ts client
         if: ${{ !inputs.release }}
         run: make gen-client-ts

.github/workflows/ci-main.yml

@@ -34,6 +34,7 @@ jobs:
           - codespell
           - pending-migrations
           - ruff
+          - mypy
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v5

.github/workflows/packages-npm-publish.yml

@@ -35,7 +35,7 @@ jobs:
           registry-url: "https://registry.npmjs.org"
       - name: Get changed files
         id: changed-files
-        uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c
+        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62
         with:
           files: |
             ${{ matrix.package }}/package.json

.vscode/settings.json

@@ -1,4 +1,16 @@
 {
+    "[css]": {
+        "editor.minimap.markSectionHeaderRegex": "#\\bregion\\s*(?<separator>-?)\\s*(?<label>.*)\\*/$"
+    },
+    "[makefile]": {
+        "editor.minimap.markSectionHeaderRegex": "^#{25}\n##\\s\\s*(?<separator>-?)\\s*(?<label>[^\n]*)\n#{25}$"
+    },
+    "[dockerfile]": {
+        "editor.minimap.markSectionHeaderRegex": "\\bStage\\s*\\d:(?<separator>-?)\\s*(?<label>.*)$"
+    },
+    "[jsonc]": {
+        "editor.minimap.markSectionHeaderRegex": "#\\bregion\\s*(?<separator>-?)\\s*(?<label>.*)$"
+    },
     "todo-tree.tree.showCountsInTree": true,
     "todo-tree.tree.showBadges": true,
     "yaml.customTags": [

Dockerfile

@@ -76,7 +76,7 @@ RUN --mount=type=secret,id=GEOIPUPDATE_ACCOUNT_ID \
     /bin/sh -c "GEOIPUPDATE_LICENSE_KEY_FILE=/run/secrets/GEOIPUPDATE_LICENSE_KEY /usr/bin/entry.sh || echo 'Failed to get GeoIP database, disabling'; exit 0"
 
 # Stage 4: Download uv
-FROM ghcr.io/astral-sh/uv:0.8.15 AS uv
+FROM ghcr.io/astral-sh/uv:0.8.22 AS uv
 # Stage 5: Base python image
 FROM ghcr.io/goauthentik/fips-python:3.13.7-slim-trixie-fips AS python-base
 

Makefile

@@ -193,6 +193,7 @@ gen-client-ts: gen-clean-ts  ## Build and install the authentik API for Typescri
 		--git-repo-id authentik \
 		--git-user-id goauthentik
 
+	cd ${PWD}/${GEN_API_TS} && npm i
 	cd ${PWD}/${GEN_API_TS} && npm link
 	cd ${PWD}/web && npm link @goauthentik/api
 
@@ -238,34 +239,30 @@ node-install:  ## Install the necessary libraries to build Node.js packages
 #########################
 
 web-build: node-install  ## Build the Authentik UI
-	cd web && npm run build
+	npm run --prefix web build
 
 web: web-lint-fix web-lint web-check-compile  ## Automatically fix formatting issues in the Authentik UI source code, lint the code, and compile it
 
 web-test: ## Run tests for the Authentik UI
-	cd web && npm run test
+	npm run --prefix web test
 
 web-watch:  ## Build and watch the Authentik UI for changes, updating automatically
-	rm -rf web/dist/
-	mkdir web/dist/
-	touch web/dist/.gitkeep
-	cd web && npm run watch
-
+	npm run --prefix web watch
 web-storybook-watch:  ## Build and run the storybook documentation server
-	cd web && npm run storybook
+	npm run --prefix web storybook
 
 web-lint-fix:
-	cd web && npm run prettier
+	npm run --prefix web prettier
 
 web-lint:
-	cd web && npm run lint
-	cd web && npm run lit-analyse
+	npm run --prefix web lint
+	npm run --prefix web lit-analyse
 
 web-check-compile:
-	cd web && npm run tsc
+	npm run --prefix web tsc
 
 web-i18n-extract:
-	cd web && npm run extract-locales
+	npm run --prefix web extract-locales
 
 #########################
 ## Docs
@@ -277,31 +274,31 @@ docs-install:
 	npm ci --prefix website
 
 docs-lint-fix: lint-codespell
-	npm run prettier --prefix website
+	npm run --prefix website prettier
 
 docs-build:
-	npm run build --prefix website
+	npm run --prefix website build
 
 docs-watch:  ## Build and watch the topics documentation
-	npm run start --prefix website
+	npm run --prefix website start
 
 integrations: docs-lint-fix integrations-build ## Fix formatting issues in the integrations source code, lint the code, and compile it
 
 integrations-build:
-	npm run build --prefix website -w integrations
+	npm run --prefix website -w integrations build
 
 integrations-watch:  ## Build and watch the Integrations documentation
-	npm run start --prefix website -w integrations
+	npm run --prefix website -w integrations start
 
 docs-api-build:
-	npm run build --prefix website -w api
+	npm run --prefix website -w api build
 
 docs-api-watch:  ## Build and watch the API documentation
-	npm run build:api --prefix website -w api
-	npm run start --prefix website -w api
+	npm run --prefix website -w api build:api
+	npm run --prefix website -w api start
 
 docs-api-clean: ## Clean generated API documentation
-	npm run build:api:clean --prefix website -w api
+	npm run --prefix website -w api build:api:clean
 
 #########################
 ## Docker
@@ -324,6 +321,9 @@ ci--meta-debug:
 	python -V
 	node --version
 
+ci-mypy: ci--meta-debug
+	uv run mypy --strict $(PY_SOURCES)
+
 ci-black: ci--meta-debug
 	uv run black --check $(PY_SOURCES)
 

README.md

@@ -9,7 +9,6 @@
 [![GitHub Workflow Status](https://img.shields.io/github/actions/workflow/status/goauthentik/authentik/ci-outpost.yml?branch=main&label=outpost%20build&style=for-the-badge)](https://github.com/goauthentik/authentik/actions/workflows/ci-outpost.yml)
 [![GitHub Workflow Status](https://img.shields.io/github/actions/workflow/status/goauthentik/authentik/ci-web.yml?branch=main&label=web%20build&style=for-the-badge)](https://github.com/goauthentik/authentik/actions/workflows/ci-web.yml)
 [![Code Coverage](https://img.shields.io/codecov/c/gh/goauthentik/authentik?style=for-the-badge)](https://codecov.io/gh/goauthentik/authentik)
-![Docker pulls](https://img.shields.io/docker/pulls/authentik/server.svg?style=for-the-badge)
 ![Latest version](https://img.shields.io/docker/v/authentik/server?sort=semver&style=for-the-badge)
 [![](https://img.shields.io/badge/Help%20translate-transifex-blue?style=for-the-badge)](https://www.transifex.com/authentik/authentik/)
 

authentik/api/schema.py

@@ -1,5 +1,8 @@
 """Error Response schema, from https://github.com/axnsan12/drf-yasg/issues/224"""
 
+from collections.abc import Callable
+from typing import Any
+
 from django.utils.translation import gettext_lazy as _
 from drf_spectacular.generators import SchemaGenerator
 from drf_spectacular.plumbing import (
@@ -8,6 +11,7 @@ from drf_spectacular.plumbing import (
     build_basic_type,
     build_object_type,
 )
+from drf_spectacular.renderers import OpenApiJsonRenderer
 from drf_spectacular.settings import spectacular_settings
 from drf_spectacular.types import OpenApiTypes
 from rest_framework.settings import api_settings
@@ -15,34 +19,28 @@ from rest_framework.settings import api_settings
 from authentik.api.apps import AuthentikAPIConfig
 from authentik.api.pagination import PAGINATION_COMPONENT_NAME, PAGINATION_SCHEMA
 
-
-def build_standard_type(obj, **kwargs):
-    """Build a basic type with optional add owns."""
-    schema = build_basic_type(obj)
-    schema.update(kwargs)
-    return schema
-
-
 GENERIC_ERROR = build_object_type(
     description=_("Generic API Error"),
     properties={
-        "detail": build_standard_type(OpenApiTypes.STR),
-        "code": build_standard_type(OpenApiTypes.STR),
+        "detail": build_basic_type(OpenApiTypes.STR),
+        "code": build_basic_type(OpenApiTypes.STR),
     },
     required=["detail"],
 )
 VALIDATION_ERROR = build_object_type(
     description=_("Validation Error"),
     properties={
-        api_settings.NON_FIELD_ERRORS_KEY: build_array_type(build_standard_type(OpenApiTypes.STR)),
-        "code": build_standard_type(OpenApiTypes.STR),
+        api_settings.NON_FIELD_ERRORS_KEY: build_array_type(build_basic_type(OpenApiTypes.STR)),
+        "code": build_basic_type(OpenApiTypes.STR),
     },
     required=[],
     additionalProperties={},
 )
 
 
-def create_component(generator: SchemaGenerator, name, schema, type_=ResolvedComponent.SCHEMA):
+def create_component(
+    generator: SchemaGenerator, name: str, schema: Any, type_=ResolvedComponent.SCHEMA
+) -> ResolvedComponent:
     """Register a component and return a reference to it."""
     component = ResolvedComponent(
         name=name,
@@ -54,7 +52,18 @@ def create_component(generator: SchemaGenerator, name, schema, type_=ResolvedCom
     return component
 
 
-def postprocess_schema_responses(result, generator: SchemaGenerator, **kwargs):
+def preprocess_schema_exclude_non_api(endpoints: list[tuple[str, Any, Any, Callable]], **kwargs):
+    """Filter out all API Views which are not mounted under /api"""
+    return [
+        (path, path_regex, method, callback)
+        for path, path_regex, method, callback in endpoints
+        if path.startswith("/" + AuthentikAPIConfig.mountpoint)
+    ]
+
+
+def postprocess_schema_responses(
+    result: dict[str, Any], generator: SchemaGenerator, **kwargs
+) -> dict[str, Any]:
     """Workaround to set a default response for endpoints.
     Workaround suggested at
     <https://github.com/tfranzel/drf-spectacular/issues/119#issuecomment-656970357>
@@ -104,10 +113,81 @@ def postprocess_schema_responses(result, generator: SchemaGenerator, **kwargs):
     return result
 
 
-def preprocess_schema_exclude_non_api(endpoints, **kwargs):
-    """Filter out all API Views which are not mounted under /api"""
-    return [
-        (path, path_regex, method, callback)
-        for path, path_regex, method, callback in endpoints
-        if path.startswith("/" + AuthentikAPIConfig.mountpoint)
-    ]
+def postprocess_schema_pagination(
+    result: dict[str, Any], generator: SchemaGenerator, **kwargs
+) -> dict[str, Any]:
+    """Optimise pagination parameters, instead of redeclaring parameters for each endpoint
+    declare them globally and refer to them"""
+    to_replace = {
+        "ordering": create_component(
+            generator,
+            "QueryPaginationOrdering",
+            {
+                "name": "ordering",
+                "required": False,
+                "in": "query",
+                "description": "Which field to use when ordering the results.",
+                "schema": {"type": "string"},
+            },
+            ResolvedComponent.PARAMETER,
+        ),
+        "page": create_component(
+            generator,
+            "QueryPaginationPage",
+            {
+                "name": "page",
+                "required": False,
+                "in": "query",
+                "description": "A page number within the paginated result set.",
+                "schema": {"type": "integer"},
+            },
+            ResolvedComponent.PARAMETER,
+        ),
+        "page_size": create_component(
+            generator,
+            "QueryPaginationPageSize",
+            {
+                "name": "page_size",
+                "required": False,
+                "in": "query",
+                "description": "Number of results to return per page.",
+                "schema": {"type": "integer"},
+            },
+            ResolvedComponent.PARAMETER,
+        ),
+        "search": create_component(
+            generator,
+            "QuerySearch",
+            {
+                "name": "search",
+                "required": False,
+                "in": "query",
+                "description": "A search term.",
+                "schema": {"type": "string"},
+            },
+            ResolvedComponent.PARAMETER,
+        ),
+    }
+    for path in result["paths"].values():
+        for method in path.values():
+            for idx, param in enumerate(method.get("parameters", [])):
+                for replace_name, replace_ref in to_replace.items():
+                    if param["name"] == replace_name:
+                        method["parameters"][idx] = replace_ref.ref
+    return result
+
+
+def postprocess_schema_remove_unused(
+    result: dict[str, Any], generator: SchemaGenerator, **kwargs
+) -> dict[str, Any]:
+    """Remove unused components"""
+    # To check if the schema is used, render it to JSON and then substring check that
+    # less efficient than walking through the tree but a lot simpler and no
+    # possibility that we miss something
+    raw = OpenApiJsonRenderer().render(result, renderer_context={}).decode()
+    for key in result["components"][ResolvedComponent.SCHEMA].keys():
+        if raw.count(key) > 1:
+            continue
+        del generator.registry._components[(key, ResolvedComponent.SCHEMA)]
+    result["components"] = generator.registry.build(spectacular_settings.APPEND_COMPONENTS)
+    return result

authentik/blueprints/v1/importer.py

@@ -76,6 +76,7 @@ from authentik.providers.scim.models import SCIMProviderGroup, SCIMProviderUser
 from authentik.rbac.models import Role
 from authentik.sources.scim.models import SCIMSourceGroup, SCIMSourceUser
 from authentik.stages.authenticator_webauthn.models import WebAuthnDeviceType
+from authentik.stages.consent.models import UserConsent
 from authentik.tasks.models import Task
 from authentik.tenants.models import Tenant
 
@@ -135,6 +136,7 @@ def excluded_models() -> list[type[Model]]:
         EndpointDeviceConnection,
         DeviceToken,
         StreamEvent,
+        UserConsent,
     )
 
 

authentik/brands/models.py

@@ -113,7 +113,7 @@ class Brand(SerializerModel):
         try:
             return self.attributes.get("settings", {}).get("locale", "")
 
-        except Exception as exc:
+        except Exception as exc:  # noqa
             LOGGER.warning("Failed to get default locale", exc=exc)
             return ""
 

authentik/core/api/groups.py

@@ -29,8 +29,8 @@ from authentik.rbac.api.roles import RoleSerializer
 from authentik.rbac.decorators import permission_required
 
 
-class GroupMemberSerializer(ModelSerializer):
-    """Stripped down user serializer to show relevant users for groups"""
+class PartialUserSerializer(ModelSerializer):
+    """Partial User Serializer, does not include child relations."""
 
     attributes = JSONDictField(required=False)
     uid = CharField(read_only=True)
@@ -94,11 +94,11 @@ class GroupSerializer(ModelSerializer):
             return True
         return str(request.query_params.get("include_children", "false")).lower() == "true"
 
