goauthentik / authentik

The authentication glue you need.

Home Page: https://goauthentik.io

License: Other

Languages: Dockerfile 0.20%, HTML 0.37%, Python 53.57%, CSS 0.31%, JavaScript 0.72%, Shell 0.05%, Makefile 0.17%, Go 4.83%, TypeScript 38.49%, MDX 1.28%
Topics: saml, saml-idp, saml-sp, oauth2, oauth2-server, oauth2-client, oidc, oidc-provider, oidc-client, sso

authentik's Introduction


What is authentik?

authentik is an open-source Identity Provider that emphasizes flexibility and versatility. It can be seamlessly integrated into existing environments to support new protocols. authentik is also a great solution for implementing sign-up, recovery, and other similar features in your application, saving you the hassle of dealing with them.

Installation

For small/test setups it is recommended to use Docker Compose; refer to the documentation.

For bigger setups, there is a Helm Chart here. This is documented here.

Screenshots

Light Dark

Development

See Developer Documentation

Security

See SECURITY.md

Adoption and Contributions

Your organization uses authentik? We'd love to add your logo to the readme and our website! Email us @ [email protected] or open a GitHub Issue/PR! For more information on how to contribute to authentik, please refer to our CONTRIBUTING.md file.


authentik's Issues

Merging of users

Currently, on enrollment via a Source, a decision is made whether to create a new user or authenticate an existing user.

This decision is made using the following criteria:

  • OAuth Source:
    If the request is authenticated, the OAuth identity is assigned to the currently authenticated user.
    If the identifier has been saved before, the user is authenticated
    Otherwise, a new user is created
  • SAML Source
    Depending on the NameID Policy of the remote IDP, a user query is done.
    If a user is found, they are authenticated. Otherwise a new user is created
  • LDAP Source has a special attribute, but since this source doesn't use an interactive flow, it'll stay as is.

The goal is for the admin to be able to configure if and on which criteria a user is created or merged, and if the enduser has a choice.

If the enduser can select between merging and creating a new account, they will have to authenticate their existing account in some form.

Simple LDAP server (possibly with glauth)

Is your feature request related to a problem? Please describe.

LDAP is tricky to set up, and I'd rather my single source of truth be something like this.

Describe the solution you'd like

Embed a glauth configuration generator in authentik, similar to how glauth-ui works. Include glauth examples in the docker compose files.

Describe alternatives you've considered

This is more an ease of use thing, there are definitely alternative solutions but they don't let you mention "LDAP server" in your list of features.

Wrong distinguished name attribute in OpenLDAP

Describe the bug
In OpenLDAP the distinguished name attribute is not distinguishedName but dn. The consequences are that empty groups and users are imported.

To Reproduce
Sync with an OpenLDAP.

Expected behavior
Automatically find the good attribute or throw an error.

Screenshots

Logs

worker_1      | {"app": "authentik", "app_environment": "customer", "event": "To merge new User with existing user, set the User's Attribute 'ldap_uniq' to '95060448-a628-103a-9b54-9f0becc82f14'", "level": "warning", "logger": "authentik.sources.ldap.sync", "pid": 18, "timestamp": 1612431775.4070318}
worker_1      | {"app": "authentik", "app_environment": "customer", "event": "Failed to create user", "exc": "IntegrityError('duplicate key value violates unique constraint \"authentik_core_user_username_key\"\\nDETAIL:  Key (username)=() already exists.\\n')", "level": "warning", "logger": "authentik.sources.ldap.sync", "pid": 18, "timestamp": 1612431775.4130397}

Version and Deployment (please complete the following information):

  • authentik version: 2021.1.4-stable
  • Deployment: docker-compose

Additional context

Can't change password, deny page is presented.

Describe the bug

When changing the password, the error "Pending user has no backend" is shown.

To Reproduce
Steps to reproduce the behavior:

  1. Go to users tab
  2. Click on '..Reset Password..'
  3. Go to the URL and change password
  4. See error

Expected behavior
No deny page must be presented.

Screenshots
image

Logs

Version and Deployment (please complete the following information):

  • authentik version: 2021.4.3
  • Deployment: Docker Compose

Additional context
Maybe additional documentation is required.

Refresh button

Is your feature request related to a problem? Please describe.
No.

Describe the solution you'd like
A refresh button for tables would be nice. For example to refresh the status of outposts, sources, etc.

Describe alternatives you've considered
Hitting F5 like a pleb.

Additional context
N/A.

Group Membership Policy - Alphabetise group dropdown list.

Is your feature request related to a problem? Please describe.
It's hard to navigate a non-alphabetised list when there's a lot of entries.

Describe the solution you'd like
Alphabetise the list.

Describe alternatives you've considered
Paying attention while I scroll through the list like a scrub.

Additional context
image

Ability to disable sentry?

Is your feature request related to a problem? Please describe.
Just as the title says, can we get analytics as an opt-in feature instead of being enabled by default?

This is common for big open-source projects or for the becoming ones.

Unraid Support

Add support for Unraid so it can be installed easily. As an interim, support to install with Docker Hub/docker create.

Failed to fetch configuration: response status code does not match any response statuses defined for this endpoint in the swagger spec (status 401)

Describe the bug

I set up a fresh instance of authentik. After setting up traefik, I wanted to hide the traefik dashboard behind an outpost.

However, when I try to deploy the outpost to my Docker swarm, it crashes on startup with the following error:

time="2021-04-19T16:09:26Z" level=panic msg="Failed to fetch configuration" error="response status code does not match any response statuses defined for this endpoint in the swagger spec (status 401): {}" logger=authentik.outpost.ak-api-controller
panic: (*logrus.Entry) 0xc00010a460

goroutine 1 [running]:
github.com/sirupsen/logrus.(*Entry).log(0xc00010a3f0, 0x0, 0xc0003998a0, 0x1d)
	/go/pkg/mod/github.com/sirupsen/[email protected]/entry.go:259 +0x2e5
github.com/sirupsen/logrus.(*Entry).Log(0xc00010a3f0, 0xc000000000, 0xc00041fc28, 0x1, 0x1)
	/go/pkg/mod/github.com/sirupsen/[email protected]/entry.go:293 +0x86
github.com/sirupsen/logrus.(*Entry).Panic(...)
	/go/pkg/mod/github.com/sirupsen/[email protected]/entry.go:331
goauthentik.io/outpost/pkg/ak.NewAPIController(0xc00004400f, 0x5, 0x0, 0x0, 0x0, 0xc000044017, 0x11, 0xc000044028, 0x1, 0x0, ...)
	/work/pkg/ak/api.go:59 +0x4ae
main.main()
	/work/cmd/proxy/server.go:48 +0x2b8

Version and Deployment (please complete the following information):

  • authentik version: 2021.04.02
  • Deployment: Docker 20.10.06, Swarm Deployment

docker-stack.yml

services:
  # ...
  traefikOutpost:
    image: beryju/authentik-proxy
    ports:
      - 4180:4180
      - 4443:4443
    environment:
      AUTHENTIK_HOST: https://sso.mydomain.com/
      AUTHENTIK_INSECURE: "false" # Let's Encrypt certificate provided
      AUTHENTIK_TOKEN: "TOKEN"
      LOG_LEVEL: debug
    deploy:
      placement:
        constraints:
          - node.labels.hostname == mydomain.com
      labels:
        - traefik.enable=true
        - traefik.http.routers.traefikOutpost.rule=Host(`traefik.mydomain.com`)
        - traefik.http.routers.traefikOutpost.service.loadbalancer.server.port=4180

Support LDAP group referencing users

Is your feature request related to a problem? Please describe.
My current OpenLDAP setup uses the groupOfNames class as a group, which contains a member attribute with a list of DNs referencing users.
In that case, users don't have an attribute referencing groups.

Describe the solution you'd like
It would be nice to have an option to switch between user reference to group reference. The membership field will reference either a user attribute or a group attribute.

Describe alternatives you've considered
Changing my LDAP setup or removing it.

Additional context
This probably adds some complexity to the sync process.

Kubernetes-integrated Outpost

Create an Outpost in a Kubernetes cluster which is managed by passbook (updated, configured, etc). Initially this might only support the Kubernetes cluster passbook is running in, but should in the future support external clusters too.

  • Implement a basic Kubernetes Controller
  • Add a setup flow where the user selects namespace and service that should be used as upstream

Show code for TOTP setup

Is your feature request related to a problem? Please describe.
I'm unable to scan a QR code with my desktop TOTP app, but I can enter a code.

Describe the solution you'd like
After clicking "Enable Time-Based OTP", I would like the raw code to be shown as well as QR code.

Describe alternatives you've considered
None.

Additional context
None.

Proxy provider HTTP-Basic Password not obfuscated

Describe the bug
In the edit page of a proxy provider, the HTTP-Basic password is shown in plaintext.

To Reproduce
Steps to reproduce the behavior:

  1. Create proxy provider with any set of credentials.
  2. Save.
  3. Edit the provider.
  4. See plaintext password.

Expected behavior
This should be obfuscated.

Screenshots
N/A.

Logs
N/A.

Version and Deployment (please complete the following information):

  • passbook version: 0.10.9-stable
  • Deployment: docker-compose

Additional context
N/A.

KeyError: 'Provider Type github (type redirect) not found.'

Sentry Issue: PASSBOOK-4W

KeyError: 'Provider Type github (type redirect) not found.'
(1 additional frame(s) were not displayed)
...
  File "django/core/handlers/base.py", line 115, in _get_response
    response = self.process_exception_by_middleware(e, request)
  File "django/core/handlers/base.py", line 113, in _get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
  File "django/views/generic/base.py", line 71, in view
    return self.dispatch(request, *args, **kwargs)
  File "passbook/sources/oauth/views/dispatcher.py", line 24, in dispatch
    view = MANAGER.find(source, kind=RequestKind(self.kind))
  File "passbook/sources/oauth/types/manager.py", line 57, in find
    raise KeyError(

Load LDAP operational attributes

Is your feature request related to a problem? Please describe.
An issue that I encountered using LDAP is that every attribute may change: uid (username), sn (last name), cn (full name), mail... In order to keep some stability, it might be useful to use the entryUUID as uniqueness field, but operational attributes are not available.

Describe the solution you'd like

  1. Load all attributes during the LDAP search: replace attributes=ldap3.ALL_ATTRIBUTES with attributes=[ALL_ATTRIBUTES, ALL_OPERATIONAL_ATTRIBUTES].
  2. Add the option (a checkbox) to load the operational attributes.

Describe alternatives you've considered
Not using the entryUUID.

Additional context
I'm using OpenLDAP.
I can make a pull request if necessary.

Tautulli SSO

Is your feature request related to a problem? Please describe.
No.

Describe the solution you'd like
The possibility to integrate Tautulli with passbook would be great, whether this is just a matter of documenting it or adding support in passbook.

Describe alternatives you've considered
Logging in manually with a local account like a pleb 👀

Additional context
N/A.

Update docs for flow & stages

Documentation for stages can mostly be updated from Factors. Docs for stages need to be done from scratch.

  • Stage docs
  • Flow docs
  • Flow examples
    • Login
    • Login with 2fa
    • Login with conditional captcha
    • Enrollment
    • Enrollment with E-Mail verification
    • Recovery
    • Recovery with E-Mail verification
    • Unenrollment

Getting Error 500 with clean install

I just installed this but when I want to do the initial setup I get

API request failed

GET /api/v2beta/flows/executor/initial-setup/?query=: 500

Health checks in Traefik are up.

I did notice this in the logs along with a lot of other errors:
2021/04/18 11:16:22 [error] 32#32: *7 open() "/usr/share/nginx/html/favicon.ico" failed (2: No such file or directory), client: 192.168.90.254, server: _, request: "GET /favicon.ico HTTP/1.1", host: "authentik.mydomain.com", referrer: "https://authentik.mydomain.com/"
{"timestamp":"18/Apr/2021:11:16:22 +0000","host":"192.168.90.254","request_username":"","event":"GET /favicon.ico HTTP/1.1","status": "404","size":"186","runtime":"0.000","logger":"nginx","request_useragent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.72 Safari/537.36 Edg/90.0.818.39"}

my config:

  authentik-server:
    image: beryju/authentik
    restart: unless-stopped
    container_name: authentik-server
    command: server
    environment:
      AUTHENTIK_REDIS__HOST: authentik-redis
      AUTHENTIK_POSTGRESQL__HOST: authentik-postgresql
      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
      # AUTHENTIK_ERROR_REPORTING__ENABLED: "true"
      # WORKERS: 2
    volumes:
      - $DOCKERDIR/authentik/server/media:/media
      - $DOCKERDIR/authentik/server/custom-templates:/templates
#      - geoip:/geoip
    networks:
      - t2_proxy
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.authentik.rule=Host(`authentik.mydomain.com`) && PathPrefix(`/`)"
#      - "traefik.http.routers.authentik.middlewares=chain-authelia@file"
      - "traefik.http.routers.authentik.service=authentik-service"
      - "traefik.http.routers.authentik.tls=true"
      - "traefik.http.services.authentik-service.loadbalancer.healthcheck.path=/-/health/live/"
      - "traefik.http.services.authentik-service.loadbalancer.server.port=8000"
#      traefik.docker.network: internal
#      traefik.http.routers.app-router.rule: PathPrefix(`/`)
#      traefik.http.routers.app-router.service: app-service
#      traefik.http.routers.app-router.tls: 'true'
#      traefik.http.services.app-service.loadbalancer.healthcheck.path: /-/health/live/
#      traefik.http.services.app-service.loadbalancer.server.port: '8000'
    env_file:
      - .env
  authentik-worker:
    image: beryju/authentik
    restart: unless-stopped
    container_name: authentik-worker
    command: worker
    networks:
      - t2_proxy
    environment:
      AUTHENTIK_REDIS__HOST: authentik-redis
      AUTHENTIK_POSTGRESQL__HOST: authentik-postgresql
      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
      # AUTHENTIK_ERROR_REPORTING__ENABLED: "true"
    volumes:
      - $DOCKERDIR/authentik/worker/backups:/backups
      - /var/run/docker.sock:/var/run/docker.sock
      - $DOCKERDIR/authentik/worker/custom-templates:/templates
#      - geoip:/geoip
    env_file:
      - .env
  authentik-static:
    image: beryju/authentik-static
    restart: unless-stopped
    container_name: authentik-static
    networks:
      - t2_proxy
    labels:
      - "traefik.enable=true"
#      - "traefik.docker.network=t2_proxy"
#      - "traefik.http.routers.authentik-static.middlewares=chain-authelia@file"
      - "traefik.http.routers.authentik-static.rule=Host(`authentik.mydomain.com`) && PathPrefix(`/static`, `/if`, `/media`, `/robots.txt`, `/favicon.ico`)"
      - "traefik.http.routers.authentik-static.tls=true"
      - "traefik.http.routers.authentik-static.service=static-service"
      - "traefik.http.services.static-service.loadbalancer.healthcheck.path=/"
      - "traefik.http.services.static-service.loadbalancer.healthcheck.interval=30s"
      - "traefik.http.services.static-service.loadbalancer.server.port=80"
    volumes:
      - $DOCKERDIR/authentik/static/media:/usr/share/nginx/html/media

ValueError: None is not instance of PolicyBindingModel

Sentry Issue: AUTHENTIK-CJ

ValueError: None is not instance of PolicyBindingModel
(10 additional frame(s) were not displayed)
...
  File "django/views/generic/base.py", line 98, in dispatch
    return handler(request, *args, **kwargs)
  File "/authentik/sources/oauth/views/callback.py", line 100, in get
    return self.handle_enroll(self.source, connection, info)
  File "/authentik/sources/oauth/views/callback.py", line 237, in handle_enroll
    plan = planner.plan(self.request, context)
  File "/authentik/flows/planner.py", line 125, in plan
    engine = PolicyEngine(self.flow, user, request)
  File "/authentik/policies/engine.py", line 71, in __init__
    raise ValueError(f"{pbm} is not instance of PolicyBindingModel")

IntegrityError: duplicate key value violates unique constraint "passbook_core_user_username_key"

Sentry Issue: PASSBOOK-4E

UniqueViolation: duplicate key value violates unique constraint "passbook_core_user_username_key"
DETAIL:  Key (username)=(pbadmin) already exists.

  File "django/db/backends/utils.py", line 86, in _execute
    return self.cursor.execute(sql, params)

IntegrityError: duplicate key value violates unique constraint "passbook_core_user_username_key"
DETAIL:  Key (username)=(pbadmin) already exists.

(23 additional frame(s) were not displayed)
...
  File "django/db/backends/utils.py", line 68, in execute
    return self._execute_with_wrappers(sql, params, many=False, executor=self._execute)
  File "django/db/backends/utils.py", line 77, in _execute_with_wrappers
    return executor(sql, params, many, context)
  File "django/db/backends/utils.py", line 86, in _execute
    return self.cursor.execute(sql, params)
  File "django/db/utils.py", line 90, in __exit__
    raise dj_exc_value.with_traceback(traceback) from exc_value
  File "django/db/backends/utils.py", line 86, in _execute
    return self.cursor.execute(sql, params)

Alphabetise policy selection dropdowns

Is your feature request related to a problem? Please describe.
Policy selection dropdowns are not alphabetised.

Describe the solution you'd like
It would be great if policy selection dropdowns were alphabetised.

Additional context
See expression and group membership policies for best examples:
image

oauth2/oidc provider: token endpoint + CORS

Describe the bug
The oauth2/oidc provider endpoint /application/o/token/ seems not to provide an Access-Control-Allow-Origin header.
The commit f328b21e897590ae09f5b0487341feb63ac68e5a didn't change anything significant concerning the header. It should have worked already in previous versions, but it didn't, so I assume the line response["Access-Control-Allow-Origin"] = origin doesn't have any effect on the actual response header.

To Reproduce
Steps to reproduce the behavior:

  1. Create an application
  2. Create a oauth2/oidc provider
  3. Add redirect URL for an application on a different domain than the authentik service
  4. Try oidc authentication flow
  5. After being redirected to the application, the token can't be requested over /application/o/token/ -> No 'Access-Control-Allow-Origin' header is present on the requested resource.

Expected behavior
The Access-Control-Allow-Origin header should be available in the response so applications on domains other than authentik's can be authenticated.

Screenshots
/application/o/token header missing -> not working
screen1

other endpoints -> working
screen2

Logs

server_1       | {"event": "/api/v2beta/flows/executor/default-provider-authorization-implicit-consent/?query=client_id%3Dclient-id-removed%26redirect_uri%3Dhttps%253A%252F%252Furl-removed%252Fauthentication%252Flogin-callback%26response_type%3Dcode%26scope%3Dopenid%2Bprofile%2Bopenid%2Bemail%2Bprofile%26state%3Db5d9516b8ec54bbfaa8d42d80f74c356%26code_challenge%3DfgLh0GJUdj_rzt-b61g0-JfwNNKhwoPwy5JdsvIPCdI%26code_challenge_method%3DS256%26response_mode%3Dquery", "host": "172.20.0.16", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 33, "request_id": "194a5b0fb72847d1889eedc2325d6d42", "runtime": 164, "scheme": "http", "size": 1.787, "status": 200, "timestamp": "2021-04-22T20:50:11.905080"}

server_1       | {"event": "/application/o/application-name-changed/.well-known/openid-configuration", "host": "172.20.0.16", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 33, "request_id": "e5cb6bf5b2784151aa4113df2ddb8ea5", "runtime": 1259, "scheme": "http", "size": 0.056, "status": 200, "timestamp": "2021-04-22T20:50:13.813167"}

server_1       | {"event": "/application/o/token/", "host": "172.20.0.16", "level": "info", "logger": "authentik.asgi", "method": "POST", "pid": 33, "request_id": "50472bef52de4190833b38c5395673e4", "runtime": 2489, "scheme": "http", "size": 1.544, "status": 200, "timestamp": "2021-04-22T20:50:15.399354"}

The log doesn't show any problems with the origin as I would expect if there were any.

Version and Deployment (please complete the following information):

  • authentik version: 2021.4.3
  • Deployment: docker-compose (with reverse proxy)

OAuth2 provider redirect URI is case sensitive

Describe the bug
OAuth2 provider redirect URI is case sensitive.

To Reproduce
Steps to reproduce the behavior:

  1. Attempt login to OAuth2 application. Success is assumed.
  2. Capitalise any part of the redirect URI in the OAuth2 provider configuration.
  3. Retry login to the application.
  4. See error.

Expected behavior
Would expect redirect URI to not be case-sensitive.

Screenshots
N/A.

Logs
N/A.

Version and Deployment (please complete the following information):

  • passbook version: 0.10.5
  • Deployment: docker-compose

Additional context
N/A.

Outpost version shows tick when unknown

Describe the bug
The outpost version column shows only a green tick when unknown. Perhaps this could just show "Unknown".

To Reproduce
Steps to reproduce the behavior:

  1. Go to Outposts
  2. Create new outpost.
  3. Do not deploy outpost.
  4. See issue as described.

Expected behavior
I'm not sure exactly how this should show, perhaps as suggested above? Not fussed, it just isn't great in its current state.

As a stretch, it would also be good if it showed the actual version when it is known, rather than simply a tick.

Screenshots
image

Logs
N/A.

Version and Deployment (please complete the following information):

  • passbook version: 0.10.9-stable
  • Deployment: docker-compose

Additional context
N/A.

"passbook" text in header does nothing

Describe the bug
When clicking the large passbook text in header (top, left) nothing happens, despite it appearing to be clickable.

To Reproduce
Steps to reproduce the behavior:

  1. Click "passbook" on the left of the header.
  2. Watch nothing happen.

Expected behavior
I would expect this to either be unclickable or take me to the home page.

Screenshots
N/A.

Logs
N/A.

Version and Deployment (please complete the following information):

  • passbook version: 0.10.9-stable
  • Deployment: docker-compose

Additional context
N/A.

ARM 7/8 support

Would be great for the community if we had ARM builds (both 32 and 64bit)

Nextcloud integration ssl documentation request

Describe the bug
This is not really a bug but more of a documentation detail request.

When following along with the nextcloud integration I ran into an issue where authentik reported an error because a request was made from http -> https. The documentation makes note about requiring ssl to be configured in the nextcloud deployment. While this ended up being a hint that pointed me in the right direction it was challenging to find the solution.

In the official apache based nextcloud docker image from docker hub it has a section about using it behind a reverse proxy. The key to overcome the issue mentioned from http -> https was making use of the OVERWRITEPROTOCOL environment variable on the nextcloud:stable-apache image and setting it to https. From there I was able to successfully integrate nextcloud.

Version and Deployment (please complete the following information):

  • authentik version: beryju/authentik:2021.4.2
  • Deployment: helm

Additional context
Is there a place where pull requests can be made for the project documentation? On initial glance the source for the docs didn't appear to be in this repo.

translations

Make it possible to translate Authentik in other languages. Maybe I can help with the dutch language.

Overview cards link to the relevant views

Is your feature request related to a problem? Please describe.
No.

Describe the solution you'd like
It would be great if the cards in the overview (e.g. policies, users, etc.) would navigate to the relevant view (i.e. policies -> /administration/policies/) when clicked.

Describe alternatives you've considered
None.

Additional context
N/A.

KeyError: 'passbook.core.tasks.clean_tokens'

Sentry Issue: PASSBOOK-57

KeyError: 'passbook.core.tasks.clean_tokens'
  File "celery/worker/consumer/consumer.py", line 562, in on_task_received
    strategy = strategies[type_]

Received unregistered task of type KeyError('passbook.core.tasks.clean_tokens').
The message has been ignored and discarded.

Did you remember to import the module containing this task?
Or maybe you're using relative imports?

Please see
http://docs.celeryq.org/en/latest/internals/protocol.html
for more information.

The full contents of the message body was:
b'[[], {}, {"callbacks": null, "errbacks": null, "chain": null, "chord": null}]' (77b)

Empty modal dialog when creating a new property mapping

Describe the bug
Creating a new property mapping shows an empty modal dialog

To Reproduce
Steps to reproduce the behavior:

  1. Go to 'Property Mappings'
  2. Click on 'Create'
  3. Click on any of the property mapping types
  4. Behold the empty modal dialog

Expected behavior
Some way to actually define the property mapping

Screenshots
empty modal dialog

Logs
Nothing is logged starting from reproduction step 2 and forward

Version and Deployment (please complete the following information):

  • authentik version: 2021.4.1
  • Deployment: docker-compose

Additional context
I followed the installation guide to the letter. Even a clean install didn't resolve it.

Icon upload for applications

Is your feature request related to a problem? Please describe.
Yes, but it isn't passbook's fault.
The icon URL for my vCenter application in passbook points to the favicon of my vCenter, which means the icon doesn't load if the browser doesn't trust vCenter's certificate.

My suggestion would fix this and similar issues, such as icon URLs pointing at external locations not working when the client has local network access but no internet access.

Describe the solution you'd like
I'd like to be able to upload an icon for applications.
I don't want to be able to upload an icon and provide an icon URL, I just want to have the ability to choose between the two.

Describe alternatives you've considered
N/A.

Additional context
N/A.

Usernames are case sensitive

Describe the bug
User names are case sensitive upon login.

To Reproduce
Steps to reproduce the behavior:

  1. Attempt login with normal username. Success is assumed.
  2. Capitalise any part of the username.
  3. Re-attempt login.
  4. See error.

Expected behavior
I would expect usernames to not be case sensitive.

Screenshots
N/A.

Logs
N/A.

Version and Deployment (please complete the following information):

  • passbook version: 0.10.5 👀
  • Deployment: docker-compose

Additional context
N/A.

Support custom URI scheme redirection

Is your feature request related to a problem? Please describe.
Setting a custom redirect URI scheme in the provider's settings throws a DisallowedRedirect exception during authentication with the following message:

"Unsafe redirect to URL with protocol 'com.example.app'"

Describe the solution you'd like
Support Private-Use URI Scheme Redirection that is commonly used by mobile apps.

Describe alternatives you've considered
I haven't, any suggestions?
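The two redirect URI reports above (case-sensitive matching, and the DisallowedRedirect raised for a com.example.app scheme) both come down to how a provider validates redirect_uri. The following is an added example, not authentik's code: a validator that keeps the exact matching RFC 6749 section 3.1.2 requires (lower-casing only scheme and host, which RFC 3986 makes case-insensitive, while path and query stay case-sensitive), accepts reverse-domain private-use schemes as RFC 8252 describes, and rejects fragments and non-loopback plain HTTP. The registered URI list is constructed sample data.

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample: redirect URIs an admin registered for one OAuth2 provider.
REGISTERED_REDIRECT_URIS = [
    "https://app.example.com/oauth/callback",  # browser-based web application
    "com.example.app:/oauth2redirect",         # native app, private-use scheme
    "http://127.0.0.1:8000/callback",          # local development client (loopback)
]

# The only hosts for which plain http:// is acceptable (RFC 8252 section 7.3).
LOOPBACK_HOSTS = {"127.0.0.1", "::1", "localhost"}


def is_private_use_scheme(scheme: str) -> bool:
    """True for a reverse-domain-name scheme such as com.example.app
    (RFC 8252 section 7.1): at least two labels of hostname characters."""
    labels = scheme.split(".")
    if len(labels) < 2:
        return False
    return all(
        label and all(c.isalnum() or c == "-" for c in label) for label in labels
    )


def canonicalize(uri: str) -> Optional[Tuple[str, str, Optional[int], str, str]]:
    """Return (scheme, host, port, path, query) for an acceptable redirect URI,
    or None when the URI must be rejected.

    Only scheme and host are lower-cased (RFC 3986 treats them
    case-insensitively); path and query are kept byte for byte, so the final
    comparison is still the exact match RFC 6749 section 3.1.2 calls for."""
    try:
        parts = urlsplit(uri)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    if not scheme or parts.fragment:
        # Must be absolute, and a redirect URI must not carry a fragment.
        return None
    host = (parts.hostname or "").lower()
    if scheme == "https":
        if not host:
            return None
    elif scheme == "http":
        if host not in LOOPBACK_HOSTS:
            return None
    elif not is_private_use_scheme(scheme):
        # file:, data:, and other schemes are never valid redirect targets.
        return None
    return (scheme, host, port, parts.path, parts.query)


def redirect_uri_allowed(requested: str, registered) -> bool:
    """Exact-match check of the requested redirect_uri against the registered set."""
    wanted = canonicalize(requested)
    if wanted is None:
        return False
    return any(canonicalize(r) == wanted for r in registered)


if __name__ == "__main__":
    for uri in ("https://APP.Example.com/oauth/callback",
                "https://app.example.com/OAuth/Callback",
                "COM.Example.App:/oauth2redirect"):
        print(uri, "->", redirect_uri_allowed(uri, REGISTERED_REDIRECT_URIS))
```

With these rules a host written in a different case still matches, while a path written in a different case is a different URI and is refused, which is the behaviour the OAuth specifications expect.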

Provide documentation to integrate Traefik with non-OAuth/SAML2-like services.

Is your feature request related to a problem? Please describe.
no

Describe the solution you'd like
Provide docs to integrate Authentik with traefik behind non-oauth/saml services.

Describe alternatives you've considered
The only doc I can find is Nginx; traefik is not available.

Additional context

See here for reference. Authelia is an example for this.

Backup/Restore Functionality

Is your feature request related to a problem? Please describe.
No.

Describe the solution you'd like
It'd be great if there were a backup/restore function in passbook. For instance a section of the web interface which can generate a ZIP of the configuration to be downloaded. Support for uploading backups for restore would also be useful.
The sort of functionality I have in mind is already present in Sonarr/Radarr/Lidarr, so perhaps it could be modelled on that?

As a stretch, scheduled backups would also be great, à la Sonarr/Radarr/Lidarr.

Describe alternatives you've considered
Backing up the volume like a pleb.

Additional context
N/A.

Postgres Password Incorrect when deploying via Helm

Describe the bug
When deploying Authentik via Helm onto a Kubernetes cluster, the authentic-web deployment fails to provision as it cannot connect to the Postgresql server. When reviewing the logs, it appears it's attempting to use an incorrect password.

To Reproduce
Steps to reproduce the behavior:

  1. Deploy Authentik to Kubernetes via Cluster with no values.yaml

Expected behavior
Authentik to deploy.

Screenshots

Logs

2021-04-16 20:51:40.437 GMT [1347] FATAL:  password authentication failed for user "postgres"
2021-04-16 20:51:40.437 GMT [1347] DETAIL:  Password does not match for user "postgres".
	Connection matched pg_hba.conf line 1: "host     all             all             0.0.0.0/0               md5"

Version and Deployment (please complete the following information):
Helm Chart Version: authentik:2021.4.1

Additional context
Add any other context about the problem here.

ValueError: Cannot query "AnonymousUser": Must be "Group" instance.

Sentry Issue: PASSBOOK-4Z

ValueError: Cannot query "AnonymousUser": Must be "Group" instance.
(20 additional frame(s) were not displayed)
...
  File "django/db/models/sql/query.py", line 1354, in add_q
    clause, _ = self._add_q(q_object, self.used_aliases)
  File "django/db/models/sql/query.py", line 1381, in _add_q
    child_clause, needed_inner = self.build_filter(
  File "django/db/models/sql/query.py", line 1288, in build_filter
    self.check_related_objects(join_info.final_field, value, join_info.opts)
  File "django/db/models/sql/query.py", line 1123, in check_related_objects
    self.check_query_object_type(value, opts, field)
  File "django/db/models/sql/query.py", line 1104, in check_query_object_type
    raise ValueError(

Kubernetes Helm chart fails without additional undocumented steps

Describe the bug

A clear and concise description of what the bug is.

When following the instructions for the Kubernetes deployment via Helm chart against my k3s homelab, I've run into a few issues. The first is that the helm install authentik/authentik --devel -f values.yaml command failed for me without the addition of --generate-name at the end.

The second issue I ran into was that the Helm chart seems to assume that Prometheus is installed. It failed for me with the following error: Error: unable to build kubernetes objects from release manifest: [unable to recognize "": no matches for kind "PrometheusRule" in version "monitoring.coreos.com/v1", unable to recognize "": no matches for kind "ServiceMonitor" in version "monitoring.coreos.com/v1"].

I was able to overcome the no matches for kind "PrometheusRule" error by installing Prometheus via the following Helm commands:

helm repo add bitnami https://charts.bitnami.com/bitnami
helm install my-prom-release bitnami/prometheus-operator

Additionally, I'm seeing the following warning on both my static and web pods: error while running "VolumeBinding" prebind plugin for pod "authentik-1618536529-static-7bbb74bcd7-fs754": Failed to bind volumes: timed out waiting for the condition. I'm hoping this is just related to my cluster and will try restarting the pods to see if that gets things going.

To Reproduce

Steps to reproduce the behavior:
I followed the steps as they're written in https://goauthentik.io/docs/installation/kubernetes

Expected behavior

A clear and concise description of what you expected to happen.

I'd like to see these details either handled by the helm chart if that's appropriate, or documented as requirements.

Logs

Output of docker-compose logs or kubectl logs respectively

Logs were mentioned in the section at the top.

Version and Deployment (please complete the following information):

  • authentik version: 2021.4.1
  • Deployment: helm against k3s cluster

Additional context

Other than this, I just wanted to mention how excited I am about this project. I believe this project fills a major hole in the self-hosted community. Keep up the awesome work; I'm looking forward to seeing how the project develops!

Add __slots__ to all classes

Is your feature request related to a problem? Please describe.
High memory usage

Describe the solution you'd like
Add the special __slots__ class variable to all or most classes.

Describe alternatives you've considered
Using an alternative Python interpreter such as PyPy can also reduce memory usage as PyPy does some optimisations like this already. However, PyPy lacks some features of CPython (especially the C API).

Additional context
If you're not familiar with __slots__, see here.

I'm working on a PR already, but I thought I'd create an issue first to track progress.

Flows

Flows depict which Factors are used in which order to Authenticate/Enrol/Recover the user account.

Search fields for users, groups, and more

Is your feature request related to a problem? Please describe.
With no way to search, it can take longer than necessary to find users, groups, property mappings, and anything else with multi-page lists.

Describe the solution you'd like
A search field for users, groups, property mappings, flows, stages, and any other list which is likely to exceed a single page.

Describe alternatives you've considered
Paging through the list and searching with my eyes like a pleb.

Additional context
N/A.
