Merge branch 'main' into dev

* main: (29 commits)
  website/integrations: aws: cleanup (#10355)
  web: bump API Client version (#10389)
  web/flows: Simplified flow executor (#10296)
  website/docs: sources: ldap: remove extra example (#10387)
  website/docs: add new content from old PR #9524 (#10158)
  stages/authenticator_validate: fix friendly_name being required (#10382)
  core: bump go api client (#10383)
  web: bump API Client version (#10381)
  outposts: make refresh interval configurable (#10138)
  core, web: update translations (#10378)
  web: bump @sentry/browser from 8.13.0 to 8.14.0 in /web in the sentry group (#10379)
  core: bump goauthentik.io/api/v3 from 3.2024060.3 to 3.2024060.4 (#10380)
  sources/oauth: fix link not being saved (#10374)
  website/docs: update postgres on docker: fix backtick (#10372)
  website/integrations: apache guacamole: cleanup doc page (#10354)
  web: bump API Client version (#10371)
  Revert "core: applications api: add option to only list apps with launch url (#10336)" (#10370)
  web: bump @wdio/cli from 8.39.0 to 8.39.1 in /web (#10362)
  core: bump goauthentik.io/api/v3 from 3.2024060.2 to 3.2024060.3 (#10356)
  website: bump react-tooltip from 5.27.0 to 5.27.1 in /website (#10357)
  ...

.github/dependabot.yml

@@ -21,7 +21,10 @@ updates:
     labels:
       - dependencies
   - package-ecosystem: npm
-    directory: "/web"
+    directories:
+      - "/web"
+      - "/tests/wdio"
+      - "/web/sfe"
     schedule:
       interval: daily
       time: "04:00"
@@ -30,7 +33,6 @@ updates:
     open-pull-requests-limit: 10
     commit-message:
       prefix: "web:"
-    # TODO: deduplicate these groups
     groups:
       sentry:
         patterns:
@@ -56,38 +58,6 @@ updates:
         patterns:
           - "@rollup/*"
           - "rollup-*"
-  - package-ecosystem: npm
-    directory: "/tests/wdio"
-    schedule:
-      interval: daily
-      time: "04:00"
-    labels:
-      - dependencies
-    open-pull-requests-limit: 10
-    commit-message:
-      prefix: "web:"
-    # TODO: deduplicate these groups
-    groups:
-      sentry:
-        patterns:
-          - "@sentry/*"
-          - "@spotlightjs/*"
-      babel:
-        patterns:
-          - "@babel/*"
-          - "babel-*"
-      eslint:
-        patterns:
-          - "@typescript-eslint/*"
-          - "eslint"
-          - "eslint-*"
-      storybook:
-        patterns:
-          - "@storybook/*"
-          - "*storybook*"
-      esbuild:
-        patterns:
-          - "@esbuild/*"
       wdio:
         patterns:
           - "@wdio/*"

.github/workflows/api-ts-publish.yml

@@ -31,7 +31,12 @@ jobs:
         env:
           NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}
       - name: Upgrade /web
-        working-directory: web/
+        working-directory: web
+        run: |
+          export VERSION=`node -e 'console.log(require("../gen-ts-api/package.json").version)'`
+          npm i @goauthentik/api@$VERSION
+      - name: Upgrade /web/sfe
+        working-directory: web/sfe
         run: |
           export VERSION=`node -e 'console.log(require("../gen-ts-api/package.json").version)'`
           npm i @goauthentik/api@$VERSION

.github/workflows/ci-main.yml

@@ -219,7 +219,7 @@ jobs:
         with:
           ref: ${{ github.event.pull_request.head.sha }}
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.0.0
+        uses: docker/setup-qemu-action@v3.1.0
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
       - name: prepare variables

.github/workflows/ci-outpost.yml

@@ -76,7 +76,7 @@ jobs:
         with:
           ref: ${{ github.event.pull_request.head.sha }}
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.0.0
+        uses: docker/setup-qemu-action@v3.1.0
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
       - name: prepare variables

