From 602aed674b5bee14745858313e2f0c82c0326c06 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Wed, 28 Jul 2021 12:26:50 +0200
Subject: [PATCH 01/24] web/admin: fully remove response cloning due to errors

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
---
 web/src/api/Sentry.ts | 10 +---------
 1 file changed, 1 insertion(+), 9 deletions(-)

diff --git a/web/src/api/Sentry.ts b/web/src/api/Sentry.ts
index 462114c0..84dc572a 100644
--- a/web/src/api/Sentry.ts
+++ b/web/src/api/Sentry.ts
@@ -33,15 +33,7 @@ export function configureSentry(canDoPpi: boolean = false): Promise<Config> {
                         }
                     }
                     if (hint.originalException instanceof Response) {
-                        const response = hint.originalException as Response;
-                        // We only care about server errors
-                        if (response.status < 500) {
-                            return null;
-                        }
-                        // Need to clone the response, otherwise the .text() and .json() can't be re-used
-                        const resCopy = response.clone();
-                        const body = await resCopy.json();
-                        event.message = `${response.status} ${response.url}: ${JSON.stringify(body)}`
+                        return null;
                     }
                     if (event.exception) {
                         me().then(user => {

From affafc31cfefb7eaeea34d15903618de14c3d79f Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Wed, 28 Jul 2021 12:47:52 +0200
Subject: [PATCH 02/24] sources/ldap: improve ms-ad password complexity
 checking

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
---
 authentik/sources/ldap/password.py | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)

diff --git a/authentik/sources/ldap/password.py b/authentik/sources/ldap/password.py
index 24c064cf..6a5d4960 100644
--- a/authentik/sources/ldap/password.py
+++ b/authentik/sources/ldap/password.py
@@ -105,15 +105,17 @@ class LDAPPasswordChanger:
         if len(user_attributes["sAMAccountName"]) >= 3:
             if password.lower() in user_attributes["sAMAccountName"].lower():
                 return False
-        display_name_tokens = split(
-            RE_DISPLAYNAME_SEPARATORS, user_attributes["displayName"]
-        )
-        for token in display_name_tokens:
-            # Ignore tokens under 3 chars
-            if len(token) < 3:
-                continue
-            if token.lower() in password.lower():
-                return False
+        # No display name set, can't check any further
+        if len(user_attributes["displayName"]) < 1:
+            return True
+        for display_name in user_attributes["displayName"]:
+            display_name_tokens = split(RE_DISPLAYNAME_SEPARATORS, display_name)
+            for token in display_name_tokens:
+                # Ignore tokens under 3 chars
+                if len(token) < 3:
+                    continue
+                if token.lower() in password.lower():
+                    return False
         return True
 
     def ad_password_complexity(

From a3981dd3cdc9d81b5db52c4fd1ee3340d874df51 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Wed, 28 Jul 2021 16:08:06 +0200
Subject: [PATCH 03/24] providers/proxy: fix hosts for ingress not being
 compared correctly

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
---
 .../proxy/controllers/k8s/ingress.py          |  6 +-
 tests/integration/test_proxy_kubernetes.py    | 55 +++++++++++++++----
 2 files changed, 48 insertions(+), 13 deletions(-)

diff --git a/authentik/providers/proxy/controllers/k8s/ingress.py b/authentik/providers/proxy/controllers/k8s/ingress.py
index 401db2e8..2cb2153b 100644
--- a/authentik/providers/proxy/controllers/k8s/ingress.py
+++ b/authentik/providers/proxy/controllers/k8s/ingress.py
@@ -60,12 +60,12 @@ class IngressReconciler(KubernetesObjectReconciler[NetworkingV1beta1Ingress]):
         expected_hosts.sort()
         expected_hosts_tls.sort()
 
-        have_hosts = [rule.host for rule in reference.spec.rules]
+        have_hosts = [rule.host for rule in current.spec.rules]
         have_hosts.sort()
 
         have_hosts_tls = []
-        for tls_config in reference.spec.tls:
-            if tls_config:
+        for tls_config in current.spec.tls:
+            if tls_config and tls_config.hosts:
                 have_hosts_tls += tls_config.hosts
         have_hosts_tls.sort()
 
diff --git a/tests/integration/test_proxy_kubernetes.py b/tests/integration/test_proxy_kubernetes.py
index 11b31969..ba498fda 100644
--- a/tests/integration/test_proxy_kubernetes.py
+++ b/tests/integration/test_proxy_kubernetes.py
@@ -1,20 +1,36 @@
 """Test Controllers"""
+from typing import Optional
+
 import yaml
 from django.test import TestCase
+from structlog.stdlib import get_logger
 
 from authentik.flows.models import Flow
+from authentik.outposts.controllers.kubernetes import KubernetesController
 from authentik.outposts.models import KubernetesServiceConnection, Outpost, OutpostType
 from authentik.outposts.tasks import outpost_local_connection
+from authentik.providers.proxy.controllers.k8s.ingress import IngressReconciler
 from authentik.providers.proxy.controllers.kubernetes import ProxyKubernetesController
-from authentik.providers.proxy.models import ProxyProvider
+from authentik.providers.proxy.models import ProxyMode, ProxyProvider
+
+LOGGER = get_logger()
 
 
 class TestProxyKubernetes(TestCase):
     """Test Controllers"""
 
+    controller: Optional[KubernetesController]
+
     def setUp(self):
         # Ensure that local connection have been created
         outpost_local_connection()
+        self.controller = None
+
+    def tearDown(self) -> None:
+        if self.controller:
+            for log in self.controller.down_with_logs():
+                LOGGER.info(log)
+        return super().tearDown()
 
     def test_kubernetes_controller_static(self):
         """Test Kubernetes Controller"""
@@ -33,18 +49,26 @@ class TestProxyKubernetes(TestCase):
         outpost.providers.add(provider)
         outpost.save()
 
-        controller = ProxyKubernetesController(outpost, service_connection)
-        manifest = controller.get_static_deployment()
+        self.controller = ProxyKubernetesController(outpost, service_connection)
+        manifest = self.controller.get_static_deployment()
         self.assertEqual(len(list(yaml.load_all(manifest, Loader=yaml.SafeLoader))), 4)
 
-    def test_kubernetes_controller_deploy(self):
-        """Test Kubernetes Controller"""
+    def test_kubernetes_controller_ingress(self):
+        """Test Kubernetes Controller's Ingress"""
         provider: ProxyProvider = ProxyProvider.objects.create(
             name="test",
             internal_host="http://localhost",
-            external_host="http://localhost",
+            external_host="https://localhost",
             authorization_flow=Flow.objects.first(),
         )
+        provider2: ProxyProvider = ProxyProvider.objects.create(
+            name="test2",
+            internal_host="http://otherhost",
+            external_host="https://otherhost",
+            mode=ProxyMode.FORWARD_SINGLE,
+            authorization_flow=Flow.objects.first(),
+        )
+
         service_connection = KubernetesServiceConnection.objects.first()
         outpost: Outpost = Outpost.objects.create(
             name="test",
@@ -52,8 +76,19 @@ class TestProxyKubernetes(TestCase):
             service_connection=service_connection,
         )
         outpost.providers.add(provider)
-        outpost.save()
 
-        controller = ProxyKubernetesController(outpost, service_connection)
-        controller.up()
-        controller.down()
+        self.controller = ProxyKubernetesController(outpost, service_connection)
+
+        ingress_rec = IngressReconciler(self.controller)
+        ingress = ingress_rec.retrieve()
+
+        self.assertEqual(len(ingress.spec.rules), 1)
+        self.assertEqual(ingress.spec.rules[0].host, "localhost")
+
+        # add provider, check again
+        outpost.providers.add(provider2)
+        ingress = ingress_rec.retrieve()
+
+        self.assertEqual(len(ingress.spec.rules), 2)
+        self.assertEqual(ingress.spec.rules[0].host, "localhost")
+        self.assertEqual(ingress.spec.rules[1].host, "otherhost")