-    @extend_schema_field(GroupMemberSerializer(many=True))
-    def get_users_obj(self, instance: Group) -> list[GroupMemberSerializer] | None:
+    @extend_schema_field(PartialUserSerializer(many=True))
+    def get_users_obj(self, instance: Group) -> list[PartialUserSerializer] | None:
         if not self._should_include_users:
             return None
-        return GroupMemberSerializer(instance.users, many=True).data
+        return PartialUserSerializer(instance.users, many=True).data
 
     @extend_schema_field(GroupChildSerializer(many=True))
     def get_children_obj(self, instance: Group) -> list[GroupChildSerializer] | None:
@@ -295,7 +295,7 @@ class GroupViewSet(UsedByMixin, ModelViewSet):
     @extend_schema(
         request=UserAccountSerializer,
         responses={
-            204: OpenApiResponse(description="User added"),
+            204: OpenApiResponse(description="User removed"),
             404: OpenApiResponse(description="User not found"),
         },
     )
@@ -307,7 +307,7 @@ class GroupViewSet(UsedByMixin, ModelViewSet):
         permission_classes=[],
     )
     def remove_user(self, request: Request, pk: str) -> Response:
-        """Add user to group"""
+        """Remove user from group"""
         group: Group = self.get_object()
         user: User = (
             get_objects_for_user(request.user, "authentik_core.view_user")

authentik/core/api/property_mappings.py

@@ -171,7 +171,7 @@ class PropertyMappingViewSet(
         except PropertyMappingExpressionException as exc:
             response_data["result"] = exception_to_string(exc.exc)
             response_data["successful"] = False
-        except Exception as exc:
+        except Exception as exc:  # noqa
             response_data["result"] = exception_to_string(exc)
             response_data["successful"] = False
         response = PropertyMappingTestResultSerializer(response_data)

authentik/core/api/users.py

@@ -97,8 +97,8 @@ class ParamUserSerializer(PassiveSerializer):
     user = PrimaryKeyRelatedField(queryset=User.objects.all().exclude_anonymous(), required=False)
 
 
-class UserGroupSerializer(ModelSerializer):
-    """Simplified Group Serializer for user's groups"""
+class PartialGroupSerializer(ModelSerializer):
+    """Partial Group Serializer, does not include child relations."""
 
     attributes = JSONDictField(required=False)
     parent_name = CharField(source="parent.name", read_only=True, allow_null=True)
@@ -143,11 +143,11 @@ class UserSerializer(ModelSerializer):
             return True
         return str(request.query_params.get("include_groups", "true")).lower() == "true"
 
-    @extend_schema_field(UserGroupSerializer(many=True))
-    def get_groups_obj(self, instance: User) -> list[UserGroupSerializer] | None:
+    @extend_schema_field(PartialGroupSerializer(many=True))
+    def get_groups_obj(self, instance: User) -> list[PartialGroupSerializer] | None:
         if not self._should_include_groups:
             return None
-        return UserGroupSerializer(instance.ak_groups, many=True).data
+        return PartialGroupSerializer(instance.ak_groups, many=True).data
 
     def __init__(self, *args, **kwargs):
         super().__init__(*args, **kwargs)
@@ -719,7 +719,7 @@ class UserViewSet(UsedByMixin, ModelViewSet):
         return Response(status=204)
 
     @extend_schema(
-        request=OpenApiTypes.NONE,
+        request=None,
         responses={
             "204": OpenApiResponse(description="Successfully ended impersonation"),
         },

authentik/core/management/commands/dev_server.py

@@ -1,6 +1,6 @@
 """custom runserver command"""
 
-from typing import TextIO
+from io import StringIO
 
 from daphne.management.commands.runserver import Command as RunServer
 from daphne.server import Server
@@ -33,4 +33,4 @@ class Command(RunServer):
         super().__init__(*args, **kwargs)
         # Redirect standard stdout banner from Daphne into the void
         # as there are a couple more steps that happen before startup is fully done
-        self.stdout = TextIO()
+        self.stdout = StringIO()

authentik/core/management/commands/shell.py

@@ -99,7 +99,7 @@ class Command(BaseCommand):
         else:
             try:
                 hook()
-            except Exception:
+            except Exception:  # noqa
                 # Match the behavior of the cpython shell where an error in
                 # sys.__interactivehook__ prints a warning and the exception
                 # and continues.

authentik/core/migrations/0051_group_authentik_c_is_supe_1e5a97_idx.py

@@ -0,0 +1,18 @@
+# Generated by Django 5.1.12 on 2025-09-25 13:39
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_core", "0050_user_last_updated_and_more"),
+        ("authentik_rbac", "0006_alter_role_options"),
+    ]
+
+    operations = [
+        migrations.AddIndex(
+            model_name="group",
+            index=models.Index(fields=["is_superuser"], name="authentik_c_is_supe_1e5a97_idx"),
+        ),
+    ]

authentik/core/models.py

@@ -114,15 +114,21 @@ class AttributesMixin(models.Model):
 
     def update_attributes(self, properties: dict[str, Any]):
         """Update fields and attributes, but correctly by merging dicts"""
+        needs_update = False
         for key, value in properties.items():
             if key == "attributes":
                 continue
-            setattr(self, key, value)
+            if getattr(self, key, None) != value:
+                setattr(self, key, value)
+                needs_update = True
         final_attributes = {}
         MERGE_LIST_UNIQUE.merge(final_attributes, self.attributes)
         MERGE_LIST_UNIQUE.merge(final_attributes, properties.get("attributes", {}))
-        self.attributes = final_attributes
-        self.save()
+        if self.attributes != final_attributes:
+            self.attributes = final_attributes
+            needs_update = True
+        if needs_update:
+            self.save()
 
     @classmethod
     def update_or_create_attributes(
@@ -200,7 +206,10 @@ class Group(SerializerModel, AttributesMixin):
                 "parent",
             ),
         )
-        indexes = [models.Index(fields=["name"])]
+        indexes = (
+            models.Index(fields=["name"]),
+            models.Index(fields=["is_superuser"]),
+        )
         verbose_name = _("Group")
         verbose_name_plural = _("Groups")
         permissions = [
@@ -400,7 +409,7 @@ class User(SerializerModel, GuardianUserMixin, AttributesMixin, AbstractUser):
         try:
             return self.attributes.get("settings", {}).get("locale", "")
 
-        except Exception as exc:
+        except Exception as exc:  # noqa
             LOGGER.warning("Failed to get default locale", exc=exc)
         if request:
             return request.brand.locale
@@ -581,7 +590,7 @@ class Application(SerializerModel, PolicyBindingModel):
             try:
                 return url % user.__dict__
 
-            except Exception as exc:
+            except Exception as exc:  # noqa
                 LOGGER.warning("Failed to format launch url", exc=exc)
                 return url
         return url
@@ -777,7 +786,7 @@ class Source(ManagedModel, SerializerModel, PolicyBindingModel):
                 "slug": self.slug,
             }
 
-        except Exception as exc:
+        except Exception as exc:  # noqa
             LOGGER.warning("Failed to template user path", exc=exc, source=self)
             return User.default_path()
 

authentik/core/signals.py

@@ -2,10 +2,9 @@
 
 from django.contrib.auth.signals import user_logged_in
 from django.core.cache import cache
-from django.core.signals import Signal
 from django.db.models import Model
 from django.db.models.signals import post_delete, post_save, pre_save
-from django.dispatch import receiver
+from django.dispatch import Signal, receiver
 from django.http.request import HttpRequest
 from structlog.stdlib import get_logger
 

authentik/core/tasks.py

@@ -14,6 +14,7 @@ from authentik.core.models import (
     ExpiringModel,
     User,
 )
+from authentik.lib.utils.db import chunked_queryset
 from authentik.tasks.models import Task
 
 LOGGER = get_logger()
@@ -28,7 +29,7 @@ def clean_expired_models():
             cls.objects.all().exclude(expiring=False).exclude(expiring=True, expires__gt=now())
         )
         amount = objects.count()
-        for obj in objects:
+        for obj in chunked_queryset(objects):
             obj.expire_action()
         LOGGER.debug("Expired models", model=cls, amount=amount)
         self.info(f"Expired {amount} {cls._meta.verbose_name_plural}")

authentik/core/templates/if/admin.html

@@ -8,6 +8,7 @@
 {% endblock %}
 
 {% block body %}
+<ak-skip-to-content></ak-skip-to-content>
 <ak-message-container alignment="bottom"></ak-message-container>
 <ak-interface-admin>
     <ak-loading></ak-loading>

authentik/core/templates/if/user.html

@@ -8,6 +8,7 @@
 {% endblock %}
 
 {% block body %}
+<ak-skip-to-content></ak-skip-to-content>
 <ak-message-container></ak-message-container>
 <ak-interface-user>
     <ak-loading></ak-loading>

authentik/core/templates/login/base_full.html

@@ -45,6 +45,7 @@
 {% block body %}
 <div class="pf-c-background-image">
 </div>
+<ak-skip-to-content></ak-skip-to-content>
 <ak-message-container></ak-message-container>
 <div class="pf-c-login stacked">
     <div class="ak-login-container">

authentik/crypto/models.py

@@ -20,6 +20,11 @@ from authentik.lib.models import CreatedUpdatedModel, SerializerModel
 LOGGER = get_logger()
 
 
+def fingerprint_sha256(cert: Certificate) -> str:
+    """Get SHA256 Fingerprint of certificate"""
+    return hexlify(cert.fingerprint(hashes.SHA256()), ":").decode("utf-8")
+
+
 class CertificateKeyPair(SerializerModel, ManagedModel, CreatedUpdatedModel):
     """CertificateKeyPair that can be used for signing or encrypting if `key_data`
     is set, otherwise it can be used to verify remote data."""
@@ -82,7 +87,7 @@ class CertificateKeyPair(SerializerModel, ManagedModel, CreatedUpdatedModel):
     @property
     def fingerprint_sha256(self) -> str:
         """Get SHA256 Fingerprint of certificate_data"""
-        return hexlify(self.certificate.fingerprint(hashes.SHA256()), ":").decode("utf-8")
+        return fingerprint_sha256(self.certificate)
 
     @property
     def fingerprint_sha1(self) -> str:

authentik/crypto/tests.py

@@ -27,7 +27,7 @@ class TestCrypto(APITestCase):
     def test_model_private(self):
         """Test model private key"""
         cert = CertificateKeyPair.objects.create(
-            name="test",
+            name=generate_id(),
             certificate_data="foo",
             key_data="foo",
         )
@@ -271,7 +271,7 @@ class TestCrypto(APITestCase):
         keypair = create_test_cert()
         provider = OAuth2Provider.objects.create(
             name=generate_id(),
-            client_id="test",
+            client_id=generate_id(),
             client_secret=generate_key(),
             authorization_flow=create_test_flow(),
             redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost")],
@@ -303,7 +303,7 @@ class TestCrypto(APITestCase):
         keypair = create_test_cert()
         OAuth2Provider.objects.create(
             name=generate_id(),
-            client_id="test",
+            client_id=generate_id(),
             client_secret=generate_key(),
             authorization_flow=create_test_flow(),
             redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost")],

authentik/enterprise/providers/google_workspace/api/groups.py

@@ -4,7 +4,7 @@ from rest_framework import mixins
 from rest_framework.viewsets import GenericViewSet
 
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.users import UserGroupSerializer
+from authentik.core.api.users import PartialGroupSerializer
 from authentik.core.api.utils import ModelSerializer
 from authentik.enterprise.providers.google_workspace.models import GoogleWorkspaceProviderGroup
 from authentik.lib.sync.outgoing.api import OutgoingSyncConnectionCreateMixin
@@ -13,7 +13,7 @@ from authentik.lib.sync.outgoing.api import OutgoingSyncConnectionCreateMixin
 class GoogleWorkspaceProviderGroupSerializer(ModelSerializer):
     """GoogleWorkspaceProviderGroup Serializer"""
 
-    group_obj = UserGroupSerializer(source="group", read_only=True)
+    group_obj = PartialGroupSerializer(source="group", read_only=True)
 
     class Meta:
 

authentik/enterprise/providers/google_workspace/api/users.py

@@ -3,7 +3,7 @@
 from rest_framework import mixins
 from rest_framework.viewsets import GenericViewSet
 
-from authentik.core.api.groups import GroupMemberSerializer
+from authentik.core.api.groups import PartialUserSerializer
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import ModelSerializer
 from authentik.enterprise.providers.google_workspace.models import GoogleWorkspaceProviderUser
@@ -13,7 +13,7 @@ from authentik.lib.sync.outgoing.api import OutgoingSyncConnectionCreateMixin
 class GoogleWorkspaceProviderUserSerializer(ModelSerializer):
     """GoogleWorkspaceProviderUser Serializer"""
 
-    user_obj = GroupMemberSerializer(source="user", read_only=True)
+    user_obj = PartialUserSerializer(source="user", read_only=True)
 
     class Meta:
 

authentik/enterprise/providers/microsoft_entra/api/groups.py

@@ -4,7 +4,7 @@ from rest_framework import mixins
 from rest_framework.viewsets import GenericViewSet
 
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.users import UserGroupSerializer
+from authentik.core.api.users import PartialGroupSerializer
 from authentik.core.api.utils import ModelSerializer
 from authentik.enterprise.providers.microsoft_entra.models import MicrosoftEntraProviderGroup
 from authentik.lib.sync.outgoing.api import OutgoingSyncConnectionCreateMixin
@@ -13,7 +13,7 @@ from authentik.lib.sync.outgoing.api import OutgoingSyncConnectionCreateMixin
 class MicrosoftEntraProviderGroupSerializer(ModelSerializer):
     """MicrosoftEntraProviderGroup Serializer"""
 
-    group_obj = UserGroupSerializer(source="group", read_only=True)
+    group_obj = PartialGroupSerializer(source="group", read_only=True)
 
     class Meta:
 

authentik/enterprise/providers/microsoft_entra/api/users.py

@@ -3,7 +3,7 @@
 from rest_framework import mixins
 from rest_framework.viewsets import GenericViewSet
 
-from authentik.core.api.groups import GroupMemberSerializer
+from authentik.core.api.groups import PartialUserSerializer
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import ModelSerializer
 from authentik.enterprise.providers.microsoft_entra.models import MicrosoftEntraProviderUser
@@ -13,7 +13,7 @@ from authentik.lib.sync.outgoing.api import OutgoingSyncConnectionCreateMixin
 class MicrosoftEntraProviderUserSerializer(ModelSerializer):
     """MicrosoftEntraProviderUser Serializer"""
 
