providers/proxy: rework redirect mechanism #8594

Merged: 9 commits merged into main from providers/proxy/rework-proxy-redirect on May 6, 2024

Conversation

BeryJu (Member) commented Feb 20, 2024

closes #6886
closes #5603

Instead of relying on ?rd= being set and carried forward (which doesn't happen due to OAuth redirect URLs) and using oauth_redirect in the session (which can be overwritten by parallel requests and mainly leads to #6886), this PR changes the logic to encode the redirect URL (after being validated) into the state param (turning the state param into a signed JWT which also contains the random secret), and then uses the same state when returning to redirect the user in the end.


Checklist

  • Local tests pass (ak test authentik/)
  • The code has been formatted (make lint-fix)

If an API change has been made

  • The API schema has been updated (make gen-build)

If changes to the frontend have been made

  • The code has been formatted (make web)

If applicable

  • The documentation has been updated
  • The documentation has been formatted (make website)
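The mechanism the PR body describes (a validated redirect URL and a random secret carried inside a signed state, then read back from that same state on the callback) as an added illustrative example. This is not authentik's or the outpost's own code: the claim names (`nonce`, `rd`, `exp`), the HS256 compact-JWT layout built from the Go standard library, the host-allowlist validation policy, and the key and hostnames are all assumptions of this example. The loop in `main` shows why the per-state design fixes the parallel-request problem: two logins started at the same time each carry their own redirect, so neither can overwrite the other the way a single session value could.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
	"time"
)

// stateClaims is the payload carried inside the OAuth state parameter.
// Field names are this example's own; authentik's real claim set may differ.
type stateClaims struct {
	Nonce    string `json:"nonce"` // per-login random secret, formerly kept in the session
	Redirect string `json:"rd"`    // validated post-login target, formerly ?rd= / session oauth_redirect
	Exp      int64  `json:"exp"`   // unix expiry so a captured state cannot be replayed indefinitely
}

// stateSigner mints and verifies HS256 compact JWTs using only the standard library.
type stateSigner struct{ key []byte }

const jwtHeader = `{"alg":"HS256","typ":"JWT"}`

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

func (s stateSigner) mac(signingInput string) string {
	h := hmac.New(sha256.New, s.key)
	h.Write([]byte(signingInput))
	return b64(h.Sum(nil))
}

// validateRedirect is the "after being validated" step: accept only an absolute
// path or an https URL on the protected application's own host (assumed policy),
// so the redirect carried in the state cannot be turned into an open redirect.
func validateRedirect(raw, allowedHost string) (string, error) {
	if raw == "" {
		return "/", nil
	}
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	if u.Scheme == "" && u.Host == "" { // relative target; "//host" parses with a Host and lands below
		if !strings.HasPrefix(u.Path, "/") || strings.Contains(u.Path, `\`) {
			return "", errors.New("redirect must be an absolute path")
		}
		return u.String(), nil
	}
	if u.Scheme != "https" || !strings.EqualFold(u.Host, allowedHost) {
		return "", fmt.Errorf("redirect host %q not allowed", u.Host)
	}
	return u.String(), nil
}

// NewState encodes a fresh nonce and the validated redirect into a signed state.
func (s stateSigner) NewState(redirect string, ttl time.Duration, now time.Time) (string, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	payload, err := json.Marshal(stateClaims{Nonce: b64(nonce), Redirect: redirect, Exp: now.Add(ttl).Unix()})
	if err != nil {
		return "", err
	}
	signingInput := b64([]byte(jwtHeader)) + "." + b64(payload)
	return signingInput + "." + s.mac(signingInput), nil
}

// ParseState verifies the state the IdP echoed back and yields the claims,
// so the callback handler needs no session lookup to find the redirect.
func (s stateSigner) ParseState(token string, now time.Time) (*stateClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed state")
	}
	// Pin the algorithm: only our exact HS256 header is accepted (no alg=none tricks).
	if hdr, err := base64.RawURLEncoding.DecodeString(parts[0]); err != nil || string(hdr) != jwtHeader {
		return nil, errors.New("unexpected JWT header")
	}
	if subtle.ConstantTimeCompare([]byte(s.mac(parts[0]+"."+parts[1])), []byte(parts[2])) != 1 {
		return nil, errors.New("state signature mismatch")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c stateClaims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	if now.Unix() > c.Exp {
		return nil, errors.New("state expired")
	}
	return &c, nil
}

func main() {
	// Two logins started in parallel from one browser: each state carries its own
	// redirect, so neither request can clobber the other's target.
	s := stateSigner{key: []byte("replace-with-outpost-secret")} // assumed key
	now := time.Now()
	for _, target := range []string{"/app/dashboard", "/app/settings?tab=2"} {
		rd, _ := validateRedirect(target, "app.example.com")
		state, _ := s.NewState(rd, 10*time.Minute, now)
		claims, err := s.ParseState(state, now)
		fmt.Println(claims.Redirect, err)
	}
}
```

The nonce still has to be bound to the browser that started the login (the real implementation keeps a copy for comparison); what moves out of the session is the redirect target, which is the value that parallel requests used to overwrite.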

@BeryJu BeryJu requested a review from a team as a code owner February 20, 2024 11:47

netlify bot commented Feb 20, 2024

Deploy Preview for authentik-storybook canceled.
Latest commit: ba1c6e3
Latest deploy log: https://app.netlify.com/sites/authentik-storybook/deploys/662f649ab18e420008402ee4

@BeryJu BeryJu force-pushed the providers/proxy/rework-proxy-redirect branch from c010c2e to ddaa975 Compare February 20, 2024 11:53

github-actions bot commented Feb 20, 2024

authentik PR Installation instructions

Instructions for docker-compose

Add the following block to your .env file:

AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
AUTHENTIK_TAG=gh-ghcr.io/goauthentik/dev-server:gh-ba1c6e34ae5ff93bf45adea50c4e1dfdfb74e75a
AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s

For arm64, use these values:

AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
AUTHENTIK_TAG=gh-ghcr.io/goauthentik/dev-server:gh-ba1c6e34ae5ff93bf45adea50c4e1dfdfb74e75a-arm64
AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s

Afterwards, run the upgrade commands from the latest release notes.

Instructions for Kubernetes

Add the following block to your values.yml file:

authentik:
    outposts:
        container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
image:
    repository: ghcr.io/goauthentik/dev-server
    tag: gh-ghcr.io/goauthentik/dev-server:gh-ba1c6e34ae5ff93bf45adea50c4e1dfdfb74e75a

For arm64, use these values:

authentik:
    outposts:
        container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
image:
    repository: ghcr.io/goauthentik/dev-server
    tag: gh-ghcr.io/goauthentik/dev-server:gh-ba1c6e34ae5ff93bf45adea50c4e1dfdfb74e75a-arm64

Afterwards, run the upgrade commands from the latest release notes.


netlify bot commented Feb 21, 2024

Deploy Preview for authentik-docs canceled.
Latest commit: ba1c6e3
Latest deploy log: https://app.netlify.com/sites/authentik-docs/deploys/662f649a5cc7a1000807b654

@BeryJu BeryJu force-pushed the providers/proxy/rework-proxy-redirect branch from a5fad3d to 6e19669 Compare February 21, 2024 19:05

hdlineage commented Mar 20, 2024

Will this patch be included in the next release? @BeryJu

@BeryJu BeryJu force-pushed the providers/proxy/rework-proxy-redirect branch from 44f437e to d6af62a Compare April 28, 2024 20:00

codecov bot commented Apr 28, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 92.43%. Comparing base (e716e24) to head (ba1c6e3).
Report is 8 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #8594      +/-   ##
==========================================
- Coverage   92.45%   92.43%   -0.03%     
==========================================
  Files         669      669              
  Lines       32695    32695              
==========================================
- Hits        30228    30220       -8     
- Misses       2467     2475       +8     
Flag Coverage Δ
e2e 50.61% <ø> (-0.03%) ⬇️
integration 26.00% <ø> (ø)
unit 89.72% <ø> (ø)


BeryJu added a commit to BeryJu/k8s that referenced this pull request Apr 28, 2024
@BeryJu BeryJu requested a review from a team as a code owner April 28, 2024 22:27
@BeryJu BeryJu merged commit c45bb8e into main May 6, 2024
68 checks passed
@BeryJu BeryJu deleted the providers/proxy/rework-proxy-redirect branch May 6, 2024 01:07
BeryJu (Member, Author) commented May 6, 2024

As there hasn't been enough testing with this for all the possible setup options (we've tested it with proxy (single) and forward auth with nginx and envoy), we won't be including this in the next 2024.4 bugfix release. However, in this case it should be possible to use the beta outpost image with the 2024.4 release to test this change.

Linked issues that merging this pull request may close:

  • Proxy provider random incorrect redirects
  • Proxy provider incorrect redirect behaviour