Skip to content

core: separate applications API #18136

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
BeryJu wants to merge 1 commit into
base: main
Choose a base branch
from
Open

core: separate applications API #18136

BeryJu wants to merge 1 commit into from
+64 −32

Conversation

@BeryJu
Copy link
Member

@BeryJu BeryJu commented Nov 13, 2025

this separates the concept of "RBAC accessible application" and "Policy-accessible application"

I dont remember what issue this was but we chatted about this at some point @dominic-r

@BeryJu
core: separate applications API
6ce3dd7 
this separates the concept of "RBAC accessible application" and "Policy-accessible application"

Signed-off-by: Jens Langhammer <[email protected]>
@BeryJu BeryJu requested review from a team as code owners November 13, 2025 21:11
@BeryJu BeryJu requested a review from gergosimonyi November 13, 2025 21:11
@BeryJu BeryJu added this to the Release 2025.12 milestone Nov 13, 2025
@netlify
Copy link

netlify bot commented Nov 13, 2025
edited
Loading

Deploy Preview for authentik-storybook ready!

Name Link
🔨 Latest commit 6ce3dd7
🔍 Latest deploy log https://app.netlify.com/projects/authentik-storybook/deploys/691649841d2d7a00081cfc25
😎 Deploy Preview https://deploy-preview-18136--authentik-storybook.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

@netlify
Copy link

netlify bot commented Nov 13, 2025
edited
Loading

Deploy Preview for authentik-docs ready!

Name Link
🔨 Latest commit 6ce3dd7
🔍 Latest deploy log https://app.netlify.com/projects/authentik-docs/deploys/691649841d2d7a00081cfc29
😎 Deploy Preview https://deploy-preview-18136--authentik-docs.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

@netlify
Copy link

netlify bot commented Nov 13, 2025
edited
Loading

Deploy Preview for authentik-integrations canceled.

Name Link
🔨 Latest commit 6ce3dd7
🔍 Latest deploy log https://app.netlify.com/projects/authentik-integrations/deploys/69164984e9d41a0008579c33

@codecov
Copy link

codecov bot commented Nov 13, 2025
edited
Loading

❌ 1 Tests Failed:

Tests completed Failed Passed Skipped
2201 1 2200 2
View the top 1 failed test(s) by shortest run time 
authentik.core.tests.test_applications_api.TestApplicationsAPI::test_list
Stack Traces | 1.75s run time 
self = <unittest.case._Outcome object at 0x7f5b5a57fad0>
test_case = <authentik.core.tests.test_applications_api.TestApplicationsAPI testMethod=test_list>
subTest = False

    @contextlib.contextmanager
    def testPartExecutor(self, test_case, subTest=False):
        old_success = self.success
        self.success = True
        try:
>           yield

.../hostedtoolcache/Python/3.13.9................../x64/lib/python3.13/unittest/case.py:58: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

self = <authentik.core.tests.test_applications_api.TestApplicationsAPI testMethod=test_list>
result = <TestCaseFunction test_list>

    def run(self, result=None):
        if result is None:
            result = self.defaultTestResult()
            startTestRun = getattr(result, 'startTestRun', None)
            stopTestRun = getattr(result, 'stopTestRun', None)
            if startTestRun is not None:
                startTestRun()
        else:
            stopTestRun = None
    
        result.startTest(self)
        try:
            testMethod = getattr(self, self._testMethodName)
            if (getattr(self.__class__, "__unittest_skip__", False) or
                getattr(testMethod, "__unittest_skip__", False)):
                # If the class or method was skipped.
                skip_why = (getattr(self.__class__, '__unittest_skip_why__', '')
                            or getattr(testMethod, '__unittest_skip_why__', ''))
                _addSkip(result, self, skip_why)
                return result
    
            expecting_failure = (
                getattr(self, "__unittest_expecting_failure__", False) or
                getattr(testMethod, "__unittest_expecting_failure__", False)
            )
            outcome = _Outcome(result)
            start_time = time.perf_counter()
            try:
                self._outcome = outcome
    
                with outcome.testPartExecutor(self):
                    self._callSetUp()
                if outcome.success:
                    outcome.expecting_failure = expecting_failure
                    with outcome.testPartExecutor(self):
>                       self._callTestMethod(testMethod)

.../hostedtoolcache/Python/3.13.9................../x64/lib/python3.13/unittest/case.py:651: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

self = <authentik.core.tests.test_applications_api.TestApplicationsAPI testMethod=test_list>
method = <bound method TestApplicationsAPI.test_list of <authentik.core.tests.test_applications_api.TestApplicationsAPI testMethod=test_list>>

    def _callTestMethod(self, method):
>       if method() is not None:

.../hostedtoolcache/Python/3.13.9................../x64/lib/python3.13/unittest/case.py:606: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

self = <authentik.core.tests.test_applications_api.TestApplicationsAPI testMethod=test_list>

    def test_list(self):
        """Test list operation without superuser_full_list"""
        self.client.force_login(self.user)
        response = self.client.get(reverse("authentik_api:application-list"))
>       self.assertJSONEqual(
            response.content.decode(),
            {
                "autocomplete": {},
                "pagination": {
                    "next": 0,
                    "previous": 0,
                    "count": 2,
                    "current": 1,
                    "total_pages": 1,
                    "start_index": 1,
                    "end_index": 2,
                },
                "results": [
                    {
                        "pk": str(self.allowed.pk),
                        "name": "allowed",
                        "slug": "allowed",
                        "group": "",
                        "provider": self.provider.pk,
                        "provider_obj": {
                            "assigned_application_name": "allowed",
                            "assigned_application_slug": "allowed",
                            "authentication_flow": None,
                            "invalidation_flow": None,
                            "authorization_flow": str(self.provider.authorization_flow.pk),
                            "component": "ak-provider-oauth2-form",
                            "meta_model_name": "authentik_providers_oauth2.oauth2provider",
                            "name": self.provider.name,
                            "pk": self.provider.pk,
                            "property_mappings": [],
                            "verbose_name": "OAuth2/OpenID Provider",
                            "verbose_name_plural": "OAuth2/OpenID Providers",
                        },
                        "backchannel_providers": [],
                        "backchannel_providers_obj": [],
                        "launch_url": f"https://goauthentik.io/{self.user.username}",
                        "meta_launch_url": "https://goauthentik.io/%(username)s",
                        "open_in_new_tab": True,
                        "meta_icon": None,
                        "meta_description": "",
                        "meta_publisher": "",
                        "policy_engine_mode": "any",
                    },
                ],
            },
        )

.../core/tests/test_applications_api.py:174: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

self = <authentik.core.tests.test_applications_api.TestApplicationsAPI testMethod=test_list>
raw = '{"pagination":{"next":0,"previous":0,"count":2,"current":1,"total_pages":1,"start_index":1,"end_index":2},"results":[...,"meta_icon":null,"meta_description":"","meta_publisher":"","policy_engine_mode":"any","group":""}],"autocomplete":{}}'
expected_data = {'autocomplete': {}, 'pagination': {'count': 2, 'current': 1, 'end_index': 2, 'next': 0, ...}, 'results': [{'backchann...: [], 'backchannel_providers_obj': [], 'group': '', 'launch_url': 'https://goauthentik.io/0cJVgBWN211Ia2Myl81G', ...}]}
msg = None

    def assertJSONEqual(self, raw, expected_data, msg=None):
        """
        Assert that the JSON fragments raw and expected_data are equal.
        Usual JSON non-significant whitespace rules apply as the heavyweight
        is delegated to the json library.
        """
        try:
            data = json.loads(raw)
        except json.JSONDecodeError:
            self.fail("First argument is not valid JSON: %r" % raw)
        if isinstance(expected_data, str):
            try:
                expected_data = json.loads(expected_data)
            except ValueError:
                self.fail("Second argument is not valid JSON: %r" % expected_data)
>       self.assertEqual(data, expected_data, msg=msg)

.venv/lib/python3.13.../django/test/testcases.py:1032: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

self = <authentik.core.tests.test_applications_api.TestApplicationsAPI testMethod=test_list>
first = {'autocomplete': {}, 'pagination': {'count': 2, 'current': 1, 'end_index': 2, 'next': 0, ...}, 'results': [{'backchann...a2Myl81G', ...}, {'backchannel_providers': [], 'backchannel_providers_obj': [], 'group': '', 'launch_url': None, ...}]}
second = {'autocomplete': {}, 'pagination': {'count': 2, 'current': 1, 'end_index': 2, 'next': 0, ...}, 'results': [{'backchann...: [], 'backchannel_providers_obj': [], 'group': '', 'launch_url': 'https://goauthentik.io/0cJVgBWN211Ia2Myl81G', ...}]}
msg = None

    def assertEqual(self, first, second, msg=None):
        """Fail if the two objects are unequal as determined by the '=='
           operator.
        """
        assertion_func = self._getAssertEqualityFunc(first, second)
>       assertion_func(first, second, msg=msg)

.../hostedtoolcache/Python/3.13.9................../x64/lib/python3.13/unittest/case.py:907: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

self = <authentik.core.tests.test_applications_api.TestApplicationsAPI testMethod=test_list>
d1 = {'autocomplete': {}, 'pagination': {'count': 2, 'current': 1, 'end_index': 2, 'next': 0, ...}, 'results': [{'backchann...a2Myl81G', ...}, {'backchannel_providers': [], 'backchannel_providers_obj': [], 'group': '', 'launch_url': None, ...}]}
d2 = {'autocomplete': {}, 'pagination': {'count': 2, 'current': 1, 'end_index': 2, 'next': 0, ...}, 'results': [{'backchann...: [], 'backchannel_providers_obj': [], 'group': '', 'launch_url': 'https://goauthentik.io/0cJVgBWN211Ia2Myl81G', ...}]}
msg = None

    def assertDictEqual(self, d1, d2, msg=None):
        self.assertIsInstance(d1, dict, 'First argument is not a dictionary')
        self.assertIsInstance(d2, dict, 'Second argument is not a dictionary')
    
        if d1 != d2:
            standardMsg = '%s != %s' % _common_shorten_repr(d1, d2)
            diff = ('\n' + '\n'.join(difflib.ndiff(
                           pprint.pformat(d1).splitlines(),
                           pprint.pformat(d2).splitlines())))
            standardMsg = self._truncateMessage(standardMsg, diff)
>           self.fail(self._formatMessage(msg, standardMsg))

