LDAP sync forward deletions crashes if SCIM backchannel provider is active #15652
Description
Describe the bug
In Authentik 2025.6, the new feature LDAP source sync forward deletions fails when used in environments where a SCIM provider is attached as a backchannel to an application. When a user is deleted from the LDAP source, the LDAP synchronization task triggers SCIM propagation, and an exception is raised. As a result, the user is not deleted from Authentik.
Detaching all SCIM providers from applications prevents the crash and allows users to be deleted automatically when they no longer exist on the LDAP source. However, SCIM propagation to the downstream applications no longer occurs.
To Reproduce
Steps to reproduce the behavior:
- Create an LDAP source under
Directory > Federation. - Enable both
Sync UsersandDelete Not Found Objectssettings. - Create an application and attach an SCIM provider as backchannel.
- Remove one of the users from the external LDAP directory.
- Trigger LDAP source synchronization.
Expected behavior
The user should be deleted from Authentik and the deletion should be propagated through the SCIM provider to the connected applications (in my case, AWS), without causing the Celery task to fail.
Logs
{
"action": "system_task_exception",
"client_ip": null,
"context": {
"message": "Task ldap_sync encountered an error: Traceback (most recent call last):\n File \"/ak-root/.venv/lib/python3.13/site-packages/celery/app/trace.py\", line 453, in trace_task\n R = retval = fun(*args, **kwargs)\n ~~~^^^^^^^^^^^^^^^^^\n File \"/ak-root/.venv/lib/python3.13/site-packages/celery/app/trace.py\", line 736, in __protected_call__\n return self.run(*args, **kwargs)\n ~~~~~~~~^^^^^^^^^^^^^^^^^\n File \"/authentik/sources/ldap/tasks.py\", line 142, in ldap_sync\n count = sync_inst.sync(page)\n File \"/authentik/sources/ldap/sync/forward_delete_users.py\", line 62, in sync\n _, deleted_per_type = User.objects.filter(pk__in=user_pks).delete()\n ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^\n File \"/ak-root/.venv/lib/python3.13/site-packages/django/db/models/query.py\", line 1188, in delete\n num_deleted, num_deleted_per_model = collector.delete()\n ~~~~~~~~~~~~~~~~^^\n File \"/ak-root/.venv/lib/python3.13/site-packages/django/db/models/deletion.py\", line 459, in delete\n signals.pre_delete.send(\n ~~~~~~~~~~~~~~~~~~~~~~~^\n sender=model,\n ^^^^^^^^^^^^^\n ...<2 lines>...\n origin=self.origin,\n ^^^^^^^^^^^^^^^^^^^\n )\n ^\n File \"/ak-root/.venv/lib/python3.13/site-packages/django/dispatch/dispatcher.py\", line 189, in send\n response = receiver(signal=self, sender=sender, **named)\n File \"/authentik/lib/sync/outgoing/signals.py\", line 55, in model_pre_delete\n ).get(propagate=False)\n ~~~^^^^^^^^^^^^^^^^^\n File \"/ak-root/.venv/lib/python3.13/site-packages/celery/result.py\", line 237, in get\n assert_will_not_block()\n ~~~~~~~~~~~~~~~~~~~~~^^\n File \"/ak-root/.venv/lib/python3.13/site-packages/celery/result.py\", line 38, in assert_will_not_block\n raise RuntimeError(E_WOULDBLOCK)\nbuiltins.RuntimeError: Never call result.get() within a task!\nSee https://docs.celeryq.dev/en/latest/userguide/tasks.html#avoid-launching-synchronous-subtasks\n"
},
"domain_url": null,
"event": "Created Event",
"level": "info",
"logger": "authentik.events.models",
"pid": 32644,
"schema_name": "public",
"task_id": "task-527c9ee645b94bf9a46d67b6b4e841e9",
"timestamp": "2025-07-18T05:12:10.527271",
"user": {}
}{
"event": "Task authentik.sources.ldap.tasks.ldap_sync[527c9ee6-45b9-4bf9-a46d-67b6b4e841e9] raised unexpected: RuntimeError('Never call result.get() within a task!\\nSee https://docs.celeryq.dev/en/latest/userguide/tasks.html#avoid-launching-synchronous-subtasks\\n')",
"exception": [
{
