providers/oauth2: fix amr claim not set due to login event not associated

[BeryJu]

Details

The amr claim (authentication methods) relies to looking up the login event from the session where we store which methods the user used. However for OAuth since requests are sent server-to-server, the session for that request does not have a login_event saved in the session and as such cannot look up the methods used.

This changes OAuth Tokens (Access/Refresh/Device) and Codes to have a reference to the AuthenticatedSession (we previously just kept a hashed version of the session key) so we can use the data from that session.

---

Checklist

• Local tests pass (ak test authentik/)
• The code has been formatted (make lint-fix)

If an API change has been made

• The API schema has been updated (make gen-build)

If changes to the frontend have been made

• The code has been formatted (make web)

If applicable

• The documentation has been updated
• The documentation has been formatted (make website)

[netlify]

✅ Deploy Preview for authentik-storybook canceled.

Name	Link
🔨 Latest commit	0ddbc9f
🔍 Latest deploy log	https://app.netlify.com/sites/authentik-storybook/deploys/671933b4143d64000801dd33

[netlify]

✅ Deploy Preview for authentik-docs canceled.

Name	Link
🔨 Latest commit	0ddbc9f
🔍 Latest deploy log	https://app.netlify.com/sites/authentik-docs/deploys/671933b48c8e0a000839df93

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 92.55%. Comparing base (d3ebfca) to head (0ddbc9f).
Report is 5 commits behind head on main.

✅ All tests successful. No failed tests found.

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #11780      +/-   ##
==========================================
- Coverage   92.69%   92.55%   -0.14%     
==========================================
  Files         745      760      +15     
  Lines       37003    37731     +728     
==========================================
+ Hits        34299    34922     +623     
- Misses       2704     2809     +105     

Flag	Coverage Δ
e2e	49.17% <93.54%> (-0.17%)	⬇️
integration	24.94% <41.93%> (-0.07%)	⬇️
unit	90.13% <100.00%> (-0.10%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[github-actions]

authentik PR Installation instructions

Instructions for docker-compose

Add the following block to your .env file:

AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
AUTHENTIK_TAG=gh-0ddbc9f58cc8921109f0a89d9fa99f37188b79d0
AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s

For arm64, use these values:

AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
AUTHENTIK_TAG=gh-0ddbc9f58cc8921109f0a89d9fa99f37188b79d0-arm64
AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s

Afterwards, run the upgrade commands from the latest release notes.

Instructions for Kubernetes

Add the following block to your values.yml file:

authentik:
    outposts:
        container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
global:
    image:
        repository: ghcr.io/goauthentik/dev-server
        tag: gh-0ddbc9f58cc8921109f0a89d9fa99f37188b79d0

For arm64, use these values:

authentik:
    outposts:
        container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
global:
    image:
        repository: ghcr.io/goauthentik/dev-server
        tag: gh-0ddbc9f58cc8921109f0a89d9fa99f37188b79d0-arm64

Afterwards, run the upgrade commands from the latest release notes.