packages/django-dramatiq-postgres: remove tenacity and enqueue retries

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
web: build system had some legacy stuff that I found confusing while working on the CSS ordering (#20698 )
2026-05-05 22:52:42 +02:00 · 2026-04-13 17:46:03 +02:00 · 2026-04-13 15:37:21 +00:00 · 2026-04-13 13:57:09 +00:00 · 2026-04-13 13:34:20 +00:00 · 2026-04-13 13:34:11 +00:00
1621 changed files with 122206 additions and 62365 deletions
--- a/.cargo/config.toml
+++ b/.cargo/config.toml
@@ -0,0 +1,5 @@
+[alias]
+t = ["nextest", "run"]
+
+[build]
+rustflags = ["--cfg", "tokio_unstable"]
--- a/.cargo/deny.toml
+++ b/.cargo/deny.toml
@@ -2,12 +2,14 @@
 allow = [
  "Apache-2.0",
  "BSD-3-Clause",
+  "CC0-1.0",
  "CDLA-Permissive-2.0",
  "ISC",
  "MIT",
  "MPL-2.0",
  "OpenSSL",
  "Unicode-3.0",
+  "Zlib",
 ]

 [licenses.private]
--- a/.cargo/rustfmt.toml
+++ b/.cargo/rustfmt.toml
@@ -12,5 +12,4 @@ reorder_impl_items = true
 style_edition = "2024"
 use_field_init_shorthand = true
 use_try_shorthand = true
-where_single_line = true
 wrap_comments = true
--- a/.dockerignore
+++ b/.dockerignore
@@ -10,4 +10,4 @@ build_docs/**
 blueprints/local
 .git
 .venv
-target/
+target
--- a/.github/actions/docker-push-variables/action.yml
+++ b/.github/actions/docker-push-variables/action.yml
@@ -54,10 +54,6 @@ outputs:
 runs:
  using: "composite"
  steps:
-    - name: Setup authentik env
-      uses: ./.github/actions/setup
-      with:
-        dependencies: "python"
    - name: Generate config
      id: ev
      shell: bash
@@ -68,4 +64,4 @@ runs:
        PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
        REF: ${{ github.ref }}
      run: |
-        uv run python3 ${{ github.action_path }}/push_vars.py
+        python3 ${{ github.action_path }}/push_vars.py
--- a/.github/actions/docker-push-variables/push_vars.py
+++ b/.github/actions/docker-push-variables/push_vars.py
@@ -2,10 +2,19 @@

 import os
 from json import dumps
+from pathlib import Path
 from sys import exit as sysexit
 from time import time
+from typing import Any

-from authentik import authentik_version
+
+def authentik_version() -> str:
+    init = Path(__file__).parent.parent.parent.parent / "authentik" / "__init__.py"
+    with open(init) as f:
+        content = f.read()
+    locals: dict[str, Any] = {}
+    exec(content, None, locals)  # nosec
+    return str(locals["VERSION"])


 def must_or_fail(input: str | None, error: str) -> str:
@@ -97,6 +106,7 @@ if os.getenv("RELEASE", "false").lower() == "true":
    image_build_args = [f"VERSION={os.getenv('REF')}"]
 else:
    image_build_args = [f"GIT_BUILD_HASH={sha}"]
+image_build_args_str = "\n".join(image_build_args)

 with open(os.environ["GITHUB_OUTPUT"], "a+", encoding="utf-8") as _output:
    print(f"shouldPush={str(should_push).lower()}", file=_output)
@@ -109,4 +119,4 @@ with open(os.environ["GITHUB_OUTPUT"], "a+", encoding="utf-8") as _output:
    print(f"imageMainTag={image_main_tag}", file=_output)
    print(f"imageMainName={image_tags[0]}", file=_output)
    print(f"cacheTo={cache_to}", file=_output)
-    print(f"imageBuildArgs={"\n".join(image_build_args)}", file=_output)
+    print(f"imageBuildArgs={image_build_args_str}", file=_output)
--- a/.github/actions/setup/action.yml
+++ b/.github/actions/setup/action.yml
@@ -8,31 +8,47 @@ inputs:
  postgresql_version:
    description: "Optional postgresql image tag"
    default: "16"
+  working-directory:
+    description: |
+      Optional working directory if this repo isn't in the root of the actions workspace.
+      When set, needs to contain a trailing slash
+    default: ""

 runs:
  using: "composite"
  steps:
-    - name: Install apt deps & cleanup
+    - name: Cleanup apt
+      if: ${{ contains(inputs.dependencies, 'system') || contains(inputs.dependencies, 'python') }}
+      shell: bash
+      run: sudo apt-get remove --purge man-db
+    - name: Install apt deps
+      if: ${{ contains(inputs.dependencies, 'system') || contains(inputs.dependencies, 'python') }}
+      uses: gerlero/apt-install@f4fa5265092af9e750549565d28c99aec7189639
+      with:
+        packages: libpq-dev openssl libxmlsec1-dev pkg-config gettext krb5-multidev libkrb5-dev heimdal-multidev libclang-dev krb5-kdc krb5-user krb5-admin-server
+        update: true
+        upgrade: false
+        install-recommends: false
+    - name: Make space on disk
      if: ${{ contains(inputs.dependencies, 'system') || contains(inputs.dependencies, 'python') }}
      shell: bash
      run: |
-        sudo apt-get remove --purge man-db
-        sudo apt-get update
-        sudo apt-get install --no-install-recommends -y libpq-dev openssl libxmlsec1-dev pkg-config gettext krb5-multidev libkrb5-dev heimdal-multidev libclang-dev krb5-kdc krb5-user krb5-admin-server
-        sudo rm -rf /usr/local/lib/android
+        sudo mkdir -p /tmp/empty/
+        sudo rsync -a --delete /tmp/empty/ /usr/local/lib/android/
    - name: Install uv
      if: ${{ contains(inputs.dependencies, 'python') }}
-      uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v5
+      uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v5
      with:
        enable-cache: true
    - name: Setup python
      if: ${{ contains(inputs.dependencies, 'python') }}
      uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v5
      with:
-        python-version-file: "pyproject.toml"
+        python-version-file: "${{ inputs.working-directory }}pyproject.toml"
    - name: Install Python deps
      if: ${{ contains(inputs.dependencies, 'python') }}
      shell: bash
+      working-directory: ${{ inputs.working-directory }}
      run: uv sync --all-extras --dev --frozen
    - name: Setup rust (stable)
      if: ${{ contains(inputs.dependencies, 'rust') && !contains(inputs.dependencies, 'rust-nightly') }}
@@ -48,34 +64,35 @@ runs:
        rustflags: ""
    - name: Setup rust dependencies
      if: ${{ contains(inputs.dependencies, 'rust') }}
-      uses: taiki-e/install-action@80a23c5ba9e1100fd8b777106e810018ed662a7b # v2
+      uses: taiki-e/install-action@0abfcd587b70a713fdaa7fb502c885e2112acb15 # v2
      with:
        tool: cargo-deny cargo-machete cargo-llvm-cov nextest
    - name: Setup node (web)
      if: ${{ contains(inputs.dependencies, 'node') }}
      uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v4
      with:
-        node-version-file: web/package.json
+        node-version-file: "${{ inputs.working-directory }}web/package.json"
        cache: "npm"
-        cache-dependency-path: web/package-lock.json
+        cache-dependency-path: "${{ inputs.working-directory }}web/package-lock.json"
        registry-url: "https://registry.npmjs.org"
    - name: Setup node (root)
      if: ${{ contains(inputs.dependencies, 'node') }}
      uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v4
      with:
-        node-version-file: package.json
+        node-version-file: "${{ inputs.working-directory }}package.json"
        cache: "npm"
-        cache-dependency-path: package-lock.json
+        cache-dependency-path: "${{ inputs.working-directory }}package-lock.json"
        registry-url: "https://registry.npmjs.org"
    - name: Install Node deps
      if: ${{ contains(inputs.dependencies, 'node') }}
      shell: bash
+      working-directory: ${{ inputs.working-directory }}
      run: npm ci
    - name: Setup go
      if: ${{ contains(inputs.dependencies, 'go') }}
-      uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v5
+      uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v5
      with:
-        go-version-file: "go.mod"
+        go-version-file: "${{ inputs.working-directory }}go.mod"
    - name: Setup docker cache
      if: ${{ contains(inputs.dependencies, 'runtime') }}
      uses: AndreKurait/docker-cache@0fe76702a40db986d9663c24954fc14c6a6031b7
@@ -84,6 +101,7 @@ runs:
    - name: Setup dependencies
      if: ${{ contains(inputs.dependencies, 'runtime') }}
      shell: bash
+      working-directory: ${{ inputs.working-directory }}
      run: |
        export PSQL_TAG=${{ inputs.postgresql_version }}
        docker compose -f .github/actions/setup/compose.yml up -d
@@ -91,6 +109,7 @@ runs:
    - name: Generate config
      if: ${{ contains(inputs.dependencies, 'python') }}
      shell: uv run python {0}
+      working-directory: ${{ inputs.working-directory }}
      run: |
        from authentik.lib.generators import generate_id
        from yaml import safe_dump
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -20,6 +20,8 @@ updates:
      prefix: "ci:"
    labels:
      - dependencies
+    cooldown:
+      default-days: 3

  #endregion

@@ -35,6 +37,16 @@ updates:
      prefix: "core:"
    labels:
      - dependencies
+    cooldown:
+      default-days: 7
+      semver-major-days: 14
+      semver-patch-days: 3
+      exclude:
+        - "golang.org/x/crypto"
+        - "golang.org/x/net"
+        - "github.com/golang-jwt/jwt/*"
+        - "github.com/coreos/go-oidc/*"
+        - "github.com/go-ldap/ldap/*"

  #endregion

@@ -50,6 +62,10 @@ updates:
      prefix: "core:"
    labels:
      - dependencies
+    cooldown:
+      default-days: 7
+      semver-major-days: 14
+      semver-patch-days: 3

  - package-ecosystem: rust-toolchain
    directory: "/"
@@ -61,6 +77,8 @@ updates:
      prefix: "core:"
    labels:
      - dependencies
+    cooldown:
+      default-days: 3

  #endregion

@@ -79,6 +97,10 @@ updates:
    open-pull-requests-limit: 10
    commit-message:
      prefix: "web:"
+    cooldown:
+      default-days: 7
+      semver-major-days: 14
+      semver-patch-days: 3
    groups:
      sentry:
        patterns:
@@ -142,6 +164,10 @@ updates:
    open-pull-requests-limit: 10
    commit-message:
      prefix: "core, web:"
+    cooldown:
+      default-days: 7
+      semver-major-days: 14
+      semver-patch-days: 3
    groups:
      sentry:
        patterns:
@@ -200,6 +226,10 @@ updates:
      prefix: "website:"
    labels:
      - dependencies
+    cooldown:
+      default-days: 7
+      semver-major-days: 14
+      semver-patch-days: 3
    groups:
      docusaurus:
        patterns:
@@ -238,6 +268,10 @@ updates:
      prefix: "lifecycle/aws:"
    labels:
      - dependencies
+    cooldown:
+      default-days: 7
+      semver-major-days: 14
+      semver-patch-days: 3

  #endregion

@@ -253,6 +287,18 @@ updates:
      prefix: "core:"
    labels:
      - dependencies
+    cooldown:
+      default-days: 7
+      semver-major-days: 14
+      semver-patch-days: 3
+      exclude:
+        - "django"
+        - "cryptography"
+        - "pyjwt"
+        - "xmlsec"
+        - "lxml"
+        - "psycopg"
+        - "pyopenssl"

  #endregion

@@ -270,6 +316,8 @@ updates:
      prefix: "core:"
    labels:
      - dependencies
+    cooldown:
+      default-days: 3
  - package-ecosystem: docker-compose
    directories:
      - /packages/client-go
@@ -285,5 +333,7 @@ updates:
      prefix: "core:"
    labels:
      - dependencies
+    cooldown:
+      default-days: 3

  #endregion
--- a/.github/workflows/_reusable-docker-build-single.yml
+++ b/.github/workflows/_reusable-docker-build-single.yml
@@ -56,27 +56,19 @@ jobs:
          release: ${{ inputs.release }}
      - name: Login to Docker Hub
        if: ${{ inputs.registry_dockerhub }}
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          username: ${{ secrets.DOCKER_CORP_USERNAME }}
          password: ${{ secrets.DOCKER_CORP_PASSWORD }}
      - name: Login to GitHub Container Registry
        if: ${{ inputs.registry_ghcr }}
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
-      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v5
-        with:
-          node-version-file: web/package.json
-          cache: "npm"
-          cache-dependency-path: web/package-lock.json
-      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
-        with:
-          go-version-file: "go.mod"
      - name: Build Docker Image
-        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
        id: push
        with:
          context: .
--- a/.github/workflows/_reusable-docker-build.yml
+++ b/.github/workflows/_reusable-docker-build.yml
@@ -79,18 +79,18 @@ jobs:
          image-name: ${{ inputs.image_name }}
      - name: Login to Docker Hub
        if: ${{ inputs.registry_dockerhub }}
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          username: ${{ secrets.DOCKER_CORP_USERNAME }}
          password: ${{ secrets.DOCKER_CORP_PASSWORD }}
      - name: Login to GitHub Container Registry
        if: ${{ inputs.registry_ghcr }}
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
-      - uses: int128/docker-manifest-create-action@8aac06098a12365ccdf99372dcfb453ccce8a0b0 # v2
+      - uses: int128/docker-manifest-create-action@44422a4b046d55dc036df622039ed3aec43c613c # v2
        id: build
        with:
          tags: ${{ matrix.tag }}
--- a/.github/workflows/ci-api-docs.yml
+++ b/.github/workflows/ci-api-docs.yml
@@ -55,7 +55,7 @@ jobs:
        env:
          NODE_ENV: production
        run: npm run build -w api
-      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v4
+      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v4
        with:
          name: api-docs
          path: website/api/build
--- a/.github/workflows/ci-docs.yml
+++ b/.github/workflows/ci-docs.yml
@@ -89,14 +89,14 @@ jobs:
          image-name: ghcr.io/goauthentik/dev-docs
      - name: Login to Container Registry
        if: ${{ steps.ev.outputs.shouldPush == 'true' }}
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Build Docker Image
        id: push
-        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
        with:
          tags: ${{ steps.ev.outputs.imageTags }}
          file: website/Dockerfile
--- a/.github/workflows/ci-main-daily.yml
+++ b/.github/workflows/ci-main-daily.yml
@@ -20,13 +20,19 @@ jobs:
        version:
          - docs
          - version-2025-12
-          - version-2025-10
+          - version-2026-2
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
      - run: |
+          set -euo pipefail
          current="$(pwd)"
          dir="/tmp/authentik/${{ matrix.version }}"
+          # 2025.12 still serves the legacy docker-compose filename; newer sites use compose.yml.
+          compose_path="compose.yml"
+          if [ "${{ matrix.version }}" = "version-2025-12" ]; then
+            compose_path="docker-compose.yml"
+          fi
          mkdir -p "${dir}/lifecycle/container"
          cd "${dir}"
-          wget "https://${{ matrix.version }}.goauthentik.io/docker-compose.yml" -O "${dir}/lifecycle/container/compose.yml"
+          wget "https://${{ matrix.version }}.goauthentik.io/${compose_path}" -O "${dir}/lifecycle/container/compose.yml"
          "${current}/scripts/test_docker.sh"
--- a/.github/workflows/ci-main.yml
+++ b/.github/workflows/ci-main.yml
@@ -196,6 +196,7 @@ jobs:
      - name: run integration
        run: |
          uv run coverage run manage.py test tests/integration
+          uv run coverage combine
          uv run coverage xml
      - uses: ./.github/actions/test-results
        if: ${{ always() }}
@@ -223,6 +224,9 @@ jobs:
            profiles: selenium
          - name: ldap
            glob: tests/e2e/test_provider_ldap* tests/e2e/test_source_ldap*
+          - name: rac
+            glob: tests/e2e/test_provider_rac*
+            profiles: selenium
          - name: ws-fed
            glob: tests/e2e/test_provider_ws_fed*
            profiles: selenium
@@ -247,11 +251,12 @@ jobs:
          docker compose -f tests/e2e/compose.yml up -d --quiet-pull
      - id: cache-web
        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v4
+        if: contains(matrix.job.profiles, 'selenium')
        with:
          path: web/dist
          key: ${{ runner.os }}-web-${{ hashFiles('web/package-lock.json', 'package-lock.json', 'web/src/**', 'web/packages/sfe/src/**') }}-b
      - name: prepare web ui
-        if: steps.cache-web.outputs.cache-hit != 'true'
+        if: steps.cache-web.outputs.cache-hit != 'true' && contains(matrix.job.profiles, 'selenium')
        working-directory: web
        run: |
          npm ci
@@ -260,6 +265,7 @@ jobs:
      - name: run e2e
        run: |
          uv run coverage run manage.py test ${{ matrix.job.glob }}
+          uv run coverage combine
          uv run coverage xml
      - uses: ./.github/actions/test-results
        if: ${{ always() }}
@@ -304,13 +310,14 @@ jobs:
      - name: run conformance
        run: |
          uv run coverage run manage.py test ${{ matrix.job.glob }}
+          uv run coverage combine
          uv run coverage xml
      - uses: ./.github/actions/test-results
        if: ${{ always() }}
        with:
          flags: conformance
      - if: ${{ !cancelled() }}
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: conformance-certification-${{ matrix.job.name }}
          path: tests/openid_conformance/exports/
@@ -322,7 +329,7 @@ jobs:
      - name: Setup authentik env
        uses: ./.github/actions/setup
        with:
-          dependencies: rust
+          dependencies: rust,runtime
      - name: run tests
        run: |
          cargo llvm-cov --no-report nextest --workspace
@@ -333,7 +340,7 @@ jobs:
          files: target/llvm-cov-target/rust.json
          flags: rust
      - if: ${{ !cancelled() }}
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: test-rust
          path: target/llvm-cov-target/rust.json
--- a/.github/workflows/ci-outpost.yml
+++ b/.github/workflows/ci-outpost.yml
@@ -22,7 +22,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
+      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
        with:
          go-version-file: "go.mod"
      - name: Prepare and generate API
@@ -41,7 +41,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
+      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
        with:
          go-version-file: "go.mod"
      - name: Setup authentik env
@@ -98,14 +98,14 @@ jobs:
          image-name: ghcr.io/goauthentik/dev-${{ matrix.type }}
      - name: Login to Container Registry
        if: ${{ steps.ev.outputs.shouldPush == 'true' }}
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Build Docker Image
        id: push
-        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
        with:
          tags: ${{ steps.ev.outputs.imageTags }}
          file: lifecycle/container/${{ matrix.type }}.Dockerfile
@@ -142,7 +142,7 @@ jobs:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
        with:
          ref: ${{ github.event.pull_request.head.sha }}
-      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
+      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
        with:
          go-version-file: "go.mod"
      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v5
--- a/.github/workflows/gen-image-compress.yml
+++ b/.github/workflows/gen-image-compress.yml
@@ -42,7 +42,7 @@ jobs:
        with:
          GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
          compressOnly: ${{ github.event_name != 'pull_request' }}
-      - uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
+      - uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
        if: "${{ github.event_name != 'pull_request' && steps.compress.outputs.markdown != '' }}"
        id: cpr
        with:
--- a/.github/workflows/gen-update-webauthn-mds.yml
+++ b/.github/workflows/gen-update-webauthn-mds.yml
@@ -26,7 +26,7 @@ jobs:
      - name: Setup authentik env
        uses: ./.github/actions/setup
      - run: uv run ak update_webauthn_mds
-      - uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
+      - uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
        id: cpr
        with:
          token: ${{ steps.generate_token.outputs.token }}
--- a/.github/workflows/release-branch-off.yml
+++ b/.github/workflows/release-branch-off.yml
@@ -73,7 +73,7 @@ jobs:
      - name: Bump version
        run: "make bump version=${{ inputs.next_version }}.0-rc1"
      - name: Create pull request
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
+        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
        with:
          token: ${{ steps.generate_token.outputs.token }}
          branch: release-bump-${{ inputs.next_version }}
--- a/.github/workflows/release-publish.yml
+++ b/.github/workflows/release-publish.yml
@@ -44,14 +44,14 @@ jobs:
        with:
          image-name: ghcr.io/goauthentik/docs
      - name: Login to GitHub Container Registry
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Build Docker Image
        id: push
-        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
        with:
          tags: ${{ steps.ev.outputs.imageTags }}
          file: website/Dockerfile
@@ -84,7 +84,7 @@ jobs:
          - rac
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
+      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
        with:
          go-version-file: "go.mod"
      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v5
@@ -104,18 +104,18 @@ jobs:
        with:
          image-name: ghcr.io/goauthentik/${{ matrix.type }},authentik/${{ matrix.type }}
      - name: Docker Login Registry
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          username: ${{ secrets.DOCKER_CORP_USERNAME }}
          password: ${{ secrets.DOCKER_CORP_PASSWORD }}
      - name: Login to GitHub Container Registry
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Build Docker Image
-        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
        id: push
        with:
          push: true
@@ -148,7 +148,7 @@ jobs:
        goarch: [amd64, arm64]
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
+      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
        with:
          go-version-file: "go.mod"
      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v5
@@ -191,7 +191,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7 # v6.0.0
+      - uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6.1.0
        with:
          role-to-assume: "arn:aws:iam::016170277896:role/github_goauthentik_authentik"
          aws-region: ${{ env.AWS_REGION }}
@@ -236,7 +236,7 @@ jobs:
          container=$(docker container create ${{ steps.ev.outputs.imageMainName }})
          docker cp ${container}:web/ .
      - name: Create a Sentry.io release
-        uses: getsentry/action-release@dab6548b3c03c4717878099e43782cf5be654289 # v3
+        uses: getsentry/action-release@5657c9e888b4e2cc85f4d29143ea4131fde4a73a # v3
        continue-on-error: true
        env:
          SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
--- a/.github/workflows/release-tag.yml
+++ b/.github/workflows/release-tag.yml
@@ -137,7 +137,7 @@ jobs:
          sed -E -i 's/[0-9]{4}\.[0-9]{1,2}\.[0-9]+$/${{ inputs.version }}/' charts/authentik/Chart.yaml
          ./scripts/helm-docs.sh
      - name: Create pull request
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
+        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
        with:
          token: "${{ steps.app-token.outputs.token }}"
          branch: bump-${{ inputs.version }}
@@ -196,7 +196,7 @@ jobs:
            '.stable.version = $version | .stable.changelog = $changelog | .stable.changelog_url = $changelog_url | .stable.reason = $reason' version.json > version.new.json
          mv version.new.json version.json
      - name: Create pull request
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
+        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
        with:
          token: "${{ steps.app-token.outputs.token }}"
          branch: bump-${{ inputs.version }}
--- a/.github/workflows/translation-extract-compile.yml
+++ b/.github/workflows/translation-extract-compile.yml
@@ -42,7 +42,7 @@ jobs:
          make web-check-compile
      - name: Create Pull Request
        if: ${{ github.event_name != 'pull_request' }}
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
+        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
        with:
          token: ${{ steps.generate_token.outputs.token }}
          branch: extract-compile-backend-translation
--- a/1
+++ b/1
@@ -27,6 +27,7 @@ Makefile                                @goauthentik/infrastructure
 .editorconfig                           @goauthentik/infrastructure
 CODEOWNERS                              @goauthentik/infrastructure
 # Backend packages
+packages/ak-*                           @goauthentik/backend
 packages/client-rust                    @goauthentik/backend
 packages/django-channels-postgres       @goauthentik/backend
 packages/django-postgres-cache          @goauthentik/backend
--- a/Cargo.lock
+++ b/Cargo.lock
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -1,5 +1,10 @@
 [workspace]
-members = ["packages/client-rust", "website/scripts/docsmg"]
+members = [
+  "packages/ak-axum",
+  "packages/ak-common",
+  "packages/client-rust",
+  "website/scripts/docsmg",
+]
 resolver = "3"

 [workspace.package]
@@ -14,11 +19,29 @@ license-file = "LICENSE"
 publish = false

 [workspace.dependencies]
+arc-swap = "= 1.9.1"
+axum-server = { version = "= 0.8.0", features = ["tls-rustls-no-provider"] }
 aws-lc-rs = { version = "= 1.16.2", features = ["fips"] }
+axum = { version = "= 0.8.8", features = ["http2", "macros", "ws"] }
 clap = { version = "= 4.6.0", features = ["derive", "env"] }
+client-ip = { version = "0.2.1", features = ["forwarded-header"] }
 colored = "= 3.1.1"
+config-rs = { package = "config", version = "= 0.15.22", default-features = false, features = [
+  "json",
+  "yaml",
+] }
+console-subscriber = "= 0.5.0"
 dotenvy = "= 0.15.7"
+durstr = "= 0.5.1"
 eyre = "= 0.6.12"
+forwarded-header-value = "= 0.1.1"
+futures = "= 0.3.32"
+glob = "= 0.3.3"
+ipnet = { version = "= 2.12.0", features = ["serde"] }
+json-subscriber = "= 0.2.8"
+nix = { version = "= 0.31.2", features = ["signal"] }
+notify = "= 8.2.0"
+pin-project-lite = "= 0.2.17"
 regex = "= 1.12.3"
 reqwest = { version = "= 0.13.2", features = [
  "form",
@@ -36,17 +59,54 @@ reqwest-middleware = { version = "= 0.5.1", features = [
  "rustls",
 ] }
 rustls = { version = "= 0.23.37", features = ["fips"] }
+sentry = { version = "= 0.47.0", default-features = false, features = [
+  "backtrace",
+  "contexts",
+  "debug-images",
+  "panic",
+  "rustls",
+  "reqwest",
+  "tower",
+  "tracing",
+] }
 serde = { version = "= 1.0.228", features = ["derive"] }
 serde_json = "= 1.0.149"
 serde_repr = "= 0.1.20"
 serde_with = { version = "= 3.18.0", default-features = false, features = [
  "base64",
 ] }
-tokio = { version = "= 1.50.0", features = ["full"] }
+sqlx = { version = "= 0.8.6", default-features = false, features = [
+  "runtime-tokio",
+  "tls-rustls-aws-lc-rs",
+  "postgres",
+  "derive",
+  "macros",
+  "uuid",
+  "chrono",
+  "ipnet",
+  "json",
+] }
+tempfile = "= 3.27.0"
+thiserror = "= 2.0.18"
+time = { version = "= 0.3.47", features = ["macros"] }
+tokio = { version = "= 1.51.1", features = ["full", "tracing"] }
+tokio-rustls = "= 0.26.4"
 tokio-util = { version = "= 0.7.18", features = ["full"] }
+tower = "= 0.5.3"
+tower-http = { version = "= 0.6.8", features = ["timeout"] }
+tracing = "= 0.1.44"
+tracing-error = "= 0.2.1"
+tracing-subscriber = { version = "= 0.3.23", features = [
+  "env-filter",
+  "json",
+  "local-time",
+  "tracing-log",
+] }
 url = "= 2.5.8"
 uuid = { version = "= 1.23.0", features = ["serde", "v4"] }

+ak-common = { package = "authentik-common", version = "2026.5.0-rc1", path = "./packages/ak-common", default-features = false }
+
 [profile.dev.package.backtrace]
 opt-level = 3

@@ -89,12 +149,20 @@ perf = { priority = -1, level = "warn" }
 style = { priority = -1, level = "warn" }
 suspicious = { priority = -1, level = "warn" }
 ### and disable the ones we don't want
+### cargo group
+multiple_crate_versions = "allow"
 ### pedantic group
+missing_errors_doc = "allow"
+missing_panics_doc = "allow"
+must_use_candidate = "allow"
 redundant_closure_for_method_calls = "allow"
+struct_field_names = "allow"
 too_many_lines = "allow"
 ### nursery
-redundant_pub_crate = "allow"
+missing_const_for_fn = "allow"
 option_if_let_else = "allow"
+redundant_pub_crate = "allow"
+significant_drop_tightening = "allow"
 ### restriction group
 allow_attributes = "warn"
 allow_attributes_without_reason = "warn"
@@ -107,7 +175,6 @@ create_dir = "warn"
 dbg_macro = "warn"
 default_numeric_fallback = "warn"
 disallowed_script_idents = "warn"
-doc_paragraphs_missing_punctuation = "warn"
 empty_drop = "warn"
 empty_enum_variants_with_brackets = "warn"
 empty_structs_with_brackets = "warn"
--- a/17
+++ b/17
@@ -74,6 +74,7 @@ rust-test:  ## Run the Rust tests

 test: ## Run the server tests and produce a coverage report (locally)
 	$(UV) run coverage run manage.py test --keepdb $(or $(filter-out $@,$(MAKECMDGOALS)),authentik)
+	$(UV) run coverage combine
 	$(UV) run coverage html
 	$(UV) run coverage report

@@ -143,8 +144,14 @@ dev-create-db:
 dev-reset: dev-drop-db dev-create-db migrate  ## Drop and restore the Authentik PostgreSQL instance to a "fresh install" state.

 update-test-mmdb:  ## Update test GeoIP and ASN Databases
-	curl -L https://raw.githubusercontent.com/maxmind/MaxMind-DB/refs/heads/main/test-data/GeoLite2-ASN-Test.mmdb -o ${PWD}/tests/GeoLite2-ASN-Test.mmdb
-	curl -L https://raw.githubusercontent.com/maxmind/MaxMind-DB/refs/heads/main/test-data/GeoLite2-City-Test.mmdb -o ${PWD}/tests/GeoLite2-City-Test.mmdb
+	curl \
+		-L \
+		-o ${PWD}/tests/geoip/GeoLite2-ASN-Test.mmdb \
+		https://raw.githubusercontent.com/maxmind/MaxMind-DB/refs/heads/main/test-data/GeoLite2-ASN-Test.mmdb
+	curl \
+		-L \
+		-o ${PWD}/tests/geoip/GeoLite2-City-Test.mmdb \
+		https://raw.githubusercontent.com/maxmind/MaxMind-DB/refs/heads/main/test-data/GeoLite2-City-Test.mmdb

 bump:  ## Bump authentik version. Usage: make bump version=20xx.xx.xx
 ifndef version
@@ -153,6 +160,7 @@ endif
 	$(eval current_version := $(shell cat ${PWD}/internal/constants/VERSION))
 	$(SED_INPLACE) 's/^version = ".*"/version = "$(version)"/' ${PWD}/pyproject.toml
 	$(SED_INPLACE) 's/^VERSION = ".*"/VERSION = "$(version)"/' ${PWD}/authentik/__init__.py
+	$(SED_INPLACE) "s/version = \"${current_version}\"/version = \"$(version)\"" ${PWD}/Cargo.toml ${PWD}/Cargo.lock
 	$(MAKE) gen-build gen-compose aws-cfn
 	$(SED_INPLACE) "s/\"${current_version}\"/\"$(version)\"/" ${PWD}/package.json ${PWD}/package-lock.json ${PWD}/web/package.json ${PWD}/web/package-lock.json
 	echo -n $(version) > ${PWD}/internal/constants/VERSION
@@ -284,7 +292,7 @@ docs-api-build:
 	npm run --prefix website -w api build

 docs-api-watch:  ## Build and watch the API documentation
-	npm run --prefix website -w api build:api
+	npm run --prefix website -w api generate
 	npm run --prefix website -w api start

 docs-api-clean: ## Clean generated API documentation
@@ -342,6 +350,7 @@ ci-lint-clippy: ci--meta-debug
 	$(CARGO) clippy --workspace -- -D warnings

 ci-test: ci--meta-debug
-	$(UV) run coverage run manage.py test --keepdb authentik
+	$(UV) run coverage run manage.py test --keepdb --parallel auto authentik
+	$(UV) run coverage combine
 	$(UV) run coverage report
 	$(UV) run coverage xml
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -18,10 +18,10 @@ Even if the issue is not a CVE, we still greatly appreciate your help in hardeni

 (.x being the latest patch release for each version)

-| Version    | Supported  |
-| ---------- | ---------- |
-| 2025.12.x  | ✅         |
-| 2026.2.x   | ✅         |
+| Version   | Supported |
+| --------- | --------- |
+| 2025.12.x | ✅        |
+| 2026.2.x  | ✅        |

 ## Reporting a Vulnerability

@@ -60,6 +60,40 @@ authentik reserves the right to reclassify CVSS as necessary. To determine sever
 | 7.0 – 8.9  | High     |
 | 9.0 – 10.0 | Critical |

+## Intended functionality
+
+The following capabilities are part of intentional system design and should not be reported as security vulnerabilities:
+
+- Expressions (property mappings/policies/prompts) can execute arbitrary Python code without safeguards.
+
+This is expected behavior. Any user with permission to create or modify objects containing expression fields can write code that is executed within authentik. If a vulnerability allows a user without the required permissions to write or modify code and have it executed, that would be a valid security report.
+
+However, the fact that expressions are executed as part of normal operations is not considered a privilege escalation or security vulnerability.
+
+- Blueprints can access all files on the filesystem.
+
+This access is intentional to allow legitimate configuration and deployment tasks. It does not represent a security problem by itself.
+
+- Importing blueprints allows arbitrary modification of application objects.
+
+This is intended functionality. This behavior reflects the privileged design of blueprint imports. It is "exploitable" when importing blueprints from untrusted sources without reviewing the blueprint beforehand. However, any method to create, modify or execute blueprints without the required permissions would be a valid security report.
+
+- Flow imports may contain objects other than flows (such as policies, users, groups, etc.)
+
+This is expected behavior as flow imports are blueprint files.
+
+- Prompt HTML is not escaped.
+
+Prompts intentionally allow raw HTML, including script tags, so they can be used to create interactive or customized user interface elements. Because of this, scripts within prompts may affect or interact with the surrounding page as designed.
+
+- Open redirects that do not include tokens or other sensitive information are not considered a security vulnerability.
+
+Redirects that only change navigation flow and do not expose session tokens, API keys, or other confidential data are considered acceptable and do not require reporting.
+
+- Outgoing network requests are not filtered.
+
+The destinations of outgoing network requests (HTTP, TCP, etc.) made by authentik to configurable endpoints through objects such as OAuth Sources, SSO Providers, and others are not validated. Depending on your threat model, these requests should be restricted at the network level using appropriate firewall or network policies.
+
 ## Disclosure process

 1. Report from Github or Issue is reported via Email as listed above.
--- a/authentik/api/pagination.py
+++ b/authentik/api/pagination.py
@@ -1,10 +1,18 @@
 """Pagination which includes total pages and current page"""

+from typing import TYPE_CHECKING
+
 from drf_spectacular.plumbing import build_object_type
 from rest_framework import pagination
 from rest_framework.response import Response

+from authentik.api.search.ql import QLSearch
 from authentik.api.v3.schema.pagination import PAGINATION
+from authentik.api.v3.schema.search import AUTOCOMPLETE_SCHEMA
+
+if TYPE_CHECKING:
+    from django.db.models import QuerySet
+    from rest_framework.request import Request


 class Pagination(pagination.PageNumberPagination):
@@ -13,14 +21,14 @@ class Pagination(pagination.PageNumberPagination):
    page_query_param = "page"
    page_size_query_param = "page_size"

-    def get_page_size(self, request):
+    def get_page_size(self, request: Request) -> int:
        if self.page_size_query_param in request.query_params:
            page_size = super().get_page_size(request)
            if page_size is not None:
                return min(super().get_page_size(request), request.tenant.pagination_max_page_size)
        return request.tenant.pagination_default_page_size

-    def get_paginated_response(self, data):
+    def get_paginated_response(self, data) -> Response:
        previous_page_number = 0
        if self.page.has_previous():
            previous_page_number = self.page.previous_page_number()
@@ -39,16 +47,33 @@ class Pagination(pagination.PageNumberPagination):
                    "end_index": self.page.end_index(),
                },
                "results": data,
+                "autocomplete": self.get_autocomplete(),
            }
        )

+    def paginate_queryset(self, queryset: QuerySet, request: Request, view=None):
+        self.view = view
+        return super().paginate_queryset(queryset, request, view)
+
+    def get_autocomplete(self):
+        schema = QLSearch().get_schema(self.request, self.view)
+        introspections = {}
+        if hasattr(self.view, "get_ql_fields"):
+            from authentik.api.search.schema import AKQLSchemaSerializer
+
+            introspections = AKQLSchemaSerializer().serialize(
+                schema(self.page.paginator.object_list.model)
+            )
+        return introspections
+
    def get_paginated_response_schema(self, schema):
        return build_object_type(
            properties={
                "pagination": PAGINATION.ref,
                "results": schema,
+                "autocomplete": AUTOCOMPLETE_SCHEMA.ref,
            },
-            required=["pagination", "results"],
+            required=["pagination", "results", "autocomplete"],
        )


--- a/authentik/enterprise/search/init.py
+++ b/authentik/enterprise/search/init.py
--- a/authentik/enterprise/search/fields.py
+++ b/authentik/enterprise/search/fields.py
--- a/authentik/enterprise/search/ql.py
+++ b/authentik/enterprise/search/ql.py
@@ -1,25 +1,17 @@
 """DjangoQL search"""

-from django.apps import apps
 from django.db.models import QuerySet
 from djangoql.ast import Name
 from djangoql.exceptions import DjangoQLError
 from djangoql.queryset import apply_search
 from djangoql.schema import DjangoQLSchema
-from drf_spectacular.plumbing import ResolvedComponent, build_object_type
 from rest_framework.filters import SearchFilter
 from rest_framework.request import Request
 from structlog.stdlib import get_logger

-from authentik.enterprise.search.fields import JSONSearchField
+from authentik.api.search.fields import JSONSearchField

 LOGGER = get_logger()
-AUTOCOMPLETE_SCHEMA = ResolvedComponent(
-    name="Autocomplete",
-    object="Autocomplete",
-    type=ResolvedComponent.SCHEMA,
-    schema=build_object_type(additionalProperties={}),
-)


 class BaseSchema(DjangoQLSchema):
@@ -48,10 +40,6 @@ class QLSearch(SearchFilter):
        super().__init__()
        self._fallback = SearchFilter()

-    @property
-    def enabled(self):
-        return apps.get_app_config("authentik_enterprise").enabled()
-
    def get_search_terms(self, request: Request) -> str:
        """Search terms are set by a ?search=... query parameter,
        and may be comma and/or whitespace delimited."""
@@ -73,7 +61,7 @@ class QLSearch(SearchFilter):
    def filter_queryset(self, request: Request, queryset: QuerySet, view) -> QuerySet:
        search_query = self.get_search_terms(request)
        schema = self.get_schema(request, view)
-        if len(search_query) == 0 or not self.enabled:
+        if len(search_query) == 0:
            return self._fallback.filter_queryset(request, queryset, view)
        try:
            return apply_search(queryset, search_query, schema=schema)
--- a/authentik/enterprise/search/schema.py
+++ b/authentik/enterprise/search/schema.py
@@ -1,8 +1,6 @@
 from djangoql.serializers import DjangoQLSchemaSerializer
-from drf_spectacular.generators import SchemaGenerator

-from authentik.enterprise.search.fields import JSONSearchField
-from authentik.enterprise.search.ql import AUTOCOMPLETE_SCHEMA
+from authentik.api.search.fields import JSONSearchField


 class AKQLSchemaSerializer(DjangoQLSchemaSerializer):
@@ -20,9 +18,3 @@ class AKQLSchemaSerializer(DjangoQLSchemaSerializer):
        if isinstance(field, JSONSearchField):
            result["relation"] = field.relation()
        return result
-
-
-def postprocess_schema_search_autocomplete(result, generator: SchemaGenerator, **kwargs):
-    generator.registry.register_on_missing(AUTOCOMPLETE_SCHEMA)
-
-    return result
--- a/authentik/enterprise/search/tests.py
+++ b/authentik/enterprise/search/tests.py
@@ -1,5 +1,4 @@
 from json import loads
-from unittest.mock import PropertyMock, patch
 from urllib.parse import urlencode

 from django.urls import reverse
@@ -8,10 +7,6 @@ from rest_framework.test import APITestCase
 from authentik.core.tests.utils import create_test_admin_user


-@patch(
-    "authentik.enterprise.audit.middleware.EnterpriseAuditMiddleware.enabled",
-    PropertyMock(return_value=True),
-)
 class QLTest(APITestCase):

    def setUp(self):
--- a/authentik/api/v3/schema/search.py
+++ b/authentik/api/v3/schema/search.py
@@ -0,0 +1,20 @@
+from typing import TYPE_CHECKING
+
+from drf_spectacular.plumbing import ResolvedComponent, build_object_type
+
+if TYPE_CHECKING:
+    from drf_spectacular.generators import SchemaGenerator
+
+
+AUTOCOMPLETE_SCHEMA = ResolvedComponent(
+    name="Autocomplete",
+    object="Autocomplete",
+    type=ResolvedComponent.SCHEMA,
+    schema=build_object_type(additionalProperties={}),
+)
+
+
+def postprocess_schema_search_autocomplete(result, generator: SchemaGenerator, **kwargs):
+    generator.registry.register_on_missing(AUTOCOMPLETE_SCHEMA)
+
+    return result
--- a/authentik/blueprints/api.py
+++ b/authentik/blueprints/api.py
@@ -1,24 +1,60 @@
 """Serializer mixin for managed models"""

+from typing import cast
+
+from django.conf import settings
+from django.core.files.uploadedfile import InMemoryUploadedFile
 from django.utils.translation import gettext_lazy as _
 from drf_spectacular.utils import extend_schema, inline_serializer
 from rest_framework.decorators import action
-from rest_framework.exceptions import ValidationError
-from rest_framework.fields import CharField, DateTimeField
+from rest_framework.exceptions import PermissionDenied, ValidationError
+from rest_framework.fields import (
+    BooleanField,
+    CharField,
+    DateTimeField,
+    FileField,
+)
+from rest_framework.parsers import MultiPartParser
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.serializers import ListSerializer
 from rest_framework.viewsets import ModelViewSet

+from authentik.api.validation import validate
 from authentik.blueprints.models import BlueprintInstance
+from authentik.blueprints.v1.common import Blueprint
 from authentik.blueprints.v1.importer import Importer
 from authentik.blueprints.v1.oci import OCI_PREFIX
 from authentik.blueprints.v1.tasks import apply_blueprint, blueprints_find_dict
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import JSONDictField, ModelSerializer, PassiveSerializer
+from authentik.core.models import User
+from authentik.events.logs import LogEventSerializer
 from authentik.rbac.decorators import permission_required


+def get_blueprints():
+    if settings.DEBUG:
+        return blueprints_find_dict()
+    return blueprints_find_dict.send().get_result(block=True)
+
+
+class BlueprintUploadSerializer(PassiveSerializer):
+    """Serializer to upload file"""
+
+    file = FileField(required=False)
+    path = CharField(required=False)
+
+    def validate_path(self, path: str) -> str:
+        """Ensure the path (if set) specified is retrievable"""
+        if path == "":
+            return path
+        files: list[dict] = get_blueprints()
+        if path not in [file["path"] for file in files]:
+            raise ValidationError(_("Blueprint file does not exist"))
+        return path
+
+
 class ManagedSerializer:
    """Managed Serializer"""

@@ -39,7 +75,7 @@ class BlueprintInstanceSerializer(ModelSerializer):
        """Ensure the path (if set) specified is retrievable"""
        if path == "" or path.startswith(OCI_PREFIX):
            return path
-        files: list[dict] = blueprints_find_dict.send().get_result(block=True)
+        files: list[dict] = get_blueprints()
        if path not in [file["path"] for file in files]:
            raise ValidationError(_("Blueprint file does not exist"))
        return path
@@ -88,6 +124,33 @@ class BlueprintInstanceSerializer(ModelSerializer):
        }


+def check_blueprint_perms(blueprint: Blueprint, user: User, explicit_action: str | None = None):
+    """Check for individual permissions for each model in a blueprint"""
+    for entry in blueprint.entries:
+        full_model = entry.get_model(blueprint)
+        app, __, model = full_model.partition(".")
+        perms = [
+            f"{app}.add_{model}",
+            f"{app}.change_{model}",
+            f"{app}.delete_{model}",
+        ]
+        if explicit_action:
+            perms = [f"{app}.{explicit_action}_{model}"]
+        for perm in perms:
+            if not user.has_perm(perm):
+                raise PermissionDenied(
+                    {
+                        entry.id: _(
+                            "User lacks permission to create {model}".format_map(
+                                {
+                                    "model": full_model,
+                                }
+                            )
+                        )
+                    }
+                )
+
+
 class BlueprintInstanceViewSet(UsedByMixin, ModelViewSet):
    """Blueprint instances"""

@@ -97,6 +160,12 @@ class BlueprintInstanceViewSet(UsedByMixin, ModelViewSet):
    filterset_fields = ["name", "path"]
    ordering = ["name"]

+    class BlueprintImportResultSerializer(PassiveSerializer):
+        """Logs of an attempted blueprint import"""
+
+        logs = LogEventSerializer(many=True, read_only=True)
+        success = BooleanField(read_only=True)
+
    @extend_schema(
        responses={
            200: ListSerializer(
@@ -115,7 +184,7 @@ class BlueprintInstanceViewSet(UsedByMixin, ModelViewSet):
    @action(detail=False, pagination_class=None, filter_backends=[])
    def available(self, request: Request) -> Response:
        """Get blueprints"""
-        files: list[dict] = blueprints_find_dict.send().get_result(block=True)
+        files: list[dict] = get_blueprints()
        return Response(files)

    @permission_required("authentik_blueprints.view_blueprintinstance")
@@ -131,3 +200,53 @@ class BlueprintInstanceViewSet(UsedByMixin, ModelViewSet):
        blueprint = self.get_object()
        apply_blueprint.send_with_options(args=(blueprint.pk,), rel_obj=blueprint)
        return self.retrieve(request, *args, **kwargs)
+
+    @extend_schema(
+        request={"multipart/form-data": BlueprintUploadSerializer},
+        responses={
+            204: BlueprintImportResultSerializer,
+            400: BlueprintImportResultSerializer,
+        },
+    )
+    @action(url_path="import", detail=False, methods=["POST"], parser_classes=(MultiPartParser,))
+    @validate(
+        BlueprintUploadSerializer,
+    )
+    def import_(self, request: Request, body: BlueprintUploadSerializer) -> Response:
+        """Import blueprint from .yaml file and apply it once, without creating an instance"""
+        string_contents = ""
+        if body.validated_data.get("file"):
+            file = cast(InMemoryUploadedFile, body.validated_data["file"])
+            string_contents = file.read().decode()
+        elif body.validated_data.get("path"):
+            string_contents = BlueprintInstance(
+                path=body.validated_data.get("path")
+            ).retrieve_file()
+        else:
+            raise ValidationError("Either path or file must be set")
+        importer = Importer.from_string(string_contents)
+
+        check_blueprint_perms(importer.blueprint, request.user)
+
+        valid, logs = importer.validate()
+
+        import_response = self.BlueprintImportResultSerializer(
+            data={
+                "logs": [],
+                "success": False,
+            }
+        )
+        import_response.is_valid(raise_exception=True)
+
+        import_response.initial_data["logs"] = [LogEventSerializer(log).data for log in logs]
+        import_response.initial_data["success"] = valid
+        import_response.is_valid()
+        if not valid:
+            return Response(data=import_response.initial_data, status=200)
+
+        successful = importer.apply()
+        import_response.initial_data["success"] = successful
+        import_response.is_valid()
+        if not successful:
+            return Response(data=import_response.initial_data, status=200)
+        return Response(data=import_response.initial_data, status=200)
--- a/authentik/common/oauth/constants.py
+++ b/authentik/common/oauth/constants.py
@@ -21,6 +21,9 @@ PROMPT_CONSENT = "consent"
 PROMPT_LOGIN = "login"

 PLAN_CONTEXT_OIDC_LOGOUT_IFRAME_SESSIONS = "goauthentik.io/providers/oauth2/iframe_sessions"
+PLAN_CONTEXT_POST_LOGOUT_REDIRECT_URI = "goauthentik.io/providers/oauth2/post_logout_redirect_uri"
+
+OAUTH2_BINDING = "redirect"

 SCOPE_OPENID = "openid"
 SCOPE_OPENID_PROFILE = "profile"
@@ -37,6 +40,9 @@ TOKEN_TYPE = "Bearer"  # nosec

 SCOPE_AUTHENTIK_API = "goauthentik.io/api"

+# URI schemes that are forbidden for redirect URIs
+FORBIDDEN_URI_SCHEMES = {"javascript", "data", "vbscript"}
+
 # Read/write full user (including email)
 SCOPE_GITHUB_USER = "user"
 # Read user (without email)
--- a/authentik/core/api/applications.py
+++ b/authentik/core/api/applications.py
@@ -48,7 +48,12 @@ class ApplicationSerializer(ModelSerializer):
    """Application Serializer"""

    launch_url = SerializerMethodField()
-    provider_obj = ProviderSerializer(source="get_provider", required=False, read_only=True)
+    provider_obj = ProviderSerializer(
+        source="get_provider",
+        required=False,
+        read_only=True,
+        allow_null=True,
+    )
    backchannel_providers_obj = ProviderSerializer(
        source="backchannel_providers", required=False, read_only=True, many=True
    )
--- a/authentik/core/api/groups.py
+++ b/authentik/core/api/groups.py
@@ -7,6 +7,7 @@ from django.http import Http404
 from django.utils.translation import gettext as _
 from django_filters.filters import CharFilter, ModelMultipleChoiceFilter
 from django_filters.filterset import FilterSet
+from djangoql.schema import BoolField, StrField
 from drf_spectacular.utils import (
    OpenApiParameter,
    OpenApiResponse,
@@ -25,6 +26,9 @@ from rest_framework.serializers import ListSerializer, ValidationError
 from rest_framework.viewsets import ModelViewSet

 from authentik.api.authentication import TokenAuthentication
+from authentik.api.search.fields import (
+    JSONSearchField,
+)
 from authentik.api.validation import validate
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import JSONDictField, ModelSerializer, PassiveSerializer
@@ -265,12 +269,6 @@ class GroupViewSet(UsedByMixin, ModelViewSet):
    ]

    def get_ql_fields(self):
-        from djangoql.schema import BoolField, StrField
-
-        from authentik.enterprise.search.fields import (
-            JSONSearchField,
-        )
-
        return [
            StrField(Group, "name"),
            BoolField(Group, "is_superuser", nullable=True),
--- a/authentik/core/api/transactional_applications.py
+++ b/authentik/core/api/transactional_applications.py
@@ -2,9 +2,8 @@

 from django.apps import apps
 from django.db.models import Model
-from django.utils.translation import gettext as _
 from drf_spectacular.utils import PolymorphicProxySerializer, extend_schema, extend_schema_field
-from rest_framework.exceptions import PermissionDenied, ValidationError
+from rest_framework.exceptions import ValidationError
 from rest_framework.fields import BooleanField, CharField, ChoiceField, DictField, ListField
 from rest_framework.permissions import IsAuthenticated
 from rest_framework.request import Request
@@ -13,6 +12,7 @@ from rest_framework.views import APIView
 from yaml import ScalarNode

 from authentik.api.validation import validate
+from authentik.blueprints.api import check_blueprint_perms
 from authentik.blueprints.v1.common import (
    Blueprint,
    BlueprintEntry,
@@ -165,21 +165,7 @@ class TransactionalApplicationView(APIView):
    def put(self, request: Request, body: TransactionApplicationSerializer) -> Response:
        """Convert data into a blueprint, validate it and apply it"""
        blueprint: Blueprint = body.validated_data
-        for entry in blueprint.entries:
-            full_model = entry.get_model(blueprint)
-            app, __, model = full_model.partition(".")
-            if not request.user.has_perm(f"{app}.add_{model}"):
-                raise PermissionDenied(
-                    {
-                        entry.id: _(
-                            "User lacks permission to create {model}".format_map(
-                                {
-                                    "model": full_model,
-                                }
-                            )
-                        )
-                    }
-                )
+        check_blueprint_perms(blueprint, request.user, explicit_action="add")
        importer = Importer(blueprint, {})
        applied = importer.apply()
        response = {"applied": False, "logs": []}
--- a/authentik/core/api/users.py
+++ b/authentik/core/api/users.py
@@ -22,6 +22,7 @@ from django_filters.filters import (
    UUIDFilter,
 )
 from django_filters.filterset import FilterSet
+from djangoql.schema import BoolField, StrField
 from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import (
    OpenApiParameter,
@@ -55,6 +56,10 @@ from rest_framework.viewsets import ModelViewSet
 from structlog.stdlib import get_logger

 from authentik.api.authentication import TokenAuthentication
+from authentik.api.search.fields import (
+    ChoiceSearchField,
+    JSONSearchField,
+)
 from authentik.api.validation import validate
 from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT
 from authentik.brands.models import Brand
@@ -524,13 +529,6 @@ class UserViewSet(
    ]

    def get_ql_fields(self):
-        from djangoql.schema import BoolField, StrField
-
-        from authentik.enterprise.search.fields import (
-            ChoiceSearchField,
-            JSONSearchField,
-        )
-
        return [
            StrField(User, "username"),
            StrField(User, "name"),
--- a/authentik/core/models.py
+++ b/authentik/core/models.py
@@ -796,11 +796,11 @@ class Application(SerializerModel, PolicyBindingModel):

    def backchannel_provider_for[T: Provider](self, provider_type: type[T], **kwargs) -> T | None:
        """Get Backchannel provider for a specific type"""
-        providers = self.backchannel_providers.filter(
+        provider: BackchannelProvider | None = self.backchannel_providers.filter(
            **{f"{provider_type._meta.model_name}__isnull": False},
            **kwargs,
-        )
-        return getattr(providers.first(), provider_type._meta.model_name)
+        ).first()
+        return getattr(provider, provider_type._meta.model_name) if provider else None

    def __str__(self):
        return str(self.name)
--- a/authentik/core/sessions.py
+++ b/authentik/core/sessions.py
@@ -72,6 +72,7 @@ class SessionStore(SessionBase):
            #                  and their descriptors fail to initialize (e.g., missing storage)
            # TypeError - can happen with incompatible pickled objects
            # If any of these happen, just return an empty dictionary (an empty session)
+            LOGGER.warning("Failed to decode session data", exc_info=True)
            pass
        return {}

--- a/authentik/endpoints/connectors/agent/api/enrollment_tokens.py
+++ b/authentik/endpoints/connectors/agent/api/enrollment_tokens.py
@@ -18,7 +18,10 @@ from authentik.rbac.decorators import permission_required
 class EnrollmentTokenSerializer(ModelSerializer):

    device_group_obj = DeviceAccessGroupSerializer(
-        source="device_group", read_only=True, required=False
+        source="device_group",
+        read_only=True,
+        required=False,
+        allow_null=True,
    )

    def __init__(self, *args, **kwargs) -> None:
--- a/authentik/enterprise/providers/ssf/api/providers.py
+++ b/authentik/enterprise/providers/ssf/api/providers.py
@@ -18,6 +18,10 @@ class SSFProviderSerializer(EnterpriseRequiredMixin, ProviderSerializer):
    ssf_url = SerializerMethodField()
    token_obj = TokenSerializer(source="token", required=False, read_only=True)

+    oidc_auth_providers_obj = ProviderSerializer(
+        read_only=True, source="oidc_auth_providers", many=True
+    )
+
    def get_ssf_url(self, instance: SSFProvider) -> str | None:
        request: Request = self._context.get("request")
        if not request:
@@ -45,8 +49,10 @@ class SSFProviderSerializer(EnterpriseRequiredMixin, ProviderSerializer):
            "signing_key",
            "token_obj",
            "oidc_auth_providers",
+            "oidc_auth_providers_obj",
            "ssf_url",
            "event_retention",
+            "push_verify_certificates",
        ]
        extra_kwargs = {}

@@ -54,7 +60,7 @@ class SSFProviderSerializer(EnterpriseRequiredMixin, ProviderSerializer):
 class SSFProviderViewSet(UsedByMixin, ModelViewSet):
    """SSFProvider Viewset"""

-    queryset = SSFProvider.objects.all()
+    queryset = SSFProvider.objects.all().prefetch_related("oidc_auth_providers")
    serializer_class = SSFProviderSerializer
    filterset_fields = {
        "application": ["isnull"],
--- a/authentik/enterprise/providers/ssf/api/streams.py
+++ b/authentik/enterprise/providers/ssf/api/streams.py
@@ -1,6 +1,7 @@
 """SSF Stream API Views"""

-from rest_framework.viewsets import ReadOnlyModelViewSet
+from rest_framework import mixins
+from rest_framework.viewsets import GenericViewSet

 from authentik.core.api.utils import ModelSerializer
 from authentik.enterprise.providers.ssf.api.providers import SSFProviderSerializer
@@ -16,6 +17,7 @@ class SSFStreamSerializer(ModelSerializer):
        model = Stream
        fields = [
            "pk",
+            "status",
            "provider",
            "provider_obj",
            "delivery_method",
@@ -27,7 +29,12 @@ class SSFStreamSerializer(ModelSerializer):
        ]


-class SSFStreamViewSet(ReadOnlyModelViewSet):
+class SSFStreamViewSet(
+    mixins.RetrieveModelMixin,
+    mixins.DestroyModelMixin,
+    mixins.ListModelMixin,
+    GenericViewSet,
+):
    """SSFStream Viewset"""

    queryset = Stream.objects.all()
--- a/authentik/enterprise/providers/ssf/migrations/0002_ssfprovider_push_verify_certificates_and_more.py
+++ b/authentik/enterprise/providers/ssf/migrations/0002_ssfprovider_push_verify_certificates_and_more.py
@@ -0,0 +1,43 @@
+# Generated by Django 5.2.12 on 2026-04-04 16:58
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_providers_ssf", "0001_initial"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="ssfprovider",
+            name="push_verify_certificates",
+            field=models.BooleanField(default=True),
+        ),
+        migrations.AddField(
+            model_name="stream",
+            name="authorization_header",
+            field=models.TextField(default=None, null=True),
+        ),
+        migrations.AddField(
+            model_name="stream",
+            name="status",
+            field=models.TextField(
+                choices=[("enabled", "Enabled"), ("paused", "Paused"), ("disabled", "Disabled")],
+                default="enabled",
+            ),
+        ),
+        migrations.AlterField(
+            model_name="stream",
+            name="delivery_method",
+            field=models.TextField(
+                choices=[
+                    ("https://schemas.openid.net/secevent/risc/delivery-method/push", "Risc Push"),
+                    ("https://schemas.openid.net/secevent/risc/delivery-method/poll", "Risc Poll"),
+                    ("urn:ietf:rfc:8935", "SSF RFC Push"),
+                    ("urn:ietf:rfc:8936", "SSF RFC Pull"),
+                ]
+            ),
+        ),
+    ]
--- a/authentik/enterprise/providers/ssf/models.py
+++ b/authentik/enterprise/providers/ssf/models.py
@@ -33,6 +33,8 @@ class DeliveryMethods(models.TextChoices):

    RISC_PUSH = "https://schemas.openid.net/secevent/risc/delivery-method/push"
    RISC_POLL = "https://schemas.openid.net/secevent/risc/delivery-method/poll"
+    RFC_PUSH = "urn:ietf:rfc:8935", _("SSF RFC Push")
+    RFC_PULL = "urn:ietf:rfc:8936", _("SSF RFC Pull")


 class SSFEventStatus(models.TextChoices):
@@ -43,6 +45,13 @@ class SSFEventStatus(models.TextChoices):
    SENT = "sent"


+class StreamStatus(models.TextChoices):
+
+    ENABLED = "enabled"
+    PAUSED = "paused"
+    DISABLED = "disabled"
+
+
 class SSFProvider(TasksModel, BackchannelProvider):
    """Shared Signals Framework provider to allow applications to
    receive user events from authentik."""
@@ -54,6 +63,8 @@ class SSFProvider(TasksModel, BackchannelProvider):
        help_text=_("Key used to sign the SSF Events."),
    )

+    push_verify_certificates = models.BooleanField(default=True)
+
    oidc_auth_providers = models.ManyToManyField(OAuth2Provider, blank=True, default=None)

    token = models.ForeignKey(Token, on_delete=models.CASCADE, null=True, default=None)
@@ -106,10 +117,14 @@ class Stream(models.Model):
    """SSF Stream"""

    uuid = models.UUIDField(default=uuid4, primary_key=True, editable=False)
+
+    status = models.TextField(choices=StreamStatus.choices, default=StreamStatus.ENABLED)
+
    provider = models.ForeignKey(SSFProvider, on_delete=models.CASCADE)

    delivery_method = models.TextField(choices=DeliveryMethods.choices)
    endpoint_url = models.TextField(null=True)
+    authorization_header = models.TextField(null=True, default=None)

    events_requested = ArrayField(models.TextField(choices=EventTypes.choices), default=list)
    format = models.TextField()
@@ -146,7 +161,7 @@ class Stream(models.Model):
        }

    def encode(self, data: dict) -> str:
-        headers = {}
+        headers = {"typ": "secevent+jwt"}
        if self.provider.signing_key:
            headers["kid"] = self.provider.signing_key.kid
        key, alg = self.provider.jwt_key
--- a/authentik/enterprise/providers/ssf/tasks.py
+++ b/authentik/enterprise/providers/ssf/tasks.py
@@ -16,6 +16,7 @@ from authentik.enterprise.providers.ssf.models import (
    SSFEventStatus,
    Stream,
    StreamEvent,
+    StreamStatus,
 )
 from authentik.lib.utils.http import get_http_session
 from authentik.lib.utils.time import timedelta_from_string
@@ -88,23 +89,42 @@ def send_ssf_event(stream_uuid: UUID, event_data: dict[str, Any]):
    self.set_uid(event.pk)
    if event.status == SSFEventStatus.SENT:
        return
-    if stream.delivery_method != DeliveryMethods.RISC_PUSH:
+    if stream.delivery_method not in [DeliveryMethods.RISC_PUSH, DeliveryMethods.RFC_PUSH]:
        return

+    headers = {"Content-Type": "application/secevent+jwt", "Accept": "application/json"}
+    if stream.authorization_header:
+        headers["Authorization"] = stream.authorization_header
    try:
        response = session.post(
            event.stream.endpoint_url,
            data=event.stream.encode(event.payload),
-            headers={"Content-Type": "application/secevent+jwt", "Accept": "application/json"},
+            headers=headers,
+            verify=stream.provider.push_verify_certificates,
+            timeout=180,
        )
        response.raise_for_status()
        event.status = SSFEventStatus.SENT
        event.save()
-        return
+        self.info("Event successfully sent", status=response.status_code)
+        # Cleanup, if we were the last pending message for this stream and it has been deleted
+        # (status=StreamStatus.DISABLED), then we can delete the stream
+        if (
+            not StreamEvent.objects.filter(
+                stream=stream,
+                status__in=[SSFEventStatus.PENDING_FAILED, SSFEventStatus.PENDING_NEW],
+            ).exists()
+            and stream.status == StreamStatus.DISABLED
+        ):
+            LOGGER.info(
+                "Deleting inactive stream as all pending messages were sent.", stream=stream
+            )
+            self.info("Deleting inactive stream as all pending messages were sent.")
+            stream.delete()
    except RequestException as exc:
-        LOGGER.warning("Failed to send SSF event", exc=exc)
+        LOGGER.warning("Failed to send SSF event", exc=exc, stream=stream)
        attrs = {}
-        if exc.response:
+        if exc.response is not None:
            attrs["response"] = {
                "content": exc.response.text,
                "status": exc.response.status_code,
@@ -113,5 +133,6 @@ def send_ssf_event(stream_uuid: UUID, event_data: dict[str, Any]):
        self.warning("Failed to send request", **attrs)
        # Re-up the expiry of the stream event
        event.expires = now() + timedelta_from_string(event.stream.provider.event_retention)
+        self.info(f"Event will be re-sent at {event.expires}")
        event.status = SSFEventStatus.PENDING_FAILED
        event.save()
--- a/authentik/enterprise/providers/ssf/tests/test_auth.py
+++ b/authentik/enterprise/providers/ssf/tests/test_auth.py
@@ -0,0 +1,170 @@
+import json
+from dataclasses import asdict
+
+from django.urls import reverse
+from django.utils import timezone
+from rest_framework.test import APITestCase
+
+from authentik.core.models import Application, Token, TokenIntents
+from authentik.core.tests.utils import (
+    create_test_admin_user,
+    create_test_cert,
+    create_test_flow,
+    create_test_user,
+)
+from authentik.enterprise.providers.ssf.models import (
+    SSFEventStatus,
+    SSFProvider,
+    Stream,
+    StreamEvent,
+)
+from authentik.lib.generators import generate_id
+from authentik.providers.oauth2.id_token import IDToken
+from authentik.providers.oauth2.models import AccessToken, OAuth2Provider
+
+
+class TestSSFAuth(APITestCase):
+    def setUp(self):
+        self.application = Application.objects.create(name=generate_id(), slug=generate_id())
+        self.provider = SSFProvider.objects.create(
+            name=generate_id(),
+            signing_key=create_test_cert(),
+            backchannel_application=self.application,
+        )
+
+    def test_stream_add_token(self):
+        """test stream add (token auth)"""
+        res = self.client.post(
+            reverse(
+                "authentik_providers_ssf:stream",
+                kwargs={"application_slug": self.application.slug},
+            ),
+            data={
+                "iss": "https://authentik.company/.well-known/ssf-configuration/foo/5",
+                "aud": ["https://app.authentik.company"],
+                "delivery": {
+                    "method": "https://schemas.openid.net/secevent/risc/delivery-method/push",
+                    "endpoint_url": "https://app.authentik.company",
+                },
+                "events_requested": [
+                    "https://schemas.openid.net/secevent/caep/event-type/credential-change",
+                    "https://schemas.openid.net/secevent/caep/event-type/session-revoked",
+                ],
+                "format": "iss_sub",
+            },
+            HTTP_AUTHORIZATION=f"Bearer {self.provider.token.key}",
+        )
+        self.assertEqual(res.status_code, 201)
+        stream = Stream.objects.filter(provider=self.provider).first()
+        self.assertIsNotNone(stream)
+        event = StreamEvent.objects.filter(stream=stream).first()
+        self.assertIsNotNone(event)
+        self.assertEqual(event.status, SSFEventStatus.PENDING_FAILED)
+        self.assertEqual(
+            event.payload["events"],
+            {"https://schemas.openid.net/secevent/ssf/event-type/verification": {"state": None}},
+        )
+
+    def test_stream_add_oidc(self):
+        """test stream add (oidc auth)"""
+        provider = OAuth2Provider.objects.create(
+            name=generate_id(),
+            authorization_flow=create_test_flow(),
+        )
+        self.application.provider = provider
+        self.application.save()
+        user = create_test_admin_user()
+        token = AccessToken.objects.create(
+            provider=provider,
+            user=user,
+            token=generate_id(),
+            auth_time=timezone.now(),
+            _scope="openid user profile",
+            _id_token=json.dumps(
+                asdict(
+                    IDToken("foo", "bar"),
+                )
+            ),
+        )
+
+        res = self.client.post(
+            reverse(
+                "authentik_providers_ssf:stream",
+                kwargs={"application_slug": self.application.slug},
+            ),
+            data={
+                "iss": "https://authentik.company/.well-known/ssf-configuration/foo/5",
+                "aud": ["https://app.authentik.company"],
+                "delivery": {
+                    "method": "https://schemas.openid.net/secevent/risc/delivery-method/push",
+                    "endpoint_url": "https://app.authentik.company",
+                },
+                "events_requested": [
+                    "https://schemas.openid.net/secevent/caep/event-type/credential-change",
+                    "https://schemas.openid.net/secevent/caep/event-type/session-revoked",
+                ],
+                "format": "iss_sub",
+            },
+            HTTP_AUTHORIZATION=f"Bearer {token.token}",
+        )
+        self.assertEqual(res.status_code, 201)
+        stream = Stream.objects.filter(provider=self.provider).first()
+        self.assertIsNotNone(stream)
+        event = StreamEvent.objects.filter(stream=stream).first()
+        self.assertIsNotNone(event)
+        self.assertEqual(event.status, SSFEventStatus.PENDING_FAILED)
+        self.assertEqual(
+            event.payload["events"],
+            {"https://schemas.openid.net/secevent/ssf/event-type/verification": {"state": None}},
+        )
+
+    def test_token_invalid(self):
+        res = self.client.post(
+            reverse(
+                "authentik_providers_ssf:stream",
+                kwargs={"application_slug": self.application.slug},
+            ),
+            data={
+                "iss": "https://authentik.company/.well-known/ssf-configuration/foo/5",
+                "aud": ["https://app.authentik.company"],
+                "delivery": {
+                    "method": "https://schemas.openid.net/secevent/risc/delivery-method/push",
+                    "endpoint_url": "https://app.authentik.company",
+                },
+                "events_requested": [
+                    "https://schemas.openid.net/secevent/caep/event-type/credential-change",
+                    "https://schemas.openid.net/secevent/caep/event-type/session-revoked",
+                ],
+                "format": "iss_sub",
+            },
+            HTTP_AUTHORIZATION=f"Bearer {self.provider.token.key}a",
+        )
+        # Response code needs to be 401 according to spec
+        self.assertEqual(res.status_code, 401)
+
+    def test_token_unrelated(self):
+        token = Token.objects.create(
+            identifier=generate_id(), user=create_test_user(), intent=TokenIntents.INTENT_API
+        )
+        res = self.client.post(
+            reverse(
+                "authentik_providers_ssf:stream",
+                kwargs={"application_slug": self.application.slug},
+            ),
+            data={
+                "iss": "https://authentik.company/.well-known/ssf-configuration/foo/5",
+                "aud": ["https://app.authentik.company"],
+                "delivery": {
+                    "method": "https://schemas.openid.net/secevent/risc/delivery-method/push",
+                    "endpoint_url": "https://app.authentik.company",
+                },
+                "events_requested": [
+                    "https://schemas.openid.net/secevent/caep/event-type/credential-change",
+                    "https://schemas.openid.net/secevent/caep/event-type/session-revoked",
+                ],
+                "format": "iss_sub",
+            },
+            HTTP_AUTHORIZATION=f"Bearer {token.key}",
+        )
+        # Response code needs to be 401 according to spec
+        self.assertEqual(res.status_code, 401)
--- a/authentik/enterprise/providers/ssf/tests/test_config.py
+++ b/authentik/enterprise/providers/ssf/tests/test_config.py
@@ -44,3 +44,15 @@ class TestConfiguration(APITestCase):
        self.assertEqual(res.status_code, 200)
        content = json.loads(res.content)
        self.assertEqual(content["spec_version"], "1_0-ID2")
+
+    def test_config_not_found(self):
+        """test SSF configuration (authenticated)"""
+        self.provider.delete()
+        res = self.client.get(
+            reverse(
+                "authentik_providers_ssf:configuration",
+                kwargs={"application_slug": self.application.slug},
+            ),
+            HTTP_AUTHORIZATION=f"Bearer {self.provider.token.key}",
+        )
+        self.assertEqual(res.status_code, 404)
--- a/authentik/enterprise/providers/ssf/tests/test_stream.py
+++ b/authentik/enterprise/providers/ssf/tests/test_stream.py
@@ -1,21 +1,18 @@
-import json
-from dataclasses import asdict
+from uuid import uuid4

 from django.urls import reverse
-from django.utils import timezone
 from rest_framework.test import APITestCase

 from authentik.core.models import Application
-from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow
+from authentik.core.tests.utils import create_test_cert
 from authentik.enterprise.providers.ssf.models import (
    SSFEventStatus,
    SSFProvider,
    Stream,
    StreamEvent,
+    StreamStatus,
 )
 from authentik.lib.generators import generate_id
-from authentik.providers.oauth2.id_token import IDToken
-from authentik.providers.oauth2.models import AccessToken, OAuth2Provider


 class TestStream(APITestCase):
@@ -87,29 +84,71 @@ class TestStream(APITestCase):
            {"delivery": {"method": ["Polling for SSF events is not currently supported."]}},
        )

-    def test_stream_add_oidc(self):
-        """test stream add (oidc auth)"""
-        provider = OAuth2Provider.objects.create(
-            name=generate_id(),
-            authorization_flow=create_test_flow(),
-        )
-        self.application.provider = provider
-        self.application.save()
-        user = create_test_admin_user()
-        token = AccessToken.objects.create(
-            provider=provider,
-            user=user,
-            token=generate_id(),
-            auth_time=timezone.now(),
-            _scope="openid user profile",
-            _id_token=json.dumps(
-                asdict(
-                    IDToken("foo", "bar"),
-                )
+    def test_stream_delete(self):
+        """delete stream"""
+        stream = Stream.objects.create(provider=self.provider)
+        res = self.client.delete(
+            reverse(
+                "authentik_providers_ssf:stream",
+                kwargs={"application_slug": self.application.slug},
            ),
+            HTTP_AUTHORIZATION=f"Bearer {self.provider.token.key}",
        )
+        self.assertEqual(res.status_code, 204)
+        stream.refresh_from_db()
+        self.assertEqual(stream.status, StreamStatus.DISABLED)

-        res = self.client.post(
+    def test_stream_get(self):
+        """get stream"""
+        Stream.objects.create(provider=self.provider)
+        res = self.client.get(
+            reverse(
+                "authentik_providers_ssf:stream",
+                kwargs={"application_slug": self.application.slug},
+            ),
+            HTTP_AUTHORIZATION=f"Bearer {self.provider.token.key}",
+        )
+        self.assertEqual(res.status_code, 200)
+
+    def test_stream_get_filter_query(self):
+        """get stream"""
+        other_stream = Stream.objects.create(provider=self.provider)
+        stream = Stream.objects.create(provider=self.provider)
+        res = self.client.get(
+            reverse(
+                "authentik_providers_ssf:stream",
+                kwargs={"application_slug": self.application.slug},
+            )
+            + f"?stream_id={stream.pk}",
+            HTTP_AUTHORIZATION=f"Bearer {self.provider.token.key}",
+        )
+        self.assertEqual(res.status_code, 200)
+        self.assertIn(str(stream.pk), res.content.decode())
+        self.assertNotIn(str(other_stream.pk), res.content.decode())
+
+    def test_stream_patch(self):
+        """patch stream"""
+        other_stream = Stream.objects.create(provider=self.provider)
+        stream = Stream.objects.create(provider=self.provider)
+        res = self.client.patch(
+            reverse(
+                "authentik_providers_ssf:stream",
+                kwargs={"application_slug": self.application.slug},
+            ),
+            data={
+                "delivery": {"endpoint_url": "https://localhost"},
+                "stream_id": str(stream.pk),
+            },
+            HTTP_AUTHORIZATION=f"Bearer {self.provider.token.key}",
+        )
+        self.assertEqual(res.status_code, 200)
+        self.assertIn(str(stream.pk), res.content.decode())
+        self.assertNotIn(str(other_stream.pk), res.content.decode())
+
+    def test_stream_put(self):
+        """put stream"""
+        stream = Stream.objects.create(provider=self.provider)
+        res = self.client.put(
            reverse(
                "authentik_providers_ssf:stream",
                kwargs={"application_slug": self.application.slug},
@@ -126,29 +165,63 @@ class TestStream(APITestCase):
                    "https://schemas.openid.net/secevent/caep/event-type/session-revoked",
                ],
                "format": "iss_sub",
+                "stream_id": str(stream.pk),
            },
-            HTTP_AUTHORIZATION=f"Bearer {token.token}",
-        )
-        self.assertEqual(res.status_code, 201)
-        stream = Stream.objects.filter(provider=self.provider).first()
-        self.assertIsNotNone(stream)
-        event = StreamEvent.objects.filter(stream=stream).first()
-        self.assertIsNotNone(event)
-        self.assertEqual(event.status, SSFEventStatus.PENDING_FAILED)
-        self.assertEqual(
-            event.payload["events"],
-            {"https://schemas.openid.net/secevent/ssf/event-type/verification": {"state": None}},
+            HTTP_AUTHORIZATION=f"Bearer {self.provider.token.key}",
        )
+        self.assertEqual(res.status_code, 200)
+        self.assertIn(str(stream.pk), res.content.decode())
+        stream.refresh_from_db()
+        self.assertEqual(stream.aud, ["https://app.authentik.company"])

-    def test_stream_delete(self):
-        """delete stream"""
+    def test_stream_verify(self):
+        """Test stream verify"""
        stream = Stream.objects.create(provider=self.provider)
-        res = self.client.delete(
+        res = self.client.post(
            reverse(
-                "authentik_providers_ssf:stream",
+                "authentik_providers_ssf:stream-verify",
                kwargs={"application_slug": self.application.slug},
            ),
+            data={
+                "stream_id": str(stream.pk),
+            },
            HTTP_AUTHORIZATION=f"Bearer {self.provider.token.key}",
        )
        self.assertEqual(res.status_code, 204)
-        self.assertFalse(Stream.objects.filter(pk=stream.pk).exists())
+
+    def test_stream_status(self):
+        """Test stream status"""
+        stream = Stream.objects.create(provider=self.provider)
+        res = self.client.get(
+            reverse(
+                "authentik_providers_ssf:stream-status",
+                kwargs={"application_slug": self.application.slug},
+            ),
+            data={
+                "stream_id": str(stream.pk),
+            },
+            HTTP_AUTHORIZATION=f"Bearer {self.provider.token.key}",
+        )
+        self.assertEqual(res.status_code, 200)
+        self.assertJSONEqual(
+            res.content,
+            {
+                "stream_id": str(stream.pk),
+                "status": str(stream.status),
+            },
+        )
+
+    def test_stream_status_not_found(self):
+        """Test stream status"""
+        Stream.objects.create(provider=self.provider)
+        res = self.client.get(
+            reverse(
+                "authentik_providers_ssf:stream-status",
+                kwargs={"application_slug": self.application.slug},
+            ),
+            data={
+                "stream_id": str(uuid4()),
+            },
+            HTTP_AUTHORIZATION=f"Bearer {self.provider.token.key}",
+        )
+        self.assertEqual(res.status_code, 404)
--- a/authentik/enterprise/providers/ssf/tests/test_tasks.py
+++ b/authentik/enterprise/providers/ssf/tests/test_tasks.py
@@ -0,0 +1,123 @@
+from jwt import decode_complete
+from requests_mock import Mocker
+from rest_framework.test import APITestCase
+
+from authentik.core.models import Application
+from authentik.core.tests.utils import create_test_cert
+from authentik.enterprise.providers.ssf.models import (
+    DeliveryMethods,
+    EventTypes,
+    SSFProvider,
+    Stream,
+    StreamStatus,
+)
+from authentik.enterprise.providers.ssf.tasks import send_ssf_event
+from authentik.lib.generators import generate_id
+from authentik.tasks.models import TaskLog
+
+
+class TestTasks(APITestCase):
+    def setUp(self):
+        self.application = Application.objects.create(name=generate_id(), slug=generate_id())
+        self.provider = SSFProvider.objects.create(
+            name=generate_id(),
+            signing_key=create_test_cert(),
+            backchannel_application=self.application,
+        )
+
+    def test_push_simple(self):
+        stream = Stream.objects.create(
+            provider=self.provider,
+            delivery_method=DeliveryMethods.RFC_PUSH,
+            endpoint_url="http://localhost/ssf-push",
+        )
+        event_data = stream.prepare_event_payload(
+            EventTypes.SET_VERIFICATION,
+            {"state": None},
+            sub_id={"format": "opaque", "id": str(stream.uuid)},
+        )
+        with Mocker() as mocker:
+            mocker.post("http://localhost/ssf-push", status_code=202)
+            send_ssf_event.send_with_options(
+                args=(stream.pk, event_data), rel_obj=stream.provider
+            ).get_result(block=True, timeout=1)
+        self.assertEqual(
+            mocker.request_history[0].headers["Content-Type"], "application/secevent+jwt"
+        )
+        jwt = decode_complete(mocker.request_history[0].body, options={"verify_signature": False})
+        self.assertEqual(jwt["header"]["typ"], "secevent+jwt")
+        self.assertIsNone(jwt["payload"]["events"][EventTypes.SET_VERIFICATION]["state"])
+
+    def test_push_auth(self):
+        auth = generate_id()
+        stream = Stream.objects.create(
+            provider=self.provider,
+            delivery_method=DeliveryMethods.RFC_PUSH,
+            endpoint_url="http://localhost/ssf-push",
+            authorization_header=auth,
+        )
+        event_data = stream.prepare_event_payload(
+            EventTypes.SET_VERIFICATION,
+            {"state": None},
+            sub_id={"format": "opaque", "id": str(stream.uuid)},
+        )
+        with Mocker() as mocker:
+            mocker.post("http://localhost/ssf-push", status_code=202)
+            send_ssf_event.send_with_options(
+                args=(stream.pk, event_data), rel_obj=stream.provider
+            ).get_result(block=True, timeout=1)
+        self.assertEqual(mocker.request_history[0].headers["Authorization"], auth)
+        self.assertEqual(
+            mocker.request_history[0].headers["Content-Type"], "application/secevent+jwt"
+        )
+        jwt = decode_complete(mocker.request_history[0].body, options={"verify_signature": False})
+        self.assertEqual(jwt["header"]["typ"], "secevent+jwt")
+        self.assertIsNone(jwt["payload"]["events"][EventTypes.SET_VERIFICATION]["state"])
+
+    def test_push_stream_disable(self):
+        auth = generate_id()
+        stream = Stream.objects.create(
+            provider=self.provider,
+            delivery_method=DeliveryMethods.RFC_PUSH,
+            endpoint_url="http://localhost/ssf-push",
+            authorization_header=auth,
+            status=StreamStatus.DISABLED,
+        )
+        event_data = stream.prepare_event_payload(
+            EventTypes.SET_VERIFICATION,
+            {"state": None},
+            sub_id={"format": "opaque", "id": str(stream.uuid)},
+        )
+        with Mocker() as mocker:
+            mocker.post("http://localhost/ssf-push", status_code=202)
+            send_ssf_event.send_with_options(
+                args=(stream.pk, event_data), rel_obj=stream.provider
+            ).get_result(block=True, timeout=1)
+        jwt = decode_complete(mocker.request_history[0].body, options={"verify_signature": False})
+        self.assertEqual(jwt["header"]["typ"], "secevent+jwt")
+        self.assertIsNone(jwt["payload"]["events"][EventTypes.SET_VERIFICATION]["state"])
+        self.assertFalse(Stream.objects.filter(pk=stream.pk).exists())
+
+    def test_push_error(self):
+        stream = Stream.objects.create(
+            provider=self.provider,
+            delivery_method=DeliveryMethods.RFC_PUSH,
+            endpoint_url="http://localhost/ssf-push",
+        )
+        event_data = stream.prepare_event_payload(
+            EventTypes.SET_VERIFICATION,
+            {"state": None},
+            sub_id={"format": "opaque", "id": str(stream.uuid)},
+        )
+        with Mocker() as mocker:
+            mocker.post("http://localhost/ssf-push", text="error", status_code=400)
+            send_ssf_event.send_with_options(
+                args=(stream.pk, event_data), rel_obj=stream.provider
+            ).get_result(block=True, timeout=1)
+        logs = (
+            TaskLog.objects.filter(task__actor_name=send_ssf_event.actor_name)
+            .order_by("timestamp")
+            .filter(event="Failed to send request")
+            .first()
+        )
+        self.assertEqual(logs.attributes, {"response": {"status": 400, "content": "error"}})
--- a/authentik/enterprise/providers/ssf/urls.py
+++ b/authentik/enterprise/providers/ssf/urls.py
@@ -6,7 +6,11 @@ from authentik.enterprise.providers.ssf.api.providers import SSFProviderViewSet
 from authentik.enterprise.providers.ssf.api.streams import SSFStreamViewSet
 from authentik.enterprise.providers.ssf.views.configuration import ConfigurationView
 from authentik.enterprise.providers.ssf.views.jwks import JWKSview
-from authentik.enterprise.providers.ssf.views.stream import StreamView
+from authentik.enterprise.providers.ssf.views.stream import (
+    StreamStatusView,
+    StreamVerifyView,
+    StreamView,
+)

 urlpatterns = [
    path(
@@ -24,6 +28,16 @@ urlpatterns = [
        StreamView.as_view(),
        name="stream",
    ),
+    path(
+        "application/ssf/<slug:application_slug>/stream/verify/",
+        StreamVerifyView.as_view(),
+        name="stream-verify",
+    ),
+    path(
+        "application/ssf/<slug:application_slug>/stream/status/",
+        StreamStatusView.as_view(),
+        name="stream-status",
+    ),
 ]

 api_urlpatterns = [
--- a/authentik/enterprise/providers/ssf/views/auth.py
+++ b/authentik/enterprise/providers/ssf/views/auth.py
@@ -64,3 +64,7 @@ class SSFTokenAuth(BaseAuthentication):
        if jwt_token:
            return (jwt_token.user, token)
        return None
+
+    # Required to correctly propagate a 401 header which the SSF spec requires
+    def authenticate_header(self, request):
+        return "SSF"
--- a/authentik/enterprise/providers/ssf/views/base.py
+++ b/authentik/enterprise/providers/ssf/views/base.py
@@ -1,10 +1,10 @@
-from django.http import HttpRequest
+from django.http import Http404, HttpRequest
 from rest_framework.permissions import IsAuthenticated
 from rest_framework.views import APIView
 from structlog.stdlib import BoundLogger, get_logger

 from authentik.core.models import Application
-from authentik.enterprise.providers.ssf.models import SSFProvider
+from authentik.enterprise.providers.ssf.models import SSFProvider, Stream, StreamStatus
 from authentik.enterprise.providers.ssf.views.auth import SSFTokenAuth


@@ -21,3 +21,18 @@ class SSFView(APIView):

    def get_authenticators(self):
        return [SSFTokenAuth(self)]
+
+
+class SSFStreamView(SSFView):
+    def get_object(self, any_status=False) -> Stream:
+        streams = Stream.objects.filter(provider=self.provider)
+        if not any_status:
+            streams = streams.filter(status__in=[StreamStatus.ENABLED, StreamStatus.PAUSED])
+        if "stream_id" in self.request.query_params:
+            streams = streams.filter(pk=self.request.query_params["stream_id"])
+        if "stream_id" in self.request.data:
+            streams = streams.filter(pk=self.request.data["stream_id"])
+        stream = streams.first()
+        if not stream:
+            raise Http404()
+        return stream
--- a/authentik/enterprise/providers/ssf/views/configuration.py
+++ b/authentik/enterprise/providers/ssf/views/configuration.py
@@ -47,9 +47,23 @@ class ConfigurationView(SSFView):
                    },
                )
            ),
-            "delivery_methods_supported": [
-                DeliveryMethods.RISC_PUSH,
-            ],
+            "verification_endpoint": self.request.build_absolute_uri(
+                reverse(
+                    "authentik_providers_ssf:stream-verify",
+                    kwargs={
+                        "application_slug": application.slug,
+                    },
+                )
+            ),
+            "status_endpoint": self.request.build_absolute_uri(
+                reverse(
+                    "authentik_providers_ssf:stream-status",
+                    kwargs={
+                        "application_slug": application.slug,
+                    },
+                )
+            ),
+            "delivery_methods_supported": [DeliveryMethods.RISC_PUSH, DeliveryMethods.RFC_PUSH],
            "authorization_schemes": [{"spec_urn": "urn:ietf:rfc:6749"}],
        }
        return JsonResponse(data)
--- a/authentik/enterprise/providers/ssf/views/stream.py
+++ b/authentik/enterprise/providers/ssf/views/stream.py
@@ -1,3 +1,5 @@
+from uuid import uuid4
+
 from django.http import HttpRequest
 from django.urls import reverse
 from rest_framework.exceptions import PermissionDenied, ValidationError
@@ -13,9 +15,10 @@ from authentik.enterprise.providers.ssf.models import (
    EventTypes,
    SSFProvider,
    Stream,
+    StreamStatus,
 )
 from authentik.enterprise.providers.ssf.tasks import send_ssf_events
-from authentik.enterprise.providers.ssf.views.base import SSFView
+from authentik.enterprise.providers.ssf.views.base import SSFStreamView

 LOGGER = get_logger()

@@ -23,6 +26,7 @@ LOGGER = get_logger()
 class StreamDeliverySerializer(PassiveSerializer):
    method = ChoiceField(choices=[(x.value, x.value) for x in DeliveryMethods])
    endpoint_url = CharField(required=False)
+    authorization_header = CharField(required=False)

    def validate_method(self, method: DeliveryMethods):
        """Currently only push is supported"""
@@ -31,7 +35,7 @@ class StreamDeliverySerializer(PassiveSerializer):
        return method

    def validate(self, attrs: dict) -> dict:
-        if attrs["method"] == DeliveryMethods.RISC_PUSH:
+        if attrs.get("method") in [DeliveryMethods.RISC_PUSH, DeliveryMethods.RFC_PUSH]:
            if not attrs.get("endpoint_url"):
                raise ValidationError("Endpoint URL is required when using push.")
        return attrs
@@ -42,8 +46,8 @@ class StreamSerializer(ModelSerializer):
    events_requested = ListField(
        child=ChoiceField(choices=[(x.value, x.value) for x in EventTypes])
    )
-    format = CharField()
-    aud = ListField(child=CharField())
+    format = CharField(default="iss_sub")
+    aud = ListField(child=CharField(), allow_empty=True, default=list)

    def create(self, validated_data):
        provider: SSFProvider = validated_data["provider"]
@@ -58,15 +62,19 @@ class StreamSerializer(ModelSerializer):
        )
        # Ensure that streams always get SET verification events sent to them
        validated_data["events_requested"].append(EventTypes.SET_VERIFICATION)
+        stream_id = uuid4()
+        default_aud = f"goauthentik.io/providers/ssf/{str(stream_id)}"
        return super().create(
            {
                "delivery_method": validated_data["delivery"]["method"],
                "endpoint_url": validated_data["delivery"].get("endpoint_url"),
+                "authorization_header": validated_data["delivery"].get("authorization_header"),
                "format": validated_data["format"],
                "provider": validated_data["provider"],
                "events_requested": validated_data["events_requested"],
-                "aud": validated_data["aud"],
+                "aud": validated_data["aud"] or [default_aud],
                "iss": iss,
+                "pk": stream_id,
            }
        )

@@ -101,7 +109,14 @@ class StreamResponseSerializer(PassiveSerializer):
        return [x.value for x in EventTypes]


-class StreamView(SSFView):
+class StreamView(SSFStreamView):
+
+    def get(self, request: Request, *args, **kwargs):
+        stream = self.get_object()
+        return Response(
+            StreamResponseSerializer(instance=stream, context={"request": request}).data
+        )
+
    @validate(StreamSerializer)
    def post(self, request: Request, *args, body: StreamSerializer, **kwargs) -> Response:
        if not request.user.has_perm("authentik_providers_ssf.add_stream", self.provider):
@@ -109,6 +124,8 @@ class StreamView(SSFView):
                "User does not have permission to create stream for this provider."
            )
        instance: Stream = body.save(provider=self.provider)
+
+        LOGGER.info("Sending verification event", stream=instance)
        send_ssf_events(
            EventTypes.SET_VERIFICATION,
            {
@@ -120,10 +137,56 @@ class StreamView(SSFView):
        response = StreamResponseSerializer(instance=instance, context={"request": request}).data
        return Response(response, status=201)

+    def patch(self, request: Request, *args, **kwargs) -> Response:
+        stream = self.get_object()
+        serializer = StreamSerializer(stream, data=request.data, partial=True)
+        serializer.is_valid(raise_exception=True)
+        serializer.save()
+        response = StreamResponseSerializer(
+            instance=serializer.instance, context={"request": request}
+        ).data
+        return Response(response, status=200)
+
+    def put(self, request: Request, *args, **kwargs) -> Response:
+        stream = self.get_object()
+        serializer = StreamSerializer(stream, data=request.data)
+        serializer.is_valid(raise_exception=True)
+        serializer.save()
+        response = StreamResponseSerializer(
+            instance=serializer.instance, context={"request": request}
+        ).data
+        return Response(response, status=200)
+
    def delete(self, request: Request, *args, **kwargs) -> Response:
-        streams = Stream.objects.filter(provider=self.provider)
-        # Technically this parameter is required by the spec...
-        if "stream_id" in request.query_params:
-            streams = streams.filter(stream_id=request.query_params["stream_id"])
-        streams.delete()
+        stream = self.get_object()
+        stream.status = StreamStatus.DISABLED
+        stream.save()
        return Response(status=204)
+
+
+class StreamVerifyView(SSFStreamView):
+
+    def post(self, request: Request, *args, **kwargs):
+        stream = self.get_object()
+        state = request.data.get("state", None)
+        send_ssf_events(
+            EventTypes.SET_VERIFICATION,
+            {
+                "state": state,
+            },
+            stream_filter={"pk": stream.uuid},
+            sub_id={"format": "opaque", "id": str(stream.uuid)},
+        )
+        return Response(status=204)
+
+
+class StreamStatusView(SSFStreamView):
+
+    def get(self, request: Request, *args, **kwargs):
+        stream = self.get_object(any_status=True)
+        return Response(
+            {
+                "stream_id": str(stream.pk),
+                "status": str(stream.status),
+            }
+        )
--- a/authentik/enterprise/search/apps.py
+++ b/authentik/enterprise/search/apps.py
@@ -1,12 +0,0 @@
-"""Enterprise app config"""
-
-from authentik.enterprise.apps import EnterpriseConfig
-
-
-class AuthentikEnterpriseSearchConfig(EnterpriseConfig):
-    """Enterprise app config"""
-
-    name = "authentik.enterprise.search"
-    label = "authentik_search"
-    verbose_name = "authentik Enterprise.Search"
-    default = True
--- a/authentik/enterprise/search/pagination.py
+++ b/authentik/enterprise/search/pagination.py
@@ -1,51 +0,0 @@
-from rest_framework.response import Response
-
-from authentik.api.pagination import Pagination
-from authentik.enterprise.search.ql import AUTOCOMPLETE_SCHEMA, QLSearch
-
-
-class AutocompletePagination(Pagination):
-
-    def paginate_queryset(self, queryset, request, view=None):
-        self.view = view
-        return super().paginate_queryset(queryset, request, view)
-
-    def get_autocomplete(self):
-        schema = QLSearch().get_schema(self.request, self.view)
-        introspections = {}
-        if hasattr(self.view, "get_ql_fields"):
-            from authentik.enterprise.search.schema import AKQLSchemaSerializer
-
-            introspections = AKQLSchemaSerializer().serialize(
-                schema(self.page.paginator.object_list.model)
-            )
-        return introspections
-
-    def get_paginated_response(self, data):
-        previous_page_number = 0
-        if self.page.has_previous():
-            previous_page_number = self.page.previous_page_number()
-        next_page_number = 0
-        if self.page.has_next():
-            next_page_number = self.page.next_page_number()
-        return Response(
-            {
-                "pagination": {
-                    "next": next_page_number,
-                    "previous": previous_page_number,
-                    "count": self.page.paginator.count,
-                    "current": self.page.number,
-                    "total_pages": self.page.paginator.num_pages,
-                    "start_index": self.page.start_index(),
-                    "end_index": self.page.end_index(),
-                },
-                "results": data,
-                "autocomplete": self.get_autocomplete(),
-            }
-        )
-
-    def get_paginated_response_schema(self, schema):
-        final_schema = super().get_paginated_response_schema(schema)
-        final_schema["properties"]["autocomplete"] = AUTOCOMPLETE_SCHEMA.ref
-        final_schema["required"].append("autocomplete")
-        return final_schema
--- a/authentik/enterprise/search/settings.py
+++ b/authentik/enterprise/search/settings.py
@@ -1,20 +0,0 @@
-SPECTACULAR_SETTINGS = {
-    "POSTPROCESSING_HOOKS": [
-        "authentik.api.v3.schema.response.postprocess_schema_register",
-        "authentik.api.v3.schema.response.postprocess_schema_responses",
-        "authentik.api.v3.schema.query.postprocess_schema_query_params",
-        "authentik.api.v3.schema.cleanup.postprocess_schema_remove_unused",
-        "authentik.enterprise.search.schema.postprocess_schema_search_autocomplete",
-        "authentik.api.v3.schema.enum.postprocess_schema_enums",
-    ],
-}
-
-REST_FRAMEWORK = {
-    "DEFAULT_PAGINATION_CLASS": "authentik.enterprise.search.pagination.AutocompletePagination",
-    "DEFAULT_FILTER_BACKENDS": [
-        "authentik.enterprise.search.ql.QLSearch",
-        "authentik.rbac.filters.ObjectFilter",
-        "django_filters.rest_framework.DjangoFilterBackend",
-        "rest_framework.filters.OrderingFilter",
-    ],
-}
--- a/authentik/enterprise/settings.py
+++ b/authentik/enterprise/settings.py
@@ -14,7 +14,6 @@ TENANT_APPS = [
    "authentik.enterprise.providers.ssf",
    "authentik.enterprise.providers.ws_federation",
    "authentik.enterprise.reports",
-    "authentik.enterprise.search",
    "authentik.enterprise.stages.authenticator_endpoint_gdtc",
    "authentik.enterprise.stages.mtls",
    "authentik.enterprise.stages.source",
--- a/authentik/enterprise/stages/mtls/stage.py
+++ b/authentik/enterprise/stages/mtls/stage.py
@@ -102,7 +102,7 @@ class MTLSStageView(ChallengeStageView):
            return []
        certs = []
        for cert in ftcc_raw.split(","):
-            certs.extend(self.__parse_single_cert(cert, ParseOptions.UNQUOTE, ParseOptions.FORMAT))
+            certs.extend(self.__parse_single_cert(cert, ParseOptions.FORMAT))
        return certs

    def _parse_cert_outpost(self) -> list[Certificate]:
--- a/authentik/enterprise/stages/mtls/tests/test_stage.py
+++ b/authentik/enterprise/stages/mtls/tests/test_stage.py
@@ -53,7 +53,7 @@ class MTLSStageTests(FlowTestCase):

    def _format_traefik(self, cert: str | None = None):
        cert = cert if cert else self.client_cert
-        return quote_plus(cert.replace(PEM_HEADER, "").replace(PEM_FOOTER, "").replace("\n", ""))
+        return cert.replace(PEM_HEADER, "").replace(PEM_FOOTER, "").replace("\n", "")

    def test_parse_xfcc(self):
        """Test authentik Proxy/Envoy's XFCC format"""
--- a/authentik/events/api/events.py
+++ b/authentik/events/api/events.py
@@ -11,6 +11,8 @@ from django.db.models.functions import TruncHour
 from django.db.models.query_utils import Q
 from django.utils.text import slugify
 from django.utils.timezone import now
+from djangoql.schema import DateTimeField as QLDateTimeFIeld
+from djangoql.schema import IntField, StrField
 from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import OpenApiParameter, extend_schema
 from guardian.shortcuts import get_objects_for_user
@@ -27,6 +29,7 @@ from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.viewsets import ModelViewSet

+from authentik.api.search.fields import ChoiceSearchField, JSONSearchField
 from authentik.api.validation import validate
 from authentik.core.api.object_types import TypeCreateSerializer
 from authentik.core.api.utils import ModelSerializer, PassiveSerializer
@@ -171,10 +174,6 @@ class EventViewSet(
    filterset_class = EventsFilter

    def get_ql_fields(self):
-        from djangoql.schema import DateTimeField, IntField, StrField
-
-        from authentik.enterprise.search.fields import ChoiceSearchField, JSONSearchField
-
        return [
            ChoiceSearchField(Event, "action"),
            StrField(Event, "event_uuid"),
@@ -216,7 +215,7 @@ class EventViewSet(
                    ),
                ),
            ),
-            DateTimeField(Event, "created", suggest_options=True),
+            QLDateTimeFIeld(Event, "created", suggest_options=True),
        ]

    @extend_schema(
--- a/authentik/events/migrations/0018_event_authentik_e_user_pk__idx.py
+++ b/authentik/events/migrations/0018_event_authentik_e_user_pk__idx.py
@@ -0,0 +1,17 @@
+# Generated by Django 5.2.12 on 2026-04-09 16:03
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_events", "0017_notificationtransport_webhook_ca"),
+    ]
+
+    operations = [
+        migrations.AddIndex(
+            model_name="event",
+            index=models.Index(models.F("user__pk"), name="authentik_e_user_pk__idx"),
+        ),
+    ]
--- a/authentik/events/models.py
+++ b/authentik/events/models.py
@@ -321,6 +321,10 @@ class Event(SerializerModel, ExpiringModel):
                models.F("context__authorized_application"),
                name="authentik_e_ctx_app__idx",
            ),
+            models.Index(
+                models.F("user__pk"),
+                name="authentik_e_user_pk__idx",
+            ),
        ]


@@ -456,7 +460,7 @@ class NotificationTransport(TasksModel, SerializerModel):
                response.raise_for_status()
            except RequestException as exc:
                raise NotificationTransportError(
-                    exc.response.text if exc.response else str(exc)
+                    exc.response.text if exc.response is not None else str(exc)
                ) from exc
            return [
                response.status_code,
@@ -519,7 +523,7 @@ class NotificationTransport(TasksModel, SerializerModel):
            response = get_http_session().post(self.webhook_url, json=body)
            response.raise_for_status()
        except RequestException as exc:
-            text = exc.response.text if exc.response else str(exc)
+            text = exc.response.text if exc.response is not None else str(exc)
            raise NotificationTransportError(text) from exc
        return [
            response.status_code,
--- a/authentik/flows/api/flows.py
+++ b/authentik/flows/api/flows.py
@@ -7,15 +7,18 @@ from django.utils.translation import gettext as _
 from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import OpenApiResponse, extend_schema
 from rest_framework.decorators import action
-from rest_framework.fields import BooleanField, FileField, ReadOnlyField, SerializerMethodField
-from rest_framework.parsers import MultiPartParser
+from rest_framework.fields import (
+    BooleanField,
+    FileField,
+    ReadOnlyField,
+    SerializerMethodField,
+)
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.viewsets import ModelViewSet
 from structlog.stdlib import get_logger

 from authentik.blueprints.v1.exporter import FlowExporter
-from authentik.blueprints.v1.importer import Importer
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import (
    CacheSerializer,
@@ -24,7 +27,6 @@ from authentik.core.api.utils import (
    PassiveSerializer,
    ThemedUrlsSerializer,
 )
-from authentik.events.logs import LogEventSerializer
 from authentik.flows.api.flows_diagram import FlowDiagram, FlowDiagramSerializer
 from authentik.flows.exceptions import FlowNonApplicableException
 from authentik.flows.models import Flow
@@ -106,13 +108,6 @@ class FlowSetSerializer(FlowSerializer):
        ]


-class FlowImportResultSerializer(PassiveSerializer):
-    """Logs of an attempted flow import"""
-
-    logs = LogEventSerializer(many=True, read_only=True)
-    success = BooleanField(read_only=True)
-
-
 class FlowViewSet(UsedByMixin, ModelViewSet):
    """Flow Viewset"""

@@ -146,59 +141,6 @@ class FlowViewSet(UsedByMixin, ModelViewSet):
        LOGGER.debug("Cleared flow cache", keys=len(keys))
        return Response(status=204)

-    @permission_required(
-        None,
-        [
-            "authentik_flows.add_flow",
-            "authentik_flows.change_flow",
-            "authentik_flows.add_flowstagebinding",
-            "authentik_flows.change_flowstagebinding",
-            "authentik_flows.add_stage",
-            "authentik_flows.change_stage",
-            "authentik_policies.add_policy",
-            "authentik_policies.change_policy",
-            "authentik_policies.add_policybinding",
-            "authentik_policies.change_policybinding",
-            "authentik_stages_prompt.add_prompt",
-            "authentik_stages_prompt.change_prompt",
-        ],
-    )
-    @extend_schema(
-        request={"multipart/form-data": FlowUploadSerializer},
-        responses={
-            204: FlowImportResultSerializer,
-            400: FlowImportResultSerializer,
-        },
-    )
-    @action(url_path="import", detail=False, methods=["POST"], parser_classes=(MultiPartParser,))
-    def import_flow(self, request: Request) -> Response:
-        """Import flow from .yaml file"""
-        import_response = FlowImportResultSerializer(
-            data={
-                "logs": [],
-                "success": False,
-            }
-        )
-        import_response.is_valid()
-        file = request.FILES.get("file", None)
-        if not file:
-            return Response(data=import_response.initial_data, status=400)
-
-        importer = Importer.from_string(file.read().decode())
-        valid, logs = importer.validate()
-        import_response.initial_data["logs"] = [LogEventSerializer(log).data for log in logs]
-        import_response.initial_data["success"] = valid
-        import_response.is_valid()
-        if not valid:
-            return Response(data=import_response.initial_data, status=200)
-
-        successful = importer.apply()
-        import_response.initial_data["success"] = successful
-        import_response.is_valid()
-        if not successful:
-            return Response(data=import_response.initial_data, status=200)
-        return Response(data=import_response.initial_data, status=200)
-
    @permission_required(
        "authentik_flows.export_flow",
        [
--- a/authentik/flows/stage.py
+++ b/authentik/flows/stage.py
@@ -15,6 +15,7 @@ from rest_framework.request import Request
 from sentry_sdk import start_span
 from structlog.stdlib import BoundLogger, get_logger

+from authentik.common.oauth.constants import PLAN_CONTEXT_POST_LOGOUT_REDIRECT_URI
 from authentik.core.models import Application, User
 from authentik.flows.challenge import (
    AccessDeniedChallenge,
@@ -300,7 +301,24 @@ class SessionEndStage(ChallengeStageView):
    that the user is likely to take after signing out of a provider."""

    def get_challenge(self, *args, **kwargs) -> Challenge:
+        # Check for OIDC post_logout_redirect_uri in context
+        post_logout_redirect_uri = self.executor.plan.context.get(
+            PLAN_CONTEXT_POST_LOGOUT_REDIRECT_URI
+        )
+
+        if post_logout_redirect_uri:
+            self.logger.debug(
+                "SessionEndStage redirecting to post_logout_redirect_uri",
+                redirect_url=post_logout_redirect_uri,
+            )
+            return RedirectChallenge(
+                data={
+                    "to": post_logout_redirect_uri,
+                },
+            )
+
        if not self.request.user.is_authenticated:
+            # User is logged out with no redirect URI - go to default
            return RedirectChallenge(
                data={
                    "to": reverse("authentik_core:root-redirect"),
--- a/authentik/flows/templates/if/flow.html
+++ b/authentik/flows/templates/if/flow.html
@@ -47,33 +47,23 @@
 {% block body %}
 <ak-skip-to-content></ak-skip-to-content>
 <ak-message-container></ak-message-container>
-
-<div class="pf-c-page__drawer">
-    <div class="pf-c-drawer pf-m-collapsed" id="flow-drawer">
-        <div class="pf-c-drawer__main">
-            <div class="pf-c-drawer__content">
-                <div class="pf-c-drawer__body">
-                        <ak-flow-executor
-                            slug="{{ flow.slug }}"
-                            class="pf-c-login"
-                            data-layout="{{ flow.layout|default:'stacked' }}"
-                            loading
-                        >
-                            {% include "base/placeholder.html" %}
-
-                            <ak-brand-links name="flow-links" slot="footer"></ak-brand-links>
-                        </ak-flow-executor>
-                    </div>
-                </div>
-
-                <ak-flow-inspector
-                    id="flow-inspector"
-                    data-registration="lazy"
-                    class="pf-c-drawer__panel pf-m-width-33"
-                    slug="{{ flow.slug }}"
-                ></ak-flow-inspector>
-            </div>
-        </div>
-    </div>
-</div>
+<ak-drawer id="flow-drawer">
+    <ak-flow-executor
+        slug="{{ flow.slug }}"
+        class="pf-c-login"
+        data-layout="{{ flow.layout|default:'stacked' }}"
+        loading
+    >
+        {% include "base/placeholder.html" %}
+        
+        <ak-brand-links name="flow-links" slot="footer"></ak-brand-links>
+    </ak-flow-executor>
+    
+    <ak-flow-inspector
+        slot="panel"
+        id="flow-inspector"
+        data-registration="lazy"
+        slug="{{ flow.slug }}"
+    ></ak-flow-inspector>
+</ak-drawer>
 {% endblock %}
--- a/authentik/lib/default.yml
+++ b/authentik/lib/default.yml
@@ -47,6 +47,7 @@ listen:
    - "[::]:9300"
  debug: 0.0.0.0:9900
  debug_py: 0.0.0.0:9901
+  debug_tokio: "[::]:6669"
  trusted_proxy_cidrs:
    - 127.0.0.0/8
    - 10.0.0.0/8
@@ -73,6 +74,19 @@ log_level: info
 log:
  http_headers:
    - User-Agent
+  rust_log:
+    "console_subscriber": info
+    "h2": info
+    "hyper_util": warn
+    "mio": info
+    "notify": info
+    "reqwest": info
+    "runtime": info
+    "rustls": info
+    "sqlx": info
+    "sqlx_postgres": info
+    "tokio": info
+    "tungstenite": info

 sessions:
  unauthenticated_age: days=1
--- a/authentik/lib/tests/utils.py
+++ b/authentik/lib/tests/utils.py
@@ -4,12 +4,15 @@ from inspect import currentframe
 from pathlib import Path


-def load_fixture(path: str, **kwargs) -> str:
+def load_fixture(path: str, path_only=False, **kwargs) -> str:
    """Load fixture, optionally formatting it with kwargs"""
    current = currentframe()
    parent = current.f_back
    calling_file_path = parent.f_globals["__file__"]
-    with open(Path(calling_file_path).resolve().parent / Path(path), encoding="utf-8") as _fixture:
+    fixture_path = Path(calling_file_path).resolve().parent / Path(path)
+    if path_only:
+        return fixture_path
+    with open(fixture_path, encoding="utf-8") as _fixture:
        fixture = _fixture.read()
        try:
            return fixture % kwargs
--- a/authentik/policies/api/bindings.py
+++ b/authentik/policies/api/bindings.py
@@ -57,9 +57,11 @@ class PolicyBindingSerializer(ModelSerializer):
        required=True,
    )

-    policy_obj = PolicySerializer(required=False, read_only=True, source="policy")
-    group_obj = PartialGroupSerializer(required=False, read_only=True, source="group")
-    user_obj = PartialUserSerializer(required=False, read_only=True, source="user")
+    policy_obj = PolicySerializer(required=False, allow_null=True, read_only=True, source="policy")
+    group_obj = PartialGroupSerializer(
+        required=False, allow_null=True, read_only=True, source="group"
+    )
+    user_obj = PartialUserSerializer(required=False, allow_null=True, read_only=True, source="user")

    class Meta:
        model = PolicyBinding
--- a/authentik/providers/oauth2/api/providers.py
+++ b/authentik/providers/oauth2/api/providers.py
@@ -27,6 +27,7 @@ from authentik.providers.oauth2.models import (
    AccessToken,
    OAuth2Provider,
    RedirectURIMatchingMode,
+    RedirectURIType,
    ScopeMapping,
 )
 from authentik.rbac.decorators import permission_required
@@ -37,6 +38,9 @@ class RedirectURISerializer(PassiveSerializer):

    matching_mode = ChoiceField(choices=RedirectURIMatchingMode.choices)
    url = CharField()
+    redirect_uri_type = ChoiceField(
+        choices=RedirectURIType.choices, default=RedirectURIType.AUTHORIZATION, required=False
+    )


 class OAuth2ProviderSerializer(ProviderSerializer):
--- a/authentik/providers/oauth2/models.py
+++ b/authentik/providers/oauth2/models.py
@@ -97,6 +97,11 @@ class RedirectURIMatchingMode(models.TextChoices):
    REGEX = "regex", _("Regular Expression URL matching")


+class RedirectURIType(models.TextChoices):
+    AUTHORIZATION = "authorization", _("Authorization")
+    LOGOUT = "logout", _("Logout")
+
+
 class OAuth2LogoutMethod(models.TextChoices):
    """OAuth2/OIDC Logout methods"""

@@ -110,6 +115,7 @@ class RedirectURI:

    matching_mode: RedirectURIMatchingMode
    url: str
+    redirect_uri_type: RedirectURIType = RedirectURIType.AUTHORIZATION


 class ResponseTypes(models.TextChoices):
@@ -220,7 +226,6 @@ class OAuth2Provider(WebfingerProvider, Provider):
            "Frontchannel uses iframes in your browser"
        ),
    )
-
    include_claims_in_id_token = models.BooleanField(
        default=True,
        verbose_name=_("Include claims in id_token"),
@@ -343,7 +348,12 @@ class OAuth2Provider(WebfingerProvider, Provider):
                from_dict(
                    RedirectURI,
                    entry,
-                    config=Config(type_hooks={RedirectURIMatchingMode: RedirectURIMatchingMode}),
+                    config=Config(
+                        type_hooks={
+                            RedirectURIMatchingMode: RedirectURIMatchingMode,
+                            RedirectURIType: RedirectURIType,
+                        }
+                    ),
                )
            )
        return uris
@@ -355,10 +365,24 @@ class OAuth2Provider(WebfingerProvider, Provider):
            cleansed.append(asdict(entry))
        self._redirect_uris = cleansed

+    @property
+    def authorization_redirect_uris(self) -> list[RedirectURI]:
+        return [
+            uri
+            for uri in self.redirect_uris
+            if uri.redirect_uri_type == RedirectURIType.AUTHORIZATION
+        ]
+
+    @property
+    def post_logout_redirect_uris(self) -> list[RedirectURI]:
+        return [
+            uri for uri in self.redirect_uris if uri.redirect_uri_type == RedirectURIType.LOGOUT
+        ]
+
    @property
    def launch_url(self) -> str | None:
        """Guess launch_url based on first redirect_uri"""
-        redirects = self.redirect_uris
+        redirects = self.authorization_redirect_uris
        if len(redirects) < 1:
            return None
        main_url = redirects[0].url
--- a/authentik/providers/oauth2/signals.py
+++ b/authentik/providers/oauth2/signals.py
@@ -1,13 +1,13 @@
-from urllib.parse import parse_qs, urlencode, urlparse, urlunparse
-
 from django.db.models.signals import post_save, pre_delete
 from django.dispatch import receiver
 from structlog.stdlib import get_logger

-from authentik.common.oauth.constants import PLAN_CONTEXT_OIDC_LOGOUT_IFRAME_SESSIONS
+from authentik.common.oauth.constants import (
+    OAUTH2_BINDING,
+    PLAN_CONTEXT_OIDC_LOGOUT_IFRAME_SESSIONS,
+)
 from authentik.core.models import AuthenticatedSession, User
 from authentik.flows.models import in_memory_stage
-from authentik.outposts.tasks import hash_session_key
 from authentik.providers.iframe_logout import IframeLogoutStageView
 from authentik.providers.oauth2.models import (
    AccessToken,
@@ -16,6 +16,7 @@ from authentik.providers.oauth2.models import (
    RefreshToken,
 )
 from authentik.providers.oauth2.tasks import backchannel_logout_notification_dispatch
+from authentik.providers.oauth2.utils import build_frontchannel_logout_url
 from authentik.stages.user_logout.models import UserLogoutStage
 from authentik.stages.user_logout.stage import flow_pre_user_logout

@@ -51,43 +52,22 @@ def handle_flow_pre_user_logout(sender, request, user, executor, **kwargs):
        LOGGER.debug("No sessions requiring IFrame frontchannel logout")
        return

+    session_key = auth_session.session.session_key if auth_session.session else None
    oidc_sessions = []

    for token in oidc_access_tokens:
-        # Parse the logout URI and add query parameters
-        parsed_url = urlparse(token.provider.logout_uri)
-
-        query_params = {}
-        query_params["iss"] = token.provider.get_issuer(request)
-        if auth_session.session:
-            query_params["sid"] = hash_session_key(auth_session.session.session_key)
-
-        # Combine existing query params with new ones
-        if parsed_url.query:
-            existing_params = parse_qs(parsed_url.query, keep_blank_values=True)
-            for key, value in existing_params.items():
-                if key not in query_params:
-                    query_params[key] = value[0] if len(value) == 1 else value
-
-        # Build the final URL with query parameters
-        logout_url = urlunparse(
-            (
-                parsed_url.scheme,
-                parsed_url.netloc,
-                parsed_url.path,
-                parsed_url.params,
-                urlencode(query_params),
-                parsed_url.fragment,
+        logout_url = build_frontchannel_logout_url(token.provider, request, session_key)
+        if logout_url:
+            oidc_sessions.append(
+                {
+                    "url": logout_url,
+                    "provider_name": token.provider.name,
+                    "binding": OAUTH2_BINDING,
+                    "provider_type": (
+                        f"{token.provider._meta.app_label}.{token.provider._meta.model_name}"
+                    ),
+                }
            )
-        )
-
-        logout_data = {
-            "url": logout_url,
-            "provider_name": token.provider.name,
-            "binding": "redirect",
-            "provider_type": "oidc",
-        }
-        oidc_sessions.append(logout_data)

    if oidc_sessions:
        executor.plan.context[PLAN_CONTEXT_OIDC_LOGOUT_IFRAME_SESSIONS] = oidc_sessions
--- a/authentik/providers/oauth2/tests/test_end_session.py
+++ b/authentik/providers/oauth2/tests/test_end_session.py
@@ -0,0 +1,263 @@
+"""Test OAuth2 End Session (RP-Initiated Logout) implementation"""
+
+from django.test import RequestFactory
+from django.urls import reverse
+
+from authentik.core.models import Application
+from authentik.core.tests.utils import create_test_admin_user, create_test_brand, create_test_flow
+from authentik.lib.generators import generate_id
+from authentik.providers.oauth2.models import (
+    OAuth2Provider,
+    RedirectURI,
+    RedirectURIMatchingMode,
+    RedirectURIType,
+)
+from authentik.providers.oauth2.tests.utils import OAuthTestCase
+from authentik.providers.oauth2.views.end_session import EndSessionView
+
+
+class TestEndSessionView(OAuthTestCase):
+    """Test EndSessionView validation"""
+
+    def setUp(self) -> None:
+        super().setUp()
+        self.user = create_test_admin_user()
+        self.invalidation_flow = create_test_flow()
+        self.app = Application.objects.create(name=generate_id(), slug="test-app")
+        self.provider = OAuth2Provider.objects.create(
+            name=generate_id(),
+            authorization_flow=create_test_flow(),
+            invalidation_flow=self.invalidation_flow,
+            redirect_uris=[
+                RedirectURI(
+                    RedirectURIMatchingMode.STRICT,
+                    "http://testserver/callback",
+                    RedirectURIType.AUTHORIZATION,
+                ),
+                RedirectURI(
+                    RedirectURIMatchingMode.STRICT,
+                    "http://testserver/logout",
+                    RedirectURIType.LOGOUT,
+                ),
+                RedirectURI(
+                    RedirectURIMatchingMode.REGEX,
+                    r"https://.*\.example\.com/logout",
+                    RedirectURIType.LOGOUT,
+                ),
+            ],
+        )
+        self.app.provider = self.provider
+        self.app.save()
+        # Ensure brand has an invalidation flow
+        self.brand = create_test_brand()
+        self.brand.flow_invalidation = self.invalidation_flow
+        self.brand.save()
+
+    def test_post_logout_redirect_uri_strict_match(self):
+        """Test strict URI matching redirects to flow"""
+        self.client.force_login(self.user)
+        response = self.client.get(
+            reverse(
+                "authentik_providers_oauth2:end-session",
+                kwargs={"application_slug": self.app.slug},
+            ),
+            {"post_logout_redirect_uri": "http://testserver/logout"},
+            HTTP_HOST=self.brand.domain,
+        )
+        # Should redirect to the invalidation flow
+        self.assertEqual(response.status_code, 302)
+        self.assertIn(self.invalidation_flow.slug, response.url)
+
+    def test_post_logout_redirect_uri_strict_no_match(self):
+        """Test strict URI not matching still proceeds with flow (no redirect URI in context)"""
+        self.client.force_login(self.user)
+        invalid_uri = "http://testserver/other"
+        response = self.client.get(
+            reverse(
+                "authentik_providers_oauth2:end-session",
+                kwargs={"application_slug": self.app.slug},
+            ),
+            {"post_logout_redirect_uri": invalid_uri},
+            HTTP_HOST=self.brand.domain,
+        )
+        # Should still redirect to flow, but invalid URI should not be in response
+        self.assertEqual(response.status_code, 302)
+        self.assertNotIn(invalid_uri, response.url)
+
+    def test_post_logout_redirect_uri_regex_match(self):
+        """Test regex URI matching redirects to flow"""
+        self.client.force_login(self.user)
+        response = self.client.get(
+            reverse(
+                "authentik_providers_oauth2:end-session",
+                kwargs={"application_slug": self.app.slug},
+            ),
+            {"post_logout_redirect_uri": "https://app.example.com/logout"},
+            HTTP_HOST=self.brand.domain,
+        )
+        # Should redirect to the invalidation flow
+        self.assertEqual(response.status_code, 302)
+        self.assertIn(self.invalidation_flow.slug, response.url)
+
+    def test_post_logout_redirect_uri_regex_no_match(self):
+        """Test regex URI not matching"""
+        self.client.force_login(self.user)
+        invalid_uri = "https://malicious.com/logout"
+        response = self.client.get(
+            reverse(
+                "authentik_providers_oauth2:end-session",
+                kwargs={"application_slug": self.app.slug},
+            ),
+            {"post_logout_redirect_uri": invalid_uri},
+            HTTP_HOST=self.brand.domain,
+        )
+        # Should still proceed to flow, but invalid URI should not be in response
+        self.assertEqual(response.status_code, 302)
+        self.assertNotIn(invalid_uri, response.url)
+
+    def test_state_parameter_appended_to_uri(self):
+        """Test state parameter is appended to validated redirect URI"""
+        factory = RequestFactory()
+        request = factory.get(
+            "/end-session/",
+            {
+                "post_logout_redirect_uri": "http://testserver/logout",
+                "state": "test-state-123",
+            },
+        )
+        request.user = self.user
+        request.brand = self.brand
+
+        view = EndSessionView()
+        view.request = request
+        view.kwargs = {"application_slug": self.app.slug}
+        view.resolve_provider_application()
+
+        self.assertIn("state=test-state-123", view.post_logout_redirect_uri)
+
+    def test_post_method(self):
+        """Test POST requests work same as GET"""
+        self.client.force_login(self.user)
+        response = self.client.post(
+            reverse(
+                "authentik_providers_oauth2:end-session",
+                kwargs={"application_slug": self.app.slug},
+            ),
+            {
+                "post_logout_redirect_uri": "http://testserver/logout",
+                "state": "xyz789",
+            },
+            HTTP_HOST=self.brand.domain,
+        )
+        self.assertEqual(response.status_code, 302)
+
+
+class TestEndSessionAPI(OAuthTestCase):
+    """Test End Session API functionality"""
+
+    def setUp(self) -> None:
+        super().setUp()
+        self.user = create_test_admin_user()
+        self.client.force_login(self.user)
+
+    def test_post_logout_redirect_uris_create(self):
+        """Test creating provider with post_logout redirect_uris"""
+        response = self.client.post(
+            reverse("authentik_api:oauth2provider-list"),
+            data={
+                "name": generate_id(),
+                "authorization_flow": create_test_flow().pk,
+                "invalidation_flow": create_test_flow().pk,
+                "redirect_uris": [
+                    {
+                        "matching_mode": "strict",
+                        "url": "http://testserver/callback",
+                        "redirect_uri_type": "authorization",
+                    },
+                    {
+                        "matching_mode": "strict",
+                        "url": "http://testserver/logout",
+                        "redirect_uri_type": "logout",
+                    },
+                    {
+                        "matching_mode": "regex",
+                        "url": "https://.*\\.example\\.com/logout",
+                        "redirect_uri_type": "logout",
+                    },
+                ],
+            },
+            content_type="application/json",
+        )
+        self.assertEqual(response.status_code, 201)
+        provider_data = response.json()
+        post_logout_uris = [
+            u for u in provider_data["redirect_uris"] if u["redirect_uri_type"] == "logout"
+        ]
+        self.assertEqual(len(post_logout_uris), 2)
+
+    def test_post_logout_redirect_uris_invalid_regex(self):
+        """Test that invalid regex patterns are rejected"""
+        response = self.client.post(
+            reverse("authentik_api:oauth2provider-list"),
+            data={
+                "name": generate_id(),
+                "authorization_flow": create_test_flow().pk,
+                "invalidation_flow": create_test_flow().pk,
+                "redirect_uris": [
+                    {
+                        "matching_mode": "strict",
+                        "url": "http://testserver/callback",
+                        "redirect_uri_type": "authorization",
+                    },
+                    {
+                        "matching_mode": "regex",
+                        "url": "**invalid**",
+                        "redirect_uri_type": "logout",
+                    },
+                ],
+            },
+            content_type="application/json",
+        )
+        self.assertEqual(response.status_code, 400)
+        self.assertIn("redirect_uris", response.json())
+
+    def test_post_logout_redirect_uris_update(self):
+        """Test updating redirect_uris with logout type"""
+        # First create a provider
+        provider = OAuth2Provider.objects.create(
+            name=generate_id(),
+            authorization_flow=create_test_flow(),
+            redirect_uris=[
+                RedirectURI(
+                    RedirectURIMatchingMode.STRICT,
+                    "http://testserver/callback",
+                    RedirectURIType.AUTHORIZATION,
+                ),
+            ],
+        )
+
+        # Update with post_logout redirect URIs
+        response = self.client.patch(
+            reverse("authentik_api:oauth2provider-detail", kwargs={"pk": provider.pk}),
+            data={
+                "redirect_uris": [
+                    {
+                        "matching_mode": "strict",
+                        "url": "http://testserver/callback",
+                        "redirect_uri_type": "authorization",
+                    },
+                    {
+                        "matching_mode": "strict",
+                        "url": "http://testserver/logout",
+                        "redirect_uri_type": "logout",
+                    },
+                ],
+            },
+            content_type="application/json",
+        )
+        self.assertEqual(response.status_code, 200)
+
+        # Verify the update
+        provider.refresh_from_db()
+        self.assertEqual(len(provider.post_logout_redirect_uris), 1)
+        self.assertEqual(provider.post_logout_redirect_uris[0].url, "http://testserver/logout")
--- a/authentik/providers/oauth2/utils.py
+++ b/authentik/providers/oauth2/utils.py
@@ -7,7 +7,7 @@ from binascii import Error
 from hashlib import sha256
 from hmac import compare_digest
 from typing import Any
-from urllib.parse import unquote, urlparse
+from urllib.parse import parse_qs, unquote, urlencode, urlparse, urlunparse

 from django.http import HttpRequest, HttpResponse, JsonResponse
 from django.http.response import HttpResponseRedirect
@@ -267,3 +267,32 @@ def create_logout_token(
        payload["sid"] = hash_session_key(session_key)
    # Encode the token
    return provider.encode(payload, jwt_type="logout+jwt")
+
+
+def build_frontchannel_logout_url(
+    provider: OAuth2Provider,
+    request: HttpRequest,
+    session_key: str | None = None,
+) -> str | None:
+    """Build frontchannel logout URL with iss and sid parameters.
+
+    Returns None if provider doesn't have a logout_uri configured.
+    """
+    if not provider.logout_uri:
+        return None
+
+    parsed_url = urlparse(provider.logout_uri)
+
+    query_params = {"iss": provider.get_issuer(request)}
+    if session_key:
+        query_params["sid"] = hash_session_key(session_key)
+
+    # Preserve existing query params
+    if parsed_url.query:
+        existing_params = parse_qs(parsed_url.query, keep_blank_values=True)
+        for key, value in existing_params.items():
+            if key not in query_params:
+                query_params[key] = value[0] if len(value) == 1 else value
+
+    parsed_url = parsed_url._replace(query=urlencode(query_params))
+    return urlunparse(parsed_url)
--- a/authentik/providers/oauth2/views/authorize.py
+++ b/authentik/providers/oauth2/views/authorize.py
@@ -18,6 +18,7 @@ from django.utils.translation import gettext as _
 from structlog.stdlib import get_logger

 from authentik.common.oauth.constants import (
+    FORBIDDEN_URI_SCHEMES,
    PKCE_METHOD_PLAIN,
    PKCE_METHOD_S256,
    PROMPT_CONSENT,
@@ -60,6 +61,7 @@ from authentik.providers.oauth2.models import (
    OAuth2Provider,
    RedirectURI,
    RedirectURIMatchingMode,
+    RedirectURIType,
    ResponseMode,
    ResponseTypes,
    ScopeMapping,
@@ -78,7 +80,6 @@ PLAN_CONTEXT_PARAMS = "goauthentik.io/providers/oauth2/params"
 SESSION_KEY_LAST_LOGIN_UID = "authentik/providers/oauth2/last_login_uid"

 ALLOWED_PROMPT_PARAMS = {PROMPT_NONE, PROMPT_CONSENT, PROMPT_LOGIN}
-FORBIDDEN_URI_SCHEMES = {"javascript", "data", "vbscript"}


@dataclass(slots=True)
@@ -191,7 +192,7 @@ class OAuthAuthorizationParams:

    def check_redirect_uri(self):
        """Redirect URI validation."""
-        allowed_redirect_urls = self.provider.redirect_uris
+        allowed_redirect_urls = self.provider.authorization_redirect_uris
        if not self.redirect_uri:
            LOGGER.warning("Missing redirect uri.")
            raise RedirectUriError("", allowed_redirect_urls).with_cause("redirect_uri_missing")
@@ -199,10 +200,14 @@ class OAuthAuthorizationParams:
        if len(allowed_redirect_urls) < 1:
            LOGGER.info("Setting redirect for blank redirect_uris", redirect=self.redirect_uri)
            self.provider.redirect_uris = [
-                RedirectURI(RedirectURIMatchingMode.STRICT, self.redirect_uri)
+                RedirectURI(
+                    RedirectURIMatchingMode.STRICT,
+                    self.redirect_uri,
+                    RedirectURIType.AUTHORIZATION,
+                )
            ]
            self.provider.save()
-            allowed_redirect_urls = self.provider.redirect_uris
+            allowed_redirect_urls = self.provider.authorization_redirect_uris

        match_found = False
        for allowed in allowed_redirect_urls:
--- a/authentik/providers/oauth2/views/end_session.py
+++ b/authentik/providers/oauth2/views/end_session.py
@@ -1,20 +1,42 @@
 """oauth2 provider end_session Views"""

+from re import fullmatch
+from urllib.parse import quote, urlparse
+
 from django.http import Http404, HttpRequest, HttpResponse
 from django.shortcuts import get_object_or_404

-from authentik.core.models import Application
+from authentik.common.oauth.constants import (
+    FORBIDDEN_URI_SCHEMES,
+    OAUTH2_BINDING,
+    PLAN_CONTEXT_OIDC_LOGOUT_IFRAME_SESSIONS,
+    PLAN_CONTEXT_POST_LOGOUT_REDIRECT_URI,
+)
+from authentik.core.models import Application, AuthenticatedSession
 from authentik.flows.models import Flow, in_memory_stage
-from authentik.flows.planner import PLAN_CONTEXT_APPLICATION, FlowPlanner
+from authentik.flows.planner import (
+    PLAN_CONTEXT_APPLICATION,
+    FlowPlanner,
+)
 from authentik.flows.stage import SessionEndStage
 from authentik.flows.views.executor import SESSION_KEY_PLAN
-from authentik.policies.views import PolicyAccessView
+from authentik.lib.views import bad_request_message
+from authentik.policies.views import PolicyAccessView, RequestValidationError
+from authentik.providers.iframe_logout import IframeLogoutStageView
+from authentik.providers.oauth2.models import (
+    AccessToken,
+    OAuth2LogoutMethod,
+    RedirectURIMatchingMode,
+)
+from authentik.providers.oauth2.tasks import send_backchannel_logout_request
+from authentik.providers.oauth2.utils import build_frontchannel_logout_url


 class EndSessionView(PolicyAccessView):
-    """Redirect to application's provider's invalidation flow"""
+    """OIDC RP-Initiated Logout endpoint"""

    flow: Flow
+    post_logout_redirect_uri: str | None

    def resolve_provider_application(self):
        self.application = get_object_or_404(Application, slug=self.kwargs["application_slug"])
@@ -25,6 +47,38 @@ class EndSessionView(PolicyAccessView):
        if not self.flow:
            raise Http404

+        # Parse end session parameters
+        query_dict = self.request.POST if self.request.method == "POST" else self.request.GET
+        state = query_dict.get("state")
+        request_redirect_uri = query_dict.get("post_logout_redirect_uri")
+        self.post_logout_redirect_uri = None
+
+        # Validate post_logout_redirect_uri against registered URIs
+        if request_redirect_uri:
+            if urlparse(request_redirect_uri).scheme in FORBIDDEN_URI_SCHEMES:
+                raise RequestValidationError(
+                    bad_request_message(
+                        self.request,
+                        "Forbidden URI scheme in post_logout_redirect_uri",
+                    )
+                )
+            for allowed in self.provider.post_logout_redirect_uris:
+                if allowed.matching_mode == RedirectURIMatchingMode.STRICT:
+                    if request_redirect_uri == allowed.url:
+                        self.post_logout_redirect_uri = request_redirect_uri
+                        break
+                elif allowed.matching_mode == RedirectURIMatchingMode.REGEX:
+                    if fullmatch(allowed.url, request_redirect_uri):
+                        self.post_logout_redirect_uri = request_redirect_uri
+                        break
+
+        # Append state to the redirect URI if both are present
+        if self.post_logout_redirect_uri and state:
+            separator = "&" if "?" in self.post_logout_redirect_uri else "?"
+            self.post_logout_redirect_uri = (
+                f"{self.post_logout_redirect_uri}{separator}state={quote(state, safe='')}"
+            )
+
    # If IFrame provider logout happens when a saml provider has redirect
    # logout enabled, the flow won't make it back without this dispatch
    def dispatch(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
@@ -44,11 +98,80 @@ class EndSessionView(PolicyAccessView):
        """Dispatch the flow planner for the invalidation flow"""
        planner = FlowPlanner(self.flow)
        planner.allow_empty_flows = True
-        plan = planner.plan(
-            request,
-            {
-                PLAN_CONTEXT_APPLICATION: self.application,
-            },
+
+        # Build flow context with logout parameters
+        context = {
+            PLAN_CONTEXT_APPLICATION: self.application,
+        }
+
+        # Get session info for logout notifications and token invalidation
+        auth_session = AuthenticatedSession.from_request(request, request.user)
+
+        # Add validated redirect URI (with state appended) to context if available
+        if self.post_logout_redirect_uri:
+            context[PLAN_CONTEXT_POST_LOGOUT_REDIRECT_URI] = self.post_logout_redirect_uri
+            # Invalidate tokens for this provider/session (RP-initiated logout:
+            # user stays logged into authentik, only this provider's tokens are revoked)
+            if request.user.is_authenticated and auth_session:
+                AccessToken.objects.filter(
+                    user=request.user,
+                    provider=self.provider,
+                    session=auth_session,
+                ).delete()
+        session_key = (
+            auth_session.session.session_key if auth_session and auth_session.session else None
        )
+
+        # Handle frontchannel logout
+        frontchannel_logout_url = None
+        if self.provider.logout_method == OAuth2LogoutMethod.FRONTCHANNEL:
+            frontchannel_logout_url = build_frontchannel_logout_url(
+                self.provider, request, session_key
+            )
+
+        # Handle backchannel logout
+        if (
+            self.provider.logout_method == OAuth2LogoutMethod.BACKCHANNEL
+            and self.provider.logout_uri
+        ):
+            # Find access token to get iss and sub for the logout token
+            access_token = AccessToken.objects.filter(
+                user=request.user,
+                provider=self.provider,
+                session=auth_session,
+            ).first()
+            if access_token and access_token.id_token:
+                send_backchannel_logout_request.send(
+                    self.provider.pk,
+                    access_token.id_token.iss,
+                    access_token.id_token.sub,
+                    session_key,
+                )
+                # Delete the token to prevent duplicate backchannel logout
+                # when UserLogoutStage triggers the session deletion signal
+                access_token.delete()
+
+        if frontchannel_logout_url:
+            context[PLAN_CONTEXT_OIDC_LOGOUT_IFRAME_SESSIONS] = [
+                {
+                    "url": frontchannel_logout_url,
+                    "provider_name": self.provider.name,
+                    "binding": OAUTH2_BINDING,
+                    "provider_type": (
+                        f"{self.provider._meta.app_label}.{self.provider._meta.model_name}"
+                    ),
+                }
+            ]
+
+        plan = planner.plan(request, context)
+
+        # Inject iframe logout stage if frontchannel logout is configured
+        if frontchannel_logout_url:
+            plan.insert_stage(in_memory_stage(IframeLogoutStageView))
+
        plan.append_stage(in_memory_stage(SessionEndStage))
        return plan.to_redirect(self.request, self.flow)
+
+    def post(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
+        """Handle POST requests for logout (same as GET per OIDC spec)"""
+        return self.get(request, *args, **kwargs)
--- a/authentik/providers/oauth2/views/provider.py
+++ b/authentik/providers/oauth2/views/provider.py
@@ -74,6 +74,8 @@ class ProviderInfoView(View):
            ),
            "backchannel_logout_supported": True,
            "backchannel_logout_session_supported": True,
+            "frontchannel_logout_supported": True,
+            "frontchannel_logout_session_supported": True,
            "response_types_supported": [
                ResponseTypes.CODE,
                ResponseTypes.ID_TOKEN,
--- a/authentik/providers/oauth2/views/token.py
+++ b/authentik/providers/oauth2/views/token.py
@@ -241,7 +241,7 @@ class TokenParams:
            raise TokenError("invalid_grant")

    def __check_redirect_uri(self, request: HttpRequest):
-        allowed_redirect_urls = self.provider.redirect_uris
+        allowed_redirect_urls = self.provider.authorization_redirect_uris
        # At this point, no provider should have a blank redirect_uri, in case they do
        # this will check an empty array and raise an error

--- a/authentik/providers/saml/api/providers.py
+++ b/authentik/providers/saml/api/providers.py
@@ -232,8 +232,8 @@ class SAMLProviderSerializer(ProviderSerializer):
 class SAMLMetadataSerializer(PassiveSerializer):
    """SAML Provider Metadata serializer"""

-    metadata = CharField(read_only=True)
-    download_url = CharField(read_only=True, required=False)
+    metadata = CharField()
+    download_url = CharField(required=False, allow_null=True)


 class SAMLProviderImportSerializer(PassiveSerializer):
@@ -315,7 +315,7 @@ class SAMLProviderViewSet(UsedByMixin, ModelViewSet):
                return response
            return Response({"metadata": metadata}, content_type="application/json")
        except Provider.application.RelatedObjectDoesNotExist:
-            return Response({"metadata": ""}, content_type="application/json")
+            raise Http404 from None

    @permission_required(
        None,
--- a/authentik/providers/saml/tests/test_api.py
+++ b/authentik/providers/saml/tests/test_api.py
@@ -157,7 +157,7 @@ class TestSAMLProviderAPI(APITestCase):
        response = self.client.get(
            reverse("authentik_api:samlprovider-metadata", kwargs={"pk": provider.pk}),
        )
-        self.assertEqual(200, response.status_code)
+        self.assertEqual(404, response.status_code)
        response = self.client.get(
            reverse("authentik_api:samlprovider-metadata", kwargs={"pk": "abc"}),
        )
--- a/authentik/providers/saml/tests/test_idp_logout.py
+++ b/authentik/providers/saml/tests/test_idp_logout.py
@@ -5,6 +5,10 @@ from unittest.mock import Mock

 from django.test import RequestFactory, TestCase

+from authentik.common.oauth.constants import (
+    OAUTH2_BINDING,
+    PLAN_CONTEXT_OIDC_LOGOUT_IFRAME_SESSIONS,
+)
 from authentik.common.saml.constants import (
    RSA_SHA256,
    SAML_NAME_ID_FORMAT_EMAIL,
@@ -17,6 +21,7 @@ from authentik.providers.iframe_logout import (
    IframeLogoutChallenge,
    IframeLogoutStageView,
 )
+from authentik.providers.oauth2.models import OAuth2Provider
 from authentik.providers.saml.models import SAMLLogoutMethods, SAMLProvider
 from authentik.providers.saml.native_logout import (
    NativeLogoutChallenge,
@@ -295,14 +300,14 @@ class TestIframeLogoutStageView(TestCase):
            },
        ]
        # OIDC sessions (pre-processed)
-        from authentik.common.oauth.constants import PLAN_CONTEXT_OIDC_LOGOUT_IFRAME_SESSIONS
-
        plan.context[PLAN_CONTEXT_OIDC_LOGOUT_IFRAME_SESSIONS] = [
            {
                "url": "https://oidc.example.com/logout?iss=authentik&sid=abc123",
                "provider_name": "oidc-provider",
-                "binding": "redirect",
-                "provider_type": "oidc",
+                "binding": OAUTH2_BINDING,
+                "provider_type": (
+                    f"{OAuth2Provider._meta.app_label}" f".{OAuth2Provider._meta.model_name}"
+                ),
            },
        ]
        stage_view = IframeLogoutStageView(
--- a/authentik/providers/saml/tests/test_views_sp_slo.py
+++ b/authentik/providers/saml/tests/test_views_sp_slo.py
@@ -93,32 +93,33 @@ class TestSPInitiatedSLOViews(TestCase):
        self.assertEqual(logout_request.issuer, self.provider.issuer)
        self.assertEqual(logout_request.session_index, "test-session-123")

-    def test_redirect_view_handles_logout_response_with_relay_state(self):
-        """Test that redirect view handles logout response with RelayState"""
-        # Use raw URL (no encoding needed)
-        relay_state = "https://idp.example.com/flow/return"
+    def test_redirect_view_handles_logout_response_with_plan_context(self):
+        """Test that redirect view always redirects to plan context URL, ignoring RelayState"""
+        plan_relay_state = "https://idp.example.com/flow/return"

        # Create request with SAML logout response
        request = self.factory.get(
            f"/slo/redirect/{self.application.slug}/",
            {
                "SAMLResponse": "dummy-response",
-                "RelayState": relay_state,
+                "RelayState": "https://somewhere-else.example.com/return",
            },
        )
-        request.session = {}
+        plan = FlowPlan(flow_pk="test-flow")
+        plan.context[PLAN_CONTEXT_SAML_RELAY_STATE] = plan_relay_state
+        request.session = {SESSION_KEY_PLAN: plan}
        request.brand = self.brand

        view = SPInitiatedSLOBindingRedirectView()
        view.setup(request, application_slug=self.application.slug)
        response = view.dispatch(request, application_slug=self.application.slug)

-        # Should redirect to relay state URL
+        # Should redirect to plan context URL, not the request's RelayState
        self.assertEqual(response.status_code, 302)
-        self.assertEqual(response.url, relay_state)
+        self.assertEqual(response.url, plan_relay_state)

-    def test_redirect_view_handles_logout_response_plain_relay_state(self):
-        """Test that redirect view handles logout response with plain RelayState"""
+    def test_redirect_view_ignores_relay_state_without_plan(self):
+        """Test that redirect view ignores RelayState and falls back to root when no plan context"""
        relay_state = "https://sp.example.com/plain"

        # Create request with SAML logout response
@@ -136,9 +137,9 @@ class TestSPInitiatedSLOViews(TestCase):
        view.setup(request, application_slug=self.application.slug)
        response = view.dispatch(request, application_slug=self.application.slug)

-        # Should redirect to plain relay state
+        # Should ignore relay_state and redirect to root (no plan context)
        self.assertEqual(response.status_code, 302)
-        self.assertEqual(response.url, relay_state)
+        self.assertEqual(response.url, reverse("authentik_core:root-redirect"))

    def test_redirect_view_handles_logout_response_no_relay_state_with_plan_context(self):
        """Test that redirect view uses plan context fallback when no RelayState"""
@@ -230,29 +231,30 @@ class TestSPInitiatedSLOViews(TestCase):
        self.assertEqual(logout_request.issuer, self.provider.issuer)
        self.assertEqual(logout_request.session_index, "test-session-123")

-    def test_post_view_handles_logout_response_with_relay_state(self):
-        """Test that POST view handles logout response with RelayState"""
-        # Use raw URL (no encoding needed)
-        relay_state = "https://idp.example.com/flow/return"
+    def test_post_view_handles_logout_response_with_plan_context(self):
+        """Test that POST view always redirects to plan context URL, ignoring RelayState"""
+        plan_relay_state = "https://idp.example.com/flow/return"

        # Create POST request with SAML logout response
        request = self.factory.post(
            f"/slo/post/{self.application.slug}/",
            {
                "SAMLResponse": "dummy-response",
-                "RelayState": relay_state,
+                "RelayState": "https://somewhere-else.example.com/return",
            },
        )
-        request.session = {}
+        plan = FlowPlan(flow_pk="test-flow")
+        plan.context[PLAN_CONTEXT_SAML_RELAY_STATE] = plan_relay_state
+        request.session = {SESSION_KEY_PLAN: plan}
        request.brand = self.brand

        view = SPInitiatedSLOBindingPOSTView()
        view.setup(request, application_slug=self.application.slug)
        response = view.dispatch(request, application_slug=self.application.slug)

-        # Should redirect to relay state URL
+        # Should redirect to plan context URL, not the request's RelayState
        self.assertEqual(response.status_code, 302)
-        self.assertEqual(response.url, relay_state)
+        self.assertEqual(response.url, plan_relay_state)

    def test_post_view_handles_logout_response_no_relay_state_with_plan_context(self):
        """Test that POST view uses plan context fallback when no RelayState"""
@@ -419,7 +421,7 @@ class TestSPInitiatedSLOViews(TestCase):
            view.resolve_provider_application()

    def test_relay_state_decoding_failure(self):
-        """Test handling of RelayState that's a path"""
+        """Test that arbitrary path RelayState is ignored and redirects to root"""
        # Create request with relay state that is a path
        request = self.factory.get(
            f"/slo/redirect/{self.application.slug}/",
@@ -435,9 +437,73 @@ class TestSPInitiatedSLOViews(TestCase):
        view.setup(request, application_slug=self.application.slug)
        response = view.dispatch(request, application_slug=self.application.slug)

-        # Should treat it as plain URL and redirect to it
+        # Should ignore relay_state and redirect to root (no plan context)
        self.assertEqual(response.status_code, 302)
-        self.assertEqual(response.url, "/some/invalid/path")
+        self.assertEqual(response.url, reverse("authentik_core:root-redirect"))
+
+    def test_redirect_view_blocks_external_relay_state(self):
+        """Test that redirect view ignores external malicious URL and redirects to root"""
+        request = self.factory.get(
+            f"/slo/redirect/{self.application.slug}/",
+            {
+                "SAMLResponse": "dummy-response",
+                "RelayState": "https://evil.com/phishing",
+            },
+        )
+        request.session = {}
+        request.brand = self.brand
+
+        view = SPInitiatedSLOBindingRedirectView()
+        view.setup(request, application_slug=self.application.slug)
+        response = view.dispatch(request, application_slug=self.application.slug)
+
+        # Should ignore relay_state and redirect to root (no plan context)
+        self.assertEqual(response.status_code, 302)
+        self.assertEqual(response.url, reverse("authentik_core:root-redirect"))
+
+    def test_redirect_view_ignores_relay_state_uses_plan_context(self):
+        """Test that redirect view always uses plan context URL regardless of RelayState"""
+        plan_relay_state = "https://authentik.example.com/if/flow/logout/"
+
+        request = self.factory.get(
+            f"/slo/redirect/{self.application.slug}/",
+            {
+                "SAMLResponse": "dummy-response",
+                "RelayState": "https://evil.com/phishing",
+            },
+        )
+        plan = FlowPlan(flow_pk="test-flow")
+        plan.context[PLAN_CONTEXT_SAML_RELAY_STATE] = plan_relay_state
+        request.session = {SESSION_KEY_PLAN: plan}
+        request.brand = self.brand
+
+        view = SPInitiatedSLOBindingRedirectView()
+        view.setup(request, application_slug=self.application.slug)
+        response = view.dispatch(request, application_slug=self.application.slug)
+
+        # Should always use plan context value, ignoring malicious RelayState
+        self.assertEqual(response.status_code, 302)
+        self.assertEqual(response.url, plan_relay_state)
+
+    def test_post_view_ignores_external_relay_state(self):
+        """Test that POST view ignores external RelayState and redirects to root"""
+        request = self.factory.post(
+            f"/slo/post/{self.application.slug}/",
+            {
+                "SAMLResponse": "dummy-response",
+                "RelayState": "https://evil.com/phishing",
+            },
+        )
+        request.session = {}
+        request.brand = self.brand
+
+        view = SPInitiatedSLOBindingPOSTView()
+        view.setup(request, application_slug=self.application.slug)
+        response = view.dispatch(request, application_slug=self.application.slug)
+
+        # Should ignore relay_state and redirect to root (no plan context)
+        self.assertEqual(response.status_code, 302)
+        self.assertEqual(response.url, reverse("authentik_core:root-redirect"))


 class TestSPInitiatedSLOLogoutMethods(TestCase):
--- a/authentik/providers/saml/views/sp_slo.py
+++ b/authentik/providers/saml/views/sp_slo.py
@@ -41,6 +41,24 @@ from authentik.providers.saml.views.flows import (
 LOGGER = get_logger()


+def _get_redirect_url(request: HttpRequest, relay_state: str = "") -> str:
+    """Get the safe redirect URL from the plan context, logging a warning if the
+    incoming relay_state doesn't match the stored value."""
+    stored_relay_state = ""
+    if SESSION_KEY_PLAN in request.session:
+        plan: FlowPlan = request.session[SESSION_KEY_PLAN]
+        stored_relay_state = plan.context.get(PLAN_CONTEXT_SAML_RELAY_STATE, "")
+
+    if relay_state and relay_state != stored_relay_state:
+        LOGGER.warning(
+            "SAML logout relay_state mismatch, possible open redirect attempt",
+            received_relay_state=relay_state,
+            stored_relay_state=stored_relay_state,
+        )
+
+    return stored_relay_state
+
+
 class SPInitiatedSLOView(PolicyAccessView):
    """Handle SP-initiated SAML Single Logout requests"""

@@ -203,17 +221,9 @@ class SPInitiatedSLOBindingRedirectView(SPInitiatedSLOView):
        # IDP SLO, so we want to redirect to our next provider
        if REQUEST_KEY_SAML_RESPONSE in request.GET:
            relay_state = request.GET.get(REQUEST_KEY_RELAY_STATE, "")
-            if relay_state:
-                return redirect(relay_state)
-
-            # No RelayState provided, try to get return URL from plan context
-            if SESSION_KEY_PLAN in request.session:
-                plan: FlowPlan = request.session[SESSION_KEY_PLAN]
-                relay_state = plan.context.get(PLAN_CONTEXT_SAML_RELAY_STATE)
-                if relay_state:
-                    return redirect(relay_state)
-
-            # No relay state and no plan context - redirect to root
+            redirect_url = _get_redirect_url(request, relay_state)
+            if redirect_url:
+                return redirect(redirect_url)
            return redirect("authentik_core:root-redirect")

        # For SAML logout requests, use the parent dispatch with auth checks
@@ -254,17 +264,9 @@ class SPInitiatedSLOBindingPOSTView(SPInitiatedSLOView):
        # IDP SLO, so we want to redirect to our next provider
        if REQUEST_KEY_SAML_RESPONSE in request.POST:
            relay_state = request.POST.get(REQUEST_KEY_RELAY_STATE, "")
-            if relay_state:
-                return redirect(relay_state)
-
-            # No RelayState provided, try to get return URL from plan context
-            if SESSION_KEY_PLAN in request.session:
-                plan: FlowPlan = request.session[SESSION_KEY_PLAN]
-                relay_state = plan.context.get(PLAN_CONTEXT_SAML_RELAY_STATE)
-                if relay_state:
-                    return redirect(relay_state)
-
-            # No relay state and no plan context - redirect to root
+            redirect_url = _get_redirect_url(request, relay_state)
+            if redirect_url:
+                return redirect(redirect_url)
            return redirect("authentik_core:root-redirect")

        # For SAML logout requests, use the parent dispatch with auth checks
--- a/authentik/rbac/tests/test_api_permissions_roles.py
+++ b/authentik/rbac/tests/test_api_permissions_roles.py
@@ -49,6 +49,7 @@ class TestRBACPermissionRoles(APITestCase):
        self.assertJSONEqual(
            res.content,
            {
+                "autocomplete": {},
                "pagination": {
                    "next": 0,
                    "previous": 0,
--- a/authentik/root/settings.py
+++ b/authentik/root/settings.py
@@ -208,6 +208,7 @@ SPECTACULAR_SETTINGS = {
        "authentik.api.v3.schema.response.postprocess_schema_responses",
        "authentik.api.v3.schema.query.postprocess_schema_query_params",
        "authentik.api.v3.schema.cleanup.postprocess_schema_remove_unused",
+        "authentik.api.v3.schema.search.postprocess_schema_search_autocomplete",
        "authentik.api.v3.schema.enum.postprocess_schema_enums",
    ],
 }
@@ -215,10 +216,10 @@ SPECTACULAR_SETTINGS = {
 REST_FRAMEWORK = {
    "DEFAULT_PAGINATION_CLASS": "authentik.api.pagination.Pagination",
    "DEFAULT_FILTER_BACKENDS": [
+        "authentik.api.search.ql.QLSearch",
        "authentik.rbac.filters.ObjectFilter",
        "django_filters.rest_framework.DjangoFilterBackend",
        "rest_framework.filters.OrderingFilter",
-        "rest_framework.filters.SearchFilter",
    ],
    "DEFAULT_PERMISSION_CLASSES": ("authentik.rbac.permissions.ObjectPermissions",),
    "DEFAULT_AUTHENTICATION_CLASSES": (
--- a/authentik/root/test_plugin.py
+++ b/authentik/root/test_plugin.py
@@ -1,12 +1,15 @@
 import math
 from os import environ
 from ssl import OPENSSL_VERSION
+from time import monotonic
+from typing import TextIO

 import pytest
 from cryptography.hazmat.backends.openssl.backend import backend
+from pytest import Config, Item, TerminalReporter

 from authentik import authentik_full_version
-from tests.e2e.utils import get_local_ip
+from tests.decorators import get_local_ip

 IS_CI = "CI" in environ

@@ -29,7 +32,7 @@ def pytest_report_header(*_, **__):
    ]


-def pytest_collection_modifyitems(config: pytest.Config, items: list[pytest.Item]) -> None:
+def pytest_collection_modifyitems(config: Config, items: list[Item]) -> None:
    current_id = int(environ.get("CI_RUN_ID", "0")) - 1
    total_ids = int(environ.get("CI_TOTAL_RUNS", "0"))

@@ -44,3 +47,38 @@ def pytest_collection_modifyitems(config: pytest.Config, items: list[pytest.Item
        config.hook.pytest_deselected(items=deselected_items)
        items[:] = items[start:end]
        print(f" Executing {start} - {end} tests")
+
+
+@pytest.hookimpl(trylast=True)
+def pytest_configure(config: Config):
+    # Replace the default terminal reporter
+    reporter = config.pluginmanager.get_plugin("terminalreporter")
+    if reporter:
+        config.pluginmanager.unregister(reporter)
+        config.pluginmanager.register(
+            RelativeTimeTerminalReporter(config),
+            "terminalreporter",
+        )
+
+
+class RelativeTimeTerminalReporter(TerminalReporter):
+    _start_time: None | float
+
+    def __init__(self, config: Config, file: TextIO | None = None):
+        super().__init__(config, file)
+        self._start_time = None
+
+    def pytest_runtest_logstart(self, nodeid, location):
+        # Set start time on the first test
+        if self._start_time is None:
+            self._start_time = monotonic()
+        super().pytest_runtest_logstart(nodeid, location)
+
+    def _locationline(self, nodeid, fspath, lineno, domain):
+        original = super()._locationline(nodeid, fspath, lineno, domain)
+        if self._start_time is None:
+            return original
+        elapsed = monotonic() - self._start_time
+        minutes, seconds = divmod(elapsed, 60)
+        timestamp = f"{int(minutes):02d}:{seconds:06.3f}"
+        return f"[+{timestamp}] {original}"
--- a/authentik/root/test_runner.py
+++ b/authentik/root/test_runner.py
@@ -69,8 +69,8 @@ class PytestTestRunner(DiscoverRunner):  # pragma: no cover

        # Test-specific configuration
        test_config = {
-            "events.context_processors.geoip": "tests/GeoLite2-City-Test.mmdb",
-            "events.context_processors.asn": "tests/GeoLite2-ASN-Test.mmdb",
+            "events.context_processors.geoip": "tests/geoip/GeoLite2-City-Test.mmdb",
+            "events.context_processors.asn": "tests/geoip/GeoLite2-ASN-Test.mmdb",
            "blueprints_dir": "./blueprints",
            "outposts.container_image_base": f"ghcr.io/goauthentik/dev-%(type)s:{get_docker_tag()}",
            "tenants.enabled": False,
--- a/authentik/sources/ldap/api/init.py
+++ b/authentik/sources/ldap/api/init.py
--- a/authentik/sources/ldap/api/connections.py
+++ b/authentik/sources/ldap/api/connections.py
@@ -0,0 +1,42 @@
+"""Source API Views"""
+
+from rest_framework.viewsets import ModelViewSet
+
+from authentik.core.api.groups import PartialUserSerializer
+from authentik.core.api.sources import (
+    GroupSourceConnectionSerializer,
+    GroupSourceConnectionViewSet,
+    UserSourceConnectionSerializer,
+    UserSourceConnectionViewSet,
+)
+from authentik.core.api.users import PartialGroupSerializer
+from authentik.sources.ldap.models import (
+    GroupLDAPSourceConnection,
+    UserLDAPSourceConnection,
+)
+
+
+class UserLDAPSourceConnectionSerializer(UserSourceConnectionSerializer):
+    user_obj = PartialUserSerializer(source="user", read_only=True)
+
+    class Meta(UserSourceConnectionSerializer.Meta):
+        model = UserLDAPSourceConnection
+        fields = UserSourceConnectionSerializer.Meta.fields + ["user_obj"]
+
+
+class UserLDAPSourceConnectionViewSet(UserSourceConnectionViewSet, ModelViewSet):
+    queryset = UserLDAPSourceConnection.objects.all()
+    serializer_class = UserLDAPSourceConnectionSerializer
+
+
+class GroupLDAPSourceConnectionSerializer(GroupSourceConnectionSerializer):
+    group_obj = PartialGroupSerializer(source="group", read_only=True)
+
+    class Meta(GroupSourceConnectionSerializer.Meta):
+        model = GroupLDAPSourceConnection
+        fields = GroupSourceConnectionSerializer.Meta.fields + ["group_obj"]
+
+
+class GroupLDAPSourceConnectionViewSet(GroupSourceConnectionViewSet, ModelViewSet):
+    queryset = GroupLDAPSourceConnection.objects.all()
+    serializer_class = GroupLDAPSourceConnectionSerializer
--- a/authentik/sources/ldap/api/property_mappings.py
+++ b/authentik/sources/ldap/api/property_mappings.py
@@ -0,0 +1,32 @@
+from rest_framework.viewsets import ModelViewSet
+
+from authentik.core.api.property_mappings import PropertyMappingFilterSet, PropertyMappingSerializer
+from authentik.core.api.used_by import UsedByMixin
+from authentik.sources.ldap.models import (
+    LDAPSourcePropertyMapping,
+)
+
+
+class LDAPSourcePropertyMappingSerializer(PropertyMappingSerializer):
+    """LDAP PropertyMapping Serializer"""
+
+    class Meta:
+        model = LDAPSourcePropertyMapping
+        fields = PropertyMappingSerializer.Meta.fields
+
+
+class LDAPSourcePropertyMappingFilter(PropertyMappingFilterSet):
+    """Filter for LDAPSourcePropertyMapping"""
+
+    class Meta(PropertyMappingFilterSet.Meta):
+        model = LDAPSourcePropertyMapping
+
+
+class LDAPSourcePropertyMappingViewSet(UsedByMixin, ModelViewSet):
+    """LDAP PropertyMapping Viewset"""
+
+    queryset = LDAPSourcePropertyMapping.objects.all()
+    serializer_class = LDAPSourcePropertyMappingSerializer
+    filterset_class = LDAPSourcePropertyMappingFilter
+    search_fields = ["name"]
+    ordering = ["name"]
--- a/authentik/sources/ldap/api/sources.py
+++ b/authentik/sources/ldap/api/sources.py
@@ -13,23 +13,15 @@ from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.viewsets import ModelViewSet

-from authentik.core.api.property_mappings import PropertyMappingFilterSet, PropertyMappingSerializer
 from authentik.core.api.sources import (
-    GroupSourceConnectionSerializer,
-    GroupSourceConnectionViewSet,
    SourceSerializer,
-    UserSourceConnectionSerializer,
-    UserSourceConnectionViewSet,
 )
 from authentik.core.api.used_by import UsedByMixin
 from authentik.crypto.models import CertificateKeyPair
 from authentik.lib.sync.api import SyncStatusSerializer
 from authentik.rbac.filters import ObjectFilter
 from authentik.sources.ldap.models import (
-    GroupLDAPSourceConnection,
    LDAPSource,
-    LDAPSourcePropertyMapping,
-    UserLDAPSourceConnection,
 )
 from authentik.sources.ldap.tasks import CACHE_KEY_STATUS, SYNC_CLASSES, ldap_sync
 from authentik.tasks.models import Task, TaskStatus
@@ -224,48 +216,3 @@ class LDAPSourceViewSet(UsedByMixin, ModelViewSet):
                    obj.pop("raw_dn", None)
                    all_objects[class_name].append(obj)
        return Response(data=all_objects)
-
-
-class LDAPSourcePropertyMappingSerializer(PropertyMappingSerializer):
-    """LDAP PropertyMapping Serializer"""
-
-    class Meta:
-        model = LDAPSourcePropertyMapping
-        fields = PropertyMappingSerializer.Meta.fields
-
-
-class LDAPSourcePropertyMappingFilter(PropertyMappingFilterSet):
-    """Filter for LDAPSourcePropertyMapping"""
-
-    class Meta(PropertyMappingFilterSet.Meta):
-        model = LDAPSourcePropertyMapping
-
-
-class LDAPSourcePropertyMappingViewSet(UsedByMixin, ModelViewSet):
-    """LDAP PropertyMapping Viewset"""
-
-    queryset = LDAPSourcePropertyMapping.objects.all()
-    serializer_class = LDAPSourcePropertyMappingSerializer
-    filterset_class = LDAPSourcePropertyMappingFilter
-    search_fields = ["name"]
-    ordering = ["name"]
-
-
-class UserLDAPSourceConnectionSerializer(UserSourceConnectionSerializer):
-    class Meta(UserSourceConnectionSerializer.Meta):
-        model = UserLDAPSourceConnection
-
-
-class UserLDAPSourceConnectionViewSet(UserSourceConnectionViewSet, ModelViewSet):
-    queryset = UserLDAPSourceConnection.objects.all()
-    serializer_class = UserLDAPSourceConnectionSerializer
-
-
-class GroupLDAPSourceConnectionSerializer(GroupSourceConnectionSerializer):
-    class Meta(GroupSourceConnectionSerializer.Meta):
-        model = GroupLDAPSourceConnection
-
-
-class GroupLDAPSourceConnectionViewSet(GroupSourceConnectionViewSet, ModelViewSet):
-    queryset = GroupLDAPSourceConnection.objects.all()
-    serializer_class = GroupLDAPSourceConnectionSerializer
--- a/authentik/sources/ldap/models.py
+++ b/authentik/sources/ldap/models.py
@@ -31,6 +31,7 @@ from authentik.tasks.schedules.common import ScheduleSpec

 LDAP_TIMEOUT = 15
 LDAP_UNIQUENESS = "ldap_uniq"
+"""Deprecated, don't use"""
 LDAP_DISTINGUISHED_NAME = "distinguishedName"
 LOGGER = get_logger()

@@ -159,7 +160,7 @@ class LDAPSource(IncomingSyncSource):

    @property
    def serializer(self) -> type[Serializer]:
-        from authentik.sources.ldap.api import LDAPSourceSerializer
+        from authentik.sources.ldap.api.sources import LDAPSourceSerializer

        return LDAPSourceSerializer

@@ -192,6 +193,7 @@ class LDAPSource(IncomingSyncSource):

    def update_properties_with_uniqueness_field(self, properties, dn, ldap, **kwargs):
        properties.setdefault("attributes", {})[LDAP_DISTINGUISHED_NAME] = dn
+        # TODO: Remove after 2026.5, still stored for legacy
        if self.object_uniqueness_field in ldap:
            properties["attributes"][LDAP_UNIQUENESS] = flatten(
                ldap.get(self.object_uniqueness_field)
@@ -356,7 +358,7 @@ class LDAPSourcePropertyMapping(PropertyMapping):

    @property
    def serializer(self) -> type[Serializer]:
-        from authentik.sources.ldap.api import LDAPSourcePropertyMappingSerializer
+        from authentik.sources.ldap.api.property_mappings import LDAPSourcePropertyMappingSerializer

        return LDAPSourcePropertyMappingSerializer

@@ -377,7 +379,7 @@ class UserLDAPSourceConnection(UserSourceConnection):

    @property
    def serializer(self) -> type[Serializer]:
-        from authentik.sources.ldap.api import (
+        from authentik.sources.ldap.api.connections import (
            UserLDAPSourceConnectionSerializer,
        )

@@ -400,7 +402,7 @@ class GroupLDAPSourceConnection(GroupSourceConnection):

    @property
    def serializer(self) -> type[Serializer]:
-        from authentik.sources.ldap.api import (
+        from authentik.sources.ldap.api.connections import (
            GroupLDAPSourceConnectionSerializer,
        )

--- a/authentik/sources/ldap/sync/base.py
+++ b/authentik/sources/ldap/sync/base.py
@@ -7,9 +7,15 @@ from ldap3 import DEREF_ALWAYS, SUBTREE, Connection
 from structlog.stdlib import BoundLogger, get_logger

 from authentik.core.sources.mapper import SourceMapper
+from authentik.core.sources.matcher import SourceMatcher
 from authentik.lib.config import CONFIG
 from authentik.lib.sync.mapper import PropertyMappingManager
-from authentik.sources.ldap.models import LDAPSource, flatten
+from authentik.sources.ldap.models import (
+    GroupLDAPSourceConnection,
+    LDAPSource,
+    UserLDAPSourceConnection,
+    flatten,
+)
 from authentik.tasks.models import Task


@@ -28,6 +34,9 @@ class BaseLDAPSynchronizer:
        self._task = task
        self._connection = source.connection()
        self._logger = get_logger().bind(source=source, syncer=self.__class__.__name__)
+        self.matcher = SourceMatcher(
+            self._source, UserLDAPSourceConnection, GroupLDAPSourceConnection
+        )

    @staticmethod
    def name() -> str:
--- a/authentik/sources/ldap/sync/groups.py
+++ b/authentik/sources/ldap/sync/groups.py
@@ -12,8 +12,10 @@ from authentik.core.expression.exceptions import (
 )
 from authentik.core.models import Group
 from authentik.core.sources.mapper import SourceMapper
+from authentik.core.sources.matcher import Action
 from authentik.events.models import Event, EventAction
 from authentik.lib.sync.outgoing.exceptions import StopSync
+from authentik.lib.utils.errors import exception_to_dict
 from authentik.sources.ldap.models import (
    LDAP_UNIQUENESS,
    GroupLDAPSourceConnection,
@@ -88,33 +90,55 @@ class GroupLDAPSynchronizer(BaseLDAPSynchronizer):
                if "users" in defaults:
                    del defaults["users"]
                parent = defaults.pop("parent", None)
-                group, created = Group.update_or_create_attributes(
-                    {
-                        f"attributes__{LDAP_UNIQUENESS}": uniq,
-                    },
-                    defaults,
-                )
+                action, connection = self.matcher.get_group_action(uniq, defaults)
+
+                created = False
+                if action == Action.ENROLL:
+                    # Legacy fallback, in case the group only has an `ldap_uniq` attribute set, but
+                    # no source connection exists yet
+                    legacy_group = Group.objects.filter(
+                        **{
+                            f"attributes__{LDAP_UNIQUENESS}": uniq,
+                        }
+                    ).first()
+                    if legacy_group and LDAP_UNIQUENESS in legacy_group.attributes:
+                        connection = GroupLDAPSourceConnection(
+                            source=self._source,
+                            group=legacy_group,
+                            identifier=legacy_group.attributes.get(LDAP_UNIQUENESS),
+                        )
+                        group = legacy_group
+                        # Switch the action to update the attributes
+                        action = Action.AUTH
+                    else:
+                        group = Group.objects.create(**defaults)
+                        created = True
+                        connection.group = group
+                    connection.save()
+
+                if action in (Action.AUTH, Action.LINK):
+                    group = connection.group
+                    group.update_attributes(defaults)
+                elif action == Action.DENY:
+                    continue
+
                if parent:
                    group.parents.add(parent)
                self._logger.debug("Created group with attributes", **defaults)
-                if not GroupLDAPSourceConnection.objects.filter(
-                    source=self._source, identifier=uniq
-                ):
-                    GroupLDAPSourceConnection.objects.create(
-                        source=self._source, group=group, identifier=uniq
-                    )
            except SkipObjectException:
                continue
            except PropertyMappingExpressionException as exc:
                raise StopSync(exc, None, exc.mapping) from exc
            except (IntegrityError, FieldError, TypeError, AttributeError) as exc:
+                self._logger.debug("failed to create group", exc=exc)
                Event.new(
                    EventAction.CONFIGURATION_ERROR,
                    message=(
-                        f"Failed to create group: {str(exc)} "
-                        "To merge new group with existing group, set the groups's "
-                        f"Attribute '{LDAP_UNIQUENESS}' to '{uniq}'"
+                        "Failed to create group; "
+                        "To merge new group with existing group, connect it via the LDAP Source's "
+                        "'Synced Groups' tab."
                    ),
+                    exception=exception_to_dict(exc),
                    source=self._source,
                    dn=group_dn,
                ).save()
--- a/authentik/sources/ldap/sync/membership.py
+++ b/authentik/sources/ldap/sync/membership.py
@@ -8,7 +8,11 @@ from ldap3 import SUBTREE
 from ldap3.utils.conv import escape_filter_chars

 from authentik.core.models import Group, User
-from authentik.sources.ldap.models import LDAP_DISTINGUISHED_NAME, LDAP_UNIQUENESS, LDAPSource
+from authentik.sources.ldap.models import (
+    LDAP_DISTINGUISHED_NAME,
+    GroupLDAPSourceConnection,
+    LDAPSource,
+)
 from authentik.sources.ldap.sync.base import BaseLDAPSynchronizer
 from authentik.tasks.models import Task

@@ -104,7 +108,9 @@ class MembershipLDAPSynchronizer(BaseLDAPSynchronizer):
                return None
            group_uniq = group_uniq[0]
        if group_uniq not in self.group_cache:
-            groups = Group.objects.filter(**{f"attributes__{LDAP_UNIQUENESS}": group_uniq})
+            groups = GroupLDAPSourceConnection.objects.filter(identifier=group_uniq).select_related(
+                "group"
+            )
            if not groups.exists():
                if self._source.sync_groups:
                    self._task.info(
@@ -112,5 +118,5 @@ class MembershipLDAPSynchronizer(BaseLDAPSynchronizer):
                        group=group_dn,
                    )
                return None
-            self.group_cache[group_uniq] = groups.first()
+            self.group_cache[group_uniq] = groups.first().group
        return self.group_cache[group_uniq]
--- a/authentik/sources/ldap/sync/users.py
+++ b/authentik/sources/ldap/sync/users.py
@@ -12,8 +12,10 @@ from authentik.core.expression.exceptions import (
 )
 from authentik.core.models import User
 from authentik.core.sources.mapper import SourceMapper
+from authentik.core.sources.matcher import Action
 from authentik.events.models import Event, EventAction
 from authentik.lib.sync.outgoing.exceptions import StopSync
+from authentik.lib.utils.errors import exception_to_dict
 from authentik.sources.ldap.models import (
    LDAP_UNIQUENESS,
    LDAPSource,
@@ -86,27 +88,50 @@ class UserLDAPSynchronizer(BaseLDAPSynchronizer):
                self._logger.debug("Writing user with attributes", **defaults)
                if "username" not in defaults:
                    raise IntegrityError("Username was not set by propertymappings")
-                ak_user, created = User.update_or_create_attributes(
-                    {f"attributes__{LDAP_UNIQUENESS}": uniq}, defaults
-                )
-                if not UserLDAPSourceConnection.objects.filter(
-                    source=self._source, identifier=uniq
-                ):
-                    UserLDAPSourceConnection.objects.create(
-                        source=self._source, user=ak_user, identifier=uniq
-                    )
+                action, connection = self.matcher.get_user_action(uniq, defaults)
+                created = False
+                if action == Action.ENROLL:
+                    # Legacy fallback, in case the user only has an `ldap_uniq` attribute set, but
+                    # no source connection exists yet
+                    legacy_user = User.objects.filter(
+                        **{
+                            f"attributes__{LDAP_UNIQUENESS}": uniq,
+                        }
+                    ).first()
+                    if legacy_user and LDAP_UNIQUENESS in legacy_user.attributes:
+                        connection = UserLDAPSourceConnection(
+                            source=self._source,
+                            user=legacy_user,
+                            identifier=legacy_user.attributes.get(LDAP_UNIQUENESS),
+                        )
+                        ak_user = legacy_user
+                        # Switch the action to update the attributes
+                        action = Action.AUTH
+                    else:
+                        ak_user = User.objects.create(**defaults)
+                        created = True
+                        connection.user = ak_user
+                    connection.save()
+
+                if action in (Action.AUTH, Action.LINK):
+                    ak_user = connection.user
+                    ak_user.update_attributes(defaults)
+                elif action == Action.DENY:
+                    continue
            except PropertyMappingExpressionException as exc:
                raise StopSync(exc, None, exc.mapping) from exc
            except SkipObjectException:
                continue
            except (IntegrityError, FieldError, TypeError, AttributeError) as exc:
+                self._logger.debug("failed to create user", exc=exc)
                Event.new(
                    EventAction.CONFIGURATION_ERROR,
                    message=(
-                        f"Failed to create user: {str(exc)} "
-                        "To merge new user with existing user, set the user's "
-                        f"Attribute '{LDAP_UNIQUENESS}' to '{uniq}'"
+                        "Failed to create user; "
+                        "To merge new user with existing user, connect it via the LDAP Source's "
+                        "'Synced Users' tab."
                    ),
+                    exception=exception_to_dict(exc),
                    source=self._source,
                    dn=user_dn,
                ).save()
--- a/authentik/sources/ldap/tests/fixtures/ms_ad_2025/entries.json
+++ b/authentik/sources/ldap/tests/fixtures/ms_ad_2025/entries.json
--- a/authentik/sources/ldap/tests/fixtures/ms_ad_2025/info.json
+++ b/authentik/sources/ldap/tests/fixtures/ms_ad_2025/info.json
@@ -0,0 +1,154 @@
+{
+    "raw": {
+        "altServer": [],
+        "configurationNamingContext": [
+            "CN=Configuration,DC=t,DC=goauthentik,DC=io"
+        ],
+        "currentTime": [
+            "20260331161910.0Z"
+        ],
+        "defaultNamingContext": [
+            "DC=t,DC=goauthentik,DC=io"
+        ],
+        "dnsHostName": [
+            "ak-dc.t.goauthentik.io"
+        ],
+        "domainControllerFunctionality": [
+            "10"
+        ],
+        "domainFunctionality": [
+            "10"
+        ],
+        "dsServiceName": [
+            "CN=NTDS Settings,CN=AK-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=t,DC=goauthentik,DC=io"
+        ],
+        "forestFunctionality": [
+            "10"
+        ],
+        "highestCommittedUSN": [
+            "20594"
+        ],
+        "isGlobalCatalogReady": [
+            "TRUE"
+        ],
+        "isSynchronized": [
+            "TRUE"
+        ],
+        "ldapServiceName": [
+            "t.goauthentik.io:ak-dc$@T.GOAUTHENTIK.IO"
+        ],
+        "namingContexts": [
+            "DC=t,DC=goauthentik,DC=io",
+            "CN=Configuration,DC=t,DC=goauthentik,DC=io",
+            "CN=Schema,CN=Configuration,DC=t,DC=goauthentik,DC=io",
+            "DC=DomainDnsZones,DC=t,DC=goauthentik,DC=io",
+            "DC=ForestDnsZones,DC=t,DC=goauthentik,DC=io"
+        ],
+        "rootDomainNamingContext": [
+            "DC=t,DC=goauthentik,DC=io"
+        ],
+        "schemaNamingContext": [
+            "CN=Schema,CN=Configuration,DC=t,DC=goauthentik,DC=io"
+        ],
+        "serverName": [
+            "CN=AK-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=t,DC=goauthentik,DC=io"
+        ],
+        "subschemaSubentry": [
+            "CN=Aggregate,CN=Schema,CN=Configuration,DC=t,DC=goauthentik,DC=io"
+        ],
+        "supportedCapabilities": [
+            "1.2.840.113556.1.4.800",
+            "1.2.840.113556.1.4.1670",
+            "1.2.840.113556.1.4.1791",
+            "1.2.840.113556.1.4.1935",
+            "1.2.840.113556.1.4.2080",
+            "1.2.840.113556.1.4.2237"
+        ],
+        "supportedControl": [
+            "1.2.840.113556.1.4.319",
+            "1.2.840.113556.1.4.801",
+            "1.2.840.113556.1.4.473",
+            "1.2.840.113556.1.4.528",
+            "1.2.840.113556.1.4.417",
+            "1.2.840.113556.1.4.619",
+            "1.2.840.113556.1.4.841",
+            "1.2.840.113556.1.4.529",
+            "1.2.840.113556.1.4.805",
+            "1.2.840.113556.1.4.521",
+            "1.2.840.113556.1.4.970",
+            "1.2.840.113556.1.4.1338",
+            "1.2.840.113556.1.4.474",
+            "1.2.840.113556.1.4.1339",
+            "1.2.840.113556.1.4.1340",
+            "1.2.840.113556.1.4.1413",
+            "2.16.840.1.113730.3.4.9",
+            "2.16.840.1.113730.3.4.10",
+            "1.2.840.113556.1.4.1504",
+            "1.2.840.113556.1.4.1852",
+            "1.2.840.113556.1.4.802",
+            "1.2.840.113556.1.4.1907",
+            "1.2.840.113556.1.4.1948",
+            "1.2.840.113556.1.4.1974",
+            "1.2.840.113556.1.4.1341",
+            "1.2.840.113556.1.4.2026",
+            "1.2.840.113556.1.4.2064",
+            "1.2.840.113556.1.4.2065",
+            "1.2.840.113556.1.4.2066",
+            "1.2.840.113556.1.4.2090",
+            "1.2.840.113556.1.4.2205",
+            "1.2.840.113556.1.4.2204",
+            "1.2.840.113556.1.4.2206",
+            "1.2.840.113556.1.4.2211",
+            "1.2.840.113556.1.4.2239",
+            "1.2.840.113556.1.4.2255",
+            "1.2.840.113556.1.4.2256",
+            "1.2.840.113556.1.4.2309",
+            "1.2.840.113556.1.4.2330",
+            "1.2.840.113556.1.4.2354"
+        ],
+        "supportedExtension": [
+            "1.3.6.1.4.1.1466.20037",
+            "1.3.6.1.4.1.1466.101.119.1",
+            "1.2.840.113556.1.4.1781",
+            "1.3.6.1.4.1.4203.1.11.3",
+            "1.2.840.113556.1.4.2212"
+        ],
+        "supportedFeatures": [],
+        "supportedLDAPPolicies": [
+            "MaxPoolThreads",
+            "MaxPercentDirSyncRequests",
+            "MaxDatagramRecv",
+            "MaxReceiveBuffer",
+            "InitRecvTimeout",
+            "MaxConnections",
+            "MaxConnIdleTime",
+            "MaxPageSize",
+            "MaxBatchReturnMessages",
+            "MaxQueryDuration",
+            "MaxDirSyncDuration",
+            "MaxTempTableSize",
+            "MaxResultSetSize",
+            "MinResultSets",
+            "MaxResultSetsPerConn",
+            "MaxNotificationPerConn",
+            "MaxValRange",
+            "MaxValRangeTransitive",
+            "ThreadMemoryLimit",
+            "SystemMemoryLimitPercent",
+            "SecurityDescriptorWarningSize"
+        ],
+        "supportedLDAPVersion": [
+            "3",
+            "2"
+        ],
+        "supportedSASLMechanisms": [
+            "GSSAPI",
+            "GSS-SPNEGO",
+            "EXTERNAL",
+            "DIGEST-MD5"
+        ],
+        "vendorName": [],
+        "vendorVersion": []
+    },
+    "type": "DsaInfo"
+}
--- a/Show More
+++ b/Show More