feat: add "nonce" into the OAuth and OIDC tokens, for some apps require "nonce" to integrate (#2522 )

feat: add token hash to improve performance
feat: Improve LDAP filter support (#2519 )
2025-07-17 02:13:50 +08:00 · 2023-12-01 18:29:39 +08:00 · 2023-11-30 18:05:30 +08:00 · 2023-11-26 23:11:49 +08:00 · 2023-11-25 18:31:33 +08:00 · 2023-11-24 15:52:59 +08:00
227 changed files with 7941 additions and 3153 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@ -127,7 +127,7 @@ jobs:
  release-and-push:
    name: Release And Push
    runs-on: ubuntu-latest
-    if: github.repository == 'casdoor/casdoor' && github.event_name == 'push'
+    if: github.repository == 'casbin/casdoor' && github.event_name == 'push'
    needs: [ frontend, backend, linter, e2e ]
    steps:
      - name: Checkout
@ -184,27 +184,27 @@ jobs:

      - name: Log in to Docker Hub
        uses: docker/login-action@v1
-        if: github.repository == 'casdoor/casdoor' && github.event_name == 'push' && steps.should_push.outputs.push=='true'
+        if: github.repository == 'casbin/casdoor' && github.event_name == 'push' && steps.should_push.outputs.push=='true'
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_PASSWORD }}

      - name: Push to Docker Hub
        uses: docker/build-push-action@v3
-        if: github.repository == 'casdoor/casdoor' && github.event_name == 'push' && steps.should_push.outputs.push=='true'
+        if: github.repository == 'casbin/casdoor' && github.event_name == 'push' && steps.should_push.outputs.push=='true'
        with:
          context: .
          target: STANDARD
-          platforms: linux/amd64,linux/arm64
+          platforms: linux/amd64
          push: true
          tags: casbin/casdoor:${{steps.get-current-tag.outputs.tag }},casbin/casdoor:latest

      - name: Push All In One Version to Docker Hub
        uses: docker/build-push-action@v3
-        if: github.repository == 'casdoor/casdoor' && github.event_name == 'push' && steps.should_push.outputs.push=='true'
+        if: github.repository == 'casbin/casdoor' && github.event_name == 'push' && steps.should_push.outputs.push=='true'
        with:
          context: .
          target: ALLINONE
-          platforms: linux/amd64,linux/arm64
+          platforms: linux/amd64
          push: true
          tags: casbin/casdoor-all-in-one:${{steps.get-current-tag.outputs.tag }},casbin/casdoor-all-in-one:latest
--- a/.github/workflows/migrate.yml
+++ b/.github/workflows/migrate.yml
@ -1,61 +0,0 @@
-name: Migration Test
-
-on:
-  push:
-    paths:
-      - 'object/migrator**'
-  pull_request:
-    paths:
-      - 'object/migrator**'
-
-jobs:
-
-  db-migrator-test:
-    name: db-migrator-test
-    runs-on: ubuntu-latest
-    services:
-      mysql:
-        image: mysql:5.7
-        env:
-          MYSQL_DATABASE: casdoor
-          MYSQL_ROOT_PASSWORD: 123456
-        ports:
-          - 3306:3306
-        options: --health-cmd="mysqladmin ping" --health-interval=10s --health-timeout=5s --health-retries=3
-    steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-go@v2
-        with:
-          go-version: '^1.16.5'
-      - uses: actions/setup-node@v2
-        with:
-          node-version: 16
-      - name: pull casdoor-master-latest
-        run: |
-          sudo apt update
-          sudo apt install git
-          sudo apt install net-tools
-          sudo mkdir tmp
-          cd tmp
-          sudo git clone https://github.com/casdoor/casdoor.git
-          cd ..
-        working-directory: ./
-      - name: run casdoor-master-latest
-        run: |
-          sudo nohup go run main.go &
-          sudo sleep 2m
-        working-directory: ./tmp/casdoor
-      - name: stop casdoor-master-latest
-        run: |
-          sudo kill -9 `sudo netstat -anltp | grep 8000 | awk '{print $7}' | cut -d / -f 1`
-        working-directory: ./
-      - name: run casdoor-current-version
-        run: |
-          sudo nohup go run ./main.go &
-          sudo sleep 2m
-        working-directory: ./
-      - name: test port-8000
-        run: |
-          if [[ `sudo netstat -anltp | grep 8000 | awk '{print $7}'` == "" ]];then echo 'db-migrator-test fail' && exit 1;fi;
-          echo 'db-migrator-test pass'
-        working-directory: ./
--- a/.github/workflows/sync.yml
+++ b/.github/workflows/sync.yml
@ -7,7 +7,7 @@ on:
 jobs:
  synchronize-with-crowdin:
    runs-on: ubuntu-latest
-    if: github.repository == 'casdoor/casdoor' && github.event_name == 'push'
+    if: github.repository == 'casbin/casdoor' && github.event_name == 'push'
    steps:

    - name: Checkout
--- a/.gitignore
+++ b/.gitignore
@ -30,5 +30,4 @@ commentsRouter*.go

 # ignore build result
 casdoor
-server_linux_arm64
-server_linux_amd64
+server
--- a/12
+++ b/12
@ -1,7 +1,6 @@
 FROM node:16.18.0 AS FRONT
 WORKDIR /web
 COPY ./web .
-RUN yarn config set registry https://registry.npmmirror.com
 RUN yarn install --frozen-lockfile --network-timeout 1000000 && yarn run build


@ -14,9 +13,6 @@ RUN go test -v -run TestGetVersionInfo ./util/system_test.go ./util/system.go >
 FROM alpine:latest AS STANDARD
 LABEL MAINTAINER="https://casdoor.org/"
 ARG USER=casdoor
-ARG TARGETOS
-ARG TARGETARCH
-ENV BUILDX_ARCH="${TARGETOS:-linux}_${TARGETARCH:-amd64}"

 RUN sed -i 's/https/http/' /etc/apk/repositories
 RUN apk add --update sudo
@ -31,7 +27,7 @@ RUN adduser -D $USER -u 1000 \

 USER 1000
 WORKDIR /
-COPY --from=BACK --chown=$USER:$USER /go/src/casdoor/server_${BUILDX_ARCH} ./server
+COPY --from=BACK --chown=$USER:$USER /go/src/casdoor/server ./server
 COPY --from=BACK --chown=$USER:$USER /go/src/casdoor/swagger ./swagger
 COPY --from=BACK --chown=$USER:$USER /go/src/casdoor/conf/app.conf ./conf/app.conf
 COPY --from=BACK --chown=$USER:$USER /go/src/casdoor/version_info.txt ./go/src/casdoor/version_info.txt
@ -50,21 +46,17 @@ RUN apt update \

 FROM db AS ALLINONE
 LABEL MAINTAINER="https://casdoor.org/"
-ARG TARGETOS
-ARG TARGETARCH
-ENV BUILDX_ARCH="${TARGETOS:-linux}_${TARGETARCH:-amd64}"

 RUN apt update
 RUN apt install -y ca-certificates && update-ca-certificates

 WORKDIR /
-COPY --from=BACK /go/src/casdoor/server_${BUILDX_ARCH} ./server
+COPY --from=BACK /go/src/casdoor/server ./server
 COPY --from=BACK /go/src/casdoor/swagger ./swagger
 COPY --from=BACK /go/src/casdoor/docker-entrypoint.sh /docker-entrypoint.sh
 COPY --from=BACK /go/src/casdoor/conf/app.conf ./conf/app.conf
 COPY --from=BACK /go/src/casdoor/version_info.txt ./go/src/casdoor/version_info.txt
 COPY --from=FRONT /web/build ./web/build
-RUN mkdir tempFiles

 ENTRYPOINT ["/bin/bash"]
 CMD ["/docker-entrypoint.sh"]
--- a/README.md
+++ b/README.md
@ -1,5 +1,5 @@
 <h1 align="center" style="border-bottom: none;">📦⚡️ Casdoor</h1>
-<h3 align="center">A UI-first centralized authentication / Single-Sign-On (SSO) platform based on OAuth 2.0 / OIDC.</h3>
+<h3 align="center">An open-source UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform with web UI supporting OAuth 2.0, OIDC, SAML, CAS, LDAP, SCIM, WebAuthn, TOTP, MFA and RADIUS</h3>
 <p align="center">
  <a href="#badge">
    <img alt="semantic-release" src="https://img.shields.io/badge/%20%20%F0%9F%93%A6%F0%9F%9A%80-semantic--release-e10079.svg">
--- a/authz/authz.go
+++ b/authz/authz.go
@ -46,6 +46,7 @@ p, *, *, POST, /api/login, *, *
 p, *, *, GET, /api/get-app-login, *, *
 p, *, *, POST, /api/logout, *, *
 p, *, *, GET, /api/logout, *, *
+p, *, *, POST, /api/callback, *, *
 p, *, *, GET, /api/get-account, *, *
 p, *, *, GET, /api/userinfo, *, *
 p, *, *, GET, /api/user, *, *
@ -80,6 +81,7 @@ p, *, *, GET, /api/get-saml-login, *, *
 p, *, *, POST, /api/acs, *, *
 p, *, *, GET, /api/saml/metadata, *, *
 p, *, *, *, /cas, *, *
+p, *, *, *, /scim, *, *
 p, *, *, *, /api/webauthn, *, *
 p, *, *, GET, /api/get-release, *, *
 p, *, *, GET, /api/get-default-application, *, *
@ -88,12 +90,13 @@ p, *, *, *, /api/metrics, *, *
 p, *, *, GET, /api/get-pricing, *, *
 p, *, *, GET, /api/get-plan, *, *
 p, *, *, GET, /api/get-subscription, *, *
+p, *, *, GET, /api/get-provider, *, *
 p, *, *, GET, /api/get-organization-names, *, *
 `

 		sa := stringadapter.NewAdapter(ruleText)
 		// load all rules from string adapter to enforcer's memory
-		err := sa.LoadPolicy(Enforcer.GetModel())
+		err = sa.LoadPolicy(Enforcer.GetModel())
 		if err != nil {
 			panic(err)
 		}
@ -120,10 +123,20 @@ func IsAllowed(subOwner string, subName string, method string, urlPath string, o
 		panic(err)
 	}

-	if user != nil && user.IsAdmin && (subOwner == objOwner || (objOwner == "admin")) {
+	if subOwner == "app" {
 		return true
 	}

+	if user != nil {
+		if user.IsDeleted {
+			return false
+		}
+
+		if user.IsAdmin && (subOwner == objOwner || (objOwner == "admin")) {
+			return true
+		}
+	}
+
 	res, err := Enforcer.Enforce(subOwner, subName, method, urlPath, objOwner, objName)
 	if err != nil {
 		panic(err)
@ -134,11 +147,11 @@ func IsAllowed(subOwner string, subName string, method string, urlPath string, o

 func isAllowedInDemoMode(subOwner string, subName string, method string, urlPath string, objOwner string, objName string) bool {
 	if method == "POST" {
-		if strings.HasPrefix(urlPath, "/api/login") || urlPath == "/api/logout" || urlPath == "/api/signup" || urlPath == "/api/send-verification-code" || urlPath == "/api/send-email" || urlPath == "/api/verify-captcha" {
+		if strings.HasPrefix(urlPath, "/api/login") || urlPath == "/api/logout" || urlPath == "/api/signup" || urlPath == "/api/callback" || urlPath == "/api/send-verification-code" || urlPath == "/api/send-email" || urlPath == "/api/verify-captcha" {
 			return true
 		} else if urlPath == "/api/update-user" {
 			// Allow ordinary users to update their own information
-			if subOwner == objOwner && subName == objName && !(subOwner == "built-in" && subName == "admin") {
+			if (subOwner == objOwner && subName == objName || subOwner == "app") && !(subOwner == "built-in" && subName == "admin") {
 				return true
 			}
 			return false
--- a/build.sh
+++ b/build.sh
@ -8,5 +8,4 @@ else
    echo "Google is blocked, Go proxy is enabled: GOPROXY=https://goproxy.cn,direct"
    export GOPROXY="https://goproxy.cn,direct"
 fi
-CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -ldflags="-w -s" -o server_linux_amd64 .
-CGO_ENABLED=0 GOOS=linux GOARCH=arm64 go build -ldflags="-w -s" -o server_linux_arm64 .
+CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -ldflags="-w -s" -o server .
--- a/conf/app.conf
+++ b/conf/app.conf
@ -8,18 +8,23 @@ dbName = casdoor
 tableNamePrefix =
 showSql = false
 redisEndpoint =
-defaultStorageProvider = 
+defaultStorageProvider =
 isCloudIntranet = false
 authState = "casdoor"
 socks5Proxy = "127.0.0.1:10808"
 verificationCodeTimeout = 10
-initScore = 2000
+initScore = 0
 logPostOnly = true
 origin =
+originFrontend =
 staticBaseUrl = "https://cdn.casbin.org"
 isDemoMode = false
 batchSize = 100
+enableGzip = true
 ldapServerPort = 389
+radiusServerPort = 1812
+radiusSecret = "secret"
 quota = {"organization": -1, "user": -1, "application": -1, "provider": -1}
 logConfig = {"filename": "logs/casdoor.log", "maxdays":99999, "perm":"0770"}
-initDataFile = "./init_data.json"
+initDataFile = "./init_data.json"
+frontendBaseDir = "../casdoor"
--- a/controllers/account.go
+++ b/controllers/account.go
@ -18,7 +18,6 @@ import (
 	"encoding/json"
 	"fmt"
 	"net/http"
-	"strconv"
 	"strings"

 	"github.com/casdoor/casdoor/form"
@ -119,20 +118,10 @@ func (c *ApiController) Signup() {
 		}
 	}

-	id := util.GenerateId()
-	if application.GetSignupItemRule("ID") == "Incremental" {
-		lastUser, err := object.GetLastUser(authForm.Organization)
-		if err != nil {
-			c.ResponseError(err.Error())
-			return
-		}
-
-		lastIdInt := -1
-		if lastUser != nil {
-			lastIdInt = util.ParseInt(lastUser.Id)
-		}
-
-		id = strconv.Itoa(lastIdInt + 1)
+	id, err := object.GenerateIdForNewUser(application)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
 	}

 	username := authForm.Username
@ -309,27 +298,32 @@ func (c *ApiController) Logout() {
 			return
 		}

-		if application.IsRedirectUriValid(redirectUri) {
-			if user == "" {
-				user = util.GetId(token.Organization, token.User)
-			}
+		if user == "" {
+			user = util.GetId(token.Organization, token.User)
+		}

-			c.ClearUserSession()
-			// TODO https://github.com/casdoor/casdoor/pull/1494#discussion_r1095675265
-			owner, username := util.GetOwnerAndNameFromId(user)
+		c.ClearUserSession()
+		// TODO https://github.com/casdoor/casdoor/pull/1494#discussion_r1095675265
+		owner, username := util.GetOwnerAndNameFromId(user)

-			_, err := object.DeleteSessionId(util.GetSessionId(owner, username, object.CasdoorApplication), c.Ctx.Input.CruSession.SessionID())
-			if err != nil {
-				c.ResponseError(err.Error())
+		_, err = object.DeleteSessionId(util.GetSessionId(owner, username, object.CasdoorApplication), c.Ctx.Input.CruSession.SessionID())
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
+		util.LogInfo(c.Ctx, "API: [%s] logged out", user)
+
+		if redirectUri == "" {
+			c.ResponseOk()
+			return
+		} else {
+			if application.IsRedirectUriValid(redirectUri) {
+				c.Ctx.Redirect(http.StatusFound, fmt.Sprintf("%s?state=%s", strings.TrimRight(redirectUri, "/"), state))
+			} else {
+				c.ResponseError(fmt.Sprintf(c.T("token:Redirect URI: %s doesn't exist in the allowed Redirect URI list"), redirectUri))
 				return
 			}
-
-			util.LogInfo(c.Ctx, "API: [%s] logged out", user)
-
-			c.Ctx.Redirect(http.StatusFound, fmt.Sprintf("%s?state=%s", strings.TrimRight(redirectUri, "/"), state))
-		} else {
-			c.ResponseError(fmt.Sprintf(c.T("token:Redirect URI: %s doesn't exist in the allowed Redirect URI list"), redirectUri))
-			return
 		}
 	}
 }
--- a/controllers/application.go
+++ b/controllers/application.go
@ -90,14 +90,24 @@ func (c *ApiController) GetApplication() {
 		return
 	}

-	if c.Input().Get("withKey") != "" && application.Cert != "" {
+	if c.Input().Get("withKey") != "" && application != nil && application.Cert != "" {
 		cert, err := object.GetCert(util.GetId(application.Owner, application.Cert))
 		if err != nil {
 			c.ResponseError(err.Error())
 			return
 		}

-		application.CertPublicKey = cert.Certificate
+		if cert == nil {
+			cert, err = object.GetCert(util.GetId(application.Organization, application.Cert))
+			if err != nil {
+				c.ResponseError(err.Error())
+				return
+			}
+		}
+
+		if cert != nil {
+			application.CertPublicKey = cert.Certificate
+		}
 	}

 	c.ResponseOk(object.GetMaskedApplication(application, userId))
@ -163,6 +173,12 @@ func (c *ApiController) GetOrganizationApplications() {
 			return
 		}

+		applications, err = object.GetAllowedApplications(applications, userId)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
 		c.ResponseOk(object.GetMaskedApplications(applications, userId))
 	} else {
 		limit := util.ParseInt(limit)
--- a/controllers/auth.go
+++ b/controllers/auth.go
@ -20,6 +20,7 @@ import (
 	"encoding/xml"
 	"fmt"
 	"io/ioutil"
+	"net/http"
 	"net/url"
 	"strconv"
 	"strings"
@ -33,6 +34,7 @@ import (
 	"github.com/casdoor/casdoor/proxy"
 	"github.com/casdoor/casdoor/util"
 	"github.com/google/uuid"
+	"golang.org/x/oauth2"
 )

 var (
@ -59,7 +61,7 @@ func tokenToResponse(token *object.Token) *Response {
 func (c *ApiController) HandleLoggedIn(application *object.Application, user *object.User, form *form.AuthForm) (resp *Response) {
 	userId := user.GetId()

-	allowed, err := object.CheckAccessPermission(userId, application)
+	allowed, err := object.CheckLoginPermission(userId, application)
 	if err != nil {
 		c.ResponseError(err.Error(), nil)
 		return
@ -153,7 +155,8 @@ func (c *ApiController) HandleLoggedIn(application *object.Application, user *ob
 			resp = &Response{Status: "error", Msg: fmt.Sprintf("error: grant_type: %s is not supported in this application", form.Type), Data: ""}
 		} else {
 			scope := c.Input().Get("scope")
-			token, _ := object.GetTokenByUser(application, user, scope, c.Ctx.Request.Host)
+			nonce := c.Input().Get("nonce")
+			token, _ := object.GetTokenByUser(application, user, scope, nonce, c.Ctx.Request.Host)
 			resp = tokenToResponse(token)
 		}
 	} else if form.Type == ResponseTypeSaml { // saml flow
@ -330,8 +333,6 @@ func (c *ApiController) Login() {
 		}

 		var user *object.User
-		var msg string
-
 		if authForm.Password == "" {
 			if user, err = object.GetUserByFields(authForm.Organization, authForm.Username); err != nil {
 				c.ResponseError(err.Error(), nil)
@ -353,20 +354,21 @@ func (c *ApiController) Login() {
 			}

 			// check result through Email or Phone
-			checkResult := object.CheckSigninCode(user, checkDest, authForm.Code, c.GetAcceptLanguage())
-			if len(checkResult) != 0 {
-				c.ResponseError(fmt.Sprintf("%s - %s", verificationCodeType, checkResult))
+			err = object.CheckSigninCode(user, checkDest, authForm.Code, c.GetAcceptLanguage())
+			if err != nil {
+				c.ResponseError(fmt.Sprintf("%s - %s", verificationCodeType, err.Error()))
 				return
 			}

 			// disable the verification code
-			err := object.DisableVerificationCode(checkDest)
+			err = object.DisableVerificationCode(checkDest)
 			if err != nil {
 				c.ResponseError(err.Error(), nil)
 				return
 			}
 		} else {
-			application, err := object.GetApplication(fmt.Sprintf("admin/%s", authForm.Application))
+			var application *object.Application
+			application, err = object.GetApplication(fmt.Sprintf("admin/%s", authForm.Application))
 			if err != nil {
 				c.ResponseError(err.Error(), nil)
 				return
@ -385,7 +387,8 @@ func (c *ApiController) Login() {
 				c.ResponseError(err.Error())
 				return
 			} else if enableCaptcha {
-				isHuman, err := captcha.VerifyCaptchaByCaptchaType(authForm.CaptchaType, authForm.CaptchaToken, authForm.ClientSecret)
+				var isHuman bool
+				isHuman, err = captcha.VerifyCaptchaByCaptchaType(authForm.CaptchaType, authForm.CaptchaToken, authForm.ClientSecret)
 				if err != nil {
 					c.ResponseError(err.Error())
 					return
@ -398,13 +401,15 @@ func (c *ApiController) Login() {
 			}

 			password := authForm.Password
-			user, msg = object.CheckUserPassword(authForm.Organization, authForm.Username, password, c.GetAcceptLanguage(), enableCaptcha)
+			user, err = object.CheckUserPassword(authForm.Organization, authForm.Username, password, c.GetAcceptLanguage(), enableCaptcha)
 		}

-		if msg != "" {
-			resp = &Response{Status: "error", Msg: msg}
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
 		} else {
-			application, err := object.GetApplication(fmt.Sprintf("admin/%s", authForm.Application))
+			var application *object.Application
+			application, err = object.GetApplication(fmt.Sprintf("admin/%s", authForm.Application))
 			if err != nil {
 				c.ResponseError(err.Error())
 				return
@ -415,7 +420,8 @@ func (c *ApiController) Login() {
 				return
 			}

-			organization, err := object.GetOrganizationByUser(user)
+			var organization *object.Organization
+			organization, err = object.GetOrganizationByUser(user)
 			if err != nil {
 				c.ResponseError(err.Error())
 			}
@ -460,12 +466,15 @@ func (c *ApiController) Login() {
 			c.ResponseError(fmt.Sprintf(c.T("auth:The application: %s does not exist"), authForm.Application))
 			return
 		}
-		organization, err := object.GetOrganization(util.GetId("admin", application.Organization))
+
+		var organization *object.Organization
+		organization, err = object.GetOrganization(util.GetId("admin", application.Organization))
 		if err != nil {
 			c.ResponseError(c.T(err.Error()))
 		}

-		provider, err := object.GetProvider(util.GetId("admin", authForm.Provider))
+		var provider *object.Provider
+		provider, err = object.GetProvider(util.GetId("admin", authForm.Provider))
 		if err != nil {
 			c.ResponseError(err.Error())
 			return
@ -476,11 +485,10 @@ func (c *ApiController) Login() {
 			c.ResponseError(fmt.Sprintf(c.T("auth:The provider: %s is not enabled for the application"), provider.Name))
 			return
 		}
-
 		userInfo := &idp.UserInfo{}
 		if provider.Category == "SAML" {
 			// SAML
-			userInfo.Id, err = object.ParseSamlResponse(authForm.SamlResponse, provider, c.Ctx.Request.Host)
+			userInfo, err = object.ParseSamlResponse(authForm.SamlResponse, provider, c.Ctx.Request.Host)
 			if err != nil {
 				c.ResponseError(err.Error())
 				return
@ -488,7 +496,12 @@ func (c *ApiController) Login() {
 		} else if provider.Category == "OAuth" || provider.Category == "Web3" {
 			// OAuth
 			idpInfo := object.FromProviderToIdpInfo(c.Ctx, provider)
-			idProvider := idp.GetIdProvider(idpInfo, authForm.RedirectUri)
+			var idProvider idp.IdProvider
+			idProvider, err = idp.GetIdProvider(idpInfo, authForm.RedirectUri)
+			if err != nil {
+				c.ResponseError(err.Error())
+				return
+			}
 			if idProvider == nil {
 				c.ResponseError(fmt.Sprintf(c.T("storage:The provider type: %s is not supported"), provider.Type))
 				return
@ -502,7 +515,8 @@ func (c *ApiController) Login() {
 			}

 			// https://github.com/golang/oauth2/issues/123#issuecomment-103715338
-			token, err := idProvider.GetToken(authForm.Code)
+			var token *oauth2.Token
+			token, err = idProvider.GetToken(authForm.Code)
 			if err != nil {
 				c.ResponseError(err.Error())
 				return
@ -523,7 +537,8 @@ func (c *ApiController) Login() {
 		if authForm.Method == "signup" {
 			user := &object.User{}
 			if provider.Category == "SAML" {
-				user, err = object.GetUser(util.GetId(application.Organization, userInfo.Id))
+				// The userInfo.Id is the NameID in SAML response, it could be name / email / phone
+				user, err = object.GetUserByFields(application.Organization, userInfo.Id)
 				if err != nil {
 					c.ResponseError(err.Error())
 					return
@ -542,7 +557,12 @@ func (c *ApiController) Login() {
 				if user.IsForbidden {
 					c.ResponseError(c.T("check:The user is forbidden to sign in, please contact the administrator"))
 				}
-
+				// sync info from 3rd-party if possible
+				_, err = object.SetUserOAuthProperties(organization, user, provider.Type, userInfo)
+				if err != nil {
+					c.ResponseError(err.Error())
+					return
+				}
 				resp = c.HandleLoggedIn(application, user, &authForm)

 				record := object.NewRecord(c.Ctx)
@ -583,14 +603,16 @@ func (c *ApiController) Login() {
 					}

 					// Handle username conflicts
-					tmpUser, err := object.GetUser(util.GetId(application.Organization, userInfo.Username))
+					var tmpUser *object.User
+					tmpUser, err = object.GetUser(util.GetId(application.Organization, userInfo.Username))
 					if err != nil {
 						c.ResponseError(err.Error())
 						return
 					}

 					if tmpUser != nil {
-						uid, err := uuid.NewRandom()
+						var uid uuid.UUID
+						uid, err = uuid.NewRandom()
 						if err != nil {
 							c.ResponseError(err.Error())
 							return
@ -601,24 +623,31 @@ func (c *ApiController) Login() {
 					}

 					properties := map[string]string{}
-					count, err := object.GetUserCount(application.Organization, "", "", "")
+					var count int64
+					count, err = object.GetUserCount(application.Organization, "", "", "")
 					if err != nil {
 						c.ResponseError(err.Error())
 						return
 					}

 					properties["no"] = strconv.Itoa(int(count + 2))
-					initScore, err := organization.GetInitScore()
+					var initScore int
+					initScore, err = organization.GetInitScore()
 					if err != nil {
 						c.ResponseError(fmt.Errorf(c.T("account:Get init score failed, error: %w"), err).Error())
 						return
 					}

+					userId := userInfo.Id
+					if userId == "" {
+						userId = util.GenerateId()
+					}
+
 					user = &object.User{
 						Owner:             application.Organization,
 						Name:              userInfo.Username,
 						CreatedTime:       util.GetCurrentTime(),
-						Id:                util.GenerateId(),
+						Id:                userId,
 						Type:              "normal-user",
 						DisplayName:       userInfo.DisplayName,
 						Avatar:            userInfo.AvatarUrl,
@ -635,7 +664,8 @@ func (c *ApiController) Login() {
 						Properties:        properties,
 					}

-					affected, err := object.AddUser(user)
+					var affected bool
+					affected, err = object.AddUser(user)
 					if err != nil {
 						c.ResponseError(err.Error())
 						return
@ -645,10 +675,19 @@ func (c *ApiController) Login() {
 						c.ResponseError(fmt.Sprintf(c.T("auth:Failed to create user, user information is invalid: %s"), util.StructToJson(user)))
 						return
 					}
+
+					if providerItem.SignupGroup != "" {
+						user.Groups = []string{providerItem.SignupGroup}
+						_, err = object.UpdateUser(user.GetId(), user, []string{"groups"}, false)
+						if err != nil {
+							c.ResponseError(err.Error())
+							return
+						}
+					}
 				}

 				// sync info from 3rd-party if possible
-				_, err := object.SetUserOAuthProperties(organization, user, provider.Type, userInfo)
+				_, err = object.SetUserOAuthProperties(organization, user, provider.Type, userInfo)
 				if err != nil {
 					c.ResponseError(err.Error())
 					return
@ -673,6 +712,7 @@ func (c *ApiController) Login() {
 				record2.User = user.Name
 				util.SafeGoroutine(func() { object.AddRecord(record2) })
 			} else if provider.Category == "SAML" {
+				// TODO: since we get the user info from SAML response, we can try to create the user
 				resp = &Response{Status: "error", Msg: fmt.Sprintf(c.T("general:The user: %s doesn't exist"), util.GetId(application.Organization, userInfo.Id))}
 			}
 			// resp = &Response{Status: "ok", Msg: "", Data: res}
@ -683,7 +723,8 @@ func (c *ApiController) Login() {
 				return
 			}