From c8c7202c61bf3781ffb8278e41c8647e29c15170 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Wed, 28 Jul 2021 21:01:10 +0200
Subject: [PATCH 04/24] web/admin: fix LDAP Provider bind flow list being empty

closes #1192

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
---
 web/src/pages/providers/ldap/LDAPProviderForm.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/web/src/pages/providers/ldap/LDAPProviderForm.ts b/web/src/pages/providers/ldap/LDAPProviderForm.ts
index e8d60844..44e30cae 100644
--- a/web/src/pages/providers/ldap/LDAPProviderForm.ts
+++ b/web/src/pages/providers/ldap/LDAPProviderForm.ts
@@ -54,7 +54,7 @@ export class LDAPProviderFormPage extends ModelForm<LDAPProvider, number> {
                 name="authorizationFlow">
                 <select class="pf-c-form-control">
                     ${until(tenant().then(t => {
-                        new FlowsApi(DEFAULT_CONFIG).flowsInstancesList({
+                        return new FlowsApi(DEFAULT_CONFIG).flowsInstancesList({
                             ordering: "pk",
                             designation: FlowsInstancesListDesignationEnum.Authentication,
                         }).then(flows => {

From 970655ab210e1a9f7c22a05d60c92e21da67f6c6 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Thu, 29 Jul 2021 21:06:40 +0200
Subject: [PATCH 05/24] ci: fix sentry sourcemap path

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
---
 .github/workflows/release.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 411be12e..db2ce859 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -179,4 +179,4 @@ jobs:
           version: authentik@2021.7.1
           environment: beryjuorg-prod
           sourcemaps: './web/dist'
-          url_prefix: /static/dist
+          url_prefix: '~/static/dist'

From a5c8caf909e9f9fba4e27f78dcc4fb46e00f01e6 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Thu, 29 Jul 2021 21:22:31 +0200
Subject: [PATCH 06/24] providers/oauth2: fix error when requesting jwks keys
 with no rs256 aet

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
---
 authentik/providers/oauth2/tests/test_jwks.py | 54 +++++++++++++++++++
 authentik/providers/oauth2/views/jwks.py      |  2 +-
 2 files changed, 55 insertions(+), 1 deletion(-)
 create mode 100644 authentik/providers/oauth2/tests/test_jwks.py

diff --git a/authentik/providers/oauth2/tests/test_jwks.py b/authentik/providers/oauth2/tests/test_jwks.py
new file mode 100644
index 00000000..cede1014
--- /dev/null
+++ b/authentik/providers/oauth2/tests/test_jwks.py
@@ -0,0 +1,54 @@
+"""JWKS tests"""
+import json
+
+from django.test import RequestFactory
+from django.urls.base import reverse
+from django.utils.encoding import force_str
+
+from authentik.core.models import Application
+from authentik.crypto.models import CertificateKeyPair
+from authentik.flows.models import Flow
+from authentik.providers.oauth2.models import OAuth2Provider
+from authentik.providers.oauth2.tests.utils import OAuthTestCase
+
+
+class TestJWKS(OAuthTestCase):
+    """Test JWKS view"""
+
+    def setUp(self) -> None:
+        super().setUp()
+        self.factory = RequestFactory()
+
+    def test_rs256(self):
+        """Test JWKS request with RS256"""
+        provider = OAuth2Provider.objects.create(
+            name="test",
+            client_id="test",
+            authorization_flow=Flow.objects.first(),
+            redirect_uris="http://local.invalid",
+            rsa_key=CertificateKeyPair.objects.first(),
+        )
+        app = Application.objects.create(name="test", slug="test", provider=provider)
+        response = self.client.get(
+            reverse(
+                "authentik_providers_oauth2:jwks", kwargs={"application_slug": app.slug}
+            )
+        )
+        body = json.loads(force_str(response.content))
+        self.assertEqual(len(body["keys"]), 1)
+
+    def test_hs256(self):
+        """Test JWKS request with HS256"""
+        provider = OAuth2Provider.objects.create(
+            name="test",
+            client_id="test",
+            authorization_flow=Flow.objects.first(),
+            redirect_uris="http://local.invalid",
+        )
+        app = Application.objects.create(name="test", slug="test", provider=provider)
+        response = self.client.get(
+            reverse(
+                "authentik_providers_oauth2:jwks", kwargs={"application_slug": app.slug}
+            )
+        )
+        self.assertJSONEqual(force_str(response.content), {})
diff --git a/authentik/providers/oauth2/views/jwks.py b/authentik/providers/oauth2/views/jwks.py
index 14bc9001..a1d0fe56 100644
--- a/authentik/providers/oauth2/views/jwks.py
+++ b/authentik/providers/oauth2/views/jwks.py
@@ -30,7 +30,7 @@ class JWKSView(View):
 
         response_data = {}
 
-        if provider.jwt_alg == JWTAlgorithms.RS256:
+        if provider.jwt_alg == JWTAlgorithms.RS256 and provider.rsa_key:
             public_key: RSAPublicKey = provider.rsa_key.private_key.public_key()
             public_numbers = public_key.public_numbers()
             response_data["keys"] = [

From 4c41948e75c49acce73b5ebf5bbe9e2d0838bc69 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Thu, 29 Jul 2021 18:49:08 +0200
Subject: [PATCH 07/24] e2e: fix broken selenium by locking images

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
---
 tests/e2e/ci.docker-compose.yml | 2 +-
 tests/e2e/docker-compose.yml    | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/tests/e2e/ci.docker-compose.yml b/tests/e2e/ci.docker-compose.yml
index a996a342..5be532db 100644
--- a/tests/e2e/ci.docker-compose.yml
+++ b/tests/e2e/ci.docker-compose.yml
@@ -2,7 +2,7 @@ version: '3.7'
 
 services:
   chrome:
-    image: selenium/standalone-chrome:3.141
+    image: selenium/standalone-chrome:3.141.59-20210713
     volumes:
       - /dev/shm:/dev/shm
     network_mode: host
diff --git a/tests/e2e/docker-compose.yml b/tests/e2e/docker-compose.yml
index 7f92cba9..968e0d35 100644
--- a/tests/e2e/docker-compose.yml
+++ b/tests/e2e/docker-compose.yml
@@ -2,7 +2,7 @@ version: '3.7'
 
 services:
   chrome:
-    image: selenium/standalone-chrome-debug:3.141
+    image: selenium/standalone-chrome-debug:3.141.59-20210713
     volumes:
       - /dev/shm:/dev/shm
     network_mode: host

From fb6e8ca1ebf3f55b7c9447244bd5ba573c89426c Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Thu, 29 Jul 2021 22:42:56 +0200
Subject: [PATCH 08/24] events: remove default result for MonitoredTasks, only
 save when result was set

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
---
 authentik/events/monitored_tasks.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/authentik/events/monitored_tasks.py b/authentik/events/monitored_tasks.py
index 30da8bf4..ebb31d87 100644
--- a/authentik/events/monitored_tasks.py
+++ b/authentik/events/monitored_tasks.py
@@ -114,7 +114,7 @@ class MonitoredTask(Task):
     # For tasks that should only be listed if they failed, set this to False
     save_on_success: bool
 
-    _result: TaskResult
+    _result: Optional[TaskResult]
 
     _uid: Optional[str]
 
@@ -122,7 +122,7 @@ class MonitoredTask(Task):
         super().__init__(*args, **kwargs)
         self.save_on_success = True
         self._uid = None
-        self._result = TaskResult(status=TaskResultStatus.ERROR, messages=[])
+        self._result = None
         self.result_timeout_hours = 6
         self.start = default_timer()
 
@@ -140,7 +140,7 @@ class MonitoredTask(Task):
     ):
         if not self._result.uid:
             self._result.uid = self._uid
-        if self.save_on_success:
+        if self.save_on_success and self._result:
             TaskInfo(
                 task_name=self.__name__,
                 task_description=self.__doc__,

From a4fd58a0dbe8f50f497c300066e756e4476a3f37 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Fri, 30 Jul 2021 09:36:09 +0200
Subject: [PATCH 09/24] events: ensure fallback result is set for on_failure