.github/workflows/ci-web.yml

@@ -26,6 +26,10 @@ jobs:
           - web
           - tests/wdio
         include:
+          - command: tsc
+            project: web
+            extra_setup: |
+              cd sfe/ && npm ci
           - command: lit-analyse
             project: web
             extra_setup: |

.github/workflows/release-publish.yml

@@ -14,7 +14,7 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.0.0
+        uses: docker/setup-qemu-action@v3.1.0
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
       - name: prepare variables
@@ -68,7 +68,7 @@ jobs:
         with:
           go-version-file: "go.mod"
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.0.0
+        uses: docker/setup-qemu-action@v3.1.0
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
       - name: prepare variables

Dockerfile

@@ -30,16 +30,22 @@ WORKDIR /work/web
 
 RUN --mount=type=bind,target=/work/web/package.json,src=./web/package.json \
     --mount=type=bind,target=/work/web/package-lock.json,src=./web/package-lock.json \
+    --mount=type=bind,target=/work/web/sfe/package.json,src=./web/sfe/package.json \
+    --mount=type=bind,target=/work/web/sfe/package-lock.json,src=./web/sfe/package-lock.json \
     --mount=type=bind,target=/work/web/scripts,src=./web/scripts \
     --mount=type=cache,id=npm-web,sharing=shared,target=/root/.npm \
+    npm ci --include=dev && \
+    cd sfe && \
     npm ci --include=dev
 
 COPY ./package.json /work
 COPY ./web /work/web/
 COPY ./website /work/website/
 COPY ./gen-ts-api /work/web/node_modules/@goauthentik/api
 
-RUN npm run build
+RUN npm run build && \
+    cd sfe && \
+    npm run build
 
 # Stage 3: Build go proxy
 FROM --platform=${BUILDPLATFORM} mcr.microsoft.com/oss/go/microsoft/golang:1.22-fips-bookworm AS go-builder

authentik/brands/api.py

@@ -24,7 +24,7 @@
 class FooterLinkSerializer(PassiveSerializer):
     """Links returned in Config API"""
 
-    href = CharField(read_only=True)
+    href = CharField(read_only=True, allow_null=True)
     name = CharField(read_only=True)
 
 

authentik/core/api/applications.py

@@ -147,13 +147,6 @@ def _get_allowed_applications(
                 applications.append(application)
         return applications
 
-    def _filter_applications_with_launch_url(self, pagined_apps: Iterator[Application]) -> list[Application]:
-        applications = []
-        for app in pagined_apps:
-            if app.get_launch_url():
-                applications.append(app)
-        return applications
-
     @extend_schema(
         parameters=[
             OpenApiParameter(
@@ -211,11 +204,6 @@ def check_access(self, request: Request, slug: str) -> Response:
                 location=OpenApiParameter.QUERY,
                 type=OpenApiTypes.INT,
             ),
-            OpenApiParameter(
-                name="only_with_launch_url",
-                location=OpenApiParameter.QUERY,
-                type=OpenApiTypes.BOOL,
-            ),
         ]
     )
     def list(self, request: Request) -> Response:
@@ -228,8 +216,6 @@ def list(self, request: Request) -> Response:
         if superuser_full_list and request.user.is_superuser:
             return super().list(request)
 
-        only_with_launch_url = str(request.query_params.get("only_with_launch_url", "false")).lower()
-
         queryset = self._filter_queryset_for_list(self.get_queryset())
         paginator: Pagination = self.paginator
         paginated_apps = paginator.paginate_queryset(queryset, request)
@@ -265,10 +251,6 @@ def list(self, request: Request) -> Response:
                     allowed_applications,
                     timeout=86400,
                 )
-
-        if only_with_launch_url == "true":
-            allowed_applications = self._filter_applications_with_launch_url(allowed_applications)
-
         serializer = self.get_serializer(allowed_applications, many=True)
         return self.get_paginated_response(serializer.data)
 

authentik/core/models.py

@@ -1,7 +1,6 @@
 """authentik core models"""
 
 from datetime import datetime
-from functools import lru_cache
 from hashlib import sha256
 from typing import Any, Optional, Self
 from uuid import uuid4
@@ -476,10 +475,6 @@ def get_meta_icon(self) -> str | None:
             return self.meta_icon.name
         return self.meta_icon.url
 
