Cherry-pick #22059 to version-2026.2 (with conflicts)

This cherry-pick has conflicts that need manual resolution. Original PR: #22059 Original commit: 716bc6e136
rbac: ensure migration 0056 runs before 0010 removes group field (cherry-pick #21964 to version-2026.2) (#22033 )
2026-05-05 22:52:42 +02:00 · 2026-05-05 13:04:54 +00:00 · 2026-05-04 18:06:55 +02:00 · 2026-04-30 11:59:01 +00:00 · 2026-04-27 14:41:38 +02:00 · 2026-04-25 21:13:53 +02:00
1407 changed files with 69824 additions and 28831 deletions
--- a/.github/actions/cherry-pick/action.yml
+++ b/.github/actions/cherry-pick/action.yml
@@ -115,20 +115,13 @@ runs:
      shell: bash
      env:
        GITHUB_TOKEN: ${{ inputs.token }}
+        PR_NUMBER: ${{ steps.should_run.outputs.pr_number }}
+        REASON: ${{ steps.should_run.outputs.reason }}
      run: |
        set -e -o pipefail
-        PR_NUMBER="${{ steps.should_run.outputs.pr_number }}"
-
-        # Get PR details
-        PR_DATA=$(gh api repos/${{ github.repository }}/pulls/$PR_NUMBER)
-        PR_TITLE=$(echo "$PR_DATA" | jq -r '.title')
-        PR_AUTHOR=$(echo "$PR_DATA" | jq -r '.user.login')
-
-        echo "pr_title=$PR_TITLE" >> $GITHUB_OUTPUT
-        echo "pr_author=$PR_AUTHOR" >> $GITHUB_OUTPUT

        # Determine which labels to process
-        if [ "${{ steps.should_run.outputs.reason }}" = "label_added_to_merged_pr" ]; then
+        if [ "${REASON}" = "label_added_to_merged_pr" ]; then
          # Only process the specific label that was just added
          if [ "${{ github.event_name }}" = "issues" ]; then
            LABEL_NAME="${{ github.event.label.name }}"
@@ -152,13 +145,13 @@ runs:
      shell: bash
      env:
        GITHUB_TOKEN: ${{ inputs.token }}
+        PR_NUMBER: '${{ steps.should_run.outputs.pr_number }}'
+        COMMIT_SHA: '${{ steps.should_run.outputs.merge_commit_sha }}'
+        PR_TITLE: ${{ github.event.pull_request.title }}
+        PR_AUTHOR: ${{ github.event.pull_request.user.login }}
+        LABELS: '${{ steps.pr_details.outputs.labels }}'
      run: |
        set -e -o pipefail
-        PR_NUMBER='${{ steps.should_run.outputs.pr_number }}'
-        COMMIT_SHA='${{ steps.should_run.outputs.merge_commit_sha }}'
-        PR_TITLE='${{ steps.pr_details.outputs.pr_title }}'
-        PR_AUTHOR='${{ steps.pr_details.outputs.pr_author }}'
-        LABELS='${{ steps.pr_details.outputs.labels }}'

        echo "Processing PR #$PR_NUMBER (reason: ${{ steps.should_run.outputs.reason }})"
        echo "Found backport labels: $LABELS"
@@ -215,6 +208,9 @@ runs:
                --head "$CHERRY_PICK_BRANCH" \
                --label "cherry-pick")

+              # Assign the PR to the original author
+              gh pr edit "$NEW_PR" --add-assignee "$PR_AUTHOR" || true
+
              echo "✅ Created cherry-pick PR $NEW_PR for $TARGET_BRANCH"

              # Comment on original PR
@@ -254,6 +250,9 @@ runs:
                --head "$CHERRY_PICK_BRANCH" \
                --label "cherry-pick")

+              # Assign the PR to the original author
+              gh pr edit "$NEW_PR" --add-assignee "$PR_AUTHOR" || true
+
              echo "⚠️ Created conflict resolution PR $NEW_PR for $TARGET_BRANCH"

              # Comment on original PR
--- a/.github/actions/docker-push-variables/push_vars.py
+++ b/.github/actions/docker-push-variables/push_vars.py
@@ -89,6 +89,8 @@ if should_push:
    _cache_tag = "buildcache"
    if image_arch:
        _cache_tag += f"-{image_arch}"
+    if is_release:
+        _cache_tag += f"-{version_family}"
    cache_to = f"type=registry,ref={get_attest_image_names(image_tags)}:{_cache_tag},mode=max"


--- a/.github/actions/setup/action.yml
+++ b/.github/actions/setup/action.yml
@@ -8,45 +8,61 @@ inputs:
  postgresql_version:
    description: "Optional postgresql image tag"
    default: "16"
+  working-directory:
+    description: |
+      Optional working directory if this repo isn't in the root of the actions workspace.
+      When set, needs to contain a trailing slash
+    default: ""

 runs:
  using: "composite"
  steps:
-    - name: Install apt deps & cleanup
+    - name: Cleanup apt
+      if: ${{ contains(inputs.dependencies, 'system') || contains(inputs.dependencies, 'python') }}
+      shell: bash
+      run: sudo apt-get remove --purge man-db
+    - name: Install apt deps
+      if: ${{ contains(inputs.dependencies, 'system') || contains(inputs.dependencies, 'python') }}
+      uses: gerlero/apt-install@f4fa5265092af9e750549565d28c99aec7189639
+      with:
+        packages: libpq-dev openssl libxmlsec1-dev pkg-config gettext krb5-multidev libkrb5-dev heimdal-multidev libclang-dev krb5-kdc krb5-user krb5-admin-server
+        update: true
+        upgrade: false
+        install-recommends: false
+    - name: Make space on disk
      if: ${{ contains(inputs.dependencies, 'system') || contains(inputs.dependencies, 'python') }}
      shell: bash
      run: |
-        sudo apt-get remove --purge man-db
-        sudo apt-get update
-        sudo apt-get install --no-install-recommends -y libpq-dev openssl libxmlsec1-dev pkg-config gettext libkrb5-dev krb5-kdc krb5-user krb5-admin-server
-        sudo rm -rf /usr/local/lib/android
+        sudo mkdir -p /tmp/empty/
+        sudo rsync -a --delete /tmp/empty/ /usr/local/lib/android/
    - name: Install uv
      if: ${{ contains(inputs.dependencies, 'python') }}
-      uses: astral-sh/setup-uv@61cb8a9741eeb8a550a1b8544337180c0fc8476b # v5
+      uses: astral-sh/setup-uv@eac588ad8def6316056a12d4907a9d4d84ff7a3b # v5
      with:
        enable-cache: true
    - name: Setup python
      if: ${{ contains(inputs.dependencies, 'python') }}
-      uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v5
+      uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v5
      with:
-        python-version-file: "pyproject.toml"
+        python-version-file: "${{ inputs.working-directory }}pyproject.toml"
    - name: Install Python deps
      if: ${{ contains(inputs.dependencies, 'python') }}
      shell: bash
+      working-directory: ${{ inputs.working-directory }}
      run: uv sync --all-extras --dev --frozen
    - name: Setup node
      if: ${{ contains(inputs.dependencies, 'node') }}
-      uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v4
+      uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v4
      with:
-        node-version-file: web/package.json
+        node-version-file: ${{ inputs.working-directory }}web/package.json
        cache: "npm"
-        cache-dependency-path: web/package-lock.json
+        cache-dependency-path: ${{ inputs.working-directory }}web/package-lock.json
        registry-url: 'https://registry.npmjs.org'
    - name: Setup go
      if: ${{ contains(inputs.dependencies, 'go') }}
-      uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v5
+      uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v5
      with:
-        go-version-file: "go.mod"
+        go-version-file: "${{ inputs.working-directory }}go.mod"
    - name: Setup docker cache
      if: ${{ contains(inputs.dependencies, 'runtime') }}
      uses: AndreKurait/docker-cache@0fe76702a40db986d9663c24954fc14c6a6031b7
@@ -55,13 +71,15 @@ runs:
    - name: Setup dependencies
      if: ${{ contains(inputs.dependencies, 'runtime') }}
      shell: bash
+      working-directory: ${{ inputs.working-directory }}
      run: |
        export PSQL_TAG=${{ inputs.postgresql_version }}
        docker compose -f .github/actions/setup/compose.yml up -d
-        cd web && npm i
+        cd web && npm ci
    - name: Generate config
      if: ${{ contains(inputs.dependencies, 'python') }}
      shell: uv run python {0}
+      working-directory: ${{ inputs.working-directory }}
      run: |
        from authentik.lib.generators import generate_id
        from yaml import safe_dump
--- a/.github/actions/setup/compose.yml
+++ b/.github/actions/setup/compose.yml
@@ -2,7 +2,7 @@ services:
  postgresql:
    image: docker.io/library/postgres:${PSQL_TAG:-16}
    volumes:
-      - db-data:/var/lib/postgresql/data
+      - db-data:/var/lib/postgresql
    command: "-c log_statement=all"
    environment:
      POSTGRES_USER: authentik
@@ -22,7 +22,7 @@ services:
      - 8020:8000
    volumes:
      - s3-data:/usr/src/app/localData
-      - s3-metadata:/usr/scr/app/localMetadata
+      - s3-metadata:/usr/src/app/localMetadata
    restart: always

 volumes:
--- a/.github/workflows/_reusable-docker-build-single.yml
+++ b/.github/workflows/_reusable-docker-build-single.yml
@@ -42,7 +42,7 @@ jobs:
      # Needed for checkout
      contents: read
    steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
      - uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
      - uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
      - name: prepare variables
@@ -56,30 +56,29 @@ jobs:
          release: ${{ inputs.release }}
      - name: Login to Docker Hub
        if: ${{ inputs.registry_dockerhub }}
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
        with:
          username: ${{ secrets.DOCKER_CORP_USERNAME }}
          password: ${{ secrets.DOCKER_CORP_PASSWORD }}
      - name: Login to GitHub Container Registry
        if: ${{ inputs.registry_ghcr }}
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: make empty clients
-        if: ${{ inputs.release }}
-        run: |
-          mkdir -p ./gen-ts-api
-          mkdir -p ./gen-go-api
-      - name: Setup node
-        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v5
+      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v5
        with:
          node-version-file: web/package.json
          cache: "npm"
          cache-dependency-path: web/package-lock.json
-      - name: generate ts client
-        run: make gen-client-ts
+      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6
+        with:
+          go-version-file: "go.mod"
+      - name: Generate API Clients
+        run: |
+          make gen-client-ts
+          make gen-client-go
      - name: Build Docker Image
        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6
        id: push
@@ -96,7 +95,7 @@ jobs:
          platforms: linux/${{ inputs.image_arch }}
          cache-from: type=registry,ref=${{ steps.ev.outputs.attestImageNames }}:buildcache-${{ inputs.image_arch }}
          cache-to: ${{ steps.ev.outputs.cacheTo }}
-      - uses: actions/attest-build-provenance@00014ed6ed5efc5b1ab7f7f34a39eb55d41aa4f8 # v3
+      - uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3
        id: attest
        if: ${{ steps.ev.outputs.shouldPush == 'true' }}
        with:
--- a/.github/workflows/_reusable-docker-build.yml
+++ b/.github/workflows/_reusable-docker-build.yml
@@ -49,7 +49,7 @@ jobs:
      tags: ${{ steps.ev.outputs.imageTagsJSON }}
      shouldPush: ${{ steps.ev.outputs.shouldPush }}
    steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
      - name: prepare variables
        uses: ./.github/actions/docker-push-variables
        id: ev
@@ -69,7 +69,7 @@ jobs:
      matrix:
        tag: ${{ fromJson(needs.get-tags.outputs.tags) }}
    steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
      - name: prepare variables
        uses: ./.github/actions/docker-push-variables
        id: ev
@@ -79,25 +79,25 @@ jobs:
          image-name: ${{ inputs.image_name }}
      - name: Login to Docker Hub
        if: ${{ inputs.registry_dockerhub }}
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
        with:
          username: ${{ secrets.DOCKER_CORP_USERNAME }}
          password: ${{ secrets.DOCKER_CORP_PASSWORD }}
      - name: Login to GitHub Container Registry
        if: ${{ inputs.registry_ghcr }}
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
-      - uses: int128/docker-manifest-create-action@6cdd53a8337cd50bc3ef8c7016579d8d460edd94 # v2
+      - uses: int128/docker-manifest-create-action@1a059c021f1d5e9f2bd39de745d5dd3a0ef6df90 # v2
        id: build
        with:
          tags: ${{ matrix.tag }}
          sources: |
            ${{ steps.ev.outputs.attestImageNames }}@${{ needs.build-server-amd64.outputs.image-digest }}
            ${{ steps.ev.outputs.attestImageNames }}@${{ needs.build-server-arm64.outputs.image-digest }}
-      - uses: actions/attest-build-provenance@00014ed6ed5efc5b1ab7f7f34a39eb55d41aa4f8 # v3
+      - uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3
        id: attest
        with:
          subject-name: ${{ steps.ev.outputs.attestImageNames }}
--- a/.github/workflows/api-ts-publish.yml
+++ b/.github/workflows/api-ts-publish.yml
@@ -21,11 +21,11 @@ jobs:
        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
        with:
          app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
+          private-key: ${{ secrets.GH_APP_PRIV_KEY }}
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
        with:
          token: ${{ steps.generate_token.outputs.token }}
-      - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v5
+      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v5
        with:
          node-version-file: web/package.json
          registry-url: "https://registry.npmjs.org"
@@ -46,7 +46,7 @@ jobs:
        run: |
          export VERSION=`node -e 'console.log(require("../gen-ts-api/package.json").version)'`
          npm i @goauthentik/api@$VERSION
-      - uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v7
+      - uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
        id: cpr
        with:
          token: ${{ steps.generate_token.outputs.token }}
--- a/.github/workflows/ci-api-docs.yml
+++ b/.github/workflows/ci-api-docs.yml
@@ -21,7 +21,7 @@ jobs:
        command:
          - prettier-check
    steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
      - name: Install Dependencies
        working-directory: website/
        run: npm ci
@@ -32,8 +32,8 @@ jobs:
    runs-on: ubuntu-latest

    steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
-      - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v5
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
+      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v5
        with:
          node-version-file: website/package.json
          cache: "npm"
@@ -41,7 +41,7 @@ jobs:
      - working-directory: website/
        name: Install Dependencies
        run: npm ci
-      - uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v4
+      - uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v4
        with:
          path: |
            ${{ github.workspace }}/website/api/.docusaurus
@@ -66,12 +66,12 @@ jobs:
      - lint
      - build
    steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
      - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v5
        with:
          name: api-docs
          path: website/api/build
-      - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v5
+      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v5
        with:
          node-version-file: website/package.json
          cache: "npm"
--- a/.github/workflows/ci-aws-cfn.yml
+++ b/.github/workflows/ci-aws-cfn.yml
@@ -21,10 +21,10 @@ jobs:
  check-changes-applied:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
      - name: Setup authentik env
        uses: ./.github/actions/setup
-      - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v5
+      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v5
        with:
          node-version-file: lifecycle/aws/package.json
          cache: "npm"
--- a/.github/workflows/ci-docs-source.yml
+++ b/.github/workflows/ci-docs-source.yml
@@ -16,7 +16,7 @@ jobs:
    runs-on: ubuntu-latest
    timeout-minutes: 120
    steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
      - name: Setup authentik env
        uses: ./.github/actions/setup
      - name: generate docs
--- a/.github/workflows/ci-docs.yml
+++ b/.github/workflows/ci-docs.yml
@@ -15,13 +15,15 @@ on:
 jobs:
  lint:
    runs-on: ubuntu-latest
+    env:
+      NODE_ENV: production
    strategy:
      fail-fast: false
      matrix:
        command:
          - prettier-check
    steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
      - name: Install dependencies
        working-directory: website/
        run: npm ci
@@ -30,10 +32,11 @@ jobs:
        run: npm run ${{ matrix.command }}
  build-docs:
    runs-on: ubuntu-latest
-
+    env:
+      NODE_ENV: production
    steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
-      - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v5
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
+      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v5
        with:
          node-version-file: website/package.json
          cache: "npm"
@@ -46,10 +49,11 @@ jobs:
        run: npm run build
  build-integrations:
    runs-on: ubuntu-latest
-
+    env:
+      NODE_ENV: production
    steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
-      - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v5
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
+      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v5
        with:
          node-version-file: website/package.json
          cache: "npm"
@@ -69,7 +73,7 @@ jobs:
      id-token: write
      attestations: write
    steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - name: Set up QEMU
@@ -85,7 +89,7 @@ jobs:
          image-name: ghcr.io/goauthentik/dev-docs
      - name: Login to Container Registry
        if: ${{ steps.ev.outputs.shouldPush == 'true' }}
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
@@ -101,7 +105,7 @@ jobs:
          context: .
          cache-from: type=registry,ref=ghcr.io/goauthentik/dev-docs:buildcache
          cache-to: ${{ steps.ev.outputs.shouldPush == 'true' && 'type=registry,ref=ghcr.io/goauthentik/dev-docs:buildcache,mode=max' || '' }}
-      - uses: actions/attest-build-provenance@00014ed6ed5efc5b1ab7f7f34a39eb55d41aa4f8 # v3
+      - uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3
        id: attest
        if: ${{ steps.ev.outputs.shouldPush == 'true' }}
        with:
--- a/.github/workflows/ci-main-daily.yml
+++ b/.github/workflows/ci-main-daily.yml
@@ -18,7 +18,7 @@ jobs:
          - version-2025-4
          - version-2025-2
    steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
      - run: |
          current="$(pwd)"
          dir="/tmp/authentik/${{ matrix.version }}"
--- a/.github/workflows/ci-main.yml
+++ b/.github/workflows/ci-main.yml
@@ -37,7 +37,7 @@ jobs:
          - mypy
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
      - name: Setup authentik env
        uses: ./.github/actions/setup
      - name: run job
@@ -45,7 +45,7 @@ jobs:
  test-migrations:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
      - name: Setup authentik env
        uses: ./.github/actions/setup
      - name: run migrations
@@ -71,7 +71,7 @@ jobs:
          - 18-alpine
        run_id: [1, 2, 3, 4, 5]
    steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
        with:
          fetch-depth: 0
      - name: checkout stable
@@ -84,7 +84,7 @@ jobs:
          # Current version family based on
          current_version_family=$(cat internal/constants/VERSION | grep -vE -- 'rc[0-9]+$' || true)
          if [[ -n $current_version_family ]]; then
-              prev_stable=$current_version_family
+              prev_stable="version/${current_version_family}"
          fi
          echo "::notice::Checking out ${prev_stable} as stable version..."
          git checkout ${prev_stable}
@@ -95,7 +95,10 @@ jobs:
        with:
          postgresql_version: ${{ matrix.psql }}
      - name: run migrations to stable
-        run: uv run python -m lifecycle.migrate
+        run: |
+          docker ps
+          docker logs setup-postgresql-1
+          uv run python -m lifecycle.migrate
      - name: checkout current code
        run: |
          set -x
@@ -136,7 +139,7 @@ jobs:
          - 18-alpine
        run_id: [1, 2, 3, 4, 5]
    steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
      - name: Setup authentik env
        uses: ./.github/actions/setup
        with:
@@ -156,7 +159,7 @@ jobs:
    runs-on: ubuntu-latest
    timeout-minutes: 30
    steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
      - name: Setup authentik env
        uses: ./.github/actions/setup
      - name: Create k8s Kind Cluster
@@ -187,6 +190,8 @@ jobs:
            glob: tests/e2e/test_provider_saml* tests/e2e/test_source_saml*
          - name: ldap
            glob: tests/e2e/test_provider_ldap* tests/e2e/test_source_ldap*
+          - name: ws-fed
+            glob: tests/e2e/test_provider_ws_fed*
          - name: radius
            glob: tests/e2e/test_provider_radius*
          - name: scim
@@ -196,14 +201,14 @@ jobs:
          - name: endpoints
            glob: tests/e2e/test_endpoints_*
    steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
      - name: Setup authentik env
        uses: ./.github/actions/setup
      - name: Setup e2e env (chrome, etc)
        run: |
          docker compose -f tests/e2e/compose.yml up -d --quiet-pull
      - id: cache-web
-        uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v4
+        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v4
        with:
          path: web/dist
          key: ${{ runner.os }}-web-${{ hashFiles('web/package-lock.json', 'package-lock.json', 'web/src/**', 'web/packages/sfe/src/**') }}-b
@@ -236,7 +241,7 @@ jobs:
          - name: implicit
            glob: tests/openid_conformance/test_implicit.py
    steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
      - name: Setup authentik env
        uses: ./.github/actions/setup
      - name: Setup e2e env (chrome, etc)
@@ -246,7 +251,7 @@ jobs:
        run: |
          docker compose -f tests/openid_conformance/compose.yml up -d --quiet-pull
      - id: cache-web
-        uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v4
+        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v4
        with:
          path: web/dist
          key: ${{ runner.os }}-web-${{ hashFiles('web/package-lock.json', 'web/src/**', 'web/packages/sfe/src/**') }}-b
@@ -310,7 +315,7 @@ jobs:
      pull-requests: write
    timeout-minutes: 120
    steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - name: prepare variables
--- a/.github/workflows/ci-outpost.yml
+++ b/.github/workflows/ci-outpost.yml
@@ -21,8 +21,8 @@ jobs:
  lint-golint:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
-      - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
+      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6
        with:
          go-version-file: "go.mod"
      - name: Prepare and generate API
@@ -42,8 +42,8 @@ jobs:
  test-unittest:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
-      - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
+      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6
        with:
          go-version-file: "go.mod"
      - name: Setup authentik env
@@ -86,7 +86,7 @@ jobs:
      id-token: write
      attestations: write
    steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - name: Set up QEMU
@@ -102,7 +102,7 @@ jobs:
          image-name: ghcr.io/goauthentik/dev-${{ matrix.type }}
      - name: Login to Container Registry
        if: ${{ steps.ev.outputs.shouldPush == 'true' }}
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
@@ -122,7 +122,7 @@ jobs:
          context: .
          cache-from: type=registry,ref=ghcr.io/goauthentik/dev-${{ matrix.type }}:buildcache
          cache-to: ${{ steps.ev.outputs.shouldPush == 'true' && format('type=registry,ref=ghcr.io/goauthentik/dev-{0}:buildcache,mode=max', matrix.type) || '' }}
-      - uses: actions/attest-build-provenance@00014ed6ed5efc5b1ab7f7f34a39eb55d41aa4f8 # v3
+      - uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3
        id: attest
        if: ${{ steps.ev.outputs.shouldPush == 'true' }}
        with:
@@ -145,13 +145,13 @@ jobs:
        goos: [linux]
        goarch: [amd64, arm64]
    steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
        with:
          ref: ${{ github.event.pull_request.head.sha }}
-      - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6
+      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6
        with:
          go-version-file: "go.mod"
-      - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v5
+      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v5
        with:
          node-version-file: web/package.json
          cache: "npm"
--- a/.github/workflows/ci-web.yml
+++ b/.github/workflows/ci-web.yml
@@ -31,8 +31,8 @@ jobs:
          - command: lit-analyse
            project: web
    steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
-      - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v5
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
+      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v5
        with:
          node-version-file: ${{ matrix.project }}/package.json
          cache: "npm"
@@ -48,8 +48,8 @@ jobs:
  build:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
-      - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v5
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
+      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v5
        with:
          node-version-file: web/package.json
          cache: "npm"
@@ -76,8 +76,8 @@ jobs:
      - ci-web-mark
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
-      - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v5
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
+      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v5
        with:
          node-version-file: web/package.json
          cache: "npm"
--- a/.github/workflows/gen-image-compress.yml
+++ b/.github/workflows/gen-image-compress.yml
@@ -32,17 +32,17 @@ jobs:
        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
        with:
          app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
+          private-key: ${{ secrets.GH_APP_PRIV_KEY }}
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
        with:
          token: ${{ steps.generate_token.outputs.token }}
      - name: Compress images
        id: compress
-        uses: calibreapp/image-actions@420075c115b26f8785e293c5bd5bef0911c506e5 # main
+        uses: calibreapp/image-actions@d9c8ee5c3dc52ae4622c82ead88d658f4b16b65f # main
        with:
          GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
          compressOnly: ${{ github.event_name != 'pull_request' }}
-      - uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v7
+      - uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
        if: "${{ github.event_name != 'pull_request' && steps.compress.outputs.markdown != '' }}"
        id: cpr
        with:
--- a/.github/workflows/gen-update-webauthn-mds.yml
+++ b/.github/workflows/gen-update-webauthn-mds.yml
@@ -19,14 +19,14 @@ jobs:
        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
        with:
          app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
+          private-key: ${{ secrets.GH_APP_PRIV_KEY }}
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
        with:
          token: ${{ steps.generate_token.outputs.token }}
      - name: Setup authentik env
        uses: ./.github/actions/setup
      - run: uv run ak update_webauthn_mds
-      - uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v7
+      - uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
        id: cpr
        with:
          token: ${{ steps.generate_token.outputs.token }}
--- a/.github/workflows/gh-cherry-pick.yml
+++ b/.github/workflows/gh-cherry-pick.yml
@@ -14,10 +14,10 @@ jobs:
        if: ${{ env.GH_APP_ID != '' }}
        with:
          app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+          private-key: ${{ secrets.GH_APP_PRIV_KEY }}
        env:
          GH_APP_ID: ${{ secrets.GH_APP_ID }}
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
        if: ${{ steps.app-token.outcome != 'skipped' }}
        with:
          fetch-depth: 0
--- a/.github/workflows/gh-gha-cache-cleanup.yml
+++ b/.github/workflows/gh-gha-cache-cleanup.yml
@@ -16,7 +16,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Check out code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5