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
---
 authentik/events/monitored_tasks.py | 35 ++++++++++++++++-------------
 1 file changed, 20 insertions(+), 15 deletions(-)

diff --git a/authentik/events/monitored_tasks.py b/authentik/events/monitored_tasks.py
index ebb31d87..162fa73a 100644
--- a/authentik/events/monitored_tasks.py
+++ b/authentik/events/monitored_tasks.py
@@ -138,25 +138,30 @@ class MonitoredTask(Task):
     def after_return(
         self, status, retval, task_id, args: list[Any], kwargs: dict[str, Any], einfo
     ):
-        if not self._result.uid:
-            self._result.uid = self._uid
-        if self.save_on_success and self._result:
-            TaskInfo(
-                task_name=self.__name__,
-                task_description=self.__doc__,
-                start_timestamp=self.start,
-                finish_timestamp=default_timer(),
-                finish_time=datetime.now(),
-                result=self._result,
-                task_call_module=self.__module__,
-                task_call_func=self.__name__,
-                task_call_args=args,
-                task_call_kwargs=kwargs,
-            ).save(self.result_timeout_hours)
+        if self._result:
+            if not self._result.uid:
+                self._result.uid = self._uid
+            if self.save_on_success:
+                TaskInfo(
+                    task_name=self.__name__,
+                    task_description=self.__doc__,
+                    start_timestamp=self.start,
+                    finish_timestamp=default_timer(),
+                    finish_time=datetime.now(),
+                    result=self._result,
+                    task_call_module=self.__module__,
+                    task_call_func=self.__name__,
+                    task_call_args=args,
+                    task_call_kwargs=kwargs,
+                ).save(self.result_timeout_hours)
         return super().after_return(status, retval, task_id, args, kwargs, einfo=einfo)
 
     # pylint: disable=too-many-arguments
     def on_failure(self, exc, task_id, args, kwargs, einfo):
+        if not self._result:
+            self._result = TaskResult(
+                status=TaskResultStatus.ERROR, messages=[str(exc)]
+            )
         if not self._result.uid:
             self._result.uid = self._uid
         TaskInfo(

From 0cb4d64b576f90b2020460f22566bcc96f59bc9a Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Fri, 30 Jul 2021 09:39:24 +0200
Subject: [PATCH 10/24] stages/email: fix error when re-requesting email after
 token has expired

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
---
 authentik/stages/email/stage.py | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/authentik/stages/email/stage.py b/authentik/stages/email/stage.py
index f706502a..6c94e8ed 100644
--- a/authentik/stages/email/stage.py
+++ b/authentik/stages/email/stage.py
@@ -67,10 +67,15 @@ class EmailStageView(ChallengeStageView):
             "user": pending_user,
             "identifier": f"ak-email-stage-{current_stage.name}-{pending_user}",
         }
-        tokens = Token.filter_not_expired(**token_filters)
+        # Don't check for validity here, we only care if the token exists
+        tokens = Token.objects.filter(**token_filters)
         if not tokens.exists():
             return Token.objects.create(expires=now() + valid_delta, **token_filters)
-        return tokens.first()
+        token = tokens.first()
+        # Check if token is expired and rotate key if so
+        if token.is_expired:
+            token.expire_action()
+        return token
 
     def send_email(self):
         """Helper function that sends the actual email. Implies that you've

From 7ecd57ecff3a3c3124fa0f12dad27dfc28b080ba Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Sat, 31 Jul 2021 21:57:33 +0200
Subject: [PATCH 11/24] outpost: bump timer for periodic config reloads

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
---
 internal/outpost/ak/api_ws.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/internal/outpost/ak/api_ws.go b/internal/outpost/ak/api_ws.go
index 767f032f..6bdc41fc 100644
--- a/internal/outpost/ak/api_ws.go
+++ b/internal/outpost/ak/api_ws.go
@@ -116,7 +116,7 @@ func (ac *APIController) startWSHealth() {
 
 func (ac *APIController) startIntervalUpdater() {
 	logger := ac.logger.WithField("loop", "interval-updater")
-	ticker := time.NewTicker(time.Second * 150)
+	ticker := time.NewTicker(5 * time.Minute)
 	for ; true; <-ticker.C {
 		err := ac.Server.Refresh()
 		if err != nil {

From dc0d715885fb07b4991ae47cc5a52d5559e0f520 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Sun, 1 Aug 2021 11:47:22 +0200
Subject: [PATCH 12/24] web/admin: add UI to copy invitation link

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
---
 web/src/locales/en.po                         |  9 +++
 web/src/locales/pseudo-LOCALE.po              |  9 +++
 .../stages/invitation/InvitationListLink.ts   | 67 +++++++++++++++++++
 .../stages/invitation/InvitationListPage.ts   | 15 +++++
 4 files changed, 100 insertions(+)
 create mode 100644 web/src/pages/stages/invitation/InvitationListLink.ts

diff --git a/web/src/locales/en.po b/web/src/locales/en.po
index 9db36b6e..06701eaf 100644
--- a/web/src/locales/en.po
+++ b/web/src/locales/en.po
@@ -2080,6 +2080,10 @@ msgstr "Link to a user with identical email address. Can have security implicati
 msgid "Link to a user with identical username address. Can have security implications when a username is used with another source."
 msgstr "Link to a user with identical username address. Can have security implications when a username is used with another source."
 
+#: src/pages/stages/invitation/InvitationListLink.ts
+msgid "Link to use the invitation."
+msgstr "Link to use the invitation."
+
 #: src/pages/sources/oauth/OAuthSourceForm.ts
 #: src/pages/sources/plex/PlexSourceForm.ts
 msgid "Link users on unique identifier"
@@ -2168,6 +2172,7 @@ msgstr "Loading"
 #: src/pages/stages/identification/IdentificationStageForm.ts
 #: src/pages/stages/identification/IdentificationStageForm.ts
 #: src/pages/stages/identification/IdentificationStageForm.ts
+#: src/pages/stages/invitation/InvitationListLink.ts
 #: src/pages/stages/password/PasswordStageForm.ts
 #: src/pages/stages/prompt/PromptStageForm.ts
 #: src/pages/stages/prompt/PromptStageForm.ts
@@ -3263,6 +3268,10 @@ msgstr "Select a provider that this application should use. Alternatively, creat
 msgid "Select all rows"
 msgstr "Select all rows"
 
+#: src/pages/stages/invitation/InvitationListLink.ts
+msgid "Select an enrollment flow"
+msgstr "Select an enrollment flow"
+
 #: src/flows/stages/authenticator_validate/AuthenticatorValidateStage.ts
 msgid "Select an identification method."
 msgstr "Select an identification method."
diff --git a/web/src/locales/pseudo-LOCALE.po b/web/src/locales/pseudo-LOCALE.po
index 88e11913..caf2014d 100644
--- a/web/src/locales/pseudo-LOCALE.po
+++ b/web/src/locales/pseudo-LOCALE.po
@@ -2072,6 +2072,10 @@ msgstr ""
 msgid "Link to a user with identical username address. Can have security implications when a username is used with another source."
 msgstr ""
 
+#: src/pages/stages/invitation/InvitationListLink.ts
+msgid "Link to use the invitation."
+msgstr ""
+
 #: src/pages/sources/oauth/OAuthSourceForm.ts
 #: src/pages/sources/plex/PlexSourceForm.ts
 msgid "Link users on unique identifier"
@@ -2160,6 +2164,7 @@ msgstr ""
 #: src/pages/stages/identification/IdentificationStageForm.ts
 #: src/pages/stages/identification/IdentificationStageForm.ts
 #: src/pages/stages/identification/IdentificationStageForm.ts
+#: src/pages/stages/invitation/InvitationListLink.ts
 #: src/pages/stages/password/PasswordStageForm.ts
 #: src/pages/stages/prompt/PromptStageForm.ts
 #: src/pages/stages/prompt/PromptStageForm.ts
@@ -3255,6 +3260,10 @@ msgstr ""
 msgid "Select all rows"
 msgstr ""
 