-    user_obj = GroupMemberSerializer(source="user", read_only=True)
+    user_obj = PartialUserSerializer(source="user", read_only=True)
 
     class Meta:
 

authentik/enterprise/providers/radius/api.py

@@ -0,0 +1,14 @@
+from django.utils.translation import gettext as _
+from rest_framework.exceptions import ValidationError
+
+from authentik.crypto.models import CertificateKeyPair
+from authentik.enterprise.license import LicenseKey
+
+
+class RadiusProviderSerializerMixin:
+
+    def validate_certificate(self, cert: CertificateKeyPair) -> CertificateKeyPair:
+        if cert:
+            if not LicenseKey.cached_summary().status.is_valid:
+                raise ValidationError(_("Enterprise is required to use EAP-TLS."))
+        return cert

authentik/enterprise/providers/radius/apps.py

@@ -0,0 +1,9 @@
+from authentik.enterprise.apps import EnterpriseConfig
+
+
+class AuthentikEnterpriseProviderRadiusConfig(EnterpriseConfig):
+
+    name = "authentik.enterprise.providers.radius"
+    label = "authentik_enterprise_providers_radius"
+    verbose_name = "authentik Enterprise.Providers.Radius"
+    default = True

authentik/enterprise/providers/scim/api.py

@@ -0,0 +1,14 @@
+from django.utils.translation import gettext as _
+from rest_framework.exceptions import ValidationError
+
+from authentik.enterprise.license import LicenseKey
+from authentik.providers.scim.models import SCIMAuthenticationMode
+
+
+class SCIMProviderSerializerMixin:
+
+    def validate_auth_mode(self, auth_mode: SCIMAuthenticationMode) -> SCIMAuthenticationMode:
+        if auth_mode == SCIMAuthenticationMode.OAUTH:
+            if not LicenseKey.cached_summary().status.is_valid:
+                raise ValidationError(_("Enterprise is required to use the OAuth mode."))
+        return auth_mode

authentik/enterprise/providers/scim/apps.py

@@ -0,0 +1,9 @@
+from authentik.enterprise.apps import EnterpriseConfig
+
+
+class AuthentikEnterpriseProviderSCIMConfig(EnterpriseConfig):
+
+    name = "authentik.enterprise.providers.scim"
+    label = "authentik_enterprise_providers_scim"
+    verbose_name = "authentik Enterprise.Providers.SCIM"
+    default = True

authentik/enterprise/providers/scim/auth_oauth2.py

@@ -0,0 +1,80 @@
+from datetime import timedelta
+from typing import TYPE_CHECKING
+
+from django.utils.timezone import now
+from requests import Request, RequestException
+from structlog.stdlib import get_logger
+
+from authentik.providers.scim.clients.exceptions import SCIMRequestException
+from authentik.sources.oauth.clients.oauth2 import OAuth2Client
+from authentik.sources.oauth.models import OAuthSource, UserOAuthSourceConnection
+
+if TYPE_CHECKING:
+    from authentik.providers.scim.models import SCIMProvider
+
+
+class SCIMOAuthException(SCIMRequestException):
+    """Exceptions related to OAuth operations for SCIM requests"""
+
+
+class SCIMOAuthAuth:
+
+    def __init__(self, provider: "SCIMProvider"):
+        self.provider = provider
+        self.user = provider.auth_oauth_user
+        self.connection = self.get_connection()
+        self.logger = get_logger().bind()
+
+    def retrieve_token(self):
+        if not self.provider.auth_oauth:
+            return None
+        source: OAuthSource = self.provider.auth_oauth
+        client = OAuth2Client(source, None)
+        access_token_url = source.source_type.access_token_url or ""
+        if source.source_type.urls_customizable and source.access_token_url:
+            access_token_url = source.access_token_url
+        data = client.get_access_token_args(None, None)
+        data["grant_type"] = "password"
+        data.update(self.provider.auth_oauth_params)
+        try:
+            response = client.do_request(
+                "POST",
+                access_token_url,
+                auth=client.get_access_token_auth(),
+                data=data,
+                headers=client._default_headers,
+            )
+            response.raise_for_status()
+            body = response.json()
+            if "error" in body:
+                self.logger.info("Failed to get new OAuth token", error=body["error"])
+                raise SCIMOAuthException(response, body["error"])
+            return body
+        except RequestException as exc:
+            raise SCIMOAuthException(exc.response, message="Failed to get OAuth token") from exc
+
+    def get_connection(self):
+        token = UserOAuthSourceConnection.objects.filter(
+            source=self.provider.auth_oauth, user=self.user, expires__gt=now()
+        ).first()
+        if token and token.access_token:
+            return token
+        token = self.retrieve_token()
+        access_token = token["access_token"]
+        expires_in = int(token.get("expires_in", 0))
+        token, _ = UserOAuthSourceConnection.objects.update_or_create(
+            source=self.provider.auth_oauth,
+            user=self.user,
+            defaults={
+                "access_token": access_token,
+                "expires": now() + timedelta(seconds=expires_in),
+            },
+        )
+        return token
+
+    def __call__(self, request: Request) -> Request:
+        if not self.connection.is_valid:
+            self.logger.info("OAuth token expired, renewing token")
+            self.connection = self.get_connection()
+        request.headers["Authorization"] = f"Bearer {self.connection.access_token}"
+        return request

authentik/enterprise/providers/scim/signals.py

@@ -0,0 +1,30 @@
+from django.db.models import Model
+from django.db.models.signals import post_save
+from django.dispatch import receiver
+
+from authentik.core.models import USER_PATH_SYSTEM_PREFIX, User, UserTypes
+from authentik.events.middleware import audit_ignore
+from authentik.providers.scim.models import SCIMAuthenticationMode, SCIMProvider
+
+USER_PATH_PROVIDERS_SCIM = USER_PATH_SYSTEM_PREFIX + "/providers/scim"
+
+
+@receiver(post_save, sender=SCIMProvider)
+def scim_provider_post_save(sender: type[Model], instance: SCIMProvider, created: bool, **__):
+    """Create service account before provider is saved"""
+    identifier = f"ak-providers-scim-{instance.pk}"
+    with audit_ignore():
+        if instance.auth_mode == SCIMAuthenticationMode.OAUTH:
+            user, user_created = User.objects.update_or_create(
+                username=identifier,
+                defaults={
+                    "name": f"SCIM Provider {instance.name} Service-Account",
+                    "type": UserTypes.INTERNAL_SERVICE_ACCOUNT,
+                    "path": USER_PATH_PROVIDERS_SCIM,
+                },
+            )
+            if created or user_created:
+                instance.auth_oauth_user = user
+                instance.save()
+        elif instance.auth_mode == SCIMAuthenticationMode.TOKEN:
+            User.objects.filter(username=identifier).delete()

authentik/enterprise/providers/scim/tests.py

@@ -0,0 +1,193 @@
+"""SCIM OAuth tests"""
+
+from base64 import b64encode
+from datetime import timedelta
+from unittest.mock import MagicMock, PropertyMock, patch
+
+from django.urls import reverse
+from django.utils.timezone import now
+from requests_mock import Mocker
+from rest_framework.test import APITestCase
+
+from authentik.blueprints.tests import apply_blueprint
+from authentik.core.models import Application, Group, User
+from authentik.core.tests.utils import create_test_admin_user
+from authentik.enterprise.license import LicenseKey
+from authentik.enterprise.models import License
+from authentik.enterprise.tests.test_license import expiry_valid
+from authentik.lib.generators import generate_id
+from authentik.providers.scim.models import SCIMAuthenticationMode, SCIMMapping, SCIMProvider
+from authentik.sources.oauth.models import OAuthSource, UserOAuthSourceConnection
+from authentik.tenants.models import Tenant
+
+
+class SCIMOAuthTests(APITestCase):
+    """SCIM User tests"""
+
+    @apply_blueprint("system/providers-scim.yaml")
+    def setUp(self) -> None:
+        # Delete all users and groups as the mocked HTTP responses only return one ID
+        # which will cause errors with multiple users
+        Tenant.objects.update(avatars="none")
+        User.objects.all().exclude_anonymous().delete()
+        Group.objects.all().delete()
+        self.source = OAuthSource.objects.create(
+            name=generate_id(),
+            slug=generate_id(),
+            access_token_url="http://localhost/token",  # nosec
+            consumer_key=generate_id(),
+            consumer_secret=generate_id(),
+            provider_type="openidconnect",
+        )
+        self.provider = SCIMProvider.objects.create(
+            name=generate_id(),
+            url="https://localhost",
+            auth_mode=SCIMAuthenticationMode.OAUTH,
+            auth_oauth=self.source,
+            auth_oauth_params={
+                "foo": "bar",
+            },
+            exclude_users_service_account=True,
+        )
+        self.app: Application = Application.objects.create(
+            name=generate_id(),
+            slug=generate_id(),
+        )
+        self.app.backchannel_providers.add(self.provider)
+        self.provider.property_mappings.add(
+            SCIMMapping.objects.get(managed="goauthentik.io/providers/scim/user")
+        )
+        self.provider.property_mappings_group.add(
+            SCIMMapping.objects.get(managed="goauthentik.io/providers/scim/group")
+        )
+
+    def test_retrieve_token(self):
+        """Test token retrieval"""
+        with Mocker() as mocker:
+            token = generate_id()
+            mocker.post("http://localhost/token", json={"access_token": token, "expires_in": 3600})
+            self.provider.scim_auth()
+        conn = UserOAuthSourceConnection.objects.filter(
+            source=self.source,
+            user=self.provider.auth_oauth_user,
+        ).first()
+        self.assertIsNotNone(conn)
+        self.assertTrue(conn.is_valid)
+        auth = (
+            b64encode(
+                b":".join((self.source.consumer_key.encode(), self.source.consumer_secret.encode()))
+            )
+            .strip()
+            .decode()
+        )
+        self.assertEqual(
+            mocker.request_history[0].headers["Authorization"],
+            f"Basic {auth}",
+        )
+        self.assertEqual(mocker.request_history[0].body, "grant_type=password&foo=bar")
+
+    def test_existing_token(self):
+        """Test existing token"""
+        UserOAuthSourceConnection.objects.create(
+            source=self.source,
+            user=self.provider.auth_oauth_user,
+            access_token=generate_id(),
+            expires=now() + timedelta(hours=3),
+        )
+        with Mocker() as mocker:
+            self.provider.scim_auth()
+            self.assertEqual(len(mocker.request_history), 0)
+
+    @Mocker()
+    def test_user_create(self, mock: Mocker):
+        """Test user creation"""
+        scim_id = generate_id()
+        token = generate_id()
+        mock.post("http://localhost/token", json={"access_token": token, "expires_in": 3600})
+        mock.get(
+            "https://localhost/ServiceProviderConfig",
+            json={},
+        )
+        mock.post(
+            "https://localhost/Users",
+            json={
+                "id": scim_id,
+            },
+        )
+        uid = generate_id()
+        user = User.objects.create(
+            username=uid,
+            name=f"{uid} {uid}",
+            email=f"{uid}@goauthentik.io",
+        )
+        self.assertEqual(mock.call_count, 3)
+        self.assertEqual(mock.request_history[1].method, "GET")
+        self.assertEqual(mock.request_history[2].method, "POST")
+        self.assertJSONEqual(
+            mock.request_history[2].body,
+            {
+                "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
+                "active": True,
+                "emails": [
+                    {
+                        "primary": True,
+                        "type": "other",
+                        "value": f"{uid}@goauthentik.io",
+                    }
+                ],
+                "externalId": user.uid,
+                "name": {
+                    "familyName": uid,
+                    "formatted": f"{uid} {uid}",
+                    "givenName": uid,
+                },
+                "displayName": f"{uid} {uid}",
+                "userName": uid,
+            },
+        )
+
+    @patch(
+        "authentik.enterprise.license.LicenseKey.validate",
+        MagicMock(
+            return_value=LicenseKey(
+                aud="",
+                exp=expiry_valid,
+                name=generate_id(),
+                internal_users=100,
+                external_users=100,
+            )
+        ),
+    )
+    def test_api_create(self):
+        License.objects.create(key=generate_id())
+        self.client.force_login(create_test_admin_user())
+        res = self.client.post(
+            reverse("authentik_api:scimprovider-list"),
+            {
+                "name": generate_id(),
+                "url": "http://localhost",
+                "auth_mode": "oauth",
+                "auth_oauth": str(self.source.pk),
+            },
+        )
+        self.assertEqual(res.status_code, 201)
+
+    @patch(
+        "authentik.enterprise.models.LicenseUsageStatus.is_valid",
+        PropertyMock(return_value=False),
+    )
+    def test_api_create_no_license(self):
+        self.client.force_login(create_test_admin_user())
+        res = self.client.post(
+            reverse("authentik_api:scimprovider-list"),
+            {
+                "name": generate_id(),
+                "url": "http://localhost",
+                "auth_mode": "oauth",
+                "auth_oauth": str(self.source.pk),
+            },
+        )
+        self.assertEqual(res.status_code, 400)
+        self.assertJSONEqual(
+            res.content, {"auth_mode": ["Enterprise is required to use the OAuth mode."]}
+        )

authentik/enterprise/search/settings.py

@@ -1,6 +1,8 @@
 SPECTACULAR_SETTINGS = {
     "POSTPROCESSING_HOOKS": [
         "authentik.api.schema.postprocess_schema_responses",
+        "authentik.api.schema.postprocess_schema_pagination",
+        "authentik.api.schema.postprocess_schema_remove_unused",
         "authentik.enterprise.search.schema.postprocess_schema_search_autocomplete",
         "drf_spectacular.hooks.postprocess_schema_enums",
     ],

authentik/enterprise/settings.py

@@ -5,6 +5,8 @@ TENANT_APPS = [
     "authentik.enterprise.policies.unique_password",
     "authentik.enterprise.providers.google_workspace",
     "authentik.enterprise.providers.microsoft_entra",
+    "authentik.enterprise.providers.radius",
+    "authentik.enterprise.providers.scim",
     "authentik.enterprise.providers.ssf",
     "authentik.enterprise.search",
     "authentik.enterprise.stages.authenticator_endpoint_gdtc",

authentik/enterprise/stages/authenticator_endpoint_gdtc/migrations/0002_alter_authenticatorendpointgdtcstage_friendly_name.py