      - name: Cleanup
        run: |
--- a/.github/workflows/gh-ghcr-retention.yml
+++ b/.github/workflows/gh-ghcr-retention.yml
@@ -19,7 +19,7 @@ jobs:
        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
        with:
          app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+          private-key: ${{ secrets.GH_APP_PRIV_KEY }}
      - name: Delete 'dev' containers older than a week
        uses: snok/container-retention-policy@3b0972b2276b171b212f8c4efbca59ebba26eceb # v3.0.1
        with:
--- a/.github/workflows/packages-npm-publish.yml
+++ b/.github/workflows/packages-npm-publish.yml
@@ -31,16 +31,16 @@ jobs:
          - packages/docusaurus-config
          - packages/esbuild-plugin-live-reload
    steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
        with:
          fetch-depth: 2
-      - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v5
+      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v5
        with:
          node-version-file: ${{ matrix.package }}/package.json
          registry-url: "https://registry.npmjs.org"
      - name: Get changed files
        id: changed-files
-        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # 24d32ffd492484c1d75e0c0b894501ddb9d30d62
+        uses: tj-actions/changed-files@8cba46e29c11878d930bca7870bb54394d3e8b21 # 24d32ffd492484c1d75e0c0b894501ddb9d30d62
        with:
          files: |
            ${{ matrix.package }}/package.json
--- a/.github/workflows/qa-codeql.yml
+++ b/.github/workflows/qa-codeql.yml
@@ -24,7 +24,7 @@ jobs:
        language: ["go", "javascript", "python"]
    steps:
      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
      - name: Setup authentik env
        uses: ./.github/actions/setup
      - name: Initialize CodeQL
--- a/.github/workflows/qa-semgrep.yml
+++ b/.github/workflows/qa-semgrep.yml
@@ -26,5 +26,5 @@ jobs:
      image: semgrep/semgrep
    if: (github.actor != 'dependabot[bot]')
    steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
      - run: semgrep ci
--- a/.github/workflows/release-branch-off.yml
+++ b/.github/workflows/release-branch-off.yml
@@ -32,9 +32,9 @@ jobs:
        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
        with:
          app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+          private-key: ${{ secrets.GH_APP_PRIV_KEY }}
      - name: Checkout main
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
        with:
          ref: main
          token: "${{ steps.app-token.outputs.token }}"
@@ -60,9 +60,9 @@ jobs:
        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
        with:
          app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+          private-key: ${{ secrets.GH_APP_PRIV_KEY }}
      - name: Checkout main
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
        with:
          ref: main
          token: ${{ steps.generate_token.outputs.token }}
@@ -73,7 +73,7 @@ jobs:
      - name: Bump version
        run: "make bump version=${{ inputs.next_version }}.0-rc1"
      - name: Create pull request
-        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v7
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
        with:
          token: ${{ steps.generate_token.outputs.token }}
          branch: release-bump-${{ inputs.next_version }}
--- a/.github/workflows/release-next-branch.yml
+++ b/.github/workflows/release-next-branch.yml
@@ -15,7 +15,7 @@ jobs:
    runs-on: ubuntu-latest
    environment: internal-production
    steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
        with:
          ref: main
      - run: |
--- a/.github/workflows/release-publish.yml
+++ b/.github/workflows/release-publish.yml
@@ -31,7 +31,7 @@ jobs:
      id-token: write
      attestations: write
    steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
      - name: Set up QEMU
        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
      - name: Set up Docker Buildx
@@ -44,7 +44,7 @@ jobs:
        with:
          image-name: ghcr.io/goauthentik/docs
      - name: Login to GitHub Container Registry
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
@@ -58,7 +58,7 @@ jobs:
          push: true
          platforms: linux/amd64,linux/arm64
          context: .
-      - uses: actions/attest-build-provenance@00014ed6ed5efc5b1ab7f7f34a39eb55d41aa4f8 # v3
+      - uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3
        id: attest
        if: true
        with:
@@ -83,10 +83,15 @@ jobs:
          - radius
          - rac
    steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
-      - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
+      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6
        with:
          go-version-file: "go.mod"
+      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v5
+        with:
+          node-version-file: web/package.json
+          cache: "npm"
+          cache-dependency-path: web/package-lock.json
      - name: Set up QEMU
        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
      - name: Set up Docker Buildx
@@ -98,17 +103,17 @@ jobs:
          DOCKER_USERNAME: ${{ secrets.DOCKER_CORP_USERNAME }}
        with:
          image-name: ghcr.io/goauthentik/${{ matrix.type }},authentik/${{ matrix.type }}
-      - name: make empty clients
+      - name: Generate API Clients
        run: |
-          mkdir -p ./gen-ts-api
-          mkdir -p ./gen-go-api
+          make gen-client-ts
+          make gen-client-go
      - name: Docker Login Registry
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
        with:
          username: ${{ secrets.DOCKER_CORP_USERNAME }}
          password: ${{ secrets.DOCKER_CORP_PASSWORD }}
      - name: Login to GitHub Container Registry
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
@@ -124,7 +129,7 @@ jobs:
          file: lifecycle/container/${{ matrix.type }}.Dockerfile
          platforms: linux/amd64,linux/arm64
          context: .
-      - uses: actions/attest-build-provenance@00014ed6ed5efc5b1ab7f7f34a39eb55d41aa4f8 # v3
+      - uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3
        id: attest
        with:
          subject-name: ${{ steps.ev.outputs.attestImageNames }}
@@ -146,19 +151,26 @@ jobs:
        goos: [linux, darwin]
        goarch: [amd64, arm64]
    steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
-      - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
+      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6
        with:
          go-version-file: "go.mod"
-      - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v5
+      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v5
        with:
          node-version-file: web/package.json
          cache: "npm"
          cache-dependency-path: web/package-lock.json
-      - name: Build web
+      - name: Install web dependencies
        working-directory: web/
        run: |
          npm ci
+      - name: Generate API Clients
+        run: |
+          make gen-client-ts
+          make gen-client-go
+      - name: Build web
+        working-directory: web/
+        run: |
          npm run build-proxy
      - name: Build outpost
        run: |
@@ -186,8 +198,8 @@ jobs:
      AWS_REGION: eu-central-1
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
-      - uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708 # v5
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
+      - uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7 # v6.0.0
        with:
          role-to-assume: "arn:aws:iam::016170277896:role/github_goauthentik_authentik"
          aws-region: ${{ env.AWS_REGION }}
@@ -202,15 +214,15 @@ jobs:
      - build-outpost-binary
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
      - name: Run test suite in final docker images
        run: |
-          echo "PG_PASS=$(openssl rand 32 | base64 -w 0)" >> .env
-          echo "AUTHENTIK_SECRET_KEY=$(openssl rand 32 | base64 -w 0)" >> .env
-          docker compose pull -q
-          docker compose up --no-start
-          docker compose start postgresql
-          docker compose run -u root server test-all
+          echo "PG_PASS=$(openssl rand 32 | base64 -w 0)" >> lifecycle/container/.env
+          echo "AUTHENTIK_SECRET_KEY=$(openssl rand 32 | base64 -w 0)" >> lifecycle/container/.env
+          docker compose -f lifecycle/container/compose.yml pull -q
+          docker compose -f lifecycle/container/compose.yml up --no-start
+          docker compose -f lifecycle/container/compose.yml start postgresql
+          docker compose -f lifecycle/container/compose.yml run -u root server test-all
  sentry-release:
    needs:
      - build-server
@@ -218,7 +230,7 @@ jobs:
      - build-outpost-binary
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
      - name: prepare variables
        uses: ./.github/actions/docker-push-variables
        id: ev
--- a/.github/workflows/release-tag.yml
+++ b/.github/workflows/release-tag.yml
@@ -52,9 +52,11 @@ jobs:
    needs:
      - check-inputs
    steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
        with:
          ref: "version-${{ needs.check-inputs.outputs.major_version }}"
+      - name: Setup authentik env
+        uses: ./.github/actions/setup
      - run: make test-docker
  bump-authentik:
    name: Bump authentik version
@@ -68,13 +70,13 @@ jobs:
        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
        with:
          app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+          private-key: ${{ secrets.GH_APP_PRIV_KEY }}
      - id: get-user-id
        name: Get GitHub app user ID
        run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
        env:
          GH_TOKEN: "${{ steps.app-token.outputs.token }}"
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
        with:
          ref: "version-${{ needs.check-inputs.outputs.major_version }}"
          token: "${{ steps.app-token.outputs.token }}"
@@ -89,6 +91,7 @@ jobs:
          # ID from https://api.github.com/users/authentik-automation[bot]
          git config --global user.name '${{ steps.app-token.outputs.app-slug }}[bot]'
          git config --global user.email '${{ steps.get-user-id.outputs.user-id }}+${{ steps.app-token.outputs.app-slug }}[bot]@users.noreply.github.com'
+          git pull
          git commit -a -m "release: ${{ inputs.version }}" --allow-empty
          git tag "version/${{ inputs.version }}" HEAD -m "version/${{ inputs.version }}"
          git push --follow-tags
@@ -115,14 +118,14 @@ jobs:
        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
        with:
          app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+          private-key: ${{ secrets.GH_APP_PRIV_KEY }}
          repositories: helm
      - id: get-user-id
        name: Get GitHub app user ID
        run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
        env:
          GH_TOKEN: "${{ steps.app-token.outputs.token }}"
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
        with:
          repository: "${{ github.repository_owner }}/helm"
          token: "${{ steps.app-token.outputs.token }}"
@@ -134,7 +137,7 @@ jobs:
          sed -E -i 's/[0-9]{4}\.[0-9]{1,2}\.[0-9]+$/${{ inputs.version }}/' charts/authentik/Chart.yaml
          ./scripts/helm-docs.sh
      - name: Create pull request
-        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v7
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
        with:
          token: "${{ steps.app-token.outputs.token }}"
          branch: bump-${{ inputs.version }}
@@ -157,14 +160,14 @@ jobs:
        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
        with:
          app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+          private-key: ${{ secrets.GH_APP_PRIV_KEY }}
          repositories: version
      - id: get-user-id
        name: Get GitHub app user ID
        run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
        env:
          GH_TOKEN: "${{ steps.app-token.outputs.token }}"
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
        with:
          repository: "${{ github.repository_owner }}/version"
          token: "${{ steps.app-token.outputs.token }}"
@@ -172,24 +175,28 @@ jobs:
        if: "${{ inputs.release_reason == 'feature' }}"
        run: |
          changelog_url="https://docs.goauthentik.io/docs/releases/${{ needs.check-inputs.outputs.major_version }}"
+          reason="${{ inputs.release_reason }}"
          jq \
            --arg version "${{ inputs.version }}" \
            --arg changelog "See ${changelog_url}" \
            --arg changelog_url "${changelog_url}" \
-            '.stable.version = $version | .stable.changelog = $changelog | .stable.changelog_url = $changelog_url' version.json > version.new.json
+            --arg reason "${reason}" \
+            '.stable.version = $version | .stable.changelog = $changelog | .stable.changelog_url = $changelog_url | .stable.reason = $reason' version.json > version.new.json
          mv version.new.json version.json
      - name: Bump version
        if: "${{ inputs.release_reason != 'feature' }}"
        run: |
          changelog_url="https://docs.goauthentik.io/docs/releases/${{ needs.check-inputs.outputs.major_version }}#fixed-in-$(echo -n ${{ inputs.version}} | sed 's/\.//g')"
+          reason="${{ inputs.release_reason }}"
          jq \
            --arg version "${{ inputs.version }}" \
            --arg changelog "See ${changelog_url}" \
            --arg changelog_url "${changelog_url}" \
-            '.stable.version = $version | .stable.changelog = $changelog | .stable.changelog_url = $changelog_url' version.json > version.new.json
+            --arg reason "${reason}" \
+            '.stable.version = $version | .stable.changelog = $changelog | .stable.changelog_url = $changelog_url | .stable.reason = $reason' version.json > version.new.json
          mv version.new.json version.json
      - name: Create pull request
-        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v7
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
        with:
          token: "${{ steps.app-token.outputs.token }}"
          branch: bump-${{ inputs.version }}
--- a/.github/workflows/repo-stale.yml
+++ b/.github/workflows/repo-stale.yml
@@ -18,7 +18,7 @@ jobs:
        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
        with:
          app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+          private-key: ${{ secrets.GH_APP_PRIV_KEY }}
      - uses: actions/stale@997185467fa4f803885201cee163a9f38240193d # v10
        with:
          repo-token: ${{ steps.generate_token.outputs.token }}
--- a/.github/workflows/translation-extract-compile.yml
+++ b/.github/workflows/translation-extract-compile.yml
@@ -24,12 +24,12 @@ jobs:
        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
        with:
          app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
+          private-key: ${{ secrets.GH_APP_PRIV_KEY }}
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
        if: ${{ github.event_name != 'pull_request' }}
        with:
          token: ${{ steps.generate_token.outputs.token }}
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
        if: ${{ github.event_name == 'pull_request' }}
      - name: Setup authentik env
        uses: ./.github/actions/setup
@@ -44,7 +44,7 @@ jobs:
          make web-check-compile
      - name: Create Pull Request
        if: ${{ github.event_name != 'pull_request' }}
-        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v7
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
        with:
          token: ${{ steps.generate_token.outputs.token }}
          branch: extract-compile-backend-translation
--- a/133
+++ b/133
@@ -5,7 +5,6 @@ SHELL := /usr/bin/env bash
 PWD = $(shell pwd)
 UID = $(shell id -u)
 GID = $(shell id -g)
-NPM_VERSION = $(shell python -m scripts.generate_semver)
 PY_SOURCES = authentik packages tests scripts lifecycle .github
 DOCKER_IMAGE ?= "authentik:test"

@@ -20,24 +19,42 @@ GEN_API_TS = gen-ts-api
 GEN_API_PY = gen-py-api
 GEN_API_GO = gen-go-api

-pg_user := $(shell uv run python -m authentik.lib.config postgresql.user 2>/dev/null)
-pg_host := $(shell uv run python -m authentik.lib.config postgresql.host 2>/dev/null)
-pg_name := $(shell uv run python -m authentik.lib.config postgresql.name 2>/dev/null)
+BREW_LDFLAGS :=
+BREW_CPPFLAGS :=
+BREW_PKG_CONFIG_PATH :=
+
+UV := uv

 # For macOS users, add the libxml2 installed from brew libxmlsec1 to the build path
 # to prevent SAML-related tests from failing and ensure correct pip dependency compilation
-# These functions are only evaluated when called in specific targets
-LIBXML2_EXISTS = $(shell brew list libxml2 2> /dev/null)
-KRB5_EXISTS = $(shell brew list krb5 2> /dev/null)
+ifeq ($(UNAME_S),Darwin)
+# Only add for brew users who installed libxmlsec1
+	BREW_EXISTS := $(shell command -v brew 2> /dev/null)
+	ifdef BREW_EXISTS
+		LIBXML2_EXISTS := $(shell brew list libxml2 2> /dev/null)
+		ifdef LIBXML2_EXISTS
+			_xml_pref := $(shell brew --prefix libxml2)
+			BREW_LDFLAGS += -L${_xml_pref}/lib
+			BREW_CPPFLAGS += -I${_xml_pref}/include
+			BREW_PKG_CONFIG_PATH = ${_xml_pref}/lib/pkgconfig:$(PKG_CONFIG_PATH)
+		endif
+		KRB5_EXISTS := $(shell brew list krb5 2> /dev/null)
+		ifdef KRB5_EXISTS
+			_krb5_pref := $(shell brew --prefix krb5)
+			BREW_LDFLAGS += -L${_krb5_pref}/lib
+			BREW_CPPFLAGS += -I${_krb5_pref}/include
+			BREW_PKG_CONFIG_PATH = ${_krb5_pref}/lib/pkgconfig:$(PKG_CONFIG_PATH)
+		endif
+		UV := LDFLAGS="$(BREW_LDFLAGS)" CPPFLAGS="$(BREW_CPPFLAGS)" PKG_CONFIG_PATH="$(BREW_PKG_CONFIG_PATH)" uv
+	endif
+endif

-LIBXML2_LDFLAGS = -L$(shell brew --prefix libxml2)/lib $(LDFLAGS)
-LIBXML2_CPPFLAGS = -I$(shell brew --prefix libxml2)/include $(CPPFLAGS)
-LIBXML2_PKG_CONFIG = $(shell brew --prefix libxml2)/lib/pkgconfig:$(PKG_CONFIG_PATH)
-
-KRB_PATH =
-
-ifneq ($(KRB5_EXISTS),)
-	KRB_PATH = PATH="$(shell brew --prefix krb5)/sbin:$(shell brew --prefix krb5)/bin:$$PATH"
+NPM_VERSION :=
+UV_EXISTS := $(shell command -v uv 2> /dev/null)
+ifdef UV_EXISTS
+	NPM_VERSION := $(shell $(UV) run python -m scripts.generate_semver)
+else
+	NPM_VERSION = $(shell python -m scripts.generate_semver)
 endif

 all: lint-fix lint gen web test  ## Lint, build, and test everything
@@ -56,47 +73,46 @@ go-test:
 	go test -timeout 0 -v -race -cover ./...

 test: ## Run the server tests and produce a coverage report (locally)
-	$(KRB_PATH) uv run coverage run manage.py test --keepdb $(or $(filter-out $@,$(MAKECMDGOALS)),authentik)
-	uv run coverage html
-	uv run coverage report
+	$(UV) run coverage run manage.py test --keepdb $(or $(filter-out $@,$(MAKECMDGOALS)),authentik)
+	$(UV) run coverage html
+	$(UV) run coverage report

 lint-fix: lint-codespell  ## Lint and automatically fix errors in the python source code. Reports spelling errors.
-	uv run black $(PY_SOURCES)
-	uv run ruff check --fix $(PY_SOURCES)
+	$(UV) run black $(PY_SOURCES)
+	$(UV) run ruff check --fix $(PY_SOURCES)

 lint-codespell:  ## Reports spelling errors.
-	uv run codespell -w
+	$(UV) run codespell -w

-lint: ## Lint the python and golang sources
-	uv run bandit -c pyproject.toml -r $(PY_SOURCES)
+lint: ci-bandit ci-mypy ## Lint the python and golang sources
 	golangci-lint run -v

 core-install:
-ifneq ($(LIBXML2_EXISTS),)
+ifdef ($(BREW_EXISTS))
 # Clear cache to ensure fresh compilation
-	uv cache clean
+	$(UV) cache clean
 # Force compilation from source for lxml and xmlsec with correct environment
-	LDFLAGS="$(LIBXML2_LDFLAGS)" CPPFLAGS="$(LIBXML2_CPPFLAGS)" PKG_CONFIG_PATH="$(LIBXML2_PKG_CONFIG)" uv sync --frozen --reinstall-package lxml --reinstall-package xmlsec --no-binary-package lxml --no-binary-package xmlsec
+	$(UV) sync --frozen --reinstall-package lxml --reinstall-package xmlsec --no-binary-package lxml --no-binary-package xmlsec
 else
-	uv sync --frozen
+	$(UV) sync --frozen
 endif

 migrate: ## Run the Authentik Django server's migrations
-	uv run python -m lifecycle.migrate
+	$(UV) run python -m lifecycle.migrate

 i18n-extract: core-i18n-extract web-i18n-extract  ## Extract strings that require translation into files to send to a translation service

 aws-cfn:
-	cd lifecycle/aws && npm i && uv run npm run aws-cfn
+	cd lifecycle/aws && npm i && $(UV) run npm run aws-cfn

 run-server:  ## Run the main authentik server process
-	uv run ak server
+	$(UV) run ak server

 run-worker:  ## Run the main authentik worker process
-	uv run ak worker
+	$(UV) run ak worker

 core-i18n-extract:
-	uv run ak makemessages \
+	$(UV) run ak makemessages \
 		--add-location file \
 		--no-obsolete \
 		--ignore web \
@@ -109,11 +125,17 @@ core-i18n-extract:
 install: node-install docs-install core-install  ## Install all requires dependencies for `node`, `docs` and `core`

 dev-drop-db:
+	$(eval pg_user := $(shell $(UV) run python -m authentik.lib.config postgresql.user 2>/dev/null))
+	$(eval pg_host := $(shell $(UV) run python -m authentik.lib.config postgresql.host 2>/dev/null))
+	$(eval pg_name := $(shell $(UV) run python -m authentik.lib.config postgresql.name 2>/dev/null))
 	dropdb -U ${pg_user} -h ${pg_host} ${pg_name} || true
 	# Also remove the test-db if it exists
 	dropdb -U ${pg_user} -h ${pg_host} test_${pg_name} || true

 dev-create-db:
+	$(eval pg_user := $(shell $(UV) run python -m authentik.lib.config postgresql.user 2>/dev/null))
+	$(eval pg_host := $(shell $(UV) run python -m authentik.lib.config postgresql.host 2>/dev/null))
+	$(eval pg_name := $(shell $(UV) run python -m authentik.lib.config postgresql.name 2>/dev/null))
 	createdb -U ${pg_user} -h ${pg_host} ${pg_name}

 dev-reset: dev-drop-db dev-create-db migrate  ## Drop and restore the Authentik PostgreSQL instance to a "fresh install" state.
@@ -126,11 +148,11 @@ bump:  ## Bump authentik version. Usage: make bump version=20xx.xx.xx
 ifndef version
 	$(error Usage: make bump version=20xx.xx.xx )
 endif
-	$(SED_INPLACE) 's/^version = ".*"/version = "$(version)"/' pyproject.toml
-	$(SED_INPLACE) 's/^VERSION = ".*"/VERSION = "$(version)"/' authentik/__init__.py
+	$(eval current_version := $(shell cat ${PWD}/internal/constants/VERSION))
+	$(SED_INPLACE) 's/^version = ".*"/version = "$(version)"/' ${PWD}/pyproject.toml
+	$(SED_INPLACE) 's/^VERSION = ".*"/VERSION = "$(version)"/' ${PWD}/authentik/__init__.py
 	$(MAKE) gen-build gen-compose aws-cfn
-	npm version --no-git-tag-version --allow-same-version $(version)
-	cd ${PWD}/web && npm version --no-git-tag-version --allow-same-version $(version)
+	$(SED_INPLACE) "s/\"${current_version}\"/\"$(version)\"/" ${PWD}/package.json ${PWD}/package-lock.json ${PWD}/web/package.json ${PWD}/web/package-lock.json
 	echo -n $(version) > ${PWD}/internal/constants/VERSION