.../hostedtoolcache/Python/3.13.9................../x64/lib/python3.13/unittest/case.py:1206: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

self = <authentik.core.tests.test_applications_api.TestApplicationsAPI testMethod=test_list>
msg = "{'pagination': {'next': 0, 'previous': 0, '[1343 chars]: {}} != {'autocomplete': {}, 'pagination': {'next':[981 chars... 'any',\n-               'provider': None,\n-               'provider_obj': None,\n-               'slug': 'denied'}]}"

    def fail(self, msg=None):
        """Fail immediately, with the given message."""
>       raise self.failureException(msg)
E       AssertionError: {'pagination': {'next': 0, 'previous': 0, '[1343 chars]: {}} != {'autocomplete': {}, 'pagination': {'next':[981 chars]y'}]}
E         {'autocomplete': {},
E          'pagination': {'count': 2,
E                         'current': 1,
E                         'end_index': 2,
E                         'next': 0,
E                         'previous': 0,
E                         'start_index': 1,
E                         'total_pages': 1},
E          'results': [{'backchannel_providers': [],
E                       'backchannel_providers_obj': [],
E                       'group': '',
E                       'launch_url': 'https://goauthentik.io/0cJVgBWN211Ia2Myl81G',
E                       'meta_description': '',
E                       'meta_icon': None,
E                       'meta_launch_url': 'https://goauthentik.io/%(username)s',
E                       'meta_publisher': '',
E                       'name': 'allowed',
E                       'open_in_new_tab': True,
E                       'pk': '93ff05b3-5395-4b14-8646-17e66069a30c',
E                       'policy_engine_mode': 'any',
E                       'provider': 5,
E                       'provider_obj': {'assigned_application_name': 'allowed',
E                                        'assigned_application_slug': 'allowed',
E                                        'authentication_flow': None,
E                                        'authorization_flow': 'c96a061e-7551-4c78-bf16-d96e15cd6a11',
E                                        'component': 'ak-provider-oauth2-form',
E                                        'invalidation_flow': None,
E                                        'meta_model_name': 'authentik_providers_oauth2.oauth2provider',
E                                        'name': 'test',
E                                        'pk': 5,
E                                        'property_mappings': [],
E                                        'verbose_name': 'OAuth2/OpenID Provider',
E                                        'verbose_name_plural': 'OAuth2/OpenID '
E                                                               'Providers'},
E       -               'slug': 'allowed'},
E       ?                                 ^
E       
E       +               'slug': 'allowed'}]}
E       ?                                 ^^
E       
E       -              {'backchannel_providers': [],
E       -               'backchannel_providers_obj': [],
E       -               'group': '',
E       -               'launch_url': None,
E       -               'meta_description': '',
E       -               'meta_icon': None,
E       -               'meta_launch_url': '',
E       -               'meta_publisher': '',
E       -               'name': 'denied',
E       -               'open_in_new_tab': False,
E       -               'pk': 'd11a113d-6a55-48e0-847f-737ca5d70427',
E       -               'policy_engine_mode': 'any',
E       -               'provider': None,
E       -               'provider_obj': None,
E       -               'slug': 'denied'}]}

.../hostedtoolcache/Python/3.13.9................../x64/lib/python3.13/unittest/case.py:732: AssertionError

To view more test analytics, go to the Test Analytics Dashboard
📋 Got 3 mins? Take this short survey to help us improve Test Analytics.

@dominic-r
Copy link
Member

dominic-r commented Nov 13, 2025

Desired implementation discussed in https://authentiksecurity.slack.com/archives/C08ABMS9TRP/p1759335136241499 with issue in: #17064

@BeryJu BeryJu self-assigned this Nov 27, 2025
rissson
rissson requested changes Dec 5, 2025
View reviewed changes
Copy link
Member

@rissson rissson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should include the optimizations from #18330

@github-project-automation github-project-automation bot moved this from Todo to In Progress in authentik Core Dec 5, 2025
dominic-r

This comment was marked as outdated.

Sign in to view

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@rissson rissson rissson requested changes

@dominic-r dominic-r dominic-r approved these changes

@kensternberg-authentik kensternberg-authentik Awaiting requested review from kensternberg-authentik kensternberg-authentik is a code owner automatically assigned from goauthentik/frontend

@gergosimonyi gergosimonyi Awaiting requested review from gergosimonyi gergosimonyi is a code owner automatically assigned from goauthentik/backend

Requested changes must be addressed to merge this pull request.

Assignees

@BeryJu BeryJu

Labels

None yet

Projects

authentik Core
Status: In Progress

Milestone

Release 2025.12

Development

Successfully merging this pull request may close these issues.

4 participants

@BeryJu @dominic-r @rissson