@@ -0,0 +1,19 @@
+# Generated by Django 5.1.12 on 2025-09-08 19:43
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_stages_authenticator_endpoint_gdtc", "0001_initial"),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="authenticatorendpointgdtcstage",
+            name="friendly_name",
+            field=models.TextField(blank=True, default=""),
+            preserve_default=False,
+        ),
+    ]

authentik/enterprise/stages/mtls/stage.py

@@ -7,6 +7,8 @@ from cryptography.x509 import (
     Certificate,
     NameOID,
     ObjectIdentifier,
+    RFC822Name,
+    SubjectAlternativeName,
     UnsupportedGeneralNameType,
     load_pem_x509_certificate,
 )
@@ -15,7 +17,7 @@ from django.utils.translation import gettext_lazy as _
 
 from authentik.brands.models import Brand
 from authentik.core.models import User
-from authentik.crypto.models import CertificateKeyPair
+from authentik.crypto.models import CertificateKeyPair, fingerprint_sha256
 from authentik.enterprise.stages.mtls.models import (
     CertAttributes,
     MutualTLSStage,
@@ -137,7 +139,7 @@ class MTLSStageView(ChallengeStageView):
             case CertAttributes.COMMON_NAME:
                 cert_attr = self.get_cert_attribute(cert, NameOID.COMMON_NAME)
             case CertAttributes.EMAIL:
-                cert_attr = self.get_cert_attribute(cert, NameOID.EMAIL_ADDRESS)
+                cert_attr = self.get_cert_email(cert)
         match stage.user_attribute:
             case UserAttributes.USERNAME:
                 user_attr = "username"
@@ -171,7 +173,7 @@ class MTLSStageView(ChallengeStageView):
         self.executor.plan.context.setdefault(PLAN_CONTEXT_PROMPT, {})
         self.executor.plan.context[PLAN_CONTEXT_PROMPT].update(
             {
-                "email": self.get_cert_attribute(cert, NameOID.EMAIL_ADDRESS),
+                "email": self.get_cert_email(cert),
                 "name": self.get_cert_attribute(cert, NameOID.COMMON_NAME),
             }
         )
@@ -183,6 +185,13 @@ class MTLSStageView(ChallengeStageView):
             return None
         return str(attr[0].value)
 
+    def get_cert_email(self, cert: Certificate) -> str | None:
+        ext = cert.extensions.get_extension_for_class(SubjectAlternativeName)
+        _cert_attr = ext.value.get_values_for_type(RFC822Name)
+        if len(_cert_attr) < 1:
+            return None
+        return str(_cert_attr[0])
+
     def dispatch(self, request, *args, **kwargs):
         stage: MutualTLSStage = self.executor.current_stage
         certs = [
@@ -210,6 +219,7 @@ class MTLSStageView(ChallengeStageView):
         if not cert and stage.mode == TLSMode.OPTIONAL:
             self.logger.info("No certificate given, continuing")
             return self.executor.stage_ok()
+        self.logger.debug("Received certificate", cert=fingerprint_sha256(cert))
         existing_user = self.check_if_user(cert)
         if self.executor.flow.designation == FlowDesignation.ENROLLMENT:
             self.enroll_prepare_user(cert)

authentik/events/context_processors/asn.py

@@ -19,7 +19,7 @@ if TYPE_CHECKING:
 class ASNDict(TypedDict):
     """ASN Details"""
 
-    asn: int
+    asn: int | None
     as_org: str | None
     network: str | None
 
@@ -60,7 +60,7 @@ class ASNContextProcessor(MMDBContextProcessor):
             except (GeoIP2Error, ValueError):
                 return None
 
-    def asn_to_dict(self, asn: ASN | None) -> ASNDict:
+    def asn_to_dict(self, asn: ASN | None) -> ASNDict | dict:
         """Convert ASN to dict"""
         if not asn:
             return {}

authentik/events/context_processors/geoip.py

@@ -19,10 +19,10 @@ if TYPE_CHECKING:
 class GeoIPDict(TypedDict):
     """GeoIP Details"""
 
-    continent: str
-    country: str
-    lat: float
-    long: float
+    continent: str | None
+    country: str | None
+    lat: float | None
+    long: float | None
     city: str
 
 
@@ -61,7 +61,7 @@ class GeoIPContextProcessor(MMDBContextProcessor):
             except (GeoIP2Error, ValueError):
                 return None
 
-    def city_to_dict(self, city: City | None) -> GeoIPDict:
+    def city_to_dict(self, city: City | None) -> GeoIPDict | dict:
         """Convert City to dict"""
         if not city:
             return {}

authentik/events/middleware.py

@@ -197,7 +197,8 @@ class AuditMiddleware:
             return
         if _CTX_IGNORE.get():
             return
-        if request.request_id != _CTX_REQUEST.get().request_id:
+        current_request = _CTX_REQUEST.get()
+        if current_request is None or request.request_id != current_request.request_id:
             return
         user = self.get_user(request)
 
@@ -212,7 +213,8 @@ class AuditMiddleware:
             return
         if _CTX_IGNORE.get():
             return
-        if request.request_id != _CTX_REQUEST.get().request_id:
+        current_request = _CTX_REQUEST.get()
+        if current_request is None or request.request_id != current_request.request_id:
             return
         user = self.get_user(request)
 
@@ -239,7 +241,8 @@ class AuditMiddleware:
             return
         if _CTX_IGNORE.get():
             return
-        if request.request_id != _CTX_REQUEST.get().request_id:
+        current_request = _CTX_REQUEST.get()
+        if current_request is None or request.request_id != current_request.request_id:
             return
         user = self.get_user(request)
 

authentik/events/migrations/0013_delete_systemtask.py

@@ -0,0 +1,16 @@
+# Generated by Django 5.1.11 on 2025-07-28 15:05
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_events", "0012_notificationtransport_email_subject_prefix_and_more"),
+    ]
+
+    operations = [
+        migrations.DeleteModel(
+            name="SystemTask",
+        ),
+    ]

authentik/events/models.py

@@ -632,45 +632,3 @@ class NotificationWebhookMapping(PropertyMapping):
     class Meta:
         verbose_name = _("Webhook Mapping")
         verbose_name_plural = _("Webhook Mappings")
-
-
-class TaskStatus(models.TextChoices):
-    """DEPRECATED do not use"""
-
-    UNKNOWN = "unknown"
-    SUCCESSFUL = "successful"
-    WARNING = "warning"
-    ERROR = "error"
-
-
-class SystemTask(ExpiringModel):
-    """DEPRECATED do not use"""
-
-    uuid = models.UUIDField(primary_key=True, editable=False, default=uuid4)
-    name = models.TextField()
-    uid = models.TextField(null=True)
-
-    start_timestamp = models.DateTimeField(default=now)
-    finish_timestamp = models.DateTimeField(default=now)
-    duration = models.FloatField(default=0)
-
-    status = models.TextField(choices=TaskStatus.choices)
-
-    description = models.TextField(null=True)
-    messages = models.JSONField()
-
-    task_call_module = models.TextField()
-    task_call_func = models.TextField()
-    task_call_args = models.JSONField(default=list)
-    task_call_kwargs = models.JSONField(default=dict)
-
-    def __str__(self) -> str:
-        return f"System Task {self.name}"
-
-    class Meta:
-        unique_together = (("name", "uid"),)
-        default_permissions = ()
-        permissions = ()
-        verbose_name = _("System Task")
-        verbose_name_plural = _("System Tasks")
-        indexes = ExpiringModel.Meta.indexes

authentik/events/tasks.py

@@ -16,6 +16,7 @@ from authentik.events.models import (
     NotificationRule,
     NotificationTransport,
 )
+from authentik.lib.utils.db import chunked_queryset
 from authentik.policies.engine import PolicyEngine
 from authentik.policies.models import PolicyBinding, PolicyEngineMode
 from authentik.tasks.models import Task
@@ -123,7 +124,8 @@ def gdpr_cleanup(user_pk: int):
     """cleanup events from gdpr_compliance"""
     events = Event.objects.filter(user__pk=user_pk)
     LOGGER.debug("GDPR cleanup, removing events from user", events=events.count())
-    events.delete()
+    for event in chunked_queryset(events):
+        event.delete()
 
 
 @actor(description=_("Cleanup seen notifications and notifications whose event expired."))

authentik/flows/api/bindings.py

@@ -46,5 +46,5 @@ class FlowStageBindingViewSet(UsedByMixin, ModelViewSet):
     serializer_class = FlowStageBindingSerializer
     filterset_fields = "__all__"
     search_fields = ["stage__name"]
-    ordering = ["order"]
-    ordering_fields = ["order", "stage__name"]
+    ordering = ["order", "pk"]
+    ordering_fields = ["order", "stage__name", "target__uuid", "pk"]

authentik/flows/models.py

@@ -291,7 +291,7 @@ class ConfigurableStage(models.Model):
 class FriendlyNamedStage(models.Model):
     """Abstract base class for a Stage that can have a user friendly name configured."""
 
-    friendly_name = models.TextField(null=True)
+    friendly_name = models.TextField(blank=True)
 
     class Meta:
         abstract = True

authentik/flows/stage.py

@@ -160,7 +160,7 @@ class ChallengeStageView(StageView):
                 "user": self.get_pending_user(for_display=True),
             }
 
-        except Exception as exc:
+        except Exception as exc:  # noqa
             self.logger.warning("failed to template title", exc=exc)
             return self.executor.flow.title
 
@@ -286,6 +286,12 @@ class SessionEndStage(ChallengeStageView):
     that the user is likely to take after signing out of a provider."""
 
     def get_challenge(self, *args, **kwargs) -> Challenge:
+        if not self.request.user.is_authenticated:
+            return RedirectChallenge(
+                data={
+                    "to": reverse("authentik_core:root-redirect"),
+                },
+            )
         application: Application | None = self.executor.plan.context.get(PLAN_CONTEXT_APPLICATION)
         data = {
             "component": "ak-stage-session-end",

authentik/flows/templates/if/flow.html

@@ -27,6 +27,7 @@ window.authentik.flow = {
 {% endblock %}
 
 {% block body %}
+<ak-skip-to-content></ak-skip-to-content>
 <ak-message-container></ak-message-container>
 <ak-flow-executor flowSlug="{{ flow.slug }}">
     <ak-loading></ak-loading>

authentik/flows/views/executor.py

@@ -198,7 +198,7 @@ class FlowExecutorView(APIView):
                 # if the cached plan is from an older version, it might have different attributes
                 # in which case we just delete the plan and invalidate everything
                 next_binding = self.plan.next(self.request)
-            except Exception as exc:
+            except Exception as exc:  # noqa
                 self._logger.warning(
                     "f(exec): found incompatible flow plan, invalidating run", exc=exc
                 )
@@ -288,7 +288,7 @@ class FlowExecutorView(APIView):
                 span.set_data("authentik Flow", self.flow.slug)
                 stage_response = self.current_stage_view.dispatch(request)
                 return to_stage_response(request, stage_response)
-        except Exception as exc:
+        except Exception as exc:  # noqa
             return self.handle_exception(exc)
 
     @extend_schema(
@@ -339,7 +339,7 @@ class FlowExecutorView(APIView):
                 span.set_data("authentik Flow", self.flow.slug)
                 stage_response = self.current_stage_view.dispatch(request)
                 return to_stage_response(request, stage_response)
-        except Exception as exc:
+        except Exception as exc:  # noqa
             return self.handle_exception(exc)
 
     def _initiate_plan(self) -> FlowPlan:
@@ -351,7 +351,7 @@ class FlowExecutorView(APIView):
             # there are no issues with the class we might've gotten
             # from the cache. If there are errors, just delete all cached flows
             _ = plan.has_stages
-        except Exception:
+        except Exception:  # noqa
             keys = cache.keys(f"{CACHE_PREFIX}*")
             cache.delete_many(keys)
             return self._initiate_plan()

authentik/lib/debug.py

@@ -19,7 +19,7 @@ def start_debug_server(**kwargs) -> bool:
         )
         return False
 
-    listen: str = CONFIG.get("listen.listen_debug_py", "127.0.0.1:9901")
+    listen: str = CONFIG.get("listen.debug_py", "127.0.0.1:9901")
     host, _, port = listen.rpartition(":")
     try:
         debugpy.listen((host, int(port)), **kwargs)  # nosec

authentik/lib/default.yml

@@ -31,14 +31,14 @@ postgresql:
   #   host: replica1.example.com
 
 listen:
-  listen_http: 0.0.0.0:9000
-  listen_https: 0.0.0.0:9443
-  listen_ldap: 0.0.0.0:3389
-  listen_ldaps: 0.0.0.0:6636
-  listen_radius: 0.0.0.0:1812
-  listen_metrics: 0.0.0.0:9300
-  listen_debug: 0.0.0.0:9900
-  listen_debug_py: 0.0.0.0:9901
+  http: 0.0.0.0:9000
+  https: 0.0.0.0:9443
+  ldap: 0.0.0.0:3389
+  ldaps: 0.0.0.0:6636
+  radius: 0.0.0.0:1812
+  metrics: 0.0.0.0:9300
+  debug: 0.0.0.0:9900
+  debug_py: 0.0.0.0:9901
   trusted_proxy_cidrs:
     - 127.0.0.0/8
     - 10.0.0.0/8
@@ -152,7 +152,7 @@ worker:
   processes: 1
   threads: 2
   consumer_listen_timeout: "seconds=30"
-  task_max_retries: 20
+  task_max_retries: 5
   task_default_time_limit: "minutes=10"
   lock_purge_interval: "minutes=1"
   task_purge_interval: "days=1"

authentik/lib/logging.py

@@ -43,7 +43,9 @@ def structlog_configure():
             structlog.stdlib.PositionalArgumentsFormatter(),
             structlog.processors.TimeStamper(fmt="iso", utc=False),
             structlog.processors.StackInfoRenderer(),
-            structlog.processors.dict_tracebacks,
+            structlog.processors.ExceptionRenderer(
+                structlog.processors.ExceptionDictTransformer(show_locals=CONFIG.get_bool("debug"))
+            ),
             structlog.stdlib.ProcessorFormatter.wrap_for_formatter,
         ],
         logger_factory=structlog.stdlib.LoggerFactory(),
@@ -65,7 +67,14 @@ def get_logger_config():
             "json": {
                 "()": structlog.stdlib.ProcessorFormatter,
                 "processor": structlog.processors.JSONRenderer(sort_keys=True),
-                "foreign_pre_chain": LOG_PRE_CHAIN + [structlog.processors.dict_tracebacks],
+                "foreign_pre_chain": LOG_PRE_CHAIN
+                + [
+                    structlog.processors.ExceptionRenderer(
+                        structlog.processors.ExceptionDictTransformer(
+                            show_locals=CONFIG.get_bool("debug")
+                        )
+                    ),
+                ],
             },
             "console": {
                 "()": structlog.stdlib.ProcessorFormatter,

authentik/lib/utils/db.py

@@ -0,0 +1,29 @@
+"""authentik database utilities"""
+
+import gc
+
+from django.db import reset_queries
+from django.db.models import QuerySet
+
+
+def chunked_queryset(queryset: QuerySet, chunk_size: int = 1_000):
+    if not queryset.exists():
+        return []
+
+    def get_chunks(qs: QuerySet):
+        qs = qs.order_by("pk")
+        pks = qs.values_list("pk", flat=True)
+        start_pk = pks[0]
+        while True:
+            try:
+                end_pk = pks.filter(pk__gte=start_pk)[chunk_size]
+            except IndexError:
+                break
+            yield qs.filter(pk__gte=start_pk, pk__lt=end_pk)
+            start_pk = end_pk
+        yield qs.filter(pk__gte=start_pk)
+
+    for chunk in get_chunks(queryset):
+        reset_queries()
+        gc.collect()
+        yield from chunk.iterator()

authentik/lib/utils/errors.py

@@ -4,9 +4,11 @@ from traceback import extract_tb
 
 from structlog.tracebacks import ExceptionDictTransformer
 
+from authentik.lib.config import CONFIG
 from authentik.lib.utils.reflection import class_to_path
 