 #########################
@@ -141,10 +163,10 @@ gen-build:  ## Extract the schema from the database
 	AUTHENTIK_DEBUG=true \
 		AUTHENTIK_TENANTS__ENABLED=true \
 		AUTHENTIK_OUTPOSTS__DISABLE_EMBEDDED_OUTPOST=true \
-		uv run ak build_schema
+		$(UV) run ak build_schema

 gen-compose:
-	uv run scripts/generate_compose.py
+	$(UV) run scripts/generate_compose.py

 gen-changelog:  ## (Release) generate the changelog based from the commits since the last tag
 	git log --pretty=format:" - %s" $(shell git describe --tags $(shell git rev-list --tags --max-count=1))...$(shell git branch --show-current) | sort > changelog.md
@@ -191,28 +213,19 @@ gen-client-ts: gen-clean-ts  ## Build and install the authentik API for Typescri

 gen-client-py: gen-clean-py ## Build and install the authentik API for Python
 	mkdir -p ${PWD}/${GEN_API_PY}
-ifeq ($(wildcard ${PWD}/${GEN_API_PY}/.*),)
 	git clone --depth 1 https://github.com/goauthentik/client-python.git ${PWD}/${GEN_API_PY}
-else
-	cd ${PWD}/${GEN_API_PY} && git pull
-endif
 	cp ${PWD}/schema.yml ${PWD}/${GEN_API_PY}
 	make -C ${PWD}/${GEN_API_PY} build version=${NPM_VERSION}

-gen-client-go:  ## Build and install the authentik API for Golang
+gen-client-go: gen-clean-go  ## Build and install the authentik API for Golang
 	mkdir -p ${PWD}/${GEN_API_GO}
-ifeq ($(wildcard ${PWD}/${GEN_API_GO}/.*),)
 	git clone --depth 1 https://github.com/goauthentik/client-go.git ${PWD}/${GEN_API_GO}
-else
-	cd ${PWD}/${GEN_API_GO} && git reset --hard
-	cd ${PWD}/${GEN_API_GO} && git pull
-endif
 	cp ${PWD}/schema.yml ${PWD}/${GEN_API_GO}
-	make -C ${PWD}/${GEN_API_GO} build
+	make -C ${PWD}/${GEN_API_GO} build version=${NPM_VERSION}
 	go mod edit -replace goauthentik.io/api/v3=./${GEN_API_GO}

 gen-dev-config:  ## Generate a local development config file
-	uv run scripts/generate_config.py
+	$(UV) run scripts/generate_config.py

 gen: gen-build gen-client-ts

@@ -308,28 +321,28 @@ test-docker:
 # which makes the YAML File a lot smaller

 ci--meta-debug:
-	python -V
+	$(UV) run python -V
 	node --version

 ci-mypy: ci--meta-debug
-	uv run mypy --strict $(PY_SOURCES)
+	$(UV) run mypy --strict $(PY_SOURCES)

 ci-black: ci--meta-debug
-	uv run black --check $(PY_SOURCES)
+	$(UV) run black --check $(PY_SOURCES)

 ci-ruff: ci--meta-debug
-	uv run ruff check $(PY_SOURCES)
+	$(UV) run ruff check $(PY_SOURCES)

 ci-codespell: ci--meta-debug
-	uv run codespell -s
+	$(UV) run codespell -s

 ci-bandit: ci--meta-debug
-	uv run bandit -r $(PY_SOURCES)
+	$(UV) run bandit -c pyproject.toml -r $(PY_SOURCES) -iii

 ci-pending-migrations: ci--meta-debug
-	uv run ak makemigrations --check
+	$(UV) run ak makemigrations --check

 ci-test: ci--meta-debug
-	uv run coverage run manage.py test --keepdb authentik
-	uv run coverage report
-	uv run coverage xml
+	$(UV) run coverage run manage.py test --keepdb authentik
+	$(UV) run coverage report
+	$(UV) run coverage xml
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -18,10 +18,10 @@ Even if the issue is not a CVE, we still greatly appreciate your help in hardeni

 (.x being the latest patch release for each version)

-| Version    | Supported  |
-| ---------- | ---------- |
-| 2025.8.x   | ✅         |
-| 2025.10.x  | ✅         |
+| Version   | Supported |
+| --------- | --------- |
+| 2025.12.x | ✅        |
+| 2026.2.x  | ✅        |

 ## Reporting a Vulnerability

@@ -60,6 +60,40 @@ authentik reserves the right to reclassify CVSS as necessary. To determine sever
 | 7.0 – 8.9  | High     |
 | 9.0 – 10.0 | Critical |

+## Intended functionality
+
+The following capabilities are part of intentional system design and should not be reported as security vulnerabilities:
+
+- Expressions (property mappings/policies/prompts) can execute arbitrary Python code without safeguards.
+
+This is expected behavior. Any user with permission to create or modify objects containing expression fields can write code that is executed within authentik. If a vulnerability allows a user without the required permissions to write or modify code and have it executed, that would be a valid security report.
+
+However, the fact that expressions are executed as part of normal operations is not considered a privilege escalation or security vulnerability.
+
+- Blueprints can access all files on the filesystem.
+
+This access is intentional to allow legitimate configuration and deployment tasks. It does not represent a security problem by itself.
+
+- Importing blueprints allows arbitrary modification of application objects.
+
+This is intended functionality. This behavior reflects the privileged design of blueprint imports. It is "exploitable" when importing blueprints from untrusted sources without reviewing the blueprint beforehand. However, any method to create, modify or execute blueprints without the required permissions would be a valid security report.
+
+- Flow imports may contain objects other than flows (such as policies, users, groups, etc.)
+
+This is expected behavior as flow imports are blueprint files.
+
+- Prompt HTML is not escaped.
+
+Prompts intentionally allow raw HTML, including script tags, so they can be used to create interactive or customized user interface elements. Because of this, scripts within prompts may affect or interact with the surrounding page as designed.
+
+- Open redirects that do not include tokens or other sensitive information are not considered a security vulnerability.
+
+Redirects that only change navigation flow and do not expose session tokens, API keys, or other confidential data are considered acceptable and do not require reporting.
+
+- Outgoing network requests are not filtered.
+
+The destinations of outgoing network requests (HTTP, TCP, etc.) made by authentik to configurable endpoints through objects such as OAuth Sources, SSO Providers, and others are not validated. Depending on your threat model, these requests should be restricted at the network level using appropriate firewall or network policies.
+
 ## Disclosure process

 1. Report from Github or Issue is reported via Email as listed above.
--- a/authentik/init.py
+++ b/authentik/init.py
@@ -3,7 +3,7 @@
 from functools import lru_cache
 from os import environ

-VERSION = "2026.2.0-rc1"
+VERSION = "2026.2.3-rc1"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"


--- a/authentik/admin/api/system.py
+++ b/authentik/admin/api/system.py
@@ -18,7 +18,6 @@ from rest_framework.views import APIView

 from authentik import authentik_full_version
 from authentik.core.api.utils import PassiveSerializer
-from authentik.enterprise.license import LicenseKey
 from authentik.lib.config import CONFIG
 from authentik.lib.utils.reflection import get_env
 from authentik.outposts.apps import MANAGED_OUTPOST
@@ -26,6 +25,15 @@ from authentik.outposts.models import Outpost
 from authentik.rbac.permissions import HasPermission


+def fips_enabled():
+    try:
+        from authentik.enterprise.license import LicenseKey
+
+        return backend._fips_enabled if LicenseKey.get_total().status().is_valid else None
+    except ModuleNotFoundError:
+        return None
+
+
 class RuntimeDict(TypedDict):
    """Runtime information"""

@@ -80,9 +88,7 @@ class SystemInfoSerializer(PassiveSerializer):
            "architecture": platform.machine(),
            "authentik_version": authentik_full_version(),
            "environment": get_env(),
-            "openssl_fips_enabled": (
-                backend._fips_enabled if LicenseKey.get_total().status().is_valid else None
-            ),
+            "openssl_fips_enabled": fips_enabled(),
            "openssl_version": OPENSSL_VERSION,
            "platform": platform.platform(),
            "python_version": python_version,
--- a/authentik/admin/files/api.py
+++ b/authentik/admin/files/api.py
@@ -1,5 +1,3 @@
-import mimetypes
-
 from django.db.models import Q
 from django.utils.translation import gettext as _
 from drf_spectacular.utils import extend_schema
@@ -12,13 +10,14 @@ from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.views import APIView

+from authentik.admin.files.backends.base import get_content_type
 from authentik.admin.files.fields import FileField as AkFileField
 from authentik.admin.files.manager import get_file_manager
 from authentik.admin.files.usage import FileApiUsage
 from authentik.admin.files.validation import validate_upload_file_name
 from authentik.api.validation import validate
 from authentik.core.api.used_by import DeleteAction, UsedBySerializer
-from authentik.core.api.utils import PassiveSerializer
+from authentik.core.api.utils import PassiveSerializer, ThemedUrlsSerializer
 from authentik.events.models import Event, EventAction
 from authentik.lib.utils.reflection import get_apps
 from authentik.rbac.permissions import HasPermission
@@ -26,11 +25,6 @@ from authentik.rbac.permissions import HasPermission
 MAX_FILE_SIZE_BYTES = 25 * 1024 * 1024  # 25MB


-def get_mime_from_filename(filename: str) -> str:
-    mime_type, _ = mimetypes.guess_type(filename)
-    return mime_type or "application/octet-stream"
-
-
 class FileView(APIView):
    pagination_class = None
    parser_classes = [MultiPartParser]
@@ -53,6 +47,7 @@ class FileView(APIView):
        name = CharField()
        mime_type = CharField()
        url = CharField()
+        themed_urls = ThemedUrlsSerializer(required=False, allow_null=True)

    @extend_schema(
        parameters=[FileListParameters],
@@ -80,8 +75,9 @@ class FileView(APIView):
            FileView.FileListSerializer(
                data={
                    "name": file,
-                    "url": manager.file_url(file),
-                    "mime_type": get_mime_from_filename(file),
+                    "url": manager.file_url(file, request),
+                    "mime_type": get_content_type(file),
+                    "themed_urls": manager.themed_urls(file, request),
                }
            )
            for file in files
@@ -150,7 +146,7 @@ class FileView(APIView):
                "pk": name,
                "name": name,
                "usage": usage.value,
-                "mime_type": get_mime_from_filename(name),
+                "mime_type": get_content_type(name),
            },
        ).from_http(request)

--- a/authentik/admin/files/backends/base.py
+++ b/authentik/admin/files/backends/base.py
@@ -1,3 +1,4 @@
+import mimetypes
 from collections.abc import Callable, Generator, Iterator
 from typing import cast

@@ -10,6 +11,32 @@ from authentik.admin.files.usage import FileUsage
 CACHE_PREFIX = "goauthentik.io/admin/files"
 LOGGER = get_logger()

+# Theme variable placeholder for theme-specific files like logo-%(theme)s.png
+THEME_VARIABLE = "%(theme)s"
+
+
+def get_content_type(name: str) -> str:
+    """Get MIME type for a file based on its extension."""
+    content_type, _ = mimetypes.guess_type(name)
+    return content_type or "application/octet-stream"
+
+
+def get_valid_themes() -> list[str]:
+    """Get valid themes that can be substituted for %(theme)s."""
+    from authentik.brands.api import Themes
+
+    return [t.value for t in Themes if t != Themes.AUTOMATIC]
+
+
+def has_theme_variable(name: str) -> bool:
+    """Check if filename contains %(theme)s variable."""
+    return THEME_VARIABLE in name
+
+
+def substitute_theme(name: str, theme: str) -> str:
+    """Replace %(theme)s with the given theme."""
+    return name.replace(THEME_VARIABLE, theme)
+

 class Backend:
    """
@@ -75,6 +102,29 @@ class Backend:
        """
        raise NotImplementedError

+    def themed_urls(
+        self,
+        name: str,
+        request: HttpRequest | None = None,
+    ) -> dict[str, str] | None:
+        """
+        Get URLs for each theme variant when filename contains %(theme)s.
+
+        Args:
+            name: File path potentially containing %(theme)s
+            request: Optional Django HttpRequest for URL building
+
+        Returns:
+            Dict mapping theme to URL if %(theme)s present, None otherwise
+        """
+        if not has_theme_variable(name):
+            return None
+
+        return {
+            theme: self.file_url(substitute_theme(name, theme), request, use_cache=True)
+            for theme in get_valid_themes()
+        }
+

 class ManageableBackend(Backend):
    """
--- a/authentik/admin/files/backends/file.py
+++ b/authentik/admin/files/backends/file.py
@@ -45,8 +45,13 @@ class FileBackend(ManageableBackend):

    @property
    def manageable(self) -> bool:
+        # Check _base_dir (the mount point, e.g. /data) rather than base_path
+        # (which includes usage/schema subdirs, e.g. /data/media/public).
+        # The subdirectories are created on first file write via mkdir(parents=True)
+        # in save_file(), so requiring them to exist beforehand would prevent
+        # file creation on fresh installs.
        return (
-            self.base_path.exists()
+            self._base_dir.exists()
            and (self._base_dir.is_mount() or (self._base_dir / self.usage.value).is_mount())
            or (settings.DEBUG or settings.TEST)
        )
--- a/authentik/admin/files/backends/passthrough.py
+++ b/authentik/admin/files/backends/passthrough.py
@@ -46,3 +46,25 @@ class PassthroughBackend(Backend):
    ) -> str:
        """Return the URL as-is for passthrough files."""
        return name
+
+    def themed_urls(
+        self,
+        name: str,
+        request: HttpRequest | None = None,
+    ) -> dict[str, str] | None:
+        """Support themed URLs for external URLs with %(theme)s placeholder.
+
+        If the external URL contains %(theme)s, substitute it for each theme.
+        We can't verify that themed variants exist at the external location,
+        but we trust the user to provide valid URLs.
+        """
+        from authentik.admin.files.backends.base import (
+            get_valid_themes,
+            has_theme_variable,
+            substitute_theme,
+        )
+
+        if not has_theme_variable(name):
+            return None
+
+        return {theme: substitute_theme(name, theme) for theme in get_valid_themes()}
--- a/authentik/admin/files/backends/s3.py
+++ b/authentik/admin/files/backends/s3.py
@@ -9,7 +9,7 @@ from botocore.exceptions import ClientError
 from django.db import connection
 from django.http.request import HttpRequest

-from authentik.admin.files.backends.base import ManageableBackend
+from authentik.admin.files.backends.base import ManageableBackend, get_content_type
 from authentik.admin.files.usage import FileUsage
 from authentik.lib.config import CONFIG
 from authentik.lib.utils.time import timedelta_from_string
@@ -173,7 +173,22 @@ class S3Backend(ManageableBackend):
            if custom_domain:
                parsed = urlsplit(url)
                scheme = "https" if use_https else "http"
-                url = f"{scheme}://{custom_domain}{parsed.path}?{parsed.query}"
+                path = parsed.path
+
+                # When using path-style addressing, the presigned URL contains the bucket
+                # name in the path (e.g., /bucket-name/key). Since custom_domain must
+                # include the bucket name (per docs), strip it from the path to avoid
+                # duplication. See: https://github.com/goauthentik/authentik/issues/19521
+                # Check with trailing slash to ensure exact bucket name match
+                if path.startswith(f"/{self.bucket_name}/"):
+                    path = path.removeprefix(f"/{self.bucket_name}")
+
+                # Normalize to avoid double slashes
+                custom_domain = custom_domain.rstrip("/")
+                if not path.startswith("/"):
+                    path = f"/{path}"
+
+                url = f"{scheme}://{custom_domain}{path}?{parsed.query}"

            return url

@@ -189,6 +204,7 @@ class S3Backend(ManageableBackend):
            Key=f"{self.base_path}/{name}",
            Body=content,
            ACL="private",
+            ContentType=get_content_type(name),
        )

    @contextmanager
@@ -204,6 +220,7 @@ class S3Backend(ManageableBackend):
                Key=f"{self.base_path}/{name}",
                ExtraArgs={
                    "ACL": "private",
+                    "ContentType": get_content_type(name),
                },
            )

--- a/authentik/admin/files/backends/tests/test_file_backend.py
+++ b/authentik/admin/files/backends/tests/test_file_backend.py
@@ -165,3 +165,31 @@ class TestFileBackend(FileTestFileBackendMixin, TestCase):
    def test_file_exists_false(self):
        """Test file_exists returns False for nonexistent file"""
        self.assertFalse(self.backend.file_exists("does_not_exist.txt"))
+
+    def test_themed_urls_without_theme_variable(self):
+        """Test themed_urls returns None when filename has no %(theme)s"""
+        file_name = "logo.png"
+        result = self.backend.themed_urls(file_name)
+        self.assertIsNone(result)
+
+    def test_themed_urls_with_theme_variable(self):
+        """Test themed_urls returns dict of URLs for each theme"""
+        file_name = "logo-%(theme)s.png"
+        result = self.backend.themed_urls(file_name)
+
+        self.assertIsInstance(result, dict)
+        self.assertIn("light", result)
+        self.assertIn("dark", result)
+
+        # Check URLs contain the substituted theme
+        self.assertIn("logo-light.png", result["light"])
+        self.assertIn("logo-dark.png", result["dark"])
+
+    def test_themed_urls_multiple_theme_variables(self):
+        """Test themed_urls with multiple %(theme)s in path"""
+        file_name = "%(theme)s/logo-%(theme)s.svg"
+        result = self.backend.themed_urls(file_name)
+
+        self.assertIsInstance(result, dict)
+        self.assertIn("light/logo-light.svg", result["light"])
+        self.assertIn("dark/logo-dark.svg", result["dark"])
--- a/authentik/admin/files/backends/tests/test_s3_backend.py
+++ b/authentik/admin/files/backends/tests/test_s3_backend.py
@@ -110,3 +110,106 @@ class TestS3Backend(FileTestS3BackendMixin, TestCase):
        """Test S3Backend with REPORTS usage"""
        self.assertEqual(self.reports_s3_backend.usage, FileUsage.REPORTS)
        self.assertEqual(self.reports_s3_backend.base_path, "reports/public")
+
+    @CONFIG.patch("storage.s3.secure_urls", True)
+    @CONFIG.patch("storage.s3.addressing_style", "path")
+    def test_file_url_custom_domain_with_bucket_no_duplicate(self):
+        """Test file_url doesn't duplicate bucket name when custom_domain includes bucket.
+
+        Regression test for https://github.com/goauthentik/authentik/issues/19521
+
+        When using:
+        - Path-style addressing (bucket name goes in URL path, not subdomain)
+        - Custom domain that includes the bucket name (e.g., s3.example.com/bucket-name)
+
+        The bucket name should NOT appear twice in the final URL.
+
+        Example of the bug:
+        - custom_domain = "s3.example.com/authentik-media"
+        - boto3 presigned URL = "http://s3.example.com/authentik-media/media/public/file.png?..."
+        - Buggy result = "https://s3.example.com/authentik-media/authentik-media/media/public/file.png?..."
+        """
+        bucket_name = self.media_s3_bucket_name
+
+        # Custom domain includes the bucket name
+        custom_domain = f"localhost:8020/{bucket_name}"
+
+        with CONFIG.patch("storage.media.s3.custom_domain", custom_domain):
+            url = self.media_s3_backend.file_url("application-icons/test.svg", use_cache=False)
+
+        # The bucket name should appear exactly once in the URL path, not twice
+        bucket_occurrences = url.count(bucket_name)
+        self.assertEqual(
+            bucket_occurrences,
+            1,
+            f"Bucket name '{bucket_name}' appears {bucket_occurrences} times in URL, expected 1. "
+            f"URL: {url}",
+        )
+
+    def test_themed_urls_without_theme_variable(self):
+        """Test themed_urls returns None when filename has no %(theme)s"""
+        result = self.media_s3_backend.themed_urls("logo.png")
+        self.assertIsNone(result)
+
+    def test_themed_urls_with_theme_variable(self):
+        """Test themed_urls returns dict of presigned URLs for each theme"""
+        result = self.media_s3_backend.themed_urls("logo-%(theme)s.png")
+
+        self.assertIsInstance(result, dict)
+        self.assertIn("light", result)
+        self.assertIn("dark", result)
+
+        # Check URLs are valid presigned URLs with correct file paths
+        self.assertIn("logo-light.png", result["light"])
+        self.assertIn("logo-dark.png", result["dark"])
+        self.assertIn("X-Amz-Signature=", result["light"])
+        self.assertIn("X-Amz-Signature=", result["dark"])
+
+    def test_themed_urls_multiple_theme_variables(self):
+        """Test themed_urls with multiple %(theme)s in path"""
+        result = self.media_s3_backend.themed_urls("%(theme)s/logo-%(theme)s.svg")
+
+        self.assertIsInstance(result, dict)
+        self.assertIn("light/logo-light.svg", result["light"])
+        self.assertIn("dark/logo-dark.svg", result["dark"])
+
+    def test_save_file_sets_content_type_svg(self):
+        """Test save_file sets correct ContentType for SVG files"""
+        self.media_s3_backend.save_file("test.svg", b"<svg></svg>")
+
+        response = self.media_s3_backend.client.head_object(
+            Bucket=self.media_s3_bucket_name,
+            Key="media/public/test.svg",
+        )
+        self.assertEqual(response["ContentType"], "image/svg+xml")
+
+    def test_save_file_sets_content_type_png(self):
+        """Test save_file sets correct ContentType for PNG files"""
+        self.media_s3_backend.save_file("test.png", b"\x89PNG\r\n\x1a\n")
+
+        response = self.media_s3_backend.client.head_object(
+            Bucket=self.media_s3_bucket_name,
+            Key="media/public/test.png",
+        )
+        self.assertEqual(response["ContentType"], "image/png")
+
+    def test_save_file_stream_sets_content_type(self):
+        """Test save_file_stream sets correct ContentType"""
+        with self.media_s3_backend.save_file_stream("test.css") as f:
+            f.write(b"body { color: red; }")
+
+        response = self.media_s3_backend.client.head_object(
+            Bucket=self.media_s3_bucket_name,
+            Key="media/public/test.css",
+        )
+        self.assertEqual(response["ContentType"], "text/css")
+
+    def test_save_file_unknown_extension_octet_stream(self):
+        """Test save_file sets octet-stream for unknown extensions"""
+        self.media_s3_backend.save_file("test.unknownext123", b"data")
+
+        response = self.media_s3_backend.client.head_object(
+            Bucket=self.media_s3_bucket_name,
+            Key="media/public/test.unknownext123",
+        )
+        self.assertEqual(response["ContentType"], "application/octet-stream")
--- a/authentik/admin/files/manager.py
+++ b/authentik/admin/files/manager.py
@@ -88,6 +88,28 @@ class FileManager:
        LOGGER.warning(f"Could not find file backend for file: {name}")
        return ""