-			oldUser, err := object.GetUserByField(application.Organization, provider.Type, userInfo.Id)
+			var oldUser *object.User
+			oldUser, err = object.GetUserByField(application.Organization, provider.Type, userInfo.Id)
 			if err != nil {
 				c.ResponseError(err.Error())
 				return
@ -694,7 +735,8 @@ func (c *ApiController) Login() {
 				return
 			}

-			user, err := object.GetUser(userId)
+			var user *object.User
+			user, err = object.GetUser(userId)
 			if err != nil {
 				c.ResponseError(err.Error())
 				return
@ -707,7 +749,8 @@ func (c *ApiController) Login() {
 				return
 			}

-			isLinked, err := object.LinkUserAccount(user, provider.Type, userInfo.Id)
+			var isLinked bool
+			isLinked, err = object.LinkUserAccount(user, provider.Type, userInfo.Id)
 			if err != nil {
 				c.ResponseError(err.Error())
 				return
@ -720,7 +763,8 @@ func (c *ApiController) Login() {
 			}
 		}
 	} else if c.getMfaUserSession() != "" {
-		user, err := object.GetUser(c.getMfaUserSession())
+		var user *object.User
+		user, err = object.GetUser(c.getMfaUserSession())
 		if err != nil {
 			c.ResponseError(err.Error())
 			return
@ -753,7 +797,8 @@ func (c *ApiController) Login() {
 			return
 		}

-		application, err := object.GetApplication(fmt.Sprintf("admin/%s", authForm.Application))
+		var application *object.Application
+		application, err = object.GetApplication(fmt.Sprintf("admin/%s", authForm.Application))
 		if err != nil {
 			c.ResponseError(err.Error())
 			return
@ -774,7 +819,8 @@ func (c *ApiController) Login() {
 	} else {
 		if c.GetSessionUsername() != "" {
 			// user already signed in to Casdoor, so let the user click the avatar button to do the quick sign-in
-			application, err := object.GetApplication(fmt.Sprintf("admin/%s", authForm.Application))
+			var application *object.Application
+			application, err = object.GetApplication(fmt.Sprintf("admin/%s", authForm.Application))
 			if err != nil {
 				c.ResponseError(err.Error())
 				return
@ -896,3 +942,16 @@ func (c *ApiController) GetCaptchaStatus() {
 	}
 	c.ResponseOk(captchaEnabled)
 }
+
+// Callback
+// @Title Callback
+// @Tag Callback API
+// @Description Get Login Error Counts
+// @router /api/Callback [post]
+func (c *ApiController) Callback() {
+	code := c.GetString("code")
+	state := c.GetString("state")
+
+	frontendCallbackUrl := fmt.Sprintf("/callback?code=%s&state=%s", code, state)
+	c.Ctx.Redirect(http.StatusFound, frontendCallbackUrl)
+}
--- a/controllers/casbin_api.go
+++ b/controllers/casbin_api.go
@ -37,6 +37,11 @@ func (c *ApiController) Enforce() {
 	resourceId := c.Input().Get("resourceId")
 	enforcerId := c.Input().Get("enforcerId")

+	if len(c.Ctx.Input.RequestBody) == 0 {
+		c.ResponseError("The request body should not be empty")
+		return
+	}
+
 	var request object.CasbinRequest
 	err := json.Unmarshal(c.Ctx.Input.RequestBody, &request)
 	if err != nil {
--- a/controllers/cert.go
+++ b/controllers/cert.go
@ -65,13 +65,13 @@ func (c *ApiController) GetCerts() {
 	}
 }

-// GetGlobleCerts
-// @Title GetGlobleCerts
+// GetGlobalCerts
+// @Title GetGlobalCerts
 // @Tag Cert API
 // @Description get globle certs
 // @Success 200 {array} object.Cert The Response object
-// @router /get-globle-certs [get]
-func (c *ApiController) GetGlobleCerts() {
+// @router /get-global-certs [get]
+func (c *ApiController) GetGlobalCerts() {
 	limit := c.Input().Get("pageSize")
 	page := c.Input().Get("p")
 	field := c.Input().Get("field")
@ -80,7 +80,7 @@ func (c *ApiController) GetGlobleCerts() {
 	sortOrder := c.Input().Get("sortOrder")

 	if limit == "" || page == "" {
-		maskedCerts, err := object.GetMaskedCerts(object.GetGlobleCerts())
+		maskedCerts, err := object.GetMaskedCerts(object.GetGlobalCerts())
 		if err != nil {
 			c.ResponseError(err.Error())
 			return
--- a/controllers/enforcer.go
+++ b/controllers/enforcer.go
@ -191,7 +191,7 @@ func (c *ApiController) UpdatePolicy() {
 		return
 	}

-	affected, err := object.UpdatePolicy(id, util.CasbinToSlice(policies[0]), util.CasbinToSlice(policies[1]))
+	affected, err := object.UpdatePolicy(id, policies[0].Ptype, util.CasbinToSlice(policies[0]), util.CasbinToSlice(policies[1]))
 	if err != nil {
 		c.ResponseError(err.Error())
 		return
@ -210,7 +210,7 @@ func (c *ApiController) AddPolicy() {
 		return
 	}

-	affected, err := object.AddPolicy(id, util.CasbinToSlice(policy))
+	affected, err := object.AddPolicy(id, policy.Ptype, util.CasbinToSlice(policy))
 	if err != nil {
 		c.ResponseError(err.Error())
 		return
@ -229,7 +229,7 @@ func (c *ApiController) RemovePolicy() {
 		return
 	}

-	affected, err := object.RemovePolicy(id, util.CasbinToSlice(policy))
+	affected, err := object.RemovePolicy(id, policy.Ptype, util.CasbinToSlice(policy))
 	if err != nil {
 		c.ResponseError(err.Error())
 		return
--- a/controllers/payment.go
+++ b/controllers/payment.go
@ -176,11 +176,10 @@ func (c *ApiController) DeletePayment() {
 func (c *ApiController) NotifyPayment() {
 	owner := c.Ctx.Input.Param(":owner")
 	paymentName := c.Ctx.Input.Param(":payment")
-	orderId := c.Ctx.Input.Param("order")

 	body := c.Ctx.Input.RequestBody

-	payment, err := object.NotifyPayment(c.Ctx.Request, body, owner, paymentName, orderId)
+	payment, err := object.NotifyPayment(body, owner, paymentName)
 	if err != nil {
 		c.ResponseError(err.Error())
 		return
--- a/controllers/plan.go
+++ b/controllers/plan.go
@ -16,7 +16,6 @@ package controllers

 import (
 	"encoding/json"
-	"fmt"

 	"github.com/beego/beego/utils/pagination"
 	"github.com/casdoor/casdoor/object"
@ -83,11 +82,8 @@ func (c *ApiController) GetPlan() {
 		c.ResponseError(err.Error())
 		return
 	}
-	if plan == nil {
-		c.ResponseError(fmt.Sprintf(c.T("plan:The plan: %s does not exist"), id))
-		return
-	}
-	if includeOption {
+
+	if plan != nil && includeOption {
 		options, err := object.GetPermissionsByRole(plan.Role)
 		if err != nil {
 			c.ResponseError(err.Error())
@ -97,11 +93,9 @@ func (c *ApiController) GetPlan() {
 		for _, option := range options {
 			plan.Options = append(plan.Options, option.DisplayName)
 		}
-
-		c.ResponseOk(plan)
-	} else {
-		c.ResponseOk(plan)
 	}
+
+	c.ResponseOk(plan)
 }

 // UpdatePlan
--- a/controllers/pricing.go
+++ b/controllers/pricing.go
@ -16,7 +16,6 @@ package controllers

 import (
 	"encoding/json"
-	"fmt"

 	"github.com/beego/beego/utils/pagination"
 	"github.com/casdoor/casdoor/object"
@ -81,10 +80,7 @@ func (c *ApiController) GetPricing() {
 		c.ResponseError(err.Error())
 		return
 	}
-	if pricing == nil {
-		c.ResponseError(fmt.Sprintf(c.T("pricing:The pricing: %s does not exist"), id))
-		return
-	}
+
 	c.ResponseOk(pricing)
 }

--- a/controllers/product.go
+++ b/controllers/product.go
@ -163,6 +163,8 @@ func (c *ApiController) BuyProduct() {
 	id := c.Input().Get("id")
 	host := c.Ctx.Request.Host
 	providerName := c.Input().Get("providerName")
+	paymentEnv := c.Input().Get("paymentEnv")
+
 	// buy `pricingName/planName` for `paidUserName`
 	pricingName := c.Input().Get("pricingName")
 	planName := c.Input().Get("planName")
@ -187,11 +189,11 @@ func (c *ApiController) BuyProduct() {
 		return
 	}

-	payUrl, orderId, err := object.BuyProduct(id, user, providerName, pricingName, planName, host)
+	payment, attachInfo, err := object.BuyProduct(id, user, providerName, pricingName, planName, host, paymentEnv)
 	if err != nil {
 		c.ResponseError(err.Error())
 		return
 	}

-	c.ResponseOk(payUrl, orderId)
+	c.ResponseOk(payment, attachInfo)
 }
--- a/controllers/resource.go
+++ b/controllers/resource.go
@ -272,6 +272,11 @@ func (c *ApiController) UploadResource() {
 		return
 	}

+	if username == "Built-in-Untracked" {
+		c.ResponseOk(fileUrl, objectKey)
+		return
+	}
+
 	if createdTime == "" {
 		createdTime = util.GetCurrentTime()
 	}
--- a/controllers/saml.go
+++ b/controllers/saml.go
@ -33,7 +33,13 @@ func (c *ApiController) GetSamlMeta() {
 		c.ResponseError(fmt.Sprintf(c.T("saml:Application %s not found"), paramApp))
 		return
 	}
-	metadata, _ := object.GetSamlMeta(application, host)
+
+	metadata, err := object.GetSamlMeta(application, host)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
 	c.Data["xml"] = metadata
 	c.ServeXML()
 }
--- a/controllers/scim.go
+++ b/controllers/scim.go
@ -0,0 +1,27 @@
+// Copyright 2023 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package controllers
+
+import (
+	"strings"
+
+	"github.com/casdoor/casdoor/scim"
+)
+
+func (c *RootController) HandleScim() {
+	path := c.Ctx.Request.URL.Path
+	c.Ctx.Request.URL.Path = strings.TrimPrefix(path, "/scim")
+	scim.Server.ServeHTTP(c.Ctx.ResponseWriter, c.Ctx.Request)
+}
--- a/controllers/token.go
+++ b/controllers/token.go
@ -156,12 +156,11 @@ func (c *ApiController) DeleteToken() {
 // @Success 200 {object} object.TokenWrapper The Response object
 // @Success 400 {object} object.TokenError The Response object
 // @Success 401 {object} object.TokenError The Response object
-// @router /login/oauth/access_token [post]
+// @router api/login/oauth/access_token [post]
 func (c *ApiController) GetOAuthToken() {
-	grantType := c.Input().Get("grant_type")
-	refreshToken := c.Input().Get("refresh_token")
 	clientId := c.Input().Get("client_id")
 	clientSecret := c.Input().Get("client_secret")
+	grantType := c.Input().Get("grant_type")
 	code := c.Input().Get("code")
 	verifier := c.Input().Get("code_verifier")
 	scope := c.Input().Get("scope")
@ -169,35 +168,61 @@ func (c *ApiController) GetOAuthToken() {
 	password := c.Input().Get("password")
 	tag := c.Input().Get("tag")
 	avatar := c.Input().Get("avatar")
+	refreshToken := c.Input().Get("refresh_token")

 	if clientId == "" && clientSecret == "" {
 		clientId, clientSecret, _ = c.Ctx.Request.BasicAuth()
 	}
-	if clientId == "" {
-		// If clientID is empty, try to read data from RequestBody
+
+	if len(c.Ctx.Input.RequestBody) != 0 {
+		// If clientId is empty, try to read data from RequestBody
 		var tokenRequest TokenRequest
-		if err := json.Unmarshal(c.Ctx.Input.RequestBody, &tokenRequest); err == nil {
-			clientId = tokenRequest.ClientId
-			clientSecret = tokenRequest.ClientSecret
-			grantType = tokenRequest.GrantType
-			refreshToken = tokenRequest.RefreshToken
-			code = tokenRequest.Code
-			verifier = tokenRequest.Verifier
-			scope = tokenRequest.Scope
-			username = tokenRequest.Username
-			password = tokenRequest.Password
-			tag = tokenRequest.Tag
-			avatar = tokenRequest.Avatar
+		err := json.Unmarshal(c.Ctx.Input.RequestBody, &tokenRequest)
+		if err == nil {
+			if clientId == "" {
+				clientId = tokenRequest.ClientId
+			}
+			if clientSecret == "" {
+				clientSecret = tokenRequest.ClientSecret
+			}
+			if grantType == "" {
+				grantType = tokenRequest.GrantType
+			}
+			if code == "" {
+				code = tokenRequest.Code
+			}
+			if verifier == "" {
+				verifier = tokenRequest.Verifier
+			}
+			if scope == "" {
+				scope = tokenRequest.Scope
+			}
+			if username == "" {
+				username = tokenRequest.Username
+			}
+			if password == "" {
+				password = tokenRequest.Password
+			}
+			if tag == "" {
+				tag = tokenRequest.Tag
+			}
+			if avatar == "" {
+				avatar = tokenRequest.Avatar
+			}
+			if refreshToken == "" {
+				refreshToken = tokenRequest.RefreshToken
+			}
 		}
 	}
+
 	host := c.Ctx.Request.Host
-	oAuthtoken, err := object.GetOAuthToken(grantType, clientId, clientSecret, code, verifier, scope, username, password, host, refreshToken, tag, avatar, c.GetAcceptLanguage())
+	token, err := object.GetOAuthToken(grantType, clientId, clientSecret, code, verifier, scope, username, password, host, refreshToken, tag, avatar, c.GetAcceptLanguage())
 	if err != nil {
 		c.ResponseError(err.Error())
 		return
 	}

-	c.Data["json"] = oAuthtoken
+	c.Data["json"] = token
 	c.SetTokenErrorHttpStatus()
 	c.ServeJSON()
 }
--- a/controllers/types.go
+++ b/controllers/types.go
@ -15,10 +15,10 @@
 package controllers

 type TokenRequest struct {
-	GrantType    string `json:"grant_type"`
-	Code         string `json:"code"`
 	ClientId     string `json:"client_id"`
 	ClientSecret string `json:"client_secret"`
+	GrantType    string `json:"grant_type"`
+	Code         string `json:"code"`
 	Verifier     string `json:"code_verifier"`
 	Scope        string `json:"scope"`
 	Username     string `json:"username"`
--- a/controllers/user.go
+++ b/controllers/user.go
@ -160,35 +160,51 @@ func (c *ApiController) GetUser() {
 		id = util.GetId(userFromUserId.Owner, userFromUserId.Name)
 	}

-	if owner == "" {
-		owner = util.GetOwnerFromId(id)
-	}
+	var user *object.User
+	if id == "" && owner == "" {
+		switch {
+		case email != "":
+			user, err = object.GetUserByEmailOnly(email)
+		case phone != "":
+			user, err = object.GetUserByPhoneOnly(phone)
+		case userId != "":
+			user, err = object.GetUserByUserIdOnly(userId)
+		}
+	} else {
+		if owner == "" {
+			owner = util.GetOwnerFromId(id)
+		}

-	organization, err := object.GetOrganization(util.GetId("admin", owner))
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-
-	if !organization.IsProfilePublic {
-		requestUserId := c.GetSessionUsername()
-		hasPermission, err := object.CheckUserPermission(requestUserId, id, false, c.GetAcceptLanguage())
-		if !hasPermission {
+		var organization *object.Organization
+		organization, err = object.GetOrganization(util.GetId("admin", owner))
+		if err != nil {
 			c.ResponseError(err.Error())
 			return
 		}
-	}
+		if organization == nil {
+			c.ResponseError(fmt.Sprintf("the organization: %s is not found", owner))
+			return
+		}

-	var user *object.User
-	switch {
-	case email != "":
-		user, err = object.GetUserByEmail(owner, email)
-	case phone != "":
-		user, err = object.GetUserByPhone(owner, phone)
-	case userId != "":
-		user = userFromUserId
-	default:
-		user, err = object.GetUser(id)
+		if !organization.IsProfilePublic {
+			requestUserId := c.GetSessionUsername()
+			hasPermission, err := object.CheckUserPermission(requestUserId, id, false, c.GetAcceptLanguage())
+			if !hasPermission {
+				c.ResponseError(err.Error())
+				return
+			}
+		}
+
+		switch {
+		case email != "":
+			user, err = object.GetUserByEmail(owner, email)
+		case phone != "":
+			user, err = object.GetUserByPhone(owner, phone)
+		case userId != "":
+			user = userFromUserId
+		default:
+			user, err = object.GetUser(id)
+		}
 	}

 	if err != nil {
@ -457,10 +473,19 @@ func (c *ApiController) SetPassword() {
 		return
 	}

-	if oldPassword != "" {
-		msg := object.CheckPassword(targetUser, oldPassword, c.GetAcceptLanguage())
-		if msg != "" {
-			c.ResponseError(msg)
+	isAdmin := c.IsAdmin()
+	if isAdmin {
+		if oldPassword != "" {
+			err = object.CheckPassword(targetUser, oldPassword, c.GetAcceptLanguage())
+			if err != nil {
+				c.ResponseError(err.Error())
+				return
+			}
+		}
+	} else if code == "" {
+		err = object.CheckPassword(targetUser, oldPassword, c.GetAcceptLanguage())
+		if err != nil {
+			c.ResponseError(err.Error())
 			return
 		}
 	}
@ -493,11 +518,11 @@ func (c *ApiController) CheckUserPassword() {
 		return
 	}

-	_, msg := object.CheckUserPassword(user.Owner, user.Name, user.Password, c.GetAcceptLanguage())
-	if msg == "" {
-		c.ResponseOk()
+	_, err = object.CheckUserPassword(user.Owner, user.Name, user.Password, c.GetAcceptLanguage())
+	if err != nil {
+		c.ResponseError(err.Error())
 	} else {
-		c.ResponseError(msg)
+		c.ResponseOk()
 	}
 }

@ -551,11 +576,11 @@ func (c *ApiController) GetUserCount() {
 	c.ResponseOk(count)
 }

-// AddUserkeys
-// @Title AddUserkeys
+// AddUserKeys
+// @Title AddUserKeys
 // @router /add-user-keys [post]
 // @Tag User API
-func (c *ApiController) AddUserkeys() {
+func (c *ApiController) AddUserKeys() {
 	var user object.User
 	err := json.Unmarshal(c.Ctx.Input.RequestBody, &user)
 	if err != nil {
@ -564,7 +589,7 @@ func (c *ApiController) AddUserkeys() {
 	}

 	isAdmin := c.IsAdmin()
-	affected, err := object.AddUserkeys(&user, isAdmin)
+	affected, err := object.AddUserKeys(&user, isAdmin)
 	if err != nil {
 		c.ResponseError(err.Error())
 		return
--- a/controllers/util.go
+++ b/controllers/util.go
@ -96,6 +96,13 @@ func (c *ApiController) RequireSignedInUser() (*object.User, bool) {
 		return nil, false
 	}

+	if strings.HasPrefix(userId, "app/") {
+		tmpUserId := c.Input().Get("userId")
+		if tmpUserId != "" {
+			userId = tmpUserId
+		}
+	}
+
 	user, err := object.GetUser(userId)
 	if err != nil {
 		c.ResponseError(err.Error())
--- a/controllers/verification.go
+++ b/controllers/verification.go
@ -142,6 +142,10 @@ func (c *ApiController) SendVerificationCode() {
 			c.ResponseError(err.Error())
 			return
 		}
+		if provider == nil {
+			c.ResponseError(fmt.Sprintf("please add an Email provider to the \"Providers\" list for the application: %s", application.Name))
+			return
+		}

 		sendResp = object.SendVerificationCodeToEmail(organization, user, provider, remoteAddr, vform.Dest)
 	case object.VerifyTypePhone:
@ -184,6 +188,10 @@ func (c *ApiController) SendVerificationCode() {
 			c.ResponseError(err.Error())
 			return
 		}
+		if provider == nil {
+			c.ResponseError(fmt.Sprintf("please add a SMS provider to the \"Providers\" list for the application: %s", application.Name))
+			return
+		}

 		if phone, ok := util.GetE164Number(vform.Dest, vform.CountryCode); !ok {
 			c.ResponseError(fmt.Sprintf(c.T("verification:Phone number is invalid in your region %s"), vform.CountryCode))
--- a/controllers/webauthn.go
+++ b/controllers/webauthn.go
@ -154,6 +154,7 @@ func (c *ApiController) WebAuthnSigninBegin() {
 // @router /webauthn/signin/finish [post]
 func (c *ApiController) WebAuthnSigninFinish() {
 	responseType := c.Input().Get("responseType")
+	clientId := c.Input().Get("clientId")
 	webauthnObj, err := object.GetWebAuthnObject(c.Ctx.Request.Host)
 	if err != nil {
 		c.ResponseError(err.Error())
@ -182,7 +183,13 @@ func (c *ApiController) WebAuthnSigninFinish() {
 	c.SetSessionUsername(userId)
 	util.LogInfo(c.Ctx, "API: [%s] signed in", userId)