-    # maxsize is set as 2 since that is called once to check
-    # if we should return applications with a launch URL
-    # and a second time to actually get the launch_url
-    @lru_cache(maxsize=2)
     def get_launch_url(self, user: Optional["User"] = None) -> str | None:
         """Get launch URL if set, otherwise attempt to get launch URL based on provider."""
         url = None

authentik/core/sources/flow_manager.py

@@ -309,7 +309,7 @@ def handle_existing_link(
         # When request isn't authenticated we jump straight to auth
         if not self.request.user.is_authenticated:
             return self.handle_auth(connection)
-        # Connection has already been saved
+        connection.save()
         Event.new(
             EventAction.SOURCE_LINKED,
             message="Linked Source",

authentik/core/templates/base/header_js.html

@@ -10,7 +10,7 @@
         versionSubdomain: "{{ version_subdomain }}",
         build: "{{ build }}",
     };
-    window.addEventListener("DOMContentLoaded", () => {
+    window.addEventListener("DOMContentLoaded", function () {
         {% for message in messages %}
         window.dispatchEvent(
             new CustomEvent("ak-message", {

authentik/core/templates/login/base_full.html

@@ -71,9 +71,9 @@ <h1 class="pf-c-title pf-m-3xl">
                 </li>
                 {% endfor %}
                 <li>
-                    <a rel="noopener noreferrer" target="_blank" href="https://goauthentik.io?utm_source=authentik">
+                    <span>
                         {% trans 'Powered by authentik' %}
-                    </a>
+                    </span>
                 </li>
             </ul>
         </footer>

authentik/core/urls.py

@@ -20,8 +20,9 @@
 from authentik.core.api.users import UserViewSet
 from authentik.core.views import apps
 from authentik.core.views.debug import AccessDeniedView
-from authentik.core.views.interface import FlowInterfaceView, InterfaceView
+from authentik.core.views.interface import InterfaceView
 from authentik.core.views.session import EndSessionView
+from authentik.flows.views.interface import FlowInterfaceView
 from authentik.root.asgi_middleware import SessionMiddleware
 from authentik.root.messages.consumer import MessageConsumer
 from authentik.root.middleware import ChannelsLoggingMiddleware
@@ -53,6 +54,8 @@
     ),
     path(
         "if/flow/<slug:flow_slug>/",
+        # FIXME: move this url to the flows app...also will cause all
+        # of the reverse calls to be adjusted
         ensure_csrf_cookie(FlowInterfaceView.as_view()),
         name="if-flow",
     ),

authentik/core/views/interface.py

@@ -3,15 +3,13 @@
 from json import dumps
 from typing import Any
 
-from django.shortcuts import get_object_or_404
 from django.views.generic.base import TemplateView
 from rest_framework.request import Request
 
 from authentik import get_build_hash
 from authentik.admin.tasks import LOCAL_VERSION
 from authentik.api.v3.config import ConfigView
 from authentik.brands.api import CurrentBrandSerializer
-from authentik.flows.models import Flow
 
 
 class InterfaceView(TemplateView):
@@ -25,14 +23,3 @@ def get_context_data(self, **kwargs: Any) -> dict[str, Any]:
         kwargs["build"] = get_build_hash()
         kwargs["url_kwargs"] = self.kwargs
         return super().get_context_data(**kwargs)
-
-
-class FlowInterfaceView(InterfaceView):
-    """Flow interface"""
-
-    template_name = "if/flow.html"
-
-    def get_context_data(self, **kwargs: Any) -> dict[str, Any]:
-        kwargs["flow"] = get_object_or_404(Flow, slug=self.kwargs.get("flow_slug"))
-        kwargs["inspector"] = "inspector" in self.request.GET
-        return super().get_context_data(**kwargs)

