web: Merge branch -- Stale notifications, synchronized context objects, rendering fixes (#19141 )

* web: Fix stale notifications. * Fix overlap of API and notifications drawers. * Fix issues surrounding duplicate context controller values. * Clean up drawer events, alignment. * Export parts. Fix z-index, colors. * Fix formatting, alignment. repeated renders. * Fix indent. * Fix progress bar fade out, positioning, labels. * Fix clickable area. * Ignore clickable icons. * Clean up logging. * Fix width. * Move event listeners into decorator. * Fix double counting of notifications. * Fix ARIA lables. * Fix empty state ARIA. * Fix order of locale updating. * Fix rebase. * web: fix notification count update * Update selector. * web: Fix CAPTCHA locale. * Clean up logging. --------- Co-authored-by: macmoritz <tratarmoritz@gmail.com>
root: codespell: ignore Python virtual env, group patterns. (#19180 )
2026-05-06 07:02:51 +02:00 · 2026-01-05 15:54:50 -05:00 · 2026-01-05 19:24:51 +00:00 · 2026-01-05 08:49:14 -08:00 · 2026-01-05 17:44:07 +01:00 · 2026-01-05 17:25:41 +01:00
469 changed files with 11195 additions and 6575 deletions
--- a/.devcontainer/Dockerfile
+++ b/.devcontainer/Dockerfile
@@ -1,63 +0,0 @@
-# syntax=docker/dockerfile:1
-
-# Start from the same FIPS Python base as production (python-base stage)
-FROM ghcr.io/goauthentik/fips-python:3.13.9-slim-trixie-fips@sha256:700fc8c1e290bd14e5eaca50b1d8e8c748c820010559cbfb4c4f8dfbe2c4c9ff
-
-USER root
-
-# Setup environment matching production python-base stage
-ENV VENV_PATH="/ak-root/.venv" \
-    PATH="/lifecycle:/ak-root/.venv/bin:$PATH" \
-    UV_COMPILE_BYTECODE=1 \
-    UV_LINK_MODE=copy \
-    UV_NATIVE_TLS=1 \
-    UV_PYTHON_DOWNLOADS=0
-
-WORKDIR /ak-root
-
-# Copy uv package manager
-COPY --from=ghcr.io/astral-sh/uv:0.9.7@sha256:ba4857bf2a068e9bc0e64eed8563b065908a4cd6bfb66b531a9c424c8e25e142 /uv /uvx /bin/
-
-# Install build dependencies
-RUN rm -f /etc/apt/apt.conf.d/docker-clean && \
-    echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache && \
-    apt-get update && \
-    apt-get install -y --no-install-recommends \
-    # Build essentials
-    build-essential pkg-config libffi-dev git binutils \
-    # cryptography
-    curl \
-    # libxml
-    libxslt-dev zlib1g-dev \
-    # postgresql
-    libpq-dev \
-    # python-kadmin-rs and kerberos testing
-    clang libkrb5-dev sccache krb5-kdc krb5-admin-server \
-    # xmlsec
-    libltdl-dev \
-    # runit (for chpst command used by lifecycle/ak)
-    runit \
-    # sudo (required by devcontainer features)
-    sudo && \
-    rm -rf /var/lib/apt/lists/*
-
-# Environment for building native Python packages
-ENV UV_NO_BINARY_PACKAGE="cryptography lxml python-kadmin-rs xmlsec" \
-    RUSTUP_PERMIT_COPY_RENAME="true"
-
-# Create authentik user with proper home directory (required for devcontainer features)
-RUN adduser --disabled-password --gecos "" --uid 1000 --home /home/authentik authentik && \
-    mkdir -p /certs /media /ak-root && \
-    chown -R authentik:authentik /certs /media /ak-root /home/authentik && \
-    echo "authentik ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers.d/authentik
-
-# FIPS configuration for Go development
-# Don't set GOFIPS/GOFIPS140 globally to avoid breaking Go tools like docker-compose
-# These will be set when building/running authentik Go code (see lifecycle/ak and Makefile)
-ENV CGO_ENABLED=1
-
-# Set TMPDIR for PID files and temp data
-# Use /tmp instead of /dev/shm for development because go run needs to execute binaries
-ENV TMPDIR=/tmp
-
-USER authentik
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@@ -1,68 +0,0 @@
-{
-    "name": "authentik",
-    "dockerComposeFile": "docker-compose.yml",
-    "service": "app",
-    "workspaceFolder": "/ak-root",
-    "containerUser": "authentik",
-    "remoteUser": "authentik",
-    "shutdownAction": "stopCompose",
-    "containerEnv": {
-        "LOCAL_PROJECT_DIR": "/ak-root"
-    },
-    "features": {
-        "ghcr.io/devcontainers/features/go:1": {
-            "version": "1.24"
-        },
-        "ghcr.io/devcontainers/features/node:1": {
-            "version": "24"
-        },
-        "ghcr.io/devcontainers/features/rust:1": {
-            "version": "latest"
-        },
-        "ghcr.io/devcontainers/features/docker-in-docker:2": {
-            "version": "latest",
-            "moby": false
-        }
-    },
-    "mounts": [],
-    "forwardPorts": [9000, 9443],
-    "portsAttributes": {
-        "8000": {
-            "onAutoForward": "ignore"
-        },
-        "3963": {
-            "onAutoForward": "ignore"
-        },
-        "35151": {
-            "onAutoForward": "ignore"
-        },
-        "9901": {
-            "onAutoForward": "ignore"
-        }
-    },
-    "postCreateCommand": "bash .devcontainer/setup.sh",
-    "customizations": {
-        "vscode": {
-            "extensions": [
-                "EditorConfig.EditorConfig",
-                "bashmish.es6-string-css",
-                "dbaeumer.vscode-eslint",
-                "esbenp.prettier-vscode",
-                "golang.go",
-                "Gruntfuggly.todo-tree",
-                "ms-python.black-formatter",
-                "ms-python.isort",
-                "ms-python.pylint",
-                "ms-python.python",
-                "ms-python.vscode-pylance",
-                "redhat.vscode-yaml",
-                "Tobermory.es6-string-html",
-                "charliermarsh.ruff"
-            ],
-            "settings": {
-                "python.defaultInterpreterPath": "/ak-root/.venv/bin/python",
-                "python.terminal.activateEnvironment": true
-            }
-        }
-    }
-}
--- a/.devcontainer/docker-compose.yml
+++ b/.devcontainer/docker-compose.yml
@@ -1,50 +0,0 @@
-services:
-  app:
-    build:
-      context: ..
-      dockerfile: .devcontainer/Dockerfile
-    user: authentik
-    privileged: true
-    volumes:
-      - ../:/ak-root
-    entrypoint: []
-    command: sleep infinity
-    depends_on:
-      postgresql:
-        condition: service_healthy
-    env_file: .env
-    environment:
-      PATH: "/ak-root/.venv/bin:${PATH}"
-    ports:
-      - "9000:9000"
-      - "9443:9443"
-
-  postgresql:
-    image: docker.io/library/postgres:16
-    restart: unless-stopped
-    healthcheck:
-      test: ["CMD-SHELL", "pg_isready -d authentik -U postgres"]
-      interval: 10s
-      timeout: 5s
-      retries: 5
-      start_period: 20s
-    volumes:
-      - postgres-data:/var/lib/postgresql/data
-    env_file: .env
-    command: ["postgres", "-c", "log_statement=all", "-c", "log_destination=stderr"]
-
-  s3:
-    image: docker.io/zenko/cloudserver
-    env_file: .env
-    environment:
-      REMOTE_MANAGEMENT_DISABLE: "1"
-    ports:
-      - "8020:8000"
-    volumes:
-      - s3-data:/usr/src/app/localData
-      - s3-metadata:/usr/src/app/localMetadata
-
-volumes:
-  postgres-data:
-  s3-data:
-  s3-metadata:
--- a/.devcontainer/setup.sh
+++ b/.devcontainer/setup.sh
@@ -1,37 +0,0 @@
-#!/usr/bin/env bash
-set -e
-
-echo "======================================"
-echo "Running authentik devcontainer setup"
-echo "======================================"
-
-echo ""
-echo "Step 1/5: Installing dependencies"
-make install
-
-echo ""
-echo "Step 2/5: Generating development config"
-make gen-dev-config
-
-echo ""
-echo "Step 3/5: Running database migrations"
-make migrate
-
-echo ""
-echo "Step 4/5: Generating API clients"
-make gen
-
-echo ""
-echo "Step 5/5: Building web assets"
-make web
-
-echo ""
-echo "======================================"
-echo "Setup complete!"
-echo "======================================"
-echo ""
-echo "You can now run:"
-echo "  - 'make run-server' to start the backend server"
-echo "  - 'make run-worker' to start the worker (must be ran once after initial setup)"
-echo "  - 'make web-watch' for live web development"
-echo ""
--- a/.github/actions/setup/action.yml
+++ b/.github/actions/setup/action.yml
@@ -12,16 +12,17 @@ inputs:
 runs:
  using: "composite"
  steps:
-    - name: Install apt deps
+    - name: Install apt deps & cleanup
      if: ${{ contains(inputs.dependencies, 'system') || contains(inputs.dependencies, 'python') }}
      shell: bash
      run: |
        sudo apt-get remove --purge man-db
        sudo apt-get update
        sudo apt-get install --no-install-recommends -y libpq-dev openssl libxmlsec1-dev pkg-config gettext libkrb5-dev krb5-kdc krb5-user krb5-admin-server
+        sudo rm -rf /usr/local/lib/android
    - name: Install uv
      if: ${{ contains(inputs.dependencies, 'python') }}
-      uses: astral-sh/setup-uv@ed21f2f24f8dd64503750218de024bcf64c7250a # v5
+      uses: astral-sh/setup-uv@681c641aba71e4a1c380be3ab5e12ad51f415867 # v5
      with:
        enable-cache: true
    - name: Setup python
@@ -50,13 +51,13 @@ runs:
      if: ${{ contains(inputs.dependencies, 'runtime') }}
      uses: AndreKurait/docker-cache@0fe76702a40db986d9663c24954fc14c6a6031b7
      with:
-        key: docker-images-${{ runner.os }}-${{ hashFiles('.github/actions/setup/docker-compose.yml', 'Makefile') }}-${{ inputs.postgresql_version }}
+        key: docker-images-${{ runner.os }}-${{ hashFiles('.github/actions/setup/compose.yml', 'Makefile') }}-${{ inputs.postgresql_version }}
    - name: Setup dependencies
      if: ${{ contains(inputs.dependencies, 'runtime') }}
      shell: bash
      run: |
        export PSQL_TAG=${{ inputs.postgresql_version }}
-        docker compose -f .github/actions/setup/docker-compose.yml up -d
+        docker compose -f .github/actions/setup/compose.yml up -d
        cd web && npm i
    - name: Generate config
      if: ${{ contains(inputs.dependencies, 'python') }}
--- a/.github/actions/setup/docker-compose.yml
+++ b/.github/actions/setup/docker-compose.yml
@@ -11,11 +11,6 @@ services:
    ports:
      - 5432:5432
    restart: always
-  redis:
-    image: docker.io/library/redis:7
-    ports:
-      - 6379:6379
-    restart: always
  s3:
    container_name: s3
    image: docker.io/zenko/cloudserver
--- a/.github/actions/test-results/action.yml
+++ b/.github/actions/test-results/action.yml
@@ -12,15 +12,15 @@ runs:
      with:
        flags: ${{ inputs.flags }}
        use_oidc: true
-    - uses: codecov/test-results-action@47f89e9acb64b76debcd5ea40642d25a4adced9f # v1
+    - uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5
      with:
        flags: ${{ inputs.flags }}
-        file: unittest.xml
        use_oidc: true
+        report_type: test_results
    - name: PostgreSQL Logs
      shell: bash
      run: |
-        if [[ $ACTIONS_RUNNER_DEBUG == 'true' || $ACTIONS_STEP_DEBUG == 'true' ]]; then
+        if [[ $RUNNER_DEBUG == '1' ]]; then
          docker stop setup-postgresql-1
          echo "::group::PostgreSQL Logs"
          docker logs setup-postgresql-1
--- a/.github/workflows/_reusable-docker-build-single.yml
+++ b/.github/workflows/_reusable-docker-build-single.yml
@@ -44,7 +44,7 @@ jobs:
    steps:
      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
      - uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
-      - uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3
+      - uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
      - name: prepare variables
        uses: ./.github/actions/docker-push-variables
        id: ev
@@ -85,6 +85,7 @@ jobs:
        id: push
        with:
          context: .
+          file: lifecycle/container/Dockerfile
          push: ${{ steps.ev.outputs.shouldPush == 'true' }}
          secrets: |
            GEOIPUPDATE_ACCOUNT_ID=${{ secrets.GEOIPUPDATE_ACCOUNT_ID }}
@@ -95,7 +96,7 @@ jobs:
          platforms: linux/${{ inputs.image_arch }}
          cache-from: type=registry,ref=${{ steps.ev.outputs.attestImageNames }}:buildcache-${{ inputs.image_arch }}
          cache-to: ${{ steps.ev.outputs.cacheTo }}
-      - uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3
+      - uses: actions/attest-build-provenance@00014ed6ed5efc5b1ab7f7f34a39eb55d41aa4f8 # v3
        id: attest
        if: ${{ steps.ev.outputs.shouldPush == 'true' }}
        with:
--- a/.github/workflows/_reusable-docker-build.yml
+++ b/.github/workflows/_reusable-docker-build.yml
@@ -90,14 +90,14 @@ jobs:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
-      - uses: int128/docker-manifest-create-action@b60433fd4312d7a64a56d769b76ebe3f45cf36b4 # v2
+      - uses: int128/docker-manifest-create-action@6cdd53a8337cd50bc3ef8c7016579d8d460edd94 # v2
        id: build
        with:
          tags: ${{ matrix.tag }}
          sources: |
            ${{ steps.ev.outputs.attestImageNames }}@${{ needs.build-server-amd64.outputs.image-digest }}
            ${{ steps.ev.outputs.attestImageNames }}@${{ needs.build-server-arm64.outputs.image-digest }}
-      - uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3
+      - uses: actions/attest-build-provenance@00014ed6ed5efc5b1ab7f7f34a39eb55d41aa4f8 # v3
        id: attest
        with:
          subject-name: ${{ steps.ev.outputs.attestImageNames }}
--- a/.github/workflows/ci-api-docs.yml
+++ b/.github/workflows/ci-api-docs.yml
@@ -41,7 +41,7 @@ jobs:
      - working-directory: website/
        name: Install Dependencies
        run: npm ci
-      - uses: actions/cache@a7833574556fa59680c1b7cb190c1735db73ebf0 # v4
+      - uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v4
        with:
          path: |
            ${{ github.workspace }}/website/api/.docusaurus
@@ -55,7 +55,7 @@ jobs:
        env:
          NODE_ENV: production
        run: npm run build -w api
-      - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v4
+      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v4
        with:
          name: api-docs
          path: website/api/build
@@ -67,7 +67,7 @@ jobs:
      - build
    steps:
      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
-      - uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v5
+      - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v5
        with:
          name: api-docs
          path: website/api/build
--- a/.github/workflows/ci-docs.yml
+++ b/.github/workflows/ci-docs.yml
@@ -75,7 +75,7 @@ jobs:
      - name: Set up QEMU
        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
      - name: prepare variables
        uses: ./.github/actions/docker-push-variables
        id: ev
@@ -101,7 +101,7 @@ jobs:
          context: .
          cache-from: type=registry,ref=ghcr.io/goauthentik/dev-docs:buildcache
          cache-to: ${{ steps.ev.outputs.shouldPush == 'true' && 'type=registry,ref=ghcr.io/goauthentik/dev-docs:buildcache,mode=max' || '' }}
-      - uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3
+      - uses: actions/attest-build-provenance@00014ed6ed5efc5b1ab7f7f34a39eb55d41aa4f8 # v3
        id: attest
        if: ${{ steps.ev.outputs.shouldPush == 'true' }}
        with:
--- a/.github/workflows/ci-main-daily.yml
+++ b/.github/workflows/ci-main-daily.yml
@@ -24,5 +24,5 @@ jobs:
          dir="/tmp/authentik/${{ matrix.version }}"
          mkdir -p $dir
          cd $dir
-          wget https://${{ matrix.version }}.goauthentik.io/docker-compose.yml
+          wget https://${{ matrix.version }}.goauthentik.io/compose.yml
          ${current}/scripts/test_docker.sh
--- a/.github/workflows/ci-main.yml
+++ b/.github/workflows/ci-main.yml
@@ -193,15 +193,17 @@ jobs:
            glob: tests/e2e/test_source_scim*
          - name: flows
            glob: tests/e2e/test_flows*
+          - name: endpoints
+            glob: tests/e2e/test_endpoints_*
    steps:
      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
      - name: Setup authentik env
