attempt at optimizing applications api for users with a lot of groups and access to a lot of applications

ryanpesek · ryanpesek · commit b8197e773d1f · 2025-11-22T14:37:04.000-06:00
diff --git a/authentik/core/api/applications.py b/authentik/core/api/applications.py
@@ -4,6 +4,7 @@
 from copy import copy
 
 from django.core.cache import cache
+from django.db import models
 from django.db.models import QuerySet
 from django.shortcuts import get_object_or_404
 from django.utils.translation import gettext as _
@@ -63,9 +64,26 @@ class ApplicationSerializer(ModelSerializer):
     def get_launch_url(self, app: Application) -> str | None:
         """Allow formatting of launch URL"""
         user = None
+        user_data = None
+
         if "request" in self.context:
             user = self.context["request"].user
-        return app.get_launch_url(user)
+
+        # Cache serialized user data to avoid N+1 when formatting launch URLs
+        # for multiple applications. UserSerializer accesses user.ak_groups which
+        # would otherwise trigger a query for each application.
+        if user and user.is_authenticated:
+            if "_cached_user_data" not in self.context:
+                # Prefetch groups to avoid N+1
+                from django.db.models import prefetch_related_objects
+
+                from authentik.core.api.users import UserSerializer
+
+                prefetch_related_objects([user], "ak_groups")
+                self.context["_cached_user_data"] = UserSerializer(instance=user).data
+            user_data = self.context["_cached_user_data"]
+
+        return app.get_launch_url(user, user_data=user_data)
 
     def validate_slug(self, slug: str) -> str:
         if slug in Application.reserved_slugs:
@@ -262,6 +280,20 @@ def list(self, request: Request) -> Response:
             except ValueError as exc:
                 raise ValidationError from exc
             allowed_applications = self._get_allowed_applications(paginated_apps, user=for_user)
+
+            # Re-fetch with proper prefetching for serialization
+            if allowed_applications:
+                app_pks = [app.pk for app in allowed_applications]
+                allowed_applications = list(
+                    self.get_queryset()
+                    .filter(pk__in=app_pks)
+                    .order_by(
+                        models.Case(
+                            *[models.When(pk=pk, then=pos) for pos, pk in enumerate(app_pks)]
+                        )
+                    )
+                )
+
             serializer = self.get_serializer(allowed_applications, many=True)
             return self.get_paginated_response(serializer.data)
 
@@ -284,6 +316,20 @@ def list(self, request: Request) -> Response:
         if only_with_launch_url == "true":
             allowed_applications = self._filter_applications_with_launch_url(allowed_applications)
 
+        # Re-fetch applications with proper prefetching for serialization
+        # Cached applications don't have prefetched relationships, causing N+1 queries
+        # during serialization when get_provider() is called
+        if allowed_applications:
+            app_pks = [app.pk for app in allowed_applications]
+            allowed_applications = list(
+                self.get_queryset()
+                .filter(pk__in=app_pks)
+                .order_by(
+                    # Preserve the original order from policy evaluation
+                    models.Case(*[models.When(pk=pk, then=pos) for pos, pk in enumerate(app_pks)])
+                )
+            )
+
         serializer = self.get_serializer(allowed_applications, many=True)
         return self.get_paginated_response(serializer.data)
 
diff --git a/authentik/core/models.py b/authentik/core/models.py
@@ -524,6 +524,13 @@ def with_provider(self) -> "QuerySet[Application]":
         qs = self.select_related("provider")
         for subclass in Provider.objects.get_queryset()._get_subclasses_recurse(Provider):
             qs = qs.select_related(f"provider__{subclass}")
+            # Also prefetch/select through each subclass path to ensure casted instances have access
+            qs = qs.prefetch_related(f"provider__{subclass}__property_mappings")
+            qs = qs.select_related(f"provider__{subclass}__application")
+            # qs = qs.select_related(f"provider__{subclass}__backchannel_application")
+            # qs = qs.select_related(f"provider__{subclass}__authentication_flow")
+            # qs = qs.select_related(f"provider__{subclass}__authorization_flow")
+            # qs = qs.select_related(f"provider__{subclass}__invalidation_flow")
         return qs
 
 
@@ -583,8 +590,15 @@ def get_meta_icon(self) -> str | None:
             return CONFIG.get("web.path", "/")[:-1] + self.meta_icon.name
         return self.meta_icon.url
 
-    def get_launch_url(self, user: Optional["User"] = None) -> str | None:
-        """Get launch URL if set, otherwise attempt to get launch URL based on provider."""
+    def get_launch_url(
+        self, user: Optional["User"] = None, user_data: dict | None = None
+    ) -> str | None:
+        """Get launch URL if set, otherwise attempt to get launch URL based on provider.
+
+        Args:
+            user: User instance for formatting the URL
+            user_data: Pre-serialized user data to avoid re-serialization (performance optimization)
+        """
         from authentik.core.api.users import UserSerializer
 
         url = None
@@ -594,7 +608,10 @@ def get_launch_url(self, user: Optional["User"] = None) -> str | None:
             url = provider.launch_url
         if user and url:
             try:
-                return url % UserSerializer(instance=user).data
+                # Use pre-serialized data if available, otherwise serialize now
+                if user_data is None:
+                    user_data = UserSerializer(instance=user).data
+                return url % user_data
             except Exception as exc:  # noqa
                 LOGGER.warning("Failed to format launch url", exc=exc)
                 return url