+#: src/pages/stages/invitation/InvitationListLink.ts
+msgid "Select an enrollment flow"
+msgstr ""
+
 #: src/flows/stages/authenticator_validate/AuthenticatorValidateStage.ts
 msgid "Select an identification method."
 msgstr ""
diff --git a/web/src/pages/stages/invitation/InvitationListLink.ts b/web/src/pages/stages/invitation/InvitationListLink.ts
new file mode 100644
index 00000000..052549bd
--- /dev/null
+++ b/web/src/pages/stages/invitation/InvitationListLink.ts
@@ -0,0 +1,67 @@
+import { t } from "@lingui/macro";
+import { CSSResult, customElement, html, LitElement, property, TemplateResult } from "lit-element";
+import { until } from "lit-html/directives/until";
+import PFForm from "@patternfly/patternfly/components/Form/form.css";
+import PFFormControl from "@patternfly/patternfly/components/FormControl/form-control.css";
+import AKGlobal from "../../../authentik.css";
+import PFBase from "@patternfly/patternfly/patternfly-base.css";
+import PFFlex from "@patternfly/patternfly/layouts/Flex/flex.css";
+import { FlowsApi, FlowsInstancesListDesignationEnum } from "authentik-api";
+import { DEFAULT_CONFIG } from "../../../api/Config";
+import PFDescriptionList from "@patternfly/patternfly/components/DescriptionList/description-list.css";
+
+@customElement("ak-stage-invitation-list-link")
+export class InvitationListLink extends LitElement {
+
+    @property()
+    invitation?: string
+
+    @property()
+    selectedFlow?: string;
+
+    static get styles(): CSSResult[] {
+        return [PFBase, PFForm, PFFormControl, PFFlex, PFDescriptionList, AKGlobal];
+    }
+
+    renderLink(): string {
+        return `${window.location.protocol}//${window.location.host}/if/flow/${this.selectedFlow}/?token=${this.invitation}`;
+    }
+
+    render(): TemplateResult {
+        return html`<dl class="pf-c-description-list pf-m-horizontal">
+            <div class="pf-c-description-list__group">
+                <dt class="pf-c-description-list__term">
+                    <span class="pf-c-description-list__text">${t`Select an enrollment flow`}</span>
+                </dt>
+                <dd class="pf-c-description-list__description">
+                    <div class="pf-c-description-list__text">
+                        <select class="pf-c-form-control" @change=${(ev: Event) => {
+                            const current = (ev.target as HTMLInputElement).value;
+                            this.selectedFlow = current;
+                        }}>
+                            ${until(new FlowsApi(DEFAULT_CONFIG).flowsInstancesList({
+                                ordering: "pk",
+                                designation: FlowsInstancesListDesignationEnum.Enrollment,
+                            }).then(flows => {
+                                return flows.results.map(flow => {
+                                    return html`<option value=${flow.slug} ?selected=${flow.slug === this.selectedFlow}>${flow.slug}</option>`;
+                                });
+                            }), html`<option>${t`Loading...`}</option>`)}
+                        </select>
+                    </div>
+                </dd>
+            </div>
+            <div class="pf-c-description-list__group">
+                <dt class="pf-c-description-list__term">
+                    <span class="pf-c-description-list__text">${t`Link to use the invitation.`}</span>
+                </dt>
+                <dd class="pf-c-description-list__description">
+                    <div class="pf-c-description-list__text">
+                        <input class="pf-c-form-control" readonly type="text" value=${this.renderLink()} />
+                    </div>
+                </dd>
+            </div>
+        </dl>`;
+    }
+
+}
diff --git a/web/src/pages/stages/invitation/InvitationListPage.ts b/web/src/pages/stages/invitation/InvitationListPage.ts
index ed351e4b..08dbb691 100644
--- a/web/src/pages/stages/invitation/InvitationListPage.ts
+++ b/web/src/pages/stages/invitation/InvitationListPage.ts
@@ -8,6 +8,7 @@ import "../../../elements/buttons/SpinnerButton";
 import "../../../elements/forms/DeleteForm";
 import "../../../elements/forms/ModalForm";
 import "./InvitationForm";
+import "./InvitationListLink";
 import { TableColumn } from "../../../elements/table/Table";
 import { PAGE_SIZE } from "../../../constants";
 import { Invitation, StagesApi } from "authentik-api";
@@ -15,6 +16,8 @@ import { DEFAULT_CONFIG } from "../../../api/Config";
 
 @customElement("ak-stage-invitation-list")
 export class InvitationListPage extends TablePage<Invitation> {
+    expandable = true;
+
     searchEnabled(): boolean {
         return true;
     }
@@ -75,6 +78,18 @@ export class InvitationListPage extends TablePage<Invitation> {
         ];
     }
 
+    renderExpanded(item: Invitation): TemplateResult {
+        return html`
+        <td role="cell" colspan="3">
+            <div class="pf-c-table__expandable-row-content">
+                <ak-stage-invitation-list-link invitation=${item.pk}></ak-stage-invitation-list-link>
+            </div>
+        </td>
+        <td></td>
+        <td></td>
+        <td></td>`;
+    }
+
     renderToolbar(): TemplateResult {
         return html`
         <ak-forms-modal>

From 16e6e4c3b7c5819d2b6a6ecd8b0eb7e59a611a88 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Sun, 1 Aug 2021 11:47:39 +0200
Subject: [PATCH 13/24] web/admin: add re-authenticate button for plex

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

#1205
---
 web/src/locales/en.po                        | 4 ++++
 web/src/locales/pseudo-LOCALE.po             | 4 ++++
 web/src/pages/sources/plex/PlexSourceForm.ts | 8 +++++++-
 3 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/web/src/locales/en.po b/web/src/locales/en.po
index 06701eaf..5f5de231 100644
--- a/web/src/locales/en.po
+++ b/web/src/locales/en.po
@@ -3015,6 +3015,10 @@ msgstr "RSA-SHA384"
 msgid "RSA-SHA512"
 msgstr "RSA-SHA512"
 
+#: src/pages/sources/plex/PlexSourceForm.ts
+msgid "Re-authenticate with plex"
+msgstr "Re-authenticate with plex"
+
 #: src/pages/flows/StageBindingForm.ts
 msgid "Re-evaluate policies"
 msgstr "Re-evaluate policies"
diff --git a/web/src/locales/pseudo-LOCALE.po b/web/src/locales/pseudo-LOCALE.po
index caf2014d..ed51dac9 100644
--- a/web/src/locales/pseudo-LOCALE.po
+++ b/web/src/locales/pseudo-LOCALE.po
@@ -3007,6 +3007,10 @@ msgstr ""
 msgid "RSA-SHA512"
 msgstr ""
 
+#: src/pages/sources/plex/PlexSourceForm.ts
+msgid "Re-authenticate with plex"
+msgstr ""
+
 #: src/pages/flows/StageBindingForm.ts
 msgid "Re-evaluate policies"
 msgstr ""
diff --git a/web/src/pages/sources/plex/PlexSourceForm.ts b/web/src/pages/sources/plex/PlexSourceForm.ts
index ecce835c..726a6fb2 100644
--- a/web/src/pages/sources/plex/PlexSourceForm.ts
+++ b/web/src/pages/sources/plex/PlexSourceForm.ts
@@ -85,7 +85,13 @@ export class PlexSourceForm extends ModelForm<PlexSource, string> {
                     ${t`Load servers`}
                 </button>`;
         }
-        return html`<ak-form-element-horizontal name="allowFriends">
+        return html`
+            <button class="pf-c-button pf-m-secondary" type="button" @click=${() => {
+                this.doAuth();
+            }}>
+                    ${t`Re-authenticate with plex`}
+            </button>
+            <ak-form-element-horizontal name="allowFriends">
                 <div class="pf-c-check">
                     <input type="checkbox" class="pf-c-check__input" ?checked=${first(this.instance?.allowFriends, true)}>
                     <label class="pf-c-check__label">

From a97f8421123d8309266b7cefbf297746199fc910 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Sun, 1 Aug 2021 12:24:52 +0200
Subject: [PATCH 14/24] sources/plex: add background task to monitor validity
 of plex token

closes #1205

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
---
 authentik/sources/plex/settings.py | 10 +++++++
 authentik/sources/plex/tasks.py    | 43 ++++++++++++++++++++++++++++++
 authentik/sources/plex/tests.py    | 18 +++++++++++++
 3 files changed, 71 insertions(+)
 create mode 100644 authentik/sources/plex/settings.py
 create mode 100644 authentik/sources/plex/tasks.py