-	application, err := object.GetApplicationByUser(user)
+	var application *object.Application
+
+	if clientId != "" && (responseType == ResponseTypeCode) {
+		application, err = object.GetApplicationByClientId(clientId)
+	} else {
+		application, err = object.GetApplicationByUser(user)
+	}
 	if err != nil {
 		c.ResponseError(err.Error())
 		return
--- a/email/azure_acs.go
+++ b/email/azure_acs.go
@ -0,0 +1,229 @@
+// Copyright 2023 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package email
+
+import (
+	"bytes"
+	"crypto/hmac"
+	"crypto/sha256"
+	"encoding/base64"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"strings"
+	"time"
+
+	"github.com/google/uuid"
+)
+
+const (
+	importanceNormal  = "normal"
+	sendEmailEndpoint = "/emails:send"
+	apiVersion        = "2023-03-31"
+)
+
+type Email struct {
+	Recipients    Recipients     `json:"recipients"`
+	SenderAddress string         `json:"senderAddress"`
+	Content       Content        `json:"content"`
+	Headers       []CustomHeader `json:"headers"`
+	Tracking      bool           `json:"disableUserEngagementTracking"`
+	Importance    string         `json:"importance"`
+	ReplyTo       []EmailAddress `json:"replyTo"`
+	Attachments   []Attachment   `json:"attachments"`
+}
+
+type Recipients struct {
+	To  []EmailAddress `json:"to"`
+	CC  []EmailAddress `json:"cc"`
+	BCC []EmailAddress `json:"bcc"`
+}
+
+type EmailAddress struct {
+	DisplayName string `json:"displayName"`
+	Address     string `json:"address"`
+}
+
+type Content struct {
+	Subject   string `json:"subject"`
+	HTML      string `json:"html"`
+	PlainText string `json:"plainText"`
+}
+
+type CustomHeader struct {
+	Name  string `json:"name"`
+	Value string `json:"value"`
+}
+
+type Attachment struct {
+	Content        string `json:"contentBytesBase64"`
+	AttachmentType string `json:"attachmentType"`
+	Name           string `json:"name"`
+}
+
+type ErrorResponse struct {
+	Error CommunicationError `json:"error"`
+}
+
+// CommunicationError contains the error code and message
+type CommunicationError struct {
+	Code    string `json:"code"`
+	Message string `json:"message"`
+}
+
+type AzureACSEmailProvider struct {
+	AccessKey string
+	Endpoint  string
+}
+
+func NewAzureACSEmailProvider(accessKey string, endpoint string) *AzureACSEmailProvider {
+	return &AzureACSEmailProvider{
+		AccessKey: accessKey,
+		Endpoint:  endpoint,
+	}
+}
+
+func newEmail(fromAddress string, toAddress string, subject string, content string) *Email {
+	return &Email{
+		Recipients: Recipients{
+			To: []EmailAddress{
+				{
+					DisplayName: toAddress,
+					Address:     toAddress,
+				},
+			},
+		},
+		SenderAddress: fromAddress,
+		Content: Content{
+			Subject: subject,
+			HTML:    content,
+		},
+		Importance: importanceNormal,
+	}
+}
+
+func (a *AzureACSEmailProvider) sendEmail(e *Email) error {
+	postBody, err := json.Marshal(e)
+	if err != nil {
+		return fmt.Errorf("email JSON marshall failed: %s", err)
+	}
+
+	bodyBuffer := bytes.NewBuffer(postBody)
+
+	endpoint := strings.TrimSuffix(a.Endpoint, "/")
+	url := fmt.Sprintf("%s/emails:send?api-version=2023-03-31", endpoint)
+	req, err := http.NewRequest("POST", url, bodyBuffer)
+	if err != nil {
+		return fmt.Errorf("error creating AzureACS API request: %s", err)
+	}
+
+	// Sign the request using the AzureACS access key and HMAC-SHA256
+	err = signRequestHMAC(a.AccessKey, req)
+	if err != nil {
+		return fmt.Errorf("error signing AzureACS API request: %s", err)
+	}
+
+	req.Header.Set("Content-Type", "application/json")
+
+	// Some important header
+	req.Header.Set("repeatability-request-id", uuid.New().String())
+	req.Header.Set("repeatability-first-sent", time.Now().UTC().Format(http.TimeFormat))
+
+	// Send request
+	client := &http.Client{}
+	resp, err := client.Do(req)
+	if err != nil {
+		return fmt.Errorf("error sending AzureACS API request: %s", err)
+	}
+	defer resp.Body.Close()
+
+	// Response error Handling
+	if resp.StatusCode == http.StatusBadRequest || resp.StatusCode == http.StatusUnauthorized {
+		commError := ErrorResponse{}
+
+		err = json.NewDecoder(resp.Body).Decode(&commError)
+		if err != nil {
+			return err
+		}
+
+		return fmt.Errorf("error sending email: %s", commError.Error.Message)
+	}
+
+	if resp.StatusCode != http.StatusAccepted {
+		return fmt.Errorf("error sending email: status: %d", resp.StatusCode)
+	}
+
+	return nil
+}
+
+func signRequestHMAC(secret string, req *http.Request) error {
+	method := req.Method
+	host := req.URL.Host
+	pathAndQuery := req.URL.Path
+
+	if req.URL.RawQuery != "" {
+		pathAndQuery = pathAndQuery + "?" + req.URL.RawQuery
+	}
+
+	var content []byte
+	var err error
+	if req.Body != nil {
+		content, err = io.ReadAll(req.Body)
+		if err != nil {
+			// return err
+			content = []byte{}
+		}
+	}
+
+	req.Body = io.NopCloser(bytes.NewBuffer(content))
+
+	key, err := base64.StdEncoding.DecodeString(secret)
+	if err != nil {
+		return fmt.Errorf("error decoding secret: %s", err)
+	}
+
+	timestamp := time.Now().UTC().Format(http.TimeFormat)
+	contentHash := GetContentHashBase64(content)
+	stringToSign := fmt.Sprintf("%s\n%s\n%s;%s;%s", strings.ToUpper(method), pathAndQuery, timestamp, host, contentHash)
+	signature := GetHmac(stringToSign, key)
+
+	req.Header.Set("x-ms-content-sha256", contentHash)
+	req.Header.Set("x-ms-date", timestamp)
+
+	req.Header.Set("Authorization", "HMAC-SHA256 SignedHeaders=x-ms-date;host;x-ms-content-sha256&Signature="+signature)
+
+	return nil
+}
+
+func GetContentHashBase64(content []byte) string {
+	hasher := sha256.New()
+	hasher.Write(content)
+
+	return base64.StdEncoding.EncodeToString(hasher.Sum(nil))
+}
+
+func GetHmac(content string, key []byte) string {
+	hmac := hmac.New(sha256.New, key)
+	hmac.Write([]byte(content))
+
+	return base64.StdEncoding.EncodeToString(hmac.Sum(nil))
+}
+
+func (a *AzureACSEmailProvider) Send(fromAddress string, fromName string, toAddress string, subject string, content string) error {
+	e := newEmail(fromAddress, toAddress, subject, content)
+
+	return a.sendEmail(e)
+}
--- a/email/provider.go
+++ b/email/provider.go
@ -0,0 +1,27 @@
+// Copyright 2023 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package email
+
+type EmailProvider interface {
+	Send(fromAddress string, fromName, toAddress string, subject string, content string) error
+}
+
+func GetEmailProvider(typ string, clientId string, clientSecret string, host string, port int, disableSsl bool) EmailProvider {
+	if typ == "Azure ACS" {
+		return NewAzureACSEmailProvider(clientSecret, host)
+	} else {
+		return NewSmtpEmailProvider(clientId, clientSecret, host, port, typ, disableSsl)
+	}
+}
--- a/email/smtp.go
+++ b/email/smtp.go
@ -0,0 +1,49 @@
+// Copyright 2023 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package email
+
+import (
+	"crypto/tls"
+
+	"github.com/casdoor/gomail/v2"
+)
+
+type SmtpEmailProvider struct {
+	Dialer *gomail.Dialer
+}
+
+func NewSmtpEmailProvider(userName string, password string, host string, port int, typ string, disableSsl bool) *SmtpEmailProvider {
+	dialer := &gomail.Dialer{}
+	dialer = gomail.NewDialer(host, port, userName, password)
+	if typ == "SUBMAIL" {
+		dialer.TLSConfig = &tls.Config{InsecureSkipVerify: true}
+	}
+
+	dialer.SSL = !disableSsl
+
+	return &SmtpEmailProvider{Dialer: dialer}
+}
+
+func (s *SmtpEmailProvider) Send(fromAddress string, fromName string, toAddress string, subject string, content string) error {
+	message := gomail.NewMessage()
+
+	message.SetAddressHeader("From", fromAddress, fromName)
+	message.SetHeader("To", toAddress)
+	message.SetHeader("Subject", subject)
+	message.SetBody("text/html", content)
+
+	message.SkipUsernameCheck = true
+	return s.Dialer.DialAndSend(message)
+}
--- a/go.mod
+++ b/go.mod
@ -6,38 +6,39 @@ require (
 	github.com/Masterminds/squirrel v1.5.3
 	github.com/RobotsAndPencils/go-saml v0.0.0-20170520135329-fb13cb52a46b
 	github.com/alexedwards/argon2id v0.0.0-20211130144151-3585854a6387
-	github.com/aliyun/alibaba-cloud-sdk-go v1.62.188 // indirect
-	github.com/aws/aws-sdk-go v1.44.4
+	github.com/aws/aws-sdk-go v1.45.5
 	github.com/beego/beego v1.12.12
 	github.com/beevik/etree v1.1.0
 	github.com/casbin/casbin v1.9.1 // indirect
-	github.com/casbin/casbin/v2 v2.30.1
-	github.com/casdoor/go-sms-sender v0.12.0
+	github.com/casbin/casbin/v2 v2.77.2
+	github.com/casdoor/go-sms-sender v0.15.0
 	github.com/casdoor/gomail/v2 v2.0.1
+	github.com/casdoor/notify v0.45.0
 	github.com/casdoor/oss v1.3.0
-	github.com/casdoor/xorm-adapter/v3 v3.0.4
+	github.com/casdoor/xorm-adapter/v3 v3.1.0
 	github.com/casvisor/casvisor-go-sdk v1.0.3
 	github.com/dchest/captcha v0.0.0-20200903113550-03f5f0333e1f
 	github.com/denisenkom/go-mssqldb v0.9.0
 	github.com/elazarl/go-bindata-assetfs v1.0.1 // indirect
+	github.com/elimity-com/scim v0.0.0-20230426070224-941a5eac92f3
 	github.com/fogleman/gg v1.3.0
 	github.com/forestmgy/ldapserver v1.1.0
 	github.com/go-git/go-git/v5 v5.6.0
-	github.com/go-ldap/ldap/v3 v3.3.0
+	github.com/go-ldap/ldap/v3 v3.4.6
 	github.com/go-mysql-org/go-mysql v1.7.0
 	github.com/go-pay/gopay v1.5.72
 	github.com/go-sql-driver/mysql v1.6.0
 	github.com/go-telegram-bot-api/telegram-bot-api v4.6.4+incompatible
 	github.com/go-webauthn/webauthn v0.6.0
 	github.com/golang-jwt/jwt/v4 v4.5.0
-	github.com/google/uuid v1.3.0
+	github.com/google/uuid v1.3.1
+	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/kardianos/osext v0.0.0-20190222173326-2bc1f35cddc0 // indirect
 	github.com/lestrrat-go/jwx v1.2.21
 	github.com/lib/pq v1.10.9
 	github.com/lor00x/goldap v0.0.0-20180618054307-a546dffdd1a3
 	github.com/markbates/goth v1.75.2
 	github.com/mitchellh/mapstructure v1.5.0
-	github.com/nikoksr/notify v0.41.0
 	github.com/nu7hatch/gouuid v0.0.0-20131221200532-179d4d0c4d8d // indirect
 	github.com/nyaruka/phonenumbers v1.1.5
 	github.com/pquerna/otp v1.4.0
@ -55,15 +56,20 @@ require (
 	github.com/stripe/stripe-go/v74 v74.29.0
 	github.com/tealeg/xlsx v1.0.5
 	github.com/thanhpk/randstr v1.0.4
+	github.com/tidwall/pretty v1.2.1 // indirect
 	github.com/tklauser/go-sysconf v0.3.10 // indirect
 	github.com/xorm-io/builder v0.3.13
 	github.com/xorm-io/core v0.7.4
 	github.com/xorm-io/xorm v1.1.6
 	github.com/yusufpapurcu/wmi v1.2.2 // indirect
-	golang.org/x/crypto v0.11.0
-	golang.org/x/net v0.13.0
-	golang.org/x/oauth2 v0.10.0
+	golang.org/x/crypto v0.13.0
+	golang.org/x/net v0.14.0
+	golang.org/x/oauth2 v0.11.0
+	golang.org/x/text v0.13.0 // indirect
+	google.golang.org/api v0.138.0
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/square/go-jose.v2 v2.6.0
+	layeh.com/radius v0.0.0-20221205141417-e7fbddd11d68
+	maunium.net/go/mautrix v0.16.0
 	modernc.org/sqlite v1.18.2
 )
--- a/go.sum
+++ b/go.sum
--- a/i18n/locales/fr/data.json
+++ b/i18n/locales/fr/data.json
@ -19,7 +19,7 @@
    "The provider: %s is not enabled for the application": "Le fournisseur :%s n'est pas activé pour l'application",
    "Unauthorized operation": "Opération non autorisée",
    "Unknown authentication type (not password or provider), form = %s": "Type d'authentification inconnu (pas de mot de passe ou de fournisseur), formulaire = %s",
-    "User's tag: %s is not listed in the application's tags": "User's tag: %s is not listed in the application's tags"
+    "User's tag: %s is not listed in the application's tags": "Le tag de l’utilisateur %s n’est pas répertorié dans les tags de l’application"
  },
  "cas": {
    "Service %s and %s do not match": "Les services %s et %s ne correspondent pas"
@ -43,7 +43,7 @@
    "Phone number is invalid": "Le numéro de téléphone est invalide",
    "Session outdated, please login again": "Session expirée, veuillez vous connecter à nouveau",
    "The user is forbidden to sign in, please contact the administrator": "L'utilisateur est interdit de se connecter, veuillez contacter l'administrateur",
-    "The user: %s doesn't exist in LDAP server": "The user: %s doesn't exist in LDAP server",
+    "The user: %s doesn't exist in LDAP server": "L'utilisateur %s n'existe pas sur le serveur LDAP",
    "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.": "Le nom d'utilisateur ne peut contenir que des caractères alphanumériques, des traits soulignés ou des tirets, ne peut pas avoir de tirets ou de traits soulignés consécutifs et ne peut pas commencer ou se terminer par un tiret ou un trait souligné.",
    "Username already exists": "Nom d'utilisateur existe déjà",
    "Username cannot be an email address": "Nom d'utilisateur ne peut pas être une adresse e-mail",
@ -53,7 +53,7 @@
    "Username must have at least 2 characters": "Le nom d'utilisateur doit comporter au moins 2 caractères",
    "You have entered the wrong password or code too many times, please wait for %d minutes and try again": "Vous avez entré le mauvais mot de passe ou code plusieurs fois, veuillez attendre %d minutes et réessayer",
    "Your region is not allow to signup by phone": "Votre région n'est pas autorisée à s'inscrire par téléphone",
-    "password or code is incorrect": "password or code is incorrect",
+    "password or code is incorrect": "mot de passe ou code invalide",
    "password or code is incorrect, you have %d remaining chances": "Le mot de passe ou le code est incorrect, il vous reste %d chances",
    "unsupported password type: %s": "Type de mot de passe non pris en charge : %s"
  },
@ -61,8 +61,8 @@
    "Missing parameter": "Paramètre manquant",
    "Please login first": "Veuillez d'abord vous connecter",
    "The user: %s doesn't exist": "L'utilisateur : %s n'existe pas",
-    "don't support captchaProvider: ": "Ne pas prendre en charge la captchaProvider",
-    "this operation is not allowed in demo mode": "this operation is not allowed in demo mode"
+    "don't support captchaProvider: ": "ne prend pas en charge captchaProvider: ",
+    "this operation is not allowed in demo mode": "cette opération n’est pas autorisée en mode démo"
  },
  "ldap": {
    "Ldap server exist": "Le serveur LDAP existe"
--- a/i18n/locales/it/data.json
+++ b/i18n/locales/it/data.json
@ -24,14 +24,6 @@
  "cas": {
    "Service %s and %s do not match": "Service %s and %s do not match"
  },
-  "chat": {
-    "The chat type must be \\\"AI\\\"": "The chat type must be \\\"AI\\\"",
-    "The chat: %s is not found": "The chat: %s is not found",
-    "The message is invalid": "The message is invalid",
-    "The message: %s is not found": "The message: %s is not found",
-    "The provider: %s is invalid": "The provider: %s is invalid",
-    "The provider: %s is not found": "The provider: %s is not found"
-  },
  "check": {
    "Affiliation cannot be blank": "Affiliation cannot be blank",
    "DisplayName cannot be blank": "DisplayName cannot be blank",
--- a/i18n/locales/ms/data.json
+++ b/i18n/locales/ms/data.json
@ -24,14 +24,6 @@
  "cas": {
    "Service %s and %s do not match": "Service %s and %s do not match"
  },
-  "chat": {
-    "The chat type must be \\\"AI\\\"": "The chat type must be \\\"AI\\\"",
-    "The chat: %s is not found": "The chat: %s is not found",
-    "The message is invalid": "The message is invalid",
-    "The message: %s is not found": "The message: %s is not found",
-    "The provider: %s is invalid": "The provider: %s is invalid",
-    "The provider: %s is not found": "The provider: %s is not found"
-  },
  "check": {
    "Affiliation cannot be blank": "Affiliation cannot be blank",
    "DisplayName cannot be blank": "DisplayName cannot be blank",
--- a/i18n/locales/tr/data.json
+++ b/i18n/locales/tr/data.json
@ -24,14 +24,6 @@
  "cas": {
    "Service %s and %s do not match": "Service %s and %s do not match"
  },
-  "chat": {
-    "The chat type must be \\\"AI\\\"": "The chat type must be \\\"AI\\\"",
-    "The chat: %s is not found": "The chat: %s is not found",
-    "The message is invalid": "The message is invalid",
-    "The message: %s is not found": "The message: %s is not found",
-    "The provider: %s is invalid": "The provider: %s is invalid",
-    "The provider: %s is not found": "The provider: %s is not found"
-  },
  "check": {
    "Affiliation cannot be blank": "Affiliation cannot be blank",
    "DisplayName cannot be blank": "DisplayName cannot be blank",
--- a/i18n/locales/zh/data.json
+++ b/i18n/locales/zh/data.json
@ -43,7 +43,7 @@
    "Phone number is invalid": "无效手机号",
    "Session outdated, please login again": "会话已过期，请重新登录",
    "The user is forbidden to sign in, please contact the administrator": "该用户被禁止登录，请联系管理员",
-    "The user: %s doesn't exist in LDAP server": "The user: %s doesn't exist in LDAP server",
+    "The user: %s doesn't exist in LDAP server": "用户: %s 在LDAP服务器中未找到",
    "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.": "用户名只能包含字母数字字符、下划线或连字符，不能有连续的连字符或下划线，也不能以连字符或下划线开头或结尾",
    "Username already exists": "用户名已存在",
    "Username cannot be an email address": "用户名不可以是邮箱地址",
@ -62,7 +62,7 @@
    "Please login first": "请先登录",
    "The user: %s doesn't exist": "用户: %s不存在",
    "don't support captchaProvider: ": "不支持验证码提供商: ",
-    "this operation is not allowed in demo mode": "this operation is not allowed in demo mode"
+    "this operation is not allowed in demo mode": "demo模式下不允许该操作"
  },
  "ldap": {
    "Ldap server exist": "LDAP服务器已存在"
--- a/idp/adfs.go
+++ b/idp/adfs.go
@ -19,7 +19,6 @@ import (
 	"encoding/json"
 	"fmt"
 	"io"
-	"io/ioutil"
 	"net/http"
 	"net/url"
 	"time"
@ -84,6 +83,7 @@ func (idp *AdfsIdProvider) GetToken(code string) (*oauth2.Token, error) {
 	payload.Set("code", code)
 	payload.Set("grant_type", "authorization_code")
 	payload.Set("client_id", idp.Config.ClientID)
+	payload.Set("client_secret", idp.Config.ClientSecret)
 	payload.Set("redirect_uri", idp.Config.RedirectURL)
 	resp, err := idp.Client.PostForm(idp.Config.Endpoint.TokenURL, payload)
 	if err != nil {
@ -118,11 +118,25 @@ func (idp *AdfsIdProvider) GetUserInfo(token *oauth2.Token) (*UserInfo, error) {
 	if err != nil {
 		return nil, err
 	}
-	body, err := ioutil.ReadAll(resp.Body)
-	keyset, err := jwk.ParseKey(body)
+	body, err := io.ReadAll(resp.Body)
+	var respKeys struct {
+		Keys []interface{} `json:"keys"`
+	}
+
+	if err := json.Unmarshal(body, &respKeys); err != nil {
+		return nil, err
+	}
+
+	respKey, err := json.Marshal(&(respKeys.Keys[0]))
 	if err != nil {
 		return nil, err
 	}
+
+	keyset, err := jwk.ParseKey(respKey)
+	if err != nil {
+		return nil, err
+	}
+
 	tokenSrc := []byte(token.AccessToken)
 	publicKey, _ := keyset.PublicKey()
 	idToken, _ := jwt.Parse(tokenSrc, jwt.WithVerify(jwa.RS256, publicKey))
--- a/idp/facebook.go
+++ b/idp/facebook.go
@ -72,13 +72,13 @@ type FacebookCheckToken struct {
 }

 // FacebookCheckTokenData
-// Get more detail via: https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow#checktoken
+// Get more detail via: https://developers.facebook.com/docs/facebook-login/guides/advanced/manual-flow#checktoken
 type FacebookCheckTokenData struct {
 	UserId string `json:"user_id"`
 }

 // GetToken use code get access_token (*operation of getting code ought to be done in front)
-// get more detail via: https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow#confirm
+// get more detail via: https://developers.facebook.com/docs/facebook-login/guides/advanced/manual-flow#confirm
 func (idp *FacebookIdProvider) GetToken(code string) (*oauth2.Token, error) {
 	params := url.Values{}
 	params.Add("client_id", idp.Config.ClientID)
--- a/idp/goth.go
+++ b/idp/goth.go
@ -19,6 +19,7 @@ import (
 	"net/http"
 	"net/url"
 	"reflect"
+	"strings"
 	"time"

 	"github.com/casdoor/casdoor/util"
@ -88,7 +89,7 @@ type GothIdProvider struct {
 	Session  goth.Session
 }

-func NewGothIdProvider(providerType string, clientId string, clientSecret string, redirectUrl string, hostUrl string) *GothIdProvider {
+func NewGothIdProvider(providerType string, clientId string, clientSecret string, clientId2 string, clientSecret2 string, redirectUrl string, hostUrl string) (*GothIdProvider, error) {
 	var idp GothIdProvider
 	switch providerType {
 	case "Amazon":
@ -97,8 +98,27 @@ func NewGothIdProvider(providerType string, clientId string, clientSecret string
 			Session:  &amazon.Session{},
 		}
 	case "Apple":
+		if !strings.Contains(redirectUrl, "/api/callback") {
+			redirectUrl = strings.Replace(redirectUrl, "/callback", "/api/callback", 1)
+		}
+
+		iat := time.Now().Unix()
+		exp := iat + 60*60
+		sp := apple.SecretParams{
+			ClientId:        clientId,
+			TeamId:          clientSecret,
+			KeyId:           clientId2,
+			PKCS8PrivateKey: clientSecret2,
+			Iat:             int(iat),
+			Exp:             int(exp),
+		}
+		secret, err := apple.MakeSecret(sp)
+		if err != nil {
+			return nil, err
+		}
+
 		idp = GothIdProvider{
-			Provider: apple.New(clientId, clientSecret, redirectUrl, nil),
+			Provider: apple.New(clientId, *secret, redirectUrl, nil),
 			Session:  &apple.Session{},
 		}
 	case "AzureAD":
@ -382,17 +402,19 @@ func NewGothIdProvider(providerType string, clientId string, clientSecret string
 			Session:  &zoom.Session{},
 		}
 	default:
-		return nil
+		return nil, fmt.Errorf("OAuth Goth provider type: %s is not supported", providerType)
 	}

-	return &idp
+	return &idp, nil
 }

 // SetHttpClient
 // Goth's idp all implement the Client method, but since the goth.Provider interface does not provide to modify idp's client method, reflection is required
 func (idp *GothIdProvider) SetHttpClient(client *http.Client) {
 	idpClient := reflect.ValueOf(idp.Provider).Elem().FieldByName("HTTPClient")
-	idpClient.Set(reflect.ValueOf(client))
+	if idpClient.IsValid() {
+		idpClient.Set(reflect.ValueOf(client))
+	}
 }

 func (idp *GothIdProvider) GetToken(code string) (*oauth2.Token, error) {
@ -468,6 +490,8 @@ func getUser(gothUser goth.User, provider string) *UserInfo {
 	if provider == "steam" {
 		user.Username = user.Id
 		user.Email = ""
+	} else if provider == "apple" {
+		user.Username = util.GetUsernameFromEmail(user.Email)
 	}
 	return &user
 }
--- a/idp/provider.go
+++ b/idp/provider.go
@ -15,6 +15,7 @@
 package idp

 import (
+	"fmt"
 	"net/http"
 	"strings"

@ -30,16 +31,19 @@ type UserInfo struct {
 	Phone       string
 	CountryCode string
 	AvatarUrl   string
+	Extra       map[string]string
 }

 type ProviderInfo struct {
-	Type         string
-	SubType      string
-	ClientId     string
-	ClientSecret string
-	AppId        string
-	HostUrl      string
-	RedirectUrl  string
+	Type          string
+	SubType       string
+	ClientId      string
+	ClientSecret  string
+	ClientId2     string
+	ClientSecret2 string
+	AppId         string
+	HostUrl       string
+	RedirectUrl   string

 	TokenURL    string
 	AuthURL     string
@ -53,71 +57,71 @@ type IdProvider interface {
 	GetUserInfo(token *oauth2.Token) (*UserInfo, error)
 }

-func GetIdProvider(idpInfo *ProviderInfo, redirectUrl string) IdProvider {
+func GetIdProvider(idpInfo *ProviderInfo, redirectUrl string) (IdProvider, error) {
 	switch idpInfo.Type {
 	case "GitHub":
-		return NewGithubIdProvider(idpInfo.ClientId, idpInfo.ClientSecret, redirectUrl)
+		return NewGithubIdProvider(idpInfo.ClientId, idpInfo.ClientSecret, redirectUrl), nil
 	case "Google":
-		return NewGoogleIdProvider(idpInfo.ClientId, idpInfo.ClientSecret, redirectUrl)
+		return NewGoogleIdProvider(idpInfo.ClientId, idpInfo.ClientSecret, redirectUrl), nil
 	case "QQ":
-		return NewQqIdProvider(idpInfo.ClientId, idpInfo.ClientSecret, redirectUrl)
+		return NewQqIdProvider(idpInfo.ClientId, idpInfo.ClientSecret, redirectUrl), nil
 	case "WeChat":
-		return NewWeChatIdProvider(idpInfo.ClientId, idpInfo.ClientSecret, redirectUrl)
+		return NewWeChatIdProvider(idpInfo.ClientId, idpInfo.ClientSecret, redirectUrl), nil
 	case "Facebook":
-		return NewFacebookIdProvider(idpInfo.ClientId, idpInfo.ClientSecret, redirectUrl)
+		return NewFacebookIdProvider(idpInfo.ClientId, idpInfo.ClientSecret, redirectUrl), nil
 	case "DingTalk":
-		return NewDingTalkIdProvider(idpInfo.ClientId, idpInfo.ClientSecret, redirectUrl)
+		return NewDingTalkIdProvider(idpInfo.ClientId, idpInfo.ClientSecret, redirectUrl), nil
 	case "Weibo":
-		return NewWeiBoIdProvider(idpInfo.ClientId, idpInfo.ClientSecret, redirectUrl)
+		return NewWeiBoIdProvider(idpInfo.ClientId, idpInfo.ClientSecret, redirectUrl), nil
 	case "Gitee":
-		return NewGiteeIdProvider(idpInfo.ClientId, idpInfo.ClientSecret, redirectUrl)
+		return NewGiteeIdProvider(idpInfo.ClientId, idpInfo.ClientSecret, redirectUrl), nil
 	case "LinkedIn":
-		return NewLinkedInIdProvider(idpInfo.ClientId, idpInfo.ClientSecret, redirectUrl)
+		return NewLinkedInIdProvider(idpInfo.ClientId, idpInfo.ClientSecret, redirectUrl), nil
 	case "WeCom":
 		if idpInfo.SubType == "Internal" {
-			return NewWeComInternalIdProvider(idpInfo.ClientId, idpInfo.ClientSecret, redirectUrl)
+			return NewWeComInternalIdProvider(idpInfo.ClientId, idpInfo.ClientSecret, redirectUrl), nil
 		} else if idpInfo.SubType == "Third-party" {
-			return NewWeComIdProvider(idpInfo.ClientId, idpInfo.ClientSecret, redirectUrl)
+			return NewWeComIdProvider(idpInfo.ClientId, idpInfo.ClientSecret, redirectUrl), nil
 		} else {
-			return nil
+			return nil, fmt.Errorf("WeCom provider subType: %s is not supported", idpInfo.SubType)
 		}
 	case "Lark":
-		return NewLarkIdProvider(idpInfo.ClientId, idpInfo.ClientSecret, redirectUrl)
+		return NewLarkIdProvider(idpInfo.ClientId, idpInfo.ClientSecret, redirectUrl), nil
 	case "GitLab":
-		return NewGitlabIdProvider(idpInfo.ClientId, idpInfo.ClientSecret, redirectUrl)
-	case "Adfs":
-		return NewAdfsIdProvider(idpInfo.ClientId, idpInfo.ClientSecret, redirectUrl, idpInfo.HostUrl)
+		return NewGitlabIdProvider(idpInfo.ClientId, idpInfo.ClientSecret, redirectUrl), nil
+	case "ADFS":
+		return NewAdfsIdProvider(idpInfo.ClientId, idpInfo.ClientSecret, redirectUrl, idpInfo.HostUrl), nil
 	case "Baidu":
-		return NewBaiduIdProvider(idpInfo.ClientId, idpInfo.ClientSecret, redirectUrl)
+		return NewBaiduIdProvider(idpInfo.ClientId, idpInfo.ClientSecret, redirectUrl), nil
 	case "Alipay":
-		return NewAlipayIdProvider(idpInfo.ClientId, idpInfo.ClientSecret, redirectUrl)
+		return NewAlipayIdProvider(idpInfo.ClientId, idpInfo.ClientSecret, redirectUrl), nil
 	case "Custom":
-		return NewCustomIdProvider(idpInfo, redirectUrl)
+		return NewCustomIdProvider(idpInfo, redirectUrl), nil
 	case "Infoflow":
 		if idpInfo.SubType == "Internal" {
-			return NewInfoflowInternalIdProvider(idpInfo.ClientId, idpInfo.ClientSecret, idpInfo.AppId, redirectUrl)
+			return NewInfoflowInternalIdProvider(idpInfo.ClientId, idpInfo.ClientSecret, idpInfo.AppId, redirectUrl), nil
 		} else if idpInfo.SubType == "Third-party" {
-			return NewInfoflowIdProvider(idpInfo.ClientId, idpInfo.ClientSecret, idpInfo.AppId, redirectUrl)
+			return NewInfoflowIdProvider(idpInfo.ClientId, idpInfo.ClientSecret, idpInfo.AppId, redirectUrl), nil
 		} else {
-			return nil
+			return nil, fmt.Errorf("Infoflow provider subType: %s is not supported", idpInfo.SubType)
 		}
 	case "Casdoor":
-		return NewCasdoorIdProvider(idpInfo.ClientId, idpInfo.ClientSecret, redirectUrl, idpInfo.HostUrl)
+		return NewCasdoorIdProvider(idpInfo.ClientId, idpInfo.ClientSecret, redirectUrl, idpInfo.HostUrl), nil
 	case "Okta":
-		return NewOktaIdProvider(idpInfo.ClientId, idpInfo.ClientSecret, redirectUrl, idpInfo.HostUrl)
+		return NewOktaIdProvider(idpInfo.ClientId, idpInfo.ClientSecret, redirectUrl, idpInfo.HostUrl), nil
 	case "Douyin":
-		return NewDouyinIdProvider(idpInfo.ClientId, idpInfo.ClientSecret, redirectUrl)
+		return NewDouyinIdProvider(idpInfo.ClientId, idpInfo.ClientSecret, redirectUrl), nil
 	case "Bilibili":
-		return NewBilibiliIdProvider(idpInfo.ClientId, idpInfo.ClientSecret, redirectUrl)
+		return NewBilibiliIdProvider(idpInfo.ClientId, idpInfo.ClientSecret, redirectUrl), nil
 	case "MetaMask":
-		return NewMetaMaskIdProvider()
+		return NewMetaMaskIdProvider(), nil
 	case "Web3Onboard":
-		return NewWeb3OnboardIdProvider()
+		return NewWeb3OnboardIdProvider(), nil
 	default:
 		if isGothSupport(idpInfo.Type) {
-			return NewGothIdProvider(idpInfo.Type, idpInfo.ClientId, idpInfo.ClientSecret, redirectUrl, idpInfo.HostUrl)
+			return NewGothIdProvider(idpInfo.Type, idpInfo.ClientId, idpInfo.ClientSecret, idpInfo.ClientId2, idpInfo.ClientSecret2, redirectUrl, idpInfo.HostUrl)
 		}
-		return nil
+		return nil, fmt.Errorf("OAuth provider type: %s is not supported", idpInfo.Type)
 	}
 }

--- a/idp/wechat.go
+++ b/idp/wechat.go
@ -186,15 +186,24 @@ func (idp *WeChatIdProvider) GetUserInfo(token *oauth2.Token) (*UserInfo, error)
 		id = wechatUserInfo.Openid
 	}

+	extra := make(map[string]string)
+	extra["wechat_unionid"] = wechatUserInfo.Openid
+	// For WeChat, different appId corresponds to different openId
+	extra[BuildWechatOpenIdKey(idp.Config.ClientID)] = wechatUserInfo.Openid
 	userInfo := UserInfo{
 		Id:          id,
 		Username:    wechatUserInfo.Nickname,
 		DisplayName: wechatUserInfo.Nickname,
 		AvatarUrl:   wechatUserInfo.Headimgurl,
+		Extra:       extra,
 	}
 	return &userInfo, nil
 }

+func BuildWechatOpenIdKey(appId string) string {
+	return fmt.Sprintf("wechat_openid_%s", appId)
+}
+
 func GetWechatOfficialAccountAccessToken(clientId string, clientSecret string) (string, error) {
 	accessTokenUrl := fmt.Sprintf("https://api.weixin.qq.com/cgi-bin/token?grant_type=client_credential&appid=%s&secret=%s", clientId, clientSecret)
 	request, err := http.NewRequest("GET", accessTokenUrl, nil)
--- a/init_data.json.template
+++ b/init_data.json.template
@ -15,6 +15,7 @@
      "tags": [],
      "languages": ["en", "zh", "es", "fr", "de", "id", "ja", "ko", "ru", "vi", "it", "ms", "tr","ar", "he", "nl", "pl", "fi", "sv", "uk", "kk", "fa"],
      "masterPassword": "",
+      "defaultPassword": "",
      "initScore": 2000,
      "enableSoftDeletion": false,
      "isProfilePublic": true,
@ -176,9 +177,7 @@
  ],
  "permissions": [
    {
-      "actions": [
-        ""
-      ],
+      "actions": [],
      "displayName": "",
      "effect": "",
      "isEnabled": true,
@ -186,15 +185,9 @@
      "name": "",
      "owner": "",
      "resourceType": "",
-      "resources": [
-        ""
-      ],
-      "roles": [
-        ""
-      ],
-      "users": [
-        ""
-      ]
+      "resources": [],
+      "roles": [],
+      "users": []
    }
  ],
  "payments": [
@ -236,9 +229,7 @@
      "name": "",
      "owner": "",
      "price": 0,
-      "providers": [
-        ""
-      ],
+      "providers": [],
      "quantity": 0,
      "returnUrl": "",
      "sold": 0,
@ -268,12 +259,8 @@
      "isEnabled": true,
      "name": "",
      "owner": "",
-      "roles": [
-        ""
-      ],
-      "users": [
-        ""
-      ]
+      "roles": [],
+      "users": []
    }
  ],
  "syncers": [
@ -284,7 +271,7 @@
      "databaseType": "",
      "errorText": "",
      "host": "",
-      "isEnabled": true,
+      "isEnabled": false,
      "name": "",
      "organization": "",
      "owner": "",
@ -298,9 +285,7 @@
          "isHashed": true,
          "name": "",
          "type": "",
-          "values": [
-            ""
-          ]
+          "values": []
        }
      ],
      "tablePrimaryKey": "",
@ -330,9 +315,7 @@
  "webhooks": [
    {
      "contentType": "",
-      "events": [
-        ""
-      ],
+      "events": [],
      "headers": [
        {
          "name": "",
--- a/ldap/server.go
+++ b/ldap/server.go
@ -16,6 +16,7 @@ package ldap

 import (
 	"fmt"
+	"hash/fnv"
 	"log"