authentik/flows/templates/if/flow-sfe.html

@@ -0,0 +1,54 @@
+{% load static %}
+{% load i18n %}
+{% load authentik_core %}
+
+<!DOCTYPE html>
+
+<html lang="en">
+    <head>
+        <meta charset="UTF-8">
+        <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
+        <title>{% block title %}{% trans title|default:brand.branding_title %}{% endblock %}</title>
+        <link rel="icon" href="{{ brand.branding_favicon }}">
+        <link rel="shortcut icon" href="{{ brand.branding_favicon }}">
+        {% block head_before %}
+        {% endblock %}
+        <link rel="stylesheet" type="text/css" href="{% static 'dist/sfe/bootstrap.min.css' %}">
+        <meta name="sentry-trace" content="{{ sentry_trace }}" />
+        {% include "base/header_js.html" %}
+        <style>
+          html,
+          body {
+            height: 100%;
+          }
+          body {
+            background-image: url("{{ flow.background_url }}");
+            background-repeat: no-repeat;
+            background-size: cover;
+          }
+          .card {
+            padding: 3rem;
+          }
+
+          .form-signin {
+            max-width: 330px;
+            padding: 1rem;
+          }
+
+          .form-signin .form-floating:focus-within {
+            z-index: 2;
+          }
+          .brand-icon {
+            max-width: 100%;
+          }
+        </style>
+    </head>
+    <body class="d-flex align-items-center py-4 bg-body-tertiary">
+      <div class="card m-auto">
+        <main class="form-signin w-100 m-auto" id="flow-sfe-container">
+        </main>
+        <span class="mt-3 mb-0 text-muted text-center">{% trans 'Powered by authentik' %}</span>
+      </div>
+      <script src="{% static 'dist/sfe/index.js' %}"></script>
+    </body>
+</html>

authentik/flows/views/interface.py

@@ -0,0 +1,41 @@
+"""Interface views"""
+
+from typing import Any
+
+from django.shortcuts import get_object_or_404
+from ua_parser.user_agent_parser import Parse
+
+from authentik.core.views.interface import InterfaceView
+from authentik.flows.models import Flow
+
+
+class FlowInterfaceView(InterfaceView):
+    """Flow interface"""
+
+    def get_context_data(self, **kwargs: Any) -> dict[str, Any]:
+        kwargs["flow"] = get_object_or_404(Flow, slug=self.kwargs.get("flow_slug"))
+        kwargs["inspector"] = "inspector" in self.request.GET
+        return super().get_context_data(**kwargs)
+
+    def compat_needs_sfe(self) -> bool:
+        """Check if we need to use the simplified flow executor for compatibility"""
+        ua = Parse(self.request.META.get("HTTP_USER_AGENT", ""))
+        if ua["user_agent"]["family"] == "IE":
+            return True
+        # Only use SFE for Edge 18 and older, after Edge 18 MS switched to chromium which supports
+        # the default flow executor
+        if (
+            ua["user_agent"]["family"] == "Edge"
+            and int(ua["user_agent"]["major"]) <= 18  # noqa: PLR2004
+        ):  # noqa: PLR2004
+            return True
+        # https://github.com/AzureAD/microsoft-authentication-library-for-objc
+        # Used by Microsoft Teams/Office on macOS, and also uses a very outdated browser engine
+        if "PKeyAuth" in ua["string"]:
+            return True
+        return False
+
+    def get_template_names(self) -> list[str]:
+        if self.compat_needs_sfe() or "sfe" in self.request.GET:
+            return ["if/flow-sfe.html"]
+        return ["if/flow.html"]