diff --git a/authentik/sources/plex/settings.py b/authentik/sources/plex/settings.py
new file mode 100644
index 00000000..bfd5d194
--- /dev/null
+++ b/authentik/sources/plex/settings.py
@@ -0,0 +1,10 @@
+"""Plex source settings"""
+from celery.schedules import crontab
+
+CELERY_BEAT_SCHEDULE = {
+    "check_plex_token": {
+        "task": "authentik.sources.plex.tasks.check_plex_token_all",
+        "schedule": crontab(minute="31", hour="*/3"),
+        "options": {"queue": "authentik_scheduled"},
+    },
+}
diff --git a/authentik/sources/plex/tasks.py b/authentik/sources/plex/tasks.py
new file mode 100644
index 00000000..705d5382
--- /dev/null
+++ b/authentik/sources/plex/tasks.py
@@ -0,0 +1,43 @@
+"""Plex tasks"""
+from requests import RequestException
+
+from authentik.events.models import Event, EventAction
+from authentik.events.monitored_tasks import MonitoredTask, TaskResult, TaskResultStatus
+from authentik.root.celery import CELERY_APP
+from authentik.sources.plex.models import PlexSource
+from authentik.sources.plex.plex import PlexAuth
+
+
+@CELERY_APP.task()
+def check_plex_token_all():
+    """Check plex token for all plex sources"""
+    for source in PlexSource.objects.all():
+        check_plex_token.delay(source.slug)
+
+
+@CELERY_APP.task(bind=True, base=MonitoredTask)
+def check_plex_token(self: MonitoredTask, source_slug: int):
+    """Check the validity of a Plex source."""
+    sources = PlexSource.objects.filter(slug=source_slug)
+    if not sources.exists():
+        return
+    source: PlexSource = sources.first()
+    self.set_uid(source.slug)
+    auth = PlexAuth(source, source.plex_token)
+    try:
+        auth.get_user_info()
+        self.set_status(
+            TaskResult(TaskResultStatus.SUCCESSFUL, ["Plex token is valid."])
+        )
+    except RequestException as exc:
+        self.set_status(
+            TaskResult(
+                TaskResultStatus.ERROR,
+                ["Plex token is invalid/an error occurred:", str(exc)],
+            )
+        )
+        Event.new(
+            EventAction.CONFIGURATION_ERROR,
+            message=f"Plex token invalid, please re-authenticate source.\n{str(exc)}",
+            source=source,
+        ).save()
diff --git a/authentik/sources/plex/tests.py b/authentik/sources/plex/tests.py
index eb2ab30c..5ee57d5d 100644
--- a/authentik/sources/plex/tests.py
+++ b/authentik/sources/plex/tests.py
@@ -1,10 +1,13 @@
 """plex Source tests"""
 from django.test import TestCase
+from requests.exceptions import RequestException
 from requests_mock import Mocker
 
+from authentik.events.models import Event, EventAction
 from authentik.providers.oauth2.generators import generate_client_secret
 from authentik.sources.plex.models import PlexSource
 from authentik.sources.plex.plex import PlexAuth
+from authentik.sources.plex.tasks import check_plex_token_all
 
 USER_INFO_RESPONSE = {
     "id": 1234123419,
@@ -62,3 +65,18 @@ class TestPlexSource(TestCase):
         with Mocker() as mocker:
             mocker.get("https://plex.tv/api/v2/resources", json=RESOURCES_RESPONSE)
             self.assertTrue(api.check_server_overlap())
+
+    def test_check_task(self):
+        """Test token check task"""
+        with Mocker() as mocker:
+            mocker.get("https://plex.tv/api/v2/user", json=USER_INFO_RESPONSE)
+            check_plex_token_all()
+            self.assertFalse(
+                Event.objects.filter(action=EventAction.CONFIGURATION_ERROR).exists()
+            )
+        with Mocker() as mocker:
+            mocker.get("https://plex.tv/api/v2/user", exc=RequestException())
+            check_plex_token_all()
+            self.assertTrue(
+                Event.objects.filter(action=EventAction.CONFIGURATION_ERROR).exists()
+            )

From 72b7642c5ab9002ab0287e19940216df82447740 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Sun, 1 Aug 2021 12:25:11 +0200
Subject: [PATCH 15/24] outposts: catch invalid ServiceConnection error in
 outpost controller

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
---
 authentik/outposts/tasks.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/authentik/outposts/tasks.py b/authentik/outposts/tasks.py
index 7bcca047..da683f8f 100644
--- a/authentik/outposts/tasks.py
+++ b/authentik/outposts/tasks.py
@@ -28,6 +28,7 @@ from authentik.outposts.models import (
     OutpostServiceConnection,
     OutpostState,
     OutpostType,
+    ServiceConnectionInvalid,
 )
 from authentik.providers.ldap.controllers.docker import LDAPDockerController
 from authentik.providers.ldap.controllers.kubernetes import LDAPKubernetesController
@@ -114,7 +115,7 @@ def outpost_controller(
         for log in logs:
             LOGGER.debug(log)
         LOGGER.debug("-----------------Outpost Controller logs end-------------------")
-    except ControllerException as exc:
+    except (ControllerException, ServiceConnectionInvalid) as exc:
         self.set_status(TaskResult(TaskResultStatus.ERROR).with_error(exc))
     else:
         self.set_status(TaskResult(TaskResultStatus.SUCCESSFUL, logs))

From fe629f8b5118f06acfa790af37f5e0da7b22c923 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Sun, 1 Aug 2021 12:44:10 +0200
Subject: [PATCH 16/24] web/admin: fix empty column when no invitation expiry
 was set

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
---
 web/src/pages/stages/invitation/InvitationListPage.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/web/src/pages/stages/invitation/InvitationListPage.ts b/web/src/pages/stages/invitation/InvitationListPage.ts
index 08dbb691..fa273668 100644
--- a/web/src/pages/stages/invitation/InvitationListPage.ts
+++ b/web/src/pages/stages/invitation/InvitationListPage.ts
@@ -56,7 +56,7 @@ export class InvitationListPage extends TablePage<Invitation> {
         return [
             html`${item.pk}`,
             html`${item.createdBy?.username}`,
-            html`${item.expires?.toLocaleString()}`,
+            html`${item.expires?.toLocaleString() || "-"}`,
             html`
             <ak-forms-delete
                 .obj=${item}

From 26e66969c9a14a94e38bba6965ee0d1cc2c210c2 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Sun, 1 Aug 2021 13:21:27 +0200
Subject: [PATCH 17/24] stages/invitation: delete invite only after full
 enrollment flow is completed

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
---
 authentik/stages/invitation/stage.py | 39 +++++++++++++++++++++++++---
 authentik/stages/invitation/tests.py |  6 +++--
 2 files changed, 40 insertions(+), 5 deletions(-)

diff --git a/authentik/stages/invitation/stage.py b/authentik/stages/invitation/stage.py
index 5385411d..d48ee03a 100644
--- a/authentik/stages/invitation/stage.py
+++ b/authentik/stages/invitation/stage.py
@@ -1,18 +1,23 @@
 """invitation stage logic"""
-from copy import deepcopy
 from typing import Optional
 
+from deepmerge import always_merger
 from django.http import HttpRequest, HttpResponse
+from django.http.response import HttpResponseBadRequest
 from django.shortcuts import get_object_or_404
+from structlog.stdlib import get_logger
 
+from authentik.flows.models import in_memory_stage
 from authentik.flows.stage import StageView
 from authentik.flows.views import SESSION_KEY_GET
 from authentik.stages.invitation.models import Invitation, InvitationStage
 from authentik.stages.invitation.signals import invitation_used
 from authentik.stages.prompt.stage import PLAN_CONTEXT_PROMPT
 
+LOGGER = get_logger()
 INVITATION_TOKEN_KEY = "token"  # nosec
 INVITATION_IN_EFFECT = "invitation_in_effect"
+INVITATION = "invitation"
 
 
 class InvitationStageView(StageView):
@@ -39,9 +44,37 @@ class InvitationStageView(StageView):
             return self.executor.stage_invalid()
 
         invite: Invitation = get_object_or_404(Invitation, pk=token)
-        self.executor.plan.context[PLAN_CONTEXT_PROMPT] = deepcopy(invite.fixed_data)
         self.executor.plan.context[INVITATION_IN_EFFECT] = True
+        self.executor.plan.context[INVITATION] = invite
+
+        context = {}
+        always_merger.merge(
+            context, self.executor.plan.context.get(PLAN_CONTEXT_PROMPT, {})
+        )
+        always_merger.merge(context, invite.fixed_data)
+        self.executor.plan.context[PLAN_CONTEXT_PROMPT] = context
+
         invitation_used.send(sender=self, request=request, invitation=invite)
         if invite.single_use:
-            invite.delete()
+            self.executor.plan.append_stage(in_memory_stage(InvitationFinalStageView))
+        return self.executor.stage_ok()
+
+
+class InvitationFinalStageView(StageView):
+    """Final stage which is injected by invitation stage. Deletes
+    the used invitation."""
+
+    def post(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
+        """Call get as this request may be called with post"""
+        return self.get(request, *args, **kwargs)
+
+    def get(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
+        """Delete invitation if single_use is active"""
+        invitation: Invitation = self.executor.plan.context.get(INVITATION, None)
+        if not invitation:
+            LOGGER.warning("InvitationFinalStageView stage called without invitation")
+            return HttpResponseBadRequest
+        if not invitation.single_use:
+            return self.executor.stage_ok()
+        invitation.delete()
         return self.executor.stage_ok()
diff --git a/authentik/stages/invitation/tests.py b/authentik/stages/invitation/tests.py
index 72e9f93b..c82e2b44 100644
--- a/authentik/stages/invitation/tests.py
+++ b/authentik/stages/invitation/tests.py
@@ -156,11 +156,13 @@ class TestUserLoginStage(TestCase):
             base_url = reverse(
                 "authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug}
             )
-            response = self.client.get(base_url)
+            response = self.client.get(base_url, follow=True)
 