 	"github.com/casdoor/casdoor/conf"
@ -25,6 +26,11 @@ import (
 )

 func StartLdapServer() {
+	ldapServerPort := conf.GetConfigString("ldapServerPort")
+	if ldapServerPort == "" || ldapServerPort == "0" {
+		return
+	}
+
 	server := ldap.NewServer()
 	routes := ldap.NewRouteMux()

@ -32,9 +38,9 @@ func StartLdapServer() {
 	routes.Search(handleSearch).Label(" SEARCH****")

 	server.Handle(routes)
-	err := server.ListenAndServe("0.0.0.0:" + conf.GetConfigString("ldapServerPort"))
+	err := server.ListenAndServe("0.0.0.0:" + ldapServerPort)
 	if err != nil {
-		log.Printf("StartLdapServer() failed, ErrMsg = %s", err.Error())
+		log.Printf("StartLdapServer() failed, err = %s", err.Error())
 	}
 }

@ -44,20 +50,20 @@ func handleBind(w ldap.ResponseWriter, m *ldap.Message) {

 	if r.AuthenticationChoice() == "simple" {
 		bindUsername, bindOrg, err := getNameAndOrgFromDN(string(r.Name()))
-		if err != "" {
-			log.Printf("Bind failed ,ErrMsg=%s", err)
+		if err != nil {
+			log.Printf("getNameAndOrgFromDN() error: %s", err.Error())
 			res.SetResultCode(ldap.LDAPResultInvalidDNSyntax)
-			res.SetDiagnosticMessage("bind failed ErrMsg: " + err)
+			res.SetDiagnosticMessage(fmt.Sprintf("getNameAndOrgFromDN() error: %s", err.Error()))
 			w.Write(res)
 			return
 		}

 		bindPassword := string(r.AuthenticationSimple())
 		bindUser, err := object.CheckUserPassword(bindOrg, bindUsername, bindPassword, "en")
-		if err != "" {
+		if err != nil {
 			log.Printf("Bind failed User=%s, Pass=%#v, ErrMsg=%s", string(r.Name()), r.Authentication(), err)
 			res.SetResultCode(ldap.LDAPResultInvalidCredentials)
-			res.SetDiagnosticMessage("invalid credentials ErrMsg: " + err)
+			res.SetDiagnosticMessage("invalid credentials ErrMsg: " + err.Error())
 			w.Write(res)
 			return
 		}
@ -73,7 +79,7 @@ func handleBind(w ldap.ResponseWriter, m *ldap.Message) {
 		m.Client.OrgName = bindOrg
 	} else {
 		res.SetResultCode(ldap.LDAPResultAuthMethodNotSupported)
-		res.SetDiagnosticMessage("Authentication method not supported,Please use Simple Authentication")
+		res.SetDiagnosticMessage("Authentication method not supported, please use Simple Authentication")
 	}
 	w.Write(res)
 }
@ -108,10 +114,22 @@ func handleSearch(w ldap.ResponseWriter, m *ldap.Message) {
 	}

 	for _, user := range users {
-		dn := fmt.Sprintf("cn=%s,%s", user.Name, string(r.BaseObject()))
+		dn := fmt.Sprintf("uid=%s,cn=%s,%s", user.Id, user.Name, string(r.BaseObject()))
 		e := ldap.NewSearchResultEntry(dn)
-
-		for _, attr := range r.Attributes() {
+		uidNumberStr := fmt.Sprintf("%v", hash(user.Name))
+		e.AddAttribute("uidNumber", message.AttributeValue(uidNumberStr))
+		e.AddAttribute("gidNumber", message.AttributeValue(uidNumberStr))
+		e.AddAttribute("homeDirectory", message.AttributeValue("/home/"+user.Name))
+		e.AddAttribute("cn", message.AttributeValue(user.Name))
+		e.AddAttribute("uid", message.AttributeValue(user.Id))
+		attrs := r.Attributes()
+		for _, attr := range attrs {
+			if string(attr) == "*" {
+				attrs = AdditionalLdapAttributes
+				break
+			}
+		}
+		for _, attr := range attrs {
 			e.AddAttribute(message.AttributeDescription(attr), getAttribute(string(attr), user))
 			if string(attr) == "cn" {
 				e.AddAttribute(message.AttributeDescription(attr), getAttribute("title", user))
@ -122,3 +140,9 @@ func handleSearch(w ldap.ResponseWriter, m *ldap.Message) {
 	}
 	w.Write(res)
 }
+
+func hash(s string) uint32 {
+	h := fnv.New32a()
+	h.Write([]byte(s))
+	return h.Sum32()
+}
--- a/ldap/util.go
+++ b/ldap/util.go
@ -24,9 +24,73 @@ import (
 	"github.com/lor00x/goldap/message"

 	ldap "github.com/forestmgy/ldapserver"
+
+	"github.com/xorm-io/builder"
 )

-func getNameAndOrgFromDN(DN string) (string, string, string) {
+type AttributeMapper func(user *object.User) message.AttributeValue
+
+type FieldRelation struct {
+	userField     string
+	notSearchable bool
+	hideOnStarOp  bool
+	fieldMapper   AttributeMapper
+}
+
+func (rel FieldRelation) GetField() (string, error) {
+	if rel.notSearchable {
+		return "", fmt.Errorf("attribute %s not supported", rel.userField)
+	}
+	return rel.userField, nil
+}
+
+func (rel FieldRelation) GetAttributeValue(user *object.User) message.AttributeValue {
+	return rel.fieldMapper(user)
+}
+
+var ldapAttributesMapping = map[string]FieldRelation{
+	"cn": {userField: "name", hideOnStarOp: true, fieldMapper: func(user *object.User) message.AttributeValue {
+		return message.AttributeValue(user.Name)
+	}},
+	"uid": {userField: "name", hideOnStarOp: true, fieldMapper: func(user *object.User) message.AttributeValue {
+		return message.AttributeValue(user.Name)
+	}},
+	"displayname": {userField: "displayName", fieldMapper: func(user *object.User) message.AttributeValue {
+		return message.AttributeValue(user.DisplayName)
+	}},
+	"email": {userField: "email", fieldMapper: func(user *object.User) message.AttributeValue {
+		return message.AttributeValue(user.Email)
+	}},
+	"mail": {userField: "email", fieldMapper: func(user *object.User) message.AttributeValue {
+		return message.AttributeValue(user.Email)
+	}},
+	"mobile": {userField: "phone", fieldMapper: func(user *object.User) message.AttributeValue {
+		return message.AttributeValue(user.Phone)
+	}},
+	"title": {userField: "tag", fieldMapper: func(user *object.User) message.AttributeValue {
+		return message.AttributeValue(user.Tag)
+	}},
+	"userPassword": {
+		userField:     "userPassword",
+		notSearchable: true,
+		fieldMapper: func(user *object.User) message.AttributeValue {
+			return message.AttributeValue(getUserPasswordWithType(user))
+		},
+	},
+}
+
+var AdditionalLdapAttributes []message.LDAPString
+
+func init() {
+	for k, v := range ldapAttributesMapping {
+		if v.hideOnStarOp {
+			continue
+		}
+		AdditionalLdapAttributes = append(AdditionalLdapAttributes, message.LDAPString(k))
+	}
+}
+
+func getNameAndOrgFromDN(DN string) (string, string, error) {
 	DNFields := strings.Split(DN, ",")
 	params := make(map[string]string, len(DNFields))
 	for _, field := range DNFields {
@ -37,12 +101,12 @@ func getNameAndOrgFromDN(DN string) (string, string, string) {
 	}

 	if params["cn"] == "" {
-		return "", "", "please use Admin Name format like cn=xxx,ou=xxx,dc=example,dc=com"
+		return "", "", fmt.Errorf("please use Admin Name format like cn=xxx,ou=xxx,dc=example,dc=com")
 	}
 	if params["ou"] == "" {
-		return params["cn"], object.CasdoorOrganization, ""
+		return params["cn"], object.CasdoorOrganization, nil
 	}
-	return params["cn"], params["ou"], ""
+	return params["cn"], params["ou"], nil
 }

 func getNameAndOrgFromFilter(baseDN, filter string) (string, string, int) {
@ -50,7 +114,11 @@ func getNameAndOrgFromFilter(baseDN, filter string) (string, string, int) {
 		return "", "", ldap.LDAPResultInvalidDNSyntax
 	}

-	name, org, _ := getNameAndOrgFromDN(fmt.Sprintf("cn=%s,", getUsername(filter)) + baseDN)
+	name, org, err := getNameAndOrgFromDN(fmt.Sprintf("cn=%s,", getUsername(filter)) + baseDN)
+	if err != nil {
+		panic(err)
+	}
+
 	return name, org, ldap.LDAPResultSuccess
 }

@ -83,6 +151,92 @@ func stringInSlice(value string, list []string) bool {
 	return false
 }

+func buildUserFilterCondition(filter interface{}) (builder.Cond, error) {
+	switch f := filter.(type) {
+	case message.FilterAnd:
+		conditions := make([]builder.Cond, len(f))
+		for i, v := range f {
+			cond, err := buildUserFilterCondition(v)
+			if err != nil {
+				return nil, err
+			}
+			conditions[i] = cond
+		}
+		return builder.And(conditions...), nil
+	case message.FilterOr:
+		conditions := make([]builder.Cond, len(f))
+		for i, v := range f {
+			cond, err := buildUserFilterCondition(v)
+			if err != nil {
+				return nil, err
+			}
+			conditions[i] = cond
+		}
+		return builder.Or(conditions...), nil
+	case message.FilterNot:
+		cond, err := buildUserFilterCondition(f.Filter)
+		if err != nil {
+			return nil, err
+		}
+		return builder.Not{cond}, nil
+	case message.FilterEqualityMatch:
+		field, err := getUserFieldFromAttribute(string(f.AttributeDesc()))
+		if err != nil {
+			return nil, err
+		}
+		return builder.Eq{field: string(f.AssertionValue())}, nil
+	case message.FilterPresent:
+		field, err := getUserFieldFromAttribute(string(f))
+		if err != nil {
+			return nil, err
+		}
+		return builder.NotNull{field}, nil
+	case message.FilterGreaterOrEqual:
+		field, err := getUserFieldFromAttribute(string(f.AttributeDesc()))
+		if err != nil {
+			return nil, err
+		}
+		return builder.Gte{field: string(f.AssertionValue())}, nil
+	case message.FilterLessOrEqual:
+		field, err := getUserFieldFromAttribute(string(f.AttributeDesc()))
+		if err != nil {
+			return nil, err
+		}
+		return builder.Lte{field: string(f.AssertionValue())}, nil
+	case message.FilterSubstrings:
+		field, err := getUserFieldFromAttribute(string(f.Type_()))
+		if err != nil {
+			return nil, err
+		}
+		var expr string
+		for _, substring := range f.Substrings() {
+			switch s := substring.(type) {
+			case message.SubstringInitial:
+				expr += string(s) + "%"
+				continue
+			case message.SubstringAny:
+				expr += string(s) + "%"
+				continue
+			case message.SubstringFinal:
+				expr += string(s)
+				continue
+			}
+		}
+		return builder.Expr(field+" LIKE ?", expr), nil
+	default:
+		return nil, fmt.Errorf("LDAP filter operation %#v not supported", f)
+	}
+}
+
+func buildSafeCondition(filter interface{}) builder.Cond {
+	condition, err := buildUserFilterCondition(filter)
+	if err != nil {
+		log.Printf("err = %v", err.Error())
+		return nil
+	}
+	return condition
+}
+
 func GetFilteredUsers(m *ldap.Message) (filteredUsers []*object.User, code int) {
 	var err error
 	r := m.GetSearchRequest()
@ -94,15 +248,14 @@ func GetFilteredUsers(m *ldap.Message) (filteredUsers []*object.User, code int)

 	if name == "*" && m.Client.IsOrgAdmin { // get all users from organization 'org'
 		if m.Client.IsGlobalAdmin && org == "*" {
-
-			filteredUsers, err = object.GetGlobalUsers()
+			filteredUsers, err = object.GetGlobalUsersWithFilter(buildSafeCondition(r.Filter()))
 			if err != nil {
 				panic(err)
 			}
 			return filteredUsers, ldap.LDAPResultSuccess
 		}
 		if m.Client.IsGlobalAdmin || org == m.Client.OrgName {
-			filteredUsers, err = object.GetUsers(org)
+			filteredUsers, err = object.GetUsersWithFilter(org, buildSafeCondition(r.Filter()))
 			if err != nil {
 				panic(err)
 			}
@ -117,7 +270,7 @@ func GetFilteredUsers(m *ldap.Message) (filteredUsers []*object.User, code int)

 		hasPermission, err := object.CheckUserPermission(requestUserId, userId, true, "en")
 		if !hasPermission {
-			log.Printf("ErrMsg = %v", err.Error())
+			log.Printf("err = %v", err.Error())
 			return nil, ldap.LDAPResultInsufficientAccessRights
 		}

@ -144,7 +297,7 @@ func GetFilteredUsers(m *ldap.Message) (filteredUsers []*object.User, code int)
 			return nil, ldap.LDAPResultNoSuchObject
 		}

-		users, err := object.GetUsersByTag(org, name)
+		users, err := object.GetUsersByTagWithFilter(org, name, buildSafeCondition(r.Filter()))
 		if err != nil {
 			panic(err)
 		}
@ -178,24 +331,17 @@ func getUserPasswordWithType(user *object.User) string {
 }

 func getAttribute(attributeName string, user *object.User) message.AttributeValue {
-	switch attributeName {
-	case "cn":
-		return message.AttributeValue(user.Name)
-	case "uid":
-		return message.AttributeValue(user.Name)
-	case "displayname":
-		return message.AttributeValue(user.DisplayName)
-	case "email":
-		return message.AttributeValue(user.Email)
-	case "mail":
-		return message.AttributeValue(user.Email)
-	case "mobile":
-		return message.AttributeValue(user.Phone)
-	case "title":
-		return message.AttributeValue(user.Tag)
-	case "userPassword":
-		return message.AttributeValue(getUserPasswordWithType(user))
-	default:
+	v, ok := ldapAttributesMapping[attributeName]
+	if !ok {
 		return ""
 	}
+	return v.GetAttributeValue(user)
+}
+
+func getUserFieldFromAttribute(attributeName string) (string, error) {
+	v, ok := ldapAttributesMapping[attributeName]
+	if !ok {
+		return "", fmt.Errorf("attribute %s not supported", attributeName)
+	}
+	return v.GetField()
 }
--- a/ldap/util_test.go
+++ b/ldap/util_test.go
@ -0,0 +1,87 @@
+package ldap
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+
+	ber "github.com/go-asn1-ber/asn1-ber"
+	goldap "github.com/go-ldap/ldap/v3"
+	"github.com/lor00x/goldap/message"
+	"github.com/xorm-io/builder"
+)
+
+func args(exp ...interface{}) []interface{} {
+	return exp
+}
+
+func TestLdapFilterAsQuery(t *testing.T) {
+	scenarios := []struct {
+		description  string
+		input        string
+		expectedExpr string
+		expectedArgs []interface{}
+	}{
+		{"Should be SQL for FilterAnd", "(&(mail=2)(email=1))", "email=? AND email=?", args("2", "1")},
+		{"Should be SQL for FilterOr", "(|(mail=2)(email=1))", "email=? OR email=?", args("2", "1")},
+		{"Should be SQL for FilterNot", "(!(mail=2))", "NOT email=?", args("2")},
+		{"Should be SQL for FilterEqualityMatch", "(mail=2)", "email=?", args("2")},
+		{"Should be SQL for FilterPresent", "(mail=*)", "email IS NOT NULL", nil},
+		{"Should be SQL for FilterGreaterOrEqual", "(mail>=admin)", "email>=?", args("admin")},
+		{"Should be SQL for FilterLessOrEqual", "(mail<=admin)", "email<=?", args("admin")},
+		{"Should be SQL for FilterSubstrings", "(mail=admin*ex*c*m)", "email LIKE ?", args("admin%ex%c%m")},
+	}
+
+	for _, scenery := range scenarios {
+		t.Run(scenery.description, func(t *testing.T) {
+			searchRequest, err := buildLdapSearchRequest(scenery.input)
+			if err != nil {
+				assert.FailNow(t, "Unable to create searchRequest", err)
+			}
+			m, err := message.ReadLDAPMessage(message.NewBytes(0, searchRequest.Bytes()))
+			if err != nil {
+				assert.FailNow(t, "Unable to create searchRequest", err)
+			}
+			req := m.ProtocolOp().(message.SearchRequest)
+
+			cond, err := buildUserFilterCondition(req.Filter())
+			if err != nil {
+				assert.FailNow(t, "Unable to build condition", err)
+			}
+			expr, args, err := builder.ToSQL(cond)
+			if err != nil {
+				assert.FailNow(t, "Unable to build sql", err)
+			}
+
+			assert.Equal(t, scenery.expectedExpr, expr)
+			assert.Equal(t, scenery.expectedArgs, args)
+		})
+	}
+}
+
+func buildLdapSearchRequest(filter string) (*ber.Packet, error) {
+	packet := ber.Encode(ber.ClassUniversal, ber.TypeConstructed, ber.TagSequence, nil, "LDAP Request")
+	packet.AppendChild(ber.NewInteger(ber.ClassUniversal, ber.TypePrimitive, ber.TagInteger, 1, "MessageID"))
+
+	pkt := ber.Encode(ber.ClassApplication, ber.TypeConstructed, goldap.ApplicationSearchRequest, nil, "Search Request")
+	pkt.AppendChild(ber.NewString(ber.ClassUniversal, ber.TypePrimitive, ber.TagOctetString, "", "Base DN"))
+	pkt.AppendChild(ber.NewInteger(ber.ClassUniversal, ber.TypePrimitive, ber.TagEnumerated, 0, "Scope"))
+	pkt.AppendChild(ber.NewInteger(ber.ClassUniversal, ber.TypePrimitive, ber.TagEnumerated, 0, "Deref Aliases"))
+	pkt.AppendChild(ber.NewInteger(ber.ClassUniversal, ber.TypePrimitive, ber.TagInteger, 0, "Size Limit"))
+	pkt.AppendChild(ber.NewInteger(ber.ClassUniversal, ber.TypePrimitive, ber.TagInteger, 0, "Time Limit"))
+	pkt.AppendChild(ber.NewBoolean(ber.ClassUniversal, ber.TypePrimitive, ber.TagBoolean, false, "Types Only"))
+	// compile and encode filter
+	filterPacket, err := goldap.CompileFilter(filter)
+	if err != nil {
+		return nil, err
+	}
+	pkt.AppendChild(filterPacket)
+	// encode attributes
+	attributesPacket := ber.Encode(ber.ClassUniversal, ber.TypeConstructed, ber.TagSequence, nil, "Attributes")
+	attributesPacket.AppendChild(ber.NewString(ber.ClassUniversal, ber.TypePrimitive, ber.TagOctetString, "*", "Attribute"))
+	pkt.AppendChild(attributesPacket)
+
+	packet.AppendChild(pkt)
+
+	return packet, nil
+}
--- a/main.go
+++ b/main.go
@ -25,6 +25,7 @@ import (
 	"github.com/casdoor/casdoor/ldap"
 	"github.com/casdoor/casdoor/object"
 	"github.com/casdoor/casdoor/proxy"
+	"github.com/casdoor/casdoor/radius"
 	"github.com/casdoor/casdoor/routers"
 	"github.com/casdoor/casdoor/util"
 )
@ -33,7 +34,6 @@ func main() {
 	object.InitFlag()
 	object.InitAdapter()
 	object.CreateTables()
-	object.DoMigration()

 	object.InitDb()
 	object.InitFromFile()
@ -81,6 +81,7 @@ func main() {
 	logs.SetLogFuncCall(false)

 	go ldap.StartLdapServer()
+	go radius.StartRadiusServer()
 	go object.ClearThroughputPerSecond()

 	beego.Run(fmt.Sprintf(":%v", port))
--- a/manifests/casdoor/values.yaml
+++ b/manifests/casdoor/values.yaml
@ -22,14 +22,15 @@ config: |
  dataSourceName = "file:ent?mode=memory&cache=shared&_fk=1"
  dbName = casdoor
  redisEndpoint =
-  defaultStorageProvider = 
+  defaultStorageProvider =
  isCloudIntranet = false
  authState = "casdoor"
  socks5Proxy = ""
  verificationCodeTimeout = 10
-  initScore = 2000
+  initScore = 0
  logPostOnly = true
-  origin = "https://door.casbin.com"
+  origin =
+  enableGzip = true

 imagePullSecrets: []
 nameOverride: ""
--- a/notification/bark.go
+++ b/notification/bark.go
@ -0,0 +1,29 @@
+// Copyright 2023 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package notification
+
+import (
+	"github.com/casdoor/notify"
+	"github.com/casdoor/notify/service/bark"
+)
+
+func NewBarkProvider(deviceKey string) (notify.Notifier, error) {
+	barkSrv := bark.New(deviceKey)
+
+	notifier := notify.New()
+	notifier.UseServices(barkSrv)
+
+	return notifier, nil
+}
--- a/notification/dingtalk.go
+++ b/notification/dingtalk.go
@ -0,0 +1,33 @@
+// Copyright 2023 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package notification
+
+import (
+	"github.com/casdoor/notify"
+	"github.com/casdoor/notify/service/dingding"
+)
+
+func NewDingTalkProvider(token string, secret string) (notify.Notifier, error) {
+	cfg := dingding.Config{
+		Token:  token,
+		Secret: secret,
+	}
+	dingtalkSrv := dingding.New(&cfg)
+
+	notifier := notify.New()
+	notifier.UseServices(dingtalkSrv)
+
+	return notifier, nil
+}
--- a/notification/discord.go
+++ b/notification/discord.go
@ -0,0 +1,37 @@
+// Copyright 2023 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package notification
+
+import (
+	"github.com/casdoor/casdoor/proxy"
+	"github.com/casdoor/notify"
+	"github.com/casdoor/notify/service/discord"
+)
+
+func NewDiscordProvider(token string, channelId string) (*notify.Notify, error) {
+	discordSrv := discord.New()
+
+	err := discordSrv.AuthenticateWithBotToken(token)
+	if err != nil {
+		return nil, err
+	}
+
+	discordSrv.SetHttpClient(proxy.ProxyHttpClient)
+	discordSrv.AddReceivers(channelId)
+
+	notifier := notify.NewWithServices(discordSrv)
+
+	return notifier, nil
+}
--- a/notification/google_chat.go
+++ b/notification/google_chat.go
@ -0,0 +1,53 @@
+// Copyright 2023 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package notification
+
+import (
+	"context"
+	"strings"
+
+	"github.com/casdoor/notify"
+	"github.com/casdoor/notify/service/googlechat"
+	"google.golang.org/api/chat/v1"
+	"google.golang.org/api/option"
+)
+
+func NewGoogleChatProvider(credentials string) (*notify.Notify, error) {
+	withCred := option.WithCredentialsJSON([]byte(credentials))
+	withSpacesScope := option.WithScopes("https://www.googleapis.com/auth/chat.spaces")
+
+	listSvc, err := chat.NewService(context.Background(), withCred, withSpacesScope)
+	spaces, err := listSvc.Spaces.List().Do()
+	if err != nil {
+		return nil, err
+	}
+
+	receivers := make([]string, 0)
+	for _, space := range spaces.Spaces {
+		name := strings.Replace(space.Name, "spaces/", "", 1)
+		receivers = append(receivers, name)
+	}
+
+	googleChatSrv, err := googlechat.New(withCred)
+	if err != nil {
+		return nil, err
+	}
+
+	googleChatSrv.AddReceivers(receivers...)
+
+	notifier := notify.NewWithServices(googleChatSrv)
+
+	return notifier, nil
+}
--- a/notification/lark.go
+++ b/notification/lark.go
@ -0,0 +1,29 @@
+// Copyright 2023 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package notification
+
+import (
+	"github.com/casdoor/notify"
+	"github.com/casdoor/notify/service/lark"
+)
+
+func NewLarkProvider(webhookURL string) (notify.Notifier, error) {
+	larkSrv := lark.NewWebhookService(webhookURL)
+
+	notifier := notify.New()
+	notifier.UseServices(larkSrv)
+
+	return notifier, nil
+}
--- a/notification/line.go
+++ b/notification/line.go
@ -0,0 +1,32 @@
+// Copyright 2023 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package notification
+
+import (
+	"github.com/casdoor/casdoor/proxy"
+	"github.com/casdoor/notify"
+	"github.com/casdoor/notify/service/line"
+)
+
+func NewLineProvider(channelSecret string, accessToken string, receiver string) (*notify.Notify, error) {
+	lineSrv, _ := line.NewWithHttpClient(channelSecret, accessToken, proxy.ProxyHttpClient)
+
+	lineSrv.AddReceivers(receiver)
+
+	notifier := notify.New()
+	notifier.UseServices(lineSrv)
+
+	return notifier, nil
+}
--- a/notification/matrix.go
+++ b/notification/matrix.go
@ -0,0 +1,36 @@
+// Copyright 2023 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package notification
+
+import (
+	"github.com/casdoor/casdoor/proxy"
+	"github.com/casdoor/notify"
+	"github.com/casdoor/notify/service/matrix"
+	"maunium.net/go/mautrix/id"
+)
+
+func NewMatrixProvider(userId string, accessToken string, roomId string, homeServer string) (*notify.Notify, error) {
+	matrixSrv, err := matrix.New(id.UserID(userId), id.RoomID(roomId), homeServer, accessToken)
+	if err != nil {
+		return nil, err
+	}
+
+	matrixSrv.SetHttpClient(proxy.ProxyHttpClient)
+
+	notifier := notify.New()
+	notifier.UseServices(matrixSrv)
+
+	return notifier, nil
+}
--- a/notification/microsoft_teams.go
+++ b/notification/microsoft_teams.go
@ -0,0 +1,31 @@
+// Copyright 2023 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package notification
+
+import (
+	"github.com/casdoor/notify"
+	"github.com/casdoor/notify/service/msteams"
+)
+
+func NewMicrosoftTeamsProvider(webhookURL string) (notify.Notifier, error) {
+	msTeamsSrv := msteams.New()
+
+	msTeamsSrv.AddReceivers(webhookURL)
+
+	notifier := notify.New()
+	notifier.UseServices(msTeamsSrv)
+
+	return notifier, nil
+}
--- a/notification/provider.go
+++ b/notification/provider.go
@ -14,13 +14,45 @@

 package notification

-import "github.com/nikoksr/notify"
+import "github.com/casdoor/notify"