"exc_notes": [],
"exc_type": "RuntimeError",
"exc_value": "Never call result.get() within a task!\nSee https://docs.celeryq.dev/en/latest/userguide/tasks.html#avoid-launching-synchronous-subtasks\n",
"frames": [
{
"filename": "/ak-root/.venv/lib/python3.13/site-packages/celery/app/trace.py",
"lineno": 453,
"locals": {
"I": "None",
"IGNORE_STATES": "frozenset({'RETRY', 'IGNORED', 'REJECTED'})",
"Info": "<class 'celery.app.trace.TraceInfo'>",
"R": "None",
"Rstr": "None",
"T": "None",
"_does_info": "False",
"app": "<CeleryApp authentik at 0x7f20a27370e0>",
"args": "\"['813d8a35-bcdb-4141-8f4c-3ba64df14fda', 'authentik.sources.ldap.sync.forward_de\"+109",
"deduplicate_successful_tasks": "False",
"eager": "False",
"exc": "\"RuntimeError('Never call result.get() within a task!\\\\nSee https://docs.celeryq.d\"+74",
"fun": "<@task: authentik.sources.ldap.tasks.ldap_sync of authentik at 0x7f20a27370e0>",
"hostname": "'[REDACTED]'",
"inherit_parent_priority": "False",
"kwargs": "{}",
"loader_cleanup": "'<bound method BaseLoader.on_process_cleanup of <celery.loaders.app.AppLoader obj'+23",
"loader_task_init": "'<bound method BaseLoader.on_task_init of <celery.loaders.app.AppLoader object at'+17",
"monotonic": "<built-in function monotonic>",
"name": "'authentik.sources.ldap.tasks.ldap_sync'",
"on_error": "<function build_tracer.<locals>.on_error at 0x7f2097dee5c0>",
"pid": "32644",
"pop_request": "'<bound method _LocalStack.pop of <celery.utils.threads._LocalStack object at 0x7'+13",
"pop_task": "'<bound method _LocalStack.pop of <celery.utils.threads._LocalStack object at 0x7'+13",
"postrun_receivers": "\"[(('tenant_schemas_restore_schema', 139778275204400), <weakref at 0x7f20a2599f30\"+303",
"prerun_receivers": "\"[(('tenant_schemas_switch_schema', 139778275204400), <weakref at 0x7f20a2599df0;\"+300",
"publish_result": "True",
"push_request": "'<bound method _LocalStack.push of <celery.utils.threads._LocalStack object at 0x'+14",
"push_task": "'<bound method _LocalStack.push of <celery.utils.threads._LocalStack object at 0x'+14",
"redelivered": "False",
"request": "\"{'lang': 'py', 'task': 'authentik.sources.ldap.tasks.ldap_sync', 'id': '527c9ee6\"+1578",
"resultrepr_maxsize": "1024",
"retval": "None",
"root_id": "'e84b51c1-93ae-4912-82e6-1d466479c8a3'",
"signature": "<function maybe_signature at 0x7f20a2c20900>",
"state": "None",
"success_receivers": "[]",
"task": "<@task: authentik.sources.ldap.tasks.ldap_sync of authentik at 0x7f20a27370e0>",
"task_after_return": "'<bound method SystemTask.after_return of <@task: authentik.sources.ldap.tasks.ld'+40",
"task_before_start": "'<bound method SystemTask.before_start of <@task: authentik.sources.ldap.tasks.ld'+40",
"task_on_success": "None",
"task_priority": "None",
"task_request": "\"<Context: {'lang': 'py', 'task': 'authentik.sources.ldap.tasks.ldap_sync', 'id':\"+1845",
"time_start": "62696.431286574",
"trace_ok_t": "<class 'celery.app.trace.trace_ok_t'>",
"track_started": "False",
"uuid": "'527c9ee6-45b9-4bf9-a46d-67b6b4e841e9'"
},
"name": "trace_task"
},
{
"filename": "/ak-root/.venv/lib/python3.13/site-packages/celery/app/trace.py",
"lineno": 736,
"locals": {
"args": "\"('813d8a35-bcdb-4141-8f4c-3ba64df14fda', 'authentik.sources.ldap.sync.forward_de\"+109",
"kwargs": "{}",
"orig": "<function Task.__call__ at 0x7f20a2c22c00>",
"req": "\"<Context: {'lang': 'py', 'task': 'authentik.sources.ldap.tasks.ldap_sync', 'id':\"+1845",
"self": "<@task: authentik.sources.ldap.tasks.ldap_sync of authentik at 0x7f20a27370e0>",
"stack": "<celery.utils.threads._LocalStack object at 0x7f209850cbe0>"
},
"name": "__protected_call__"
},
{
"filename": "/authentik/sources/ldap/tasks.py",
"lineno": 142,
"locals": {
"page": "(16, 20, 23, 27, 30, 39, 44, 45, 51)",