 TRACEBACK_HEADER = "Traceback (most recent call last):"
+_exception_transformer = ExceptionDictTransformer(show_locals=CONFIG.get_bool("debug"))
 
 
 def exception_to_string(exc: Exception) -> str:
@@ -23,4 +25,4 @@ def exception_to_string(exc: Exception) -> str:
 
 def exception_to_dict(exc: Exception) -> dict:
     """Format exception as a dictionary"""
-    return ExceptionDictTransformer()((type(exc), exc, exc.__traceback__))
+    return _exception_transformer((type(exc), exc, exc.__traceback__))

authentik/lib/utils/reflection.py

@@ -6,6 +6,7 @@ from pathlib import Path
 from tempfile import gettempdir
 
 from django.conf import settings
+from django.utils.module_loading import import_string
 
 from authentik.lib.config import CONFIG
 
@@ -62,3 +63,13 @@ def get_env() -> str:
     if "AK_APPLIANCE" in os.environ:
         return os.environ["AK_APPLIANCE"]
     return "custom"
+
+
+def ConditionalInheritance(path: str):
+    """Conditionally inherit from a class, intended for things like authentik.enterprise,
+    without which authentik should still be able to run"""
+    try:
+        cls = import_string(path)
+        return cls
+    except ModuleNotFoundError:
+        return object

authentik/outposts/controllers/kubernetes.py

@@ -13,6 +13,7 @@ from urllib3.exceptions import HTTPError
 from yaml import dump_all
 
 from authentik.events.logs import LogEvent, capture_logs
+from authentik.lib.utils.reflection import class_to_path
 from authentik.outposts.controllers.base import BaseClient, BaseController, ControllerException
 from authentik.outposts.controllers.k8s.base import KubernetesObjectReconciler
 from authentik.outposts.controllers.k8s.deployment import DeploymentReconciler
@@ -105,7 +106,7 @@ class KubernetesController(BaseController):
                         LogEvent(
                             log_level="info",
                             event=f"{reconcile_key.title()}: Disabled",
-                            logger=str(type(self)),
+                            logger=class_to_path(self.__class__),
                         )
                     )
                     continue
@@ -144,7 +145,7 @@ class KubernetesController(BaseController):
                         LogEvent(
                             log_level="info",
                             event=f"{reconcile_key.title()}: Disabled",
-                            logger=str(type(self)),
+                            logger=class_to_path(self.__class__),
                         )
                     )
                     continue

authentik/outposts/models.py

@@ -357,7 +357,7 @@ class Outpost(ScheduledModel, SerializerModel, ManagedModel):
                             message=(
                                 "While setting the permissions for the service-account, a "
                                 "permission was not found: Check "
-                                "https://goauthentik.io/docs/troubleshooting/missing_permission"
+                                "https://docs.goauthentik.io/troubleshooting/missing_permission"
                             ),
                         ).with_exception(exc).set_user(user).save()
                 else:

authentik/policies/api/bindings.py

@@ -10,9 +10,9 @@ from rest_framework.serializers import PrimaryKeyRelatedField
 from rest_framework.viewsets import ModelViewSet
 from structlog.stdlib import get_logger
 
-from authentik.core.api.groups import GroupSerializer
+from authentik.core.api.groups import PartialUserSerializer
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.users import UserSerializer
+from authentik.core.api.users import PartialGroupSerializer
 from authentik.core.api.utils import ModelSerializer
 from authentik.policies.api.policies import PolicySerializer
 from authentik.policies.models import PolicyBinding, PolicyBindingModel
@@ -61,8 +61,8 @@ class PolicyBindingSerializer(ModelSerializer):
     )
 
     policy_obj = PolicySerializer(required=False, read_only=True, source="policy")
-    group_obj = GroupSerializer(required=False, read_only=True, source="group")
-    user_obj = UserSerializer(required=False, read_only=True, source="user")
+    group_obj = PartialGroupSerializer(required=False, read_only=True, source="group")
+    user_obj = PartialUserSerializer(required=False, read_only=True, source="user")
 
     class Meta:
         model = PolicyBinding
@@ -124,4 +124,5 @@ class PolicyBindingViewSet(UsedByMixin, ModelViewSet):
     serializer_class = PolicyBindingSerializer
     search_fields = ["policy__name"]
     filterset_class = PolicyBindingFilter
-    ordering = ["target", "order"]
+    ordering = ["order", "pk"]
+    ordering_fields = ["order", "target__uuid", "pk"]

authentik/policies/expression/evaluator.py

@@ -71,7 +71,7 @@ class PolicyEvaluator(BaseEvaluator):
             # PolicyExceptions should be propagated back to the process,
             # which handles recording and returning a correct result
             raise exc
-        except Exception as exc:
+        except Exception as exc:  # noqa
             LOGGER.warning("Expression error", exc=exc)
             return PolicyResult(False, str(exc))
         else:

authentik/policies/process.py

@@ -144,6 +144,6 @@ class PolicyProcess(PROCESS_CLASS):
         """Task wrapper to run policy checking"""
         try:
             self.connection.send(self.profiling_wrapper())
-        except Exception as exc:
+        except Exception as exc:  # noqa
             LOGGER.warning("Policy failed to run", exc=exc)
             self.connection.send(PolicyResult(False, str(exc)))

authentik/providers/oauth2/api/providers.py

@@ -66,6 +66,7 @@ class OAuth2ProviderSerializer(ProviderSerializer):
             "access_code_validity",
             "access_token_validity",
             "refresh_token_validity",
+            "refresh_token_threshold",
             "include_claims_in_id_token",
             "signing_key",
             "encryption_key",

authentik/providers/oauth2/migrations/0030_oauth2provider_refresh_token_threshold.py

@@ -0,0 +1,23 @@
+# Generated by Django 5.1.12 on 2025-09-25 15:26
+
+import authentik.lib.utils.time
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_providers_oauth2", "0029_oauth2provider__backchannel_logout_uris"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="oauth2provider",
+            name="refresh_token_threshold",
+            field=models.TextField(
+                default="seconds=0",
+                help_text="When refreshing a token, if the refresh token is valid for less than this duration, it will be renewed. When set to seconds=0, token will always be renewed. (Format: hours=1;minutes=2;seconds=3).",
+                validators=[authentik.lib.utils.time.timedelta_string_validator],
+            ),
+        ),
+    ]

authentik/providers/oauth2/models.py

@@ -238,6 +238,16 @@ class OAuth2Provider(WebfingerProvider, Provider):
             "(Format: hours=1;minutes=2;seconds=3)."
         ),
     )
+    refresh_token_threshold = models.TextField(
+        default="seconds=0",
+        validators=[timedelta_string_validator],
+        help_text=_(
+            "When refreshing a token, if the refresh token is valid for less than "
+            "this duration, it will be renewed. "
+            "When set to seconds=0, token will always be renewed. "
+            "(Format: hours=1;minutes=2;seconds=3)."
+        ),
+    )
 
     sub_mode = models.TextField(
         choices=SubModes.choices,

authentik/providers/oauth2/tests/test_token.py

@@ -376,3 +376,63 @@ class TestToken(OAuthTestCase):
         )
         self.assertEqual(response.status_code, 400)
         self.assertTrue(Event.objects.filter(action=EventAction.SUSPICIOUS_REQUEST).exists())
+
+    @apply_blueprint("system/providers-oauth2.yaml")
+    def test_refresh_token_view_threshold(self):
+        """test request param"""
+        provider = OAuth2Provider.objects.create(
+            name=generate_id(),
+            authorization_flow=create_test_flow(),
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")],
+            signing_key=self.keypair,
+            refresh_token_threshold="hours=1",  # nosec
+        )
+        provider.property_mappings.set(
+            ScopeMapping.objects.filter(
+                managed__in=[
+                    "goauthentik.io/providers/oauth2/scope-openid",
+                    "goauthentik.io/providers/oauth2/scope-email",
+                    "goauthentik.io/providers/oauth2/scope-profile",
+                    "goauthentik.io/providers/oauth2/scope-offline_access",
+                ]
+            )
+        )
+        # Needs to be assigned to an application for iss to be set
+        self.app.provider = provider
+        self.app.save()
+        header = b64encode(f"{provider.client_id}:{provider.client_secret}".encode()).decode()
+        user = create_test_admin_user()
+        token: RefreshToken = RefreshToken.objects.create(
+            provider=provider,
+            user=user,
+            token=generate_id(),
+            _id_token=dumps({}),
+            auth_time=timezone.now(),
+            _scope="offline_access",
+        )
+        response = self.client.post(
+            reverse("authentik_providers_oauth2:token"),
+            data={
+                "grant_type": GRANT_TYPE_REFRESH_TOKEN,
+                "refresh_token": token.token,
+                "redirect_uri": "http://local.invalid",
+            },
+            HTTP_AUTHORIZATION=f"Basic {header}",
+            HTTP_ORIGIN="http://local.invalid",
+        )
+        self.assertEqual(response["Access-Control-Allow-Credentials"], "true")
+        self.assertEqual(response["Access-Control-Allow-Origin"], "http://local.invalid")
+        access: AccessToken = AccessToken.objects.filter(user=user, provider=provider).first()
+        self.assertJSONEqual(
+            response.content.decode(),
+            {
+                "access_token": access.token,
+                "token_type": TOKEN_TYPE,
+                "expires_in": 3600,
+                "id_token": provider.encode(
+                    access.id_token.to_dict(),
+                ),
+                "scope": "offline_access",
+            },
+        )
+        self.validate_jwt(access, provider)

authentik/providers/oauth2/tests/test_token_cc_user_pw.py

@@ -8,7 +8,12 @@ from jwt import decode
 
 from authentik.blueprints.tests import apply_blueprint
 from authentik.core.models import Application, Group, Token, TokenIntents, UserTypes
-from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow
+from authentik.core.tests.utils import (
+    create_test_admin_user,
+    create_test_cert,
+    create_test_flow,
+    create_test_user,
+)
 from authentik.policies.models import PolicyBinding
 from authentik.providers.oauth2.constants import (
     GRANT_TYPE_CLIENT_CREDENTIALS,
@@ -182,6 +187,47 @@ class TestTokenClientCredentialsUserNamePassword(OAuthTestCase):
         self.assertEqual(jwt["given_name"], self.user.name)
         self.assertEqual(jwt["preferred_username"], self.user.username)
 
+    def test_successful_two_tokens(self):
+        """test successful when two app passwords with the same key exist"""
+        Token.objects.create(
+            identifier="sa-token-two",
+            user=create_test_user(),
+            intent=TokenIntents.INTENT_APP_PASSWORD,
+            expiring=False,
+            key=self.token.key,
+        )
+
+        response = self.client.post(
+            reverse("authentik_providers_oauth2:token"),
+            {
+                "grant_type": GRANT_TYPE_CLIENT_CREDENTIALS,
+                "scope": f"{SCOPE_OPENID} {SCOPE_OPENID_EMAIL} {SCOPE_OPENID_PROFILE}",
+                "client_id": self.provider.client_id,
+                "username": "sa",
+                "password": self.token.key,
+            },
+        )
+        self.assertEqual(response.status_code, 200)
+        body = loads(response.content.decode())
+        self.assertEqual(body["token_type"], TOKEN_TYPE)
+        _, alg = self.provider.jwt_key
+        jwt = decode(
+            body["access_token"],
+            key=self.provider.signing_key.public_key,
+            algorithms=[alg],
+            audience=self.provider.client_id,
+        )
+        self.assertEqual(jwt["given_name"], self.user.name)
+        self.assertEqual(jwt["preferred_username"], self.user.username)
+        jwt = decode(
+            body["id_token"],
+            key=self.provider.signing_key.public_key,
+            algorithms=[alg],
+            audience=self.provider.client_id,
+        )
+        self.assertEqual(jwt["given_name"], self.user.name)
+        self.assertEqual(jwt["preferred_username"], self.user.username)
+
     def test_successful_password(self):
         """test successful (password grant)"""
         response = self.client.post(

authentik/providers/oauth2/views/token.py

@@ -340,7 +340,7 @@ class TokenParams:
         if not user:
             raise TokenError("invalid_grant")
         token: Token = Token.filter_not_expired(
-            key=password, intent=TokenIntents.INTENT_APP_PASSWORD
+            key=password, intent=TokenIntents.INTENT_APP_PASSWORD, user=user
         ).first()
         if not token or token.user.uid != user.uid:
             raise TokenError("invalid_grant")
@@ -684,32 +684,8 @@ class TokenView(View):
         )
         access_token.save()
 
-        refresh_token_expiry = now + timedelta_from_string(self.provider.refresh_token_validity)
-        refresh_token = RefreshToken(
-            user=self.params.refresh_token.user,
-            scope=self.params.refresh_token.scope,
-            expires=refresh_token_expiry,
-            provider=self.provider,
-            auth_time=self.params.refresh_token.auth_time,
-            session=self.params.refresh_token.session,
-        )
-        id_token = IDToken.new(
-            self.provider,
-            refresh_token,
-            self.request,
-        )
-        id_token.nonce = self.params.refresh_token.id_token.nonce
-        id_token.at_hash = access_token.at_hash
-        refresh_token.id_token = id_token
-        refresh_token.save()
-
-        # Mark old token as revoked
-        self.params.refresh_token.revoked = True
-        self.params.refresh_token.save()
-
-        return {
+        res = {
             "access_token": access_token.token,
-            "refresh_token": refresh_token.token,
             "token_type": TOKEN_TYPE,
             "scope": " ".join(access_token.scope),
             "expires_in": int(
@@ -718,6 +694,37 @@ class TokenView(View):
             "id_token": access_token.id_token.to_jwt(self.provider),
         }
 