         session = self.client.session
         plan: FlowPlan = session[SESSION_KEY_PLAN]
-        self.assertEqual(plan.context[PLAN_CONTEXT_PROMPT], data)
+        self.assertEqual(
+            plan.context[PLAN_CONTEXT_PROMPT], data | plan.context[PLAN_CONTEXT_PROMPT]
+        )
 
         self.assertEqual(response.status_code, 200)
         self.assertJSONEqual(

From 29fe731bbf38c07dd89b595c83c169be3326f1c5 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Sun, 1 Aug 2021 13:50:54 +0200
Subject: [PATCH 18/24] providers/saml: fix Error when getting metadata for
 invalid ID

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
---
 authentik/providers/saml/api.py | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/authentik/providers/saml/api.py b/authentik/providers/saml/api.py
index a5cdcf6c..ba2ff33e 100644
--- a/authentik/providers/saml/api.py
+++ b/authentik/providers/saml/api.py
@@ -3,7 +3,6 @@ from xml.etree.ElementTree import ParseError  # nosec
 
 from defusedxml.ElementTree import fromstring
 from django.http.response import HttpResponse
-from django.shortcuts import get_object_or_404
 from django.urls import reverse
 from django.utils.translation import gettext_lazy as _
 from drf_spectacular.types import OpenApiTypes
@@ -115,8 +114,7 @@ class SAMLProviderViewSet(UsedByMixin, ModelViewSet):
     # pylint: disable=invalid-name, unused-argument
     def metadata(self, request: Request, pk: int) -> Response:
         """Return metadata as XML string"""
-        # We don't use self.get_object() on purpose as this view is un-authenticated
-        provider = get_object_or_404(SAMLProvider, pk=pk)
+        provider = self.get_object()
         try:
             metadata = MetadataProcessor(provider, request).build_entity_descriptor()
             if "download" in request._request.GET:

From 1ec540ea9a2749bc06c4b5f174151279972bf347 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Sun, 1 Aug 2021 14:50:17 +0200
Subject: [PATCH 19/24] providers/saml: fix metadata being inaccessible without
 authentication

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
---
 authentik/providers/saml/api.py            | 9 +++++++--
 authentik/providers/saml/tests/test_api.py | 7 +++++++
 2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/authentik/providers/saml/api.py b/authentik/providers/saml/api.py
index ba2ff33e..510f2a15 100644
--- a/authentik/providers/saml/api.py
+++ b/authentik/providers/saml/api.py
@@ -2,7 +2,8 @@
 from xml.etree.ElementTree import ParseError  # nosec
 
 from defusedxml.ElementTree import fromstring
-from django.http.response import HttpResponse
+from django.http.response import Http404, HttpResponse
+from django.shortcuts import get_object_or_404
 from django.urls import reverse
 from django.utils.translation import gettext_lazy as _
 from drf_spectacular.types import OpenApiTypes
@@ -114,7 +115,11 @@ class SAMLProviderViewSet(UsedByMixin, ModelViewSet):
     # pylint: disable=invalid-name, unused-argument
     def metadata(self, request: Request, pk: int) -> Response:
         """Return metadata as XML string"""
-        provider = self.get_object()
+        # We don't use self.get_object() on purpose as this view is un-authenticated
+        try:
+            provider = get_object_or_404(SAMLProvider, pk=pk)
+        except ValueError:
+            raise Http404
         try:
             metadata = MetadataProcessor(provider, request).build_entity_descriptor()
             if "download" in request._request.GET:
diff --git a/authentik/providers/saml/tests/test_api.py b/authentik/providers/saml/tests/test_api.py
index 3e34edac..ad7b0dac 100644
--- a/authentik/providers/saml/tests/test_api.py
+++ b/authentik/providers/saml/tests/test_api.py
@@ -20,6 +20,7 @@ class TestSAMLProviderAPI(APITestCase):
 
     def test_metadata(self):
         """Test metadata export (normal)"""
+        self.client.logout()
         provider = SAMLProvider.objects.create(
             name="test",
             authorization_flow=Flow.objects.get(
@@ -34,6 +35,7 @@ class TestSAMLProviderAPI(APITestCase):
 
     def test_metadata_download(self):
         """Test metadata export (download)"""
+        self.client.logout()
         provider = SAMLProvider.objects.create(
             name="test",
             authorization_flow=Flow.objects.get(
@@ -50,6 +52,7 @@ class TestSAMLProviderAPI(APITestCase):
 
     def test_metadata_invalid(self):
         """Test metadata export (invalid)"""
+        self.client.logout()
         # Provider without application
         provider = SAMLProvider.objects.create(
             name="test",
@@ -61,6 +64,10 @@ class TestSAMLProviderAPI(APITestCase):
             reverse("authentik_api:samlprovider-metadata", kwargs={"pk": provider.pk}),
         )
         self.assertEqual(200, response.status_code)
+        response = self.client.get(
+            reverse("authentik_api:samlprovider-metadata", kwargs={"pk": "abc"}),
+        )
+        self.assertEqual(404, response.status_code)
 
     def test_import_success(self):
         """Test metadata import (success case)"""

From f84cd6208c685bbfd6c0fcbc61b80e071a69872e Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Sun, 1 Aug 2021 14:56:48 +0200
Subject: [PATCH 20/24] flows: fix unhandled error in stage execution not being
 logged as SYSTEM_EXCEPTION event

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
---
 authentik/flows/views.py | 27 ++++++++++++++++-----------
 1 file changed, 16 insertions(+), 11 deletions(-)

diff --git a/authentik/flows/views.py b/authentik/flows/views.py
index 2a6ab7b3..7df3c922 100644
--- a/authentik/flows/views.py
+++ b/authentik/flows/views.py
@@ -26,7 +26,7 @@ from sentry_sdk import capture_exception
 from structlog.stdlib import BoundLogger, get_logger
 
 from authentik.core.models import USER_ATTRIBUTE_DEBUG
-from authentik.events.models import cleanse_dict
+from authentik.events.models import Event, EventAction, cleanse_dict
 from authentik.flows.challenge import (
     AccessDeniedChallenge,
     Challenge,
@@ -52,6 +52,7 @@ from authentik.flows.planner import (
     FlowPlanner,
 )
 from authentik.lib.sentry import SentryIgnoredException
+from authentik.lib.utils.errors import exception_to_string
 from authentik.lib.utils.reflection import all_subclasses, class_to_path
 from authentik.lib.utils.urls import is_url_absolute, redirect_with_qs
 from authentik.tenants.models import Tenant
@@ -203,6 +204,18 @@ class FlowExecutorView(APIView):
         except InvalidStageError as exc:
             return self.stage_invalid(str(exc))
 
+    def handle_exception(self, exc: Exception) -> HttpResponse:
+        """Handle exception in stage execution"""
+        if settings.DEBUG or settings.TEST:
+            raise exc
+        capture_exception(exc)
+        self._logger.warning(exc)
+        Event.new(
+            action=EventAction.SYSTEM_EXCEPTION,
+            message=exception_to_string(exc),
+        ).from_http(self.request)
+        return to_stage_response(self.request, FlowErrorResponse(self.request, exc))
+
     @extend_schema(
         responses={
             200: PolymorphicProxySerializer(
@@ -237,11 +250,7 @@ class FlowExecutorView(APIView):
             stage_response = self.current_stage_view.get(request, *args, **kwargs)
             return to_stage_response(request, stage_response)
         except Exception as exc:  # pylint: disable=broad-except
-            if settings.DEBUG or settings.TEST:
-                raise exc
-            capture_exception(exc)
-            self._logger.warning(exc)
-            return to_stage_response(request, FlowErrorResponse(request, exc))
+            return self.handle_exception(exc)
 