"page_cache_key": "'goauthentik.io/sources/ldap/page/175949fb-e884-4b34-9ee6-83d55741e8bf'",
"self": "<@task: authentik.sources.ldap.tasks.ldap_sync of authentik at 0x7f20a27370e0>",
"source": "<LDAPSource: [REDACTED]>",
"source_pk": "'813d8a35-bcdb-4141-8f4c-3ba64df14fda'",
"sync": "\"<class 'authentik.sources.ldap.sync.forward_delete_users.UserLDAPForwardDeletion\"+2",
"sync_class": "'authentik.sources.ldap.sync.forward_delete_users.UserLDAPForwardDeletion'",
"sync_inst": "'<authentik.sources.ldap.sync.forward_delete_users.UserLDAPForwardDeletion object'+19",
"uid": "'175949fb-e884-4b34-9ee6-83d55741e8bf'"
},
"name": "ldap_sync"
},
{
"filename": "/authentik/sources/ldap/sync/forward_delete_users.py",
"lineno": 62,
"locals": {
"self": "'<authentik.sources.ldap.sync.forward_delete_users.UserLDAPForwardDeletion object'+19",
"user_pks": "(16, 20, 23, 27, 30, 39, 44, 45, 51)"
},
"name": "sync"
},
{
"filename": "/ak-root/.venv/lib/python3.13/site-packages/django/db/models/query.py",
"lineno": 1188,
"locals": {
"collector": "<django.db.models.deletion.Collector object at 0x7f209b293b10>",
"del_query": "'<UserQuerySet [<User: [REDACTED]>, <User: [REDACTED]>, <User: [REDACTED]'+152",
"self": "'<UserQuerySet [<User: [REDACTED]>, <User: [REDACTED]>, <User: [REDACTED]'+152"
},
"name": "delete"
},
{
"filename": "/ak-root/.venv/lib/python3.13/site-packages/django/db/models/deletion.py",
"lineno": 459,
"locals": {
"deleted_counter": "Counter()",
"instances": "'{<UserLDAPSourceConnection: User-source connection (user=27, source=813d8a35-bcd'+883",
"model": "<class 'authentik.core.models.User'>",
"obj": "<User: [REDACTED]>",
"self": "<django.db.models.deletion.Collector object at 0x7f209b293b10>"
},
"name": "delete"
},
{
"filename": "/ak-root/.venv/lib/python3.13/site-packages/django/dispatch/dispatcher.py",
"lineno": 189,
"locals": {
"async_receivers": "[]",
"named": "\"{'instance': <User: [REDACTED]>, 'using': 'default', 'origin': <UserQuerySet [\"+218",
"receiver": "<function register_signals.<locals>.model_pre_delete at 0x7f209b0a4360>",
"response": "None",
"responses": "'[(<function event_user_pre_delete_cleanup at 0x7f209c67eb60>, None), (<function '+48",
"self": "<django.db.models.signals.ModelSignal object at 0x7f20a663dcd0>",
"sender": "<class 'authentik.core.models.User'>",
"sync_receivers": "'[<function event_user_pre_delete_cleanup at 0x7f209c67eb60>, <function invalidat'+251"
},
"name": "send"
},
{
"filename": "/authentik/lib/sync/outgoing/signals.py",
"lineno": 55,
"locals": {
"_": "\"{'signal': <django.db.models.signals.ModelSignal object at 0x7f20a663dcd0>, 'usi\"+259",
"instance": "<User: [REDACTED]>",
"provider_type": "<class 'authentik.providers.scim.models.SCIMProvider'>",
"sender": "<class 'authentik.core.models.User'>",
"task_sync_direct": "'<@task: authentik.providers.scim.tasks.scim_sync_direct of authentik at 0x7f20a2'+7"
},
"name": "model_pre_delete"
},
{
"filename": "/ak-root/.venv/lib/python3.13/site-packages/celery/result.py",
"lineno": 237,
"locals": {
"EXCEPTION_STATES": "frozenset({'RETRY', 'REVOKED', 'FAILURE'})",
"PROPAGATE_STATES": "frozenset({'REVOKED', 'FAILURE'})",
"callback": "None",
"disable_sync_subtasks": "True",
"follow_parents": "True",
"interval": "0.5",
"no_ack": "True",
"on_interval": "None",
"on_message": "None",
"propagate": "False",
"self": "<AsyncResult: 0d256e5b-8707-4dbd-aa0f-94f96b8a2d81>",
"timeout": "None"
},
"name": "get"
},
{
"filename": "/ak-root/.venv/lib/python3.13/site-packages/celery/result.py",
"lineno": 38,
"locals": {},
"name": "assert_will_not_block"
}
],
"is_cause": false,
"syntax_error": null
}
],
"level": "error",
"logger": "celery.app.trace",
"timestamp": 1752815530.5549679
}
Version and Deployment:
- authentik version: 2025.6.3
- Deployment: Kubernetes