-func GetNotificationProvider(typ string, appId string, receiver string, method string, title string) (notify.Notifier, error) {
+func GetNotificationProvider(typ string, clientId string, clientSecret string, clientId2 string, clientSecret2 string, appId string, receiver string, method string, title string, metaData string) (notify.Notifier, error) {
 	if typ == "Telegram" {
-		return NewTelegramProvider(appId, receiver)
+		return NewTelegramProvider(clientSecret, receiver)
 	} else if typ == "Custom HTTP" {
 		return NewCustomHttpProvider(receiver, method, title)
+	} else if typ == "DingTalk" {
+		return NewDingTalkProvider(clientId, clientSecret)
+	} else if typ == "Lark" {
+		return NewLarkProvider(clientSecret)
+	} else if typ == "Microsoft Teams" {
+		return NewMicrosoftTeamsProvider(clientSecret)
+	} else if typ == "Bark" {
+		return NewBarkProvider(clientSecret)
+	} else if typ == "Pushover" {
+		return NewPushoverProvider(clientSecret, receiver)
+	} else if typ == "Pushbullet" {
+		return NewPushbulletProvider(clientSecret, receiver)
+	} else if typ == "Slack" {
+		return NewSlackProvider(clientSecret, receiver)
+	} else if typ == "Webpush" {
+		return NewWebpushProvider(clientId, clientSecret, receiver)
+	} else if typ == "Discord" {
+		return NewDiscordProvider(clientSecret, receiver)
+	} else if typ == "Google Chat" {
+		return NewGoogleChatProvider(metaData)
+	} else if typ == "Line" {
+		return NewLineProvider(clientSecret, appId, receiver)
+	} else if typ == "Matrix" {
+		return NewMatrixProvider(clientId, clientSecret, appId, receiver)
+	} else if typ == "Twitter" {
+		return NewTwitterProvider(clientId, clientSecret, clientId2, clientSecret2, receiver)
+	} else if typ == "Reddit" {
+		return NewRedditProvider(clientId, clientSecret, clientId2, clientSecret2, receiver)
+	} else if typ == "Rocket Chat" {
+		return NewRocketChatProvider(clientId, clientSecret, appId, receiver)
+	} else if typ == "Viber" {
+		return NewViberProvider(clientId, clientSecret, appId, receiver)
 	}

 	return nil, nil
--- a/notification/pushbullet.go
+++ b/notification/pushbullet.go
@ -0,0 +1,31 @@
+// Copyright 2023 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package notification
+
+import (
+	"github.com/casdoor/notify"
+	"github.com/casdoor/notify/service/pushbullet"
+)
+
+func NewPushbulletProvider(apiToken string, deviceNickname string) (notify.Notifier, error) {
+	pushbulletSrv := pushbullet.New(apiToken)
+
+	pushbulletSrv.AddReceivers(deviceNickname)
+
+	notifier := notify.New()
+	notifier.UseServices(pushbulletSrv)
+
+	return notifier, nil
+}
--- a/notification/pushover.go
+++ b/notification/pushover.go
@ -0,0 +1,31 @@
+// Copyright 2023 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package notification
+
+import (
+	"github.com/casdoor/notify"
+	"github.com/casdoor/notify/service/pushover"
+)
+
+func NewPushoverProvider(appToken string, recipientID string) (notify.Notifier, error) {
+	pushoverSrv := pushover.New(appToken)
+
+	pushoverSrv.AddReceivers(recipientID)
+
+	notifier := notify.New()
+	notifier.UseServices(pushoverSrv)
+
+	return notifier, nil
+}
--- a/notification/reddit.go
+++ b/notification/reddit.go
@ -0,0 +1,34 @@
+// Copyright 2023 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package notification
+
+import (
+	"github.com/casdoor/notify"
+	"github.com/casdoor/notify/service/reddit"
+)
+
+func NewRedditProvider(clientId string, clientSecret string, username string, password string, recipient string) (notify.Notifier, error) {
+	redditSrv, err := reddit.New(clientId, clientSecret, username, password)
+	if err != nil {
+		return nil, err
+	}
+
+	redditSrv.AddReceivers(recipient)
+
+	notifier := notify.New()
+	notifier.UseServices(redditSrv)
+
+	return notifier, nil
+}
--- a/notification/rocket_chat.go
+++ b/notification/rocket_chat.go
@ -0,0 +1,47 @@
+// Copyright 2023 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package notification
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/casdoor/notify"
+	"github.com/casdoor/notify/service/rocketchat"
+)
+
+func NewRocketChatProvider(clientId string, clientSecret string, endpoint string, channelName string) (notify.Notifier, error) {
+	parts := strings.Split(endpoint, "://")
+
+	var scheme, serverURL string
+	if len(parts) >= 2 {
+		scheme = parts[0]
+		serverURL = parts[1]
+	} else {
+		return nil, fmt.Errorf("parse endpoint error")
+	}
+
+	rocketChatSrv, err := rocketchat.New(serverURL, scheme, clientId, clientSecret)
+	if err != nil {
+		return nil, err
+	}
+
+	rocketChatSrv.AddReceivers(channelName)
+
+	notifier := notify.New()
+	notifier.UseServices(rocketChatSrv)
+
+	return notifier, nil
+}
--- a/notification/slack.go
+++ b/notification/slack.go
@ -0,0 +1,30 @@
+// Copyright 2023 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package notification
+
+import (
+	"github.com/casdoor/notify"
+	"github.com/casdoor/notify/service/slack"
+)
+
+func NewSlackProvider(apiToken string, channelID string) (*notify.Notify, error) {
+	slackSrv := slack.New(apiToken)
+	slackSrv.AddReceivers(channelID)
+
+	notifier := notify.New()
+	notifier.UseServices(slackSrv)
+
+	return notifier, nil
+}
--- a/notification/telegram.go
+++ b/notification/telegram.go
@ -18,9 +18,9 @@ import (
 	"strconv"

 	"github.com/casdoor/casdoor/proxy"
+	"github.com/casdoor/notify"
+	"github.com/casdoor/notify/service/telegram"
 	api "github.com/go-telegram-bot-api/telegram-bot-api"
-	"github.com/nikoksr/notify"
-	"github.com/nikoksr/notify/service/telegram"
 )

 func NewTelegramProvider(apiToken string, chatIdStr string) (notify.Notifier, error) {
@ -28,15 +28,18 @@ func NewTelegramProvider(apiToken string, chatIdStr string) (notify.Notifier, er
 	if err != nil {
 		return nil, err
 	}
-	t := &telegram.Telegram{}
-	t.SetClient(client)
+	telegramSrv := &telegram.Telegram{}
+	telegramSrv.SetClient(client)

 	chatId, err := strconv.ParseInt(chatIdStr, 10, 64)
 	if err != nil {
 		return nil, err
 	}

-	t.AddReceivers(chatId)
+	telegramSrv.AddReceivers(chatId)

-	return t, nil
+	notifier := notify.New()
+	notifier.UseServices(telegramSrv)
+
+	return notifier, nil
 }
--- a/notification/twitter.go
+++ b/notification/twitter.go
@ -0,0 +1,41 @@
+// Copyright 2023 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package notification
+
+import (
+	"github.com/casdoor/casdoor/proxy"
+	"github.com/casdoor/notify"
+	"github.com/casdoor/notify/service/twitter"
+)
+
+func NewTwitterProvider(consumerKey string, consumerSecret string, accessToken string, accessTokenSecret string, twitterId string) (*notify.Notify, error) {
+	credentials := twitter.Credentials{
+		ConsumerKey:       consumerKey,
+		ConsumerSecret:    consumerSecret,
+		AccessToken:       accessToken,
+		AccessTokenSecret: accessTokenSecret,
+	}
+	twitterSrv, err := twitter.NewWithHttpClient(credentials, proxy.ProxyHttpClient)
+	if err != nil {
+		return nil, err
+	}
+
+	twitterSrv.AddReceivers(twitterId)
+
+	notifier := notify.New()
+	notifier.UseServices(twitterSrv)
+
+	return notifier, nil
+}
--- a/notification/viber.go
+++ b/notification/viber.go
@ -0,0 +1,36 @@
+// Copyright 2023 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package notification
+
+import (
+	"github.com/casdoor/notify"
+	"github.com/casdoor/notify/service/viber"
+)
+
+func NewViberProvider(senderName string, appKey string, webhookURL string, receiverId string) (notify.Notifier, error) {
+	viberSrv := viber.New(appKey, senderName, "")
+
+	err := viberSrv.SetWebhook(webhookURL)
+	if err != nil {
+		return nil, err
+	}
+
+	viberSrv.AddReceivers(receiverId)
+
+	notifier := notify.New()
+	notifier.UseServices(viberSrv)
+
+	return notifier, nil
+}
--- a/notification/webpush.go
+++ b/notification/webpush.go
@ -0,0 +1,33 @@
+// Copyright 2023 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package notification
+
+import (
+	"github.com/casdoor/notify"
+	"github.com/casdoor/notify/service/webpush"
+)
+
+func NewWebpushProvider(publicKey string, privateKey string, endpoint string) (*notify.Notify, error) {
+	webpushSrv := webpush.New(publicKey, privateKey)
+
+	subscription := webpush.Subscription{
+		Endpoint: endpoint,
+	}
+	webpushSrv.AddReceivers(subscription)
+
+	notifier := notify.NewWithServices(webpushSrv)
+
+	return notifier, nil
+}
--- a/object/adapter.go
+++ b/object/adapter.go
@ -30,15 +30,15 @@ type Adapter struct {
 	Name        string `xorm:"varchar(100) notnull pk" json:"name"`
 	CreatedTime string `xorm:"varchar(100)" json:"createdTime"`

-	Type            string `xorm:"varchar(100)" json:"type"`
-	DatabaseType    string `xorm:"varchar(100)" json:"databaseType"`
-	Host            string `xorm:"varchar(100)" json:"host"`
-	Port            int    `json:"port"`
-	User            string `xorm:"varchar(100)" json:"user"`
-	Password        string `xorm:"varchar(100)" json:"password"`
-	Database        string `xorm:"varchar(100)" json:"database"`
-	Table           string `xorm:"varchar(100)" json:"table"`
-	TableNamePrefix string `xorm:"varchar(100)" json:"tableNamePrefix"`
+	Table        string `xorm:"varchar(100)" json:"table"`
+	UseSameDb    bool   `json:"useSameDb"`
+	Type         string `xorm:"varchar(100)" json:"type"`
+	DatabaseType string `xorm:"varchar(100)" json:"databaseType"`
+	Host         string `xorm:"varchar(100)" json:"host"`
+	Port         int    `json:"port"`
+	User         string `xorm:"varchar(100)" json:"user"`
+	Password     string `xorm:"varchar(100)" json:"password"`
+	Database     string `xorm:"varchar(100)" json:"database"`

 	*xormadapter.Adapter `xorm:"-" json:"-"`
 }
@ -139,63 +139,69 @@ func (adapter *Adapter) GetId() string {
 	return fmt.Sprintf("%s/%s", adapter.Owner, adapter.Name)
 }

-func (adapter *Adapter) getTable() string {
-	if adapter.DatabaseType == "mssql" {
-		return fmt.Sprintf("[%s]", adapter.Table)
-	} else {
-		return adapter.Table
-	}
-}
-
 func (adapter *Adapter) InitAdapter() error {
-	if adapter.Adapter == nil {
-		var dataSourceName string
+	if adapter.Adapter != nil {
+		return nil
+	}

-		if adapter.isBuiltIn() {
-			dataSourceName = conf.GetConfigString("dataSourceName")
-			if adapter.DatabaseType == "mysql" {
-				dataSourceName = dataSourceName + adapter.Database
-			}
-		} else {
-			switch adapter.DatabaseType {
-			case "mssql":
-				dataSourceName = fmt.Sprintf("sqlserver://%s:%s@%s:%d?database=%s", adapter.User,
-					adapter.Password, adapter.Host, adapter.Port, adapter.Database)
-			case "mysql":
-				dataSourceName = fmt.Sprintf("%s:%s@tcp(%s:%d)/%s", adapter.User,
-					adapter.Password, adapter.Host, adapter.Port, adapter.Database)
-			case "postgres":
-				dataSourceName = fmt.Sprintf("user=%s password=%s host=%s port=%d sslmode=disable dbname=%s", adapter.User,
-					adapter.Password, adapter.Host, adapter.Port, adapter.Database)
-			case "CockroachDB":
-				dataSourceName = fmt.Sprintf("user=%s password=%s host=%s port=%d sslmode=disable dbname=%s serial_normalization=virtual_sequence",
-					adapter.User, adapter.Password, adapter.Host, adapter.Port, adapter.Database)
-			case "sqlite3":
-				dataSourceName = fmt.Sprintf("file:%s", adapter.Host)
-			default:
-				return fmt.Errorf("unsupported database type: %s", adapter.DatabaseType)
-			}
+	var driverName string
+	var dataSourceName string
+	if adapter.UseSameDb || adapter.isBuiltIn() {
+		driverName = conf.GetConfigString("driverName")
+		dataSourceName = conf.GetConfigString("dataSourceName")
+		if conf.GetConfigString("driverName") == "mysql" {
+			dataSourceName = dataSourceName + conf.GetConfigString("dbName")
 		}
-
-		if !isCloudIntranet {
-			dataSourceName = strings.ReplaceAll(dataSourceName, "dbi.", "db.")
-		}
-
-		var err error
-		engine, err := xorm.NewEngine(adapter.DatabaseType, dataSourceName)
-
-		if adapter.isBuiltIn() && adapter.DatabaseType == "postgres" {
-			schema := util.GetValueFromDataSourceName("search_path", dataSourceName)
-			if schema != "" {
-				engine.SetSchema(schema)
-			}
-		}
-
-		adapter.Adapter, err = xormadapter.NewAdapterByEngineWithTableName(engine, adapter.getTable(), adapter.TableNamePrefix)
-		if err != nil {
-			return err
+	} else {
+		driverName = adapter.DatabaseType
+		switch driverName {
+		case "mssql":
+			dataSourceName = fmt.Sprintf("sqlserver://%s:%s@%s:%d?database=%s", adapter.User,
+				adapter.Password, adapter.Host, adapter.Port, adapter.Database)
+		case "mysql":
+			dataSourceName = fmt.Sprintf("%s:%s@tcp(%s:%d)/%s", adapter.User,
+				adapter.Password, adapter.Host, adapter.Port, adapter.Database)
+		case "postgres":
+			dataSourceName = fmt.Sprintf("user=%s password=%s host=%s port=%d sslmode=disable dbname=%s", adapter.User,
+				adapter.Password, adapter.Host, adapter.Port, adapter.Database)
+		case "CockroachDB":
+			dataSourceName = fmt.Sprintf("user=%s password=%s host=%s port=%d sslmode=disable dbname=%s serial_normalization=virtual_sequence",
+				adapter.User, adapter.Password, adapter.Host, adapter.Port, adapter.Database)
+		case "sqlite3":
+			dataSourceName = fmt.Sprintf("file:%s", adapter.Host)
+		default:
+			return fmt.Errorf("unsupported database type: %s", adapter.DatabaseType)
 		}
 	}
+
+	if !isCloudIntranet {
+		dataSourceName = strings.ReplaceAll(dataSourceName, "dbi.", "db.")
+	}
+
+	engine, err := xorm.NewEngine(driverName, dataSourceName)
+	if err != nil {
+		return err
+	}
+
+	if (adapter.UseSameDb || adapter.isBuiltIn()) && driverName == "postgres" {
+		schema := util.GetValueFromDataSourceName("search_path", dataSourceName)
+		if schema != "" {
+			engine.SetSchema(schema)
+		}
+	}
+
+	var tableName string
+	if driverName == "mssql" {
+		tableName = fmt.Sprintf("[%s]", adapter.Table)
+	} else {
+		tableName = adapter.Table
+	}
+
+	adapter.Adapter, err = xormadapter.NewAdapterByEngineWithTableName(engine, tableName, "")
+	if err != nil {
+		return err
+	}
+
 	return nil
 }

--- a/object/application.go
+++ b/object/application.go
@ -25,11 +25,19 @@ import (
 )

 type SignupItem struct {
-	Name     string `json:"name"`
-	Visible  bool   `json:"visible"`
-	Required bool   `json:"required"`
-	Prompted bool   `json:"prompted"`
-	Rule     string `json:"rule"`
+	Name        string `json:"name"`
+	Visible     bool   `json:"visible"`
+	Required    bool   `json:"required"`
+	Prompted    bool   `json:"prompted"`
+	Label       string `json:"label"`
+	Placeholder string `json:"placeholder"`
+	Rule        string `json:"rule"`
+}
+
+type SamlItem struct {
+	Name       string `json:"name"`
+	NameFormat string `json:"nameformat"`
+	Value      string `json:"value"`
 }

 type Application struct {
@ -49,17 +57,19 @@ type Application struct {
 	EnableAutoSignin    bool            `json:"enableAutoSignin"`
 	EnableCodeSignin    bool            `json:"enableCodeSignin"`
 	EnableSamlCompress  bool            `json:"enableSamlCompress"`
+	EnableSamlC14n10    bool            `json:"enableSamlC14n10"`
 	EnableWebAuthn      bool            `json:"enableWebAuthn"`
 	EnableLinkWithEmail bool            `json:"enableLinkWithEmail"`
 	OrgChoiceMode       string          `json:"orgChoiceMode"`
 	SamlReplyUrl        string          `xorm:"varchar(100)" json:"samlReplyUrl"`
 	Providers           []*ProviderItem `xorm:"mediumtext" json:"providers"`
-	SignupItems         []*SignupItem   `xorm:"varchar(1000)" json:"signupItems"`
+	SignupItems         []*SignupItem   `xorm:"varchar(2000)" json:"signupItems"`
 	GrantTypes          []string        `xorm:"varchar(1000)" json:"grantTypes"`
 	OrganizationObj     *Organization   `xorm:"-" json:"organizationObj"`
 	CertPublicKey       string          `xorm:"-" json:"certPublicKey"`
 	Tags                []string        `xorm:"mediumtext" json:"tags"`
 	InvitationCodes     []string        `xorm:"varchar(200)" json:"invitationCodes"`
+	SamlAttributes      []*SamlItem     `xorm:"varchar(1000)" json:"samlAttributes"`

 	ClientId             string     `xorm:"varchar(100)" json:"clientId"`
 	ClientSecret         string     `xorm:"varchar(100)" json:"clientSecret"`
@ -306,6 +316,12 @@ func GetMaskedApplication(application *Application, userId string) *Application
 		if application.OrganizationObj.MasterPassword != "" {
 			application.OrganizationObj.MasterPassword = "***"
 		}
+		if application.OrganizationObj.DefaultPassword != "" {
+			application.OrganizationObj.DefaultPassword = "***"
+		}
+		if application.OrganizationObj.MasterVerificationCode != "" {
+			application.OrganizationObj.MasterVerificationCode = "***"
+		}
 		if application.OrganizationObj.PasswordType != "" {
 			application.OrganizationObj.PasswordType = "***"
 		}
@ -332,6 +348,34 @@ func GetMaskedApplications(applications []*Application, userId string) []*Applic
 	return applications
 }

+func GetAllowedApplications(applications []*Application, userId string) ([]*Application, error) {
+	if userId == "" || isUserIdGlobalAdmin(userId) {
+		return applications, nil
+	}
+
+	user, err := GetUser(userId)
+	if err != nil {
+		return nil, err
+	}
+	if user != nil && user.IsAdmin {
+		return applications, nil
+	}
+
+	res := []*Application{}
+	for _, application := range applications {
+		var allowed bool
+		allowed, err = CheckLoginPermission(userId, application)
+		if err != nil {
+			return nil, err
+		}
+
+		if allowed {
+			res = append(res, application)
+		}
+	}
+	return res, nil
+}
+
 func UpdateApplication(id string, application *Application) (bool, error) {
 	owner, name := util.GetOwnerAndNameFromId(id)
 	oldApplication, err := getApplication(owner, name)
@ -428,15 +472,14 @@ func (application *Application) GetId() string {
 }

 func (application *Application) IsRedirectUriValid(redirectUri string) bool {
-	isValid := false
-	for _, targetUri := range application.RedirectUris {
+	redirectUris := append([]string{"http://localhost:", "https://localhost:", "http://127.0.0.1:", "http://casdoor-app"}, application.RedirectUris...)
+	for _, targetUri := range redirectUris {
 		targetUriRegex := regexp.MustCompile(targetUri)
 		if targetUriRegex.MatchString(redirectUri) || strings.Contains(redirectUri, targetUri) {
-			isValid = true
-			break
+			return true
 		}
 	}
-	return isValid
+	return false
 }

 func IsOriginAllowed(origin string) (bool, error) {
--- a/object/cert.go
+++ b/object/cert.go
@ -33,10 +33,8 @@ type Cert struct {
 	BitSize         int    `json:"bitSize"`
 	ExpireInYears   int    `json:"expireInYears"`

-	Certificate            string `xorm:"mediumtext" json:"certificate"`
-	PrivateKey             string `xorm:"mediumtext" json:"privateKey"`
-	AuthorityPublicKey     string `xorm:"mediumtext" json:"authorityPublicKey"`
-	AuthorityRootPublicKey string `xorm:"mediumtext" json:"authorityRootPublicKey"`
+	Certificate string `xorm:"mediumtext" json:"certificate"`
+	PrivateKey  string `xorm:"mediumtext" json:"privateKey"`
 }

 func GetMaskedCert(cert *Cert) *Cert {
@ -89,7 +87,7 @@ func GetGlobalCertsCount(field, value string) (int64, error) {
 	return session.Count(&Cert{})
 }

-func GetGlobleCerts() ([]*Cert, error) {
+func GetGlobalCerts() ([]*Cert, error) {
 	certs := []*Cert{}
 	err := ormer.Engine.Desc("created_time").Find(&certs)
 	if err != nil {
@ -165,6 +163,12 @@ func UpdateCert(id string, cert *Cert) (bool, error) {
 			return false, err
 		}
 	}
+
+	err := cert.populateContent()
+	if err != nil {
+		return false, err
+	}
+
 	affected, err := ormer.Engine.ID(core.PK{owner, name}).AllCols().Update(cert)
 	if err != nil {
 		return false, err
@ -174,10 +178,9 @@ func UpdateCert(id string, cert *Cert) (bool, error) {
 }

 func AddCert(cert *Cert) (bool, error) {
-	if cert.Certificate == "" || cert.PrivateKey == "" {
-		certificate, privateKey := generateRsaKeys(cert.BitSize, cert.ExpireInYears, cert.Name, cert.Owner)
-		cert.Certificate = certificate
-		cert.PrivateKey = privateKey
+	err := cert.populateContent()
+	if err != nil {
+		return false, err
 	}

 	affected, err := ormer.Engine.Insert(cert)
@ -201,6 +204,20 @@ func (p *Cert) GetId() string {
 	return fmt.Sprintf("%s/%s", p.Owner, p.Name)
 }

+func (p *Cert) populateContent() error {
+	if p.Certificate == "" || p.PrivateKey == "" {
+		certificate, privateKey, err := generateRsaKeys(p.BitSize, p.ExpireInYears, p.Name, p.Owner)
+		if err != nil {
+			return err
+		}
+
+		p.Certificate = certificate
+		p.PrivateKey = privateKey
+	}
+
+	return nil
+}
+
 func getCertByApplication(application *Application) (*Cert, error) {
 	if application.Cert != "" {
 		return getCertByName(application.Cert)
--- a/object/cert.go~
+++ b/object/cert.go~
--- a/object/check.go
+++ b/object/check.go
@ -142,7 +142,7 @@ func CheckUserSignup(application *Application, organization *Organization, form
 	return ""
 }

-func checkSigninErrorTimes(user *User, lang string) string {
+func checkSigninErrorTimes(user *User, lang string) error {
 	if user.SigninWrongTimes >= SigninWrongTimesLimit {
 		lastSignWrongTime, _ := time.Parse(time.RFC3339, user.LastSigninWrongTime)
 		passedTime := time.Now().UTC().Sub(lastSignWrongTime)
@ -150,37 +150,39 @@ func checkSigninErrorTimes(user *User, lang string) string {

 		// deny the login if the error times is greater than the limit and the last login time is less than the duration
 		if minutes > 0 {
-			return fmt.Sprintf(i18n.Translate(lang, "check:You have entered the wrong password or code too many times, please wait for %d minutes and try again"), minutes)
+			return fmt.Errorf(i18n.Translate(lang, "check:You have entered the wrong password or code too many times, please wait for %d minutes and try again"), minutes)
 		}

 		// reset the error times
 		user.SigninWrongTimes = 0

-		UpdateUser(user.GetId(), user, []string{"signin_wrong_times"}, false)
+		_, err := UpdateUser(user.GetId(), user, []string{"signin_wrong_times"}, false)
+		return err
 	}

-	return ""
+	return nil
 }

-func CheckPassword(user *User, password string, lang string, options ...bool) string {
+func CheckPassword(user *User, password string, lang string, options ...bool) error {
 	enableCaptcha := false
 	if len(options) > 0 {
 		enableCaptcha = options[0]
 	}
 	// check the login error times
 	if !enableCaptcha {
-		if msg := checkSigninErrorTimes(user, lang); msg != "" {
-			return msg
+		err := checkSigninErrorTimes(user, lang)
+		if err != nil {
+			return err
 		}
 	}

 	organization, err := GetOrganizationByUser(user)
 	if err != nil {
-		panic(err)
+		return err
 	}

 	if organization == nil {
-		return i18n.Translate(lang, "check:Organization does not exist")
+		return fmt.Errorf(i18n.Translate(lang, "check:Organization does not exist"))
 	}

 	passwordType := user.PasswordType
@ -191,19 +193,17 @@ func CheckPassword(user *User, password string, lang string, options ...bool) st
 	if credManager != nil {
 		if organization.MasterPassword != "" {
 			if credManager.IsPasswordCorrect(password, organization.MasterPassword, "", organization.PasswordSalt) {
-				resetUserSigninErrorTimes(user)
-				return ""
+				return resetUserSigninErrorTimes(user)
 			}
 		}

 		if credManager.IsPasswordCorrect(password, user.Password, user.PasswordSalt, organization.PasswordSalt) {
-			resetUserSigninErrorTimes(user)
-			return ""
+			return resetUserSigninErrorTimes(user)
 		}

 		return recordSigninErrorInfo(user, lang, enableCaptcha)
 	} else {
-		return fmt.Sprintf(i18n.Translate(lang, "check:unsupported password type: %s"), organization.PasswordType)
+		return fmt.Errorf(i18n.Translate(lang, "check:unsupported password type: %s"), organization.PasswordType)
 	}
 }

@ -217,10 +217,10 @@ func CheckPasswordComplexity(user *User, password string) string {
 	return CheckPasswordComplexityByOrg(organization, password)
 }

-func checkLdapUserPassword(user *User, password string, lang string) string {
+func checkLdapUserPassword(user *User, password string, lang string) error {
 	ldaps, err := GetLdaps(user.Owner)
 	if err != nil {
-		return err.Error()
+		return err
 	}

 	ldapLoginSuccess := false
@ -237,14 +237,14 @@ func checkLdapUserPassword(user *User, password string, lang string) string {

 		searchResult, err := conn.Conn.Search(searchReq)
 		if err != nil {
-			return err.Error()
+			return err
 		}

 		if len(searchResult.Entries) == 0 {
 			continue
 		}
 		if len(searchResult.Entries) > 1 {
-			return i18n.Translate(lang, "check:Multiple accounts with same uid, please check your ldap server")
+			return fmt.Errorf(i18n.Translate(lang, "check:Multiple accounts with same uid, please check your ldap server"))
 		}

 		hit = true
@ -257,45 +257,47 @@ func checkLdapUserPassword(user *User, password string, lang string) string {

 	if !ldapLoginSuccess {
 		if !hit {
-			return "user not exist"
+			return fmt.Errorf("user not exist")
 		}
-		return i18n.Translate(lang, "check:LDAP user name or password incorrect")
+		return fmt.Errorf(i18n.Translate(lang, "check:LDAP user name or password incorrect"))
 	}
-	return ""
+	return nil
 }

-func CheckUserPassword(organization string, username string, password string, lang string, options ...bool) (*User, string) {
+func CheckUserPassword(organization string, username string, password string, lang string, options ...bool) (*User, error) {
 	enableCaptcha := false
 	if len(options) > 0 {
 		enableCaptcha = options[0]
 	}
 	user, err := GetUserByFields(organization, username)
 	if err != nil {
-		panic(err)
+		return nil, err
 	}

 	if user == nil || user.IsDeleted {
-		return nil, fmt.Sprintf(i18n.Translate(lang, "general:The user: %s doesn't exist"), util.GetId(organization, username))
+		return nil, fmt.Errorf(i18n.Translate(lang, "general:The user: %s doesn't exist"), util.GetId(organization, username))
 	}

 	if user.IsForbidden {
-		return nil, i18n.Translate(lang, "check:The user is forbidden to sign in, please contact the administrator")
+		return nil, fmt.Errorf(i18n.Translate(lang, "check:The user is forbidden to sign in, please contact the administrator"))
 	}

 	if user.Ldap != "" {
-		// ONLY for ldap users
-		if msg := checkLdapUserPassword(user, password, lang); msg != "" {
-			if msg == "user not exist" {
-				return nil, fmt.Sprintf(i18n.Translate(lang, "check:The user: %s doesn't exist in LDAP server"), username)
+		// only for LDAP users
+		err = checkLdapUserPassword(user, password, lang)
+		if err != nil {
+			if err.Error() == "user not exist" {
+				return nil, fmt.Errorf(i18n.Translate(lang, "check:The user: %s doesn't exist in LDAP server"), username)
 			}
-			return nil, msg
+			return nil, err
 		}
 	} else {
-		if msg := CheckPassword(user, password, lang, enableCaptcha); msg != "" {
-			return nil, msg
+		err = CheckPassword(user, password, lang, enableCaptcha)
+		if err != nil {
+			return nil, err
 		}
 	}
-	return user, ""
+	return user, nil
 }

 func CheckUserPermission(requestUserId, userId string, strict bool, lang string) (bool, error) {
@ -308,7 +310,7 @@ func CheckUserPermission(requestUserId, userId string, strict bool, lang string)
 	if userId != "" {
 		targetUser, err := GetUser(userId)
 		if err != nil {
-			panic(err)
+			return false, err
 		}

 		if targetUser == nil {
@ -350,9 +352,9 @@ func CheckUserPermission(requestUserId, userId string, strict bool, lang string)
 	return hasPermission, fmt.Errorf(i18n.Translate(lang, "auth:Unauthorized operation"))
 }