+    def themed_urls(
+        self,
+        name: str | None,
+        request: HttpRequest | Request | None = None,
+    ) -> dict[str, str] | None:
+        """
+        Get URLs for each theme variant when filename contains %(theme)s.
+
+        Returns dict mapping theme to URL if %(theme)s present, None otherwise.
+        """
+        if not name:
+            return None
+
+        if isinstance(request, Request):
+            request = request._request
+
+        for backend in self.backends:
+            if backend.supports_file(name):
+                return backend.themed_urls(name, request)
+
+        return None
+
    def _check_manageable(self) -> None:
        if not self.manageable:
            raise ImproperlyConfigured("No file management backend configured.")
--- a/authentik/admin/files/tests/test_api.py
+++ b/authentik/admin/files/tests/test_api.py
@@ -5,7 +5,6 @@ from io import BytesIO
 from django.test import TestCase
 from django.urls import reverse

-from authentik.admin.files.api import get_mime_from_filename
 from authentik.admin.files.manager import FileManager
 from authentik.admin.files.tests.utils import FileTestFileBackendMixin
 from authentik.admin.files.usage import FileUsage
@@ -94,8 +93,9 @@ class TestFileAPI(FileTestFileBackendMixin, TestCase):
        self.assertIn(
            {
                "name": "/static/authentik/sources/ldap.png",
-                "url": "/static/authentik/sources/ldap.png",
+                "url": "http://testserver/static/authentik/sources/ldap.png",
                "mime_type": "image/png",
+                "themed_urls": None,
            },
            response.data,
        )
@@ -129,8 +129,9 @@ class TestFileAPI(FileTestFileBackendMixin, TestCase):
        self.assertIn(
            {
                "name": "/static/authentik/sources/ldap.png",
-                "url": "/static/authentik/sources/ldap.png",
+                "url": "http://testserver/static/authentik/sources/ldap.png",
                "mime_type": "image/png",
+                "themed_urls": None,
            },
            response.data,
        )
@@ -200,30 +201,64 @@ class TestFileAPI(FileTestFileBackendMixin, TestCase):
        self.assertEqual(response.status_code, 400)
        self.assertIn("field is required", str(response.data))

+    def test_list_files_includes_themed_urls_none(self):
+        """Test listing files includes themed_urls as None for non-themed files"""
+        manager = FileManager(FileUsage.MEDIA)
+        file_name = "test-no-theme.png"
+        manager.save_file(file_name, b"test content")

-class TestGetMimeFromFilename(TestCase):
-    """Test get_mime_from_filename function"""
+        response = self.client.get(
+            reverse("authentik_api:files", query={"search": file_name, "manageableOnly": "true"})
+        )

-    def test_image_png(self):
-        """Test PNG image MIME type"""
-        self.assertEqual(get_mime_from_filename("test.png"), "image/png")
+        self.assertEqual(response.status_code, 200)
+        file_entry = next((f for f in response.data if f["name"] == file_name), None)
+        self.assertIsNotNone(file_entry)
+        self.assertIn("themed_urls", file_entry)
+        self.assertIsNone(file_entry["themed_urls"])

-    def test_image_jpeg(self):
-        """Test JPEG image MIME type"""
-        self.assertEqual(get_mime_from_filename("test.jpg"), "image/jpeg")
+        manager.delete_file(file_name)

-    def test_image_svg(self):
-        """Test SVG image MIME type"""
-        self.assertEqual(get_mime_from_filename("test.svg"), "image/svg+xml")
+    def test_list_files_includes_themed_urls_dict(self):
+        """Test listing files includes themed_urls as dict for themed files"""
+        manager = FileManager(FileUsage.MEDIA)
+        file_name = "logo-%(theme)s.svg"
+        manager.save_file("logo-light.svg", b"<svg>light</svg>")
+        manager.save_file("logo-dark.svg", b"<svg>dark</svg>")
+        manager.save_file(file_name, b"<svg>placeholder</svg>")

-    def test_text_plain(self):
-        """Test text file MIME type"""
-        self.assertEqual(get_mime_from_filename("test.txt"), "text/plain")
+        response = self.client.get(
+            reverse("authentik_api:files", query={"search": "%(theme)s", "manageableOnly": "true"})
+        )

-    def test_unknown_extension(self):
-        """Test unknown extension returns octet-stream"""
-        self.assertEqual(get_mime_from_filename("test.unknown"), "application/octet-stream")
+        self.assertEqual(response.status_code, 200)
+        file_entry = next((f for f in response.data if f["name"] == file_name), None)
+        self.assertIsNotNone(file_entry)
+        self.assertIn("themed_urls", file_entry)
+        self.assertIsInstance(file_entry["themed_urls"], dict)
+        self.assertIn("light", file_entry["themed_urls"])
+        self.assertIn("dark", file_entry["themed_urls"])

-    def test_no_extension(self):
-        """Test no extension returns octet-stream"""
-        self.assertEqual(get_mime_from_filename("test"), "application/octet-stream")
+        manager.delete_file(file_name)
+        manager.delete_file("logo-light.svg")
+        manager.delete_file("logo-dark.svg")
+
+    def test_upload_file_with_theme_variable(self):
+        """Test uploading file with %(theme)s in name"""
+        manager = FileManager(FileUsage.MEDIA)
+        file_name = "brand-logo-%(theme)s.svg"
+        file_content = b"<svg></svg>"
+
+        response = self.client.post(
+            reverse("authentik_api:files"),
+            {
+                "file": BytesIO(file_content),
+                "name": file_name,
+                "usage": FileUsage.MEDIA.value,
+            },
+            format="multipart",
+        )
+
+        self.assertEqual(response.status_code, 200)
+        self.assertTrue(manager.file_exists(file_name))
+        manager.delete_file(file_name)
--- a/authentik/admin/files/tests/test_manager.py
+++ b/authentik/admin/files/tests/test_manager.py
@@ -1,6 +1,7 @@
 """Test file service layer"""

 from unittest import skipUnless
+from urllib.parse import urlparse

 from django.http import HttpRequest
 from django.test import TestCase
@@ -104,3 +105,71 @@ class TestResolveFileUrlS3Backend(FileTestS3BackendMixin, TestCase):

        # S3 URLs should be returned as-is (already absolute)
        self.assertTrue(result.startswith("http://s3.test:8080/test"))
+
+
+class TestThemedUrls(FileTestFileBackendMixin, TestCase):
+    """Test FileManager.themed_urls method"""
+
+    def test_themed_urls_none_path(self):
+        """Test themed_urls returns None for None path"""
+        manager = FileManager(FileUsage.MEDIA)
+        result = manager.themed_urls(None)
+        self.assertIsNone(result)
+
+    def test_themed_urls_empty_path(self):
+        """Test themed_urls returns None for empty path"""
+        manager = FileManager(FileUsage.MEDIA)
+        result = manager.themed_urls("")
+        self.assertIsNone(result)
+
+    def test_themed_urls_no_theme_variable(self):
+        """Test themed_urls returns None when no %(theme)s in path"""
+        manager = FileManager(FileUsage.MEDIA)
+        result = manager.themed_urls("logo.png")
+        self.assertIsNone(result)
+
+    def test_themed_urls_with_theme_variable(self):
+        """Test themed_urls returns dict of URLs for each theme"""
+        manager = FileManager(FileUsage.MEDIA)
+        result = manager.themed_urls("logo-%(theme)s.png")
+
+        self.assertIsInstance(result, dict)
+        self.assertIn("light", result)
+        self.assertIn("dark", result)
+        self.assertIn("logo-light.png", result["light"])
+        self.assertIn("logo-dark.png", result["dark"])
+
+    def test_themed_urls_with_request(self):
+        """Test themed_urls builds absolute URLs with request"""
+        mock_request = HttpRequest()
+        mock_request.META = {
+            "HTTP_HOST": "example.com",
+            "SERVER_NAME": "example.com",
+        }
+
+        manager = FileManager(FileUsage.MEDIA)
+        result = manager.themed_urls("logo-%(theme)s.svg", mock_request)
+
+        self.assertIsInstance(result, dict)
+        light_url = urlparse(result["light"])
+        dark_url = urlparse(result["dark"])
+        self.assertEqual(light_url.scheme, "http")
+        self.assertEqual(light_url.netloc, "example.com")
+        self.assertEqual(dark_url.scheme, "http")
+        self.assertEqual(dark_url.netloc, "example.com")
+
+    def test_themed_urls_passthrough_with_theme_variable(self):
+        """Test themed_urls returns dict for passthrough URLs with %(theme)s"""
+        manager = FileManager(FileUsage.MEDIA)
+        # External URLs with %(theme)s should return themed URLs
+        result = manager.themed_urls("https://example.com/logo-%(theme)s.png")
+        self.assertIsInstance(result, dict)
+        self.assertEqual(result["light"], "https://example.com/logo-light.png")
+        self.assertEqual(result["dark"], "https://example.com/logo-dark.png")
+
+    def test_themed_urls_passthrough_without_theme_variable(self):
+        """Test themed_urls returns None for passthrough URLs without %(theme)s"""
+        manager = FileManager(FileUsage.MEDIA)
+        # External URLs without %(theme)s should return None
+        result = manager.themed_urls("https://example.com/logo.png")
+        self.assertIsNone(result)
--- a/authentik/admin/files/validation.py
+++ b/authentik/admin/files/validation.py
@@ -4,6 +4,7 @@ from pathlib import PurePosixPath
 from django.core.exceptions import ValidationError
 from django.utils.translation import gettext as _

+from authentik.admin.files.backends.base import THEME_VARIABLE
 from authentik.admin.files.backends.passthrough import PassthroughBackend
 from authentik.admin.files.backends.static import StaticBackend
 from authentik.admin.files.usage import FileUsage
@@ -12,10 +13,6 @@ from authentik.admin.files.usage import FileUsage
 MAX_FILE_NAME_LENGTH = 1024
 MAX_PATH_COMPONENT_LENGTH = 255

-# Theme variable placeholder that can be used in file paths
-# This allows for theme-specific files like logo-%(theme)s.png
-THEME_VARIABLE = "%(theme)s"
-

 def validate_file_name(name: str) -> None:
    if PassthroughBackend(FileUsage.MEDIA).supports_file(name) or StaticBackend(
@@ -44,16 +41,16 @@ def validate_upload_file_name(
        raise ValidationError(_("File name cannot be empty"))

    # Allow %(theme)s placeholder for theme-specific files
-    # We temporarily replace it for validation, then check the result
+    # Replace with placeholder for validation, then check the result
    name_for_validation = name.replace(THEME_VARIABLE, "theme")

-    # Same regex is used in the frontend as well (without %(theme)s handling there)
+    # Same regex is used in the frontend as well (with %(theme)s handling)
    if not re.match(r"^[a-zA-Z0-9._/-]+$", name_for_validation):
        raise ValidationError(
            _(
                "File name can only contain letters (a-z, A-Z), numbers (0-9), "
                "dots (.), hyphens (-), underscores (_), forward slashes (/), "
-                "and the special placeholder %(theme)s for theme-specific files"
+                "and the placeholder %(theme)s for theme-specific files"
            )
        )

--- a/authentik/api/authentication.py
+++ b/authentik/api/authentication.py
@@ -13,10 +13,10 @@ from rest_framework.exceptions import AuthenticationFailed
 from rest_framework.request import Request
 from structlog.stdlib import get_logger

+from authentik.common.oauth.constants import SCOPE_AUTHENTIK_API
 from authentik.core.middleware import CTX_AUTH_VIA
 from authentik.core.models import Token, TokenIntents, User, UserTypes
 from authentik.outposts.models import Outpost
-from authentik.providers.oauth2.constants import SCOPE_AUTHENTIK_API

 LOGGER = get_logger()
 _tmp = Path(gettempdir())
--- a/authentik/api/tests/test_auth.py
+++ b/authentik/api/tests/test_auth.py
@@ -11,12 +11,12 @@ from rest_framework.exceptions import AuthenticationFailed

 from authentik.api.authentication import IPCUser, TokenAuthentication
 from authentik.blueprints.tests import reconcile_app
+from authentik.common.oauth.constants import SCOPE_AUTHENTIK_API
 from authentik.core.models import Token, TokenIntents, UserTypes
 from authentik.core.tests.utils import create_test_admin_user, create_test_flow
 from authentik.lib.generators import generate_id
 from authentik.outposts.apps import MANAGED_OUTPOST
 from authentik.outposts.models import Outpost
-from authentik.providers.oauth2.constants import SCOPE_AUTHENTIK_API
 from authentik.providers.oauth2.models import AccessToken, OAuth2Provider


--- a/authentik/api/tests/test_schema.py
+++ b/authentik/api/tests/test_schema.py
@@ -1,6 +1,8 @@
 """Schema generation tests"""

 from pathlib import Path
+from tempfile import gettempdir
+from uuid import uuid4

 from django.core.management import call_command
 from django.urls import reverse
@@ -29,15 +31,14 @@ class TestSchemaGeneration(APITestCase):

    def test_build_schema(self):
        """Test schema build command"""
-        blueprint_file = Path("blueprints/schema.json")
-        api_file = Path("schema.yml")
-        blueprint_file.unlink()
-        api_file.unlink()
+        tmp = Path(gettempdir())
+        blueprint_file = tmp / f"{str(uuid4())}.json"
+        api_file = tmp / f"{str(uuid4())}.yml"
        with (
            CONFIG.patch("debug", True),
            CONFIG.patch("tenants.enabled", True),
            CONFIG.patch("outposts.disable_embedded_outpost", True),
        ):
-            call_command("build_schema")
+            call_command("build_schema", blueprint_file=blueprint_file, api_file=api_file)
        self.assertTrue(blueprint_file.exists())
        self.assertTrue(api_file.exists())
--- a/authentik/api/tests/test_viewsets.py
+++ b/authentik/api/tests/test_viewsets.py
@@ -1,31 +1,73 @@
 """authentik API Modelviewset tests"""

 from collections.abc import Callable
+from urllib.parse import urlencode

 from django.test import TestCase
 from rest_framework.viewsets import ModelViewSet, ReadOnlyModelViewSet

+from authentik.admin.api.version_history import VersionHistoryViewSet
 from authentik.api.v3.urls import router
+from authentik.core.tests.utils import RequestFactory, create_test_admin_user
+from authentik.lib.generators import generate_id
+from authentik.tenants.api.domains import DomainViewSet
+from authentik.tenants.api.tenants import TenantViewSet
+from authentik.tenants.utils import get_current_tenant


 class TestModelViewSets(TestCase):
    """Test Viewset"""

+    def setUp(self):
+        self.user = create_test_admin_user()
+        self.factory = RequestFactory()

-def viewset_tester_factory(test_viewset: type[ModelViewSet]) -> Callable:
+
+def viewset_tester_factory(test_viewset: type[ModelViewSet], full=True) -> dict[str, Callable]:
    """Test Viewset"""

-    def tester(self: TestModelViewSets):
-        self.assertIsNotNone(getattr(test_viewset, "search_fields", None))
+    def test_attrs(self: TestModelViewSets) -> None:
+        """Test attributes we require on all viewsets"""
        self.assertIsNotNone(getattr(test_viewset, "ordering", None))
+        self.assertIsNotNone(getattr(test_viewset, "search_fields", None))
        filterset_class = getattr(test_viewset, "filterset_class", None)
        if not filterset_class:
            self.assertIsNotNone(getattr(test_viewset, "filterset_fields", None))

-    return tester
+    def test_ordering(self: TestModelViewSets) -> None:
+        """Test that all ordering fields are correct"""
+        view = test_viewset.as_view({"get": "list"})
+        for ordering_field in test_viewset.ordering:
+            with self.subTest(ordering_field):
+                req = self.factory.get(
+                    f"/?{urlencode({'ordering': ordering_field}, doseq=True)}", user=self.user
+                )
+                req.tenant = get_current_tenant()
+                res = view(req)
+                self.assertEqual(res.status_code, 200)
+
+    def test_search(self: TestModelViewSets) -> None:
+        """Test that search fields are correct"""
+        view = test_viewset.as_view({"get": "list"})
+        req = self.factory.get(
+            f"/?{urlencode({'search': generate_id()}, doseq=True)}", user=self.user
+        )
+        req.tenant = get_current_tenant()
+        res = view(req)
+        self.assertEqual(res.status_code, 200)
+
+    cases = {
+        "attrs": test_attrs,
+    }
+    if full:
+        cases["ordering"] = test_ordering
+        cases["search"] = test_search
+    return cases


 for _, viewset, _ in router.registry:
    if not issubclass(viewset, ModelViewSet | ReadOnlyModelViewSet):
        continue
-    setattr(TestModelViewSets, f"test_viewset_{viewset.__name__}", viewset_tester_factory(viewset))
+    full = viewset not in [VersionHistoryViewSet, DomainViewSet, TenantViewSet]
+    for test, case in viewset_tester_factory(viewset, full=full).items():
+        setattr(TestModelViewSets, f"test_viewset_{viewset.__name__}_{test}", case)
--- a/authentik/blueprints/apps.py
+++ b/authentik/blueprints/apps.py
@@ -3,7 +3,6 @@
 import traceback
 from collections.abc import Callable
 from importlib import import_module
-from inspect import ismethod

 from django.apps import AppConfig
 from django.conf import settings
@@ -72,12 +71,19 @@ class ManagedAppConfig(AppConfig):

    def _reconcile(self, prefix: str) -> None:
        for meth_name in dir(self):
-            meth = getattr(self, meth_name)
-            if not ismethod(meth):
+            # Check the attribute on the class to avoid evaluating @property descriptors.
+            # Using getattr(self, ...) on a @property would evaluate it, which can trigger
+            # expensive side effects (e.g. tenant_schedule_specs iterating all providers
+            # and running PolicyEngine queries for every user).
+            class_attr = getattr(type(self), meth_name, None)
+            if class_attr is None or isinstance(class_attr, property):
                continue
-            category = getattr(meth, "_authentik_managed_reconcile", None)
+            if not callable(class_attr):
+                continue
+            category = getattr(class_attr, "_authentik_managed_reconcile", None)
            if category != prefix:
                continue
+            meth = getattr(self, meth_name)
            name = meth_name.replace(prefix, "")
            try:
                self.logger.debug("Starting reconciler", name=name)
--- a/authentik/blueprints/tests/fixtures/rbac_object.yaml
+++ b/authentik/blueprints/tests/fixtures/rbac_object.yaml
@@ -18,7 +18,7 @@ entries:
      name: foo
      title: foo
    permissions:
-      - permission: view_flow
+      - permission: authentik_flows.view_flow
        user: !KeyOf user
-      - permission: view_flow
+      - permission: authentik_flows.view_flow
        role: !KeyOf role
--- a/authentik/blueprints/v1/common.py
+++ b/authentik/blueprints/v1/common.py
@@ -9,7 +9,7 @@ from functools import reduce
 from json import JSONDecodeError, loads
 from operator import ixor
 from os import getenv
-from typing import Any, Literal, Union
+from typing import Any, Literal
 from uuid import UUID

 from deepmerge import always_merger
@@ -43,8 +43,6 @@ def get_attrs(obj: SerializerModel) -> dict[str, Any]:
            continue
        if _field.read_only:
            data.pop(field_name, None)
-        if _field.get_initial() == data.get(field_name, None):
-            data.pop(field_name, None)
        if field_name.endswith("_set"):
            data.pop(field_name, None)
    return data
@@ -70,19 +68,17 @@ class BlueprintEntryDesiredState(Enum):
 class BlueprintEntryPermission:
    """Describe object-level permissions"""

-    permission: Union[str, "YAMLTag"]
-    user: Union[int, "YAMLTag", None] = field(default=None)
-    role: Union[str, "YAMLTag", None] = field(default=None)
+    permission: str | YAMLTag
+    user: int | YAMLTag | None = field(default=None)
+    role: str | YAMLTag | None = field(default=None)


@dataclass
 class BlueprintEntry:
    """Single entry of a blueprint"""

-    model: Union[str, "YAMLTag"]
-    state: Union[BlueprintEntryDesiredState, "YAMLTag"] = field(
-        default=BlueprintEntryDesiredState.PRESENT
-    )
+    model: str | YAMLTag
+    state: BlueprintEntryDesiredState | YAMLTag = field(default=BlueprintEntryDesiredState.PRESENT)
    conditions: list[Any] = field(default_factory=list)
    identifiers: dict[str, Any] = field(default_factory=dict)
    attrs: dict[str, Any] | None = field(default_factory=dict)
@@ -96,7 +92,7 @@ class BlueprintEntry:
        self.__tag_contexts: list[YAMLTagContext] = []

    @staticmethod
-    def from_model(model: SerializerModel, *extra_identifier_names: str) -> "BlueprintEntry":
+    def from_model(model: SerializerModel, *extra_identifier_names: str) -> BlueprintEntry:
        """Convert a SerializerModel instance to a blueprint Entry"""
        identifiers = {
            "pk": model.pk,
@@ -114,8 +110,8 @@ class BlueprintEntry:
    def get_tag_context(
        self,
        depth: int = 0,
-        context_tag_type: type["YAMLTagContext"] | tuple["YAMLTagContext", ...] | None = None,
-    ) -> "YAMLTagContext":
+        context_tag_type: type[YAMLTagContext] | tuple[YAMLTagContext, ...] | None = None,
+    ) -> YAMLTagContext:
        """Get a YAMLTagContext object located at a certain depth in the tag tree"""
        if depth < 0:
            raise ValueError("depth must be a positive number or zero")
@@ -130,7 +126,7 @@ class BlueprintEntry:
        except IndexError as exc:
            raise ValueError(f"invalid depth: {depth}. Max depth: {len(contexts) - 1}") from exc

-    def tag_resolver(self, value: Any, blueprint: "Blueprint") -> Any:
+    def tag_resolver(self, value: Any, blueprint: Blueprint) -> Any:
        """Check if we have any special tags that need handling"""
        val = copy(value)

@@ -152,23 +148,23 @@ class BlueprintEntry:

        return val

-    def get_attrs(self, blueprint: "Blueprint") -> dict[str, Any]:
+    def get_attrs(self, blueprint: Blueprint) -> dict[str, Any]:
        """Get attributes of this entry, with all yaml tags resolved"""
        return self.tag_resolver(self.attrs, blueprint)

-    def get_identifiers(self, blueprint: "Blueprint") -> dict[str, Any]:
+    def get_identifiers(self, blueprint: Blueprint) -> dict[str, Any]:
        """Get attributes of this entry, with all yaml tags resolved"""
        return self.tag_resolver(self.identifiers, blueprint)

-    def get_state(self, blueprint: "Blueprint") -> BlueprintEntryDesiredState:
+    def get_state(self, blueprint: Blueprint) -> BlueprintEntryDesiredState:
        """Get the blueprint state, with yaml tags resolved if present"""
        return BlueprintEntryDesiredState(self.tag_resolver(self.state, blueprint))

-    def get_model(self, blueprint: "Blueprint") -> str:
+    def get_model(self, blueprint: Blueprint) -> str:
        """Get the blueprint model, with yaml tags resolved if present"""
        return str(self.tag_resolver(self.model, blueprint))

-    def get_permissions(self, blueprint: "Blueprint") -> Generator[BlueprintEntryPermission]:
+    def get_permissions(self, blueprint: Blueprint) -> Generator[BlueprintEntryPermission]:
        """Get permissions of this entry, with all yaml tags resolved"""
        for perm in self.permissions:
            yield BlueprintEntryPermission(
@@ -177,7 +173,7 @@ class BlueprintEntry:
                role=self.tag_resolver(perm.role, blueprint),
            )