     @extend_schema(
         responses={
@@ -278,11 +287,7 @@ class FlowExecutorView(APIView):
             stage_response = self.current_stage_view.post(request, *args, **kwargs)
             return to_stage_response(request, stage_response)
         except Exception as exc:  # pylint: disable=broad-except
-            if settings.DEBUG or settings.TEST:
-                raise exc
-            capture_exception(exc)
-            self._logger.warning(exc)
-            return to_stage_response(request, FlowErrorResponse(request, exc))
+            return self.handle_exception(exc)
 
     def _initiate_plan(self) -> FlowPlan:
         planner = FlowPlanner(self.flow)

From d767504474b5c346b63c375d5a35e0d7cbb4ad29 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Sun, 1 Aug 2021 15:10:45 +0200
Subject: [PATCH 21/24] flows: don't check redirect URL when set from flow plan
 (set from authentik or policy)

closes #1203

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
---
 authentik/flows/views.py    | 15 ++++++++-------
 authentik/lib/utils/urls.py |  2 +-
 2 files changed, 9 insertions(+), 8 deletions(-)

diff --git a/authentik/flows/views.py b/authentik/flows/views.py
index 7df3c922..3f3fe4b0 100644
--- a/authentik/flows/views.py
+++ b/authentik/flows/views.py
@@ -322,14 +322,15 @@ class FlowExecutorView(APIView):
         """User Successfully passed all stages"""
         # Since this is wrapped by the ExecutorShell, the next argument is saved in the session
         # extract the next param before cancel as that cleans it
-        next_param = None
-        if self.plan:
-            next_param = self.plan.context.get(PLAN_CONTEXT_REDIRECT)
-        if not next_param:
-            next_param = self.request.session.get(SESSION_KEY_GET, {}).get(
-                NEXT_ARG_NAME, "authentik_core:root-redirect"
-            )
         self.cancel()
+        if self.plan and PLAN_CONTEXT_REDIRECT in self.plan.context:
+            # The context `redirect` variable can only be set by
+            # an expression policy or authentik itself, so we don't
+            # check if its an absolute URL or a relative one
+            return redirect(self.plan.context.get(PLAN_CONTEXT_REDIRECT))
+        next_param = self.request.session.get(SESSION_KEY_GET, {}).get(
+            NEXT_ARG_NAME, "authentik_core:root-redirect"
+        )
         return to_stage_response(self.request, redirect_with_qs(next_param))
 
     def stage_ok(self) -> HttpResponse:
diff --git a/authentik/lib/utils/urls.py b/authentik/lib/utils/urls.py
index 5dc92a75..f3c5de93 100644
--- a/authentik/lib/utils/urls.py
+++ b/authentik/lib/utils/urls.py
@@ -22,7 +22,7 @@ def redirect_with_qs(view: str, get_query_set=None, **kwargs) -> HttpResponse:
     except NoReverseMatch:
         if not is_url_absolute(view):
             return redirect(view)
-        LOGGER.debug("redirect target is not a valid view", view=view)
+        LOGGER.warning("redirect target is not a valid view", view=view)
         raise
     else:
         if get_query_set:

From 85e86351cdb1becd6070095a49933145db6e540e Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Sun, 1 Aug 2021 17:50:43 +0200
Subject: [PATCH 22/24] flows: fix flows not redirecting correctly

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
---
 authentik/flows/views.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/authentik/flows/views.py b/authentik/flows/views.py
index 3f3fe4b0..ddfb8fa4 100644
--- a/authentik/flows/views.py
+++ b/authentik/flows/views.py
@@ -322,15 +322,16 @@ class FlowExecutorView(APIView):
         """User Successfully passed all stages"""
         # Since this is wrapped by the ExecutorShell, the next argument is saved in the session
         # extract the next param before cancel as that cleans it
-        self.cancel()
         if self.plan and PLAN_CONTEXT_REDIRECT in self.plan.context:
             # The context `redirect` variable can only be set by
             # an expression policy or authentik itself, so we don't
             # check if its an absolute URL or a relative one
+            self.cancel()
             return redirect(self.plan.context.get(PLAN_CONTEXT_REDIRECT))
         next_param = self.request.session.get(SESSION_KEY_GET, {}).get(
             NEXT_ARG_NAME, "authentik_core:root-redirect"
         )
+        self.cancel()
         return to_stage_response(self.request, redirect_with_qs(next_param))
 
     def stage_ok(self) -> HttpResponse:

From aac91c2e9d8ca1e08c1c926bbc0542031f01e7ee Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Sun, 1 Aug 2021 17:53:13 +0200
Subject: [PATCH 23/24] stages/email: handle OSError

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
---
 authentik/stages/email/tasks.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/authentik/stages/email/tasks.py b/authentik/stages/email/tasks.py
index db9c72d3..59ebf6e6 100644
--- a/authentik/stages/email/tasks.py
+++ b/authentik/stages/email/tasks.py
@@ -91,7 +91,7 @@ def send_mail(
                 messages=["Successfully sent Mail."],
             )
         )
-    except (SMTPException, ConnectionError) as exc:
+    except (SMTPException, ConnectionError, OSError) as exc:
         LOGGER.debug("Error sending email, retrying...", exc=exc)
         self.set_status(TaskResult(TaskResultStatus.ERROR).with_error(exc))
         raise exc

From add7a80fdc7933823d01394b730071fa1367990c Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Sun, 1 Aug 2021 19:11:50 +0200
Subject: [PATCH 24/24] release: 2021.7.2

---
 .bumpversion.cfg                              |  2 +-
 .github/workflows/release.yml                 | 20 +++++++++----------
 authentik/__init__.py                         |  2 +-
 docker-compose.yml                            |  4 ++--
 internal/constants/constants.go               |  2 +-
 schema.yml                                    |  2 +-
 web/src/constants.ts                          |  2 +-
 website/docs/installation/docker-compose.md   |  4 ++--
 .../outposts/manual-deploy-docker-compose.md  |  4 ++--
 .../docs/outposts/manual-deploy-kubernetes.md | 14 ++++++-------
 10 files changed, 28 insertions(+), 28 deletions(-)

diff --git a/.bumpversion.cfg b/.bumpversion.cfg
index b010321e..d9f67e48 100644
--- a/.bumpversion.cfg
+++ b/.bumpversion.cfg
@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2021.7.1
+current_version = 2021.7.2
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)\-?(?P<release>.*)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index db2ce859..9ff962ed 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -33,14 +33,14 @@ jobs:
         with:
           push: ${{ github.event_name == 'release' }}
           tags: |
-            beryju/authentik:2021.7.1,
+            beryju/authentik:2021.7.2,
             beryju/authentik:latest,
-            ghcr.io/goauthentik/server:2021.7.1,
+            ghcr.io/goauthentik/server:2021.7.2,
             ghcr.io/goauthentik/server:latest
           platforms: linux/amd64,linux/arm64
           context: .
       - name: Building Docker Image (stable)
-        if: ${{ github.event_name == 'release' && !contains('2021.7.1', 'rc') }}
+        if: ${{ github.event_name == 'release' && !contains('2021.7.2', 'rc') }}
         run: |
           docker pull beryju/authentik:latest
           docker tag beryju/authentik:latest beryju/authentik:stable
@@ -75,14 +75,14 @@ jobs:
         with:
           push: ${{ github.event_name == 'release' }}
           tags: |
-            beryju/authentik-proxy:2021.7.1,
+            beryju/authentik-proxy:2021.7.2,
             beryju/authentik-proxy:latest,
-            ghcr.io/goauthentik/proxy:2021.7.1,
+            ghcr.io/goauthentik/proxy:2021.7.2,
             ghcr.io/goauthentik/proxy:latest
           file: proxy.Dockerfile
           platforms: linux/amd64,linux/arm64
       - name: Building Docker Image (stable)
-        if: ${{ github.event_name == 'release' && !contains('2021.7.1', 'rc') }}
+        if: ${{ github.event_name == 'release' && !contains('2021.7.2', 'rc') }}
         run: |
           docker pull beryju/authentik-proxy:latest
           docker tag beryju/authentik-proxy:latest beryju/authentik-proxy:stable
@@ -117,14 +117,14 @@ jobs:
         with:
           push: ${{ github.event_name == 'release' }}
           tags: |
-            beryju/authentik-ldap:2021.7.1,
+            beryju/authentik-ldap:2021.7.2,
             beryju/authentik-ldap:latest,
-            ghcr.io/goauthentik/ldap:2021.7.1,
+            ghcr.io/goauthentik/ldap:2021.7.2,
             ghcr.io/goauthentik/ldap:latest
           file: ldap.Dockerfile
           platforms: linux/amd64,linux/arm64
       - name: Building Docker Image (stable)
-        if: ${{ github.event_name == 'release' && !contains('2021.7.1', 'rc') }}
+        if: ${{ github.event_name == 'release' && !contains('2021.7.2', 'rc') }}
         run: |
           docker pull beryju/authentik-ldap:latest
           docker tag beryju/authentik-ldap:latest beryju/authentik-ldap:stable
@@ -176,7 +176,7 @@ jobs:
           SENTRY_PROJECT: authentik
           SENTRY_URL: https://sentry.beryju.org
         with:
-          version: authentik@2021.7.1
+          version: authentik@2021.7.2
           environment: beryjuorg-prod
           sourcemaps: './web/dist'
           url_prefix: '~/static/dist'
diff --git a/authentik/__init__.py b/authentik/__init__.py
index ec160d27..49849a06 100644
--- a/authentik/__init__.py
+++ b/authentik/__init__.py
@@ -1,3 +1,3 @@
 """authentik"""
-__version__ = "2021.7.1"
+__version__ = "2021.7.2"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
diff --git a/docker-compose.yml b/docker-compose.yml
index e4054506..60d8d5f2 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -21,7 +21,7 @@ services:
     networks:
       - internal
   server:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2021.7.1}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2021.7.2}
     restart: unless-stopped
     command: server
     environment:
@@ -44,7 +44,7 @@ services:
       - "0.0.0.0:9000:9000"
       - "0.0.0.0:9443:9443"
   worker:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2021.7.1}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2021.7.2}
     restart: unless-stopped
     command: worker
     networks:
diff --git a/internal/constants/constants.go b/internal/constants/constants.go
index 5cbfa41d..680d353c 100644
--- a/internal/constants/constants.go
+++ b/internal/constants/constants.go
@@ -17,4 +17,4 @@ func OutpostUserAgent() string {
 	return fmt.Sprintf("authentik-outpost@%s (%s)", VERSION, BUILD())
 }
 