-func CheckAccessPermission(userId string, application *Application) (bool, error) {
-	var err error
-	if userId == "built-in/admin" {
+func CheckLoginPermission(userId string, application *Application) (bool, error) {
+	owner, _ := util.GetOwnerAndNameFromId(userId)
+	if owner == "built-in" {
 		return true, nil
 	}

@ -361,32 +363,60 @@ func CheckAccessPermission(userId string, application *Application) (bool, error
 		return false, err
 	}

-	allowed := true
+	allowPermissionCount := 0
+	denyPermissionCount := 0
+	allowCount := 0
+	denyCount := 0
 	for _, permission := range permissions {
-		if !permission.IsEnabled {
+		if !permission.IsEnabled || permission.State != "Approved" || permission.ResourceType != "Application" || !permission.isResourceHit(application.Name) {
 			continue
 		}

-		isHit := false
-		for _, resource := range permission.Resources {
-			if application.Name == resource {
-				isHit = true
-				break
+		if !permission.isUserHit(userId) && !permission.isRoleHit(userId) {
+			if permission.Effect == "Allow" {
+				allowPermissionCount += 1
+			} else {
+				denyPermissionCount += 1
 			}
+			continue
 		}

-		if isHit {
-			containsAsterisk := ContainsAsterisk(userId, permission.Users)
-			if containsAsterisk {
-				return true, err
+		enforcer, err := getPermissionEnforcer(permission)
+		if err != nil {
+			return false, err
+		}
+
+		var isAllowed bool
+		isAllowed, err = enforcer.Enforce(userId, application.Name, "Read")
+		if err != nil {
+			return false, err
+		}
+
+		if isAllowed {
+			if permission.Effect == "Allow" {
+				allowCount += 1
 			}
-			enforcer := getPermissionEnforcer(permission)
-			if allowed, err = enforcer.Enforce(userId, application.Name, "read"); allowed {
-				return allowed, err
+		} else {
+			if permission.Effect == "Deny" {
+				denyCount += 1
 			}
 		}
 	}
-	return allowed, err
+
+	// Deny-override, if one deny is found, then deny
+	if denyCount > 0 {
+		return false, nil
+	} else if allowCount > 0 {
+		return true, nil
+	}
+
+	// For no-allow and no-deny condition
+	// If only allow permissions exist, we suppose it's Deny-by-default, aka no-allow means deny
+	// Otherwise, it's Allow-by-default, aka no-deny means allow
+	if allowPermissionCount > 0 && denyPermissionCount == 0 {
+		return false, nil
+	}
+	return true, nil
 }

 func CheckUsername(username string, lang string) string {
--- a/object/check_util.go
+++ b/object/check_util.go
@ -36,20 +36,23 @@ func isValidRealName(s string) bool {
 	return reRealName.MatchString(s)
 }

-func resetUserSigninErrorTimes(user *User) {
+func resetUserSigninErrorTimes(user *User) error {
 	// if the password is correct and wrong times is not zero, reset the error times
 	if user.SigninWrongTimes == 0 {
-		return
+		return nil
 	}
+
 	user.SigninWrongTimes = 0
-	UpdateUser(user.GetId(), user, []string{"signin_wrong_times", "last_signin_wrong_time"}, false)
+	_, err := UpdateUser(user.GetId(), user, []string{"signin_wrong_times", "last_signin_wrong_time"}, false)
+	return err
 }

-func recordSigninErrorInfo(user *User, lang string, options ...bool) string {
+func recordSigninErrorInfo(user *User, lang string, options ...bool) error {
 	enableCaptcha := false
 	if len(options) > 0 {
 		enableCaptcha = options[0]
 	}
+
 	// increase failed login count
 	if user.SigninWrongTimes < SigninWrongTimesLimit {
 		user.SigninWrongTimes++
@ -61,13 +64,18 @@ func recordSigninErrorInfo(user *User, lang string, options ...bool) string {
 	}

 	// update user
-	UpdateUser(user.GetId(), user, []string{"signin_wrong_times", "last_signin_wrong_time"}, false)
+	_, err := UpdateUser(user.GetId(), user, []string{"signin_wrong_times", "last_signin_wrong_time"}, false)
+	if err != nil {
+		return err
+	}
+
 	leftChances := SigninWrongTimesLimit - user.SigninWrongTimes
 	if leftChances == 0 && enableCaptcha {
-		return fmt.Sprint(i18n.Translate(lang, "check:password or code is incorrect"))
+		return fmt.Errorf(i18n.Translate(lang, "check:password or code is incorrect"))
 	} else if leftChances >= 0 {
-		return fmt.Sprintf(i18n.Translate(lang, "check:password or code is incorrect, you have %d remaining chances"), leftChances)
+		return fmt.Errorf(i18n.Translate(lang, "check:password or code is incorrect, you have %d remaining chances"), leftChances)
 	}
+
 	// don't show the chance error message if the user has no chance left
-	return fmt.Sprintf(i18n.Translate(lang, "check:You have entered the wrong password or code too many times, please wait for %d minutes and try again"), int(LastSignWrongTimeDuration.Minutes()))
+	return fmt.Errorf(i18n.Translate(lang, "check:You have entered the wrong password or code too many times, please wait for %d minutes and try again"), int(LastSignWrongTimeDuration.Minutes()))
 }
--- a/object/email.go
+++ b/object/email.go
@ -19,6 +19,7 @@ package object
 import (
 	"crypto/tls"

+	"github.com/casdoor/casdoor/email"
 	"github.com/casdoor/gomail/v2"
 )

@ -35,9 +36,7 @@ func getDialer(provider *Provider) *gomail.Dialer {
 }

 func SendEmail(provider *Provider, title string, content string, dest string, sender string) error {
-	dialer := getDialer(provider)
-
-	message := gomail.NewMessage()
+	emailProvider := email.GetEmailProvider(provider.Type, provider.ClientId, provider.ClientSecret, provider.Host, provider.Port, provider.DisableSsl)

 	fromAddress := provider.ClientId2
 	if fromAddress == "" {
@ -49,14 +48,7 @@ func SendEmail(provider *Provider, title string, content string, dest string, se
 		fromName = sender
 	}

-	message.SetAddressHeader("From", fromAddress, fromName)
-	message.SetHeader("To", dest)
-	message.SetHeader("Subject", title)
-	message.SetBody("text/html", content)
-
-	message.SkipUsernameCheck = true
-
-	return dialer.DialAndSend(message)
+	return emailProvider.Send(fromAddress, fromName, dest, title, content)
 }

 // DailSmtpServer Dail Smtp server
--- a/object/enforcer.go
+++ b/object/enforcer.go
@ -18,7 +18,6 @@ import (
 	"fmt"

 	"github.com/casbin/casbin/v2"
-	"github.com/casbin/casbin/v2/config"
 	"github.com/casdoor/casdoor/util"
 	xormadapter "github.com/casdoor/xorm-adapter/v3"
 	"github.com/xorm-io/core"
@ -191,39 +190,55 @@ func GetPolicies(id string) ([]*xormadapter.CasbinRule, error) {
 		return nil, err
 	}

-	policies := util.MatrixToCasbinRules("p", enforcer.GetPolicy())
+	pRules := enforcer.GetPolicy()
+	res := util.MatrixToCasbinRules("p", pRules)
+
 	if enforcer.GetModel()["g"] != nil {
-		policies = append(policies, util.MatrixToCasbinRules("g", enforcer.GetGroupingPolicy())...)
+		gRules := enforcer.GetGroupingPolicy()
+		res2 := util.MatrixToCasbinRules("g", gRules)
+		res = append(res, res2...)
 	}

-	return policies, nil
+	return res, nil
 }

-func UpdatePolicy(id string, oldPolicy, newPolicy []string) (bool, error) {
+func UpdatePolicy(id string, ptype string, oldPolicy []string, newPolicy []string) (bool, error) {
 	enforcer, err := GetInitializedEnforcer(id)
 	if err != nil {
 		return false, err
 	}

-	return enforcer.UpdatePolicy(oldPolicy, newPolicy)
+	if ptype == "p" {
+		return enforcer.UpdatePolicy(oldPolicy, newPolicy)
+	} else {
+		return enforcer.UpdateGroupingPolicy(oldPolicy, newPolicy)
+	}
 }

-func AddPolicy(id string, policy []string) (bool, error) {
+func AddPolicy(id string, ptype string, policy []string) (bool, error) {
 	enforcer, err := GetInitializedEnforcer(id)
 	if err != nil {
 		return false, err
 	}

-	return enforcer.AddPolicy(policy)
+	if ptype == "p" {
+		return enforcer.AddPolicy(policy)
+	} else {
+		return enforcer.AddGroupingPolicy(policy)
+	}
 }

-func RemovePolicy(id string, policy []string) (bool, error) {
+func RemovePolicy(id string, ptype string, policy []string) (bool, error) {
 	enforcer, err := GetInitializedEnforcer(id)
 	if err != nil {
 		return false, err
 	}

-	return enforcer.RemovePolicy(policy)
+	if ptype == "p" {
+		return enforcer.RemovePolicy(policy)
+	} else {
+		return enforcer.RemoveGroupingPolicy(policy)
+	}
 }

 func (enforcer *Enforcer) LoadModelCfg() error {
@ -231,23 +246,17 @@ func (enforcer *Enforcer) LoadModelCfg() error {
 		return nil
 	}

-	model, err := GetModel(enforcer.Model)
+	model, err := GetModelEx(enforcer.Model)
 	if err != nil {
 		return err
 	} else if model == nil {
 		return fmt.Errorf("the model: %s for enforcer: %s is not found", enforcer.Model, enforcer.GetId())
 	}

-	cfg, err := config.NewConfigFromText(model.ModelText)
+	enforcer.ModelCfg, err = getModelCfg(model)
 	if err != nil {
 		return err
 	}

-	enforcer.ModelCfg = make(map[string]string)
-	enforcer.ModelCfg["p"] = cfg.String("policy_definition::p")
-	if cfg.String("role_definition::g") != "" {
-		enforcer.ModelCfg["g"] = cfg.String("role_definition::g")
-	}
-
 	return nil
 }
--- a/object/group.go
+++ b/object/group.go
@ -226,7 +226,7 @@ func GetGroupUserCount(groupId string, field, value string) (int64, error) {
 	} else {
 		return ormer.Engine.Table("user").
 			Where("owner = ?", owner).In("name", names).
-			And(fmt.Sprintf("user.%s LIKE ?", util.CamelToSnakeCase(field)), "%"+value+"%").
+			And(fmt.Sprintf("user.%s like ?", util.CamelToSnakeCase(field)), "%"+value+"%").
 			Count()
 	}
 }
@ -247,7 +247,7 @@ func GetPaginationGroupUsers(groupId string, offset, limit int, field, value, so
 	}

 	if field != "" && value != "" {
-		session = session.And(fmt.Sprintf("user.%s LIKE ?", util.CamelToSnakeCase(field)), "%"+value+"%")
+		session = session.And(fmt.Sprintf("user.%s like ?", util.CamelToSnakeCase(field)), "%"+value+"%")
 	}

 	if sortField == "" || sortOrder == "" {
--- a/object/init.go
+++ b/object/init.go
@ -178,7 +178,7 @@ func initBuiltInApplication() {
 		EnablePassword: true,
 		EnableSignUp:   true,
 		Providers: []*ProviderItem{
-			{Name: "provider_captcha_default", CanSignUp: false, CanSignIn: false, CanUnlink: false, Prompted: false, AlertType: "None", Rule: "None", Provider: nil},
+			{Name: "provider_captcha_default", CanSignUp: false, CanSignIn: false, CanUnlink: false, Prompted: false, SignupGroup: "", Rule: "None", Provider: nil},
 		},
 		SignupItems: []*SignupItem{
 			{Name: "ID", Visible: false, Required: true, Prompted: false, Rule: "Random"},
@ -396,15 +396,22 @@ func initBuiltInPermission() {
 		Name:         "permission-built-in",
 		CreatedTime:  util.GetCurrentTime(),
 		DisplayName:  "Built-in Permission",
+		Description:  "Built-in Permission",
 		Users:        []string{"built-in/*"},
+		Groups:       []string{},
 		Roles:        []string{},
 		Domains:      []string{},
 		Model:        "model-built-in",
+		Adapter:      "",
 		ResourceType: "Application",
 		Resources:    []string{"app-built-in"},
 		Actions:      []string{"Read", "Write", "Admin"},
 		Effect:       "Allow",
 		IsEnabled:    true,
+		Submitter:    "admin",
+		Approver:     "admin",
+		ApproveTime:  util.GetCurrentTime(),
+		State:        "Approved",
 	}
 	_, err = AddPermission(permission)
 	if err != nil {
@ -423,14 +430,11 @@ func initBuiltInUserAdapter() {
 	}

 	adapter = &Adapter{
-		Owner:           "built-in",
-		Name:            "user-adapter-built-in",
-		CreatedTime:     util.GetCurrentTime(),
-		Type:            "Database",
-		DatabaseType:    conf.GetConfigString("driverName"),
-		TableNamePrefix: conf.GetConfigString("tableNamePrefix"),
-		Database:        conf.GetConfigString("dbName"),
-		Table:           "casbin_user_rule",
+		Owner:       "built-in",
+		Name:        "user-adapter-built-in",
+		CreatedTime: util.GetCurrentTime(),
+		Table:       "casbin_user_rule",
+		UseSameDb:   true,
 	}
 	_, err = AddAdapter(adapter)
 	if err != nil {
@ -449,14 +453,11 @@ func initBuiltInApiAdapter() {
 	}

 	adapter = &Adapter{
-		Owner:           "built-in",
-		Name:            "api-adapter-built-in",
-		CreatedTime:     util.GetCurrentTime(),
-		Type:            "Database",
-		DatabaseType:    conf.GetConfigString("driverName"),
-		TableNamePrefix: conf.GetConfigString("tableNamePrefix"),
-		Database:        conf.GetConfigString("dbName"),
-		Table:           "casbin_api_rule",
+		Owner:       "built-in",
+		Name:        "api-adapter-built-in",
+		CreatedTime: util.GetCurrentTime(),
+		Table:       "casbin_api_rule",
+		UseSameDb:   true,
 	}
 	_, err = AddAdapter(adapter)
 	if err != nil {
--- a/object/init_data_dump.go
+++ b/object/init_data_dump.go
@ -0,0 +1,121 @@
+// Copyright 2023 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package object
+
+import "github.com/casdoor/casdoor/util"
+
+func DumpToFile(filePath string) error {
+	return writeInitDataToFile(filePath)
+}
+
+func writeInitDataToFile(filePath string) error {
+	organizations, err := GetOrganizations("admin")
+	if err != nil {
+		return err
+	}
+
+	applications, err := GetApplications("admin")
+	if err != nil {
+		return err
+	}
+
+	users, err := GetGlobalUsers()
+	if err != nil {
+		return err
+	}
+
+	certs, err := GetCerts("")
+	if err != nil {
+		return err
+	}
+
+	providers, err := GetGlobalProviders()
+	if err != nil {
+		return err
+	}
+
+	ldaps, err := GetLdaps("")
+	if err != nil {
+		return err
+	}
+
+	models, err := GetModels("")
+	if err != nil {
+		return err
+	}
+
+	permissions, err := GetPermissions("")
+	if err != nil {
+		return err
+	}
+
+	payments, err := GetPayments("")
+	if err != nil {
+		return err
+	}
+
+	products, err := GetProducts("")
+	if err != nil {
+		return err
+	}
+
+	resources, err := GetResources("", "")
+	if err != nil {
+		return err
+	}
+
+	roles, err := GetRoles("")
+	if err != nil {
+		return err
+	}
+
+	syncers, err := GetSyncers("")
+	if err != nil {
+		return err
+	}
+
+	tokens, err := GetTokens("", "")
+	if err != nil {
+		return err
+	}
+
+	webhooks, err := GetWebhooks("", "")
+	if err != nil {
+		return err
+	}
+
+	data := &InitData{
+		Organizations: organizations,
+		Applications:  applications,
+		Users:         users,
+		Certs:         certs,
+		Providers:     providers,
+		Ldaps:         ldaps,
+		Models:        models,
+		Permissions:   permissions,
+		Payments:      payments,
+		Products:      products,
+		Resources:     resources,
+		Roles:         roles,
+		Syncers:       syncers,
+		Tokens:        tokens,
+		Webhooks:      webhooks,
+	}
+
+	text := util.StructToJsonFormatted(data)
+	util.WriteStringToPath(text, filePath)
+
+	return nil
+}
--- a/object/init_data_dump_test.go
+++ b/object/init_data_dump_test.go
@ -1,4 +1,4 @@
-// Copyright 2021 The Casdoor Authors. All Rights Reserved.
+// Copyright 2023 The Casdoor Authors. All Rights Reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@ -12,26 +12,18 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.

+//go:build !skipCi
+// +build !skipCi
+
 package object

-func (syncer *Syncer) getUsers() []*User {
-	users, err := GetUsers(syncer.Organization)
+import "testing"
+
+func TestDumpToFile(t *testing.T) {
+	InitConfig()
+
+	err := DumpToFile("./init_data_dump.json")
 	if err != nil {
 		panic(err)
 	}
-
-	return users
-}
-
-func (syncer *Syncer) getUserMap() ([]*User, map[string]*User, map[string]*User) {
-	users := syncer.getUsers()
-
-	m1 := map[string]*User{}
-	m2 := map[string]*User{}
-	for _, user := range users {
-		m1[user.Id] = user
-		m2[user.Name] = user
-	}
-
-	return users, m1, m2
 }
--- a/object/ldap_conn.go
+++ b/object/ldap_conn.go
@ -305,7 +305,7 @@ func SyncLdapUsers(owner string, syncUsers []LdapUser, ldapId string) (existUser
 				return nil, nil, err
 			}

-			name, err := syncUser.buildLdapUserName()
+			name, err := syncUser.buildLdapUserName(owner)
 			if err != nil {
 				return nil, nil, err
 			}
@ -354,10 +354,10 @@ func GetExistUuids(owner string, uuids []string) ([]string, error) {
 	return existUuids, nil
 }

-func (ldapUser *LdapUser) buildLdapUserName() (string, error) {
+func (ldapUser *LdapUser) buildLdapUserName(owner string) (string, error) {
 	user := User{}
 	uidWithNumber := fmt.Sprintf("%s_%s", ldapUser.Uid, ldapUser.UidNumber)
-	has, err := ormer.Engine.Where("name = ? or name = ?", ldapUser.Uid, uidWithNumber).Get(&user)
+	has, err := ormer.Engine.Where("owner = ? and (name = ? or name = ?)", owner, ldapUser.Uid, uidWithNumber).Get(&user)
 	if err != nil {
 		return "", err
 	}
--- a/object/mfa_totp.go
+++ b/object/mfa_totp.go
@ -19,7 +19,6 @@ import (
 	"fmt"
 	"time"

-	"github.com/beego/beego"
 	"github.com/beego/beego/context"
 	"github.com/google/uuid"
 	"github.com/pquerna/otp"
@ -39,10 +38,11 @@ type TotpMfa struct {
 }

 func (mfa *TotpMfa) Initiate(ctx *context.Context, userId string) (*MfaProps, error) {
-	issuer := beego.AppConfig.String("appname")
-	if issuer == "" {
-		issuer = "casdoor"
-	}
+	//issuer := beego.AppConfig.String("appname")
+	//if issuer == "" {
+	//	issuer = "casdoor"
+	//}
+	issuer := "Casdoor"

 	key, err := totp.Generate(totp.GenerateOpts{
 		Issuer:      issuer,
@ -81,12 +81,15 @@ func (mfa *TotpMfa) SetupVerify(ctx *context.Context, passcode string) error {
 		return errors.New("totp secret is missing")
 	}

-	result, _ := totp.ValidateCustom(passcode, secret.(string), time.Now().UTC(), totp.ValidateOpts{
+	result, err := totp.ValidateCustom(passcode, secret.(string), time.Now().UTC(), totp.ValidateOpts{
 		Period:    MfaTotpPeriodInSeconds,
 		Skew:      1,
 		Digits:    otp.DigitsSix,
 		Algorithm: otp.AlgorithmSHA1,
 	})
+	if err != nil {
+		return err
+	}

 	if result {
 		return nil
@ -125,7 +128,15 @@ func (mfa *TotpMfa) Enable(ctx *context.Context, user *User) error {
 }

 func (mfa *TotpMfa) Verify(passcode string) error {
-	result := totp.Validate(passcode, mfa.Config.Secret)
+	result, err := totp.ValidateCustom(passcode, mfa.Config.Secret, time.Now().UTC(), totp.ValidateOpts{
+		Period:    MfaTotpPeriodInSeconds,
+		Skew:      1,
+		Digits:    otp.DigitsSix,
+		Algorithm: otp.AlgorithmSHA1,
+	})
+	if err != nil {
+		return err
+	}

 	if result {
 		return nil
--- a/object/migrator.go
+++ b/object/migrator.go
@ -1,51 +0,0 @@
-// Copyright 2023 The Casdoor Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//      http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package object
-
-import "github.com/xorm-io/xorm/migrate"
-
-type Migrator interface {
-	IsMigrationNeeded() bool
-	DoMigration() *migrate.Migration
-}
-
-func DoMigration() {
-	migrators := []Migrator{
-		&Migrator_1_101_0_PR_1083{},
-		&Migrator_1_235_0_PR_1530{},
-		&Migrator_1_240_0_PR_1539{},
-		&Migrator_1_314_0_PR_1841{},
-		// more migrators add here in chronological order...
-	}
-
-	migrations := []*migrate.Migration{}
-
-	for _, migrator := range migrators {
-		if migrator.IsMigrationNeeded() {
-			migrations = append(migrations, migrator.DoMigration())
-		}
-	}
-
-	options := &migrate.Options{
-		TableName:    "migration",
-		IDColumnName: "id",
-	}
-
-	m := migrate.New(ormer.Engine, options, migrations)
-	err := m.Migrate()
-	if err != nil {
-		panic(err)
-	}
-}
--- a/object/migrator_1_101_0_PR_1083.go
+++ b/object/migrator_1_101_0_PR_1083.go
@ -1,70 +0,0 @@
-// Copyright 2023 The Casdoor Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//      http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package object
-
-import (
-	"strings"
-
-	"github.com/xorm-io/xorm"
-	"github.com/xorm-io/xorm/migrate"
-)
-
-type Migrator_1_101_0_PR_1083 struct{}
-
-func (*Migrator_1_101_0_PR_1083) IsMigrationNeeded() bool {
-	exist1, _ := ormer.Engine.IsTableExist("model")
-	exist2, _ := ormer.Engine.IsTableExist("permission")
-	exist3, _ := ormer.Engine.IsTableExist("permission_rule")
-
-	if exist1 && exist2 && exist3 {
-		return true
-	}
-	return false
-}
-
-func (*Migrator_1_101_0_PR_1083) DoMigration() *migrate.Migration {
-	migration := migrate.Migration{
-		ID: "20230209MigratePermissionRule--Use V5 instead of V1 to store permissionID",
-		Migrate: func(engine *xorm.Engine) error {
-			models := []*Model{}
-			err := engine.Table("model").Find(&models, &Model{})
-			if err != nil {
-				panic(err)
-			}
-
-			isHit := false
-			for _, model := range models {
-				if strings.Contains(model.ModelText, "permission") {
-					// update model table
-					model.ModelText = strings.Replace(model.ModelText, "permission,", "", -1)
-					UpdateModel(model.GetId(), model)
-					isHit = true
-				}
-			}
-
-			if isHit {
-				// update permission_rule table
-				sql := "UPDATE `permission_rule`SET V0 = V1, V1 = V2, V2 = V3, V3 = V4, V4 = V5 WHERE V0 IN (SELECT CONCAT(owner, '/', name) AS permission_id FROM `permission`)"
-				_, err = engine.Exec(sql)
-				if err != nil {
-					return err
-				}
-			}
-			return err
-		},
-	}
-
-	return &migration
-}
--- a/object/migrator_1_235_0_PR_1530.go
+++ b/object/migrator_1_235_0_PR_1530.go
@ -1,46 +0,0 @@
-// Copyright 2023 The Casdoor Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//      http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package object
-
-import (
-	xormadapter "github.com/casdoor/xorm-adapter/v3"
-	"github.com/xorm-io/xorm"
-	"github.com/xorm-io/xorm/migrate"
-)
-
-type Migrator_1_235_0_PR_1530 struct{}
-
-func (*Migrator_1_235_0_PR_1530) IsMigrationNeeded() bool {
-	exist, _ := ormer.Engine.IsTableExist("casbin_rule")
-
-	return exist
-}
-
-func (*Migrator_1_235_0_PR_1530) DoMigration() *migrate.Migration {
-	migration := migrate.Migration{
-		ID: "20221015CasbinRule--fill ptype field with p",
-		Migrate: func(engine *xorm.Engine) error {
-			_, err := engine.Cols("ptype").Update(&xormadapter.CasbinRule{
-				Ptype: "p",
-			})
-			return err
-		},
-		Rollback: func(engine *xorm.Engine) error {
-			return engine.DropTables(&xormadapter.CasbinRule{})
-		},
-	}
-
-	return &migration
-}
--- a/object/migrator_1_240_0_PR_1539.go
+++ b/object/migrator_1_240_0_PR_1539.go
@ -1,141 +0,0 @@
-// Copyright 2023 The Casdoor Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//      http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package object
-
-import (
-	"errors"
-
-	"github.com/xorm-io/xorm"
-	"github.com/xorm-io/xorm/migrate"
-)
-
-type Migrator_1_240_0_PR_1539 struct{}
-
-func (*Migrator_1_240_0_PR_1539) IsMigrationNeeded() bool {
-	exist, _ := ormer.Engine.IsTableExist("session")
-	err := ormer.Engine.Table("session").Find(&[]*Session{})
-
-	if exist && err != nil {
-		return true
-	}
-	return false
-}
-
-func (*Migrator_1_240_0_PR_1539) DoMigration() *migrate.Migration {
-	migration := migrate.Migration{
-		ID: "20230211MigrateSession--Create a new field 'application' for table `session`",
-		Migrate: func(engine *xorm.Engine) error {
-			if alreadyCreated, _ := engine.IsTableExist("session_tmp"); alreadyCreated {
-				return errors.New("there is already a table called 'session_tmp', please rename or delete it for casdoor version migration and restart")
-			}
-
-			type oldSession struct {
-				Owner       string `xorm:"varchar(100) notnull pk" json:"owner"`
-				Name        string `xorm:"varchar(100) notnull pk" json:"name"`
-				CreatedTime string `xorm:"varchar(100)" json:"createdTime"`
-
-				SessionId []string `json:"sessionId"`
-			}
-
-			tx := engine.NewSession()
-
-			defer tx.Close()
-
-			err := tx.Begin()
-			if err != nil {
-				return err
-			}
-
-			err = tx.Table("session_tmp").CreateTable(&Session{})
-			if err != nil {
-				return err
-			}
-
-			oldSessions := []*oldSession{}
-			newSessions := []*Session{}
-
-			err = tx.Table("session").Find(&oldSessions)
-			if err != nil {
-				return err
-			}
-
-			for _, oldSession := range oldSessions {
-				newApplication := "null"
-				if oldSession.Owner == "built-in" {
-					newApplication = "app-built-in"
-				}
-				newSessions = append(newSessions, &Session{
-					Owner:       oldSession.Owner,
-					Name:        oldSession.Name,
-					Application: newApplication,
-					CreatedTime: oldSession.CreatedTime,
-					SessionId:   oldSession.SessionId,
-				})
-			}
-
-			rollbackFlag := false
-			_, err = tx.Table("session_tmp").Insert(newSessions)
-			count1, _ := tx.Table("session_tmp").Count()
-			count2, _ := tx.Table("session").Count()
-
-			if err != nil || count1 != count2 {
-				rollbackFlag = true
-			}
-
-			delete := &Session{
-				Application: "null",
-			}
-			_, err = tx.Table("session_tmp").Delete(*delete)
-			if err != nil {
-				rollbackFlag = true
-			}
-
-			if rollbackFlag {
-				tx.DropTable("session_tmp")
-				return errors.New("there is something wrong with data migration for table `session`, if there is a table called `session_tmp` not created by you in casdoor, please drop it, then restart anyhow")
-			}
-
-			err = tx.DropTable("session")
-			if err != nil {
-				return errors.New("fail to drop table `session` for casdoor, please drop it and rename the table `session_tmp` to `session` manually and restart")
-			}
-
-			// Already drop table `session`
-			// Can't find an api from xorm for altering table name
-			err = tx.Table("session").CreateTable(&Session{})
-			if err != nil {
-				return errors.New("there is something wrong with data migration for table `session`, please restart")
-			}
-
-			sessions := []*Session{}
-			tx.Table("session_tmp").Find(&sessions)
-			_, err = tx.Table("session").Insert(sessions)
-			if err != nil {
-				return errors.New("there is something wrong with data migration for table `session`, please drop table `session` and rename table `session_tmp` to `session` and restart")
-			}
-
-			err = tx.DropTable("session_tmp")
-			if err != nil {
-				return errors.New("fail to drop table `session_tmp` for casdoor, please drop it manually and restart")
-			}
-
-			tx.Commit()
-
-			return nil
-		},
-	}
-
-	return &migration
-}
--- a/object/migrator_1_314_0_PR_1841.go
+++ b/object/migrator_1_314_0_PR_1841.go
@ -1,68 +0,0 @@
-// Copyright 2023 The Casdoor Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//      http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package object
-
-import (
-	"github.com/xorm-io/xorm"
-	"github.com/xorm-io/xorm/migrate"
-)
-
-type Migrator_1_314_0_PR_1841 struct{}
-
-func (*Migrator_1_314_0_PR_1841) IsMigrationNeeded() bool {
-	count, err := ormer.Engine.Where("password_type=?", "").Count(&User{})
-	if err != nil {
-		// table doesn't exist
-		return false
-	}
-
-	return count > 100
-}
-
-func (*Migrator_1_314_0_PR_1841) DoMigration() *migrate.Migration {
-	migration := migrate.Migration{
-		ID: "20230515MigrateUser--Create a new field 'passwordType' for table `user`",
-		Migrate: func(engine *xorm.Engine) error {
-			tx := engine.NewSession()
-
-			defer tx.Close()
-
-			err := tx.Begin()
-			if err != nil {
-				return err
-			}
-
-			organizations := []*Organization{}
-			err = tx.Table("organization").Find(&organizations)
-			if err != nil {
-				return err
-			}
-
-			for _, organization := range organizations {
-				user := &User{PasswordType: organization.PasswordType}
-				_, err = tx.Where("owner = ?", organization.Name).Cols("password_type").Update(user)
-				if err != nil {
-					return err
-				}
-			}
-
-			tx.Commit()
-
-			return nil
-		},
-	}
-
-	return &migration
-}
--- a/object/model.go
+++ b/object/model.go
@ -17,6 +17,7 @@ package object
 import (
 	"fmt"