-    def check_all_conditions_match(self, blueprint: "Blueprint") -> bool:
+    def check_all_conditions_match(self, blueprint: Blueprint) -> bool:
        """Check all conditions of this entry match (evaluate to True)"""
        return all(self.tag_resolver(self.conditions, blueprint))

@@ -232,7 +228,7 @@ class KeyOf(YAMLTag):

    id_from: str

-    def __init__(self, loader: "BlueprintLoader", node: ScalarNode) -> None:
+    def __init__(self, loader: BlueprintLoader, node: ScalarNode) -> None:
        super().__init__()
        self.id_from = node.value

@@ -258,7 +254,7 @@ class Env(YAMLTag):
    key: str
    default: Any | None

-    def __init__(self, loader: "BlueprintLoader", node: ScalarNode | SequenceNode) -> None:
+    def __init__(self, loader: BlueprintLoader, node: ScalarNode | SequenceNode) -> None:
        super().__init__()
        self.default = None
        if isinstance(node, ScalarNode):
@@ -277,7 +273,7 @@ class File(YAMLTag):
    path: str
    default: Any | None

-    def __init__(self, loader: "BlueprintLoader", node: ScalarNode | SequenceNode) -> None:
+    def __init__(self, loader: BlueprintLoader, node: ScalarNode | SequenceNode) -> None:
        super().__init__()
        self.default = None
        if isinstance(node, ScalarNode):
@@ -305,7 +301,7 @@ class Context(YAMLTag):
    key: str
    default: Any | None

-    def __init__(self, loader: "BlueprintLoader", node: ScalarNode | SequenceNode) -> None:
+    def __init__(self, loader: BlueprintLoader, node: ScalarNode | SequenceNode) -> None:
        super().__init__()
        self.default = None
        if isinstance(node, ScalarNode):
@@ -328,7 +324,7 @@ class ParseJSON(YAMLTag):

    raw: str

-    def __init__(self, loader: "BlueprintLoader", node: ScalarNode) -> None:
+    def __init__(self, loader: BlueprintLoader, node: ScalarNode) -> None:
        super().__init__()
        self.raw = node.value

@@ -345,7 +341,7 @@ class Format(YAMLTag):
    format_string: str
    args: list[Any]

-    def __init__(self, loader: "BlueprintLoader", node: SequenceNode) -> None:
+    def __init__(self, loader: BlueprintLoader, node: SequenceNode) -> None:
        super().__init__()
        self.format_string = loader.construct_object(node.value[0])
        self.args = []
@@ -372,7 +368,7 @@ class Find(YAMLTag):
    model_name: str | YAMLTag
    conditions: list[list]

-    def __init__(self, loader: "BlueprintLoader", node: SequenceNode) -> None:
+    def __init__(self, loader: BlueprintLoader, node: SequenceNode) -> None:
        super().__init__()
        self.model_name = loader.construct_object(node.value[0])
        self.conditions = []
@@ -444,7 +440,7 @@ class Condition(YAMLTag):
        "XNOR": lambda args: not (reduce(ixor, args) if len(args) > 1 else args[0]),
    }

-    def __init__(self, loader: "BlueprintLoader", node: SequenceNode) -> None:
+    def __init__(self, loader: BlueprintLoader, node: SequenceNode) -> None:
        super().__init__()
        self.mode = loader.construct_object(node.value[0])
        self.args = []
@@ -478,7 +474,7 @@ class If(YAMLTag):
    when_true: Any
    when_false: Any

-    def __init__(self, loader: "BlueprintLoader", node: SequenceNode) -> None:
+    def __init__(self, loader: BlueprintLoader, node: SequenceNode) -> None:
        super().__init__()
        self.condition = loader.construct_object(node.value[0])
        if len(node.value) == 1:
@@ -518,7 +514,7 @@ class Enumerate(YAMLTag, YAMLTagContext):
        ),
    }

-    def __init__(self, loader: "BlueprintLoader", node: SequenceNode) -> None:
+    def __init__(self, loader: BlueprintLoader, node: SequenceNode) -> None:
        super().__init__()
        self.iterable = loader.construct_object(node.value[0])
        self.output_body = loader.construct_object(node.value[1])
@@ -584,7 +580,7 @@ class EnumeratedItem(YAMLTag):

    _SUPPORTED_CONTEXT_TAGS = (Enumerate,)

-    def __init__(self, _loader: "BlueprintLoader", node: ScalarNode) -> None:
+    def __init__(self, _loader: BlueprintLoader, node: ScalarNode) -> None:
        super().__init__()
        self.depth = int(node.value)

@@ -640,7 +636,7 @@ class AtIndex(YAMLTag):
    attribute: int | str | YAMLTag
    default: Any | UNSET

-    def __init__(self, loader: "BlueprintLoader", node: SequenceNode) -> None:
+    def __init__(self, loader: BlueprintLoader, node: SequenceNode) -> None:
        super().__init__()
        self.obj = loader.construct_object(node.value[0])
        self.attribute = loader.construct_object(node.value[1])
@@ -757,7 +753,7 @@ class EntryInvalidError(SentryIgnoredException):
    @staticmethod
    def from_entry(
        msg_or_exc: str | Exception, entry: BlueprintEntry, *args, **kwargs
-    ) -> "EntryInvalidError":
+    ) -> EntryInvalidError:
        """Create EntryInvalidError with the context of an entry"""
        error = EntryInvalidError(msg_or_exc, *args, **kwargs)
        if isinstance(msg_or_exc, ValidationError):
--- a/authentik/blueprints/v1/importer.py
+++ b/authentik/blueprints/v1/importer.py
@@ -15,7 +15,7 @@ from django.db.models import Model
 from django.db.models.query_utils import Q
 from django.db.transaction import atomic
 from django.db.utils import IntegrityError
-from guardian.models import RoleObjectPermission, UserObjectPermission
+from guardian.models import RoleObjectPermission
 from rest_framework.exceptions import ValidationError
 from rest_framework.serializers import BaseSerializer, Serializer
 from structlog.stdlib import BoundLogger, get_logger
@@ -41,7 +41,6 @@ from authentik.core.models import (
    UserSourceConnection,
 )
 from authentik.endpoints.models import Connector
-from authentik.enterprise.license import LicenseKey
 from authentik.events.logs import LogEvent, capture_logs
 from authentik.events.utils import cleanse_dict
 from authentik.flows.models import Stage
@@ -71,7 +70,6 @@ def excluded_models() -> list[type[Model]]:
        ContentType,
        Permission,
        RoleObjectPermission,
-        UserObjectPermission,
        # Base classes
        Provider,
        Source,
@@ -141,13 +139,22 @@ class Importer:

    def default_context(self):
        """Default context"""
-        return {
-            "goauthentik.io/enterprise/licensed": LicenseKey.get_total().status().is_valid,
+        context = {
            "goauthentik.io/rbac/models": rbac_models(),
+            "goauthentik.io/enterprise/licensed": False,
        }
+        try:
+            from authentik.enterprise.license import LicenseKey
+
+            context["goauthentik.io/enterprise/licensed"] = (
+                LicenseKey.get_total().status().is_valid,
+            )
+        except ModuleNotFoundError:
+            pass
+        return context

    @staticmethod
-    def from_string(yaml_input: str, context: dict | None = None) -> "Importer":
+    def from_string(yaml_input: str, context: dict | None = None) -> Importer:
        """Parse YAML string and create blueprint importer from it"""
        import_dict = load(yaml_input, BlueprintLoader)
        try:
--- a/authentik/blueprints/v1/meta/apply_blueprint.py
+++ b/authentik/blueprints/v1/meta/apply_blueprint.py
@@ -23,7 +23,7 @@ class ApplyBlueprintMetaSerializer(PassiveSerializer):

    # We cannot override `instance` as that will confuse rest_framework
    # and make it attempt to update the instance
-    blueprint_instance: "BlueprintInstance"
+    blueprint_instance: BlueprintInstance

    def validate(self, attrs):
        from authentik.blueprints.models import BlueprintInstance
--- a/authentik/brands/api.py
+++ b/authentik/brands/api.py
@@ -6,7 +6,12 @@ from django.db import models
 from drf_spectacular.utils import extend_schema, extend_schema_field
 from rest_framework.decorators import action
 from rest_framework.exceptions import ValidationError
-from rest_framework.fields import CharField, ChoiceField, ListField, SerializerMethodField
+from rest_framework.fields import (
+    CharField,
+    ChoiceField,
+    ListField,
+    SerializerMethodField,
+)
 from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.permissions import AllowAny
 from rest_framework.request import Request
@@ -16,7 +21,7 @@ from rest_framework.viewsets import ModelViewSet

 from authentik.brands.models import Brand
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import ModelSerializer, PassiveSerializer
+from authentik.core.api.utils import ModelSerializer, PassiveSerializer, ThemedUrlsSerializer
 from authentik.rbac.filters import SecretKeyFilter
 from authentik.tenants.api.settings import FlagJSONField
 from authentik.tenants.flags import Flag
@@ -90,7 +95,9 @@ class CurrentBrandSerializer(PassiveSerializer):
    matched_domain = CharField(source="domain")
    branding_title = CharField()
    branding_logo = CharField(source="branding_logo_url")
+    branding_logo_themed_urls = ThemedUrlsSerializer(read_only=True, allow_null=True)
    branding_favicon = CharField(source="branding_favicon_url")
+    branding_favicon_themed_urls = ThemedUrlsSerializer(read_only=True, allow_null=True)
    branding_custom_css = CharField()
    ui_footer_links = ListField(
        child=FooterLinkSerializer(),
@@ -117,10 +124,8 @@ class CurrentBrandSerializer(PassiveSerializer):
    @extend_schema_field(field=FlagJSONField)
    def get_flags(self, _):
        values = {}
-        for flag in Flag.available():
-            _flag = flag()
-            if _flag.visibility == "public":
-                values[_flag.key] = _flag.get()
+        for flag in Flag.available(visibility="public"):
+            values[flag().key] = flag.get()
        return values


--- a/authentik/brands/models.py
+++ b/authentik/brands/models.py
@@ -89,14 +89,26 @@ class Brand(SerializerModel):
        """Get branding_logo URL"""
        return get_file_manager(FileUsage.MEDIA).file_url(self.branding_logo)

+    def branding_logo_themed_urls(self) -> dict[str, str] | None:
+        """Get themed URLs for branding_logo if it contains %(theme)s"""
+        return get_file_manager(FileUsage.MEDIA).themed_urls(self.branding_logo)
+
    def branding_favicon_url(self) -> str:
        """Get branding_favicon URL"""
        return get_file_manager(FileUsage.MEDIA).file_url(self.branding_favicon)

+    def branding_favicon_themed_urls(self) -> dict[str, str] | None:
+        """Get themed URLs for branding_favicon if it contains %(theme)s"""
+        return get_file_manager(FileUsage.MEDIA).themed_urls(self.branding_favicon)
+
    def branding_default_flow_background_url(self) -> str:
        """Get branding_default_flow_background URL"""
        return get_file_manager(FileUsage.MEDIA).file_url(self.branding_default_flow_background)

+    def branding_default_flow_background_themed_urls(self) -> dict[str, str] | None:
+        """Get themed URLs for branding_default_flow_background if it contains %(theme)s"""
+        return get_file_manager(FileUsage.MEDIA).themed_urls(self.branding_default_flow_background)
+
    @property
    def serializer(self) -> type[Serializer]:
        from authentik.brands.api import BrandSerializer
--- a/authentik/brands/tests.py
+++ b/authentik/brands/tests.py
@@ -6,7 +6,6 @@ from django.urls import reverse
 from rest_framework.test import APITestCase

 from authentik.blueprints.tests import apply_blueprint
-from authentik.brands.api import Themes
 from authentik.brands.models import Brand
 from authentik.core.models import Application
 from authentik.core.tests.utils import create_test_admin_user, create_test_brand
@@ -22,10 +21,8 @@ class TestBrands(APITestCase):
    def setUp(self):
        super().setUp()
        self.default_flags = {}
-        for flag in Flag.available():
-            _flag = flag()
-            if _flag.visibility == "public":
-                self.default_flags[_flag.key] = _flag.get()
+        for flag in Flag.available(visibility="public"):
+            self.default_flags[flag().key] = flag.get()
        Brand.objects.all().delete()

    def test_current_brand(self):
@@ -35,12 +32,14 @@ class TestBrands(APITestCase):
            self.client.get(reverse("authentik_api:brand-current")).content.decode(),
            {
                "branding_logo": "/static/dist/assets/icons/icon_left_brand.svg",
+                "branding_logo_themed_urls": None,
                "branding_favicon": "/static/dist/assets/icons/icon.png",
+                "branding_favicon_themed_urls": None,
                "branding_title": "authentik",
                "branding_custom_css": "",
                "matched_domain": brand.domain,
                "ui_footer_links": [],
-                "ui_theme": Themes.AUTOMATIC,
+                "ui_theme": "automatic",
                "default_locale": "",
                "flags": self.default_flags,
            },
@@ -55,12 +54,14 @@ class TestBrands(APITestCase):
            ).content.decode(),
            {
                "branding_logo": "/static/dist/assets/icons/icon_left_brand.svg",
+                "branding_logo_themed_urls": None,
                "branding_favicon": "/static/dist/assets/icons/icon.png",
+                "branding_favicon_themed_urls": None,
                "branding_title": "custom",
                "branding_custom_css": "",
                "matched_domain": "bar.baz",
                "ui_footer_links": [],
-                "ui_theme": Themes.AUTOMATIC,
+                "ui_theme": "automatic",
                "default_locale": "",
                "flags": self.default_flags,
            },
@@ -72,12 +73,14 @@ class TestBrands(APITestCase):
            self.client.get(reverse("authentik_api:brand-current")).content.decode(),
            {
                "branding_logo": "/static/dist/assets/icons/icon_left_brand.svg",
+                "branding_logo_themed_urls": None,
                "branding_favicon": "/static/dist/assets/icons/icon.png",
+                "branding_favicon_themed_urls": None,
                "branding_title": "authentik",
                "branding_custom_css": "",
                "matched_domain": "fallback",
                "ui_footer_links": [],
-                "ui_theme": Themes.AUTOMATIC,
+                "ui_theme": "automatic",
                "default_locale": "",
                "flags": self.default_flags,
            },
@@ -94,12 +97,14 @@ class TestBrands(APITestCase):
            response,
            {
                "branding_logo": "/static/dist/assets/icons/icon_left_brand.svg",
+                "branding_logo_themed_urls": None,
                "branding_favicon": "/static/dist/assets/icons/icon.png",
+                "branding_favicon_themed_urls": None,
                "branding_title": "authentik",
                "branding_custom_css": "",
                "matched_domain": "authentik-default",
                "ui_footer_links": [],
-                "ui_theme": Themes.AUTOMATIC,
+                "ui_theme": "automatic",
                "default_locale": "",
                "flags": self.default_flags,
            },
@@ -117,12 +122,14 @@ class TestBrands(APITestCase):
            response,
            {
                "branding_logo": "/static/dist/assets/icons/icon_left_brand.svg",
+                "branding_logo_themed_urls": None,
                "branding_favicon": "/static/dist/assets/icons/icon.png",
+                "branding_favicon_themed_urls": None,
                "branding_title": "authentik",
                "branding_custom_css": "",
                "matched_domain": "authentik-default",
                "ui_footer_links": [],
-                "ui_theme": Themes.AUTOMATIC,
+                "ui_theme": "automatic",
                "default_locale": "",
                "flags": self.default_flags,
            },
@@ -133,12 +140,14 @@ class TestBrands(APITestCase):
            ).content.decode(),
            {
                "branding_logo": "/static/dist/assets/icons/icon_left_brand.svg",
+                "branding_logo_themed_urls": None,
                "branding_favicon": "/static/dist/assets/icons/icon.png",
+                "branding_favicon_themed_urls": None,
                "branding_title": "custom",
                "branding_custom_css": "",
                "matched_domain": "bar.baz",
                "ui_footer_links": [],
-                "ui_theme": Themes.AUTOMATIC,
+                "ui_theme": "automatic",
                "default_locale": "",
                "flags": self.default_flags,
            },
@@ -154,12 +163,14 @@ class TestBrands(APITestCase):
            ).content.decode(),
            {
                "branding_logo": "/static/dist/assets/icons/icon_left_brand.svg",
+                "branding_logo_themed_urls": None,
                "branding_favicon": "/static/dist/assets/icons/icon.png",
+                "branding_favicon_themed_urls": None,
                "branding_title": "custom-strong",
                "branding_custom_css": "",
                "matched_domain": "foo.bar.baz",
                "ui_footer_links": [],
-                "ui_theme": Themes.AUTOMATIC,
+                "ui_theme": "automatic",
                "default_locale": "",
                "flags": self.default_flags,
            },
@@ -175,12 +186,14 @@ class TestBrands(APITestCase):
            ).content.decode(),
            {
                "branding_logo": "/static/dist/assets/icons/icon_left_brand.svg",
+                "branding_logo_themed_urls": None,
                "branding_favicon": "/static/dist/assets/icons/icon.png",
+                "branding_favicon_themed_urls": None,
                "branding_title": "custom-weak",
                "branding_custom_css": "",
                "matched_domain": "bar.baz",
                "ui_footer_links": [],
-                "ui_theme": Themes.AUTOMATIC,
+                "ui_theme": "automatic",
                "default_locale": "",
                "flags": self.default_flags,
            },
@@ -256,12 +269,14 @@ class TestBrands(APITestCase):
            self.client.get(reverse("authentik_api:brand-current")).content.decode(),
            {
                "branding_logo": "https://goauthentik.io/img/icon.png",
+                "branding_logo_themed_urls": None,
                "branding_favicon": "https://goauthentik.io/img/icon.png",
+                "branding_favicon_themed_urls": None,
                "branding_title": "authentik",
                "branding_custom_css": "",
                "matched_domain": brand.domain,
                "ui_footer_links": [],
-                "ui_theme": Themes.AUTOMATIC,
+                "ui_theme": "automatic",
                "default_locale": "",
                "flags": self.default_flags,
            },
--- a/authentik/brands/utils.py
+++ b/authentik/brands/utils.py
@@ -3,7 +3,7 @@
 from typing import Any

 from django.db.models import Case, F, IntegerField, Q, Value, When
-from django.db.models.functions import Length
+from django.db.models.functions import Concat, Length
 from django.http.request import HttpRequest
 from django.utils.html import _json_script_escapes
 from django.utils.safestring import mark_safe
@@ -26,7 +26,8 @@ def get_brand_for_request(request: HttpRequest) -> Brand:
            domain_length=Length("domain"),
            match_priority=Case(
                When(
-                    condition=Q(host_domain__iendswith=F("domain")),
+                    condition=Q(host_domain__iexact=F("domain"))
+                    | Q(host_domain__iendswith=Concat(Value("."), F("domain"))),
                    then=F("domain_length"),
                ),
                default=Value(-1),
--- a/web/src/elements/wizard/WizardFormPage.ts
+++ b/web/src/elements/wizard/WizardFormPage.ts
--- a/authentik/common/oauth/init.py
+++ b/authentik/common/oauth/init.py
--- a/authentik/providers/oauth2/constants.py
+++ b/authentik/providers/oauth2/constants.py
@@ -10,6 +10,8 @@ GRANT_TYPE_CLIENT_CREDENTIALS = "client_credentials"
 GRANT_TYPE_PASSWORD = "password"  # nosec
 GRANT_TYPE_DEVICE_CODE = "urn:ietf:params:oauth:grant-type:device_code"

+QS_LOGIN_HINT = "login_hint"
+
 CLIENT_ASSERTION = "client_assertion"
 CLIENT_ASSERTION_TYPE = "client_assertion_type"
 CLIENT_ASSERTION_TYPE_JWT = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
--- a/authentik/common/saml/init.py
+++ b/authentik/common/saml/init.py
--- a/authentik/sources/saml/processors/constants.py
+++ b/authentik/sources/saml/processors/constants.py
@@ -28,6 +28,8 @@ SAML_ATTRIBUTES_GROUP = "http://schemas.xmlsoap.org/claims/Group"
 SAML_BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
 SAML_BINDING_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

+SAML_STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
+
 DSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#dsa-sha1"
 RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
 # https://datatracker.ietf.org/doc/html/rfc4051#section-2.3.2
--- a/authentik/core/api/application_entitlements.py
+++ b/authentik/core/api/application_entitlements.py
@@ -47,7 +47,8 @@ class ApplicationEntitlementViewSet(UsedByMixin, ModelViewSet):
    search_fields = [
        "pbm_uuid",
        "name",
-        "app",
+        "app__name",
+        "app__slug",
        "attributes",
    ]
    filterset_fields = [
--- a/authentik/core/api/applications.py
+++ b/authentik/core/api/applications.py
@@ -24,7 +24,7 @@ from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT
 from authentik.core.api.providers import ProviderSerializer
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.users import UserSerializer
-from authentik.core.api.utils import ModelSerializer
+from authentik.core.api.utils import ModelSerializer, ThemedUrlsSerializer
 from authentik.core.models import Application, User
 from authentik.events.logs import LogEventSerializer, capture_logs
 from authentik.policies.api.exec import PolicyTestResultSerializer
@@ -47,12 +47,20 @@ class ApplicationSerializer(ModelSerializer):
    """Application Serializer"""

    launch_url = SerializerMethodField()
-    provider_obj = ProviderSerializer(source="get_provider", required=False, read_only=True)
+    provider_obj = ProviderSerializer(
+        source="get_provider",
+        required=False,
+        read_only=True,
+        allow_null=True,
+    )
    backchannel_providers_obj = ProviderSerializer(
        source="backchannel_providers", required=False, read_only=True, many=True
    )

    meta_icon_url = ReadOnlyField(source="get_meta_icon")
+    meta_icon_themed_urls = ThemedUrlsSerializer(
+        source="get_meta_icon_themed_urls", read_only=True, allow_null=True
+    )

    def get_launch_url(self, app: Application) -> str | None:
        """Allow formatting of launch URL"""
@@ -63,7 +71,7 @@ class ApplicationSerializer(ModelSerializer):
            user = self.context["request"].user

        # Cache serialized user data to avoid N+1 when formatting launch URLs
-        # for multiple applications. UserSerializer accesses user.ak_groups which
+        # for multiple applications. UserSerializer accesses user.groups which
        # would otherwise trigger a query for each application.
        if user is not None:
            if "_cached_user_data" not in self.context:
@@ -102,6 +110,7 @@ class ApplicationSerializer(ModelSerializer):
            "meta_launch_url",
            "meta_icon",
            "meta_icon_url",
+            "meta_icon_themed_urls",
            "meta_description",
            "meta_publisher",
            "policy_engine_mode",
--- a/authentik/core/api/authenticated_sessions.py
+++ b/authentik/core/api/authenticated_sessions.py
@@ -2,36 +2,49 @@

 from typing import TypedDict

-from rest_framework import mixins
+from drf_spectacular.utils import (
+    extend_schema,
+    inline_serializer,
+)
+from rest_framework import mixins, serializers
+from rest_framework.decorators import action
 from rest_framework.fields import SerializerMethodField
 from rest_framework.request import Request
-from rest_framework.serializers import CharField, DateTimeField, IPAddressField
+from rest_framework.response import Response
+from rest_framework.serializers import (
+    CharField,
+    DateTimeField,
+    IPAddressField,
+    ListField,
+)
 from rest_framework.viewsets import GenericViewSet
 from ua_parser import user_agent_parser

+from authentik.api.validation import validate
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import ModelSerializer
+from authentik.core.api.utils import ModelSerializer, PassiveSerializer
 from authentik.core.models import AuthenticatedSession
 from authentik.events.context_processors.asn import ASN_CONTEXT_PROCESSOR, ASNDict
 from authentik.events.context_processors.geoip import GEOIP_CONTEXT_PROCESSOR, GeoIPDict
+from authentik.rbac.decorators import permission_required


 class UserAgentDeviceDict(TypedDict):
    """User agent device"""

-    brand: str
+    brand: str | None = None
    family: str
-    model: str
+    model: str | None = None


 class UserAgentOSDict(TypedDict):
    """User agent os"""

    family: str
-    major: str
-    minor: str
-    patch: str
-    patch_minor: str
+    major: str | None = None
+    minor: str | None = None
+    patch: str | None = None
+    patch_minor: str | None = None


 class UserAgentBrowserDict(TypedDict):
@@ -52,6 +65,14 @@ class UserAgentDict(TypedDict):
    string: str


+class BulkDeleteSessionSerializer(PassiveSerializer):
+    """Serializer for bulk deleting authenticated sessions by user"""
+
+    user_pks = ListField(
+        child=serializers.IntegerField(), help_text="List of user IDs to revoke all sessions for"
+    )
+
+
 class AuthenticatedSessionSerializer(ModelSerializer):
    """AuthenticatedSession Serializer"""

@@ -115,3 +136,22 @@ class AuthenticatedSessionViewSet(
    filterset_fields = ["user__username", "session__last_ip", "session__last_user_agent"]
    ordering = ["user__username"]
    owner_field = "user"
+
+    @permission_required("authentik_core.delete_authenticatedsession")
+    @extend_schema(
+        parameters=[BulkDeleteSessionSerializer],
+        responses={
+            200: inline_serializer(
+                "BulkDeleteSessionResponse",
+                {"deleted": serializers.IntegerField()},
+            ),
+        },
+    )
+    @validate(BulkDeleteSessionSerializer, location="query")
+    @action(detail=False, methods=["DELETE"], pagination_class=None, filter_backends=[])
+    def bulk_delete(self, request: Request, *, query: BulkDeleteSessionSerializer) -> Response:
+        """Bulk revoke all sessions for multiple users"""
+        user_pks = query.validated_data.get("user_pks", [])
+        deleted_count, _ = AuthenticatedSession.objects.filter(user_id__in=user_pks).delete()
+
+        return Response({"deleted": deleted_count}, status=200)
--- a/authentik/core/api/devices.py
+++ b/authentik/core/api/devices.py
@@ -16,11 +16,15 @@ from rest_framework.viewsets import ViewSet
 from authentik.api.validation import validate
 from authentik.core.api.users import ParamUserSerializer
 from authentik.core.api.utils import MetaNameSerializer
-from authentik.enterprise.stages.authenticator_endpoint_gdtc.models import EndpointDevice
 from authentik.stages.authenticator import device_classes, devices_for_user
 from authentik.stages.authenticator.models import Device
 from authentik.stages.authenticator_webauthn.models import WebAuthnDevice

+try:
+    from authentik.enterprise.stages.authenticator_endpoint_gdtc.models import EndpointDevice
+except ModuleNotFoundError:
+    EndpointDevice = None
+

 class DeviceSerializer(MetaNameSerializer):
    """Serializer for authenticator devices"""
@@ -43,7 +47,7 @@ class DeviceSerializer(MetaNameSerializer):
        """Get extra description"""
        if isinstance(instance, WebAuthnDevice):
            return instance.device_type.description if instance.device_type else None
-        if isinstance(instance, EndpointDevice):
+        if EndpointDevice and isinstance(instance, EndpointDevice):
            return instance.data.get("deviceSignals", {}).get("deviceModel")
        return None

@@ -51,7 +55,7 @@ class DeviceSerializer(MetaNameSerializer):
        """Get external Device ID"""
        if isinstance(instance, WebAuthnDevice):
            return instance.device_type.aaguid if instance.device_type else None
-        if isinstance(instance, EndpointDevice):
+        if EndpointDevice and isinstance(instance, EndpointDevice):
            return instance.data.get("deviceSignals", {}).get("deviceModel")
        return None

--- a/authentik/core/api/object_types.py
+++ b/authentik/core/api/object_types.py
@@ -10,7 +10,6 @@ from rest_framework.request import Request
 from rest_framework.response import Response

 from authentik.core.api.utils import PassiveSerializer
-from authentik.enterprise.apps import EnterpriseConfig
 from authentik.lib.models import DeprecatedMixin
 from authentik.lib.utils.reflection import all_subclasses

@@ -61,19 +60,25 @@ class TypesMixin:
                    continue
                instance = subclass()
            try:
-                data.append(
-                    {
-                        "name": subclass._meta.verbose_name,
-                        "description": subclass.__doc__,
-                        "component": instance.component,
-                        "model_name": subclass._meta.model_name,
-                        "icon_url": getattr(instance, "icon_url", None),
-                        "requires_enterprise": isinstance(
-                            subclass._meta.app_config, EnterpriseConfig
-                        ),
-                        "deprecated": isinstance(instance, DeprecatedMixin),
-                    }
-                )
+                type_signature = {
+                    "name": subclass._meta.verbose_name,
+                    "description": subclass.__doc__,
+                    "component": instance.component,
+                    "model_name": subclass._meta.model_name,
+                    "icon_url": getattr(instance, "icon_url", None),
+                    "requires_enterprise": False,
+                    "deprecated": isinstance(instance, DeprecatedMixin),
+                }
+                try:
+                    from authentik.enterprise.apps import EnterpriseConfig
+
+                    type_signature["requires_enterprise"] = isinstance(
+                        subclass._meta.app_config, EnterpriseConfig
+                    )
+                except ModuleNotFoundError:
+                    pass
+
+                data.append(type_signature)
            except NotImplementedError:
                continue
        if additional:
--- a/authentik/core/api/providers.py
+++ b/authentik/core/api/providers.py
@@ -18,10 +18,14 @@ from authentik.core.models import Provider
 class ProviderSerializer(ModelSerializer, MetaNameSerializer):
    """Provider Serializer"""

-    assigned_application_slug = ReadOnlyField(source="application.slug")
-    assigned_application_name = ReadOnlyField(source="application.name")
-    assigned_backchannel_application_slug = ReadOnlyField(source="backchannel_application.slug")
-    assigned_backchannel_application_name = ReadOnlyField(source="backchannel_application.name")
+    assigned_application_slug = ReadOnlyField(source="application.slug", allow_null=True)
+    assigned_application_name = ReadOnlyField(source="application.name", allow_null=True)
+    assigned_backchannel_application_slug = ReadOnlyField(
+        source="backchannel_application.slug", allow_null=True
+    )
+    assigned_backchannel_application_name = ReadOnlyField(
+        source="backchannel_application.name", allow_null=True
+    )

    component = SerializerMethodField()

--- a/authentik/core/api/sources.py
+++ b/authentik/core/api/sources.py
@@ -14,7 +14,7 @@ from structlog.stdlib import get_logger

 from authentik.core.api.object_types import TypesMixin
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import MetaNameSerializer, ModelSerializer
+from authentik.core.api.utils import MetaNameSerializer, ModelSerializer, ThemedUrlsSerializer
 from authentik.core.models import GroupSourceConnection, Source, UserSourceConnection
 from authentik.core.types import UserSettingSerializer
 from authentik.policies.engine import PolicyEngine
@@ -28,6 +28,7 @@ class SourceSerializer(ModelSerializer, MetaNameSerializer):
    managed = ReadOnlyField()
    component = SerializerMethodField()
    icon_url = ReadOnlyField()
+    icon_themed_urls = ThemedUrlsSerializer(read_only=True, allow_null=True)

    def get_component(self, obj: Source) -> str:
        """Get object component so that we know how to edit the object"""
@@ -57,6 +58,7 @@ class SourceSerializer(ModelSerializer, MetaNameSerializer):
            "user_path_template",
            "icon",
            "icon_url",
+            "icon_themed_urls",
        ]


--- a/authentik/core/api/tokens.py
+++ b/authentik/core/api/tokens.py
@@ -75,7 +75,8 @@ class TokenSerializer(ManagedSerializer, ModelSerializer):
                except ValueError:
                    pass

-            if "expires" in attrs and attrs.get("expires") > max_token_lifetime_dt:
+            expires = attrs.get("expires")
+            if expires is not None and expires > max_token_lifetime_dt:
                raise ValidationError(
                    {
                        "expires": (
--- a/authentik/core/api/users.py
+++ b/authentik/core/api/users.py
@@ -30,7 +30,6 @@ from drf_spectacular.utils import (
    extend_schema_field,
    inline_serializer,
 )
-from guardian.shortcuts import get_objects_for_user
 from rest_framework.authentication import SessionAuthentication
 from rest_framework.decorators import action
 from rest_framework.exceptions import ValidationError
@@ -42,6 +41,7 @@ from rest_framework.fields import (
    IntegerField,
    ListField,
    SerializerMethodField,
+    UUIDField,
 )
 from rest_framework.permissions import IsAuthenticated
 from rest_framework.request import Request
@@ -72,12 +72,14 @@ from authentik.core.middleware import (
 from authentik.core.models import (
    USER_ATTRIBUTE_TOKEN_EXPIRING,
    USER_PATH_SERVICE_ACCOUNT,
+    USERNAME_MAX_LENGTH,
    Group,
    Session,
    Token,
    TokenIntents,
    User,
    UserTypes,
+    default_token_duration,
 )
 from authentik.endpoints.connectors.agent.auth import AgentAuth
 from authentik.events.models import Event, EventAction
@@ -87,6 +89,7 @@ from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlanner
 from authentik.flows.views.executor import QS_KEY_TOKEN
 from authentik.lib.avatars import get_avatar
 from authentik.lib.utils.reflection import ConditionalInheritance
+from authentik.lib.utils.time import timedelta_from_string, timedelta_string_validator
 from authentik.rbac.api.roles import RoleSerializer
 from authentik.rbac.decorators import permission_required
 from authentik.rbac.models import Role, get_permission_choices
@@ -129,7 +132,6 @@ class UserSerializer(ModelSerializer):
    groups = PrimaryKeyRelatedField(
        allow_empty=True,
        many=True,
-        source="ak_groups",
        queryset=Group.objects.all().order_by("name"),
        default=list,
    )
@@ -143,7 +145,7 @@ class UserSerializer(ModelSerializer):
    roles_obj = SerializerMethodField(allow_null=True)
    uid = CharField(read_only=True)
    username = CharField(
-        max_length=150,
+        max_length=USERNAME_MAX_LENGTH,
        validators=[UniqueValidator(queryset=User.objects.all().order_by("username"))],
    )

@@ -165,7 +167,7 @@ class UserSerializer(ModelSerializer):
    def get_groups_obj(self, instance: User) -> list[PartialGroupSerializer] | None:
        if not self._should_include_groups:
            return None
-        return PartialGroupSerializer(instance.ak_groups, many=True).data
+        return PartialGroupSerializer(instance.groups, many=True).data

    @extend_schema_field(RoleSerializer(many=True))
    def get_roles_obj(self, instance: User) -> list[RoleSerializer] | None:
@@ -239,14 +241,14 @@ class UserSerializer(ModelSerializer):
            and self.instance.type == UserTypes.INTERNAL_SERVICE_ACCOUNT
            and user_type != UserTypes.INTERNAL_SERVICE_ACCOUNT.value
        ):
-            raise ValidationError("Can't change internal service account to other user type.")
+            raise ValidationError(_("Can't change internal service account to other user type."))
        if not self.instance and user_type == UserTypes.INTERNAL_SERVICE_ACCOUNT.value:
-            raise ValidationError("Setting a user to internal service account is not allowed.")
+            raise ValidationError(_("Setting a user to internal service account is not allowed."))
        return user_type

    def validate(self, attrs: dict) -> dict:
        if self.instance and self.instance.type == UserTypes.INTERNAL_SERVICE_ACCOUNT:
-            raise ValidationError("Can't modify internal service account users")
+            raise ValidationError(_("Can't modify internal service account users"))
        return super().validate(attrs)

    class Meta:
@@ -398,6 +400,18 @@ class UserServiceAccountSerializer(PassiveSerializer):
    )


+class UserRecoveryLinkSerializer(PassiveSerializer):
+    """Payload to create a recovery link"""
+
+    token_duration = CharField(required=False)
+
+
+class UserRecoveryEmailSerializer(UserRecoveryLinkSerializer):
+    """Payload to create and email a recovery link"""
+
+    email_stage = UUIDField()
+
+
 class UsersFilter(FilterSet):
    """Filter for users"""

@@ -421,7 +435,7 @@ class UsersFilter(FilterSet):
    last_login__gt = IsoDateTimeFilter(field_name="last_login", lookup_expr="gt")
    last_login__isnull = BooleanFilter(field_name="last_login", lookup_expr="isnull")

-    is_superuser = BooleanFilter(field_name="ak_groups", method="filter_is_superuser")
+    is_superuser = BooleanFilter(field_name="groups", method="filter_is_superuser")
    uuid = UUIDFilter(field_name="uuid")

    path = CharFilter(field_name="path")
@@ -430,12 +444,12 @@ class UsersFilter(FilterSet):
    type = MultipleChoiceFilter(choices=UserTypes.choices, field_name="type")

    groups_by_name = ModelMultipleChoiceFilter(
-        field_name="ak_groups__name",
+        field_name="groups__name",
        to_field_name="name",
        queryset=Group.objects.all().order_by("name"),
    )
    groups_by_pk = ModelMultipleChoiceFilter(
-        field_name="ak_groups",
+        field_name="groups",
        queryset=Group.objects.all().order_by("name"),
    )

@@ -451,22 +465,22 @@ class UsersFilter(FilterSet):

    def filter_is_superuser(self, queryset, name, value):
        if value:
-            return queryset.filter(ak_groups__is_superuser=True).distinct()
-        return queryset.exclude(ak_groups__is_superuser=True).distinct()
+            return queryset.filter(groups__is_superuser=True).distinct()
+        return queryset.exclude(groups__is_superuser=True).distinct()

    def filter_attributes(self, queryset, name, value):
        """Filter attributes by query args"""
        try:
            value = loads(value)
        except ValueError:
-            raise ValidationError(detail="filter: failed to parse JSON") from None
+            raise ValidationError(_("filter: failed to parse JSON")) from None
        if not isinstance(value, dict):
-            raise ValidationError(detail="filter: value must be key:value mapping")
+            raise ValidationError(_("filter: value must be key:value mapping"))
        qs = {}
        for key, _value in value.items():
            qs[f"attributes__{key}"] = _value
        try:
-            _ = len(queryset.filter(**qs))
+            __ = len(queryset.filter(**qs))
            return queryset.filter(**qs)
        except ValueError:
            return queryset
@@ -530,7 +544,7 @@ class UserViewSet(
    def get_queryset(self):
        base_qs = User.objects.all().exclude_anonymous()
        if self.serializer_class(context={"request": self.request})._should_include_groups:
-            base_qs = base_qs.prefetch_related("ak_groups")
+            base_qs = base_qs.prefetch_related("groups")
        if self.serializer_class(context={"request": self.request})._should_include_roles:
            base_qs = base_qs.prefetch_related("roles")
        return base_qs
@@ -544,14 +558,16 @@ class UserViewSet(
    def list(self, request, *args, **kwargs):
        return super().list(request, *args, **kwargs)

-    def _create_recovery_link(self, for_email=False) -> tuple[str, Token]:
+    def _create_recovery_link(
+        self, token_duration: str | None, for_email=False
+    ) -> tuple[str, Token]:
        """Create a recovery link (when the current brand has a recovery flow set),
        that can either be shown to an admin or sent to the user directly"""
-        brand: Brand = self.request._request.brand
+        brand: Brand = self.request.brand
        # Check that there is a recovery flow, if not return an error
        flow = brand.flow_recovery
        if not flow:
-            raise ValidationError({"non_field_errors": "No recovery flow set."})
+            raise ValidationError({"non_field_errors": _("No recovery flow set.")})
        user: User = self.get_object()
        planner = FlowPlanner(flow)
        planner.allow_empty_flows = True
@@ -565,11 +581,15 @@ class UserViewSet(
            )
        except FlowNonApplicableException:
            raise ValidationError(
-                {"non_field_errors": "Recovery flow not applicable to user"}
+                {"non_field_errors": _("Recovery flow not applicable to user")}
            ) from None
        _plan = FlowToken.pickle(plan)
        if for_email:
            _plan = pickle_flow_token_for_email(plan)
+        expires = default_token_duration()
+        if token_duration:
+            timedelta_string_validator(token_duration)
+            expires = now() + timedelta_from_string(token_duration)
        token, __ = FlowToken.objects.update_or_create(
            identifier=f"{user.uid}-password-reset",
            defaults={
@@ -577,6 +597,7 @@ class UserViewSet(
                "flow": flow,
                "_plan": _plan,
                "revoke_on_execution": not for_email,
+                "expires": expires,
            },
        )
        querystring = urlencode({QS_KEY_TOKEN: token.key})
@@ -724,60 +745,60 @@ class UserViewSet(

    @permission_required("authentik_core.reset_user_password")
    @extend_schema(
+        request=UserRecoveryLinkSerializer,
        responses={
            "200": LinkSerializer(many=False),
        },
-        request=None,
    )
    @action(detail=True, pagination_class=None, filter_backends=[], methods=["POST"])
-    def recovery(self, request: Request, pk: int) -> Response:
+    @validate(UserRecoveryLinkSerializer)
+    def recovery(self, request: Request, pk: int, body: UserRecoveryLinkSerializer) -> Response:
        """Create a temporary link that a user can use to recover their account"""
-        link, _ = self._create_recovery_link()
+        link, _ = self._create_recovery_link(
+            token_duration=body.validated_data.get("token_duration")
+        )
        return Response({"link": link})

    @permission_required("authentik_core.reset_user_password")
    @extend_schema(
-        parameters=[
-            OpenApiParameter(
-                name="email_stage",
-                location=OpenApiParameter.QUERY,
-                type=OpenApiTypes.STR,
-                required=True,
-            )
-        ],
+        request=UserRecoveryEmailSerializer,
        responses={
            "204": OpenApiResponse(description="Successfully sent recover email"),
        },
-        request=None,
    )
    @action(detail=True, pagination_class=None, filter_backends=[], methods=["POST"])
-    def recovery_email(self, request: Request, pk: int) -> Response:
+    @validate(UserRecoveryEmailSerializer)
+    def recovery_email(
+        self, request: Request, pk: int, body: UserRecoveryEmailSerializer
+    ) -> Response:
        """Send an email with a temporary link that a user can use to recover their account"""
-        for_user: User = self.get_object()
-        if for_user.email == "":
+        email_error_message = _("User does not have an email address set.")
+        stage_error_message = _("Email stage not found.")
+        user: User = self.get_object()
+        if not user.email:
            LOGGER.debug("User doesn't have an email address")
-            raise ValidationError({"non_field_errors": "User does not have an email address set."})
-        link, token = self._create_recovery_link(for_email=True)
-        # Lookup the email stage to assure the current user can access it
-        stages = get_objects_for_user(
-            request.user, "authentik_stages_email.view_emailstage"
-        ).filter(pk=request.query_params.get("email_stage"))
-        if not stages.exists():
-            LOGGER.debug("Email stage does not exist/user has no permissions")
-            raise ValidationError({"non_field_errors": "Email stage does not exist."})
-        email_stage: EmailStage = stages.first()
+            raise ValidationError({"non_field_errors": email_error_message})
+        if not (stage := EmailStage.objects.filter(pk=body.validated_data["email_stage"]).first()):
+            LOGGER.debug("Email stage does not exist")
+            raise ValidationError({"non_field_errors": stage_error_message})
+        if not request.user.has_perm("authentik_stages_email.view_emailstage", stage):
+            LOGGER.debug("User has no view access to email stage")
+            raise ValidationError({"non_field_errors": stage_error_message})
+        link, token = self._create_recovery_link(
+            token_duration=body.validated_data.get("token_duration"), for_email=True
+        )
        message = TemplateEmailMessage(
-            subject=_(email_stage.subject),
-            to=[(for_user.name, for_user.email)],
-            template_name=email_stage.template,
-            language=for_user.locale(request),
+            subject=_(stage.subject),
+            to=[(user.name, user.email)],
+            template_name=stage.template,
+            language=user.locale(request),
            template_context={
                "url": link,
-                "user": for_user,
+                "user": user,
                "expires": token.expires,
            },
        )
-        send_mails(email_stage, message)
+        send_mails(stage, message)
        return Response(status=204)

    @permission_required("authentik_core.impersonate")
--- a/authentik/core/api/utils.py
+++ b/authentik/core/api/utils.py
@@ -127,3 +127,10 @@ class LinkSerializer(PassiveSerializer):
    """Returns a single link"""

    link = CharField()
+
+
+class ThemedUrlsSerializer(PassiveSerializer):
+    """Themed URLs - maps theme names to URLs for light and dark themes"""
+
+    light = CharField(required=False, allow_null=True)
+    dark = CharField(required=False, allow_null=True)
--- a/authentik/core/middleware.py
+++ b/authentik/core/middleware.py
@@ -8,7 +8,7 @@ from uuid import uuid4
 from django.contrib.auth import logout
 from django.contrib.auth.models import AnonymousUser
 from django.core.exceptions import ImproperlyConfigured
-from django.http import HttpRequest, HttpResponse
+from django.http import HttpRequest, HttpResponse, HttpResponseBadRequest
 from django.utils.deprecation import MiddlewareMixin
 from django.utils.functional import SimpleLazyObject
 from django.utils.translation import override
@@ -47,7 +47,7 @@ async def aget_user(request):


 class AuthenticationMiddleware(MiddlewareMixin):
-    def process_request(self, request):
+    def process_request(self, request: HttpRequest) -> HttpResponseBadRequest | None:
        if not hasattr(request, "session"):
            raise ImproperlyConfigured(
                "The Django authentication middleware requires session "
@@ -62,7 +62,8 @@ class AuthenticationMiddleware(MiddlewareMixin):
        user = request.user
        if user and user.is_authenticated and not user.is_active:
            logout(request)
-            raise AssertionError()
+            return HttpResponseBadRequest()
+        return None


 class ImpersonateMiddleware:
--- a/authentik/core/migrations/0029_provider_backchannel_applications_and_more.py
+++ b/authentik/core/migrations/0029_provider_backchannel_applications_and_more.py
@@ -16,7 +16,7 @@ def backport_is_backchannel(apps: Apps, schema_editor: BaseDatabaseSchemaEditor)
            for obj in model.objects.using(db_alias).only("is_backchannel"):
                obj.is_backchannel = True
                obj.save()
-        except (DatabaseError, InternalError, ProgrammingError):
+        except DatabaseError, InternalError, ProgrammingError:
            # The model might not have been migrated yet/doesn't exist yet
            # so we don't need to worry about backporting the data
            pass
--- a/authentik/core/migrations/0046_session_and_more.py
+++ b/authentik/core/migrations/0046_session_and_more.py
@@ -1,101 +1,9 @@
 # Generated by Django 5.0.11 on 2025-01-27 12:58

 import uuid
-import pickle  # nosec
-from django.core import signing
-from django.contrib.auth import BACKEND_SESSION_KEY, HASH_SESSION_KEY, SESSION_KEY
 from django.db import migrations, models
 import django.db.models.deletion
 from django.conf import settings
-from authentik.lib.migrations import progress_bar
-from authentik.root.middleware import ClientIPMiddleware
-
-
-class PickleSerializer:
-    """
-    Simple wrapper around pickle to be used in signing.dumps()/loads() and
-    cache backends.
-    """
-
-    def __init__(self, protocol=None):
-        self.protocol = pickle.HIGHEST_PROTOCOL if protocol is None else protocol
-
-    def dumps(self, obj):
-        """Pickle data to be stored in redis"""
-        return pickle.dumps(obj, self.protocol)
-
-    def loads(self, data):
-        """Unpickle data to be loaded from redis"""
-        try:
-            return pickle.loads(data)  # nosec
-        except Exception:
-            return {}
-
-
-def _migrate_session(
-    apps,
-    db_alias,
-    session_key,
-    session_data,
-    expires,
-):
-    Session = apps.get_model("authentik_core", "Session")
-    OldAuthenticatedSession = apps.get_model("authentik_core", "OldAuthenticatedSession")
-    AuthenticatedSession = apps.get_model("authentik_core", "AuthenticatedSession")
-
-    old_auth_session = (
-        OldAuthenticatedSession.objects.using(db_alias).filter(session_key=session_key).first()
-    )
-
-    args = {
-        "session_key": session_key,
-        "expires": expires,
-        "last_ip": ClientIPMiddleware.default_ip,
-        "last_user_agent": "",
-        "session_data": {},
-    }
-    for k, v in session_data.items():
-        if k == "authentik/stages/user_login/last_ip":
-            args["last_ip"] = v
-        elif k in ["last_user_agent", "last_used"]:
-            args[k] = v
-        elif args in [SESSION_KEY, BACKEND_SESSION_KEY, HASH_SESSION_KEY]:
-            pass
-        else:
-            args["session_data"][k] = v
-    if old_auth_session:
-        args["last_user_agent"] = old_auth_session.last_user_agent
-        args["last_used"] = old_auth_session.last_used
-
-    args["session_data"] = pickle.dumps(args["session_data"])
-    session = Session.objects.using(db_alias).create(**args)
-
-    if old_auth_session:
-        AuthenticatedSession.objects.using(db_alias).create(
-            session=session,
-            user=old_auth_session.user,
-            uuid=old_auth_session.uuid,
-        )
-
-
-def migrate_database_sessions(apps, schema_editor):
-    DjangoSession = apps.get_model("sessions", "Session")
-    db_alias = schema_editor.connection.alias
-
-    print("\nMigration database sessions, this might take a couple of minutes...")
-    for django_session in progress_bar(DjangoSession.objects.using(db_alias).all()):
-        session_data = signing.loads(
-            django_session.session_data,
-            salt="django.contrib.sessions.SessionStore",
-            serializer=PickleSerializer,
-        )
-        _migrate_session(
-            apps=apps,
-            db_alias=db_alias,
-            session_key=django_session.session_key,
-            session_data=session_data,
-            expires=django_session.expire_date,
-        )


 class Migration(migrations.Migration):
@@ -205,8 +113,4 @@ class Migration(migrations.Migration):
                "verbose_name_plural": "Authenticated Sessions",
            },
        ),
-        migrations.RunPython(
-            code=migrate_database_sessions,
-            reverse_code=migrations.RunPython.noop,
-        ),
    ]
--- a/authentik/core/migrations/0057_remove_user_groups_remove_user_user_permissions_and_more.py
+++ b/authentik/core/migrations/0057_remove_user_groups_remove_user_user_permissions_and_more.py
@@ -0,0 +1,47 @@
+# Generated by Django 5.2.10 on 2026-01-19 21:46
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_core", "0056_user_roles"),
+        ("authentik_rbac", "0010_remove_role_group_alter_role_name"),
+    ]
+
+    operations = [
+        migrations.RemoveField(
+            model_name="user",
+            name="user_permissions",
+        ),
+        migrations.AlterField(
+            model_name="group",
+            name="roles",
+            field=models.ManyToManyField(
+                blank=True, related_name="groups", to="authentik_rbac.role"
+            ),
+        ),
+        migrations.RemoveField(
+            model_name="user",
+            name="groups",
+        ),
+        migrations.RenameField(
+            model_name="user",
+            old_name="ak_groups",
+            new_name="groups",
+        ),
+        migrations.AlterModelOptions(
+            name="user",
+            options={
+                "permissions": [
+                    ("reset_user_password", "Reset Password"),
+                    ("impersonate", "Can impersonate other users"),
+                    ("preview_user", "Can preview user data sent to providers"),
+                    ("view_user_applications", "View applications the user has access to"),
+                ],
+                "verbose_name": "User",
+                "verbose_name_plural": "Users",
+            },
+        ),
+    ]
--- a/authentik/core/models.py
+++ b/authentik/core/models.py
@@ -1,9 +1,11 @@
 """authentik core models"""

-from datetime import datetime
+import re
+import traceback
+from datetime import datetime, timedelta
 from enum import StrEnum
 from hashlib import sha256
-from typing import Any, Optional, Self
+from typing import Any, Self
 from uuid import uuid4

 import pgtrigger
@@ -15,7 +17,6 @@ from django.contrib.sessions.base_session import AbstractBaseSession
 from django.core.validators import validate_slug
 from django.db import models
 from django.db.models import Q, QuerySet, options
-from django.db.models.constants import LOOKUP_SEP
 from django.http import HttpRequest
 from django.utils.functional import cached_property
 from django.utils.timezone import now
@@ -43,6 +44,7 @@ from authentik.lib.models import (
    DomainlessFormattedURLValidator,
    SerializerModel,
 )
+from authentik.lib.utils.inheritance import get_deepest_child
 from authentik.lib.utils.time import timedelta_from_string
 from authentik.policies.models import PolicyBindingModel
 from authentik.rbac.models import Role
@@ -50,6 +52,7 @@ from authentik.tenants.models import DEFAULT_TOKEN_DURATION, DEFAULT_TOKEN_LENGT
 from authentik.tenants.utils import get_current_tenant, get_unique_identifier

 LOGGER = get_logger()
+USERNAME_MAX_LENGTH = 150
 USER_PATH_SYSTEM_PREFIX = "goauthentik.io"
 _USER_ATTR_PREFIX = f"{USER_PATH_SYSTEM_PREFIX}/user"
 USER_ATTRIBUTE_DEBUG = f"{_USER_ATTR_PREFIX}/debug"
@@ -183,7 +186,7 @@ class Group(SerializerModel, AttributesMixin):
        default=False, help_text=_("Users added to this group will be superusers.")
    )

-    roles = models.ManyToManyField("authentik_rbac.Role", related_name="ak_groups", blank=True)
+    roles = models.ManyToManyField("authentik_rbac.Role", related_name="groups", blank=True)

    parents = models.ManyToManyField(
        "Group",
@@ -225,14 +228,14 @@ class Group(SerializerModel, AttributesMixin):
        # in the LDAP Outpost we use the last 5 chars so match here
        return int(str(self.pk.int)[:5])

-    def is_member(self, user: "User") -> bool:
+    def is_member(self, user: User) -> bool:
        """Recursively check if `user` is member of us, or any parent."""
        return user.all_groups().filter(group_uuid=self.group_uuid).exists()

    def all_roles(self) -> QuerySet[Role]:
        """Get all roles of this group and all of its ancestors."""
        return Role.objects.filter(
-            ak_groups__in=Group.objects.filter(pk=self.pk).with_ancestors()
+            groups__in=Group.objects.filter(pk=self.pk).with_ancestors()
        ).distinct()

    def get_managed_role(self, create=False):
@@ -240,7 +243,7 @@ class Group(SerializerModel, AttributesMixin):
            name = managed_role_name(self)
            role, created = Role.objects.get_or_create(name=name, managed=name)
            if created:
-                role.ak_groups.add(self)
+                role.groups.add(self)
            return role
        else:
            return Role.objects.filter(name=managed_role_name(self)).first()
@@ -355,13 +358,17 @@ class UserManager(DjangoUserManager):
 class User(SerializerModel, AttributesMixin, AbstractUser):
    """authentik User model, based on django's contrib auth user model."""

+    # Overwriting PermissionsMixin: permissions are handled by roles.
+    # (This knowingly violates the Liskov substitution principle. It is better to fail loudly.)
+    user_permissions = None
+
    uuid = models.UUIDField(default=uuid4, editable=False, unique=True)
    name = models.TextField(help_text=_("User's display name."))
    path = models.TextField(default="users")
    type = models.TextField(choices=UserTypes.choices, default=UserTypes.INTERNAL)

    sources = models.ManyToManyField("Source", through="UserSourceConnection")
-    ak_groups = models.ManyToManyField("Group", related_name="users")
+    groups = models.ManyToManyField("Group", related_name="users")
    roles = models.ManyToManyField("authentik_rbac.Role", related_name="users", blank=True)
    password_change_date = models.DateTimeField(auto_now_add=True)

@@ -375,8 +382,6 @@ class User(SerializerModel, AttributesMixin, AbstractUser):
        permissions = [
            ("reset_user_password", _("Reset Password")),
            ("impersonate", _("Can impersonate other users")),
-            ("assign_user_permissions", _("Can assign permissions to users")),
-            ("unassign_user_permissions", _("Can unassign permissions from users")),
            ("preview_user", _("Can preview user data sent to providers")),
            ("view_user_applications", _("View applications the user has access to")),
        ]
@@ -400,11 +405,11 @@ class User(SerializerModel, AttributesMixin, AbstractUser):

    def all_groups(self) -> QuerySet[Group]:
        """Recursively get all groups this user is a member of."""
-        return self.ak_groups.all().with_ancestors()
+        return self.groups.all().with_ancestors()

    def all_roles(self) -> QuerySet[Role]:
        """Get all roles of this user and all of its groups (recursively)."""
-        return Role.objects.filter(Q(users=self) | Q(ak_groups__in=self.all_groups())).distinct()
+        return Role.objects.filter(Q(users=self) | Q(groups__in=self.all_groups())).distinct()

    def get_managed_role(self, create=False):
        if create:
@@ -466,7 +471,7 @@ class User(SerializerModel, AttributesMixin, AbstractUser):
        always_merger.merge(final_attributes, self.attributes)
        return final_attributes

-    def app_entitlements(self, app: "Application | None") -> QuerySet["ApplicationEntitlement"]:
+    def app_entitlements(self, app: Application | None) -> QuerySet[ApplicationEntitlement]:
        """Get all entitlements this user has for `app`."""
        if not app:
            return []
@@ -485,7 +490,7 @@ class User(SerializerModel, AttributesMixin, AbstractUser):
        ).order_by("name")
        return qs

-    def app_entitlements_attributes(self, app: "Application | None") -> dict:
+    def app_entitlements_attributes(self, app: Application | None) -> dict:
        """Get a dictionary containing all merged attributes from app entitlements for `app`."""
        final_attributes = {}
        for attrs in self.app_entitlements(app).values_list("attributes", flat=True):
@@ -508,6 +513,54 @@ class User(SerializerModel, AttributesMixin, AbstractUser):
        """superuser == staff user"""
        return self.is_superuser  # type: ignore

+    # TODO: remove this after 2026.
+    @property
+    def ak_groups(self):
+        """This is a proxy for a renamed, deprecated field."""
+        from authentik.events.models import Event, EventAction
+
+        deprecation = "authentik.core.models.User.ak_groups"
+        replacement = "authentik.core.models.User.groups"
+        message_logger = (
+            f"{deprecation} is deprecated and will be removed in a future version of "
+            f"authentik. Please use {replacement} instead."
+        )
+        message_event = (
+            f"{message_logger} This event will not be repeated until it expires (by "
+            "default: in 30 days). See authentik logs for every will invocation of this "
+            "deprecation."
+        )
+        stacktrace = traceback.format_stack()
+        # The last line is this function, the next-to-last line is its caller
+        cause = stacktrace[-2] if len(stacktrace) > 1 else "Unknown, see stacktrace in logs"
+        if search := re.search(r'"(.*?)"', cause):
+            cause = f"Property mapping or Expression policy named {search.group(1)}"
+
+        LOGGER.warning(
+            "deprecation used",
+            message=message_logger,
+            deprecation=deprecation,
+            replacement=replacement,
+            cause=cause,
+            stacktrace=stacktrace,
+        )
+        if not Event.filter_not_expired(
+            action=EventAction.CONFIGURATION_WARNING,
+            context__deprecation=deprecation,
+            context__cause=cause,
+        ).exists():
+            event = Event.new(
+                EventAction.CONFIGURATION_WARNING,
+                deprecation=deprecation,
+                replacement=replacement,
+                message=message_event,
+                cause=cause,
+            )
+            event.expires = datetime.now() + timedelta(days=30)
+            event.save()
+
+        return self.groups
+
    def set_password(self, raw_password, signal=True, sender=None, request=None):
        if self.pk and signal:
            from authentik.core.signals import password_changed
@@ -654,7 +707,7 @@ class BackchannelProvider(Provider):


 class ApplicationQuerySet(QuerySet):
-    def with_provider(self) -> "QuerySet[Application]":
+    def with_provider(self) -> QuerySet[Application]:
        qs = self.select_related("provider")
        for subclass in Provider.objects.get_queryset()._get_subclasses_recurse(Provider):
            qs = qs.select_related(f"provider__{subclass}")
@@ -713,9 +766,15 @@ class Application(SerializerModel, PolicyBindingModel):

        return get_file_manager(FileUsage.MEDIA).file_url(self.meta_icon)

-    def get_launch_url(
-        self, user: Optional["User"] = None, user_data: dict | None = None
-    ) -> str | None:
+    @property
+    def get_meta_icon_themed_urls(self) -> dict[str, str] | None:
+        """Get themed URLs for meta_icon if it contains %(theme)s"""
+        if not self.meta_icon:
+            return None
+
+        return get_file_manager(FileUsage.MEDIA).themed_urls(self.meta_icon)
+
+    def get_launch_url(self, user: User | None = None, user_data: dict | None = None) -> str | None:
        """Get launch URL if set, otherwise attempt to get launch URL based on provider.

        Args:
@@ -744,25 +803,7 @@ class Application(SerializerModel, PolicyBindingModel):
        """Get casted provider instance. Needs Application queryset with_provider"""
        if not self.provider:
            return None
-
-        candidates = []
-        base_class = Provider
-        for subclass in base_class.objects.get_queryset()._get_subclasses_recurse(base_class):
-            parent = self.provider
-            for level in subclass.split(LOOKUP_SEP):
-                try:
-                    parent = getattr(parent, level)
-                except AttributeError:
-                    break
-            if parent in candidates:
-                continue
-            idx = subclass.count(LOOKUP_SEP)
-            if type(parent) is not base_class:
-                idx += 1
-            candidates.insert(idx, parent)
-        if not candidates:
-            return None
-        return candidates[-1]
+        return get_deepest_child(self.provider)

    def backchannel_provider_for[T: Provider](self, provider_type: type[T], **kwargs) -> T | None:
        """Get Backchannel provider for a specific type"""
@@ -929,6 +970,14 @@ class Source(ManagedModel, SerializerModel, PolicyBindingModel):

        return get_file_manager(FileUsage.MEDIA).file_url(self.icon)

+    @property
+    def icon_themed_urls(self) -> dict[str, str] | None:
+        """Get themed URLs for icon if it contains %(theme)s"""
+        if not self.icon:
+            return None
+
+        return get_file_manager(FileUsage.MEDIA).themed_urls(self.icon)
+
    def get_user_path(self) -> str:
        """Get user path, fallback to default for formatting errors"""
        try:
@@ -948,7 +997,7 @@ class Source(ManagedModel, SerializerModel, PolicyBindingModel):
        raise NotImplementedError

    @property
-    def property_mapping_type(self) -> "type[PropertyMapping]":
+    def property_mapping_type(self) -> type[PropertyMapping]:
        """Return property mapping type used by this object"""
        if self.managed == self.MANAGED_INBUILT:
            from authentik.core.models import PropertyMapping
@@ -1066,10 +1115,14 @@ class ExpiringModel(models.Model):
        default the object is deleted. This is less efficient compared
        to bulk deleting objects, but classes like Token() need to change
        values instead of being deleted."""
-        return self.delete(*args, **kwargs)
+        try:
+            return self.delete(*args, **kwargs)
+        except self.DoesNotExist:
+            # Object has already been deleted, so this should be fine
+            return None

    @classmethod
-    def filter_not_expired(cls, **kwargs) -> QuerySet["Self"]:
+    def filter_not_expired(cls, **kwargs) -> QuerySet[Self]:
        """Filer for tokens which are not expired yet or are not expiring,
        and match filters in `kwargs`"""
        for obj in cls.objects.filter(**kwargs).filter(Q(expires__lt=now(), expiring=True)):
@@ -1265,7 +1318,7 @@ class AuthenticatedSession(SerializerModel):
        return f"Authenticated Session {str(self.pk)[:10]}"

    @staticmethod
-    def from_request(request: HttpRequest, user: User) -> Optional["AuthenticatedSession"]:
+    def from_request(request: HttpRequest, user: User) -> AuthenticatedSession | None:
        """Create a new session from a http request"""
        if not hasattr(request, "session") or not request.session.exists(
            request.session.session_key
--- a/authentik/core/sessions.py
+++ b/authentik/core/sessions.py
@@ -66,7 +66,7 @@ class SessionStore(SessionBase):
    def decode(self, session_data):
        try:
            return pickle.loads(session_data)  # nosec
-        except (pickle.PickleError, AttributeError, TypeError):
+        except pickle.PickleError, AttributeError, TypeError:
            # PickleError, ValueError - unpickling exceptions
            # AttributeError - can happen when Django model fields (e.g., FileField) are unpickled
            #                  and their descriptors fail to initialize (e.g., missing storage)
--- a/authentik/core/signals.py
+++ b/authentik/core/signals.py
@@ -24,7 +24,8 @@ from authentik.root.ws.consumer import build_device_group

 # Arguments: user: User, password: str
 password_changed = Signal()
-# Arguments: credentials: dict[str, any], request: HttpRequest, stage: Stage
+# Arguments: credentials: dict[str, any], request: HttpRequest,
+#            stage: Stage, context: dict[str, any]
 login_failed = Signal()

 LOGGER = get_logger()
@@ -51,7 +52,7 @@ def user_logged_in_session(sender, request: HttpRequest, user: User, **_):
    if session:
        session.save()

-    if not RefreshOtherFlowsAfterAuthentication().get():
+    if not RefreshOtherFlowsAfterAuthentication.get():
        return
    layer = get_channel_layer()
    device_cookie = request.COOKIES.get("authentik_device")
@@ -63,7 +64,7 @@ def user_logged_in_session(sender, request: HttpRequest, user: User, **_):


@receiver(post_delete, sender=AuthenticatedSession)
-def authenticated_session_delete(sender: type[Model], instance: "AuthenticatedSession", **_):
+def authenticated_session_delete(sender: type[Model], instance: AuthenticatedSession, **_):
    """Delete session when authenticated session is deleted"""
    Session.objects.filter(session_key=instance.pk).delete()

--- a/authentik/core/sources/flow_manager.py
+++ b/authentik/core/sources/flow_manager.py
@@ -392,10 +392,10 @@ class GroupUpdateStage(StageView):
            groups.append(group)

        with transaction.atomic():
-            self.user.ak_groups.remove(
-                *self.user.ak_groups.filter(groupsourceconnection__source=self.source)
+            self.user.groups.remove(
+                *self.user.groups.filter(groupsourceconnection__source=self.source)
            )
-            self.user.ak_groups.add(*groups)
+            self.user.groups.add(*groups)

        return True

--- a/authentik/core/sources/mapper.py
+++ b/authentik/core/sources/mapper.py
@@ -49,7 +49,7 @@ class SourceMapper:
    def build_object_properties(
        self,
        object_type: type[User | Group],
-        manager: "PropertyMappingManager | None" = None,
+        manager: PropertyMappingManager | None = None,
        user: User | None = None,
        request: HttpRequest | None = None,
        **kwargs,
--- a/authentik/core/templates/base/theme.html
+++ b/authentik/core/templates/base/theme.html
@@ -10,15 +10,23 @@
  {% elif ui_theme == "light" %}
  <meta name="color-scheme" content="light" />
  <meta name="theme-color" content="#ffffff">
-{% else %}
+  {% else %}
  <script data-id="theme-script">
    "use strict";

    (function () {
        try {
+            /* Ignore older theme names */
+            let locallyStoredTheme = window.localStorage?.getItem("theme") || null;
+            if (typeof locallyStoredTheme === "string") {
+                locallyStoredTheme = locallyStoredTheme.trim();
+            }
+            if (!(["auto", "light", "dark"].includes(locallyStoredTheme))) {
+                locallyStoredTheme = null;
+            }
+            
            const initialThemeChoice =
-                new URLSearchParams(window.location.search).get("theme") ||
-                window.localStorage?.getItem("theme");
+                new URLSearchParams(window.location.search).get("theme") || locallyStoredTheme;

            const themeChoice =
                initialThemeChoice || document.documentElement.dataset.themeChoice || "auto";
--- a/authentik/core/templates/login/base_full.html
+++ b/authentik/core/templates/login/base_full.html
@@ -44,19 +44,24 @@
                                {% endblock %}
                            </div>
                        </main>
-                        <footer aria-label="Site footer" class="pf-c-login__footer pf-m-dark">
-                            <ul class="pf-c-list pf-m-inline">
-                                {% for link in footer_links %}
-                                <li>
-                                    <a href="{{ link.href }}">{{ link.name }}</a>
-                                </li>
-                                {% endfor %}
-                                <li>
-                                    <span>
-                                        {% trans 'Powered by authentik' %}
-                                    </span>
-                                </li>
-                            </ul>
+                        <footer
+                            name="site-footer"
+                            aria-label="{% trans 'Site footer' %}"
+                            class="pf-c-login__footer pf-m-dark">
+                            <div name="flow-links" aria-label="{% trans 'Flow links' %}">
+                                <ul class="pf-c-list pf-m-inline" part="list">
+                                    {% for link in footer_links %}
+                                    <li part="list-item">
+                                        <a part="list-item-link" href="{{ link.href }}">{{ link.name }}</a>
+                                    </li>
+                                    {% endfor %}
+                                    <li part="list-item">
+                                        <span>
+                                            {% trans 'Powered by authentik' %}
+                                        </span>
+                                    </li>
+                                </ul>
+                            </div>
                        </footer>
                    </div>
                </div>
--- a/authentik/core/tests/test_application_entitlements.py
+++ b/authentik/core/tests/test_application_entitlements.py
@@ -38,7 +38,7 @@ class TestApplicationEntitlements(APITestCase):
    def test_group(self):
        """Test direct group"""
        group = Group.objects.create(name=generate_id())
-        self.user.ak_groups.add(group)
+        self.user.groups.add(group)
        ent = ApplicationEntitlement.objects.create(app=self.app, name=generate_id())
        PolicyBinding.objects.create(target=ent, group=group, order=0)
        ents = self.user.app_entitlements(self.app)
@@ -50,7 +50,7 @@ class TestApplicationEntitlements(APITestCase):
        parent = Group.objects.create(name=generate_id())
        group = Group.objects.create(name=generate_id())
        group.parents.add(parent)
-        self.user.ak_groups.add(group)
+        self.user.groups.add(group)
        ent = ApplicationEntitlement.objects.create(app=self.app, name=generate_id())
        PolicyBinding.objects.create(target=ent, group=parent, order=0)
        ents = self.user.app_entitlements(self.app)
--- a/authentik/core/tests/test_applications_api.py
+++ b/authentik/core/tests/test_applications_api.py
@@ -107,6 +107,8 @@ class TestApplicationsAPI(APITestCase):
                        "provider_obj": {
                            "assigned_application_name": "allowed",
                            "assigned_application_slug": "allowed",
+                            "assigned_backchannel_application_name": None,
+                            "assigned_backchannel_application_slug": None,
                            "authentication_flow": None,
                            "invalidation_flow": None,
                            "authorization_flow": str(self.provider.authorization_flow.pk),
@@ -125,6 +127,7 @@ class TestApplicationsAPI(APITestCase):
                        "open_in_new_tab": True,
                        "meta_icon": "",
                        "meta_icon_url": None,
+                        "meta_icon_themed_urls": None,
                        "meta_description": "",
                        "meta_publisher": "",
                        "policy_engine_mode": "any",
@@ -162,6 +165,8 @@ class TestApplicationsAPI(APITestCase):
                        "provider_obj": {
                            "assigned_application_name": "allowed",
                            "assigned_application_slug": "allowed",
+                            "assigned_backchannel_application_name": None,
+                            "assigned_backchannel_application_slug": None,
                            "authentication_flow": None,
                            "invalidation_flow": None,
                            "authorization_flow": str(self.provider.authorization_flow.pk),
@@ -180,6 +185,7 @@ class TestApplicationsAPI(APITestCase):
                        "open_in_new_tab": True,
                        "meta_icon": "",
                        "meta_icon_url": None,
+                        "meta_icon_themed_urls": None,
                        "meta_description": "",
                        "meta_publisher": "",
                        "policy_engine_mode": "any",
@@ -189,6 +195,7 @@ class TestApplicationsAPI(APITestCase):
                        "meta_description": "",
                        "meta_icon": "",
                        "meta_icon_url": None,
+                        "meta_icon_themed_urls": None,
                        "meta_launch_url": "",
                        "open_in_new_tab": False,
                        "meta_publisher": "",
--- a/authentik/core/tests/test_groups_api.py
+++ b/authentik/core/tests/test_groups_api.py
@@ -122,8 +122,8 @@ class TestGroupsAPI(APITestCase):
    def test_superuser_update_no_perm(self):
        """Test updating a superuser group without permission"""
        group = Group.objects.create(name=generate_id(), is_superuser=True)
-        self.login_user.assign_perms_to_managed_role("view_group", group)
-        self.login_user.assign_perms_to_managed_role("change_group", group)
+        self.login_user.assign_perms_to_managed_role("authentik_core.view_group", group)
+        self.login_user.assign_perms_to_managed_role("authentik_core.change_group", group)
        self.client.force_login(self.login_user)
        res = self.client.patch(
            reverse("authentik_api:group-detail", kwargs={"pk": group.pk}),
@@ -139,8 +139,8 @@ class TestGroupsAPI(APITestCase):
        """Test updating a superuser group without permission
        and without changing the superuser status"""
        group = Group.objects.create(name=generate_id(), is_superuser=True)
-        self.login_user.assign_perms_to_managed_role("view_group", group)
-        self.login_user.assign_perms_to_managed_role("change_group", group)
+        self.login_user.assign_perms_to_managed_role("authentik_core.view_group", group)
+        self.login_user.assign_perms_to_managed_role("authentik_core.change_group", group)
        self.client.force_login(self.login_user)
        res = self.client.patch(
            reverse("authentik_api:group-detail", kwargs={"pk": group.pk}),
--- a/authentik/core/tests/test_source_flow_manager_group_update_stage.py
+++ b/authentik/core/tests/test_source_flow_manager_group_update_stage.py
@@ -54,7 +54,7 @@ class TestSourceFlowManager(FlowTestCase):
        )
        self.assertTrue(stage.handle_groups())
        self.assertTrue(Group.objects.filter(name="group 1").exists())
-        self.assertTrue(self.user.ak_groups.filter(name="group 1").exists())
+        self.assertTrue(self.user.groups.filter(name="group 1").exists())
        self.assertTrue(
            GroupOAuthSourceConnection.objects.filter(
                group=Group.objects.get(name="group 1"), source=self.source
@@ -88,7 +88,7 @@ class TestSourceFlowManager(FlowTestCase):
        )
        self.assertTrue(stage.handle_groups())
        self.assertTrue(Group.objects.filter(name="group 1").exists())
-        self.assertTrue(self.user.ak_groups.filter(name="group 1").exists())
+        self.assertTrue(self.user.groups.filter(name="group 1").exists())
        self.assertTrue(
            GroupOAuthSourceConnection.objects.filter(
                group=Group.objects.get(name="group 1"), source=self.source
@@ -123,7 +123,7 @@ class TestSourceFlowManager(FlowTestCase):
        )
        self.assertTrue(stage.handle_groups())
        self.assertTrue(Group.objects.filter(name="group 1").exists())
-        self.assertTrue(self.user.ak_groups.filter(name="group 1").exists())
+        self.assertTrue(self.user.groups.filter(name="group 1").exists())
        self.assertTrue(
            GroupOAuthSourceConnection.objects.filter(group=group, source=self.source).exists()
        )
@@ -155,7 +155,7 @@ class TestSourceFlowManager(FlowTestCase):
        )
        self.assertTrue(stage.handle_groups())
        self.assertTrue(Group.objects.filter(name="group 1").exists())
-        self.assertTrue(self.user.ak_groups.filter(name="group 1").exists())
+        self.assertTrue(self.user.groups.filter(name="group 1").exists())
        self.assertTrue(
            GroupOAuthSourceConnection.objects.filter(
                group=Group.objects.get(name="group 1"), source=self.source
@@ -189,7 +189,7 @@ class TestSourceFlowManager(FlowTestCase):
            request=request,
        )
        self.assertFalse(stage.handle_groups())
-        self.assertFalse(self.user.ak_groups.filter(name="group 1").exists())
+        self.assertFalse(self.user.groups.filter(name="group 1").exists())
        self.assertFalse(
            GroupOAuthSourceConnection.objects.filter(group=group, source=self.source).exists()
        )
@@ -201,7 +201,7 @@ class TestSourceFlowManager(FlowTestCase):
        other_group = Group.objects.create(name="other group")
        old_group = Group.objects.create(name="old group")
        new_group = Group.objects.create(name="new group")
-        self.user.ak_groups.set([other_group, old_group])
+        self.user.groups.set([other_group, old_group])
        GroupOAuthSourceConnection.objects.create(
            group=old_group, source=self.source, identifier=old_group.name
        )
@@ -231,7 +231,7 @@ class TestSourceFlowManager(FlowTestCase):
            request=request,
        )
        self.assertTrue(stage.handle_groups())
-        self.assertFalse(self.user.ak_groups.filter(name="old group").exists())
-        self.assertTrue(self.user.ak_groups.filter(name="other group").exists())
-        self.assertTrue(self.user.ak_groups.filter(name="new group").exists())
-        self.assertEqual(self.user.ak_groups.count(), 2)
+        self.assertFalse(self.user.groups.filter(name="old group").exists())
+        self.assertTrue(self.user.groups.filter(name="other group").exists())
+        self.assertTrue(self.user.groups.filter(name="new group").exists())
+        self.assertEqual(self.user.groups.count(), 2)
--- a/authentik/core/tests/test_users.py
+++ b/authentik/core/tests/test_users.py
@@ -3,6 +3,7 @@
 from django.test.testcases import TestCase

 from authentik.core.models import User
+from authentik.events.models import Event
 from authentik.lib.generators import generate_id


@@ -18,3 +19,17 @@ class TestUsers(TestCase):
        self.assertTrue(user.has_perm(perm))
        user.remove_perms_from_managed_role(perm)
        self.assertFalse(user.has_perm(perm))
+
+    def test_user_ak_groups(self):
+        """Test user.ak_groups is a proxy for user.groups"""
+        user = User.objects.create(username=generate_id())
+        self.assertEqual(user.ak_groups, user.groups)
+
+    def test_user_ak_groups_event(self):
+        """Test user.ak_groups creates exactly one event"""
+        user = User.objects.create(username=generate_id())
+        self.assertEqual(Event.objects.count(), 0)
+        user.ak_groups.all()
+        self.assertEqual(Event.objects.count(), 1)
+        user.ak_groups.all()
+        self.assertEqual(Event.objects.count(), 1)
--- a/authentik/core/tests/test_users_api.py
+++ b/authentik/core/tests/test_users_api.py
@@ -1,9 +1,10 @@
 """Test Users API"""

-from datetime import datetime
+from datetime import datetime, timedelta
 from json import loads

 from django.urls.base import reverse
+from django.utils.timezone import now
 from rest_framework.test import APITestCase

 from authentik.brands.models import Brand
@@ -127,13 +128,62 @@ class TestUsersAPI(APITestCase):
        )
        self.assertEqual(response.status_code, 200)

+    def test_recovery_duration(self):
+        """Test user recovery token duration"""
+        Token.objects.all().delete()
+        flow = create_test_flow(
+            FlowDesignation.RECOVERY,
+            authentication=FlowAuthenticationRequirement.REQUIRE_UNAUTHENTICATED,
+        )
+        brand: Brand = create_test_brand()
+        brand.flow_recovery = flow
+        brand.save()
+        self.client.force_login(self.admin)
+        response = self.client.post(
+            reverse("authentik_api:user-recovery", kwargs={"pk": self.user.pk}),
+            data={"token_duration": "days=33"},
+        )
+        self.assertEqual(response.status_code, 200)
+        expires = Token.objects.first().expires
+        expected_expires = now() + timedelta(days=33)
+        self.assertTrue(timedelta(minutes=-1) < expected_expires - expires < timedelta(minutes=1))
+
+    def test_recovery_duration_update(self):
+        """Test user recovery token duration update"""
+        Token.objects.all().delete()
+        flow = create_test_flow(
+            FlowDesignation.RECOVERY,
+            authentication=FlowAuthenticationRequirement.REQUIRE_UNAUTHENTICATED,
+        )
+        brand: Brand = create_test_brand()
+        brand.flow_recovery = flow
+        brand.save()
+        self.client.force_login(self.admin)
+        response = self.client.post(
+            reverse("authentik_api:user-recovery", kwargs={"pk": self.user.pk}),
+            data={"token_duration": "days=33"},
+        )
+        self.assertEqual(response.status_code, 200)
+        expires = Token.objects.first().expires
+        expected_expires = now() + timedelta(days=33)
+        self.assertTrue(timedelta(minutes=-1) < expected_expires - expires < timedelta(minutes=1))
+        response = self.client.post(
+            reverse("authentik_api:user-recovery", kwargs={"pk": self.user.pk}),
+            data={"token_duration": "days=66"},
+        )
+        expires = Token.objects.first().expires
+        expected_expires = now() + timedelta(days=66)
+        self.assertTrue(timedelta(minutes=-1) < expected_expires - expires < timedelta(minutes=1))
+
    def test_recovery_email_no_flow(self):
        """Test user recovery link (no recovery flow set)"""
        self.client.force_login(self.admin)
        self.user.email = ""
        self.user.save()
+        stage = EmailStage.objects.create(name="email")
        response = self.client.post(
-            reverse("authentik_api:user-recovery-email", kwargs={"pk": self.user.pk})
+            reverse("authentik_api:user-recovery-email", kwargs={"pk": self.user.pk}),
+            data={"email_stage": stage.pk},
        )
        self.assertEqual(response.status_code, 400)
        self.assertJSONEqual(
@@ -142,7 +192,8 @@ class TestUsersAPI(APITestCase):
        self.user.email = "foo@bar.baz"
        self.user.save()
        response = self.client.post(
-            reverse("authentik_api:user-recovery-email", kwargs={"pk": self.user.pk})
+            reverse("authentik_api:user-recovery-email", kwargs={"pk": self.user.pk}),
+            data={"email_stage": stage.pk},
        )
        self.assertEqual(response.status_code, 400)
        self.assertJSONEqual(response.content, {"non_field_errors": "No recovery flow set."})
@@ -160,7 +211,7 @@ class TestUsersAPI(APITestCase):
            reverse("authentik_api:user-recovery-email", kwargs={"pk": self.user.pk})
        )
        self.assertEqual(response.status_code, 400)
-        self.assertJSONEqual(response.content, {"non_field_errors": "Email stage does not exist."})
+        self.assertJSONEqual(response.content, {"email_stage": ["This field is required."]})

    def test_recovery_email(self):
        """Test user recovery link"""
@@ -178,8 +229,8 @@ class TestUsersAPI(APITestCase):
            reverse(
                "authentik_api:user-recovery-email",
                kwargs={"pk": self.user.pk},
-            )
-            + f"?email_stage={stage.pk}"
+            ),
+            data={"email_stage": stage.pk},
        )
        self.assertEqual(response.status_code, 204)

--- a/authentik/crypto/builder.py
+++ b/authentik/crypto/builder.py
@@ -7,6 +7,8 @@ from cryptography import x509
 from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives import hashes, serialization
 from cryptography.hazmat.primitives.asymmetric import ec, rsa
+from cryptography.hazmat.primitives.asymmetric.ed448 import Ed448PrivateKey
+from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey
 from cryptography.hazmat.primitives.asymmetric.types import PrivateKeyTypes
 from cryptography.x509.oid import NameOID
 from django.db import models
@@ -21,6 +23,8 @@ class PrivateKeyAlg(models.TextChoices):

    RSA = "rsa", _("rsa")
    ECDSA = "ecdsa", _("ecdsa")
+    ED25519 = "ed25519", _("Ed25519")
+    ED448 = "ed448", _("Ed448")


 class CertificateBuilder:
@@ -56,6 +60,10 @@ class CertificateBuilder:
            return rsa.generate_private_key(
                public_exponent=65537, key_size=4096, backend=default_backend()
            )
+        if self.alg == PrivateKeyAlg.ED25519:
+            return Ed25519PrivateKey.generate()
+        if self.alg == PrivateKeyAlg.ED448:
+            return Ed448PrivateKey.generate()
        raise ValueError(f"Invalid alg: {self.alg}")

    def build(
@@ -98,18 +106,25 @@ class CertificateBuilder:
            self.__builder = self.__builder.add_extension(
                x509.SubjectAlternativeName(alt_names), critical=True
            )
+        algo = hashes.SHA256()
+        # EdDSA doesn't take a hash algorithm
+        if isinstance(self.__private_key, (Ed25519PrivateKey | Ed448PrivateKey)):
+            algo = None
        self.__certificate = self.__builder.sign(
            private_key=self.__private_key,
-            algorithm=hashes.SHA256(),
+            algorithm=algo,
            backend=default_backend(),
        )

    @property
    def private_key(self):
        """Return private key in PEM format"""
+        format = serialization.PrivateFormat.TraditionalOpenSSL
+        if isinstance(self.__private_key, (Ed25519PrivateKey | Ed448PrivateKey)):
+            format = serialization.PrivateFormat.PKCS8
        return self.__private_key.private_bytes(
            encoding=serialization.Encoding.PEM,
-            format=serialization.PrivateFormat.TraditionalOpenSSL,
+            format=format,
            encryption_algorithm=serialization.NoEncryption(),
        ).decode("utf-8")

--- a/authentik/crypto/migrations/0006_certificatekeypair_cert_expiry_and_more.py
+++ b/authentik/crypto/migrations/0006_certificatekeypair_cert_expiry_and_more.py
@@ -41,7 +41,7 @@ def backfill_certificate_metadata(apps, schema_editor):  # noqa: ARG001
                        "fingerprint_sha1",
                    ]
                )
-            except (ValueError, TypeError, AttributeError):
+            except ValueError, TypeError, AttributeError:
                pass

        # Backfill kid with MD5 for backwards compatibility
--- a/authentik/crypto/models.py
+++ b/authentik/crypto/models.py
@@ -78,7 +78,7 @@ def generate_key_id_legacy(key_data: str) -> str:
    """Generate Key ID using MD5 (legacy format for backwards compatibility)."""
    if not key_data:
        return ""
-    return md5(key_data.encode("utf-8")).hexdigest()  # nosec
+    return md5(key_data.encode("utf-8"), usedforsecurity=False).hexdigest()  # nosec


 class CertificateKeyPair(SerializerModel, ManagedModel, CreatedUpdatedModel):
--- a/authentik/crypto/tests.py
+++ b/authentik/crypto/tests.py
@@ -196,8 +196,10 @@ class TestCrypto(APITestCase):
        """Test certificate export (download)"""
        keypair = create_test_cert()
        user = create_test_user()
-        user.assign_perms_to_managed_role("view_certificatekeypair", keypair)
-        user.assign_perms_to_managed_role("view_certificatekeypair_certificate", keypair)
+        user.assign_perms_to_managed_role("authentik_crypto.view_certificatekeypair", keypair)
+        user.assign_perms_to_managed_role(
+            "authentik_crypto.view_certificatekeypair_certificate", keypair
+        )
        self.client.force_login(user)
        response = self.client.get(
            reverse(
@@ -220,8 +222,8 @@ class TestCrypto(APITestCase):
        """Test private_key export (download)"""
        keypair = create_test_cert()
        user = create_test_user()
-        user.assign_perms_to_managed_role("view_certificatekeypair", keypair)
-        user.assign_perms_to_managed_role("view_certificatekeypair_key", keypair)
+        user.assign_perms_to_managed_role("authentik_crypto.view_certificatekeypair", keypair)
+        user.assign_perms_to_managed_role("authentik_crypto.view_certificatekeypair_key", keypair)
        self.client.force_login(user)
        response = self.client.get(
            reverse(
--- a/authentik/endpoints/api/device_access_group.py
+++ b/authentik/endpoints/api/device_access_group.py
@@ -12,6 +12,7 @@ class DeviceAccessGroupSerializer(ModelSerializer):
        fields = [
            "pbm_uuid",
            "name",
+            "attributes",
        ]


--- a/authentik/endpoints/api/device_connections.py
+++ b/authentik/endpoints/api/device_connections.py
@@ -3,7 +3,7 @@ from rest_framework.fields import SerializerMethodField
 from authentik.core.api.utils import ModelSerializer
 from authentik.endpoints.api.connectors import ConnectorSerializer
 from authentik.endpoints.api.device_fact_snapshots import DeviceFactSnapshotSerializer
-from authentik.endpoints.models import DeviceConnection
+from authentik.endpoints.models import Connector, DeviceConnection, DeviceFactSnapshot


 class DeviceConnectionSerializer(ModelSerializer):
@@ -12,10 +12,19 @@ class DeviceConnectionSerializer(ModelSerializer):
    latest_snapshot = SerializerMethodField(allow_null=True)

    def get_latest_snapshot(self, instance: DeviceConnection) -> DeviceFactSnapshotSerializer:
-        snapshot = instance.devicefactsnapshot_set.order_by("-created").first()
+        snapshot: DeviceFactSnapshot | None = instance.devicefactsnapshot_set.order_by(
+            "-created"
+        ).first()
        if not snapshot:
            return None
-        return DeviceFactSnapshotSerializer(snapshot).data
+        connector: Connector = Connector.objects.get_subclass(pk=snapshot.connection.connector_id)
+        vendor = connector.controller.vendor_identifier()
+        return DeviceFactSnapshotSerializer(
+            snapshot,
+            context={
+                "vendor": vendor,
+            },
+        ).data

    class Meta:
        model = DeviceConnection
--- a/authentik/endpoints/api/device_fact_snapshots.py
+++ b/authentik/endpoints/api/device_fact_snapshots.py
@@ -1,11 +1,32 @@
+from enum import StrEnum
+
+from rest_framework.fields import SerializerMethodField
+
 from authentik.core.api.utils import ModelSerializer
+from authentik.endpoints.controller import MERGED_VENDOR
 from authentik.endpoints.facts import DeviceFacts
-from authentik.endpoints.models import DeviceFactSnapshot
+from authentik.endpoints.models import Connector, DeviceFactSnapshot
+from authentik.lib.utils.reflection import all_subclasses
+
+
+def get_vendor_choices():
+    choices = [(MERGED_VENDOR, MERGED_VENDOR)]
+    for connector_type in all_subclasses(Connector):
+        ident = connector_type().controller.vendor_identifier()
+        choices.append((ident, ident))
+    return choices
+
+
+vendors = StrEnum("DeviceConnectorVendors", get_vendor_choices())


 class DeviceFactSnapshotSerializer(ModelSerializer):

    data = DeviceFacts()
+    vendor = SerializerMethodField()
+
+    def get_vendor(self, instance: DeviceFactSnapshot) -> vendors:
+        return self.context.get("vendor", MERGED_VENDOR)

    class Meta:
        model = DeviceFactSnapshot
@@ -14,6 +35,7 @@ class DeviceFactSnapshotSerializer(ModelSerializer):
            "connection",
            "created",
            "expires",
+            "vendor",
        ]
        extra_kwargs = {
            "created": {"read_only": True},
--- a/authentik/endpoints/api/stages.py
+++ b/authentik/endpoints/api/stages.py
@@ -1,17 +1,26 @@
+from django.utils.translation import gettext_lazy as _
+from rest_framework.exceptions import ValidationError
 from rest_framework.viewsets import ModelViewSet

 from authentik.core.api.used_by import UsedByMixin
 from authentik.endpoints.api.connectors import ConnectorSerializer
-from authentik.endpoints.models import EndpointStage
-from authentik.enterprise.api import EnterpriseRequiredMixin
+from authentik.endpoints.controller import Capabilities
+from authentik.endpoints.models import Connector, EndpointStage
 from authentik.flows.api.stages import StageSerializer


-class EndpointStageSerializer(EnterpriseRequiredMixin, StageSerializer):
+class EndpointStageSerializer(StageSerializer):
    """EndpointStage Serializer"""

    connector_obj = ConnectorSerializer(source="connector", read_only=True)

+    def validate_connector(self, connector: Connector) -> Connector:
+        conn: Connector = Connector.objects.get_subclass(pk=connector.pk)
+        controller = conn.controller(conn)
+        if Capabilities.STAGE_ENDPOINTS not in controller.capabilities():
+            raise ValidationError(_("Selected connector is not compatible with this stage."))
+        return connector
+
    class Meta:
        model = EndpointStage
        fields = StageSerializer.Meta.fields + [
--- a/authentik/endpoints/connectors/agent/api/agent.py
+++ b/authentik/endpoints/connectors/agent/api/agent.py
@@ -62,7 +62,7 @@ class AgentConfigSerializer(PassiveSerializer):
    def get_system_config(self, instance: AgentConnector) -> ConfigSerializer:
        return ConfigView.get_config(self.context["request"]).data

-    def get_license_status(self, instance: AgentConnector) -> "LicenseUsageStatus":
+    def get_license_status(self, instance: AgentConnector) -> LicenseUsageStatus:
        try:
            from authentik.enterprise.license import LicenseKey

--- a/authentik/endpoints/connectors/agent/api/enrollment_tokens.py
+++ b/authentik/endpoints/connectors/agent/api/enrollment_tokens.py
@@ -18,7 +18,10 @@ from authentik.rbac.decorators import permission_required
 class EnrollmentTokenSerializer(ModelSerializer):

    device_group_obj = DeviceAccessGroupSerializer(
-        source="device_group", read_only=True, required=False
+        source="device_group",
+        read_only=True,
+        required=False,
+        allow_null=True,
    )

    def __init__(self, *args, **kwargs) -> None:
--- a/authentik/endpoints/connectors/agent/auth.py
+++ b/authentik/endpoints/connectors/agent/auth.py
@@ -37,6 +37,8 @@ class AgentEnrollmentAuth(BaseAuthentication):
        token = EnrollmentToken.filter_not_expired(key=key).first()
        if not token:
            raise PermissionDenied()
+        if not token.connector.enabled:
+            raise PermissionDenied()
        CTX_AUTH_VIA.set("endpoint_token_enrollment")
        return (DeviceUser(), token)

@@ -51,6 +53,8 @@ class AgentAuth(BaseAuthentication):
        device_token = DeviceToken.filter_not_expired(key=key).first()
        if not device_token:
            raise PermissionDenied()
+        if not device_token.device.connector.enabled:
+            raise PermissionDenied()
        if device_token.device.device.is_expired:
            raise PermissionDenied()
        CTX_AUTH_VIA.set("endpoint_token")
--- a/Show More
+++ b/Show More