+        refresh_token_threshold = timedelta_from_string(self.provider.refresh_token_threshold)
+        if (
+            refresh_token_threshold.total_seconds() == 0
+            or (now - self.params.refresh_token.expires) > refresh_token_threshold
+        ):
+            refresh_token_expiry = now + timedelta_from_string(self.provider.refresh_token_validity)
+            refresh_token = RefreshToken(
+                user=self.params.refresh_token.user,
+                scope=self.params.refresh_token.scope,
+                expires=refresh_token_expiry,
+                provider=self.provider,
+                auth_time=self.params.refresh_token.auth_time,
+                session=self.params.refresh_token.session,
+            )
+            id_token = IDToken.new(
+                self.provider,
+                refresh_token,
+                self.request,
+            )
+            id_token.nonce = self.params.refresh_token.id_token.nonce
+            id_token.at_hash = access_token.at_hash
+            refresh_token.id_token = id_token
+            refresh_token.save()
+
+            # Mark old token as revoked
+            self.params.refresh_token.revoked = True
+            self.params.refresh_token.save()
+            res["refresh_token"] = refresh_token.token
+
+        return res
+
     def create_client_credentials_response(self) -> dict[str, Any]:
         """See https://datatracker.ietf.org/doc/html/rfc6749#section-4.4"""
         now = timezone.now()

authentik/providers/oauth2/views/userinfo.py

@@ -60,7 +60,7 @@ class UserInfoView(View):
         for scope in scopes:
             if scope in special_scope_map:
                 scope_descriptions.append(
-                    PermissionDict(id=scope, name=str(special_scope_map[scope]))
+                    PermissionDict(id=str(scope), name=str(special_scope_map[scope]))
                 )
         return scope_descriptions
 

authentik/providers/rac/api/connection_tokens.py

@@ -3,7 +3,7 @@
 from rest_framework import mixins
 from rest_framework.viewsets import GenericViewSet
 
-from authentik.core.api.groups import GroupMemberSerializer
+from authentik.core.api.groups import PartialUserSerializer
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import ModelSerializer
 from authentik.providers.rac.api.endpoints import EndpointSerializer
@@ -16,7 +16,7 @@ class ConnectionTokenSerializer(ModelSerializer):
 
     provider_obj = RACProviderSerializer(source="provider", read_only=True)
     endpoint_obj = EndpointSerializer(source="endpoint", read_only=True)
-    user = GroupMemberSerializer(source="session.user", read_only=True)
+    user = PartialUserSerializer(source="session.user", read_only=True)
 
     class Meta:
         model = ConnectionToken

authentik/providers/radius/api/providers.py

@@ -23,13 +23,19 @@ from authentik.core.models import Application
 from authentik.events.models import Event, EventAction
 from authentik.lib.expression.exceptions import ControlFlowException
 from authentik.lib.sync.mapper import PropertyMappingManager
+from authentik.lib.utils.reflection import ConditionalInheritance
 from authentik.policies.api.exec import PolicyTestResultSerializer
 from authentik.policies.engine import PolicyEngine
 from authentik.policies.types import PolicyResult
 from authentik.providers.radius.models import RadiusProvider, RadiusProviderPropertyMapping
 
 
-class RadiusProviderSerializer(ProviderSerializer):
+class RadiusProviderSerializer(
+    ConditionalInheritance(
+        "authentik.enterprise.providers.radius.api.RadiusProviderSerializerMixin"
+    ),
+    ProviderSerializer,
+):
     """RadiusProvider Serializer"""
 
     outpost_set = ListField(child=CharField(), read_only=True, source="outpost_set.all")
@@ -43,6 +49,7 @@ class RadiusProviderSerializer(ProviderSerializer):
             "shared_secret",
             "outpost_set",
             "mfa_support",
+            "certificate",
         ]
         extra_kwargs = ProviderSerializer.Meta.extra_kwargs
 
@@ -78,6 +85,7 @@ class RadiusOutpostConfigSerializer(ModelSerializer):
             "client_networks",
             "shared_secret",
             "mfa_support",
+            "certificate",
         ]
 
 

authentik/providers/radius/migrations/0005_radiusprovider_certificate.py

@@ -0,0 +1,25 @@
+# Generated by Django 5.1.11 on 2025-07-20 17:20
+
+import django.db.models.deletion
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_crypto", "0004_alter_certificatekeypair_name"),
+        ("authentik_providers_radius", "0004_alter_radiusproviderpropertymapping_options"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="radiusprovider",
+            name="certificate",
+            field=models.ForeignKey(
+                default=None,
+                null=True,
+                on_delete=django.db.models.deletion.CASCADE,
+                to="authentik_crypto.certificatekeypair",
+            ),
+        ),
+    ]

authentik/providers/radius/models.py

@@ -1,11 +1,14 @@
 """Radius Provider"""
 
+from collections.abc import Iterable
+
 from django.db import models
 from django.templatetags.static import static
 from django.utils.translation import gettext_lazy as _
 from rest_framework.serializers import Serializer
 
 from authentik.core.models import PropertyMapping, Provider
+from authentik.crypto.models import CertificateKeyPair
 from authentik.lib.generators import generate_id
 from authentik.outposts.models import OutpostModel
 
@@ -38,6 +41,10 @@ class RadiusProvider(OutpostModel, Provider):
         ),
     )
 
+    certificate = models.ForeignKey(
+        CertificateKeyPair, on_delete=models.CASCADE, default=None, null=True
+    )
+
     @property
     def launch_url(self) -> str | None:
         """Radius never has a launch URL"""
@@ -57,6 +64,12 @@ class RadiusProvider(OutpostModel, Provider):
 
         return RadiusProviderSerializer
 
+    def get_required_objects(self) -> Iterable[models.Model | str]:
+        required = [self, "authentik_stages_mtls.pass_outpost_certificate"]
+        if self.certificate is not None:
+            required.append(self.certificate)
+        return required
+
     def __str__(self):
         return f"Radius Provider {self.name}"
 

authentik/providers/saml/processors/assertion.py

@@ -239,32 +239,33 @@ class AssertionProcessor:
                 ).from_http(self.http_request)
                 LOGGER.warning("Failed to evaluate property mapping", exc=exc)
                 return name_id
-        if name_id.attrib["Format"] == SAML_NAME_ID_FORMAT_EMAIL:
+        if self.auth_n_request.name_id_policy == SAML_NAME_ID_FORMAT_EMAIL:
             name_id.text = self.http_request.user.email
             return name_id
-        if name_id.attrib["Format"] in [
+        if self.auth_n_request.name_id_policy in [
             SAML_NAME_ID_FORMAT_PERSISTENT,
             SAML_NAME_ID_FORMAT_UNSPECIFIED,
         ]:
             name_id.text = persistent
             return name_id
-        if name_id.attrib["Format"] == SAML_NAME_ID_FORMAT_X509:
+        if self.auth_n_request.name_id_policy == SAML_NAME_ID_FORMAT_X509:
             # This attribute is statically set by the LDAP source
             name_id.text = self.http_request.user.attributes.get(
                 LDAP_DISTINGUISHED_NAME, persistent
             )
             return name_id
-        if name_id.attrib["Format"] == SAML_NAME_ID_FORMAT_WINDOWS:
+        if self.auth_n_request.name_id_policy == SAML_NAME_ID_FORMAT_WINDOWS:
             # This attribute is statically set by the LDAP source
             name_id.text = self.http_request.user.attributes.get("upn", persistent)
             return name_id
-        if name_id.attrib["Format"] == SAML_NAME_ID_FORMAT_TRANSIENT:
+        if self.auth_n_request.name_id_policy == SAML_NAME_ID_FORMAT_TRANSIENT:
             # Use the hash of the user's session, which changes every session
             session_key: str = self.http_request.session.session_key
             name_id.text = sha256(session_key.encode()).hexdigest()
             return name_id
         raise UnsupportedNameIDFormat(
-            f"Assertion contains NameID with unsupported format {name_id.attrib['Format']}."
+            "Assertion contains NameID with unsupported "
+            f"format {self.auth_n_request.name_id_policy}."
         )
 
     def get_assertion_subject(self) -> Element:

authentik/providers/saml/tests/test_auth_n_request.py

@@ -97,6 +97,7 @@ class TestAuthNRequest(TestCase):
             pre_authentication_flow=create_test_flow(),
             signing_kp=self.cert,
             verification_kp=self.cert,
+            signed_assertion=True,
         )
 
     def test_signed_valid(self):
@@ -171,6 +172,7 @@ class TestAuthNRequest(TestCase):
         self.provider.sign_assertion = True
         self.provider.sign_response = True
         self.provider.save()
+        self.source.signed_response = True
         http_request = get_request("/")
 
         # First create an AuthNRequest

authentik/providers/scim/api/groups.py

@@ -4,7 +4,7 @@ from rest_framework import mixins
 from rest_framework.viewsets import GenericViewSet
 
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.users import UserGroupSerializer
+from authentik.core.api.users import PartialGroupSerializer
 from authentik.core.api.utils import ModelSerializer
 from authentik.lib.sync.outgoing.api import OutgoingSyncConnectionCreateMixin
 from authentik.providers.scim.models import SCIMProviderGroup
@@ -13,7 +13,7 @@ from authentik.providers.scim.models import SCIMProviderGroup
 class SCIMProviderGroupSerializer(ModelSerializer):
     """SCIMProviderGroup Serializer"""
 
-    group_obj = UserGroupSerializer(source="group", read_only=True)
+    group_obj = PartialGroupSerializer(source="group", read_only=True)
 
     class Meta:
 

authentik/providers/scim/api/providers.py

@@ -5,11 +5,15 @@ from rest_framework.viewsets import ModelViewSet
 from authentik.core.api.providers import ProviderSerializer
 from authentik.core.api.used_by import UsedByMixin
 from authentik.lib.sync.outgoing.api import OutgoingSyncProviderStatusMixin
+from authentik.lib.utils.reflection import ConditionalInheritance
 from authentik.providers.scim.models import SCIMProvider
 from authentik.providers.scim.tasks import scim_sync, scim_sync_objects
 
 
-class SCIMProviderSerializer(ProviderSerializer):
+class SCIMProviderSerializer(
+    ConditionalInheritance("authentik.enterprise.providers.scim.api.SCIMProviderSerializerMixin"),
+    ProviderSerializer,
+):
     """SCIMProvider Serializer"""
 
     class Meta:
@@ -28,6 +32,9 @@ class SCIMProviderSerializer(ProviderSerializer):
             "url",
             "verify_certificates",
             "token",
+            "auth_mode",
+            "auth_oauth",
+            "auth_oauth_params",
             "compatibility_mode",
             "exclude_users_service_account",
             "filter_group",

authentik/providers/scim/api/users.py

@@ -3,7 +3,7 @@
 from rest_framework import mixins
 from rest_framework.viewsets import GenericViewSet
 
-from authentik.core.api.groups import GroupMemberSerializer
+from authentik.core.api.groups import PartialUserSerializer
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import ModelSerializer
 from authentik.lib.sync.outgoing.api import OutgoingSyncConnectionCreateMixin
@@ -13,7 +13,7 @@ from authentik.providers.scim.models import SCIMProviderUser
 class SCIMProviderUserSerializer(ModelSerializer):
     """SCIMProviderUser Serializer"""
 
-    user_obj = GroupMemberSerializer(source="user", read_only=True)
+    user_obj = PartialUserSerializer(source="user", read_only=True)
 
     class Meta:
 

authentik/providers/scim/clients/auth.py

@@ -0,0 +1,16 @@
+from typing import TYPE_CHECKING
+
+from requests import Request
+
+if TYPE_CHECKING:
+    from authentik.providers.scim.models import SCIMProvider
+
+
+class SCIMTokenAuth:
+
+    def __init__(self, provider: "SCIMProvider"):
+        self.provider = provider
+
+    def __call__(self, request: Request) -> Request:
+        request.headers["Authorization"] = f"Bearer {self.provider.token}"
+        return request

authentik/providers/scim/clients/base.py

@@ -35,7 +35,6 @@ class SCIMClient[TModel: "Model", TConnection: "Model", TSchema: "BaseModel"](
     """SCIM Client"""
 
     base_url: str
-    token: str
 
     _session: Session
     _config: ServiceProviderConfiguration
@@ -45,12 +44,12 @@ class SCIMClient[TModel: "Model", TConnection: "Model", TSchema: "BaseModel"](
         self._session = get_http_session()
         self._session.verify = provider.verify_certificates
         self.provider = provider
+        self.auth = provider.scim_auth()
         # Remove trailing slashes as we assume the URL doesn't have any
         base_url = provider.url
         if base_url.endswith("/"):
             base_url = base_url[:-1]
         self.base_url = base_url
-        self.token = provider.token
         self._config = self.get_service_provider_config()
 
     def _request(self, method: str, path: str, **kwargs) -> dict:
@@ -62,8 +61,8 @@ class SCIMClient[TModel: "Model", TConnection: "Model", TSchema: "BaseModel"](
                 method,
                 f"{self.base_url}{path}",
                 **kwargs,
+                auth=self.auth,
                 headers={
-                    "Authorization": f"Bearer {self.token}",
                     "Accept": "application/scim+json",
                     "Content-Type": "application/scim+json",
                 },
@@ -89,10 +88,11 @@ class SCIMClient[TModel: "Model", TConnection: "Model", TSchema: "BaseModel"](
     def get_service_provider_config(self):
         """Get Service provider config"""
         default_config = ServiceProviderConfiguration.default()
+        path = "/ServiceProviderConfig"
+        if self.provider.compatibility_mode == SCIMCompatibilityMode.SALESFORCE:
+            path = "/ServiceProviderConfigs"
         try:
-            config = ServiceProviderConfiguration.model_validate(
-                self._request("GET", "/ServiceProviderConfig")
-            )
+            config = ServiceProviderConfiguration.model_validate(self._request("GET", path))
             if self.provider.compatibility_mode == SCIMCompatibilityMode.AWS:
                 config.patch.supported = False
             if self.provider.compatibility_mode == SCIMCompatibilityMode.SLACK:

authentik/providers/scim/clients/users.py

@@ -72,7 +72,8 @@ class SCIMUserClient(SCIMClient[User, SCIMProviderUser, SCIMUserSchema]):
                 if not self._config.filter.supported:
                     raise exc
                 users = self._request(
-                    "GET", f"/Users?{urlencode({'filter': f'userName eq {scim_user.userName}'})}"
+                    "GET",
+                    f"/Users?{urlencode({'filter': f'userName eq \"{scim_user.userName}\"'})}",
                 )
                 users_res = users.get("Resources", [])
                 if len(users_res) < 1:

authentik/providers/scim/migrations/0014_scimprovider_auth_mode_scimprovider_auth_oauth_and_more.py

@@ -0,0 +1,59 @@
+# Generated by Django 5.1.12 on 2025-09-23 12:31
+
+import django.db.models.deletion
+from django.conf import settings
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_providers_scim", "0013_scimprovidergroup_attributes_and_more"),
+        ("authentik_sources_oauth", "0011_useroauthsourceconnection_expires"),
+        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="scimprovider",
+            name="auth_mode",
+            field=models.TextField(
+                choices=[("token", "Token"), ("oauth", "OAuth")], default="token"
+            ),
+        ),
+        migrations.AddField(
+            model_name="scimprovider",
+            name="auth_oauth",
+            field=models.ForeignKey(
+                default=None,
+                help_text="OAuth Source used for authentication",
+                null=True,
+                on_delete=django.db.models.deletion.SET_DEFAULT,
+                to="authentik_sources_oauth.oauthsource",
+            ),
+        ),
+        migrations.AddField(
+            model_name="scimprovider",
+            name="auth_oauth_params",
+            field=models.JSONField(
+                blank=True,
+                default=dict,
+                help_text="Additional OAuth parameters, such as grant_type",
+            ),
+        ),
+        migrations.AddField(
+            model_name="scimprovider",
+            name="auth_oauth_user",
+            field=models.ForeignKey(
+                default=None,
+                null=True,
+                on_delete=django.db.models.deletion.CASCADE,
+                to=settings.AUTH_USER_MODEL,
+            ),
+        ),
+        migrations.AlterField(
+            model_name="scimprovider",
+            name="token",
+            field=models.TextField(blank=True, help_text="Authentication token"),
+        ),
+    ]

authentik/providers/scim/migrations/0015_alter_scimprovider_compatibility_mode.py

@@ -0,0 +1,32 @@
+# Generated by Django 5.1.12 on 2025-09-24 12:10
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        (
+            "authentik_providers_scim",
+            "0014_scimprovider_auth_mode_scimprovider_auth_oauth_and_more",
+        ),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="scimprovider",
+            name="compatibility_mode",
+            field=models.CharField(
+                choices=[
+                    ("default", "Default"),
+                    ("aws", "AWS"),
+                    ("slack", "Slack"),
+                    ("sfdc", "Salesforce"),
+                ],
+                default="default",
+                help_text="Alter authentik behavior for vendor-specific SCIM implementations.",
+                max_length=30,
+                verbose_name="SCIM Compatibility Mode",
+            ),
+        ),
+    ]

authentik/providers/scim/models.py

@@ -8,12 +8,17 @@ from django.db.models import QuerySet
 from django.templatetags.static import static
 from django.utils.translation import gettext_lazy as _
 from dramatiq.actor import Actor
+from requests.auth import AuthBase
 from rest_framework.serializers import Serializer
+from structlog.stdlib import get_logger
 
 from authentik.core.models import BackchannelProvider, Group, PropertyMapping, User, UserTypes
 from authentik.lib.models import SerializerModel
 from authentik.lib.sync.outgoing.base import BaseOutgoingSyncClient
 from authentik.lib.sync.outgoing.models import OutgoingSyncProvider
+from authentik.providers.scim.clients.auth import SCIMTokenAuth
+
+LOGGER = get_logger()
 
 
 class SCIMProviderUser(SerializerModel):
@@ -60,12 +65,20 @@ class SCIMProviderGroup(SerializerModel):
         return f"SCIM Provider Group {self.group_id} to {self.provider_id}"
 
 
+class SCIMAuthenticationMode(models.TextChoices):
+    """SCIM authentication modes"""
+
+    TOKEN = "token", _("Token")
+    OAUTH = "oauth", _("OAuth")
+
+
 class SCIMCompatibilityMode(models.TextChoices):
     """SCIM compatibility mode"""
 
     DEFAULT = "default", _("Default")
     AWS = "aws", _("AWS")
     SLACK = "slack", _("Slack")
+    SALESFORCE = "sfdc", _("Salesforce")
 
 
 class SCIMProvider(OutgoingSyncProvider, BackchannelProvider):
@@ -78,7 +91,26 @@ class SCIMProvider(OutgoingSyncProvider, BackchannelProvider):
     )
 
     url = models.TextField(help_text=_("Base URL to SCIM requests, usually ends in /v2"))
-    token = models.TextField(help_text=_("Authentication token"))
+
+    auth_mode = models.TextField(
+        choices=SCIMAuthenticationMode.choices, default=SCIMAuthenticationMode.TOKEN
+    )
+
+    token = models.TextField(help_text=_("Authentication token"), blank=True)
+    auth_oauth = models.ForeignKey(
+        "authentik_sources_oauth.OAuthSource",
+        on_delete=models.SET_DEFAULT,
+        default=None,
+        null=True,
+        help_text=_("OAuth Source used for authentication"),
+    )
+    auth_oauth_params = models.JSONField(
+        blank=True, default=dict, help_text=_("Additional OAuth parameters, such as grant_type")
+    )
+    auth_oauth_user = models.ForeignKey(
+        "authentik_core.User", on_delete=models.CASCADE, default=None, null=True
+    )
+
     verify_certificates = models.BooleanField(default=True)
 
     property_mappings_group = models.ManyToManyField(
@@ -96,6 +128,16 @@ class SCIMProvider(OutgoingSyncProvider, BackchannelProvider):
         help_text=_("Alter authentik behavior for vendor-specific SCIM implementations."),
     )
 
+    def scim_auth(self) -> AuthBase:
+        if self.auth_mode == SCIMAuthenticationMode.OAUTH:
+            try:
+                from authentik.enterprise.providers.scim.auth_oauth2 import SCIMOAuthAuth
+
+                return SCIMOAuthAuth(self)
+            except ImportError:
+                LOGGER.warning("Failed to import SCIM OAuth Client")
+        return SCIMTokenAuth(self)
+
     @property
     def icon_url(self) -> str | None:
         return static("authentik/sources/scim.png")

authentik/rbac/api/rbac_assigned_by_users.py

@@ -1,5 +1,6 @@
 """common RBAC serializers"""
 
+from django.contrib.auth.models import Permission
 from django.db.models import Q, QuerySet
 from django.db.transaction import atomic
 from django_filters.filters import CharFilter, ChoiceFilter
@@ -15,9 +16,9 @@ from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.viewsets import GenericViewSet
 
-from authentik.core.api.groups import GroupMemberSerializer
+from authentik.core.api.groups import PartialUserSerializer
 from authentik.core.api.utils import ModelSerializer
-from authentik.core.models import User, UserTypes
+from authentik.core.models import Group, User, UserTypes
 from authentik.policies.event_matcher.models import model_choices
 from authentik.rbac.api.rbac import PermissionAssignResultSerializer, PermissionAssignSerializer
 from authentik.rbac.decorators import permission_required
@@ -37,15 +38,15 @@ class UserObjectPermissionSerializer(ModelSerializer):
         fields = ["id", "codename", "model", "app_label", "object_pk", "name"]
 
 
-class UserAssignedObjectPermissionSerializer(GroupMemberSerializer):
+class UserAssignedObjectPermissionSerializer(PartialUserSerializer):
     """Users assigned object permission serializer"""
 
     permissions = UserObjectPermissionSerializer(many=True, source="userobjectpermission_set")
     is_superuser = BooleanField()
 
     class Meta:
-        model = GroupMemberSerializer.Meta.model
-        fields = GroupMemberSerializer.Meta.fields + ["permissions", "is_superuser"]
+        model = PartialUserSerializer.Meta.model
+        fields = PartialUserSerializer.Meta.fields + ["permissions", "is_superuser"]
 
 
 class UserAssignedPermissionFilter(FilterSet):
@@ -54,26 +55,56 @@ class UserAssignedPermissionFilter(FilterSet):
     model = ChoiceFilter(choices=model_choices(), method="filter_model", required=True)
     object_pk = CharFilter(method="filter_object_pk")
 
+    def filter_queryset(self, queryset):
+        queryset = super().filter_queryset(queryset)
+        data = self.form.cleaned_data
+        model: str = data["model"]
+        object_pk: str | None = data.get("object_pk", None)
+        app, _, model = model.partition(".")
+
+        superuser_pks = (
+            Group.objects.filter(is_superuser=True).values_list("users", flat=True).distinct()
+        )
+
+        permissions = Permission.objects.filter(
+            content_type__app_label=app,
+            content_type__model=model,
+        )
+
+        user_pks_with_model_permission = (
+            permissions.order_by().values_list("user", flat=True).distinct()
+        )
+        user_pks_with_object_permission = []
+        if object_pk:
+            user_pks_with_object_permission = (
+                UserObjectPermission.objects.filter(
+                    permission__in=permissions,
+                    object_pk=object_pk,
+                )
+                .order_by()
+                .values_list("user", flat=True)
+                .distinct()
+            )
+
+        return queryset.filter(
+            Q(pk__in=superuser_pks)
+            | Q(pk__in=user_pks_with_model_permission)
+            | Q(pk__in=user_pks_with_object_permission)
+        )
+
     def filter_model(self, queryset: QuerySet, name, value: str) -> QuerySet:
         """Filter by object type"""
-        app, _, model = value.partition(".")
-        return queryset.filter(
-            Q(
-                user_permissions__content_type__app_label=app,
-                user_permissions__content_type__model=model,
-            )
-            | Q(
-                userobjectpermission__permission__content_type__app_label=app,
-                userobjectpermission__permission__content_type__model=model,
-            )
-            | Q(ak_groups__is_superuser=True)
-        ).distinct()
+        # Actual filtering is handled by the above method where both `model` and `object_pk` are
+        # available. Don't do anything here, this method is only left here to avoid overriding too
+        # much of filter_queryset.
+        return queryset
 
     def filter_object_pk(self, queryset: QuerySet, name, value: str) -> QuerySet:
         """Filter by object primary key"""
-        return queryset.filter(
-            Q(userobjectpermission__object_pk=value) | Q(ak_groups__is_superuser=True),
-        ).distinct()
+        # Actual filtering is handled by the above method where both `model` and `object_pk` are
+        # available. Don't do anything here, this method is only left here to avoid overriding too
+        # much of filter_queryset.
+        return queryset
 
 
 class UserAssignedPermissionViewSet(ListModelMixin, GenericViewSet):
@@ -83,7 +114,7 @@ class UserAssignedPermissionViewSet(ListModelMixin, GenericViewSet):
     ordering = ["username"]
     # The filtering is done in the filterset,
     # which has a required filter that does the heavy lifting
-    queryset = User.objects.all()
+    queryset = User.objects.all().prefetch_related("userobjectpermission_set")
     filterset_class = UserAssignedPermissionFilter
 
     @permission_required("authentik_core.assign_user_permissions")

authentik/rbac/middleware.py

@@ -61,7 +61,8 @@ class InitialPermissionsMiddleware:
     ):
         if not created:
             return
-        if request.request_id != _CTX_REQUEST.get().request_id:
+        current_request = _CTX_REQUEST.get()
+        if current_request is None or request.request_id != current_request.request_id:
             return
         user: User = request.user
         if not user or user.is_anonymous:

authentik/recovery/management/commands/create_recovery_key.py

@@ -3,6 +3,7 @@
 from datetime import timedelta
 from getpass import getuser
 
+from django.utils.timesince import timesince
 from django.utils.timezone import now
 from django.utils.translation import gettext as _
 
@@ -16,25 +17,38 @@ class Command(TenantCommand):
 
     help = _("Create a Key which can be used to restore access to authentik.")
 
+    def format_duration_message(self, duration: int) -> str:
+        """Format duration in minutes to a human-readable message"""
+        current_time = now()
+        future_time = current_time + timedelta(minutes=duration)
+
+        # fyi a non-breaking space is returned by timesince
+        return timesince(current_time, future_time)
+
     def add_arguments(self, parser):
         parser.add_argument(
             "duration",
-            default=1,
-            action="store",
-            help="How long the token is valid for (in years).",
+            nargs="?",
+            default=60,
+            type=int,
+            help="How long the token is valid for (in minutes). Default: 60 minutes (1 hour).",
         )
         parser.add_argument("user", action="store", help="Which user the Token gives access to.")
 
     def handle_per_tenant(self, *args, **options):
         """Create Token used to recover access"""
-        duration = int(options.get("duration", 1))
-        expiry = now() + timedelta(days=duration * 365.2425)
+        duration = int(options.get("duration", 60))
+        expiry = now() + timedelta(minutes=duration)
         user = User.objects.filter(username=options.get("user")).first()
         if not user:
             self.stderr.write(f"User '{options.get('user')}' not found.")
             return
         _, url = create_recovery_token(user, expiry, getuser())
+
+        duration_msg = self.format_duration_message(duration)
+
         self.stdout.write(
             f"Store this link safely, as it will allow anyone to access authentik as {user}."
         )
+        self.stdout.write(f"This recovery token is valid for {duration_msg}.")
         self.stdout.write(url)

authentik/recovery/tests.py

@@ -1,10 +1,12 @@
 """recovery tests"""
 
+from datetime import timedelta
 from io import StringIO
 
 from django.core.management import call_command
 from django.test import TestCase
 from django.urls import reverse
+from django.utils.timezone import now
 from django_tenants.utils import get_public_schema_name
 
 from authentik.core.models import Token, TokenIntents, User
@@ -22,20 +24,21 @@ class TestRecovery(TestCase):
         self.assertEqual(len(Token.objects.filter(intent=TokenIntents.INTENT_RECOVERY)), 0)
         call_command(
             "create_recovery_key",
-            "1",
+            "5",
             self.user.username,
             schema=get_public_schema_name(),
             stdout=out,
         )
         token = Token.objects.get(intent=TokenIntents.INTENT_RECOVERY, user=self.user)
         self.assertIn(token.key, out.getvalue())
+        self.assertIn("valid for 5\xa0minutes", out.getvalue())
         self.assertEqual(len(Token.objects.filter(intent=TokenIntents.INTENT_RECOVERY)), 1)
 
     def test_create_key_invalid(self):
         """Test creation of a new key (invalid)"""
         out = StringIO()
         self.assertEqual(len(Token.objects.filter(intent=TokenIntents.INTENT_RECOVERY)), 0)
-        call_command("create_recovery_key", "1", "foo", schema=get_public_schema_name(), stderr=out)
+        call_command("create_recovery_key", "5", "foo", schema=get_public_schema_name(), stderr=out)
         self.assertIn("not found", out.getvalue())
 
     def test_recovery_view(self):
@@ -43,7 +46,7 @@ class TestRecovery(TestCase):
         out = StringIO()
         call_command(
             "create_recovery_key",
-            "1",
+            "10",
             self.user.username,
             schema=get_public_schema_name(),
             stdout=out,
@@ -71,3 +74,116 @@ class TestRecovery(TestCase):
         )
         self.assertIn("successfully added to", out.getvalue())
         self.assertTrue(self.user.is_superuser)
+
+    def test_create_key_default_duration(self):
+        """Test creation of a new key with default duration (60 minutes)"""
+        out = StringIO()
+        before_creation = now()
+        call_command(
+            "create_recovery_key",
+            self.user.username,
+            schema=get_public_schema_name(),
+            stdout=out,
+        )
+        after_creation = now()
+
+        token = Token.objects.get(intent=TokenIntents.INTENT_RECOVERY, user=self.user)
+        self.assertIn(token.key, out.getvalue())
+        self.assertIn("valid for 1\xa0hour", out.getvalue())
+
+        # Verify the token expires in approximately 60 minutes (default)
+        expected_expiry_min = before_creation + timedelta(minutes=60)
+        expected_expiry_max = after_creation + timedelta(minutes=60)
+        self.assertGreaterEqual(token.expires, expected_expiry_min)
+        self.assertLessEqual(token.expires, expected_expiry_max)
+
+    def test_create_key_custom_duration(self):
+        """Test creation of a new key with custom duration"""
+        out = StringIO()
+        custom_duration = 120  # 2 hours
+        before_creation = now()
+
+        call_command(
+            "create_recovery_key",
+            str(custom_duration),
+            self.user.username,
+            schema=get_public_schema_name(),
+            stdout=out,
+        )
+        after_creation = now()
+
+        token = Token.objects.get(intent=TokenIntents.INTENT_RECOVERY, user=self.user)
+        self.assertIn(token.key, out.getvalue())
+        self.assertIn("valid for 2\xa0hours", out.getvalue())
+
+        # Verify the token expires in approximately the custom duration
+        expected_expiry_min = before_creation + timedelta(minutes=custom_duration)
+        expected_expiry_max = after_creation + timedelta(minutes=custom_duration)
+        self.assertGreaterEqual(token.expires, expected_expiry_min)
+        self.assertLessEqual(token.expires, expected_expiry_max)
+
+    def test_create_key_short_duration(self):
+        """Test creation of a new key with very short duration (1 minute)"""
+        out = StringIO()
+        short_duration = 1
+        before_creation = now()
+
+        call_command(
+            "create_recovery_key",
+            str(short_duration),
+            self.user.username,
+            schema=get_public_schema_name(),
+            stdout=out,
+        )
+        after_creation = now()
+
+        token = Token.objects.get(intent=TokenIntents.INTENT_RECOVERY, user=self.user)
+        self.assertIn(token.key, out.getvalue())
+        self.assertIn("valid for 1\xa0minute", out.getvalue())
+
+        # Verify the token expires in approximately 1 minute
+        expected_expiry_min = before_creation + timedelta(minutes=short_duration)
+        expected_expiry_max = after_creation + timedelta(minutes=short_duration)
+        self.assertGreaterEqual(token.expires, expected_expiry_min)
+        self.assertLessEqual(token.expires, expected_expiry_max)
+
+    def test_create_key_duration_validation(self):
+        """Test that the duration is correctly converted to minutes"""
+        # Test various durations to ensure they're calculated correctly
+        test_cases = [1, 5, 30, 60, 120, 1440]  # 1min, 5min, 30min, 1hr, 2hr, 24hr
+
+        for duration in test_cases:
+            with self.subTest(duration=duration):
+                out = StringIO()
+                before_creation = now()
+
+                call_command(
+                    "create_recovery_key",
+                    str(duration),
+                    self.user.username,
+                    schema=get_public_schema_name(),
+                    stdout=out,
+                )
+                after_creation = now()
+
+                token = Token.objects.get(intent=TokenIntents.INTENT_RECOVERY, user=self.user)
+
+                # Verify the token expires in approximately the specified duration
+                expected_expiry_min = before_creation + timedelta(minutes=duration)
+                expected_expiry_max = after_creation + timedelta(minutes=duration)
+                self.assertGreaterEqual(token.expires, expected_expiry_min)
+                self.assertLessEqual(token.expires, expected_expiry_max)
+
+                # Clean up for next iteration
+                token.delete()
+
+    def test_create_key_help_text(self):
+        """Test that the help text correctly indicates minutes"""
+        from authentik.recovery.management.commands.create_recovery_key import Command
+
+        command = Command()
+        # Check that the help text mentions minutes
+        parser = command.create_parser("test", "create_recovery_key")
+        help_text = parser.format_help()
+        self.assertIn("minutes", help_text.lower())
+        self.assertNotIn("years", help_text.lower())

authentik/root/settings.py

@@ -175,6 +175,7 @@ SPECTACULAR_SETTINGS = {
         "SAMLNameIDPolicyEnum": "authentik.sources.saml.models.SAMLNameIDPolicy",
         "UserTypeEnum": "authentik.core.models.UserTypes",
         "UserVerificationEnum": "authentik.stages.authenticator_webauthn.models.UserVerification",
+        "SCIMAuthenticationModeEnum": "authentik.providers.scim.models.SCIMAuthenticationMode",
     },
     "ENUM_ADD_EXPLICIT_BLANK_NULL_CHOICE": False,
     "ENUM_GENERATE_CHOICE_DESCRIPTION": False,
@@ -183,6 +184,8 @@ SPECTACULAR_SETTINGS = {
     ],
     "POSTPROCESSING_HOOKS": [
         "authentik.api.schema.postprocess_schema_responses",
+        "authentik.api.schema.postprocess_schema_pagination",
+        "authentik.api.schema.postprocess_schema_remove_unused",
         "drf_spectacular.hooks.postprocess_schema_enums",
     ],
 }
@@ -255,6 +258,7 @@ MIDDLEWARE = [
     "authentik.root.middleware.LoggingMiddleware",
     "authentik.root.middleware.ClientIPMiddleware",
     "authentik.stages.user_login.middleware.BoundSessionMiddleware",
+    "django.middleware.locale.LocaleMiddleware",
     "authentik.core.middleware.AuthenticationMiddleware",
     "authentik.core.middleware.RequestIDMiddleware",
     "authentik.brands.middleware.BrandMiddleware",
@@ -413,7 +417,10 @@ DRAMATIQ = {
         ("dramatiq.middleware.pipelines.Pipelines", {}),
         (
             "dramatiq.middleware.retries.Retries",
-            {"max_retries": CONFIG.get_int("worker.task_max_retries") if not TEST else 0},
+            {
+                "max_retries": CONFIG.get_int("worker.task_max_retries") if not TEST else 0,
+                "max_backoff": 60 * 60 * 1000,  # 1 hour
+            },
         ),
         ("dramatiq.results.middleware.Results", {"store_results": True}),
         ("django_dramatiq_postgres.middleware.CurrentTask", {}),

authentik/root/signals.py

@@ -1,7 +1,6 @@
 from datetime import timedelta
 
-from django.core.signals import Signal
-from django.dispatch import receiver
+from django.dispatch import Signal, receiver
 from django.utils.timezone import now
 from structlog.stdlib import get_logger
 

authentik/root/test_runner.py

@@ -177,6 +177,6 @@ class PytestTestRunner(DiscoverRunner):  # pragma: no cover
         with patch("guardian.shortcuts._get_ct_cached", patched__get_ct_cached):
             try:
                 return pytest.main(self.args)
-            except Exception as e:
+            except Exception as e:  # noqa
                 self.logger.error("Error running tests", error=str(e), test_files=self.args)
                 return 1

authentik/sources/oauth/api/source_connection.py

@@ -12,7 +12,7 @@ from authentik.sources.oauth.models import GroupOAuthSourceConnection, UserOAuth
 class UserOAuthSourceConnectionSerializer(UserSourceConnectionSerializer):
     class Meta(UserSourceConnectionSerializer.Meta):
         model = UserOAuthSourceConnection
-        fields = UserSourceConnectionSerializer.Meta.fields + ["access_token"]
+        fields = UserSourceConnectionSerializer.Meta.fields + ["access_token", "expires"]
         extra_kwargs = {
             **UserSourceConnectionSerializer.Meta.extra_kwargs,
             "access_token": {"write_only": True},

authentik/sources/oauth/clients/oauth2.py

@@ -59,13 +59,15 @@ class OAuth2Client(BaseOAuthClient):
         """Get client secret"""
         return self.source.consumer_secret
 
-    def get_access_token_args(self, callback: str, code: str) -> dict[str, Any]:
+    def get_access_token_args(self, callback: str | None, code: str | None) -> dict[str, Any]:
         args = {
-            "redirect_uri": callback,
-            "code": code,
             "grant_type": "authorization_code",
         }
-        if SESSION_KEY_OAUTH_PKCE in self.request.session:
+        if callback:
+            args["redirect_uri"] = callback
+        if code:
+            args["code"] = code
+        if self.request and SESSION_KEY_OAUTH_PKCE in self.request.session:
             args["code_verifier"] = self.request.session[SESSION_KEY_OAUTH_PKCE]
         if (
             self.source.source_type.authorization_code_auth_method

authentik/sources/oauth/migrations/0011_useroauthsourceconnection_expires.py

@@ -0,0 +1,19 @@
+# Generated by Django 5.1.12 on 2025-09-21 17:01
+
+import django.utils.timezone
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_sources_oauth", "0010_oauthsource_authorization_code_auth_method"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="useroauthsourceconnection",
+            name="expires",
+            field=models.DateTimeField(default=django.utils.timezone.now),
+        ),
+    ]

authentik/sources/oauth/models.py

@@ -5,6 +5,7 @@ from typing import TYPE_CHECKING
 from django.db import models
 from django.http.request import HttpRequest
 from django.urls import reverse
+from django.utils.timezone import now
 from django.utils.translation import gettext_lazy as _
 from rest_framework.serializers import Serializer
 
@@ -311,6 +312,11 @@ class UserOAuthSourceConnection(UserSourceConnection):
     """Authorized remote OAuth provider."""
 
     access_token = models.TextField(blank=True, null=True, default=None)
+    expires = models.DateTimeField(default=now)
+
+    @property
+    def is_valid(self):
+        return self.expires > now()
 
     @property
     def serializer(self) -> type[Serializer]:

authentik/sources/oauth/tests/test_views.py

@@ -1,10 +1,17 @@
 """OAuth Source tests"""
 
+from urllib.parse import parse_qs
+
 from django.urls import reverse
 from requests_mock import Mocker
 from rest_framework.test import APITestCase
 
+from authentik.core.models import User
 from authentik.core.tests.utils import create_test_admin_user
+from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlan
+from authentik.flows.stage import PLAN_CONTEXT_PENDING_USER_IDENTIFIER
+from authentik.flows.views.executor import SESSION_KEY_PLAN
+from authentik.lib.generators import generate_id
 from authentik.sources.oauth.api.source import OAuthSourceSerializer
 from authentik.sources.oauth.models import OAuthSource
 
@@ -124,20 +131,68 @@ class TestOAuthSource(APITestCase):
             )
             self.assertFalse(serializer.is_valid())
 
-    def test_source_redirect(self):
-        """test redirect view"""
-        self.client.get(
+    def test_source_redirect_login_hint_user(self):
+        """test redirect view with login hint"""
+        user = User(email="foo@authentik.company")
+        session = self.client.session
+        plan = FlowPlan(generate_id())
+        plan.context[PLAN_CONTEXT_PENDING_USER] = user
+        session[SESSION_KEY_PLAN] = plan
+        session.save()
+
+        res = self.client.get(
             reverse(
                 "authentik_sources_oauth:oauth-client-login",
                 kwargs={"source_slug": self.source.slug},
             )
         )
+        self.assertEqual(res.status_code, 302)
+        qs = parse_qs(res.url)
+        self.assertEqual(qs["login_hint"], ["foo@authentik.company"])
+
+    def test_source_redirect_login_hint_user_identifier(self):
+        """test redirect view with login hint"""
+        session = self.client.session
+        plan = FlowPlan(generate_id())
+        plan.context[PLAN_CONTEXT_PENDING_USER_IDENTIFIER] = "foo@authentik.company"
+        session[SESSION_KEY_PLAN] = plan
+        session.save()
+
+        res = self.client.get(
+            reverse(
+                "authentik_sources_oauth:oauth-client-login",
+                kwargs={"source_slug": self.source.slug},
+            )
+        )
+        self.assertEqual(res.status_code, 302)
+        qs = parse_qs(res.url)
+        self.assertEqual(qs["login_hint"], ["foo@authentik.company"])
+
+    def test_source_redirect(self):
+        """test redirect view"""
+        res = self.client.get(
+            reverse(
+                "authentik_sources_oauth:oauth-client-login",
+                kwargs={"source_slug": self.source.slug},
+            )
+        )
+        self.assertEqual(res.status_code, 302)
+        qs = parse_qs(res.url)
+
+        session = self.client.session
+        state = session[f"oauth-client-{self.source.name}-request-state"]
+
+        self.assertEqual(qs["redirect_uri"], ["http://testserver/source/oauth/callback/test/"])
+        self.assertEqual(qs["response_type"], ["code"])
+        self.assertEqual(qs["state"], [state])
+        self.assertEqual(qs["scope"], ["email openid profile"])
 
     def test_source_callback(self):
         """test callback view"""
-        self.client.get(
+        res = self.client.get(
             reverse(
                 "authentik_sources_oauth:oauth-client-callback",
                 kwargs={"source_slug": self.source.slug},
             )
         )
+        self.assertEqual(res.status_code, 302)

authentik/sources/oauth/types/entra_id.py

@@ -96,7 +96,11 @@ class EntraIDType(SourceType):
         }
 
     def get_base_group_properties(self, source, group_id, **kwargs):
-        raw_group = kwargs["info"]["raw_groups"][group_id]
+        raw_groups = kwargs["info"]["raw_groups"]
+        if group_id in raw_groups:
+            name = raw_groups[group_id]["displayName"]
+        else:
+            name = group_id
         return {
-            "name": raw_group["displayName"],
+            "name": name,
         }