+	"github.com/casbin/casbin/v2/config"
 	"github.com/casbin/casbin/v2/model"
 	"github.com/casdoor/casdoor/util"
 	"github.com/xorm-io/core"
@ -83,6 +84,19 @@ func GetModel(id string) (*Model, error) {
 	return getModel(owner, name)
 }

+func GetModelEx(id string) (*Model, error) {
+	owner, name := util.GetOwnerAndNameFromId(id)
+	model, err := getModel(owner, name)
+	if err != nil {
+		return nil, err
+	}
+	if model != nil {
+		return model, nil
+	}
+
+	return getModel("built-in", name)
+}
+
 func UpdateModelWithCheck(id string, modelObj *Model) error {
 	// check model grammar
 	_, err := model.NewModelFromString(modelObj.ModelText)
@ -188,3 +202,17 @@ func (m *Model) initModel() error {

 	return nil
 }
+
+func getModelCfg(m *Model) (map[string]string, error) {
+	cfg, err := config.NewConfigFromText(m.ModelText)
+	if err != nil {
+		return nil, err
+	}
+
+	modelCfg := make(map[string]string)
+	modelCfg["p"] = cfg.String("policy_definition::p")
+	if cfg.String("role_definition::g") != "" {
+		modelCfg["g"] = cfg.String("role_definition::g")
+	}
+	return modelCfg, nil
+}
--- a/object/notification.go
+++ b/object/notification.go
@ -18,12 +18,12 @@ import (
 	"context"

 	"github.com/casdoor/casdoor/notification"
-	"github.com/nikoksr/notify"
+	"github.com/casdoor/notify"
 )

 func getNotificationClient(provider *Provider) (notify.Notifier, error) {
 	var client notify.Notifier
-	client, err := notification.GetNotificationProvider(provider.Type, provider.AppId, provider.Receiver, provider.Method, provider.Title)
+	client, err := notification.GetNotificationProvider(provider.Type, provider.ClientId, provider.ClientSecret, provider.ClientId2, provider.ClientSecret2, provider.AppId, provider.Receiver, provider.Method, provider.Title, provider.Metadata)
 	if err != nil {
 		return nil, err
 	}
--- a/object/oidc_discovery.go
+++ b/object/oidc_discovery.go
@ -59,7 +59,7 @@ func isIpAddress(host string) bool {
 	return ip != nil
 }

-func getOriginFromHost(host string) (string, string) {
+func getOriginFromHostInternal(host string) (string, string) {
 	origin := conf.GetConfigString("origin")
 	if origin != "" {
 		return origin, origin
@ -82,6 +82,17 @@ func getOriginFromHost(host string) (string, string) {
 	}
 }

+func getOriginFromHost(host string) (string, string) {
+	originF, originB := getOriginFromHostInternal(host)
+
+	originFrontend := conf.GetConfigString("originFrontend")
+	if originFrontend != "" {
+		originF = originFrontend
+	}
+
+	return originF, originB
+}
+
 func GetOidcDiscovery(host string) OidcDiscovery {
 	originFrontend, originBackend := getOriginFromHost(host)

@ -127,9 +138,16 @@ func GetJsonWebKeySet() (jose.JSONWebKeySet, error) {
 			continue
 		}

+		if cert.Certificate == "" {
+			return jwks, fmt.Errorf("the certificate field should not be empty for the cert: %v", cert)
+		}
+
 		certPemBlock := []byte(cert.Certificate)
 		certDerBlock, _ := pem.Decode(certPemBlock)
-		x509Cert, _ := x509.ParseCertificate(certDerBlock.Bytes)
+		x509Cert, err := x509.ParseCertificate(certDerBlock.Bytes)
+		if err != nil {
+			return jwks, err
+		}

 		var jwk jose.JSONWebKey
 		jwk.Key = x509Cert.PublicKey
--- a/object/organization.go
+++ b/object/organization.go
@ -51,22 +51,24 @@ type Organization struct {
 	Name        string `xorm:"varchar(100) notnull pk" json:"name"`
 	CreatedTime string `xorm:"varchar(100)" json:"createdTime"`

-	DisplayName        string     `xorm:"varchar(100)" json:"displayName"`
-	WebsiteUrl         string     `xorm:"varchar(100)" json:"websiteUrl"`
-	Favicon            string     `xorm:"varchar(100)" json:"favicon"`
-	PasswordType       string     `xorm:"varchar(100)" json:"passwordType"`
-	PasswordSalt       string     `xorm:"varchar(100)" json:"passwordSalt"`
-	PasswordOptions    []string   `xorm:"varchar(100)" json:"passwordOptions"`
-	CountryCodes       []string   `xorm:"varchar(200)"  json:"countryCodes"`
-	DefaultAvatar      string     `xorm:"varchar(200)" json:"defaultAvatar"`
-	DefaultApplication string     `xorm:"varchar(100)" json:"defaultApplication"`
-	Tags               []string   `xorm:"mediumtext" json:"tags"`
-	Languages          []string   `xorm:"varchar(255)" json:"languages"`
-	ThemeData          *ThemeData `xorm:"json" json:"themeData"`
-	MasterPassword     string     `xorm:"varchar(100)" json:"masterPassword"`
-	InitScore          int        `json:"initScore"`
-	EnableSoftDeletion bool       `json:"enableSoftDeletion"`
-	IsProfilePublic    bool       `json:"isProfilePublic"`
+	DisplayName            string     `xorm:"varchar(100)" json:"displayName"`
+	WebsiteUrl             string     `xorm:"varchar(100)" json:"websiteUrl"`
+	Favicon                string     `xorm:"varchar(100)" json:"favicon"`
+	PasswordType           string     `xorm:"varchar(100)" json:"passwordType"`
+	PasswordSalt           string     `xorm:"varchar(100)" json:"passwordSalt"`
+	PasswordOptions        []string   `xorm:"varchar(100)" json:"passwordOptions"`
+	CountryCodes           []string   `xorm:"varchar(200)"  json:"countryCodes"`
+	DefaultAvatar          string     `xorm:"varchar(200)" json:"defaultAvatar"`
+	DefaultApplication     string     `xorm:"varchar(100)" json:"defaultApplication"`
+	Tags                   []string   `xorm:"mediumtext" json:"tags"`
+	Languages              []string   `xorm:"varchar(255)" json:"languages"`
+	ThemeData              *ThemeData `xorm:"json" json:"themeData"`
+	MasterPassword         string     `xorm:"varchar(100)" json:"masterPassword"`
+	DefaultPassword        string     `xorm:"varchar(100)" json:"defaultPassword"`
+	MasterVerificationCode string     `xorm:"varchar(100)" json:"masterVerificationCode"`
+	InitScore              int        `json:"initScore"`
+	EnableSoftDeletion     bool       `json:"enableSoftDeletion"`
+	IsProfilePublic        bool       `json:"isProfilePublic"`

 	MfaItems     []*MfaItem     `xorm:"varchar(300)" json:"mfaItems"`
 	AccountItems []*AccountItem `xorm:"varchar(5000)" json:"accountItems"`
@ -155,6 +157,12 @@ func GetMaskedOrganization(organization *Organization, errs ...error) (*Organiza
 	if organization.MasterPassword != "" {
 		organization.MasterPassword = "***"
 	}
+	if organization.DefaultPassword != "" {
+		organization.DefaultPassword = "***"
+	}
+	if organization.MasterVerificationCode != "" {
+		organization.MasterVerificationCode = "***"
+	}
 	return organization, nil
 }

@ -202,9 +210,17 @@ func UpdateOrganization(id string, organization *Organization) (bool, error) {
 	}

 	session := ormer.Engine.ID(core.PK{owner, name}).AllCols()
+
 	if organization.MasterPassword == "***" {
 		session.Omit("master_password")
 	}
+	if organization.DefaultPassword == "***" {
+		session.Omit("default_password")
+	}
+	if organization.MasterVerificationCode == "***" {
+		session.Omit("master_verification_code")
+	}
+
 	affected, err := session.Update(organization)
 	if err != nil {
 		return false, err
--- a/object/ormer.go
+++ b/object/ormer.go
@ -64,7 +64,6 @@ func InitConfig() {

 	InitAdapter()
 	CreateTables()
-	DoMigration()
 }

 func InitAdapter() {
@ -86,7 +85,11 @@ func InitAdapter() {
 		}
 	}

-	ormer = NewAdapter(conf.GetConfigString("driverName"), conf.GetConfigDataSourceName(), conf.GetConfigString("dbName"))
+	var err error
+	ormer, err = NewAdapter(conf.GetConfigString("driverName"), conf.GetConfigDataSourceName(), conf.GetConfigString("dbName"))
+	if err != nil {
+		panic(err)
+	}

 	tableNamePrefix := conf.GetConfigString("tableNamePrefix")
 	tbMapper := core.NewPrefixMapper(core.SnakeMapper{}, tableNamePrefix)
@ -121,19 +124,22 @@ func finalizer(a *Ormer) {
 }

 // NewAdapter is the constructor for Ormer.
-func NewAdapter(driverName string, dataSourceName string, dbName string) *Ormer {
+func NewAdapter(driverName string, dataSourceName string, dbName string) (*Ormer, error) {
 	a := &Ormer{}
 	a.driverName = driverName
 	a.dataSourceName = dataSourceName
 	a.dbName = dbName

 	// Open the DB, create it if not existed.
-	a.open()
+	err := a.open()
+	if err != nil {
+		return nil, err
+	}

 	// Call the destructor when the object is released.
 	runtime.SetFinalizer(a, finalizer)

-	return a
+	return a, nil
 }

 func refineDataSourceNameForPostgres(dataSourceName string) string {
@ -192,7 +198,7 @@ func (a *Ormer) CreateDatabase() error {
 	return err
 }

-func (a *Ormer) open() {
+func (a *Ormer) open() error {
 	dataSourceName := a.dataSourceName + a.dbName
 	if a.driverName != "mysql" {
 		dataSourceName = a.dataSourceName
@ -200,8 +206,9 @@ func (a *Ormer) open() {

 	engine, err := xorm.NewEngine(a.driverName, dataSourceName)
 	if err != nil {
-		panic(err)
+		return err
 	}
+
 	if a.driverName == "postgres" {
 		schema := util.GetValueFromDataSourceName("search_path", dataSourceName)
 		if schema != "" {
@ -210,6 +217,7 @@ func (a *Ormer) open() {
 	}

 	a.Engine = engine
+	return nil
 }

 func (a *Ormer) close() {
@ -316,7 +324,7 @@ func (a *Ormer) createTable() {
 		panic(err)
 	}

-	err = a.Engine.Sync2(new(PermissionRule))
+	err = a.Engine.Sync2(new(RadiusAccounting))
 	if err != nil {
 		panic(err)
 	}
--- a/object/payment.go
+++ b/object/payment.go
@ -16,7 +16,6 @@ package object

 import (
 	"fmt"
-	"net/http"

 	"github.com/casdoor/casdoor/pp"

@ -55,6 +54,7 @@ type Payment struct {
 	// Order Info
 	OutOrderId string          `xorm:"varchar(100)" json:"outOrderId"`
 	PayUrl     string          `xorm:"varchar(2000)" json:"payUrl"`
+	SuccessUrl string          `xorm:"varchar(2000)" json:"successUrl"` // `successUrl` is redirected from `payUrl` after pay success
 	State      pp.PaymentState `xorm:"varchar(100)" json:"state"`
 	Message    string          `xorm:"varchar(2000)" json:"message"`
 }
@ -152,7 +152,7 @@ func DeletePayment(payment *Payment) (bool, error) {
 	return affected != 0, nil
 }

-func notifyPayment(request *http.Request, body []byte, owner string, paymentName string, orderId string) (*Payment, *pp.NotifyResult, error) {
+func notifyPayment(body []byte, owner string, paymentName string) (*Payment, *pp.NotifyResult, error) {
 	payment, err := getPayment(owner, paymentName)
 	if err != nil {
 		return nil, nil, err
@ -166,7 +166,7 @@ func notifyPayment(request *http.Request, body []byte, owner string, paymentName
 	if err != nil {
 		return nil, nil, err
 	}
-	pProvider, cert, err := provider.getPaymentProvider()
+	pProvider, err := GetPaymentProvider(provider)
 	if err != nil {
 		return nil, nil, err
 	}
@ -180,11 +180,7 @@ func notifyPayment(request *http.Request, body []byte, owner string, paymentName
 		return nil, nil, err
 	}

-	if orderId == "" {
-		orderId = payment.OutOrderId
-	}
-
-	notifyResult, err := pProvider.Notify(request, body, cert.AuthorityPublicKey, orderId)
+	notifyResult, err := pProvider.Notify(body, payment.OutOrderId)
 	if err != nil {
 		return payment, nil, err
 	}
@ -205,8 +201,8 @@ func notifyPayment(request *http.Request, body []byte, owner string, paymentName
 	return payment, notifyResult, nil
 }

-func NotifyPayment(request *http.Request, body []byte, owner string, paymentName string, orderId string) (*Payment, error) {
-	payment, notifyResult, err := notifyPayment(request, body, owner, paymentName, orderId)
+func NotifyPayment(body []byte, owner string, paymentName string) (*Payment, error) {
+	payment, notifyResult, err := notifyPayment(body, owner, paymentName)
 	if payment != nil {
 		if err != nil {
 			payment.State = pp.PaymentStateError
@ -234,7 +230,7 @@ func invoicePayment(payment *Payment) (string, error) {
 		return "", fmt.Errorf("the payment provider: %s does not exist", payment.Provider)
 	}

-	pProvider, _, err := provider.getPaymentProvider()
+	pProvider, err := GetPaymentProvider(provider)
 	if err != nil {
 		return "", err
 	}
--- a/object/permission.go
+++ b/object/permission.go
@ -15,6 +15,7 @@
 package object

 import (
+	"fmt"
 	"strings"

 	"github.com/casdoor/casdoor/conf"
@ -30,6 +31,7 @@ type Permission struct {
 	Description string `xorm:"varchar(100)" json:"description"`

 	Users   []string `xorm:"mediumtext" json:"users"`
+	Groups  []string `xorm:"mediumtext" json:"groups"`
 	Roles   []string `xorm:"mediumtext" json:"roles"`
 	Domains []string `xorm:"mediumtext" json:"domains"`

@ -47,23 +49,8 @@ type Permission struct {
 	State       string `xorm:"varchar(100)" json:"state"`
 }

-type PermissionRule struct {
-	Ptype string `xorm:"varchar(100) index not null default ''" json:"ptype"`
-	V0    string `xorm:"varchar(100) index not null default ''" json:"v0"`
-	V1    string `xorm:"varchar(100) index not null default ''" json:"v1"`
-	V2    string `xorm:"varchar(100) index not null default ''" json:"v2"`
-	V3    string `xorm:"varchar(100) index not null default ''" json:"v3"`
-	V4    string `xorm:"varchar(100) index not null default ''" json:"v4"`
-	V5    string `xorm:"varchar(100) index not null default ''" json:"v5"`
-	Id    string `xorm:"varchar(100) index not null default ''" json:"id"`
-}
-
 const builtInAvailableField = 5 // Casdoor built-in adapter, use V5 to filter permission, so has 5 available field

-func (p *Permission) GetId() string {
-	return util.GetId(p.Owner, p.Name)
-}
-
 func GetPermissionCount(owner, field, value string) (int64, error) {
 	session := GetSession(owner, -1, -1, field, value, "", "")
 	return session.Count(&Permission{})
@ -115,11 +102,15 @@ func GetPermission(id string) (*Permission, error) {

 // checkPermissionValid verifies if the permission is valid
 func checkPermissionValid(permission *Permission) error {
-	enforcer := getPermissionEnforcer(permission)
+	enforcer, err := getPermissionEnforcer(permission)
+	if err != nil {
+		return err
+	}
+
 	enforcer.EnableAutoSave(false)

 	policies := getPolicies(permission)
-	_, err := enforcer.AddPolicies(policies)
+	_, err = enforcer.AddPolicies(policies)
 	if err != nil {
 		return err
 	}
@ -131,7 +122,7 @@ func checkPermissionValid(permission *Permission) error {

 	groupingPolicies := getGroupingPolicies(permission)
 	if len(groupingPolicies) > 0 {
-		_, err := enforcer.AddGroupingPolicies(groupingPolicies)
+		_, err = enforcer.AddGroupingPolicies(groupingPolicies)
 		if err != nil {
 			return err
 		}
@ -152,14 +143,40 @@ func UpdatePermission(id string, permission *Permission) (bool, error) {
 		return false, nil
 	}

+	if permission.ResourceType == "Application" && permission.Model != "" {
+		model, err := GetModelEx(util.GetId(owner, permission.Model))
+		if err != nil {
+			return false, err
+		} else if model == nil {
+			return false, fmt.Errorf("the model: %s for permission: %s is not found", permission.Model, permission.GetId())
+		}
+
+		modelCfg, err := getModelCfg(model)
+		if err != nil {
+			return false, err
+		}
+
+		if len(strings.Split(modelCfg["p"], ",")) != 3 {
+			return false, fmt.Errorf("the model: %s for permission: %s is not valid, Casbin model's [policy_defination] section should have 3 elements", permission.Model, permission.GetId())
+		}
+	}
+
 	affected, err := ormer.Engine.ID(core.PK{owner, name}).AllCols().Update(permission)
 	if err != nil {
 		return false, err
 	}

 	if affected != 0 {
-		removeGroupingPolicies(oldPermission)
-		removePolicies(oldPermission)
+		err = removeGroupingPolicies(oldPermission)
+		if err != nil {
+			return false, err
+		}
+
+		err = removePolicies(oldPermission)
+		if err != nil {
+			return false, err
+		}
+
 		if oldPermission.Adapter != "" && oldPermission.Adapter != permission.Adapter {
 			isEmpty, _ := ormer.Engine.IsTableEmpty(oldPermission.Adapter)
 			if isEmpty {
@ -169,8 +186,16 @@ func UpdatePermission(id string, permission *Permission) (bool, error) {
 				}
 			}
 		}
-		addGroupingPolicies(permission)
-		addPolicies(permission)
+
+		err = addGroupingPolicies(permission)
+		if err != nil {
+			return false, err
+		}
+
+		err = addPolicies(permission)
+		if err != nil {
+			return false, err
+		}
 	}

 	return affected != 0, nil
@ -183,59 +208,78 @@ func AddPermission(permission *Permission) (bool, error) {
 	}

 	if affected != 0 {
-		addGroupingPolicies(permission)
-		addPolicies(permission)
+		err = addGroupingPolicies(permission)
+		if err != nil {
+			return false, err
+		}
+
+		err = addPolicies(permission)
+		if err != nil {
+			return false, err
+		}
 	}

 	return affected != 0, nil
 }

-func AddPermissions(permissions []*Permission) bool {
+func AddPermissions(permissions []*Permission) (bool, error) {
 	if len(permissions) == 0 {
-		return false
+		return false, nil
 	}

 	affected, err := ormer.Engine.Insert(permissions)
 	if err != nil {
 		if !strings.Contains(err.Error(), "Duplicate entry") {
-			panic(err)
+			return false, err
 		}
 	}

 	for _, permission := range permissions {
 		// add using for loop
 		if affected != 0 {
-			addGroupingPolicies(permission)
-			addPolicies(permission)
+			err = addGroupingPolicies(permission)
+			if err != nil {
+				return false, err
+			}
+
+			err = addPolicies(permission)
+			if err != nil {
+				return false, err
+			}
 		}
 	}
-	return affected != 0
+	return affected != 0, nil
 }

-func AddPermissionsInBatch(permissions []*Permission) bool {
+func AddPermissionsInBatch(permissions []*Permission) (bool, error) {
 	batchSize := conf.GetConfigBatchSize()

 	if len(permissions) == 0 {
-		return false
+		return false, nil
 	}

 	affected := false
-	for i := 0; i < (len(permissions)-1)/batchSize+1; i++ {
-		start := i * batchSize
-		end := (i + 1) * batchSize
+	for i := 0; i < len(permissions); i += batchSize {
+		start := i
+		end := i + batchSize
 		if end > len(permissions) {
 			end = len(permissions)
 		}

 		tmp := permissions[start:end]
-		// TODO: save to log instead of standard output
-		// fmt.Printf("Add Permissions: [%d - %d].\n", start, end)
-		if AddPermissions(tmp) {
+		fmt.Printf("The syncer adds permissions: [%d - %d]\n", start, end)
+
+		b, err := AddPermissions(tmp)
+		if err != nil {
+			return false, err
+		}
+
+		if b {
 			affected = true
 		}
 	}

-	return affected
+	return affected, nil
 }

 func DeletePermission(permission *Permission) (bool, error) {
@ -245,8 +289,16 @@ func DeletePermission(permission *Permission) (bool, error) {
 	}

 	if affected != 0 {
-		removeGroupingPolicies(permission)
-		removePolicies(permission)
+		err = removeGroupingPolicies(permission)
+		if err != nil {
+			return false, err
+		}
+
+		err = removePolicies(permission)
+		if err != nil {
+			return false, err
+		}
+
 		if permission.Adapter != "" && permission.Adapter != "permission_rule" {
 			isEmpty, _ := ormer.Engine.IsTableEmpty(permission.Adapter)
 			if isEmpty {
@ -261,9 +313,59 @@ func DeletePermission(permission *Permission) (bool, error) {
 	return affected != 0, nil
 }

-func GetPermissionsAndRolesByUser(userId string) ([]*Permission, []*Role, error) {
+func getPermissionsByUser(userId string) ([]*Permission, error) {
 	permissions := []*Permission{}
 	err := ormer.Engine.Where("users like ?", "%"+userId+"\"%").Find(&permissions)
+	if err != nil {
+		return permissions, err
+	}
+
+	res := []*Permission{}
+	for _, permission := range permissions {
+		if util.InSlice(permission.Users, userId) {
+			res = append(res, permission)
+		}
+	}
+
+	return res, nil
+}
+
+func GetPermissionsByRole(roleId string) ([]*Permission, error) {
+	permissions := []*Permission{}
+	err := ormer.Engine.Where("roles like ?", "%"+roleId+"\"%").Find(&permissions)
+	if err != nil {
+		return permissions, err
+	}
+
+	res := []*Permission{}
+	for _, permission := range permissions {
+		if util.InSlice(permission.Roles, roleId) {
+			res = append(res, permission)
+		}
+	}
+
+	return res, nil
+}
+
+func GetPermissionsByResource(resourceId string) ([]*Permission, error) {
+	permissions := []*Permission{}
+	err := ormer.Engine.Where("resources like ?", "%"+resourceId+"\"%").Find(&permissions)
+	if err != nil {
+		return permissions, err
+	}
+
+	res := []*Permission{}
+	for _, permission := range permissions {
+		if util.InSlice(permission.Resources, resourceId) {
+			res = append(res, permission)
+		}
+	}
+
+	return res, nil
+}
+
+func getPermissionsAndRolesByUser(userId string) ([]*Permission, []*Role, error) {
+	permissions, err := getPermissionsByUser(userId)
 	if err != nil {
 		return nil, nil, err
 	}
@ -280,14 +382,13 @@ func GetPermissionsAndRolesByUser(userId string) ([]*Permission, []*Role, error)

 	permFromRoles := []*Permission{}

-	roles, err := GetRolesByUser(userId)
+	roles, err := getRolesByUser(userId)
 	if err != nil {
 		return nil, nil, err
 	}

 	for _, role := range roles {
-		perms := []*Permission{}
-		err := ormer.Engine.Where("roles like ?", "%"+role.GetId()+"\"%").Find(&perms)
+		perms, err := GetPermissionsByRole(role.GetId())
 		if err != nil {
 			return nil, nil, err
 		}
@ -305,26 +406,6 @@ func GetPermissionsAndRolesByUser(userId string) ([]*Permission, []*Role, error)
 	return permissions, roles, nil
 }

-func GetPermissionsByRole(roleId string) ([]*Permission, error) {
-	permissions := []*Permission{}
-	err := ormer.Engine.Where("roles like ?", "%"+roleId+"\"%").Find(&permissions)
-	if err != nil {
-		return permissions, err
-	}
-
-	return permissions, nil
-}
-
-func GetPermissionsByResource(resourceId string) ([]*Permission, error) {
-	permissions := []*Permission{}
-	err := ormer.Engine.Where("resources like ?", "%"+resourceId+"\"%").Find(&permissions)
-	if err != nil {
-		return permissions, err
-	}
-
-	return permissions, nil
-}
-
 func GetPermissionsBySubmitter(owner string, submitter string) ([]*Permission, error) {
 	permissions := []*Permission{}
 	err := ormer.Engine.Desc("created_time").Find(&permissions, &Permission{Owner: owner, Submitter: submitter})
@ -345,20 +426,6 @@ func GetPermissionsByModel(owner string, model string) ([]*Permission, error) {
 	return permissions, nil
 }

-func ContainsAsterisk(userId string, users []string) bool {
-	containsAsterisk := false
-	group, _ := util.GetOwnerAndNameFromId(userId)
-	for _, user := range users {
-		permissionGroup, permissionUserName := util.GetOwnerAndNameFromId(user)
-		if permissionGroup == group && permissionUserName == "*" {
-			containsAsterisk = true
-			break
-		}
-	}
-
-	return containsAsterisk
-}
-
 func GetMaskedPermissions(permissions []*Permission) []*Permission {
 	for _, permission := range permissions {
 		permission.Users = nil
@ -388,3 +455,42 @@ func GroupPermissionsByModelAdapter(permissions []*Permission) map[string][]stri

 	return m
 }
+
+func (p *Permission) GetId() string {
+	return util.GetId(p.Owner, p.Name)
+}
+
+func (p *Permission) isUserHit(name string) bool {
+	targetOrg, targetName := util.GetOwnerAndNameFromId(name)
+	for _, user := range p.Users {
+		userOrg, userName := util.GetOwnerAndNameFromId(user)
+		if userOrg == targetOrg && (userName == "*" || userName == targetName) {
+			return true
+		}
+	}
+	return false
+}
+
+func (p *Permission) isRoleHit(userId string) bool {
+	targetRoles, err := getRolesByUser(userId)
+	if err != nil {
+		return false
+	}
+	for _, role := range p.Roles {
+		for _, targetRole := range targetRoles {
+			if targetRole.GetId() == role {
+				return true
+			}
+		}
+	}
+	return false
+}
+
+func (p *Permission) isResourceHit(name string) bool {
+	for _, resource := range p.Resources {
+		if resource == "*" || resource == name {
+			return true
+		}
+	}
+	return false
+}
--- a/object/permission_enforcer.go
+++ b/object/permission_enforcer.go
@ -26,23 +26,23 @@ import (
 	xormadapter "github.com/casdoor/xorm-adapter/v3"
 )

-func getPermissionEnforcer(p *Permission, permissionIDs ...string) *casbin.Enforcer {
+func getPermissionEnforcer(p *Permission, permissionIDs ...string) (*casbin.Enforcer, error) {
 	// Init an enforcer instance without specifying a model or adapter.
 	// If you specify an adapter, it will load all policies, which is a
 	// heavy process that can slow down the application.
 	enforcer, err := casbin.NewEnforcer(&log.DefaultLogger{}, false)
 	if err != nil {
-		panic(err)
+		return nil, err
 	}

 	err = p.setEnforcerModel(enforcer)
 	if err != nil {
-		panic(err)
+		return nil, err
 	}

 	err = p.setEnforcerAdapter(enforcer)
 	if err != nil {
-		panic(err)
+		return nil, err
 	}

 	policyFilterV5 := []string{p.GetId()}
@ -60,10 +60,10 @@ func getPermissionEnforcer(p *Permission, permissionIDs ...string) *casbin.Enfor

 	err = enforcer.LoadFilteredPolicy(policyFilter)
 	if err != nil {
-		panic(err)
+		return nil, err
 	}

-	return enforcer
+	return enforcer, nil
 }

 func (p *Permission) setEnforcerAdapter(enforcer *casbin.Enforcer) error {
@ -201,72 +201,96 @@ func getGroupingPolicies(permission *Permission) [][]string {
 	return groupingPolicies
 }

-func addPolicies(permission *Permission) {
-	enforcer := getPermissionEnforcer(permission)
+func addPolicies(permission *Permission) error {
+	enforcer, err := getPermissionEnforcer(permission)
+	if err != nil {
+		return err
+	}
+
 	policies := getPolicies(permission)

-	_, err := enforcer.AddPolicies(policies)
-	if err != nil {
-		panic(err)
-	}
+	_, err = enforcer.AddPolicies(policies)
+	return err
 }

-func addGroupingPolicies(permission *Permission) {
-	enforcer := getPermissionEnforcer(permission)
+func removePolicies(permission *Permission) error {
+	enforcer, err := getPermissionEnforcer(permission)
+	if err != nil {
+		return err
+	}
+
+	policies := getPolicies(permission)
+
+	_, err = enforcer.RemovePolicies(policies)
+	return err
+}
+
+func addGroupingPolicies(permission *Permission) error {
+	enforcer, err := getPermissionEnforcer(permission)
+	if err != nil {
+		return err
+	}
+
 	groupingPolicies := getGroupingPolicies(permission)

 	if len(groupingPolicies) > 0 {
-		_, err := enforcer.AddGroupingPolicies(groupingPolicies)
+		_, err = enforcer.AddGroupingPolicies(groupingPolicies)
 		if err != nil {
-			panic(err)
+			return err
 		}
 	}
+
+	return nil
 }

-func removeGroupingPolicies(permission *Permission) {
-	enforcer := getPermissionEnforcer(permission)
+func removeGroupingPolicies(permission *Permission) error {
+	enforcer, err := getPermissionEnforcer(permission)
+	if err != nil {
+		return err
+	}
+
 	groupingPolicies := getGroupingPolicies(permission)

 	if len(groupingPolicies) > 0 {
-		_, err := enforcer.RemoveGroupingPolicies(groupingPolicies)
+		_, err = enforcer.RemoveGroupingPolicies(groupingPolicies)
 		if err != nil {
-			panic(err)
+			return err
 		}
 	}
-}

-func removePolicies(permission *Permission) {
-	enforcer := getPermissionEnforcer(permission)
-	policies := getPolicies(permission)
-
-	_, err := enforcer.RemovePolicies(policies)
-	if err != nil {
-		panic(err)
-	}
+	return nil
 }

 type CasbinRequest = []interface{}

 func Enforce(permission *Permission, request *CasbinRequest, permissionIds ...string) (bool, error) {
-	enforcer := getPermissionEnforcer(permission, permissionIds...)
+	enforcer, err := getPermissionEnforcer(permission, permissionIds...)
+	if err != nil {
+		return false, err
+	}
+
 	return enforcer.Enforce(*request...)
 }

 func BatchEnforce(permission *Permission, requests *[]CasbinRequest, permissionIds ...string) ([]bool, error) {
-	enforcer := getPermissionEnforcer(permission, permissionIds...)
+	enforcer, err := getPermissionEnforcer(permission, permissionIds...)
+	if err != nil {
+		return nil, err
+	}
+
 	return enforcer.BatchEnforce(*requests)
 }

-func getAllValues(userId string, fn func(enforcer *casbin.Enforcer) []string) []string {
-	permissions, _, err := GetPermissionsAndRolesByUser(userId)
+func getAllValues(userId string, fn func(enforcer *casbin.Enforcer) []string) ([]string, error) {
+	permissions, _, err := getPermissionsAndRolesByUser(userId)
 	if err != nil {
-		panic(err)
+		return nil, err
 	}

 	for _, role := range GetAllRoles(userId) {
 		permissionsByRole, err := GetPermissionsByRole(role)
 		if err != nil {
-			panic(err)
+			return nil, err
 		}

 		permissions = append(permissions, permissionsByRole...)
@ -274,26 +298,31 @@ func getAllValues(userId string, fn func(enforcer *casbin.Enforcer) []string) []

 	var values []string
 	for _, permission := range permissions {
-		enforcer := getPermissionEnforcer(permission)
+		enforcer, err := getPermissionEnforcer(permission)
+		if err != nil {
+			return nil, err
+		}
+
 		values = append(values, fn(enforcer)...)
 	}
-	return values
+
+	return values, nil
 }

-func GetAllObjects(userId string) []string {
+func GetAllObjects(userId string) ([]string, error) {
 	return getAllValues(userId, func(enforcer *casbin.Enforcer) []string {
 		return enforcer.GetAllObjects()
 	})
 }

-func GetAllActions(userId string) []string {
+func GetAllActions(userId string) ([]string, error) {
 	return getAllValues(userId, func(enforcer *casbin.Enforcer) []string {
 		return enforcer.GetAllActions()
 	})
 }

 func GetAllRoles(userId string) []string {
-	roles, err := GetRolesByUser(userId)
+	roles, err := getRolesByUser(userId)
 	if err != nil {
 		panic(err)
 	}
@ -330,17 +359,23 @@ m = g(r.sub, p.sub) && r.obj == p.obj && r.act == p.act`

 		// load [policy_definition]
 		policyDefinition := strings.Split(cfg.String("policy_definition::p"), ",")
+
 		fieldsNum := len(policyDefinition)
 		if fieldsNum > builtInAvailableField {
-			panic(fmt.Errorf("the maximum policy_definition field number cannot exceed %d, got %d", builtInAvailableField, fieldsNum))
+			return nil, fmt.Errorf("the maximum policy_definition field number cannot exceed %d, got %d", builtInAvailableField, fieldsNum)
 		}
+
 		// filled empty field with "" and V5 with "permissionId"
 		for i := builtInAvailableField - fieldsNum; i > 0; i-- {
 			policyDefinition = append(policyDefinition, "")
 		}
 		policyDefinition = append(policyDefinition, "permissionId")

-		m, _ := model.NewModelFromString(modelText)
+		m, err := model.NewModelFromString(modelText)
+		if err != nil {
+			return nil, err
+		}
+
 		m.AddDef("p", "p", strings.Join(policyDefinition, ","))

 		return m, err
--- a/object/permission_upload.go
+++ b/object/permission_upload.go
@ -82,5 +82,11 @@ func UploadPermissions(owner string, path string) (bool, error) {
 	if len(newPermissions) == 0 {
 		return false, nil
 	}
-	return AddPermissionsInBatch(newPermissions), nil
+
+	affected, err := AddPermissionsInBatch(newPermissions)
+	if err != nil {
+		return false, err
+	}
+
+	return affected, nil
 }
--- a/object/product.go
+++ b/object/product.go
@ -17,6 +17,8 @@ package object
 import (
 	"fmt"

+	"github.com/casdoor/casdoor/idp"
+
 	"github.com/casdoor/casdoor/pp"

 	"github.com/casdoor/casdoor/util"
@ -30,14 +32,14 @@ type Product struct {
 	DisplayName string `xorm:"varchar(100)" json:"displayName"`

 	Image       string   `xorm:"varchar(100)" json:"image"`
-	Detail      string   `xorm:"varchar(255)" json:"detail"`
-	Description string   `xorm:"varchar(100)" json:"description"`
+	Detail      string   `xorm:"varchar(1000)" json:"detail"`
+	Description string   `xorm:"varchar(200)" json:"description"`
 	Tag         string   `xorm:"varchar(100)" json:"tag"`
 	Currency    string   `xorm:"varchar(100)" json:"currency"`
 	Price       float64  `json:"price"`
 	Quantity    int      `json:"quantity"`
 	Sold        int      `json:"sold"`
-	Providers   []string `xorm:"varchar(100)" json:"providers"`
+	Providers   []string `xorm:"varchar(255)" json:"providers"`
 	ReturnUrl   string   `xorm:"varchar(1000)" json:"returnUrl"`

 	State string `xorm:"varchar(100)" json:"state"`
@ -158,31 +160,28 @@ func (product *Product) getProvider(providerName string) (*Provider, error) {
 	return provider, nil
 }

-func BuyProduct(id string, user *User, providerName, pricingName, planName, host string) (string, string, error) {
+func BuyProduct(id string, user *User, providerName, pricingName, planName, host, paymentEnv string) (payment *Payment, attachInfo map[string]interface{}, err error) {
 	product, err := GetProduct(id)
 	if err != nil {
-		return "", "", err
+		return nil, nil, err
 	}
-
 	if product == nil {
-		return "", "", fmt.Errorf("the product: %s does not exist", id)
+		return nil, nil, fmt.Errorf("the product: %s does not exist", id)
 	}

 	provider, err := product.getProvider(providerName)
 	if err != nil {
-		return "", "", err
+		return nil, nil, err
 	}

-	pProvider, _, err := provider.getPaymentProvider()
+	pProvider, err := GetPaymentProvider(provider)
 	if err != nil {
-		return "", "", err
+		return nil, nil, err
 	}

 	owner := product.Owner
-	productName := product.Name
 	payerName := fmt.Sprintf("%s | %s", user.Name, user.DisplayName)
 	paymentName := fmt.Sprintf("payment_%v", util.GenerateTimeId())
-	productDisplayName := product.DisplayName

 	originFrontend, originBackend := getOriginFromHost(host)
 	returnUrl := fmt.Sprintf("%s/payments/%s/%s/result", originFrontend, owner, paymentName)
@ -192,26 +191,46 @@ func BuyProduct(id string, user *User, providerName, pricingName, planName, host
 		if pricingName != "" && planName != "" {
 			plan, err := GetPlan(util.GetId(owner, planName))
 			if err != nil {
-				return "", "", err
+				return nil, nil, err
 			}
 			if plan == nil {
-				return "", "", fmt.Errorf("the plan: %s does not exist", planName)
+				return nil, nil, fmt.Errorf("the plan: %s does not exist", planName)
 			}
 			sub := NewSubscription(owner, user.Name, plan.Name, paymentName, plan.Period)
 			_, err = AddSubscription(sub)
 			if err != nil {
-				return "", "", err
+				return nil, nil, err
 			}
 			returnUrl = fmt.Sprintf("%s/buy-plan/%s/%s/result?subscription=%s", originFrontend, owner, pricingName, sub.Name)
 		}
 	}
-	// Create an OrderId and get the payUrl
-	payUrl, orderId, err := pProvider.Pay(providerName, productName, payerName, paymentName, productDisplayName, product.Price, product.Currency, returnUrl, notifyUrl)
+	// Create an order
+	payReq := &pp.PayReq{
+		ProviderName:       providerName,
+		ProductName:        product.Name,
+		PayerName:          payerName,
+		PayerId:            user.Id,
+		PaymentName:        paymentName,
+		ProductDisplayName: product.DisplayName,
+		Price:              product.Price,
+		Currency:           product.Currency,
+		ReturnUrl:          returnUrl,
+		NotifyUrl:          notifyUrl,
+		PaymentEnv:         paymentEnv,
+	}
+	// custom process for WeChat & WeChat Pay
+	if provider.Type == "WeChat Pay" {
+		payReq.PayerId, err = getUserExtraProperty(user, "WeChat", idp.BuildWechatOpenIdKey(provider.ClientId2))
+		if err != nil {
+			return nil, nil, err
+		}
+	}
+	payResp, err := pProvider.Pay(payReq)
 	if err != nil {
-		return "", "", err
+		return nil, nil, err
 	}
 	// Create a Payment linked with Product and Order
-	payment := Payment{
+	payment = &Payment{
 		Owner:       product.Owner,
 		Name:        paymentName,
 		CreatedTime: util.GetCurrentTime(),
@ -220,8 +239,8 @@ func BuyProduct(id string, user *User, providerName, pricingName, planName, host
 		Provider: provider.Name,
 		Type:     provider.Type,

-		ProductName:        productName,
-		ProductDisplayName: productDisplayName,
+		ProductName:        product.Name,
+		ProductDisplayName: product.DisplayName,
 		Detail:             product.Detail,
 		Tag:                product.Tag,
 		Currency:           product.Currency,
@ -229,24 +248,25 @@ func BuyProduct(id string, user *User, providerName, pricingName, planName, host
 		ReturnUrl:          product.ReturnUrl,

 		User:       user.Name,
-		PayUrl:     payUrl,
+		PayUrl:     payResp.PayUrl,
+		SuccessUrl: returnUrl,
 		State:      pp.PaymentStateCreated,
-		OutOrderId: orderId,
+		OutOrderId: payResp.OrderId,
 	}

 	if provider.Type == "Dummy" {
 		payment.State = pp.PaymentStatePaid
 	}

-	affected, err := AddPayment(&payment)
+	affected, err := AddPayment(payment)
 	if err != nil {
-		return "", "", err
+		return nil, nil, err
 	}

 	if !affected {
-		return "", "", fmt.Errorf("failed to add payment: %s", util.StructToJson(payment))
+		return nil, nil, fmt.Errorf("failed to add payment: %s", util.StructToJson(payment))
 	}
-	return payUrl, orderId, err
+	return payment, payResp.AttachInfo, nil
 }

 func ExtendProductWithProviders(product *Product) error {
--- a/object/product_test.go
+++ b/object/product_test.go
@ -17,31 +17,24 @@

 package object

-import (
-	"testing"
-
-	"github.com/casdoor/casdoor/pp"
-	"github.com/casdoor/casdoor/util"
-)
-
-func TestProduct(t *testing.T) {
-	InitConfig()
-
-	product, _ := GetProduct("admin/product_123")
-	provider, _ := getProvider(product.Owner, "provider_pay_alipay")
-	cert, _ := getCert(product.Owner, "cert-pay-alipay")
-	pProvider, err := pp.GetPaymentProvider(provider.Type, provider.ClientId, provider.ClientSecret, provider.Host, cert.Certificate, cert.PrivateKey, cert.AuthorityPublicKey, cert.AuthorityRootPublicKey, provider.ClientId2)
-	if err != nil {
-		panic(err)
-	}
-
-	paymentName := util.GenerateTimeId()
-	returnUrl := ""
-	notifyUrl := ""
-	payUrl, _, err := pProvider.Pay(provider.Name, product.Name, "alice", paymentName, product.DisplayName, product.Price, product.Currency, returnUrl, notifyUrl)
-	if err != nil {
-		panic(err)
-	}
-
-	println(payUrl)
-}
+//func TestProduct(t *testing.T) {
+//	InitConfig()
+//
+//	product, _ := GetProduct("admin/product_123")
+//	provider, _ := getProvider(product.Owner, "provider_pay_alipay")
+//	cert, _ := getCert(product.Owner, "cert-pay-alipay")
+//	pProvider, err := pp.GetPaymentProvider(provider.Type, provider.ClientId, provider.ClientSecret, provider.Host, cert.Certificate, cert.PrivateKey, cert.AuthorityPublicKey, cert.AuthorityRootPublicKey, provider.ClientId2)
+//	if err != nil {
+//		panic(err)
+//	}
+//
+//	paymentName := util.GenerateTimeId()
+//	returnUrl := ""
+//	notifyUrl := ""
+//	payUrl, _, err := pProvider.Pay(provider.Name, product.Name, "alice", paymentName, product.DisplayName, product.Price, product.Currency, returnUrl, notifyUrl)
+//	if err != nil {
+//		panic(err)
+//	}
+//
+//	println(payUrl)
+//}
--- a/object/provider.go
+++ b/object/provider.go
@ -39,7 +39,7 @@ type Provider struct {
 	ClientId          string            `xorm:"varchar(200)" json:"clientId"`
 	ClientSecret      string            `xorm:"varchar(2000)" json:"clientSecret"`
 	ClientId2         string            `xorm:"varchar(100)" json:"clientId2"`
-	ClientSecret2     string            `xorm:"varchar(100)" json:"clientSecret2"`
+	ClientSecret2     string            `xorm:"varchar(500)" json:"clientSecret2"`
 	Cert              string            `xorm:"varchar(100)" json:"cert"`
 	CustomAuthUrl     string            `xorm:"varchar(200)" json:"customAuthUrl"`
 	CustomTokenUrl    string            `xorm:"varchar(200)" json:"customTokenUrl"`
@ -251,30 +251,69 @@ func DeleteProvider(provider *Provider) (bool, error) {
 	return affected != 0, nil
 }

-func (p *Provider) getPaymentProvider() (pp.PaymentProvider, *Cert, error) {
+func GetPaymentProvider(p *Provider) (pp.PaymentProvider, error) {
 	cert := &Cert{}
 	if p.Cert != "" {
 		var err error
-		cert, err = getCert(p.Owner, p.Cert)
+		cert, err = GetCert(util.GetId(p.Owner, p.Cert))
 		if err != nil {
-			return nil, nil, err
+			return nil, err
 		}

 		if cert == nil {
-			return nil, nil, fmt.Errorf("the cert: %s does not exist", p.Cert)
+			return nil, fmt.Errorf("the cert: %s does not exist", p.Cert)
 		}
 	}
-
-	pProvider, err := pp.GetPaymentProvider(p.Type, p.ClientId, p.ClientSecret, p.Host, cert.Certificate, cert.PrivateKey, cert.AuthorityPublicKey, cert.AuthorityRootPublicKey, p.ClientId2)
-	if err != nil {
-		return nil, cert, err
+	typ := p.Type
+	if typ == "Dummy" {
+		pp, err := pp.NewDummyPaymentProvider()
+		if err != nil {
+			return nil, err
+		}
+		return pp, nil
+	} else if typ == "Alipay" {
+		if p.Metadata != "" {
+			// alipay provider store rootCert's name in metadata
+			rootCert, err := GetCert(util.GetId(p.Owner, p.Metadata))
+			if err != nil {
+				return nil, err
+			}
+			if rootCert == nil {
+				return nil, fmt.Errorf("the cert: %s does not exist", p.Metadata)
+			}
+			pp, err := pp.NewAlipayPaymentProvider(p.ClientId, cert.Certificate, cert.PrivateKey, rootCert.Certificate, rootCert.PrivateKey)
+			if err != nil {
+				return nil, err
+			}
+			return pp, nil
+		} else {
+			return nil, fmt.Errorf("the metadata of alipay provider is empty")
+		}
+	} else if typ == "GC" {
+		return pp.NewGcPaymentProvider(p.ClientId, p.ClientSecret, p.Host), nil
+	} else if typ == "WeChat Pay" {
+		pp, err := pp.NewWechatPaymentProvider(p.ClientId, p.ClientSecret, p.ClientId2, cert.Certificate, cert.PrivateKey)
+		if err != nil {
+			return nil, err
+		}
+		return pp, nil
+	} else if typ == "PayPal" {
+		pp, err := pp.NewPaypalPaymentProvider(p.ClientId, p.ClientSecret)
+		if err != nil {
+			return nil, err
+		}
+		return pp, nil
+	} else if typ == "Stripe" {
+		pp, err := pp.NewStripePaymentProvider(p.ClientId, p.ClientSecret)
+		if err != nil {
+			return nil, err
+		}
+		return pp, nil
+	} else {
+		return nil, fmt.Errorf("the payment provider type: %s is not supported", p.Type)
 	}

-	if pProvider == nil {
-		return nil, cert, fmt.Errorf("the payment provider type: %s is not supported", p.Type)
-	}
-
-	return pProvider, cert, nil
+	return nil, nil
 }

 func (p *Provider) GetId() string {
@ -359,16 +398,18 @@ func providerChangeTrigger(oldName string, newName string) error {

 func FromProviderToIdpInfo(ctx *context.Context, provider *Provider) *idp.ProviderInfo {
 	providerInfo := &idp.ProviderInfo{
-		Type:         provider.Type,
-		SubType:      provider.SubType,
-		ClientId:     provider.ClientId,
-		ClientSecret: provider.ClientSecret,
-		AppId:        provider.AppId,
-		HostUrl:      provider.Host,
-		TokenURL:     provider.CustomTokenUrl,
-		AuthURL:      provider.CustomAuthUrl,
-		UserInfoURL:  provider.CustomUserInfoUrl,
-		UserMapping:  provider.UserMapping,
+		Type:          provider.Type,
+		SubType:       provider.SubType,
+		ClientId:      provider.ClientId,
+		ClientSecret:  provider.ClientSecret,
+		ClientId2:     provider.ClientId2,
+		ClientSecret2: provider.ClientSecret2,
+		AppId:         provider.AppId,
+		HostUrl:       provider.Host,
+		TokenURL:      provider.CustomTokenUrl,
+		AuthURL:       provider.CustomAuthUrl,
+		UserInfoURL:   provider.CustomUserInfoUrl,
+		UserMapping:   provider.UserMapping,
 	}

 	if provider.Type == "WeChat" {
@ -376,6 +417,8 @@ func FromProviderToIdpInfo(ctx *context.Context, provider *Provider) *idp.Provid
 			providerInfo.ClientId = provider.ClientId2
 			providerInfo.ClientSecret = provider.ClientSecret2
 		}
+	} else if provider.Type == "AzureAD" || provider.Type == "ADFS" || provider.Type == "Okta" {
+		providerInfo.HostUrl = provider.Domain
 	}

 	return providerInfo
--- a/object/provider_item.go
+++ b/object/provider_item.go
@ -18,13 +18,13 @@ type ProviderItem struct {
 	Owner string `json:"owner"`
 	Name  string `json:"name"`

-	CanSignUp bool      `json:"canSignUp"`
-	CanSignIn bool      `json:"canSignIn"`
-	CanUnlink bool      `json:"canUnlink"`
-	Prompted  bool      `json:"prompted"`
-	AlertType string    `json:"alertType"`
-	Rule      string    `json:"rule"`
-	Provider  *Provider `json:"provider"`
+	CanSignUp   bool      `json:"canSignUp"`
+	CanSignIn   bool      `json:"canSignIn"`
+	CanUnlink   bool      `json:"canUnlink"`
+	Prompted    bool      `json:"prompted"`
+	SignupGroup string    `json:"signupGroup"`
+	Rule        string    `json:"rule"`
+	Provider    *Provider `json:"provider"`
 }

 func (application *Application) GetProviderItem(providerName string) *ProviderItem {
--- a/object/radius.go
+++ b/object/radius.go
@ -0,0 +1,124 @@
+package object
+
+import (
+	"fmt"
+	"time"
+
+	"github.com/casdoor/casdoor/util"
+	"github.com/xorm-io/core"
+)
+
+// https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_radatt/configuration/xe-16/sec-usr-radatt-xe-16-book/sec-rad-ov-ietf-attr.html
+// https://support.huawei.com/enterprise/zh/doc/EDOC1000178159/35071f9a
+type RadiusAccounting struct {
+	Owner       string    `xorm:"varchar(100) notnull pk" json:"owner"`
+	Name        string    `xorm:"varchar(100) notnull pk" json:"name"`
+	CreatedTime time.Time `json:"createdTime"`
+
+	Username    string `xorm:"index" json:"username"`
+	ServiceType int64  `json:"serviceType"` // e.g. LoginUser (1)
+
+	NasId       string `json:"nasId"`       // String identifying the network access server originating the Access-Request.
+	NasIpAddr   string `json:"nasIpAddr"`   // e.g. "192.168.0.10"
+	NasPortId   string `json:"nasPortId"`   // Contains a text string which identifies the port of the NAS that is authenticating the user. e.g."eth.0"
+	NasPortType int64  `json:"nasPortType"` // Indicates the type of physical port the network access server is using to authenticate the user. e.g.Ethernet（15）
+	NasPort     int64  `json:"nasPort"`     // Indicates the physical port number of the network access server that is authenticating the user. e.g. 233
+
+	FramedIpAddr    string `json:"framedIpAddr"`    // Indicates the IP address to be configured for the user by sending the IP address of a user to the RADIUS server.
+	FramedIpNetmask string `json:"framedIpNetmask"` // Indicates the IP netmask to be configured for the user when the user is using a device on a network.
+
+	AcctSessionId      string    `xorm:"index" json:"acctSessionId"`
+	AcctSessionTime    int64     `json:"acctSessionTime"` // Indicates how long (in seconds) the user has received service.
+	AcctInputTotal     int64     `json:"acctInputTotal"`
+	AcctOutputTotal    int64     `json:"acctOutputTotal"`
+	AcctInputPackets   int64     `json:"acctInputPackets"`   // Indicates how many packets have been received from the port over the course of this service being provided to a framed user.
+	AcctOutputPackets  int64     `json:"acctOutputPackets"`  // Indicates how many packets have been sent to the port in the course of delivering this service to a framed user.
+	AcctTerminateCause int64     `json:"acctTerminateCause"` // e.g. Lost-Carrier (2)
+	LastUpdate         time.Time `json:"lastUpdate"`
+	AcctStartTime      time.Time `xorm:"index" json:"acctStartTime"`
+	AcctStopTime       time.Time `xorm:"index" json:"acctStopTime"`
+}
+
+func (ra *RadiusAccounting) GetId() string {
+	return util.GetId(ra.Owner, ra.Name)
+}
+
+func getRadiusAccounting(owner, name string) (*RadiusAccounting, error) {
+	if owner == "" || name == "" {
+		return nil, nil
+	}
+	ra := RadiusAccounting{Owner: owner, Name: name}
+	existed, err := ormer.Engine.Get(&ra)
+	if err != nil {
+		return nil, err
+	}
+	if existed {
+		return &ra, nil
+	} else {
+		return nil, nil
+	}
+}
+
+func getPaginationRadiusAccounting(owner, field, value, sortField, sortOrder string, offset, limit int) ([]*RadiusAccounting, error) {
+	ras := []*RadiusAccounting{}
+	session := GetSession(owner, offset, limit, field, value, sortField, sortOrder)
+	err := session.Find(&ras)
+	if err != nil {
+		return ras, err
+	}
+	return ras, nil
+}
+
+func GetRadiusAccounting(id string) (*RadiusAccounting, error) {
+	owner, name := util.GetOwnerAndNameFromId(id)
+	return getRadiusAccounting(owner, name)
+}
+
+func GetRadiusAccountingBySessionId(sessionId string) (*RadiusAccounting, error) {
+	ras, err := getPaginationRadiusAccounting("", "acct_session_id", sessionId, "created_time", "desc", 0, 1)
+	if err != nil {
+		return nil, err
+	}
+	if len(ras) == 0 {
+		return nil, nil
+	}
+	return ras[0], nil
+}
+
+func AddRadiusAccounting(ra *RadiusAccounting) error {
+	_, err := ormer.Engine.Insert(ra)
+	return err
+}
+
+func DeleteRadiusAccounting(ra *RadiusAccounting) error {
+	_, err := ormer.Engine.ID(core.PK{ra.Owner, ra.Name}).Delete(&RadiusAccounting{})
+	return err
+}
+
+func UpdateRadiusAccounting(id string, ra *RadiusAccounting) error {
+	owner, name := util.GetOwnerAndNameFromId(id)
+	_, err := ormer.Engine.ID(core.PK{owner, name}).Update(ra)
+	return err
+}
+
+func InterimUpdateRadiusAccounting(oldRa *RadiusAccounting, newRa *RadiusAccounting, stop bool) error {
+	if oldRa.AcctSessionId != newRa.AcctSessionId {
+		return fmt.Errorf("AcctSessionId is not equal, newRa = %s, oldRa = %s", newRa.AcctSessionId, oldRa.AcctSessionId)
+	}
+	oldRa.AcctInputTotal = newRa.AcctInputTotal
+	oldRa.AcctOutputTotal = newRa.AcctOutputTotal
+	oldRa.AcctInputPackets = newRa.AcctInputPackets
+	oldRa.AcctOutputPackets = newRa.AcctOutputPackets
+	oldRa.AcctSessionTime = newRa.AcctSessionTime
+	if stop {
+		oldRa.AcctStopTime = newRa.AcctStopTime
+		if oldRa.AcctStopTime.IsZero() {
+			oldRa.AcctStopTime = time.Now()
+		}
+		oldRa.AcctTerminateCause = newRa.AcctTerminateCause
+	} else {
+		oldRa.LastUpdate = time.Now()
+	}
+
+	return UpdateRadiusAccounting(oldRa.GetId(), oldRa)
+}
--- a/Show More
+++ b/Show More