-const VERSION = "2021.7.1"
+const VERSION = "2021.7.2"
diff --git a/schema.yml b/schema.yml
index 5e842ee1..29a140af 100644
--- a/schema.yml
+++ b/schema.yml
@@ -1,7 +1,7 @@
 openapi: 3.0.3
 info:
   title: authentik
-  version: 2021.7.1
+  version: 2021.7.2
   description: Making authentication simple.
   contact:
     email: hello@beryju.org
diff --git a/web/src/constants.ts b/web/src/constants.ts
index 32d5edb2..314eb50a 100644
--- a/web/src/constants.ts
+++ b/web/src/constants.ts
@@ -3,7 +3,7 @@ export const SUCCESS_CLASS = "pf-m-success";
 export const ERROR_CLASS = "pf-m-danger";
 export const PROGRESS_CLASS = "pf-m-in-progress";
 export const CURRENT_CLASS = "pf-m-current";
-export const VERSION = "2021.7.1";
+export const VERSION = "2021.7.2";
 export const PAGE_SIZE = 20;
 export const TITLE_DEFAULT = "authentik";
 export const ROUTE_SEPARATOR = ";";
diff --git a/website/docs/installation/docker-compose.md b/website/docs/installation/docker-compose.md
index b5e819ae..0f3ac2ac 100644
--- a/website/docs/installation/docker-compose.md
+++ b/website/docs/installation/docker-compose.md
@@ -12,11 +12,11 @@ This installation method is for test-setups and small-scale productive setups.
 
 ## Preparation
 
-Download the latest `docker-compose.yml` from [here](https://raw.githubusercontent.com/goauthentik/authentik/version/2021.7.1/docker-compose.yml). Place it in a directory of your choice.
+Download the latest `docker-compose.yml` from [here](https://raw.githubusercontent.com/goauthentik/authentik/version/2021.7.2/docker-compose.yml). Place it in a directory of your choice.
 
 To optionally enable error-reporting, run `echo AUTHENTIK_ERROR_REPORTING__ENABLED=true >> .env`
 
-To optionally deploy a different version run `echo AUTHENTIK_TAG=2021.7.1 >> .env`
+To optionally deploy a different version run `echo AUTHENTIK_TAG=2021.7.2 >> .env`
 
 If this is a fresh authentik install run the following commands to generate a password:
 
diff --git a/website/docs/outposts/manual-deploy-docker-compose.md b/website/docs/outposts/manual-deploy-docker-compose.md
index 5bad46bb..6ee2adf3 100644
--- a/website/docs/outposts/manual-deploy-docker-compose.md
+++ b/website/docs/outposts/manual-deploy-docker-compose.md
@@ -11,7 +11,7 @@ version: "3.5"
 
 services:
   authentik_proxy:
-    image: ghcr.io/goauthentik/proxy:2021.7.1
+    image: ghcr.io/goauthentik/proxy:2021.7.2
     ports:
       - 4180:4180
       - 4443:4443
@@ -21,7 +21,7 @@ services:
       AUTHENTIK_TOKEN: token-generated-by-authentik
   # Or, for the LDAP Outpost
   authentik_proxy:
-    image: ghcr.io/goauthentik/ldap:2021.7.1
+    image: ghcr.io/goauthentik/ldap:2021.7.2
     ports:
       - 389:3389
     environment:
diff --git a/website/docs/outposts/manual-deploy-kubernetes.md b/website/docs/outposts/manual-deploy-kubernetes.md
index 0d4ce233..b63191bf 100644
--- a/website/docs/outposts/manual-deploy-kubernetes.md
+++ b/website/docs/outposts/manual-deploy-kubernetes.md
@@ -14,7 +14,7 @@ metadata:
     app.kubernetes.io/instance: __OUTPOST_NAME__
     app.kubernetes.io/managed-by: goauthentik.io
     app.kubernetes.io/name: authentik-proxy
-    app.kubernetes.io/version: 2021.7.1
+    app.kubernetes.io/version: 2021.7.2
   name: authentik-outpost-api
 stringData:
   authentik_host: "__AUTHENTIK_URL__"
@@ -29,7 +29,7 @@ metadata:
     app.kubernetes.io/instance: __OUTPOST_NAME__
     app.kubernetes.io/managed-by: goauthentik.io
     app.kubernetes.io/name: authentik-proxy
-    app.kubernetes.io/version: 2021.7.1
+    app.kubernetes.io/version: 2021.7.2
   name: authentik-outpost
 spec:
   ports:
@@ -54,7 +54,7 @@ metadata:
     app.kubernetes.io/instance: __OUTPOST_NAME__
     app.kubernetes.io/managed-by: goauthentik.io
     app.kubernetes.io/name: authentik-proxy
-    app.kubernetes.io/version: 2021.7.1
+    app.kubernetes.io/version: 2021.7.2
   name: authentik-outpost
 spec:
   selector:
@@ -62,14 +62,14 @@ spec:
       app.kubernetes.io/instance: __OUTPOST_NAME__
       app.kubernetes.io/managed-by: goauthentik.io
       app.kubernetes.io/name: authentik-proxy
-      app.kubernetes.io/version: 2021.7.1
+      app.kubernetes.io/version: 2021.7.2
   template:
     metadata:
       labels:
         app.kubernetes.io/instance: __OUTPOST_NAME__
         app.kubernetes.io/managed-by: goauthentik.io
         app.kubernetes.io/name: authentik-proxy
-        app.kubernetes.io/version: 2021.7.1
+        app.kubernetes.io/version: 2021.7.2
     spec:
       containers:
         - env:
@@ -88,7 +88,7 @@ spec:
               secretKeyRef:
                 key: authentik_host_insecure
                 name: authentik-outpost-api
-        image: ghcr.io/goauthentik/proxy:2021.7.1
+        image: ghcr.io/goauthentik/proxy:2021.7.2
         name: proxy
         ports:
           - containerPort: 4180
@@ -110,7 +110,7 @@ metadata:
     app.kubernetes.io/instance: __OUTPOST_NAME__
     app.kubernetes.io/managed-by: goauthentik.io
     app.kubernetes.io/name: authentik-proxy
-    app.kubernetes.io/version: 2021.7.1
+    app.kubernetes.io/version: 2021.7.2
   name: authentik-outpost
 spec:
   rules: