Flesh out auto-categories.

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

.github/ISSUE_TEMPLATE/1-bug-report.yml

@@ -0,0 +1,81 @@
+name: Bug report
+description: Create a report to help us improve
+labels: ["bug", "triage"]
+type: bug
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thank you for taking the time to fill out this bug report!
+  - type: textarea
+    id: describe-the-bug
+    attributes:
+      label: Describe the bug
+      description: "A clear and concise description of what the bug is."
+      placeholder: "Describe the issue"
+    validations:
+      required: true
+  - type: textarea
+    id: how-to-reproduce
+    attributes:
+      label: How to reproduce
+      description: "Steps to reproduce the behavior."
+      placeholder: |
+        1. Go to '...'
+        2. Click on '....'
+        3. Scroll down to '....'
+        4. See error
+    validations:
+      required: true
+  - type: textarea
+    id: expected-behavior
+    attributes:
+      label: Expected behavior
+      description: "A clear and concise description of what you expected to happen."
+      placeholder: "The behavior that I expect to see is [...]"
+    validations:
+      required: true
+  - type: textarea
+    id: screenshots
+    attributes:
+      label: Screenshots
+      description: "If applicable, add screenshots to help explain your problem."
+    validations:
+      required: false
+  - type: textarea
+    id: additional-context
+    attributes:
+      label: Additional context
+      description: "Add any other context about the problem here."
+      placeholder: "Also note that [...]"
+    validations:
+      required: false
+  - type: dropdown
+    id: deployment-method
+    attributes:
+      label: Deployment Method
+      description: "What deployment method are you using for authentik? Only Docker, Kubernetes and AWS CloudFormation are supported."
+      options:
+        - Docker
+        - Kubernetes
+        - AWS CloudFormation
+        - Other (please specify)
+      default: 0
+    validations:
+      required: true
+  - type: input
+    id: version
+    attributes:
+      label: Version
+      description: "What version of authentik are you using?"
+      placeholder: "[e.g. 2025.10.1]"
+    validations:
+      required: true
+  - type: textarea
+    id: logs
+    attributes:
+      label: Relevant log output
+      description: "Please copy and paste any relevant log output. This will be automatically formatted into code, so no need for backticks."
+      render: shell
+    validations:
+      required: false

.github/ISSUE_TEMPLATE/2-docs-issue.yml

@@ -0,0 +1,49 @@
+name: Documentation suggestion/problem
+description: Suggest an improvement or report a problem in our docs
+labels: ["area: docs", "triage"]
+type: task
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thank you for taking the time to fill out this documentation issue!
+  - type: markdown
+    attributes:
+      value: |
+
+        **Consider opening a PR!**
+        If the issue is one that you can fix, or even make a good pass at, we'd appreciate a PR.
+
+        For more information about making a contribution to the docs, and using our Style Guide and our templates, refer to ["Writing documentation"](https://docs.goauthentik.io/docs/developer-docs/docs/writing-documentation).
+  - type: textarea
+    id: issue
+    attributes:
+      label: Do you see an area that can be clarified or expanded, a technical inaccuracy, or a broken link?
+      description: "A clear and concise description of what the problem is, or where the document can be improved."
+      placeholder: "I believe we need more details about [...]"
+    validations:
+      required: true
+  - type: input
+    id: link
+    attributes:
+      label: Link
+      description: "Provide the URL or link to the exact page in the documentation to which you are referring."
+      placeholder: "If there are multiple pages, list them all"
+    validations:
+      required: true
+  - type: textarea
+    id: solution
+    attributes:
+      label: Solution
+      description: "A clear and concise description of what you suggest as a solution"
+      placeholder: "This issue could be resolved by [...]"
+    validations:
+      required: true
+  - type: textarea
+    id: additional-context
+    attributes:
+      label: Additional context
+      description: "Add any other context or screenshots about the documentation issue here."
+      placeholder: "Also note that [...]"
+    validations:
+      required: false

.github/ISSUE_TEMPLATE/3-feature-request.yml

@@ -0,0 +1,41 @@
+name: Feature request
+description: Suggest an idea for a feature
+labels: ["enhancement", "triage"]
+type: feature
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thank you for taking the time to fill out this feature request!
+  - type: textarea
+    id: related-to-problem
+    attributes:
+      label: Is your feature request related to a problem?
+      description: "A clear and concise description of what the problem is."
+      placeholder: "I'm always frustrated when [...]"
+    validations:
+      required: true
+  - type: textarea
+    id: feature
+    attributes:
+      label: Describe the solution you'd like
+      description: A clear and concise description of what you want to happen.
+      placeholder: "I'd like authentik to have [...]"
+    validations:
+      required: false
+  - type: textarea
+    id: alternatives
+    attributes:
+      label: Describe alternatives that you've considered
+      description: "A clear and concise description of any alternative solutions or features you've considered."
+      placeholder: "I've tried this but [...]"
+    validations:
+      required: true
+  - type: textarea
+    id: additional-context
+    attributes:
+      label: Additional context
+      description: "Add any other context or screenshots about the feature request here."
+      placeholder: "Also note that [...]"
+    validations:
+      required: false

.github/ISSUE_TEMPLATE/bug_report.md

@@ -1,39 +0,0 @@
----
-name: Bug report
-about: Create a report to help us improve
-title: ""
-labels: bug
-assignees: ""
----
-
-**Describe the bug**
-A clear and concise description of what the bug is.
-
-**To Reproduce**
-Steps to reproduce the behavior:
-
-1. Go to '...'
-2. Click on '....'
-3. Scroll down to '....'
-4. See error
-
-**Expected behavior**
-A clear and concise description of what you expected to happen.
-
-**Screenshots**
-If applicable, add screenshots to help explain your problem.
-
-**Logs**
-Output of docker-compose logs or kubectl logs respectively
-
-**Version and Deployment (please complete the following information):**
-
-<!--
-Notice: authentik supports installation via Docker, Kubernetes, and AWS CloudFormation only. Support is not available for other methods. For detailed installation and configuration instructions, please refer to the official documentation at https://docs.goauthentik.io/docs/install-config/.
--->
-
--   authentik version: [e.g. 2025.2.0]
--   Deployment: [e.g. docker-compose, helm]
-
-**Additional context**
-Add any other context about the problem here.

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,8 @@
+blank_issues_enabled: false
+contact_links:
+  - name: Question
+    url: https://github.com/goauthentik/authentik/discussions
+    about: Please ask questions via GitHub Discussions rather than creating issues.
+  - name: authentik Discord
+    url: https://discord.com/invite/jg33eMhnj6
+    about: For community support, visit our Discord server.

.github/ISSUE_TEMPLATE/docs_issue.md

@@ -1,22 +0,0 @@
----
-name: Documentation issue
-about: Suggest an improvement or report a problem
-title: ""
-labels: documentation
-assignees: ""
----
-
-**Do you see an area that can be clarified or expanded, a technical inaccuracy, or a broken link? Please describe.**
-A clear and concise description of what the problem is, or where the document can be improved. Ex. I believe we need more details about [...]
-
-**Provide the URL or link to the exact page in the documentation to which you are referring.**
-If there are multiple pages, list them all, and be sure to state the header or section where the content is.
-
-**Describe the solution you'd like**
-A clear and concise description of what you want to happen.
-
-**Additional context**
-Add any other context or screenshots about the documentation issue here.
-
-**Consider opening a PR!**
-If the issue is one that you can fix, or even make a good pass at, we'd appreciate a PR. For more information about making a contribution to the docs, and using our Style Guide and our templates, refer to ["Writing documentation"](https://docs.goauthentik.io/docs/developer-docs/docs/writing-documentation).

.github/ISSUE_TEMPLATE/feature_request.md

@@ -1,19 +0,0 @@
----
-name: Feature request
-about: Suggest an idea for this project
-title: ""
-labels: enhancement
-assignees: ""
----
-
-**Is your feature request related to a problem? Please describe.**
-A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
-
-**Describe the solution you'd like**
-A clear and concise description of what you want to happen.
-
-**Describe alternatives you've considered**
-A clear and concise description of any alternative solutions or features you've considered.
-
-**Additional context**
-Add any other context or screenshots about the feature request here.

.github/ISSUE_TEMPLATE/hackathon_idea.md

@@ -1,17 +0,0 @@
----
-name: Hackathon Idea
-about: Propose an idea for the hackathon
-title: ""
-labels: hackathon
-assignees: ""
----
-
-**Describe the idea**
-
-A clear concise description of the idea you want to implement
-
-You're also free to work on existing GitHub issues, whether they be feature requests or bugs, just link the existing GitHub issue here.
-
-<!-- Don't modify below here -->
-
-If you want to help working on this idea or want to contribute in any other way, react to this issue with a :rocket:

.github/ISSUE_TEMPLATE/issue_template.md

@@ -0,0 +1,7 @@
+---
+name: Blank issue
+about: This issue type is only for internal use
+title:
+labels:
+assignees:
+---

.github/ISSUE_TEMPLATE/question.md

@@ -1,32 +0,0 @@
----
-name: Question
-about: Ask a question about a feature or specific configuration
-title: ""
-labels: question
-assignees: ""
----
-
-**Describe your question/**
-A clear and concise description of what you're trying to do.
-
-**Relevant info**
-i.e. Version of other software you're using, specifics of your setup
-
-**Screenshots**
-If applicable, add screenshots to help explain your problem.
-
-**Logs**
-Output of docker-compose logs or kubectl logs respectively
-
-**Version and Deployment (please complete the following information):**
-
-<!--
-Notice: authentik supports installation via Docker, Kubernetes, and AWS CloudFormation only. Support is not available for other methods. For detailed installation and configuration instructions, please refer to the official documentation at https://docs.goauthentik.io/docs/install-config/.
--->
-
-
--   authentik version: [e.g. 2025.2.0]
--   Deployment: [e.g. docker-compose, helm]
-
-**Additional context**
-Add any other context about the problem here.

.github/actions/cherry-pick/action.yml

@@ -179,7 +179,7 @@ runs:
             fi
 
             # Create a unique branch name for the cherry-pick
-            CHERRY_PICK_BRANCH="cherry-pick-${PR_NUMBER}-to-${TARGET_BRANCH}"
+            CHERRY_PICK_BRANCH="cherry-pick/${PR_NUMBER}-to-${TARGET_BRANCH}"
 
             # Check if a cherry-pick PR already exists
             EXISTING_PR=$(gh pr list --head "$CHERRY_PICK_BRANCH" --json number --jq '.[0].number' 2>/dev/null || echo "")
@@ -201,7 +201,7 @@ runs:
               git push origin "$CHERRY_PICK_BRANCH"
 
               # Create PR for the cherry-pick
-              CHERRY_PICK_TITLE="$PR_TITLE (cherry-pick #$PR_NUMBER)"
+              CHERRY_PICK_TITLE="$PR_TITLE (cherry-pick #$PR_NUMBER to $TARGET_BRANCH)"
               CHERRY_PICK_BODY="Cherry-pick of #$PR_NUMBER to \`$TARGET_BRANCH\` branch.
 
         **Original PR:** #$PR_NUMBER
@@ -236,7 +236,7 @@ runs:
               git push origin "$CHERRY_PICK_BRANCH"
 
               # Create PR with conflict notice
-              CONFLICT_TITLE="$PR_TITLE (backport of #$PR_NUMBER)"
+              CONFLICT_TITLE="$PR_TITLE (cherry-pick #$PR_NUMBER to $TARGET_BRANCH)"
               CONFLICT_BODY="⚠️ **This cherry-pick has conflicts that require manual resolution.**
 
         Cherry-pick of #$PR_NUMBER to \`$TARGET_BRANCH\` branch.

.github/actions/comment-pr-instructions/action.yml

@@ -10,14 +10,14 @@ runs:
   using: "composite"
   steps:
     - name: Find Comment
-      uses: peter-evans/find-comment@v2
+      uses: peter-evans/find-comment@b30e6a3c0ed37e7c023ccd3f1db5c6c0b0c23aad # v2
       id: fc
       with:
         issue-number: ${{ github.event.pull_request.number }}
         comment-author: "github-actions[bot]"
         body-includes: authentik PR Installation instructions
     - name: Create or update comment
-      uses: peter-evans/create-or-update-comment@v2
+      uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v2
       with:
         comment-id: ${{ steps.fc.outputs.comment-id }}
         issue-number: ${{ github.event.pull_request.number }}

.github/actions/setup/action.yml

@@ -8,9 +8,6 @@ inputs:
   postgresql_version:
     description: "Optional postgresql image tag"
     default: "16"
-  profiles:
-    description: "Extra profiles of supporting services to start"
-    default: ""
 
 runs:
   using: "composite"
@@ -24,12 +21,12 @@ runs:
         sudo apt-get install --no-install-recommends -y libpq-dev openssl libxmlsec1-dev pkg-config gettext libkrb5-dev krb5-kdc krb5-user krb5-admin-server
     - name: Install uv
       if: ${{ contains(inputs.dependencies, 'python') }}
-      uses: astral-sh/setup-uv@v5
+      uses: astral-sh/setup-uv@5a7eac68fb9809dea845d802897dc5c723910fa3 # v5
       with:
         enable-cache: true
     - name: Setup python
       if: ${{ contains(inputs.dependencies, 'python') }}
-      uses: actions/setup-python@v5
+      uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v5
       with:
         python-version-file: "pyproject.toml"
     - name: Install Python deps
@@ -38,14 +35,15 @@ runs:
       run: uv sync --all-extras --dev --frozen
     - name: Setup node
       if: ${{ contains(inputs.dependencies, 'node') }}
-      uses: actions/setup-node@v4
+      uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v4
       with:
         node-version-file: web/package.json
         cache: "npm"
         cache-dependency-path: web/package-lock.json
+        registry-url: 'https://registry.npmjs.org'
     - name: Setup go
       if: ${{ contains(inputs.dependencies, 'go') }}
-      uses: actions/setup-go@v5
+      uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v5
       with:
         go-version-file: "go.mod"
     - name: Setup docker cache
@@ -58,13 +56,21 @@ runs:
       shell: bash
       run: |
         export PSQL_TAG=${{ inputs.postgresql_version }}
-        export COMPOSE_PROFILES=${{ inputs.profiles }}
         docker compose -f .github/actions/setup/docker-compose.yml up -d
-        cd web && npm ci
+        cd web && npm i
     - name: Generate config
       if: ${{ contains(inputs.dependencies, 'python') }}
-      shell: bash
-      env:
-        PROFILES: ${{ inputs.profiles }}
+      shell: uv run python {0}
       run: |
-        uv run python3 ${{ github.action_path }}/ci_config.py
+        from authentik.lib.generators import generate_id
+        from yaml import safe_dump
+
+        with open("local.env.yml", "w") as _config:
+            safe_dump(
+                {
+                    "log_level": "debug",
+                    "secret_key": generate_id(),
+                },
+                _config,
+                default_flow_style=False,
+            )

.github/actions/setup/ci_config.py

@@ -1,18 +0,0 @@
-from os import getenv
-from typing import Any
-
-from yaml import safe_dump
-
-from authentik.lib.generators import generate_id
-
-config: dict[str, Any] = {
-    "log_level": "debug",
-    "secret_key": generate_id(),
-}
-
-profiles = getenv("PROFILES")
-if profiles and "postgres_replica" in profiles:
-    config["postgresql"] = {"read_replicas": {"0": {"host": "localhost", "port": 5433}}}
-
-with open("local.env.yml", "w") as _config:
-    safe_dump(config, _config, default_flow_style=False)

.github/actions/setup/docker-compose.yml

@@ -1,17 +1,9 @@
 services:
-  redis:
-    image: docker.io/library/redis:7
-    ports:
-      - 6379:6379
-    restart: always
-
-  postgres:
+  postgresql:
     image: docker.io/library/postgres:${PSQL_TAG:-16}
     volumes:
       - db-data:/var/lib/postgresql/data
-      - ./primary/00-replication.sql:/docker-entrypoint-initdb.d/00-replication.sql
-      - ./primary/01-replication-hba.sh:/docker-entrypoint-initdb.d/01-replication-hba.sh
-    command: postgres -c 'wal_level=replica' -c 'max_wal_senders=10' -c 'max_replication_slots=10' -c 'listen_addresses=*'
+    command: "-c log_statement=all"
     environment:
       POSTGRES_USER: authentik
       POSTGRES_PASSWORD: "EK-5jnKfjrGRm<77"
@@ -19,34 +11,12 @@ services:
     ports:
       - 5432:5432
     restart: always
-    healthcheck:
-      test: ["CMD-SHELL", "pg_isready -U $${POSTGRES_USER}"]
-      interval: 5s
-      timeout: 5s
-      retries: 5
-
-  postgres_replica:
-    profiles:
-      - postgres_replica
-    image: docker.io/library/postgres:${PSQL_TAG:-16}
-    environment:
-      POSTGRES_USER: authentik
-      POSTGRES_PASSWORD: "EK-5jnKfjrGRm<77"
-      POSTGRES_DB: authentik
+  redis:
+    image: docker.io/library/redis:7
     ports:
-      - "5433:5432"
-    volumes:
-      - db-data-replica:/var/lib/postgresql/data
-      - ./replica:/replica
-    command: /replica/start.sh
-    healthcheck:
-      test: ["CMD-SHELL", "pg_isready -U $${POSTGRES_USER}"]
-      interval: 5s
-      timeout: 5s
-      retries: 5
+      - 6379:6379
+    restart: always
 
 volumes:
   db-data:
     driver: local
-  db-data-replica:
-    driver: local

.github/actions/setup/primary/00-replication.sql

@@ -1,9 +0,0 @@
--- Create replication role if it doesn't exist
-DO $$ BEGIN
-    IF NOT EXISTS (SELECT FROM pg_catalog.pg_roles WHERE rolname = 'replica') THEN
-        CREATE ROLE replica WITH REPLICATION LOGIN PASSWORD 'EK-5jnKfjrGRm<77';
-    END IF;
-END $$;
-
--- Create replication slot if it doesn't exist
-SELECT pg_create_physical_replication_slot('replica_slot', true);

.github/actions/setup/primary/01-replication-hba.sh

@@ -1,3 +0,0 @@
-#!/bin/bash
-set -euxo pipefail
-echo "host replication all all scram-sha-256" >> /var/lib/postgresql/data/pg_hba.conf

.github/actions/setup/replica/start.sh

@@ -1,9 +0,0 @@
-#!/bin/bash
-set -euxo pipefail
-echo 'Waiting for primary to be ready...'
-while ! pg_isready -h postgres -p 5432 -U replica; do sleep 1; done;
-echo 'Primary is ready, starting replica...'
-rm -rf /var/lib/postgresql/data/* 2>/dev/null || true
-PGPASSWORD=${POSTGRES_PASSWORD} pg_basebackup -h postgres -U replica -D /var/lib/postgresql/data -Fp -Xs -R -P
-echo 'Replication setup complete, starting PostgreSQL...'
-docker-entrypoint.sh postgres

.github/actions/test-results/action.yml

@@ -0,0 +1,28 @@
+name: "Process test results"
+description: Convert test results to JUnit, add them to GitHub Actions and codecov
+
+inputs:
+  flags:
+    description: Codecov flags
+
+runs:
+  using: "composite"
+  steps:
+    - uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5
+      with:
+        flags: ${{ inputs.flags }}
+        use_oidc: true
+    - uses: codecov/test-results-action@47f89e9acb64b76debcd5ea40642d25a4adced9f # v1
+      with:
+        flags: ${{ inputs.flags }}
+        file: unittest.xml
+        use_oidc: true
+    - name: PostgreSQL Logs
+      shell: bash
+      run: |
+        if [[ $ACTIONS_RUNNER_DEBUG == 'true' || $ACTIONS_STEP_DEBUG == 'true' ]]; then
+          docker stop setup-postgresql-1
+          echo "::group::PostgreSQL Logs"
+          docker logs setup-postgresql-1
+          echo "::endgroup::"
+        fi

.github/dependabot.yml

@@ -1,7 +1,15 @@
 version: 2
 updates:
   - package-ecosystem: "github-actions"
-    directory: "/"
+    directories:
+      - /
+      # Required to update composite actions
+      # https://github.com/dependabot/dependabot-core/issues/6704
+      - /.github/actions/cherry-pick
+      - /.github/actions/setup
+      - /.github/actions/docker-push-variables
+      - /.github/actions/comment-pr-instructions
+      - /.github/actions/test-results
     schedule:
       interval: daily
       time: "04:00"
@@ -134,7 +142,9 @@ updates:
     labels:
       - dependencies
   - package-ecosystem: docker
-    directory: "/"
+    directories:
+      - /
+      - /website
     schedule:
       interval: daily
       time: "04:00"
@@ -146,6 +156,7 @@ updates:
   - package-ecosystem: docker-compose
     directories:
       # - /scripts # Maybe
+      - /scripts/api
       - /tests/e2e
     schedule:
       interval: daily

.github/workflows/_reusable-docker-build-single.yml

@@ -42,9 +42,9 @@ jobs:
       # Needed for checkout
       contents: read
     steps:
-      - uses: actions/checkout@v5
-      - uses: docker/setup-qemu-action@v3.6.0
-      - uses: docker/setup-buildx-action@v3
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+      - uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
+      - uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3
       - name: prepare variables
         uses: ./.github/actions/docker-push-variables
         id: ev
@@ -56,13 +56,13 @@ jobs:
           release: ${{ inputs.release }}
       - name: Login to Docker Hub
         if: ${{ inputs.registry_dockerhub }}
-        uses: docker/login-action@v3
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3
         with:
           username: ${{ secrets.DOCKER_CORP_USERNAME }}
           password: ${{ secrets.DOCKER_CORP_PASSWORD }}
       - name: Login to GitHub Container Registry
         if: ${{ inputs.registry_ghcr }}
-        uses: docker/login-action@v3
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
@@ -72,11 +72,18 @@ jobs:
         run: |
           mkdir -p ./gen-ts-api
           mkdir -p ./gen-go-api
+      - name: Setup node
+        if: ${{ !inputs.release }}
+        uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v5
+        with:
+          node-version-file: web/package.json
+          cache: "npm"
+          cache-dependency-path: web/package-lock.json
       - name: generate ts client
         if: ${{ !inputs.release }}
         run: make gen-client-ts
       - name: Build Docker Image
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6
         id: push
         with:
           context: .
@@ -90,7 +97,7 @@ jobs:
           platforms: linux/${{ inputs.image_arch }}
           cache-from: type=registry,ref=${{ steps.ev.outputs.attestImageNames }}:buildcache-${{ inputs.image_arch }}
           cache-to: ${{ steps.ev.outputs.cacheTo }}
-      - uses: actions/attest-build-provenance@v3
+      - uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3
         id: attest
         if: ${{ steps.ev.outputs.shouldPush == 'true' }}
         with:

.github/workflows/_reusable-docker-build.yml

@@ -49,7 +49,7 @@ jobs:
       tags: ${{ steps.ev.outputs.imageTagsJSON }}
       shouldPush: ${{ steps.ev.outputs.shouldPush }}
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
       - name: prepare variables
         uses: ./.github/actions/docker-push-variables
         id: ev
@@ -69,7 +69,7 @@ jobs:
       matrix:
         tag: ${{ fromJson(needs.get-tags.outputs.tags) }}
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
       - name: prepare variables
         uses: ./.github/actions/docker-push-variables
         id: ev
@@ -79,25 +79,25 @@ jobs:
           image-name: ${{ inputs.image_name }}
       - name: Login to Docker Hub
         if: ${{ inputs.registry_dockerhub }}
-        uses: docker/login-action@v3
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3
         with:
           username: ${{ secrets.DOCKER_CORP_USERNAME }}
           password: ${{ secrets.DOCKER_CORP_PASSWORD }}
       - name: Login to GitHub Container Registry
         if: ${{ inputs.registry_ghcr }}
-        uses: docker/login-action@v3
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
-      - uses: int128/docker-manifest-create-action@v2
+      - uses: int128/docker-manifest-create-action@b60433fd4312d7a64a56d769b76ebe3f45cf36b4 # v2
         id: build
         with:
           tags: ${{ matrix.tag }}
           sources: |
             ${{ steps.ev.outputs.attestImageNames }}@${{ needs.build-server-amd64.outputs.image-digest }}
             ${{ steps.ev.outputs.attestImageNames }}@${{ needs.build-server-arm64.outputs.image-digest }}
-      - uses: actions/attest-build-provenance@v3
+      - uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3
         id: attest
         with:
           subject-name: ${{ steps.ev.outputs.attestImageNames }}

.github/workflows/api-ts-publish.yml

@@ -8,20 +8,24 @@ on:
       - "schema.yml"
   workflow_dispatch:
 
+permissions:
+  # Required for NPM OIDC trusted publisher
+  id-token: write
+  contents: read
+
 jobs:
   build:
-    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
     runs-on: ubuntu-latest
     steps:
       - id: generate_token
-        uses: tibdex/github-app-token@v2
+        uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2
         with:
-          app_id: ${{ secrets.GH_APP_ID }}
-          private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-      - uses: actions/checkout@v5
+          app-id: ${{ secrets.GH_APP_ID }}
+          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
         with:
           token: ${{ steps.generate_token.outputs.token }}
-      - uses: actions/setup-node@v5
+      - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v5
         with:
           node-version-file: web/package.json
           registry-url: "https://registry.npmjs.org"
@@ -32,8 +36,6 @@ jobs:
         run: |
           npm i
           npm publish --tag generated
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}
       - name: Upgrade /web
         working-directory: web
         run: |
@@ -44,7 +46,7 @@ jobs:
         run: |
           export VERSION=`node -e 'console.log(require("../gen-ts-api/package.json").version)'`
           npm i @goauthentik/api@$VERSION
-      - uses: peter-evans/create-pull-request@v7
+      - uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7
         id: cpr
         with:
           token: ${{ steps.generate_token.outputs.token }}
@@ -57,7 +59,7 @@ jobs:
           # ID from https://api.github.com/users/authentik-automation[bot]
           author: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
           labels: dependencies
-      - uses: peter-evans/enable-pull-request-automerge@v3
+      - uses: peter-evans/enable-pull-request-automerge@a660677d5469627102a1c1e11409dd063606628d # v3
         with:
           token: ${{ steps.generate_token.outputs.token }}
           pull-request-number: ${{ steps.cpr.outputs.pull-request-number }}

.github/workflows/ci-api-docs.yml

@@ -21,7 +21,7 @@ jobs:
         command:
           - prettier-check
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
       - name: Install Dependencies
         working-directory: website/
         run: npm ci
@@ -32,8 +32,8 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v5
-      - uses: actions/setup-node@v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+      - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v5
         with:
           node-version-file: website/package.json
           cache: "npm"
@@ -41,7 +41,7 @@ jobs:
       - working-directory: website/
         name: Install Dependencies
         run: npm ci
-      - uses: actions/cache@v4
+      - uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
         with:
           path: |
             ${{ github.workspace }}/website/api/.docusaurus
@@ -55,7 +55,7 @@ jobs:
         env:
           NODE_ENV: production
         run: npm run build -w api
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v4
         with:
           name: api-docs
           path: website/api/build
@@ -66,12 +66,12 @@ jobs:
       - lint
       - build
     steps:
-      - uses: actions/checkout@v5
-      - uses: actions/download-artifact@v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+      - uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v5
         with:
           name: api-docs
           path: website/api/build
-      - uses: actions/setup-node@v5
+      - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v5
         with:
           node-version-file: website/package.json
           cache: "npm"

.github/workflows/ci-aws-cfn.yml

@@ -21,10 +21,10 @@ jobs:
   check-changes-applied:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
       - name: Setup authentik env
         uses: ./.github/actions/setup
-      - uses: actions/setup-node@v5
+      - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v5
         with:
           node-version-file: lifecycle/aws/package.json
           cache: "npm"
@@ -35,13 +35,13 @@ jobs:
       - name: Check changes have been applied
         run: |
           uv run make aws-cfn
-          git diff --exit-code
+          git diff --exit-code lifecycle/aws/template.yaml
   ci-aws-cfn-mark:
     if: always()
     needs:
       - check-changes-applied
     runs-on: ubuntu-latest
     steps:
-      - uses: re-actors/alls-green@release/v1
+      - uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # release/v1
         with:
           jobs: ${{ toJSON(needs) }}

.github/workflows/ci-docs-source.yml

@@ -13,11 +13,10 @@ env:
 
 jobs:
   publish-source-docs:
-    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
     runs-on: ubuntu-latest
     timeout-minutes: 120
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
       - name: Setup authentik env
         uses: ./.github/actions/setup
       - name: generate docs
@@ -25,9 +24,9 @@ jobs:
           uv run make migrate
           uv run ak build_source_docs
       - name: Publish
-        uses: netlify/actions/cli@master
-        with:
-          args: deploy --dir=source_docs --prod
         env:
           NETLIFY_SITE_ID: eb246b7b-1d83-4f69-89f7-01a936b4ca59
           NETLIFY_AUTH_TOKEN: ${{ secrets.NETLIFY_AUTH_TOKEN }}
+        run: |
+          npm install -g netlify-cli
+          netlify deploy --dir=source_docs --prod

.github/workflows/ci-docs.yml

@@ -21,7 +21,7 @@ jobs:
         command:
           - prettier-check
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
       - name: Install dependencies
         working-directory: website/
         run: npm ci
@@ -32,8 +32,8 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v5
-      - uses: actions/setup-node@v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+      - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v5
         with:
           node-version-file: website/package.json
           cache: "npm"
@@ -48,8 +48,8 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v5
-      - uses: actions/setup-node@v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+      - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v5
         with:
           node-version-file: website/package.json
           cache: "npm"
@@ -61,7 +61,6 @@ jobs:
         working-directory: website/
         run: npm run build -w integrations
   build-container:
-    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
     runs-on: ubuntu-latest
     permissions:
       # Needed to upload container images to ghcr.io
@@ -70,13 +69,13 @@ jobs:
       id-token: write
       attestations: write
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
         with:
           ref: ${{ github.event.pull_request.head.sha }}
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.6.0
+        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3
       - name: prepare variables
         uses: ./.github/actions/docker-push-variables
         id: ev
@@ -86,14 +85,14 @@ jobs:
           image-name: ghcr.io/goauthentik/dev-docs
       - name: Login to Container Registry
         if: ${{ steps.ev.outputs.shouldPush == 'true' }}
-        uses: docker/login-action@v3
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Build Docker Image
         id: push
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6
         with:
           tags: ${{ steps.ev.outputs.imageTags }}
           file: website/Dockerfile
@@ -102,7 +101,7 @@ jobs:
           context: .
           cache-from: type=registry,ref=ghcr.io/goauthentik/dev-docs:buildcache
           cache-to: ${{ steps.ev.outputs.shouldPush == 'true' && 'type=registry,ref=ghcr.io/goauthentik/dev-docs:buildcache,mode=max' || '' }}
-      - uses: actions/attest-build-provenance@v3
+      - uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3
         id: attest
         if: ${{ steps.ev.outputs.shouldPush == 'true' }}
         with:
@@ -118,7 +117,6 @@ jobs:
       - build-container
     runs-on: ubuntu-latest
     steps:
-      - uses: re-actors/alls-green@release/v1
+      - uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # release/v1
         with:
           jobs: ${{ toJSON(needs) }}
-          allowed-skips: ${{ github.repository == 'goauthentik/authentik-internal' && 'build-container' || '[]' }}

.github/workflows/ci-main-daily.yml

@@ -9,7 +9,6 @@ on:
 
 jobs:
   test-container:
-    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
     runs-on: ubuntu-latest
     strategy:
       fail-fast: false
@@ -19,7 +18,7 @@ jobs:
           - version-2025-4
           - version-2025-2
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
       - run: |
           current="$(pwd)"
           dir="/tmp/authentik/${{ matrix.version }}"

.github/workflows/ci-main.yml

@@ -37,7 +37,7 @@ jobs:
           - mypy
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
       - name: Setup authentik env
         uses: ./.github/actions/setup
       - name: run job
@@ -45,7 +45,7 @@ jobs:
   test-migrations:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
       - name: Setup authentik env
         uses: ./.github/actions/setup
       - name: run migrations
@@ -61,26 +61,35 @@ jobs:
   test-migrations-from-stable:
     name: test-migrations-from-stable - PostgreSQL ${{ matrix.psql }} - Run ${{ matrix.run_id }}/5
     runs-on: ubuntu-latest
-    timeout-minutes: 20
+    timeout-minutes: 30
     needs: test-make-seed
     strategy:
       fail-fast: false
       matrix:
         psql:
-          - 16-alpine
-          - 17-alpine
+          - 14-alpine
+          - 18-alpine
         run_id: [1, 2, 3, 4, 5]
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
         with:
           fetch-depth: 0
       - name: checkout stable
         run: |
+          set -e -o pipefail
           # Copy current, latest config to local
           cp authentik/lib/default.yml local.env.yml
           cp -R .github ..
           cp -R scripts ..
-          git checkout $(git tag --sort=version:refname | grep '^version/' | grep -vE -- '-rc[0-9]+$' | tail -n1)
+          # Previous stable tag
+          prev_stable=$(git tag --sort=version:refname | grep '^version/' | grep -vE -- '-rc[0-9]+$' | tail -n1)
+          # Current version family based on
+          current_version_family=$(cat internal/constants/VERSION | grep -vE -- 'rc[0-9]+$' || true)
+          if [[ -n $current_version_family ]]; then
+              prev_stable=$current_version_family
+          fi
+          echo "::notice::Checking out ${prev_stable} as stable version..."
+          git checkout $(prev_stable)
           rm -rf .github/ scripts/
           mv ../.github ../scripts .
       - name: Setup authentik env (stable)
@@ -112,28 +121,28 @@ jobs:
           CI_TOTAL_RUNS: "5"
         run: |
           uv run make ci-test
+      - uses: ./.github/actions/test-results
+        if: ${{ always() }}
+        with:
+          flags: unit-migrate
   test-unittest:
-    name: test-unittest - PostgreSQL ${{ matrix.psql }} (${{ matrix.profiles }}) - Run ${{ matrix.run_id }}/5
+    name: test-unittest - PostgreSQL ${{ matrix.psql }} - Run ${{ matrix.run_id }}/5
     runs-on: ubuntu-latest
-    timeout-minutes: 20
+    timeout-minutes: 30
     needs: test-make-seed
     strategy:
       fail-fast: false
       matrix:
         psql:
-          - 16-alpine
-          - 17-alpine
-        profiles:
-          - ""
-          - postgres_replica
+          - 14-alpine
+          - 18-alpine
         run_id: [1, 2, 3, 4, 5]
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
       - name: Setup authentik env
         uses: ./.github/actions/setup
         with:
           postgresql_version: ${{ matrix.psql }}
-          profiles: ${{ matrix.profiles }}
       - name: run unittest
         env:
           CI_TEST_SEED: ${{ needs.test-make-seed.outputs.seed }}
@@ -141,41 +150,27 @@ jobs:
           CI_TOTAL_RUNS: "5"
         run: |
           uv run make ci-test
-      - if: ${{ always() }}
-        uses: codecov/codecov-action@v5
+      - uses: ./.github/actions/test-results
+        if: ${{ always() }}
         with:
           flags: unit
-          use_oidc: true
-      - if: ${{ !cancelled() }}
-        uses: codecov/test-results-action@v1
-        with:
-          flags: unit
-          file: unittest.xml
-          use_oidc: true
   test-integration:
     runs-on: ubuntu-latest
     timeout-minutes: 30
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
       - name: Setup authentik env
         uses: ./.github/actions/setup
       - name: Create k8s Kind Cluster
-        uses: helm/kind-action@v1.12.0
+        uses: helm/kind-action@92086f6be054225fa813e0a4b13787fc9088faab # v1.13.0
       - name: run integration
         run: |
           uv run coverage run manage.py test tests/integration
           uv run coverage xml
-      - if: ${{ always() }}
-        uses: codecov/codecov-action@v5
+      - uses: ./.github/actions/test-results
+        if: ${{ always() }}
         with:
           flags: integration
-          use_oidc: true
-      - if: ${{ !cancelled() }}
-        uses: codecov/test-results-action@v1
-        with:
-          flags: integration
-          file: unittest.xml
-          use_oidc: true
   test-e2e:
     name: test-e2e (${{ matrix.job.name }})
     runs-on: ubuntu-latest
@@ -201,14 +196,14 @@ jobs:
           - name: flows
             glob: tests/e2e/test_flows*
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
       - name: Setup authentik env
         uses: ./.github/actions/setup
       - name: Setup e2e env (chrome, etc)
         run: |
           docker compose -f tests/e2e/docker-compose.yml up -d --quiet-pull
       - id: cache-web
-        uses: actions/cache@v4
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
         with:
           path: web/dist
           key: ${{ runner.os }}-web-${{ hashFiles('web/package-lock.json', 'package-lock.json', 'web/src/**', 'web/packages/sfe/src/**') }}-b
@@ -224,17 +219,10 @@ jobs:
         run: |
           uv run coverage run manage.py test ${{ matrix.job.glob }}
           uv run coverage xml
-      - if: ${{ always() }}
-        uses: codecov/codecov-action@v5
+      - uses: ./.github/actions/test-results
+        if: ${{ always() }}
         with:
           flags: e2e
-          use_oidc: true
-      - if: ${{ !cancelled() }}
-        uses: codecov/test-results-action@v1
-        with:
-          flags: e2e
-          file: unittest.xml
-          use_oidc: true
   ci-core-mark:
     if: always()
     needs:
@@ -246,7 +234,7 @@ jobs:
       - test-e2e
     runs-on: ubuntu-latest
     steps:
-      - uses: re-actors/alls-green@release/v1
+      - uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # release/v1
         with:
           jobs: ${{ toJSON(needs) }}
   build:
@@ -274,7 +262,7 @@ jobs:
       pull-requests: write
     timeout-minutes: 120
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
         with:
           ref: ${{ github.event.pull_request.head.sha }}
       - name: prepare variables

.github/workflows/ci-outpost.yml

@@ -12,12 +12,17 @@ on:
       - main
       - version-*
 
+env:
+  POSTGRES_DB: authentik
+  POSTGRES_USER: authentik
+  POSTGRES_PASSWORD: "EK-5jnKfjrGRm<77"
+
 jobs:
   lint-golint:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
-      - uses: actions/setup-go@v6
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6
         with:
           go-version-file: "go.mod"
       - name: Prepare and generate API
@@ -29,7 +34,7 @@ jobs:
       - name: Generate API
         run: make gen-client-go
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@v8
+        uses: golangci/golangci-lint-action@0a35821d5c230e903fcfe077583637dea1b27b47 # v8
         with:
           version: latest
           args: --timeout 5000s --verbose
@@ -37,14 +42,17 @@ jobs:
   test-unittest:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
-      - uses: actions/setup-go@v6
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6
         with:
           go-version-file: "go.mod"
       - name: Setup authentik env
         uses: ./.github/actions/setup
       - name: Generate API
         run: make gen-client-go
+      - name: prepare database
+        run: |
+          uv run make migrate
       - name: Go unittests
         run: |
           go test -timeout 0 -v -race -coverprofile=coverage.out -covermode=atomic -cover ./...
@@ -55,11 +63,10 @@ jobs:
       - test-unittest
     runs-on: ubuntu-latest
     steps:
-      - uses: re-actors/alls-green@release/v1
+      - uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # release/v1
         with:
           jobs: ${{ toJSON(needs) }}
   build-container:
-    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
     timeout-minutes: 120
     needs:
       - ci-outpost-mark
@@ -79,13 +86,13 @@ jobs:
       id-token: write
       attestations: write
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
         with:
           ref: ${{ github.event.pull_request.head.sha }}
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.6.0
+        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3
       - name: prepare variables
         uses: ./.github/actions/docker-push-variables
         id: ev
@@ -95,7 +102,7 @@ jobs:
           image-name: ghcr.io/goauthentik/dev-${{ matrix.type }}
       - name: Login to Container Registry
         if: ${{ steps.ev.outputs.shouldPush == 'true' }}
-        uses: docker/login-action@v3
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
@@ -104,7 +111,7 @@ jobs:
         run: make gen-client-go
       - name: Build Docker Image
         id: push
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6
         with:
           tags: ${{ steps.ev.outputs.imageTags }}
           file: ${{ matrix.type }}.Dockerfile
@@ -115,7 +122,7 @@ jobs:
           context: .
           cache-from: type=registry,ref=ghcr.io/goauthentik/dev-${{ matrix.type }}:buildcache
           cache-to: ${{ steps.ev.outputs.shouldPush == 'true' && format('type=registry,ref=ghcr.io/goauthentik/dev-{0}:buildcache,mode=max', matrix.type) || '' }}
-      - uses: actions/attest-build-provenance@v3
+      - uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3
         id: attest
         if: ${{ steps.ev.outputs.shouldPush == 'true' }}
         with:
@@ -138,13 +145,13 @@ jobs:
         goos: [linux]
         goarch: [amd64, arm64]
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
         with:
           ref: ${{ github.event.pull_request.head.sha }}
-      - uses: actions/setup-go@v6
+      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6
         with:
           go-version-file: "go.mod"
-      - uses: actions/setup-node@v5
+      - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v5
         with:
           node-version-file: web/package.json
           cache: "npm"

.github/workflows/ci-web.yml

@@ -31,8 +31,8 @@ jobs:
           - command: lit-analyse
             project: web
     steps:
-      - uses: actions/checkout@v5
-      - uses: actions/setup-node@v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+      - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v5
         with:
           node-version-file: ${{ matrix.project }}/package.json
           cache: "npm"
@@ -48,8 +48,8 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
-      - uses: actions/setup-node@v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+      - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v5
         with:
           node-version-file: web/package.json
           cache: "npm"
@@ -68,7 +68,7 @@ jobs:
       - lint
     runs-on: ubuntu-latest
     steps:
-      - uses: re-actors/alls-green@release/v1
+      - uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # release/v1
         with:
           jobs: ${{ toJSON(needs) }}
   test:
@@ -76,8 +76,8 @@ jobs:
       - ci-web-mark
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
-      - uses: actions/setup-node@v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+      - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v5
         with:
           node-version-file: web/package.json
           cache: "npm"

.github/workflows/gen-image-compress.yml

@@ -29,32 +29,32 @@ jobs:
        github.event.pull_request.head.repo.full_name == github.repository)
     steps:
       - id: generate_token
-        uses: tibdex/github-app-token@v2
+        uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2
         with:
-          app_id: ${{ secrets.GH_APP_ID }}
-          private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-      - uses: actions/checkout@v5
+          app-id: ${{ secrets.GH_APP_ID }}
+          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
         with:
           token: ${{ steps.generate_token.outputs.token }}
       - name: Compress images
         id: compress
-        uses: calibreapp/image-actions@main
+        uses: calibreapp/image-actions@420075c115b26f8785e293c5bd5bef0911c506e5 # main
         with:
-          githubToken: ${{ steps.generate_token.outputs.token }}
+          GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
           compressOnly: ${{ github.event_name != 'pull_request' }}
-      - uses: peter-evans/create-pull-request@v7
+      - uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7
         if: "${{ github.event_name != 'pull_request' && steps.compress.outputs.markdown != '' }}"
         id: cpr
         with:
           token: ${{ steps.generate_token.outputs.token }}
           title: "*: Auto compress images"
           branch-suffix: timestamp
-          commit-messsage: "*: compress images"
+          commit-message: "*: compress images"
           body: ${{ steps.compress.outputs.markdown }}
           delete-branch: true
           signoff: true
           labels: dependencies
-      - uses: peter-evans/enable-pull-request-automerge@v3
+      - uses: peter-evans/enable-pull-request-automerge@a660677d5469627102a1c1e11409dd063606628d # v3
         if: "${{ github.event_name != 'pull_request' && steps.compress.outputs.markdown != '' }}"
         with:
           token: ${{ steps.generate_token.outputs.token }}

.github/workflows/gen-update-webauthn-mds.yml

@@ -13,21 +13,20 @@ env:
 
 jobs:
   build:
-    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
     runs-on: ubuntu-latest
     steps:
       - id: generate_token
-        uses: tibdex/github-app-token@v2
+        uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2
         with:
-          app_id: ${{ secrets.GH_APP_ID }}
-          private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-      - uses: actions/checkout@v5
+          app-id: ${{ secrets.GH_APP_ID }}
+          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
         with:
           token: ${{ steps.generate_token.outputs.token }}
       - name: Setup authentik env
         uses: ./.github/actions/setup
       - run: uv run ak update_webauthn_mds
-      - uses: peter-evans/create-pull-request@v7
+      - uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7
         id: cpr
         with:
           token: ${{ steps.generate_token.outputs.token }}
@@ -40,7 +39,7 @@ jobs:
           # ID from https://api.github.com/users/authentik-automation[bot]
           author: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
           labels: dependencies
-      - uses: peter-evans/enable-pull-request-automerge@v3
+      - uses: peter-evans/enable-pull-request-automerge@a660677d5469627102a1c1e11409dd063606628d # v3
         with:
           token: ${{ steps.generate_token.outputs.token }}
           pull-request-number: ${{ steps.cpr.outputs.pull-request-number }}

.github/workflows/gh-cherry-pick.yml

@@ -10,14 +10,14 @@ jobs:
     steps:
       - id: app-token
         name: Generate app token
-        uses: actions/create-github-app-token@v2
+        uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2
         if: ${{ env.GH_APP_ID != '' }}
         with:
           app-id: ${{ secrets.GH_APP_ID }}
           private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
         env:
           GH_APP_ID: ${{ secrets.GH_APP_ID }}
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
         if: ${{ steps.app-token.outcome != 'skipped' }}
         with:
           fetch-depth: 0

.github/workflows/gh-gha-cache-cleanup.yml

@@ -16,7 +16,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out code
-        uses: actions/checkout@v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
 
       - name: Cleanup
         run: |

.github/workflows/gh-ghcr-retention.yml

@@ -5,25 +5,28 @@ on:
   # schedule:
   #   - cron: "0 0 * * *" # every day at midnight
   workflow_dispatch:
+    inputs:
+      dry-run:
+        type: boolean
+        description: Enable dry-run mode
 
 jobs:
   clean-ghcr:
-    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
     name: Delete old unused container images
     runs-on: ubuntu-latest
     steps:
       - id: generate_token
-        uses: tibdex/github-app-token@v2
+        uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2
         with:
-          app_id: ${{ secrets.GH_APP_ID }}
-          private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+          app-id: ${{ secrets.GH_APP_ID }}
+          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
       - name: Delete 'dev' containers older than a week
-        uses: snok/container-retention-policy@v2
+        uses: snok/container-retention-policy@3b0972b2276b171b212f8c4efbca59ebba26eceb # v3.0.1
         with:
           image-names: dev-server,dev-ldap,dev-proxy
+          image-tags: "!gh-next,!gh-main"
           cut-off: One week ago UTC
-          account-type: org
-          org-name: goauthentik
-          untagged-only: false
+          account: goauthentik
+          tag-selection: untagged
           token: ${{ steps.generate_token.outputs.token }}
-          skip-tags: gh-next,gh-main
+          dry-run: ${{ inputs.dry-run }}

.github/workflows/packages-npm-publish.yml

@@ -12,9 +12,13 @@ on:
       - packages/esbuild-plugin-live-reload/**
   workflow_dispatch:
 
+permissions:
+  # Required for NPM OIDC trusted publisher
+  id-token: write
+  contents: read
+
 jobs:
   publish:
-    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
     runs-on: ubuntu-latest
     strategy:
       fail-fast: false
@@ -26,16 +30,16 @@ jobs:
           - packages/tsconfig
           - packages/esbuild-plugin-live-reload
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
         with:
           fetch-depth: 2
-      - uses: actions/setup-node@v5
+      - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v5
         with:
           node-version-file: ${{ matrix.package }}/package.json
           registry-url: "https://registry.npmjs.org"
       - name: Get changed files
         id: changed-files
-        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62
+        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # 24d32ffd492484c1d75e0c0b894501ddb9d30d62
         with:
           files: |
             ${{ matrix.package }}/package.json
@@ -46,5 +50,3 @@ jobs:
           npm ci
           npm run build
           npm publish
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}

.github/workflows/qa-codeql.yml

@@ -24,14 +24,14 @@ jobs:
         language: ["go", "javascript", "python"]
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
       - name: Setup authentik env
         uses: ./.github/actions/setup
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v3
+        uses: github/codeql-action/init@v4
         with:
           languages: ${{ matrix.language }}
       - name: Autobuild
-        uses: github/codeql-action/autobuild@v3
+        uses: github/codeql-action/autobuild@v4
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v3
+        uses: github/codeql-action/analyze@v4

.github/workflows/qa-semgrep.yml

@@ -26,5 +26,5 @@ jobs:
       image: semgrep/semgrep
     if: (github.actor != 'dependabot[bot]')
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
       - run: semgrep ci

.github/workflows/release-branch-off.yml

@@ -29,12 +29,12 @@ jobs:
     steps:
       - id: app-token
         name: Generate app token
-        uses: actions/create-github-app-token@v2
+        uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2
         with:
           app-id: ${{ secrets.GH_APP_ID }}
           private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
       - name: Checkout main
-        uses: actions/checkout@v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
         with:
           ref: main
           token: "${{ steps.app-token.outputs.token }}"
@@ -57,12 +57,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - id: generate_token
-        uses: tibdex/github-app-token@v2
+        uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2
         with:
-          app_id: ${{ secrets.GH_APP_ID }}
-          private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+          app-id: ${{ secrets.GH_APP_ID }}
+          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
       - name: Checkout main
-        uses: actions/checkout@v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
         with:
           ref: main
           token: ${{ steps.generate_token.outputs.token }}
@@ -73,7 +73,7 @@ jobs:
       - name: Bump version
         run: "make bump version=${{ inputs.next_version }}.0-rc1"
       - name: Create pull request
-        uses: peter-evans/create-pull-request@v7
+        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7
         with:
           token: ${{ steps.generate_token.outputs.token }}
           branch: release-bump-${{ inputs.next_version }}

.github/workflows/release-next-branch.yml

@@ -12,11 +12,10 @@ permissions:
 
 jobs:
   update-next:
-    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
     runs-on: ubuntu-latest
     environment: internal-production
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
         with:
           ref: main
       - run: |

.github/workflows/release-publish.yml

@@ -31,11 +31,11 @@ jobs:
       id-token: write
       attestations: write
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.6.0
+        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3
       - name: prepare variables
         uses: ./.github/actions/docker-push-variables
         id: ev
@@ -44,21 +44,21 @@ jobs:
         with:
           image-name: ghcr.io/goauthentik/docs
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Build Docker Image
         id: push
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6
         with:
           tags: ${{ steps.ev.outputs.imageTags }}
           file: website/Dockerfile
           push: true
           platforms: linux/amd64,linux/arm64
           context: .
-      - uses: actions/attest-build-provenance@v3
+      - uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3
         id: attest
         if: true
         with:
@@ -83,14 +83,14 @@ jobs:
           - radius
           - rac
     steps:
-      - uses: actions/checkout@v5
-      - uses: actions/setup-go@v6
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6
         with:
           go-version-file: "go.mod"
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.6.0
+        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3
       - name: prepare variables
         uses: ./.github/actions/docker-push-variables
         id: ev
@@ -103,18 +103,18 @@ jobs:
           mkdir -p ./gen-ts-api
           mkdir -p ./gen-go-api
       - name: Docker Login Registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3
         with:
           username: ${{ secrets.DOCKER_CORP_USERNAME }}
           password: ${{ secrets.DOCKER_CORP_PASSWORD }}
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Build Docker Image
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6
         id: push
         with:
           push: true
@@ -124,7 +124,7 @@ jobs:
           file: ${{ matrix.type }}.Dockerfile
           platforms: linux/amd64,linux/arm64
           context: .
-      - uses: actions/attest-build-provenance@v3
+      - uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3
         id: attest
         with:
           subject-name: ${{ steps.ev.outputs.attestImageNames }}
@@ -146,11 +146,11 @@ jobs:
         goos: [linux, darwin]
         goarch: [amd64, arm64]
     steps:
-      - uses: actions/checkout@v5
-      - uses: actions/setup-go@v6
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6
         with:
           go-version-file: "go.mod"
-      - uses: actions/setup-node@v5
+      - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v5
         with:
           node-version-file: web/package.json
           cache: "npm"
@@ -168,7 +168,7 @@ jobs:
           export CGO_ENABLED=0
           go build -tags=outpost_static_embed -v -o ./authentik-outpost-${{ matrix.type }}_${{ matrix.goos }}_${{ matrix.goarch }} ./cmd/${{ matrix.type }}
       - name: Upload binaries to release
-        uses: svenstaro/upload-release-action@v2
+        uses: svenstaro/upload-release-action@81c65b7cd4de9b2570615ce3aad67a41de5b1a13 # v2
         with:
           repo_token: ${{ secrets.GITHUB_TOKEN }}
           file: ./authentik-outpost-${{ matrix.type }}_${{ matrix.goos }}_${{ matrix.goarch }}
@@ -186,8 +186,8 @@ jobs:
       AWS_REGION: eu-central-1
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
-      - uses: aws-actions/configure-aws-credentials@v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+      - uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8 # v5
         with:
           role-to-assume: "arn:aws:iam::016170277896:role/github_goauthentik_authentik"
           aws-region: ${{ env.AWS_REGION }}
@@ -202,14 +202,14 @@ jobs:
       - build-outpost-binary
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
       - name: Run test suite in final docker images
         run: |
           echo "PG_PASS=$(openssl rand 32 | base64 -w 0)" >> .env
           echo "AUTHENTIK_SECRET_KEY=$(openssl rand 32 | base64 -w 0)" >> .env
           docker compose pull -q
           docker compose up --no-start
-          docker compose start postgresql redis
+          docker compose start postgresql
           docker compose run -u root server test-all
   sentry-release:
     needs:
@@ -218,7 +218,7 @@ jobs:
       - build-outpost-binary
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
       - name: prepare variables
         uses: ./.github/actions/docker-push-variables
         id: ev
@@ -232,7 +232,7 @@ jobs:
           container=$(docker container create ${{ steps.ev.outputs.imageMainName }})
           docker cp ${container}:web/ .
       - name: Create a Sentry.io release
-        uses: getsentry/action-release@v3
+        uses: getsentry/action-release@128c5058bbbe93c8e02147fe0a9c713f166259a6 # v3
         continue-on-error: true
         env:
           SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}

.github/workflows/release-tag.yml

@@ -35,8 +35,10 @@ jobs:
           echo "major_version=${{ inputs.version }}" | grep -oE "^major_version=[0-9]{4}\.[0-9]{1,2}" >> "$GITHUB_OUTPUT"
       - id: changelog-url
         run: |
-          if [ "${{ inputs.release_reason }}" = "feature" ] || [ "${{ inputs.release_reason }}" = "prerelease" ]; then
+          if [ "${{ inputs.release_reason }}" = "feature" ]; then
             changelog_url="https://docs.goauthentik.io/docs/releases/${{ steps.check.outputs.major_version }}"
+          elif [ "${{ inputs.release_reason }}" = "prerelease" ]; then
+            changelog_url="https://next.goauthentik.io/docs/releases/${{ steps.check.outputs.major_version }}"
           else
             changelog_url="https://docs.goauthentik.io/docs/releases/${{ steps.check.outputs.major_version }}#fixed-in-$(echo -n ${{ inputs.version }} | sed 's/\.//g')"
           fi
@@ -48,7 +50,7 @@ jobs:
     name: Pre-release test
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
       - run: make test-docker
   bump-authentik:
     name: Bump authentik version
@@ -59,7 +61,7 @@ jobs:
     steps:
       - id: app-token
         name: Generate app token
-        uses: actions/create-github-app-token@v2
+        uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2
         with:
           app-id: ${{ secrets.GH_APP_ID }}
           private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
@@ -68,7 +70,7 @@ jobs:
         run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
         env:
           GH_TOKEN: "${{ steps.app-token.outputs.token }}"
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
         with:
           ref: "version-${{ needs.check-inputs.outputs.major_version }}"
           token: "${{ steps.app-token.outputs.token }}"
@@ -87,7 +89,7 @@ jobs:
           git tag "version/${{ inputs.version }}" HEAD -m "version/${{ inputs.version }}"
           git push --follow-tags
       - name: Create Release
-        uses: softprops/action-gh-release@v2
+        uses: softprops/action-gh-release@5be0e66d93ac7ed76da52eca8bb058f665c3a5fe # v2.4.2
         with:
           token: "${{ steps.app-token.outputs.token }}"
           tag_name: "version/${{ inputs.version }}"
@@ -106,7 +108,7 @@ jobs:
     steps:
       - id: app-token
         name: Generate app token
-        uses: actions/create-github-app-token@v2
+        uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2
         with:
           app-id: ${{ secrets.GH_APP_ID }}
           private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
@@ -116,7 +118,7 @@ jobs:
         run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
         env:
           GH_TOKEN: "${{ steps.app-token.outputs.token }}"
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
         with:
           repository: "${{ github.repository_owner }}/helm"
           token: "${{ steps.app-token.outputs.token }}"
@@ -128,7 +130,7 @@ jobs:
           sed -E -i 's/[0-9]{4}\.[0-9]{1,2}\.[0-9]+$/${{ inputs.version }}/' charts/authentik/Chart.yaml
           ./scripts/helm-docs.sh
       - name: Create pull request
-        uses: peter-evans/create-pull-request@v7
+        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7
         with:
           token: "${{ steps.app-token.outputs.token }}"
           branch: bump-${{ inputs.version }}
@@ -148,7 +150,7 @@ jobs:
     steps:
       - id: app-token
         name: Generate app token
-        uses: actions/create-github-app-token@v2
+        uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2
         with:
           app-id: ${{ secrets.GH_APP_ID }}
           private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
@@ -158,7 +160,7 @@ jobs:
         run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
         env:
           GH_TOKEN: "${{ steps.app-token.outputs.token }}"
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
         with:
           repository: "${{ github.repository_owner }}/version"
           token: "${{ steps.app-token.outputs.token }}"
@@ -183,7 +185,7 @@ jobs:
             '.stable.version = $version | .stable.changelog = $changelog | .stable.changelog_url = $changelog_url' version.json > version.new.json
           mv version.new.json version.json
       - name: Create pull request
-        uses: peter-evans/create-pull-request@v7
+        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7
         with:
           token: "${{ steps.app-token.outputs.token }}"
           branch: bump-${{ inputs.version }}

.github/workflows/repo-mirror-cleanup.yml

@@ -1,22 +0,0 @@
----
-name: Repo - Cleanup internal mirror
-
-on:
-  workflow_dispatch:
-
-jobs:
-  to_internal:
-    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v5
-        with:
-          fetch-depth: 0
-      - if: ${{ env.MIRROR_KEY != '' }}
-        uses: BeryJu/repository-mirroring-action@5cf300935bc2e068f73ea69bcc411a8a997208eb
-        with:
-          target_repo_url: git@github.com:goauthentik/authentik-internal.git
-          ssh_private_key: ${{ secrets.GH_MIRROR_KEY }}
-          args: --tags --force --prune
-        env:
-          MIRROR_KEY: ${{ secrets.GH_MIRROR_KEY }}

.github/workflows/repo-mirror.yml

@@ -1,21 +0,0 @@
----
-name: Repo - Mirror to internal
-
-on: [push, delete]
-
-jobs:
-  to_internal:
-    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v5
-        with:
-          fetch-depth: 0
-      - if: ${{ env.MIRROR_KEY != '' }}
-        uses: BeryJu/repository-mirroring-action@5cf300935bc2e068f73ea69bcc411a8a997208eb
-        with:
-          target_repo_url: git@github.com:goauthentik/authentik-internal.git
-          ssh_private_key: ${{ secrets.GH_MIRROR_KEY }}
-          args: --tags --force
-        env:
-          MIRROR_KEY: ${{ secrets.GH_MIRROR_KEY }}

.github/workflows/repo-stale.yml

@@ -12,15 +12,14 @@ permissions:
 
 jobs:
   stale:
-    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
     runs-on: ubuntu-latest
     steps:
       - id: generate_token
-        uses: tibdex/github-app-token@v2
+        uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2
         with:
-          app_id: ${{ secrets.GH_APP_ID }}
-          private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-      - uses: actions/stale@v10
+          app-id: ${{ secrets.GH_APP_ID }}
+          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+      - uses: actions/stale@5f858e3efba33a5ca4407a664cc011ad407f2008 # v10
         with:
           repo-token: ${{ steps.generate_token.outputs.token }}
           days-before-stale: 60

.github/workflows/translation-advice.yml

@@ -20,14 +20,14 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Find Comment
-        uses: peter-evans/find-comment@v3
+        uses: peter-evans/find-comment@b30e6a3c0ed37e7c023ccd3f1db5c6c0b0c23aad # v4
         id: fc
         with:
           issue-number: ${{ github.event.pull_request.number }}
           comment-author: "github-actions[bot]"
           body-includes: authentik translations instructions
       - name: Create or update comment
-        uses: peter-evans/create-or-update-comment@v4
+        uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5
         with:
           comment-id: ${{ steps.fc.outputs.comment-id }}
           issue-number: ${{ github.event.pull_request.number }}

.github/workflows/translation-extract-compile.yml

@@ -17,20 +17,19 @@ env:
 
 jobs:
   compile:
-    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
     runs-on: ubuntu-latest
     steps:
       - id: generate_token
         if: ${{ github.event_name != 'pull_request' }}
-        uses: tibdex/github-app-token@v2
+        uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2
         with:
-          app_id: ${{ secrets.GH_APP_ID }}
-          private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-      - uses: actions/checkout@v5
+          app-id: ${{ secrets.GH_APP_ID }}
+          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
         if: ${{ github.event_name != 'pull_request' }}
         with:
           token: ${{ steps.generate_token.outputs.token }}
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
         if: ${{ github.event_name == 'pull_request' }}
       - name: Setup authentik env
         uses: ./.github/actions/setup
@@ -45,7 +44,7 @@ jobs:
           make web-check-compile
       - name: Create Pull Request
         if: ${{ github.event_name != 'pull_request' }}
-        uses: peter-evans/create-pull-request@v7
+        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7
         with:
           token: ${{ steps.generate_token.outputs.token }}
           branch: extract-compile-backend-translation

.github/workflows/translation-rename.yml

@@ -16,12 +16,12 @@ jobs:
     runs-on: ubuntu-latest
     if: ${{ github.event.pull_request.user.login == 'transifex-integration[bot]'}}
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
       - id: generate_token
-        uses: tibdex/github-app-token@v2
+        uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2
         with:
-          app_id: ${{ secrets.GH_APP_ID }}
-          private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+          app-id: ${{ secrets.GH_APP_ID }}
+          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
       - name: Get current title
         id: title
         env:
@@ -34,7 +34,7 @@ jobs:
           GH_TOKEN: ${{ steps.generate_token.outputs.token }}
         run: |
           gh pr edit ${{ github.event.pull_request.number }} -t "translate: ${{ steps.title.outputs.title }}" --add-label dependencies
-      - uses: peter-evans/enable-pull-request-automerge@v3
+      - uses: peter-evans/enable-pull-request-automerge@a660677d5469627102a1c1e11409dd063606628d # v3
         with:
           token: ${{ steps.generate_token.outputs.token }}
           pull-request-number: ${{ github.event.pull_request.number }}

.gitignore

@@ -72,7 +72,7 @@ unittest.xml
 
 # Translations
 # Have to include binary mo files as they are annoying to compile at build time
-# since a full postgres and redis instance are required
+# since a full postgres instance is required
 # *.mo
 
 # Django stuff:

.vscode/settings.json

@@ -49,6 +49,9 @@
     "go.testFlags": [
         "-count=1"
     ],
+    "go.testEnvVars": {
+        "WORKSPACE_DIR": "${workspaceFolder}"
+    },
     "github-actions.workflows.pinned.workflows": [
         ".github/workflows/ci-main.yml"
     ]

CODEOWNERS

@@ -24,6 +24,8 @@ Makefile                                @goauthentik/infrastructure
 .editorconfig                           @goauthentik/infrastructure
 CODEOWNERS                              @goauthentik/infrastructure
 # Backend packages
+packages/django-channels-postgres       @goauthentik/backend
+packages/django-postgres-cache          @goauthentik/backend
 packages/django-dramatiq-postgres       @goauthentik/backend
 # Web packages
 packages/docusaurus-config              @goauthentik/frontend

Dockerfile

@@ -1,7 +1,7 @@
 # syntax=docker/dockerfile:1
 
 # Stage 1: Build webui
-FROM --platform=${BUILDPLATFORM} docker.io/library/node:24-slim AS node-builder
+FROM --platform=${BUILDPLATFORM} docker.io/library/node:24-trixie-slim@sha256:45babd1b4ce0349fb12c4e24bf017b90b96d52806db32e001e3013f341bef0fe AS node-builder
 
 ARG GIT_BUILD_HASH
 ENV GIT_BUILD_HASH=$GIT_BUILD_HASH
@@ -26,7 +26,7 @@ RUN npm run build && \
     npm run build:sfe
 
 # Stage 2: Build go proxy
-FROM --platform=${BUILDPLATFORM} docker.io/library/golang:1.25-bookworm AS go-builder
+FROM --platform=${BUILDPLATFORM} docker.io/library/golang:1.25.4-trixie@sha256:728cbef6ce5da50a5da2455cf8a13ddc4f71eb5a3245d9a5a3cce260f8ca9898 AS go-builder
 
 ARG TARGETOS
 ARG TARGETARCH
@@ -63,7 +63,7 @@ RUN --mount=type=cache,sharing=locked,target=/go/pkg/mod \
     go build -o /go/authentik ./cmd/server
 
 # Stage 3: MaxMind GeoIP
-FROM --platform=${BUILDPLATFORM} ghcr.io/maxmind/geoipupdate:v7.1.1 AS geoip
+FROM --platform=${BUILDPLATFORM} ghcr.io/maxmind/geoipupdate:v7.1.1@sha256:faecdca22579730ab0b7dea5aa9af350bb3c93cb9d39845c173639ead30346d2 AS geoip
 
 ENV GEOIPUPDATE_EDITION_IDS="GeoLite2-City GeoLite2-ASN"
 ENV GEOIPUPDATE_VERBOSE="1"
@@ -76,9 +76,9 @@ RUN --mount=type=secret,id=GEOIPUPDATE_ACCOUNT_ID \
     /bin/sh -c "GEOIPUPDATE_LICENSE_KEY_FILE=/run/secrets/GEOIPUPDATE_LICENSE_KEY /usr/bin/entry.sh || echo 'Failed to get GeoIP database, disabling'; exit 0"
 
 # Stage 4: Download uv
-FROM ghcr.io/astral-sh/uv:0.8.22 AS uv
+FROM ghcr.io/astral-sh/uv:0.9.10@sha256:29bd45092ea8902c0bbb7f0a338f0494a382b1f4b18355df5be270ade679ff1d AS uv
 # Stage 5: Base python image
-FROM ghcr.io/goauthentik/fips-python:3.13.7-slim-trixie-fips AS python-base
+FROM ghcr.io/goauthentik/fips-python:3.13.9-slim-trixie-fips@sha256:700fc8c1e290bd14e5eaca50b1d8e8c748c820010559cbfb4c4f8dfbe2c4c9ff AS python-base
 
 ENV VENV_PATH="/ak-root/.venv" \
     PATH="/lifecycle:/ak-root/.venv/bin:$PATH" \
@@ -119,7 +119,11 @@ RUN --mount=type=cache,id=apt-$TARGETARCH$TARGETVARIANT,sharing=locked,target=/v
     libltdl-dev && \
     curl https://sh.rustup.rs -sSf | sh -s -- -y
 
-ENV UV_NO_BINARY_PACKAGE="cryptography lxml python-kadmin-rs xmlsec"
+ENV UV_NO_BINARY_PACKAGE="cryptography lxml python-kadmin-rs xmlsec" \
+    # https://github.com/rust-lang/rustup/issues/2949
+    # Fixes issues where the rust version in the build cache is older than latest
+    # and rustup tries to update it, which fails
+    RUSTUP_PERMIT_COPY_RENAME="true"
 
 RUN --mount=type=bind,target=pyproject.toml,src=pyproject.toml \
     --mount=type=bind,target=uv.lock,src=uv.lock \
@@ -135,6 +139,7 @@ ARG GIT_BUILD_HASH
 ENV GIT_BUILD_HASH=$GIT_BUILD_HASH
 
 LABEL org.opencontainers.image.authors="Authentik Security Inc." \
+    org.opencontainers.image.source="https://github.com/goauthentik/authentik" \
     org.opencontainers.image.description="goauthentik.io Main server image, see https://goauthentik.io for more info." \
     org.opencontainers.image.documentation="https://docs.goauthentik.io" \
     org.opencontainers.image.licenses="https://github.com/goauthentik/authentik/blob/main/LICENSE" \

Makefile

@@ -16,7 +16,6 @@ GEN_API_GO = gen-go-api
 pg_user := $(shell uv run python -m authentik.lib.config postgresql.user 2>/dev/null)
 pg_host := $(shell uv run python -m authentik.lib.config postgresql.host 2>/dev/null)
 pg_name := $(shell uv run python -m authentik.lib.config postgresql.name 2>/dev/null)
-redis_db := $(shell uv run python -m authentik.lib.config redis.db 2>/dev/null)
 
 UNAME := $(shell uname)
 
@@ -107,7 +106,6 @@ dev-drop-db:
 	dropdb -U ${pg_user} -h ${pg_host} ${pg_name} || true
 	# Also remove the test-db if it exists
 	dropdb -U ${pg_user} -h ${pg_host} test_${pg_name} || true
-	redis-cli -n ${redis_db} flushall
 
 dev-create-db:
 	createdb -U ${pg_user} -h ${pg_host} ${pg_name}
@@ -151,14 +149,13 @@ gen-changelog:  ## (Release) generate the changelog based from the commits since
 	npx prettier --write changelog.md
 
 gen-diff:  ## (Release) generate the changelog diff between the current schema and the last tag
-	git show $(shell git describe --tags $(shell git rev-list --tags --max-count=1)):schema.yml > old_schema.yml
-	docker run \
-		--rm -v ${PWD}:/local \
-		--user ${UID}:${GID} \
-		docker.io/openapitools/openapi-diff:2.1.0-beta.8 \
-		--markdown /local/diff.md \
-		/local/old_schema.yml /local/schema.yml
-	rm old_schema.yml
+	git show $(shell git describe --tags $(shell git rev-list --tags --max-count=1)):schema.yml > schema-old.yml
+	docker compose -f scripts/api/docker-compose.yml run --rm --user "${UID}:${GID}" diff \
+		--markdown \
+		/local/diff.md \
+		/local/schema-old.yml \
+		/local/schema.yml
+	rm schema-old.yml
 	sed -i 's/{/{/g' diff.md
 	sed -i 's/}/}/g' diff.md
 	npx prettier --write diff.md
@@ -167,28 +164,21 @@ gen-clean-ts:  ## Remove generated API client for TypeScript
 	rm -rf ${PWD}/${GEN_API_TS}/
 	rm -rf ${PWD}/web/node_modules/@goauthentik/api/
 
-gen-clean-go:  ## Remove generated API client for Go
-	mkdir -p ${PWD}/${GEN_API_GO}
-ifneq ($(wildcard ${PWD}/${GEN_API_GO}/.*),)
-	make -C ${PWD}/${GEN_API_GO} clean
-else
-	rm -rf ${PWD}/${GEN_API_GO}
-endif
-
 gen-clean-py:  ## Remove generated API client for Python
-	rm -rf ${PWD}/${GEN_API_PY}/
+	rm -rf ${PWD}/${GEN_API_PY}
+
+gen-clean-go:  ## Remove generated API client for Go
+	rm -rf ${PWD}/${GEN_API_GO}
 
 gen-clean: gen-clean-ts gen-clean-go gen-clean-py  ## Remove generated API clients
 
 gen-client-ts: gen-clean-ts  ## Build and install the authentik API for Typescript into the authentik UI Application
-	docker run \
-		--rm -v ${PWD}:/local \
-		--user ${UID}:${GID} \
-		docker.io/openapitools/openapi-generator-cli:v7.15.0 generate \
+	docker compose -f scripts/api/docker-compose.yml run --rm --user "${UID}:${GID}" gen \
+		generate \
 		-i /local/schema.yml \
 		-g typescript-fetch \
 		-o /local/${GEN_API_TS} \
-		-c /local/scripts/api-ts-config.yaml \
+		-c /local/scripts/api/ts-config.yaml \
 		--additional-properties=npmVersion=${NPM_VERSION} \
 		--git-repo-id authentik \
 		--git-user-id goauthentik
@@ -198,17 +188,14 @@ gen-client-ts: gen-clean-ts  ## Build and install the authentik API for Typescri
 	cd ${PWD}/web && npm link @goauthentik/api
 
 gen-client-py: gen-clean-py ## Build and install the authentik API for Python
-	docker run \
-		--rm -v ${PWD}:/local \
-		--user ${UID}:${GID} \
-		docker.io/openapitools/openapi-generator-cli:v7.15.0 generate \
-		-i /local/schema.yml \
-		-g python \
-		-o /local/${GEN_API_PY} \
-		-c /local/scripts/api-py-config.yaml \
-		--additional-properties=packageVersion=${NPM_VERSION} \
-		--git-repo-id authentik \
-		--git-user-id goauthentik
+	mkdir -p ${PWD}/${GEN_API_PY}
+ifeq ($(wildcard ${PWD}/${GEN_API_PY}/.*),)
+	git clone --depth 1 https://github.com/goauthentik/client-python.git ${PWD}/${GEN_API_PY}
+else
+	cd ${PWD}/${GEN_API_PY} && git pull
+endif
+	cp ${PWD}/schema.yml ${PWD}/${GEN_API_PY}
+	make -C ${PWD}/${GEN_API_PY} build version=${NPM_VERSION}
 
 gen-client-go: gen-clean-go  ## Build and install the authentik API for Golang
 	mkdir -p ${PWD}/${GEN_API_GO}

README.md

@@ -10,7 +10,7 @@
 [![GitHub Workflow Status](https://img.shields.io/github/actions/workflow/status/goauthentik/authentik/ci-web.yml?branch=main&label=web%20build&style=for-the-badge)](https://github.com/goauthentik/authentik/actions/workflows/ci-web.yml)
 [![Code Coverage](https://img.shields.io/codecov/c/gh/goauthentik/authentik?style=for-the-badge)](https://codecov.io/gh/goauthentik/authentik)
 ![Latest version](https://img.shields.io/docker/v/authentik/server?sort=semver&style=for-the-badge)
-[![](https://img.shields.io/badge/Help%20translate-transifex-blue?style=for-the-badge)](https://www.transifex.com/authentik/authentik/)
+[![](https://img.shields.io/badge/Help%20translate-transifex-blue?style=for-the-badge)](https://explore.transifex.com/authentik/authentik/)
 
 ## What is authentik?
 

SECURITY.md

@@ -18,10 +18,10 @@ Even if the issue is not a CVE, we still greatly appreciate your help in hardeni
 
 (.x being the latest patch release for each version)
 
-| Version   | Supported |
-| --------- | --------- |
-| 2025.6.x  | ✅        |
-| 2025.8.x  | ✅        |
+| Version    | Supported  |
+| ---------- | ---------- |
+| 2025.8.x   | ✅         |
+| 2025.10.x  | ✅         |
 
 ## Reporting a Vulnerability
 

authentik/__init__.py

@@ -3,7 +3,7 @@
 from functools import lru_cache
 from os import environ
 
-VERSION = "2025.10.0-rc1"
+VERSION = "2025.12.0-rc1"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
 
 

authentik/admin/signals.py

@@ -0,0 +1,9 @@
+from django.dispatch import receiver
+
+from authentik.admin.tasks import _set_prom_info
+from authentik.root.signals import post_startup
+
+
+@receiver(post_startup)
+def post_startup_admin_metrics(sender, **_):
+    _set_prom_info()

authentik/admin/tasks.py

@@ -2,7 +2,6 @@
 
 from django.core.cache import cache
 from django.utils.translation import gettext_lazy as _
-from django_dramatiq_postgres.middleware import CurrentTask
 from dramatiq import actor
 from packaging.version import parse
 from requests import RequestException
@@ -13,7 +12,7 @@ from authentik.admin.apps import PROM_INFO
 from authentik.events.models import Event, EventAction
 from authentik.lib.config import CONFIG
 from authentik.lib.utils.http import get_http_session
-from authentik.tasks.models import Task
+from authentik.tasks.middleware import CurrentTask
 
 LOGGER = get_logger()
 VERSION_NULL = "0.0.0"
@@ -35,7 +34,7 @@ def _set_prom_info():
 
 @actor(description=_("Update latest version info."))
 def update_latest_version():
-    self: Task = CurrentTask.get_task()
+    self = CurrentTask.get_task()
     if CONFIG.get_bool("disable_update_check"):
         cache.set(VERSION_CACHE_KEY, VERSION_NULL, VERSION_CACHE_TIMEOUT)
         self.info("Version check disabled.")
@@ -72,6 +71,3 @@ def update_latest_version():
     except (RequestException, IndexError) as exc:
         cache.set(VERSION_CACHE_KEY, VERSION_NULL, VERSION_CACHE_TIMEOUT)
         raise exc
-
-
-_set_prom_info()

authentik/api/pagination.py

@@ -1,44 +1,10 @@
 """Pagination which includes total pages and current page"""
 
+from drf_spectacular.plumbing import build_object_type
 from rest_framework import pagination
 from rest_framework.response import Response
 
-PAGINATION_COMPONENT_NAME = "Pagination"
-PAGINATION_SCHEMA = {
-    "type": "object",
-    "properties": {
-        "next": {
-            "type": "number",
-        },
-        "previous": {
-            "type": "number",
-        },
-        "count": {
-            "type": "number",
-        },
-        "current": {
-            "type": "number",
-        },
-        "total_pages": {
-            "type": "number",
-        },
-        "start_index": {
-            "type": "number",
-        },
-        "end_index": {
-            "type": "number",
-        },
-    },
-    "required": [
-        "next",
-        "previous",
-        "count",
-        "current",
-        "total_pages",
-        "start_index",
-        "end_index",
-    ],
-}
+from authentik.api.v3.schema.response import PAGINATION
 
 
 class Pagination(pagination.PageNumberPagination):
@@ -70,14 +36,13 @@ class Pagination(pagination.PageNumberPagination):
         )
 
     def get_paginated_response_schema(self, schema):
-        return {
-            "type": "object",
-            "properties": {
-                "pagination": {"$ref": f"#/components/schemas/{PAGINATION_COMPONENT_NAME}"},
+        return build_object_type(
+            properties={
+                "pagination": PAGINATION.ref,
                 "results": schema,
             },
-            "required": ["pagination", "results"],
-        }
+            required=["pagination", "results"],
+        )
 
 
 class SmallerPagination(Pagination):

authentik/api/schema.py

@@ -1,96 +1,60 @@
 """Error Response schema, from https://github.com/axnsan12/drf-yasg/issues/224"""
 
-from django.utils.translation import gettext_lazy as _
+from collections.abc import Callable
+from typing import Any
+
 from drf_spectacular.generators import SchemaGenerator
-from drf_spectacular.plumbing import (
-    ResolvedComponent,
-    build_array_type,
-    build_basic_type,
-    build_object_type,
-)
+from drf_spectacular.plumbing import ResolvedComponent
+from drf_spectacular.renderers import OpenApiJsonRenderer
 from drf_spectacular.settings import spectacular_settings
-from drf_spectacular.types import OpenApiTypes
-from rest_framework.settings import api_settings
+from structlog.stdlib import get_logger
 
 from authentik.api.apps import AuthentikAPIConfig
-from authentik.api.pagination import PAGINATION_COMPONENT_NAME, PAGINATION_SCHEMA
-
-
-def build_standard_type(obj, **kwargs):
-    """Build a basic type with optional add owns."""
-    schema = build_basic_type(obj)
-    schema.update(kwargs)
-    return schema
-
-
-GENERIC_ERROR = build_object_type(
-    description=_("Generic API Error"),
-    properties={
-        "detail": build_standard_type(OpenApiTypes.STR),
-        "code": build_standard_type(OpenApiTypes.STR),
-    },
-    required=["detail"],
-)
-VALIDATION_ERROR = build_object_type(
-    description=_("Validation Error"),
-    properties={
-        api_settings.NON_FIELD_ERRORS_KEY: build_array_type(build_standard_type(OpenApiTypes.STR)),
-        "code": build_standard_type(OpenApiTypes.STR),
-    },
-    required=[],
-    additionalProperties={},
+from authentik.api.v3.schema.query import QUERY_PARAMS
+from authentik.api.v3.schema.response import (
+    GENERIC_ERROR,
+    GENERIC_ERROR_RESPONSE,
+    PAGINATION,
+    VALIDATION_ERROR,
+    VALIDATION_ERROR_RESPONSE,
 )
 
-
-def create_component(generator: SchemaGenerator, name, schema, type_=ResolvedComponent.SCHEMA):
-    """Register a component and return a reference to it."""
-    component = ResolvedComponent(
-        name=name,
-        type=type_,
-        schema=schema,
-        object=name,
-    )
-    generator.registry.register_on_missing(component)
-    return component
+LOGGER = get_logger()
 
 
-def postprocess_schema_responses(result, generator: SchemaGenerator, **kwargs):
-    """Workaround to set a default response for endpoints.
-    Workaround suggested at
-    <https://github.com/tfranzel/drf-spectacular/issues/119#issuecomment-656970357>
-    for the missing drf-spectacular feature discussed in
-    <https://github.com/tfranzel/drf-spectacular/issues/101>.
-    """
+def preprocess_schema_exclude_non_api(endpoints: list[tuple[str, Any, Any, Callable]], **kwargs):
+    """Filter out all API Views which are not mounted under /api"""
+    return [
+        (path, path_regex, method, callback)
+        for path, path_regex, method, callback in endpoints
+        if path.startswith("/" + AuthentikAPIConfig.mountpoint)
+    ]
 
-    create_component(generator, PAGINATION_COMPONENT_NAME, PAGINATION_SCHEMA)
 
-    generic_error = create_component(generator, "GenericError", GENERIC_ERROR)
-    validation_error = create_component(generator, "ValidationError", VALIDATION_ERROR)
+def postprocess_schema_register(
+    result: dict[str, Any], generator: SchemaGenerator, **kwargs
+) -> dict[str, Any]:
+    """Register custom schema components"""
+    LOGGER.debug("Registering custom schemas")
+    generator.registry.register_on_missing(PAGINATION)
+    generator.registry.register_on_missing(GENERIC_ERROR)
+    generator.registry.register_on_missing(GENERIC_ERROR_RESPONSE)
+    generator.registry.register_on_missing(VALIDATION_ERROR)
+    generator.registry.register_on_missing(VALIDATION_ERROR_RESPONSE)
+    for query in QUERY_PARAMS.values():
+        generator.registry.register_on_missing(query)
+    return result
 
+
+def postprocess_schema_responses(
+    result: dict[str, Any], generator: SchemaGenerator, **kwargs
+) -> dict[str, Any]:
+    """Default error responses"""
+    LOGGER.debug("Adding default error responses")
     for path in result["paths"].values():
         for method in path.values():
-            method["responses"].setdefault(
-                "400",
-                {
-                    "content": {
-                        "application/json": {
-                            "schema": validation_error.ref,
-                        }
-                    },
-                    "description": "",
-                },
-            )
-            method["responses"].setdefault(
-                "403",
-                {
-                    "content": {
-                        "application/json": {
-                            "schema": generic_error.ref,
-                        }
-                    },
-                    "description": "",
-                },
-            )
+            method["responses"].setdefault("400", VALIDATION_ERROR_RESPONSE.ref)
+            method["responses"].setdefault("403", GENERIC_ERROR_RESPONSE.ref)
 
     result["components"] = generator.registry.build(spectacular_settings.APPEND_COMPONENTS)
 
@@ -104,72 +68,36 @@ def postprocess_schema_responses(result, generator: SchemaGenerator, **kwargs):
     return result
 
 
-def postprocess_schema_pagination(result, generator: SchemaGenerator, **kwargs):
-    to_replace = {
-        "ordering": create_component(
-            generator,
-            "QueryPaginationOrdering",
-            {
-                "name": "ordering",
-                "required": False,
-                "in": "query",
-                "description": "Which field to use when ordering the results.",
-                "schema": {"type": "string"},
-            },
-            ResolvedComponent.PARAMETER,
-        ),
-        "page": create_component(
-            generator,
-            "QueryPaginationPage",
-            {
-                "name": "page",
-                "required": False,
-                "in": "query",
-                "description": "A page number within the paginated result set.",
-                "schema": {"type": "integer"},
-            },
-            ResolvedComponent.PARAMETER,
-        ),
-        "page_size": create_component(
-            generator,
-            "QueryPaginationPageSize",
-            {
-                "name": "page_size",
-                "required": False,
-                "in": "query",
-                "description": "Number of results to return per page.",
-                "schema": {"type": "integer"},
-            },
-            ResolvedComponent.PARAMETER,
-        ),
-        "search": create_component(
-            generator,
-            "QuerySearch",
-            {
-                "name": "search",
-                "required": False,
-                "in": "query",
-                "description": "A search term.",
-                "schema": {"type": "string"},
-            },
-            ResolvedComponent.PARAMETER,
-        ),
-    }
+def postprocess_schema_query_params(
+    result: dict[str, Any], generator: SchemaGenerator, **kwargs
+) -> dict[str, Any]:
+    """Optimise pagination parameters, instead of redeclaring parameters for each endpoint
+    declare them globally and refer to them"""
+    LOGGER.debug("Deduplicating query parameters")
     for path in result["paths"].values():
         for method in path.values():
-            # print(method["parameters"])
             for idx, param in enumerate(method.get("parameters", [])):
-                for replace_name, replace_ref in to_replace.items():
-                    if param["name"] == replace_name:
-                        method["parameters"][idx] = replace_ref.ref
-            # print(method["parameters"])
+                if param["name"] not in QUERY_PARAMS:
+                    continue
+                method["parameters"][idx] = QUERY_PARAMS[param["name"]].ref
     return result
 
 
-def preprocess_schema_exclude_non_api(endpoints, **kwargs):
-    """Filter out all API Views which are not mounted under /api"""
-    return [
-        (path, path_regex, method, callback)
-        for path, path_regex, method, callback in endpoints
-        if path.startswith("/" + AuthentikAPIConfig.mountpoint)
-    ]
+def postprocess_schema_remove_unused(
+    result: dict[str, Any], generator: SchemaGenerator, **kwargs
+) -> dict[str, Any]:
+    """Remove unused components"""
+    # To check if the schema is used, render it to JSON and then substring check that
+    # less efficient than walking through the tree but a lot simpler and no
+    # possibility that we miss something
+    raw = OpenApiJsonRenderer().render(result, renderer_context={}).decode()
+    count = 0
+    for key in result["components"][ResolvedComponent.SCHEMA].keys():
+        schema_usages = raw.count(f"#/components/{ResolvedComponent.SCHEMA}/{key}")
+        if schema_usages >= 1:
+            continue
+        del generator.registry[(key, ResolvedComponent.SCHEMA)]
+        count += 1
+    LOGGER.debug("Removing unused components", count=count)
+    result["components"] = generator.registry.build(spectacular_settings.APPEND_COMPONENTS)
+    return result

authentik/api/v3/config.py

@@ -56,7 +56,6 @@ class ConfigSerializer(PassiveSerializer):
     cache_timeout = IntegerField(required=True)
     cache_timeout_flows = IntegerField(required=True)
     cache_timeout_policies = IntegerField(required=True)
-    cache_timeout_reputation = IntegerField(required=True)
 
 
 class ConfigView(APIView):
@@ -103,7 +102,6 @@ class ConfigView(APIView):
                 "cache_timeout": CONFIG.get_int("cache.timeout"),
                 "cache_timeout_flows": CONFIG.get_int("cache.timeout_flows"),
                 "cache_timeout_policies": CONFIG.get_int("cache.timeout_policies"),
-                "cache_timeout_reputation": CONFIG.get_int("cache.timeout_reputation"),
             }
         )
 

authentik/api/v3/schema/query.py

@@ -0,0 +1,65 @@
+from django.utils.translation import gettext_lazy as _
+from drf_spectacular.plumbing import (
+    ResolvedComponent,
+    build_basic_type,
+    build_parameter_type,
+)
+from drf_spectacular.types import OpenApiTypes
+
+QUERY_PARAMS = {
+    "ordering": ResolvedComponent(
+        name="QueryPaginationOrdering",
+        type=ResolvedComponent.PARAMETER,
+        object="QueryPaginationOrdering",
+        schema=build_parameter_type(
+            name="ordering",
+            schema=build_basic_type(OpenApiTypes.STR),
+            location="query",
+            description=_("Which field to use when ordering the results."),
+        ),
+    ),
+    "page": ResolvedComponent(
+        name="QueryPaginationPage",
+        type=ResolvedComponent.PARAMETER,
+        object="QueryPaginationPage",
+        schema=build_parameter_type(
+            name="page",
+            schema=build_basic_type(OpenApiTypes.INT),
+            location="query",
+            description=_("A page number within the paginated result set."),
+        ),
+    ),
+    "page_size": ResolvedComponent(
+        name="QueryPaginationPageSize",
+        type=ResolvedComponent.PARAMETER,
+        object="QueryPaginationPageSize",
+        schema=build_parameter_type(
+            name="page_size",
+            schema=build_basic_type(OpenApiTypes.INT),
+            location="query",
+            description=_("Number of results to return per page."),
+        ),
+    ),
+    "search": ResolvedComponent(
+        name="QuerySearch",
+        type=ResolvedComponent.PARAMETER,
+        object="QuerySearch",
+        schema=build_parameter_type(
+            name="search",
+            schema=build_basic_type(OpenApiTypes.STR),
+            location="query",
+            description=_("A search term."),
+        ),
+    ),
+    # Not related to pagination but a very common query param
+    "name": ResolvedComponent(
+        name="QueryName",
+        type=ResolvedComponent.PARAMETER,
+        object="QueryName",
+        schema=build_parameter_type(
+            name="name",
+            schema=build_basic_type(OpenApiTypes.STR),
+            location="query",
+        ),
+    ),
+}

authentik/api/v3/schema/response.py

@@ -0,0 +1,84 @@
+from django.utils.translation import gettext_lazy as _
+from drf_spectacular.plumbing import (
+    ResolvedComponent,
+    build_array_type,
+    build_basic_type,
+    build_object_type,
+)
+from drf_spectacular.types import OpenApiTypes
+from rest_framework.settings import api_settings
+
+GENERIC_ERROR = ResolvedComponent(
+    name="GenericError",
+    type=ResolvedComponent.SCHEMA,
+    object="GenericError",
+    schema=build_object_type(
+        description=_("Generic API Error"),
+        properties={
+            "detail": build_basic_type(OpenApiTypes.STR),
+            "code": build_basic_type(OpenApiTypes.STR),
+        },
+        required=["detail"],
+    ),
+)
+GENERIC_ERROR_RESPONSE = ResolvedComponent(
+    name="GenericErrorResponse",
+    type=ResolvedComponent.RESPONSE,
+    object="GenericErrorResponse",
+    schema={
+        "content": {"application/json": {"schema": GENERIC_ERROR.ref}},
+        "description": "",
+    },
+)
+VALIDATION_ERROR = ResolvedComponent(
+    "ValidationError",
+    object="ValidationError",
+    type=ResolvedComponent.SCHEMA,
+    schema=build_object_type(
+        description=_("Validation Error"),
+        properties={
+            api_settings.NON_FIELD_ERRORS_KEY: build_array_type(build_basic_type(OpenApiTypes.STR)),
+            "code": build_basic_type(OpenApiTypes.STR),
+        },
+        required=[],
+        additionalProperties={},
+    ),
+)
+VALIDATION_ERROR_RESPONSE = ResolvedComponent(
+    name="ValidationErrorResponse",
+    type=ResolvedComponent.RESPONSE,
+    object="ValidationErrorResponse",
+    schema={
+        "content": {
+            "application/json": {
+                "schema": VALIDATION_ERROR.ref,
+            }
+        },
+        "description": "",
+    },
+)
+PAGINATION = ResolvedComponent(
+    name="Pagination",
+    type=ResolvedComponent.SCHEMA,
+    object="Pagination",
+    schema=build_object_type(
+        properties={
+            "next": build_basic_type(OpenApiTypes.NUMBER),
+            "previous": build_basic_type(OpenApiTypes.NUMBER),
+            "count": build_basic_type(OpenApiTypes.NUMBER),
+            "current": build_basic_type(OpenApiTypes.NUMBER),
+            "total_pages": build_basic_type(OpenApiTypes.NUMBER),
+            "start_index": build_basic_type(OpenApiTypes.NUMBER),
+            "end_index": build_basic_type(OpenApiTypes.NUMBER),
+        },
+        required=[
+            "next",
+            "previous",
+            "count",
+            "current",
+            "total_pages",
+            "start_index",
+            "end_index",
+        ],
+    ),
+)

authentik/blueprints/v1/importer.py

@@ -15,6 +15,7 @@ from django.db.models import Model
 from django.db.models.query_utils import Q
 from django.db.transaction import atomic
 from django.db.utils import IntegrityError
+from django_channels_postgres.models import GroupChannel, Message
 from guardian.models import UserObjectPermission
 from guardian.shortcuts import assign_perm
 from rest_framework.exceptions import ValidationError
@@ -71,13 +72,15 @@ from authentik.providers.oauth2.models import (
     DeviceToken,
     RefreshToken,
 )
+from authentik.providers.proxy.models import ProxySession
 from authentik.providers.rac.models import ConnectionToken
+from authentik.providers.saml.models import SAMLSession
 from authentik.providers.scim.models import SCIMProviderGroup, SCIMProviderUser
 from authentik.rbac.models import Role
 from authentik.sources.scim.models import SCIMSourceGroup, SCIMSourceUser
 from authentik.stages.authenticator_webauthn.models import WebAuthnDeviceType
 from authentik.stages.consent.models import UserConsent
-from authentik.tasks.models import Task
+from authentik.tasks.models import Task, TaskLog
 from authentik.tenants.models import Tenant
 
 # Context set when the serializer is created in a blueprint context
@@ -120,10 +123,12 @@ def excluded_models() -> list[type[Model]]:
         SCIMProviderUser,
         Tenant,
         Task,
+        TaskLog,
         ConnectionToken,
         AuthorizationCode,
         AccessToken,
         RefreshToken,
+        ProxySession,
         Reputation,
         WebAuthnDeviceType,
         SCIMSourceUser,
@@ -137,6 +142,9 @@ def excluded_models() -> list[type[Model]]:
         DeviceToken,
         StreamEvent,
         UserConsent,
+        SAMLSession,
+        Message,
+        GroupChannel,
     )
 
 
@@ -305,6 +313,7 @@ class Importer:
 
         serializer_kwargs = {}
         model_instance = existing_models.first()
+        override_serializer_instance = False
         if (
             not isinstance(model(), BaseMetaModel)
             and model_instance
@@ -333,11 +342,7 @@ class Importer:
                 model=model,
                 **cleanse_dict(updated_identifiers),
             )
-            model_instance = model()
-            # pk needs to be set on the model instance otherwise a new one will be generated
-            if "pk" in updated_identifiers:
-                model_instance.pk = updated_identifiers["pk"]
-            serializer_kwargs["instance"] = model_instance
+            override_serializer_instance = True
         try:
             full_data = self.__update_pks_for_attrs(entry.get_attrs(self._import))
         except ValueError as exc:
@@ -360,6 +365,12 @@ class Importer:
                 entry=entry,
                 serializer=serializer,
             ) from exc
+        if override_serializer_instance:
+            model_instance = model()
+            # pk needs to be set on the model instance otherwise a new one will be generated
+            if "pk" in updated_identifiers:
+                model_instance.pk = updated_identifiers["pk"]
+            serializer.instance = model_instance
         return serializer
 
     def _apply_permissions(self, instance: Model, entry: BlueprintEntry):
@@ -438,7 +449,7 @@ class Importer:
                 self._apply_permissions(instance, entry)
             elif state == BlueprintEntryDesiredState.ABSENT:
                 instance: Model | None = serializer.instance
-                if instance.pk:
+                if instance and instance.pk:
                     instance.delete()
                     self.logger.debug("Deleted model", mode=instance)
                     continue

authentik/blueprints/v1/tasks.py

@@ -12,7 +12,7 @@ from django.db import DatabaseError, InternalError, ProgrammingError
 from django.utils.text import slugify
 from django.utils.timezone import now
 from django.utils.translation import gettext_lazy as _
-from django_dramatiq_postgres.middleware import CurrentTask, CurrentTaskNotFound
+from django_dramatiq_postgres.middleware import CurrentTaskNotFound
 from dramatiq.actor import actor
 from dramatiq.middleware import Middleware
 from structlog.stdlib import get_logger
@@ -39,6 +39,7 @@ from authentik.events.logs import capture_logs
 from authentik.events.utils import sanitize_dict
 from authentik.lib.config import CONFIG
 from authentik.tasks.apps import PRIORITY_HIGH
+from authentik.tasks.middleware import CurrentTask
 from authentik.tasks.models import Task
 from authentik.tasks.schedules.models import Schedule
 from authentik.tenants.models import Tenant
@@ -111,7 +112,6 @@ class BlueprintEventHandler(FileSystemEventHandler):
 
 @actor(
     description=_("Find blueprints as `blueprints_find` does, but return a safe dict."),
-    throws=(DatabaseError, ProgrammingError, InternalError),
     priority=PRIORITY_HIGH,
 )
 def blueprints_find_dict():
@@ -150,12 +150,9 @@ def blueprints_find() -> list[BlueprintFile]:
     return blueprints
 
 
-@actor(
-    description=_("Find blueprints and check if they need to be created in the database."),
-    throws=(DatabaseError, ProgrammingError, InternalError),
-)
+@actor(description=_("Find blueprints and check if they need to be created in the database."))
 def blueprints_discovery(path: str | None = None):
-    self: Task = CurrentTask.get_task()
+    self = CurrentTask.get_task()
     count = 0
     for blueprint in blueprints_find():
         if path and blueprint.path != path:
@@ -195,7 +192,7 @@ def check_blueprint_v1_file(blueprint: BlueprintFile):
 @actor(description=_("Apply single blueprint."))
 def apply_blueprint(instance_pk: UUID):
     try:
-        self: Task = CurrentTask.get_task()
+        self = CurrentTask.get_task()
     except CurrentTaskNotFound:
         self = Task()
     self.set_uid(str(instance_pk))

authentik/brands/tests.py

@@ -1,8 +1,11 @@
 """Test brands"""
 
+from json import loads
+
 from django.urls import reverse
 from rest_framework.test import APITestCase
 
+from authentik.blueprints.tests import apply_blueprint
 from authentik.brands.api import Themes
 from authentik.brands.models import Brand
 from authentik.core.models import Application
@@ -23,6 +26,7 @@ class TestBrands(APITestCase):
             _flag = flag()
             if _flag.visibility == "public":
                 self.default_flags[_flag.key] = _flag.get()
+        Brand.objects.all().delete()
 
     def test_current_brand(self):
         """Test Current brand API"""
@@ -44,7 +48,6 @@ class TestBrands(APITestCase):
 
     def test_brand_subdomain(self):
         """Test Current brand API"""
-        Brand.objects.all().delete()
         Brand.objects.create(domain="bar.baz", branding_title="custom")
         self.assertJSONEqual(
             self.client.get(
@@ -65,7 +68,6 @@ class TestBrands(APITestCase):
 
     def test_fallback(self):
         """Test fallback brand"""
-        Brand.objects.all().delete()
         self.assertJSONEqual(
             self.client.get(reverse("authentik_api:brand-current")).content.decode(),
             {
@@ -81,6 +83,109 @@ class TestBrands(APITestCase):
             },
         )
 
+    @apply_blueprint("default/default-brand.yaml")
+    def test_blueprint(self):
+        """Test Current brand API"""
+        response = loads(self.client.get(reverse("authentik_api:brand-current")).content.decode())
+        response.pop("flow_authentication", None)
+        response.pop("flow_invalidation", None)
+        response.pop("flow_user_settings", None)
+        self.assertEqual(
+            response,
+            {
+                "branding_logo": "/static/dist/assets/icons/icon_left_brand.svg",
+                "branding_favicon": "/static/dist/assets/icons/icon.png",
+                "branding_title": "authentik",
+                "branding_custom_css": "",
+                "matched_domain": "authentik-default",
+                "ui_footer_links": [],
+                "ui_theme": Themes.AUTOMATIC,
+                "default_locale": "",
+                "flags": self.default_flags,
+            },
+        )
+
+    @apply_blueprint("default/default-brand.yaml")
+    def test_blueprint_with_other_brand(self):
+        """Test Current brand API"""
+        Brand.objects.create(domain="bar.baz", branding_title="custom")
+        response = loads(self.client.get(reverse("authentik_api:brand-current")).content.decode())
+        response.pop("flow_authentication", None)
+        response.pop("flow_invalidation", None)
+        response.pop("flow_user_settings", None)
+        self.assertEqual(
+            response,
+            {
+                "branding_logo": "/static/dist/assets/icons/icon_left_brand.svg",
+                "branding_favicon": "/static/dist/assets/icons/icon.png",
+                "branding_title": "authentik",
+                "branding_custom_css": "",
+                "matched_domain": "authentik-default",
+                "ui_footer_links": [],
+                "ui_theme": Themes.AUTOMATIC,
+                "default_locale": "",
+                "flags": self.default_flags,
+            },
+        )
+        self.assertJSONEqual(
+            self.client.get(
+                reverse("authentik_api:brand-current"), HTTP_HOST="foo.bar.baz"
+            ).content.decode(),
+            {
+                "branding_logo": "/static/dist/assets/icons/icon_left_brand.svg",
+                "branding_favicon": "/static/dist/assets/icons/icon.png",
+                "branding_title": "custom",
+                "branding_custom_css": "",
+                "matched_domain": "bar.baz",
+                "ui_footer_links": [],
+                "ui_theme": Themes.AUTOMATIC,
+                "default_locale": "",
+                "flags": self.default_flags,
+            },
+        )
+
+    def test_brand_subdomain_same_suffix(self):
+        """Test Current brand API"""
+        Brand.objects.create(domain="bar.baz", branding_title="custom-weak")
+        Brand.objects.create(domain="foo.bar.baz", branding_title="custom-strong")
+        self.assertJSONEqual(
+            self.client.get(
+                reverse("authentik_api:brand-current"), HTTP_HOST="foo.bar.baz"
+            ).content.decode(),
+            {
+                "branding_logo": "/static/dist/assets/icons/icon_left_brand.svg",
+                "branding_favicon": "/static/dist/assets/icons/icon.png",
+                "branding_title": "custom-strong",
+                "branding_custom_css": "",
+                "matched_domain": "foo.bar.baz",
+                "ui_footer_links": [],
+                "ui_theme": Themes.AUTOMATIC,
+                "default_locale": "",
+                "flags": self.default_flags,
+            },
+        )
+
+    def test_brand_subdomain_other_suffix(self):
+        """Test Current brand API"""
+        Brand.objects.create(domain="bar.baz", branding_title="custom-weak")
+        Brand.objects.create(domain="foo.bar.baz", branding_title="custom-strong")
+        self.assertJSONEqual(
+            self.client.get(
+                reverse("authentik_api:brand-current"), HTTP_HOST="other.bar.baz"
+            ).content.decode(),
+            {
+                "branding_logo": "/static/dist/assets/icons/icon_left_brand.svg",
+                "branding_favicon": "/static/dist/assets/icons/icon.png",
+                "branding_title": "custom-weak",
+                "branding_custom_css": "",
+                "matched_domain": "bar.baz",
+                "ui_footer_links": [],
+                "ui_theme": Themes.AUTOMATIC,
+                "default_locale": "",
+                "flags": self.default_flags,
+            },
+        )
+
     def test_create_default_multiple(self):
         """Test attempted creation of multiple default brands"""
         Brand.objects.create(

authentik/brands/utils.py

@@ -2,8 +2,8 @@
 
 from typing import Any
 
-from django.db.models import F, Q
-from django.db.models import Value as V
+from django.db.models import Case, F, IntegerField, Q, Value, When
+from django.db.models.functions import Length
 from django.http.request import HttpRequest
 from django.utils.html import _json_script_escapes
 from django.utils.safestring import mark_safe
@@ -19,15 +19,36 @@ DEFAULT_BRAND = Brand(domain="fallback")
 
 def get_brand_for_request(request: HttpRequest) -> Brand:
     """Get brand object for current request"""
-    db_brands = (
-        Brand.objects.annotate(host_domain=V(request.get_host()))
-        .filter(Q(host_domain__iendswith=F("domain")) | _q_default)
-        .order_by("default")
+
+    brand = (
+        Brand.objects.annotate(
+            host_domain=Value(request.get_host()),
+            domain_length=Length("domain"),
+            match_priority=Case(
+                When(
+                    condition=Q(host_domain__iendswith=F("domain")),
+                    then=F("domain_length"),
+                ),
+                default=Value(-1),
+                output_field=IntegerField(),
+            ),
+            is_default_fallback=Case(
+                When(
+                    condition=Q(default=True),
+                    then=Value(0),
+                ),
+                default=Value(-2),
+                output_field=IntegerField(),
+            ),
+        )
+        .filter(Q(match_priority__gt=-1) | Q(default=True))
+        .order_by("-match_priority", "-is_default_fallback")
+        .first()
     )
-    brands = list(db_brands.all())
-    if len(brands) < 1:
+
+    if brand is None:
         return DEFAULT_BRAND
-    return brands[0]
+    return brand
 
 
 def context_processor(request: HttpRequest) -> dict[str, Any]:

authentik/commands/apps.py

@@ -0,0 +1,8 @@
+from authentik.blueprints.apps import ManagedAppConfig
+
+
+class AuthentikCommandsConfig(ManagedAppConfig):
+    name = "authentik.commands"
+    label = "authentik_commands"
+    verbose_name = "authentik Commands"
+    default = True

authentik/commands/management/commands/__init__.py

@@ -0,0 +1,8 @@
+from django.db.migrations.autodetector import MigrationAutodetector as BaseMigrationAutodetector
+from pgtrigger.migrations import MigrationAutodetectorMixin
+
+MigrationAutodetector = type(
+    "MigrationAutodetector",
+    (MigrationAutodetectorMixin, BaseMigrationAutodetector),
+    {},
+)

authentik/commands/management/commands/makemigrations.py

@@ -0,0 +1,7 @@
+from django.core.management.commands.makemigrations import Command as BaseCommand
+
+from authentik.commands.management.commands import MigrationAutodetector
+
+
+class Command(BaseCommand):
+    autodetector = MigrationAutodetector

authentik/commands/management/commands/migrate.py

@@ -0,0 +1,7 @@
+from django_tenants.management.commands.migrate import Command as BaseCommand
+
+from authentik.commands.management.commands import MigrationAutodetector
+
+
+class Command(BaseCommand):
+    autodetector = MigrationAutodetector  # type: ignore[assignment]

authentik/commands/management/commands/migrate_schemas.py

@@ -0,0 +1,7 @@
+from django_tenants.management.commands.migrate_schemas import Command as BaseCommand
+
+from authentik.commands.management.commands import MigrationAutodetector
+
+
+class Command(BaseCommand):
+    autodetector = MigrationAutodetector  # type: ignore[assignment]

authentik/core/api/groups.py

@@ -29,8 +29,8 @@ from authentik.rbac.api.roles import RoleSerializer
 from authentik.rbac.decorators import permission_required
 
 
-class GroupMemberSerializer(ModelSerializer):
-    """Stripped down user serializer to show relevant users for groups"""
+class PartialUserSerializer(ModelSerializer):
+    """Partial User Serializer, does not include child relations."""
 
     attributes = JSONDictField(required=False)
     uid = CharField(read_only=True)
@@ -94,11 +94,11 @@ class GroupSerializer(ModelSerializer):
             return True
         return str(request.query_params.get("include_children", "false")).lower() == "true"
 
-    @extend_schema_field(GroupMemberSerializer(many=True))
-    def get_users_obj(self, instance: Group) -> list[GroupMemberSerializer] | None:
+    @extend_schema_field(PartialUserSerializer(many=True))
+    def get_users_obj(self, instance: Group) -> list[PartialUserSerializer] | None:
         if not self._should_include_users:
             return None
-        return GroupMemberSerializer(instance.users, many=True).data
+        return PartialUserSerializer(instance.users, many=True).data
 
     @extend_schema_field(GroupChildSerializer(many=True))
     def get_children_obj(self, instance: Group) -> list[GroupChildSerializer] | None:
@@ -228,6 +228,19 @@ class GroupViewSet(UsedByMixin, ModelViewSet):
     filterset_class = GroupFilter
     ordering = ["name"]
 
+    def get_ql_fields(self):
+        from djangoql.schema import BoolField, StrField
+
+        from authentik.enterprise.search.fields import (
+            JSONSearchField,
+        )
+
+        return [
+            StrField(Group, "name"),
+            BoolField(Group, "is_superuser", nullable=True),
+            JSONSearchField(Group, "attributes", suggest_nested=False),
+        ]
+
     def get_queryset(self):
         base_qs = Group.objects.all().select_related("parent").prefetch_related("roles")
 

authentik/core/api/users.py

@@ -97,8 +97,8 @@ class ParamUserSerializer(PassiveSerializer):
     user = PrimaryKeyRelatedField(queryset=User.objects.all().exclude_anonymous(), required=False)
 
 
-class UserGroupSerializer(ModelSerializer):
-    """Simplified Group Serializer for user's groups"""
+class PartialGroupSerializer(ModelSerializer):
+    """Partial Group Serializer, does not include child relations."""
 
     attributes = JSONDictField(required=False)
     parent_name = CharField(source="parent.name", read_only=True, allow_null=True)
@@ -143,11 +143,11 @@ class UserSerializer(ModelSerializer):
             return True
         return str(request.query_params.get("include_groups", "true")).lower() == "true"
 
-    @extend_schema_field(UserGroupSerializer(many=True))
-    def get_groups_obj(self, instance: User) -> list[UserGroupSerializer] | None:
+    @extend_schema_field(PartialGroupSerializer(many=True))
+    def get_groups_obj(self, instance: User) -> list[PartialGroupSerializer] | None:
         if not self._should_include_groups:
             return None
-        return UserGroupSerializer(instance.ak_groups, many=True).data
+        return PartialGroupSerializer(instance.ak_groups, many=True).data
 
     def __init__(self, *args, **kwargs):
         super().__init__(*args, **kwargs)
@@ -334,6 +334,21 @@ class UserPasswordSetSerializer(PassiveSerializer):
     password = CharField(required=True)
 
 
+class UserServiceAccountSerializer(PassiveSerializer):
+    """Payload to create a service account"""
+
+    name = CharField(
+        required=True,
+        validators=[UniqueValidator(queryset=User.objects.all().order_by("username"))],
+    )
+    create_group = BooleanField(default=False)
+    expiring = BooleanField(default=True)
+    expires = DateTimeField(
+        required=False,
+        help_text="If not provided, valid for 360 days",
+    )
+
+
 class UsersFilter(FilterSet):
     """Filter for users"""
 
@@ -494,18 +509,7 @@ class UserViewSet(UsedByMixin, ModelViewSet):
 
     @permission_required(None, ["authentik_core.add_user", "authentik_core.add_token"])
     @extend_schema(
-        request=inline_serializer(
-            "UserServiceAccountSerializer",
-            {
-                "name": CharField(required=True),
-                "create_group": BooleanField(default=False),
-                "expiring": BooleanField(default=True),
-                "expires": DateTimeField(
-                    required=False,
-                    help_text="If not provided, valid for 360 days",
-                ),
-            },
-        ),
+        request=UserServiceAccountSerializer,
         responses={
             200: inline_serializer(
                 "UserServiceAccountResponse",
@@ -527,11 +531,12 @@ class UserViewSet(UsedByMixin, ModelViewSet):
     )
     def service_account(self, request: Request) -> Response:
         """Create a new user account that is marked as a service account"""
-        username = request.data.get("name")
-        create_group = request.data.get("create_group", False)
-        expiring = request.data.get("expiring", True)
-        expires = request.data.get("expires", now() + timedelta(days=360))
+        data = UserServiceAccountSerializer(data=request.data)
+        data.is_valid(raise_exception=True)
+        expires = data.validated_data.get("expires", now() + timedelta(days=360))
 
+        username = data.validated_data["name"]
+        expiring = data.validated_data["expiring"]
         with atomic():
             try:
                 user: User = User.objects.create(
@@ -549,10 +554,10 @@ class UserViewSet(UsedByMixin, ModelViewSet):
                     "user_uid": user.uid,
                     "user_pk": user.pk,
                 }
-                if create_group and self.request.user.has_perm("authentik_core.add_group"):
-                    group = Group.objects.create(
-                        name=username,
-                    )
+                if data.validated_data["create_group"] and self.request.user.has_perm(
+                    "authentik_core.add_group"
+                ):
+                    group = Group.objects.create(name=username)
                     group.users.add(user)
                     response["group_pk"] = str(group.pk)
                 token = Token.objects.create(
@@ -565,7 +570,29 @@ class UserViewSet(UsedByMixin, ModelViewSet):
                 response["token"] = token.key
                 return Response(response)
             except IntegrityError as exc:
-                return Response(data={"non_field_errors": [str(exc)]}, status=400)
+                error_msg = str(exc).lower()
+
+                if "unique" in error_msg:
+                    return Response(
+                        data={
+                            "non_field_errors": [
+                                _("A user/group with these details already exists")
+                            ]
+                        },
+                        status=400,
+                    )
+                else:
+                    LOGGER.warning("Service account creation failed", exc=exc)
+                    return Response(
+                        data={"non_field_errors": [_("Unable to create user")]},
+                        status=400,
+                    )
+            except (ValueError, TypeError) as exc:
+                LOGGER.error("Unexpected error during service account creation", exc=exc)
+                return Response(
+                    data={"non_field_errors": [_("Unknown error occurred")]},
+                    status=500,
+                )
 
     @extend_schema(responses={200: SessionUserSerializer(many=False)})
     @action(
@@ -719,7 +746,7 @@ class UserViewSet(UsedByMixin, ModelViewSet):
         return Response(status=204)
 
     @extend_schema(
-        request=OpenApiTypes.NONE,
+        request=None,
         responses={
             "204": OpenApiResponse(description="Successfully ended impersonation"),
         },

authentik/core/management/commands/shell.py

@@ -1,13 +1,9 @@
 """authentik shell command"""
 
-import code
 import platform
-import sys
-import traceback
 from pprint import pprint
 
-from django.apps import apps
-from django.core.management.base import BaseCommand
+from django.core.management.commands.shell import Command as BaseCommand
 from django.db.models import Model
 from django.db.models.signals import post_save, pre_delete
 
@@ -26,29 +22,12 @@ def get_banner_text(shell_type="shell") -> str:
 class Command(BaseCommand):
     """Start the Django shell with all authentik models already imported"""
 
-    django_models = {}
-
-    def add_arguments(self, parser):
-        parser.add_argument(
-            "-c",
-            "--command",
-            help="Python code to execute (instead of starting an interactive shell)",
-        )
-
-    def get_namespace(self):
-        """Prepare namespace with all models"""
-        namespace = {
+    def get_namespace(self, **options):
+        return {
+            **super().get_namespace(**options),
             "pprint": pprint,
         }
 
-        # Gather Django models and constants from each app
-        for app in apps.get_app_configs():
-            # Load models from each app
-            for model in app.get_models():
-                namespace[model.__name__] = model
-
-        return namespace
-
     @staticmethod
     def post_save_handler(sender, instance: Model, created: bool, **_):
         """Signal handler for all object's post_save"""
@@ -79,41 +58,9 @@ class Command(BaseCommand):
         ).save()
 
     def handle(self, **options):
-        namespace = self.get_namespace()
-
         post_save.connect(Command.post_save_handler)
         pre_delete.connect(Command.pre_delete_handler)
 
-        # If Python code has been passed, execute it and exit.
-        if options["command"]:
+        print(get_banner_text())
 
-            exec(options["command"], namespace)  # nosec # noqa
-            return
-
-        try:
-            hook = sys.__interactivehook__
-        except AttributeError:
-            # Match the behavior of the cpython shell where a missing
-            # sys.__interactivehook__ is ignored.
-            pass
-        else:
-            try:
-                hook()
-            except Exception:  # noqa
-                # Match the behavior of the cpython shell where an error in
-                # sys.__interactivehook__ prints a warning and the exception
-                # and continues.
-                print("Failed calling sys.__interactivehook__")
-                traceback.print_exc()
-        # Try to enable tab-complete
-        try:
-            import readline
-            import rlcompleter
-        except ModuleNotFoundError:
-            pass
-        else:
-            readline.set_completer(rlcompleter.Completer(namespace).complete)
-            readline.parse_and_bind("tab: complete")
-
-        # Run interactive shell
-        code.interact(banner=get_banner_text(), local=namespace)
+        super().handle(**options)

authentik/core/migrations/0018_auto_20210330_1345_squashed_0028_alter_token_intent.py

@@ -13,14 +13,6 @@ import authentik.core.models
 import authentik.lib.models
 
 
-def migrate_sessions(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
-    from django.contrib.sessions.backends.cache import KEY_PREFIX
-    from django.core.cache import cache
-
-    session_keys = cache.keys(KEY_PREFIX + "*")
-    cache.delete_many(session_keys)
-
-
 def fix_duplicates(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
     db_alias = schema_editor.connection.alias
     Token = apps.get_model("authentik_core", "token")
@@ -151,9 +143,6 @@ class Migration(migrations.Migration):
                 "abstract": False,
             },
         ),
-        migrations.RunPython(
-            code=migrate_sessions,
-        ),
         migrations.AlterField(
             model_name="application",
             name="meta_launch_url",

authentik/core/migrations/0046_session_and_more.py

@@ -7,15 +7,10 @@ from django.contrib.auth import BACKEND_SESSION_KEY, HASH_SESSION_KEY, SESSION_K
 from django.db import migrations, models
 import django.db.models.deletion
 from django.conf import settings
-from django.contrib.sessions.backends.cache import KEY_PREFIX
-from django.utils.timezone import now, timedelta
 from authentik.lib.migrations import progress_bar
 from authentik.root.middleware import ClientIPMiddleware
 
 
-SESSION_CACHE_ALIAS = "default"
-
-
 class PickleSerializer:
     """
     Simple wrapper around pickle to be used in signing.dumps()/loads() and
@@ -83,27 +78,6 @@ def _migrate_session(
         )
 
 
-def migrate_redis_sessions(apps, schema_editor):
-    from django.core.cache import caches
-
-    db_alias = schema_editor.connection.alias
-    cache = caches[SESSION_CACHE_ALIAS]
-
-    # Not a redis cache, skipping
-    if not hasattr(cache, "keys"):
-        return
-
-    print("\nMigrating Redis sessions to database, this might take a couple of minutes...")
-    for key, session_data in progress_bar(cache.get_many(cache.keys(f"{KEY_PREFIX}*")).items()):
-        _migrate_session(
-            apps=apps,
-            db_alias=db_alias,
-            session_key=key.removeprefix(KEY_PREFIX),
-            session_data=session_data,
-            expires=now() + timedelta(seconds=cache.ttl(key)),
-        )
-
-
 def migrate_database_sessions(apps, schema_editor):
     DjangoSession = apps.get_model("sessions", "Session")
     db_alias = schema_editor.connection.alias
@@ -231,10 +205,6 @@ class Migration(migrations.Migration):
                 "verbose_name_plural": "Authenticated Sessions",
             },
         ),
-        migrations.RunPython(
-            code=migrate_redis_sessions,
-            reverse_code=migrations.RunPython.noop,
-        ),
         migrations.RunPython(
             code=migrate_database_sessions,
             reverse_code=migrations.RunPython.noop,

authentik/core/migrations/0051_group_authentik_c_is_supe_1e5a97_idx.py

@@ -0,0 +1,18 @@
+# Generated by Django 5.1.12 on 2025-09-25 13:39
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_core", "0050_user_last_updated_and_more"),
+        ("authentik_rbac", "0006_alter_role_options"),
+    ]
+
+    operations = [
+        migrations.AddIndex(
+            model_name="group",
+            index=models.Index(fields=["is_superuser"], name="authentik_c_is_supe_1e5a97_idx"),
+        ),
+    ]

authentik/core/models.py

@@ -15,7 +15,7 @@ from django.db import models
 from django.db.models import Q, QuerySet, options
 from django.db.models.constants import LOOKUP_SEP
 from django.http import HttpRequest
-from django.utils.functional import SimpleLazyObject, cached_property
+from django.utils.functional import cached_property
 from django.utils.timezone import now
 from django.utils.translation import gettext_lazy as _
 from django_cte import CTE, with_cte
@@ -29,6 +29,7 @@ from authentik.blueprints.models import ManagedModel
 from authentik.core.expression.exceptions import PropertyMappingExpressionException
 from authentik.core.types import UILoginButton, UserSettingSerializer
 from authentik.lib.avatars import get_avatar
+from authentik.lib.config import CONFIG
 from authentik.lib.expression.exceptions import ControlFlowException
 from authentik.lib.generators import generate_id
 from authentik.lib.merge import MERGE_LIST_UNIQUE
@@ -43,18 +44,19 @@ from authentik.tenants.models import DEFAULT_TOKEN_DURATION, DEFAULT_TOKEN_LENGT
 from authentik.tenants.utils import get_current_tenant, get_unique_identifier
 
 LOGGER = get_logger()
-USER_ATTRIBUTE_DEBUG = "goauthentik.io/user/debug"
-USER_ATTRIBUTE_GENERATED = "goauthentik.io/user/generated"
-USER_ATTRIBUTE_EXPIRES = "goauthentik.io/user/expires"
-USER_ATTRIBUTE_DELETE_ON_LOGOUT = "goauthentik.io/user/delete-on-logout"
-USER_ATTRIBUTE_SOURCES = "goauthentik.io/user/sources"
-USER_ATTRIBUTE_TOKEN_EXPIRING = "goauthentik.io/user/token-expires"  # nosec
-USER_ATTRIBUTE_TOKEN_MAXIMUM_LIFETIME = "goauthentik.io/user/token-maximum-lifetime"  # nosec
-USER_ATTRIBUTE_CHANGE_USERNAME = "goauthentik.io/user/can-change-username"
-USER_ATTRIBUTE_CHANGE_NAME = "goauthentik.io/user/can-change-name"
-USER_ATTRIBUTE_CHANGE_EMAIL = "goauthentik.io/user/can-change-email"
 USER_PATH_SYSTEM_PREFIX = "goauthentik.io"
-USER_PATH_SERVICE_ACCOUNT = USER_PATH_SYSTEM_PREFIX + "/service-accounts"
+_USER_ATTR_PREFIX = f"{USER_PATH_SYSTEM_PREFIX}/user"
+USER_ATTRIBUTE_DEBUG = f"{_USER_ATTR_PREFIX}/debug"
+USER_ATTRIBUTE_GENERATED = f"{_USER_ATTR_PREFIX}/generated"
+USER_ATTRIBUTE_EXPIRES = f"{_USER_ATTR_PREFIX}/expires"
+USER_ATTRIBUTE_DELETE_ON_LOGOUT = f"{_USER_ATTR_PREFIX}/delete-on-logout"
+USER_ATTRIBUTE_SOURCES = f"{_USER_ATTR_PREFIX}/sources"
+USER_ATTRIBUTE_TOKEN_EXPIRING = f"{_USER_ATTR_PREFIX}/token-expires"  # nosec
+USER_ATTRIBUTE_TOKEN_MAXIMUM_LIFETIME = f"{_USER_ATTR_PREFIX}/token-maximum-lifetime"  # nosec
+USER_ATTRIBUTE_CHANGE_USERNAME = f"{_USER_ATTR_PREFIX}/can-change-username"
+USER_ATTRIBUTE_CHANGE_NAME = f"{_USER_ATTR_PREFIX}/can-change-name"
+USER_ATTRIBUTE_CHANGE_EMAIL = f"{_USER_ATTR_PREFIX}/can-change-email"
+USER_PATH_SERVICE_ACCOUNT = f"{USER_PATH_SYSTEM_PREFIX}/service-accounts"
 
 options.DEFAULT_NAMES = options.DEFAULT_NAMES + (
     # used_by API that allows models to specify if they shadow an object
@@ -206,7 +208,10 @@ class Group(SerializerModel, AttributesMixin):
                 "parent",
             ),
         )
-        indexes = [models.Index(fields=["name"])]
+        indexes = (
+            models.Index(fields=["name"]),
+            models.Index(fields=["is_superuser"]),
+        )
         verbose_name = _("Group")
         verbose_name_plural = _("Groups")
         permissions = [
@@ -403,6 +408,8 @@ class User(SerializerModel, GuardianUserMixin, AttributesMixin, AbstractUser):
 
     def locale(self, request: HttpRequest | None = None) -> str:
         """Get the locale the user has configured"""
+        if request and hasattr(request, "LANGUAGE_CODE"):
+            return request.LANGUAGE_CODE
         try:
             return self.attributes.get("settings", {}).get("locale", "")
 
@@ -569,24 +576,26 @@ class Application(SerializerModel, PolicyBindingModel):
         it is returned as-is"""
         if not self.meta_icon:
             return None
-        if "://" in self.meta_icon.name or self.meta_icon.name.startswith("/static"):
+        if self.meta_icon.name.startswith("http"):
             return self.meta_icon.name
+        if self.meta_icon.name.startswith("fa://"):
+            return self.meta_icon.name
+        if self.meta_icon.name.startswith("/"):
+            return CONFIG.get("web.path", "/")[:-1] + self.meta_icon.name
         return self.meta_icon.url
 
     def get_launch_url(self, user: Optional["User"] = None) -> str | None:
         """Get launch URL if set, otherwise attempt to get launch URL based on provider."""
+        from authentik.core.api.users import UserSerializer
+
         url = None
         if self.meta_launch_url:
             url = self.meta_launch_url
         elif provider := self.get_provider():
             url = provider.launch_url
         if user and url:
-            if isinstance(user, SimpleLazyObject):
-                user._setup()
-                user = user._wrapped
             try:
-                return url % user.__dict__
-
+                return url % UserSerializer(instance=user).data
             except Exception as exc:  # noqa
                 LOGGER.warning("Failed to format launch url", exc=exc)
                 return url
@@ -772,8 +781,12 @@ class Source(ManagedModel, SerializerModel, PolicyBindingModel):
         starts with http it is returned as-is"""
         if not self.icon:
             return None
-        if "://" in self.icon.name or self.icon.name.startswith("/static"):
+        if self.icon.name.startswith("http"):
             return self.icon.name
+        if self.icon.name.startswith("fa://"):
+            return self.icon.name
+        if self.icon.name.startswith("/"):
+            return CONFIG.get("web.path", "/")[:-1] + self.icon.name
         return self.icon.url
 
     def get_user_path(self) -> str:

authentik/core/tasks.py

@@ -4,7 +4,8 @@ from datetime import datetime, timedelta
 
 from django.utils.timezone import now
 from django.utils.translation import gettext_lazy as _
-from django_dramatiq_postgres.middleware import CurrentTask
+from django_channels_postgres.models import GroupChannel, Message
+from django_postgres_cache.tasks import clear_expired_cache
 from dramatiq.actor import actor
 from structlog.stdlib import get_logger
 
@@ -15,14 +16,14 @@ from authentik.core.models import (
     User,
 )
 from authentik.lib.utils.db import chunked_queryset
-from authentik.tasks.models import Task
+from authentik.tasks.middleware import CurrentTask
 
 LOGGER = get_logger()
 
 
 @actor(description=_("Remove expired objects."))
 def clean_expired_models():
-    self: Task = CurrentTask.get_task()
+    self = CurrentTask.get_task()
     for cls in ExpiringModel.__subclasses__():
         cls: ExpiringModel
         objects = (
@@ -33,11 +34,14 @@ def clean_expired_models():
             obj.expire_action()
         LOGGER.debug("Expired models", model=cls, amount=amount)
         self.info(f"Expired {amount} {cls._meta.verbose_name_plural}")
+    clear_expired_cache()
+    Message.delete_expired()
+    GroupChannel.delete_expired()
 
 
 @actor(description=_("Remove temporary users created by SAML Sources."))
 def clean_temporary_users():
-    self: Task = CurrentTask.get_task()
+    self = CurrentTask.get_task()
     _now = datetime.now()
     deleted_users = 0
     for user in User.objects.filter(**{f"attributes__{USER_ATTRIBUTE_GENERATED}": True}):

authentik/core/templates/base/header_js.html

@@ -1,11 +1,13 @@
 {% load i18n %}
 {% get_current_language as LANGUAGE_CODE %}
 
-<script>
+<script data-id="authentik-config">
+    "use strict";
+
     window.authentik = {
         locale: "{{ LANGUAGE_CODE }}",
-        config: JSON.parse('{{ config_json|escapejs }}'),
-        brand: JSON.parse('{{ brand_json|escapejs }}'),
+        config: JSON.parse('{{ config_json|escapejs }}' || "{}"),
+        brand: JSON.parse('{{ brand_json|escapejs }}' || "{}"),
         versionFamily: "{{ version_family }}",
         versionSubdomain: "{{ version_subdomain }}",
         build: "{{ build }}",

authentik/core/templates/base/placeholder.html

@@ -0,0 +1,13 @@
+{% load i18n %}
+
+<div class="ak-c-placeholder" id="ak-placeholder" slot="placeholder">
+    <span
+        class="pf-c-spinner"
+        role="progressbar"
+        aria-valuetext="Loading..."
+        >
+        <span class="pf-c-spinner__clipper"></span>
+        <span class="pf-c-spinner__lead-ball"></span>
+        <span class="pf-c-spinner__tail-ball"></span>
+    </span>
+</div>

authentik/core/templates/base/skeleton.html

@@ -3,8 +3,10 @@
 {% load authentik_core %}
 
 <!DOCTYPE html>
-
-<html>
+<html
+    data-theme="{% if ui_theme == "dark" %}dark{% else %}light{% endif %}"
+    data-theme-choice="{% if ui_theme == "dark" %}dark{% elif ui_theme == "light" %}light{% else %}auto{% endif %}"
+>
     <head>
         <meta charset="UTF-8">
         <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
@@ -18,11 +20,8 @@
 
         {% include "base/theme.html" %}
 
-        <link rel="stylesheet" type="text/css" href="{% static 'dist/authentik.css' %}">
-
-        <style>{{ brand_css }}</style>
+        <style data-id="brand-css">{{ brand_css }}</style>
         <script src="{% versioned_script 'dist/poly-%v.js' %}" type="module"></script>
-        <script src="{% versioned_script 'dist/standalone/loading/index-%v.js' %}" type="module"></script>
         {% block head %}
         {% endblock %}
         {% for key, value in html_meta.items %}

authentik/core/templates/base/theme.html

@@ -1,10 +1,45 @@
+{% load static %}
+{% load authentik_core %}
+
+<link rel="stylesheet" type="text/css" href="{% versioned_script 'dist/styles/interface-%v.css' %}" />
+
 {% if ui_theme == "dark" %}
   <meta name="color-scheme" content="dark" />
   <meta name="theme-color" content="#18191a">
-{% elif ui_theme == "light" %}
+
+  {% elif ui_theme == "light" %}
   <meta name="color-scheme" content="light" />
   <meta name="theme-color" content="#ffffff">
 {% else %}
+  <script data-id="theme-script">
+    "use strict";
+
+    (function () {
+        try {
+            const initialThemeChoice =
+                new URLSearchParams(window.location.search).get("theme") ||
+                window.localStorage?.getItem("theme");
+
+            const themeChoice =
+                initialThemeChoice || document.documentElement.dataset.themeChoice || "auto";
+
+            document.documentElement.dataset.themeChoice = themeChoice;
+
+            if (themeChoice === "auto") {
+                document.documentElement.dataset.theme = window.matchMedia(
+                    "(prefers-color-scheme: dark)",
+                ).matches
+                    ? "dark"
+                    : "light";
+            } else {
+                document.documentElement.dataset.theme = themeChoice;
+            }
+        } catch (e) {
+            console.error("Failed to apply theme", e);
+        }
+    })();
+  </script>
+
   <meta name="color-scheme" content="light dark" />
   <meta name="theme-color" content="#ffffff" media="(prefers-color-scheme: light)">
   <meta name="theme-color" content="#18191a" media="(prefers-color-scheme: dark)">

authentik/core/templates/if/admin.html

@@ -8,8 +8,9 @@
 {% endblock %}
 
 {% block body %}
+<ak-skip-to-content></ak-skip-to-content>
 <ak-message-container alignment="bottom"></ak-message-container>
 <ak-interface-admin>
-    <ak-loading></ak-loading>
+    {% include "base/placeholder.html" %}
 </ak-interface-admin>
 {% endblock %}

authentik/core/templates/if/error.html

@@ -12,10 +12,13 @@
 {% endblock %}
 
 {% block card %}
-<form method="POST" class="pf-c-form">
+<div class="pf-c-form">
     <p>{% trans message %}</p>
-    <a id="ak-back-home" href="{% url 'authentik_core:root-redirect' %}" class="pf-c-button pf-m-primary">
-        {% trans 'Go home' %}
-    </a>
-</form>
+
+    <div class="pf-c-form__group">
+        <a id="ak-back-home" href="{% url 'authentik_core:root-redirect' %}" class="pf-c-button pf-m-primary pf-m-block">
+            {% trans 'Go home' %}
+        </a>
+    </div>
+</div>
 {% endblock %}

authentik/core/templates/if/user.html

@@ -8,8 +8,9 @@
 {% endblock %}
 
 {% block body %}
+<ak-skip-to-content></ak-skip-to-content>
 <ak-message-container></ak-message-container>
 <ak-interface-user>
-    <ak-loading></ak-loading>
+    {% include "base/placeholder.html" %}
 </ak-interface-user>
 {% endblock %}

authentik/core/templates/login/base_full.html

@@ -2,81 +2,66 @@
 
 {% load static %}
 {% load i18n %}
+{% load authentik_core %}
 
 {% block head_before %}
 <link rel="prefetch" href="{{ request.brand.branding_default_flow_background_url }}" />
-<link rel="stylesheet" type="text/css" href="{% static 'dist/patternfly.min.css' %}">
-<link rel="stylesheet" type="text/css" href="{% static 'dist/theme-dark.css' %}" media="(prefers-color-scheme: dark)">
 {% include "base/header_js.html" %}
 {% endblock %}
 
 {% block head %}
-<style>
-:root {
-    --ak-flow-background: url("{{ request.brand.branding_default_flow_background_url }}");
-    --pf-c-background-image--BackgroundImage: var(--ak-flow-background);
-    --pf-c-background-image--BackgroundImage-2x: var(--ak-flow-background);
-    --pf-c-background-image--BackgroundImage--sm: var(--ak-flow-background);
-    --pf-c-background-image--BackgroundImage--sm-2x: var(--ak-flow-background);
-    --pf-c-background-image--BackgroundImage--lg: var(--ak-flow-background);
-}
-/* Form with user */
-.form-control-static {
-    margin-top: var(--pf-global--spacer--sm);
-    display: flex;
-    align-items: center;
-    justify-content: space-between;
-}
-.form-control-static .avatar {
-    display: flex;
-    align-items: center;
-}
-.form-control-static img {
-    margin-right: var(--pf-global--spacer--xs);
-}
-.form-control-static a {
-    padding-top: var(--pf-global--spacer--xs);
-    padding-bottom: var(--pf-global--spacer--xs);
-    line-height: var(--pf-global--spacer--xl);
-}
+<style data-id="static-styles">
+    :root {
+        --ak-global--background-image: url("{{ request.brand.branding_default_flow_background_url }}");
+    }
 </style>
+
+<link rel="stylesheet" type="text/css" href="{% versioned_script 'dist/styles/static-%v.css' %}" />
 {% endblock %}
 
 {% block body %}
-<div class="pf-c-background-image">
-</div>
+<ak-skip-to-content></ak-skip-to-content>
 <ak-message-container></ak-message-container>
-<div class="pf-c-login stacked">
-    <div class="ak-login-container">
-        <main class="pf-c-login__main">
-            <div class="pf-c-login__main-header pf-c-brand ak-brand">
-                <img src="{{ brand.branding_logo_url }}" alt="authentik Logo" />
+
+<div class="pf-c-page__drawer">
+    <div class="pf-c-drawer pf-m-collapsed">
+        <div class="pf-c-drawer__main">
+            <div class="pf-c-drawer__content">
+                <div class="pf-c-drawer__body">
+                    <div class="pf-c-login" data-layout="stacked">
+                        <main class="pf-c-login__main" aria-label="Authentication form">
+                            <div class="pf-c-login__main-header pf-c-brand">
+                                <img class="branding-logo" src="{{ brand.branding_logo_url }}" alt="authentik Logo" />
+                            </div>
+                            <div class="pf-c-login__main-header">
+                                <h1 class="pf-c-title pf-m-3xl" data-test-id="card-title">
+                                    {% block card_title %}
+                                    {% endblock %}
+                                </h1>
+                            </div>
+                            <div class="pf-c-login__main-body">
+                                {% block card %}
+                                {% endblock %}
+                            </div>
+                        </main>
+                        <footer aria-label="Site footer" class="pf-c-login__footer pf-m-dark">
+                            <ul class="pf-c-list pf-m-inline">
+                                {% for link in footer_links %}
+                                <li>
+                                    <a href="{{ link.href }}">{{ link.name }}</a>
+                                </li>
+                                {% endfor %}
+                                <li>
+                                    <span>
+                                        {% trans 'Powered by authentik' %}
+                                    </span>
+                                </li>
+                            </ul>
+                        </footer>
+                    </div>
+                </div>
             </div>
-            <header class="pf-c-login__main-header">
-                <h1 class="pf-c-title pf-m-3xl">
-                    {% block card_title %}
-                    {% endblock %}
-                </h1>
-            </header>
-            <div class="pf-c-login__main-body">
-                {% block card %}
-                {% endblock %}
-            </div>
-        </main>
-        <footer class="pf-c-login__footer">
-            <ul class="pf-c-list pf-m-inline">
-                {% for link in footer_links %}
-                <li>
-                    <a href="{{ link.href }}">{{ link.name }}</a>
-                </li>
-                {% endfor %}
-                <li>
-                    <span>
-                        {% trans 'Powered by authentik' %}
-                    </span>
-                </li>
-            </ul>
-        </footer>
+        </div>
     </div>
 </div>
 {% endblock %}

authentik/core/tests/test_applications_api.py

@@ -82,6 +82,66 @@ class TestApplicationsAPI(APITestCase):
         self.assertEqual(self.allowed.get_meta_icon, app["meta_icon"])
         self.assertEqual(self.allowed.meta_icon.read(), b"text")
 
+    def test_set_icon_relative(self):
+        """Test set_icon (relative path)"""
+        self.client.force_login(self.user)
+        response = self.client.post(
+            reverse(
+                "authentik_api:application-set-icon-url",
+                kwargs={"slug": self.allowed.slug},
+            ),
+            data={"url": "relative/path"},
+        )
+        self.assertEqual(response.status_code, 200)
+
+        self.allowed.refresh_from_db()
+        self.assertEqual(self.allowed.get_meta_icon, "/media/public/relative/path")
+
+    def test_set_icon_absolute(self):
+        """Test set_icon (absolute path)"""
+        self.client.force_login(self.user)
+        response = self.client.post(
+            reverse(
+                "authentik_api:application-set-icon-url",
+                kwargs={"slug": self.allowed.slug},
+            ),
+            data={"url": "/relative/path"},
+        )
+        self.assertEqual(response.status_code, 200)
+
+        self.allowed.refresh_from_db()
+        self.assertEqual(self.allowed.get_meta_icon, "/relative/path")
+
+    def test_set_icon_url(self):
+        """Test set_icon (url)"""
+        self.client.force_login(self.user)
+        response = self.client.post(
+            reverse(
+                "authentik_api:application-set-icon-url",
+                kwargs={"slug": self.allowed.slug},
+            ),
+            data={"url": "https://authentik.company/img.png"},
+        )
+        self.assertEqual(response.status_code, 200)
+
+        self.allowed.refresh_from_db()
+        self.assertEqual(self.allowed.get_meta_icon, "https://authentik.company/img.png")
+
+    def test_set_icon_fa(self):
+        """Test set_icon (url)"""
+        self.client.force_login(self.user)
+        response = self.client.post(
+            reverse(
+                "authentik_api:application-set-icon-url",
+                kwargs={"slug": self.allowed.slug},
+            ),
+            data={"url": "fa://fa-check-circle"},
+        )
+        self.assertEqual(response.status_code, 200)
+
+        self.allowed.refresh_from_db()
+        self.assertEqual(self.allowed.get_meta_icon, "fa://fa-check-circle")
+
     def test_check_access(self):
         """Test check_access operation"""
         self.client.force_login(self.user)

authentik/core/tests/test_users_api.py

@@ -469,3 +469,274 @@ class TestUsersAPI(APITestCase):
         body = loads(response.content)
         self.assertEqual(len(body["results"]), 2)
         self.assertEqual(body["results"][0]["pk"], user.pk)
+
+    def test_service_account_validation_empty_username(self):
+        """Test service account creation with empty/blank username validation"""
+        self.client.force_login(self.admin)
+
+        # Test with empty string
+        response = self.client.post(
+            reverse("authentik_api:user-service-account"),
+            data={
+                "name": "",
+                "create_group": True,
+            },
+        )
+        self.assertEqual(response.status_code, 400)
+        self.assertJSONEqual(
+            response.content,
+            {"name": ["This field may not be blank."]},
+        )
+
+        # Test with only whitespace
+        response = self.client.post(
+            reverse("authentik_api:user-service-account"),
+            data={
+                "name": "   ",
+                "create_group": True,
+            },
+        )
+        self.assertEqual(response.status_code, 400)
+        self.assertJSONEqual(
+            response.content,
+            {"name": ["This field may not be blank."]},
+        )
+
+        # Test with tab and newline characters
+        response = self.client.post(
+            reverse("authentik_api:user-service-account"),
+            data={
+                "name": "\t\n",
+                "create_group": True,
+            },
+        )
+        self.assertEqual(response.status_code, 400)
+        self.assertJSONEqual(
+            response.content,
+            {"name": ["This field may not be blank."]},
+        )
+
+    def test_service_account_validation_valid_username(self):
+        """Test service account creation with valid username"""
+        self.client.force_login(self.admin)
+
+        # Test with valid username
+        response = self.client.post(
+            reverse("authentik_api:user-service-account"),
+            data={
+                "name": "valid-service-account",
+                "create_group": True,
+            },
+        )
+        self.assertEqual(response.status_code, 200)
+
+        # Verify response structure
+        body = loads(response.content)
+        self.assertIn("username", body)
+        self.assertIn("user_uid", body)
+        self.assertIn("user_pk", body)
+        self.assertIn("group_pk", body)  # Should exist since create_group=True
+        self.assertIn("token", body)
+
+        # Verify field types
+        self.assertEqual(body["username"], "valid-service-account")
+        self.assertIsInstance(body["user_pk"], int)
+        self.assertIsInstance(body["user_uid"], str)
+        self.assertIsInstance(body["token"], str)
+        self.assertIsInstance(body["group_pk"], str)
+
+    def test_service_account_validation_without_group(self):
+        """Test service account creation without creating a group"""
+        self.client.force_login(self.admin)
+
+        response = self.client.post(
+            reverse("authentik_api:user-service-account"),
+            data={
+                "name": "no-group-service-account",
+                "create_group": False,
+            },
+        )
+        self.assertEqual(response.status_code, 200)
+
+        body = loads(response.content)
+        self.assertIn("username", body)
+        self.assertIn("user_uid", body)
+        self.assertIn("user_pk", body)
+        self.assertIn("token", body)
+        # Should NOT have group_pk when create_group=False
+        self.assertNotIn("group_pk", body)
+
+    def test_service_account_validation_duplicate_username(self):
+        """Test service account creation with duplicate username"""
+        self.client.force_login(self.admin)
+
+        # Create first service account
+        response = self.client.post(
+            reverse("authentik_api:user-service-account"),
+            data={
+                "name": "duplicate-test",
+                "create_group": True,
+            },
+        )
+        self.assertEqual(response.status_code, 200)
+
+        # Attempt to create second with same username
+        response = self.client.post(
+            reverse("authentik_api:user-service-account"),
+            data={
+                "name": "duplicate-test",
+                "create_group": True,
+            },
+        )
+        self.assertEqual(response.status_code, 400)
+        self.assertJSONEqual(
+            response.content,
+            {"name": ["This field must be unique."]},
+        )
+
+    def test_service_account_validation_invalid_create_group(self):
+        """Test service account creation with invalid create_group field"""
+        self.client.force_login(self.admin)
+
+        # Test with string instead of boolean
+        response = self.client.post(
+            reverse("authentik_api:user-service-account"),
+            data={
+                "name": "test-sa",
+                "create_group": "invalid",
+            },
+        )
+        self.assertEqual(response.status_code, 400)
+        self.assertJSONEqual(
+            response.content,
+            {"create_group": ["Must be a valid boolean."]},
+        )
+
+        # Test with number instead of boolean
+        response = self.client.post(
+            reverse("authentik_api:user-service-account"),
+            data={
+                "name": "test-sa",
+                "create_group": 123,
+            },
+        )
+        self.assertEqual(response.status_code, 400)
+        self.assertJSONEqual(
+            response.content,
+            {"create_group": ["Must be a valid boolean."]},
+        )
+
+    def test_service_account_validation_invalid_expiring(self):
+        """Test service account creation with invalid expiring field"""
+        self.client.force_login(self.admin)
+
+        # Test with string instead of boolean
+        response = self.client.post(
+            reverse("authentik_api:user-service-account"),
+            data={
+                "name": "test-sa",
+                "expiring": "invalid",
+            },
+        )
+        self.assertEqual(response.status_code, 400)
+        self.assertJSONEqual(
+            response.content,
+            {"expiring": ["Must be a valid boolean."]},
+        )
+
+    def test_service_account_validation_invalid_expires(self):
+        """Test service account creation with invalid expires field"""
+        self.client.force_login(self.admin)
+
+        # Test with invalid datetime string
+        response = self.client.post(
+            reverse("authentik_api:user-service-account"),
+            data={
+                "name": "test-sa",
+                "expires": "invalid-datetime",
+            },
+        )
+        self.assertEqual(response.status_code, 400)
+        self.assertJSONEqual(
+            response.content,
+            {
+                "expires": [
+                    "Datetime has wrong format. Use one of these formats instead: "
+                    "YYYY-MM-DDThh:mm[:ss[.uuuuuu]][+HH:MM|-HH:MM|Z]."
+                ]
+            },
+        )
+
+        # Test with invalid format
+        response = self.client.post(
+            reverse("authentik_api:user-service-account"),
+            data={
+                "name": "test-sa",
+                "expires": "2024-13-45",  # Invalid month/day
+            },
+        )
+        self.assertEqual(response.status_code, 400)
+        self.assertJSONEqual(
+            response.content,
+            {
+                "expires": [
+                    "Datetime has wrong format. Use one of these formats instead: "
+                    "YYYY-MM-DDThh:mm[:ss[.uuuuuu]][+HH:MM|-HH:MM|Z]."
+                ]
+            },
+        )
+
+    def test_service_account_validation_multiple_errors(self):
+        """Test service account creation with multiple validation errors"""
+        self.client.force_login(self.admin)
+
+        response = self.client.post(
+            reverse("authentik_api:user-service-account"),
+            data={
+                "name": "",  # Empty username
+                "create_group": "invalid",  # Invalid boolean
+                "expiring": 123,  # Invalid boolean
+                "expires": "not-a-date",  # Invalid datetime
+            },
+        )
+        self.assertEqual(response.status_code, 400)
+        self.assertJSONEqual(
+            response.content,
+            {
+                "name": ["This field may not be blank."],
+                "create_group": ["Must be a valid boolean."],
+                "expiring": ["Must be a valid boolean."],
+                "expires": [
+                    "Datetime has wrong format. Use one of these formats instead: "
+                    "YYYY-MM-DDThh:mm[:ss[.uuuuuu]][+HH:MM|-HH:MM|Z]."
+                ],
+            },
+        )
+
+    def test_service_account_validation_user_friendly_duplicate_error(self):
+        """Test that duplicate username returns user-friendly error, not database error"""
+        self.client.force_login(self.admin)
+
+        # Create first service account
+        response = self.client.post(
+            reverse("authentik_api:user-service-account"),
+            data={
+                "name": "duplicate-username-test",
+                "create_group": True,
+            },
+        )
+        self.assertEqual(response.status_code, 200)
+
+        # Attempt to create second with same username
+        response = self.client.post(
+            reverse("authentik_api:user-service-account"),
+            data={
+                "name": "duplicate-username-test",
+                "create_group": True,
+            },
+        )
+        self.assertEqual(response.status_code, 400)
+        self.assertJSONEqual(
+            response.content,
+            {"name": ["This field must be unique."]},
+        )

authentik/core/urls.py

@@ -30,6 +30,7 @@ from authentik.flows.views.interface import FlowInterfaceView
 from authentik.root.asgi_middleware import AuthMiddlewareStack
 from authentik.root.messages.consumer import MessageConsumer
 from authentik.root.middleware import ChannelsLoggingMiddleware
+from authentik.tenants.channels import TenantsAwareMiddleware
 
 urlpatterns = [
     path(
@@ -97,7 +98,9 @@ api_urlpatterns = [
 websocket_urlpatterns = [
     path(
         "ws/client/",
-        ChannelsLoggingMiddleware(AuthMiddlewareStack(MessageConsumer.as_asgi())),
+        ChannelsLoggingMiddleware(
+            TenantsAwareMiddleware(AuthMiddlewareStack(MessageConsumer.as_asgi()))
+        ),
     ),
 ]
 

authentik/crypto/api.py

@@ -9,9 +9,14 @@ from django.http.response import HttpResponse
 from django.urls import reverse
 from django.utils.translation import gettext_lazy as _
 from django_filters import FilterSet
-from django_filters.filters import BooleanFilter
+from django_filters.filters import BooleanFilter, MultipleChoiceFilter
 from drf_spectacular.types import OpenApiTypes
-from drf_spectacular.utils import OpenApiParameter, OpenApiResponse, extend_schema
+from drf_spectacular.utils import (
+    OpenApiParameter,
+    OpenApiResponse,
+    extend_schema,
+    extend_schema_field,
+)
 from rest_framework.decorators import action
 from rest_framework.exceptions import ValidationError
 from rest_framework.fields import (
@@ -33,7 +38,7 @@ from authentik.core.api.utils import ModelSerializer, PassiveSerializer
 from authentik.core.models import UserTypes
 from authentik.crypto.apps import MANAGED_KEY
 from authentik.crypto.builder import CertificateBuilder, PrivateKeyAlg
-from authentik.crypto.models import CertificateKeyPair
+from authentik.crypto.models import CertificateKeyPair, KeyType
 from authentik.events.models import Event, EventAction
 from authentik.rbac.decorators import permission_required
 from authentik.rbac.filters import ObjectFilter, SecretKeyFilter
@@ -50,7 +55,7 @@ class CertificateKeyPairSerializer(ModelSerializer):
     cert_expiry = SerializerMethodField()
     cert_subject = SerializerMethodField()
     private_key_available = SerializerMethodField()
-    private_key_type = SerializerMethodField()
+    key_type = SerializerMethodField()
 
     certificate_download_url = SerializerMethodField()
     private_key_download_url = SerializerMethodField()
@@ -90,14 +95,12 @@ class CertificateKeyPairSerializer(ModelSerializer):
         """Show if this keypair has a private key configured or not"""
         return instance.key_data != "" and instance.key_data is not None
 
-    def get_private_key_type(self, instance: CertificateKeyPair) -> str | None:
-        """Get the private key's type, if set"""
+    @extend_schema_field(ChoiceField(choices=KeyType.choices, allow_null=True))
+    def get_key_type(self, instance: CertificateKeyPair) -> str | None:
+        """Get the key algorithm type from the certificate's public key"""
         if not self._should_include_details:
             return None
-        key = instance.private_key
-        if key:
-            return key.__class__.__name__.replace("_", "").lower().replace("privatekey", "")
-        return None
+        return instance.key_type
 
     def get_certificate_download_url(self, instance: CertificateKeyPair) -> str:
         """Get URL to download certificate"""
@@ -161,7 +164,7 @@ class CertificateKeyPairSerializer(ModelSerializer):
             "cert_expiry",
             "cert_subject",
             "private_key_available",
-            "private_key_type",
+            "key_type",
             "certificate_download_url",
             "private_key_download_url",
             "managed",
@@ -198,12 +201,31 @@ class CertificateKeyPairFilter(FilterSet):
         label="Only return certificate-key pairs with keys", method="filter_has_key"
     )
 
+    key_type = MultipleChoiceFilter(
+        choices=KeyType.choices,
+        label="Filter by key algorithm type",
+        method="filter_key_type",
+    )
+
     def filter_has_key(self, queryset, name, value):  # pragma: no cover
         """Only return certificate-key pairs with keys"""
         if not value:
             return queryset
         return queryset.exclude(key_data__exact="")
 
+    def filter_key_type(self, queryset, name, value):  # pragma: no cover
+        """Filter certificates by key type using the public key from the certificate"""
+        if not value:
+            return queryset
+
+        # value is a list of KeyType enum values from MultipleChoiceFilter
+        filtered_pks = []
+        for cert in queryset:
+            if cert.key_type in value:
+                filtered_pks.append(cert.pk)
+
+        return queryset.filter(pk__in=filtered_pks)
+
     class Meta:
         model = CertificateKeyPair
         fields = ["name", "managed"]
@@ -228,6 +250,17 @@ class CertificateKeyPairViewSet(UsedByMixin, ModelViewSet):
                 required=False,
                 description="Only return certificate-key pairs with keys",
             ),
+            OpenApiParameter(
+                "key_type",
+                OpenApiTypes.STR,
+                required=False,
+                many=True,
+                enum=[choice[0] for choice in KeyType.choices],
+                description=(
+                    "Filter by key algorithm type (RSA, EC, DSA, etc). "
+                    "Can be specified multiple times (e.g. '?key_type=rsa&key_type=ec')"
+                ),
+            ),
             OpenApiParameter("include_details", bool, default=True),
         ]
     )

authentik/crypto/apps.py

@@ -2,6 +2,8 @@
 
 from datetime import UTC, datetime
 
+from dramatiq.broker import get_broker
+
 from authentik.blueprints.apps import ManagedAppConfig
 from authentik.lib.generators import generate_id
 from authentik.lib.utils.time import fqdn_rand
@@ -70,6 +72,12 @@ class AuthentikCryptoConfig(ManagedAppConfig):
             },
         )
 
+    @ManagedAppConfig.reconcile_global
+    def tasks_middlewares(self):
+        from authentik.crypto.tasks import CertificateWatcherMiddleware
+
+        get_broker().add_middleware(CertificateWatcherMiddleware())
+
     @property
     def tenant_schedule_specs(self) -> list[ScheduleSpec]:
         from authentik.crypto.tasks import certificate_discovery

authentik/crypto/models.py

@@ -6,6 +6,11 @@ from uuid import uuid4
 
 from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives import hashes
+from cryptography.hazmat.primitives.asymmetric.dsa import DSAPublicKey
+from cryptography.hazmat.primitives.asymmetric.ec import EllipticCurvePublicKey
+from cryptography.hazmat.primitives.asymmetric.ed448 import Ed448PublicKey
+from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PublicKey
+from cryptography.hazmat.primitives.asymmetric.rsa import RSAPublicKey
 from cryptography.hazmat.primitives.asymmetric.types import PrivateKeyTypes, PublicKeyTypes
 from cryptography.hazmat.primitives.serialization import load_pem_private_key
 from cryptography.x509 import Certificate, load_pem_x509_certificate
@@ -20,6 +25,21 @@ from authentik.lib.models import CreatedUpdatedModel, SerializerModel
 LOGGER = get_logger()
 
 
+class KeyType(models.TextChoices):
+    """Cryptographic key algorithm types"""
+
+    RSA = "rsa", _("RSA")
+    EC = "ec", _("Elliptic Curve")
+    DSA = "dsa", _("DSA")
+    ED25519 = "ed25519", _("Ed25519")
+    ED448 = "ed448", _("Ed448")
+
+
+def fingerprint_sha256(cert: Certificate) -> str:
+    """Get SHA256 Fingerprint of certificate"""
+    return hexlify(cert.fingerprint(hashes.SHA256()), ":").decode("utf-8")
+
+
 class CertificateKeyPair(SerializerModel, ManagedModel, CreatedUpdatedModel):
     """CertificateKeyPair that can be used for signing or encrypting if `key_data`
     is set, otherwise it can be used to verify remote data."""
@@ -82,7 +102,7 @@ class CertificateKeyPair(SerializerModel, ManagedModel, CreatedUpdatedModel):
     @property
     def fingerprint_sha256(self) -> str:
         """Get SHA256 Fingerprint of certificate_data"""
-        return hexlify(self.certificate.fingerprint(hashes.SHA256()), ":").decode("utf-8")
+        return fingerprint_sha256(self.certificate)
 
     @property
     def fingerprint_sha1(self) -> str:
@@ -98,6 +118,22 @@ class CertificateKeyPair(SerializerModel, ManagedModel, CreatedUpdatedModel):
             else ""
         )  # nosec
 
+    @property
+    def key_type(self) -> str | None:
+        """Get the key algorithm type from the certificate's public key"""
+        public_key = self.certificate.public_key()
+        if isinstance(public_key, RSAPublicKey):
+            return KeyType.RSA
+        if isinstance(public_key, EllipticCurvePublicKey):
+            return KeyType.EC
+        if isinstance(public_key, DSAPublicKey):
+            return KeyType.DSA
+        if isinstance(public_key, Ed25519PublicKey):
+            return KeyType.ED25519
+        if isinstance(public_key, Ed448PublicKey):
+            return KeyType.ED448
+        return None
+
     def __str__(self) -> str:
         return f"Certificate-Key Pair {self.name}"
 

authentik/crypto/tasks.py

@@ -2,18 +2,29 @@
 
 from glob import glob
 from pathlib import Path
+from sys import platform
 
 from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives.serialization import load_pem_private_key
 from cryptography.x509.base import load_pem_x509_certificate
+from django.conf import settings
 from django.utils.translation import gettext_lazy as _
-from django_dramatiq_postgres.middleware import CurrentTask
 from dramatiq.actor import actor
+from dramatiq.middleware import Middleware
 from structlog.stdlib import get_logger
+from watchdog.events import (
+    FileCreatedEvent,
+    FileModifiedEvent,
+    FileSystemEvent,
+    FileSystemEventHandler,
+)
+from watchdog.observers import Observer
 
 from authentik.crypto.models import CertificateKeyPair
 from authentik.lib.config import CONFIG
-from authentik.tasks.models import Task
+from authentik.tasks.middleware import CurrentTask
+from authentik.tasks.schedules.models import Schedule
+from authentik.tenants.models import Tenant
 
 LOGGER = get_logger()
 
@@ -36,9 +47,68 @@ def ensure_certificate_valid(body: str):
     return body
 
 
+class CertificateWatcherMiddleware(Middleware):
+    """Middleware to start certificate file watcher"""
+
+    def start_certificate_watcher(self):
+        """Start certificate file watcher"""
+        observer = Observer()
+        kwargs = {}
+        if platform.startswith("linux"):
+            kwargs["event_filter"] = (FileCreatedEvent, FileModifiedEvent)
+        observer.schedule(
+            CertificateEventHandler(),
+            CONFIG.get("cert_discovery_dir"),
+            recursive=True,
+            **kwargs,
+        )
+        observer.start()
+
+    def after_worker_boot(self, broker, worker):
+        if not settings.TEST:
+            self.start_certificate_watcher()
+
+
+class CertificateEventHandler(FileSystemEventHandler):
+    """Event handler for certificate file events"""
+
+    # We only ever get creation and modification events.
+    # See the creation of the Observer instance above for the event filtering.
+
+    # Even though we filter to only get file events, we might still get
+    # directory events as some implementations such as inotify do not support
+    # filtering on file/directory.
+
+    def dispatch(self, event: FileSystemEvent) -> None:
+        """Call specific event handler method. Ignores directory changes."""
+        if event.is_directory:
+            return None
+        return super().dispatch(event)
+
+    def on_created(self, event: FileSystemEvent):
+        """Process certificate file creation"""
+        LOGGER.debug(
+            "Certificate file created, triggering discovery",
+            file=event.src_path,
+        )
+        for tenant in Tenant.objects.filter(ready=True):
+            with tenant:
+                Schedule.dispatch_by_actor(certificate_discovery)
+
+    def on_modified(self, event: FileSystemEvent):
+        """Process certificate file modification"""
+        LOGGER.debug(
+            "Certificate file modified, triggering discovery",
+            file=event.src_path,
+        )
+        for tenant in Tenant.objects.filter(ready=True):
+            with tenant:
+                Schedule.dispatch_by_actor(certificate_discovery)
+
+
 @actor(description=_("Discover, import and update certificates from the filesystem."))
 def certificate_discovery():
-    self: Task = CurrentTask.get_task()
+    self = CurrentTask.get_task()
     certs = {}
     private_keys = {}
     discovered = 0
@@ -67,12 +137,35 @@ def certificate_discovery():
         except (OSError, ValueError) as exc:
             LOGGER.warning("Failed to open file or invalid format", exc=exc, file=path)
     for name, cert_data in certs.items():
+        # First, try to find by filename-based managed field
         cert = CertificateKeyPair.objects.filter(managed=MANAGED_DISCOVERED % name).first()
+
+        # If not found by filename and we have a private key, check for existing key match
+        if not cert and name in private_keys:
+            existing_with_key = (
+                CertificateKeyPair.objects.filter(
+                    managed__startswith="goauthentik.io/crypto/discovered/",
+                    key_data=private_keys[name],
+                )
+                .exclude(key_data="")
+                .first()
+            )
+            if existing_with_key:
+                cert = existing_with_key
+                # Update name and managed field to reflect the new filename
+                if cert.name != name:
+                    cert.name = name
+                    cert.managed = MANAGED_DISCOVERED % name
+                    cert.save()
+
+        # Create new certificate if not found
         if not cert:
             cert = CertificateKeyPair(
                 name=name,
                 managed=MANAGED_DISCOVERED % name,
             )
+
+        # Update certificate data if changed
         dirty = False
         if cert.certificate_data != cert_data:
             cert.certificate_data = cert_data

authentik/crypto/tests.py

@@ -2,6 +2,7 @@
 
 from json import loads
 from os import makedirs
+from pathlib import Path
 from tempfile import TemporaryDirectory
 
 from cryptography.x509.extensions import SubjectAlternativeName
@@ -27,7 +28,7 @@ class TestCrypto(APITestCase):
     def test_model_private(self):
         """Test model private key"""
         cert = CertificateKeyPair.objects.create(
-            name="test",
+            name=generate_id(),
             certificate_data="foo",
             key_data="foo",
         )
@@ -271,7 +272,7 @@ class TestCrypto(APITestCase):
         keypair = create_test_cert()
         provider = OAuth2Provider.objects.create(
             name=generate_id(),
-            client_id="test",
+            client_id=generate_id(),
             client_secret=generate_key(),
             authorization_flow=create_test_flow(),
             redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost")],
@@ -303,7 +304,7 @@ class TestCrypto(APITestCase):
         keypair = create_test_cert()
         OAuth2Provider.objects.create(
             name=generate_id(),
-            client_id="test",
+            client_id=generate_id(),
             client_secret=generate_key(),
             authorization_flow=create_test_flow(),
             redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost")],
@@ -319,6 +320,8 @@ class TestCrypto(APITestCase):
 
     def test_discovery(self):
         """Test certificate discovery"""
+        # This test generates 2 separate cert/key combinations
+        # and verifies they both import properly
         name = generate_id()
         builder = CertificateBuilder(name)
         with self.assertRaises(ValueError):
@@ -327,6 +330,15 @@ class TestCrypto(APITestCase):
             subject_alt_names=[],
             validity_days=3,
         )
+
+        name2 = generate_id()
+        builder2 = CertificateBuilder(name2)
+        with self.assertRaises(ValueError):
+            builder2.save()
+        builder2.build(
+            subject_alt_names=[],
+            validity_days=3,
+        )
         with TemporaryDirectory() as temp_dir:
             with open(f"{temp_dir}/foo.pem", "w+", encoding="utf-8") as _cert:
                 _cert.write(builder.certificate)
@@ -334,9 +346,9 @@ class TestCrypto(APITestCase):
                 _key.write(builder.private_key)
             makedirs(f"{temp_dir}/foo.bar", exist_ok=True)
             with open(f"{temp_dir}/foo.bar/fullchain.pem", "w+", encoding="utf-8") as _cert:
-                _cert.write(builder.certificate)
+                _cert.write(builder2.certificate)
             with open(f"{temp_dir}/foo.bar/privkey.pem", "w+", encoding="utf-8") as _key:
-                _key.write(builder.private_key)
+                _key.write(builder2.private_key)
             with CONFIG.patch("cert_discovery_dir", temp_dir):
                 certificate_discovery.send()
         keypair: CertificateKeyPair = CertificateKeyPair.objects.filter(
@@ -348,3 +360,58 @@ class TestCrypto(APITestCase):
         self.assertTrue(
             CertificateKeyPair.objects.filter(managed=MANAGED_DISCOVERED % "foo.bar").exists()
         )
+
+    def test_discovery_updating_same_private_key(self):
+        """Test certificate discovery updating certs with matching private keys"""
+        name = generate_id()
+        builder = CertificateBuilder(name)
+        builder.build(
+            subject_alt_names=[],
+            validity_days=3,
+        )
+
+        with TemporaryDirectory() as temp_dir:
+            # First discovery: write cert as "original"
+            with open(f"{temp_dir}/original.pem", "w+", encoding="utf-8") as _cert:
+                _cert.write(builder.certificate)
+            with open(f"{temp_dir}/original.key", "w+", encoding="utf-8") as _key:
+                _key.write(builder.private_key)
+
+            with CONFIG.patch("cert_discovery_dir", temp_dir):
+                certificate_discovery.send()
+
+            # Verify "original" cert was created
+            original = CertificateKeyPair.objects.filter(
+                managed=MANAGED_DISCOVERED % "original"
+            ).first()
+            self.assertIsNotNone(original)
+            self.assertEqual(original.name, "original")
+            self.assertIsNotNone(original.private_key)
+
+            # Second discovery: write same cert/key as "renamed"
+            Path(f"{temp_dir}/original.pem").unlink()
+            Path(f"{temp_dir}/original.key").unlink()
+
+            with open(f"{temp_dir}/renamed.pem", "w+", encoding="utf-8") as _cert:
+                _cert.write(builder.certificate)
+            with open(f"{temp_dir}/renamed.key", "w+", encoding="utf-8") as _key:
+                _key.write(builder.private_key)
+
+            with CONFIG.patch("cert_discovery_dir", temp_dir):
+                certificate_discovery.send()
+
+            # Verify the cert was updated
+            renamed = CertificateKeyPair.objects.filter(
+                managed=MANAGED_DISCOVERED % "renamed"
+            ).first()
+            self.assertIsNotNone(renamed, "Renamed certificate should exist")
+            self.assertEqual(renamed.name, "renamed")
+            self.assertEqual(renamed.pk, original.pk, "Should be same database object")
+
+            # Verify no new cert was created
+            final_count = CertificateKeyPair.objects.filter(
+                managed__startswith="goauthentik.io/crypto/discovered/"
+            ).count()
+            self.assertEqual(
+                1, final_count, "Should not create duplicate cert for same private key"
+            )