        uses: ./.github/actions/setup
      - name: Setup e2e env (chrome, etc)
        run: |
-          docker compose -f tests/e2e/docker-compose.yml up -d --quiet-pull
+          docker compose -f tests/e2e/compose.yml up -d --quiet-pull
      - id: cache-web
-        uses: actions/cache@a7833574556fa59680c1b7cb190c1735db73ebf0 # v4
+        uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v4
        with:
          path: web/dist
          key: ${{ runner.os }}-web-${{ hashFiles('web/package-lock.json', 'package-lock.json', 'web/src/**', 'web/packages/sfe/src/**') }}-b
@@ -221,6 +223,54 @@ jobs:
        if: ${{ always() }}
        with:
          flags: e2e
+  test-openid-conformance:
+    name: test-openid-conformance (${{ matrix.job.name }})
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    strategy:
+      fail-fast: false
+      matrix:
+        job:
+          - name: basic
+            glob: tests/openid_conformance/test_basic.py
+          - name: implicit
+            glob: tests/openid_conformance/test_implicit.py
+    steps:
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
+      - name: Setup authentik env
+        uses: ./.github/actions/setup
+      - name: Setup e2e env (chrome, etc)
+        run: |
+          docker compose -f tests/e2e/compose.yml up -d --quiet-pull
+      - name: Setup conformance suite
+        run: |
+          docker compose -f tests/openid_conformance/compose.yml up -d --quiet-pull
+      - id: cache-web
+        uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v4
+        with:
+          path: web/dist
+          key: ${{ runner.os }}-web-${{ hashFiles('web/package-lock.json', 'web/src/**', 'web/packages/sfe/src/**') }}-b
+      - name: prepare web ui
+        if: steps.cache-web.outputs.cache-hit != 'true'
+        working-directory: web
+        run: |
+          npm ci
+          make -C .. gen-client-ts
+          npm run build
+          npm run build:sfe
+      - name: run conformance
+        run: |
+          uv run coverage run manage.py test ${{ matrix.job.glob }}
+          uv run coverage xml
+      - uses: ./.github/actions/test-results
+        if: ${{ always() }}
+        with:
+          flags: conformance
+      - if: ${{ !cancelled() }}
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
+        with:
+          name: conformance-certification-${{ matrix.job.name }}
+          path: tests/openid_conformance/exports/
  ci-core-mark:
    if: always()
    needs:
--- a/.github/workflows/ci-outpost.yml
+++ b/.github/workflows/ci-outpost.yml
@@ -92,7 +92,7 @@ jobs:
      - name: Set up QEMU
        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
      - name: prepare variables
        uses: ./.github/actions/docker-push-variables
        id: ev
@@ -114,7 +114,7 @@ jobs:
        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6
        with:
          tags: ${{ steps.ev.outputs.imageTags }}
-          file: ${{ matrix.type }}.Dockerfile
+          file: lifecycle/container/${{ matrix.type }}.Dockerfile
          push: ${{ steps.ev.outputs.shouldPush == 'true' }}
          build-args: |
            GIT_BUILD_HASH=${{ steps.ev.outputs.sha }}
@@ -122,7 +122,7 @@ jobs:
          context: .
          cache-from: type=registry,ref=ghcr.io/goauthentik/dev-${{ matrix.type }}:buildcache
          cache-to: ${{ steps.ev.outputs.shouldPush == 'true' && format('type=registry,ref=ghcr.io/goauthentik/dev-{0}:buildcache,mode=max', matrix.type) || '' }}
-      - uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3
+      - uses: actions/attest-build-provenance@00014ed6ed5efc5b1ab7f7f34a39eb55d41aa4f8 # v3
        id: attest
        if: ${{ steps.ev.outputs.shouldPush == 'true' }}
        with:
--- a/.github/workflows/release-publish.yml
+++ b/.github/workflows/release-publish.yml
@@ -35,7 +35,7 @@ jobs:
      - name: Set up QEMU
        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
      - name: prepare variables
        uses: ./.github/actions/docker-push-variables
        id: ev
@@ -58,7 +58,7 @@ jobs:
          push: true
          platforms: linux/amd64,linux/arm64
          context: .
-      - uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3
+      - uses: actions/attest-build-provenance@00014ed6ed5efc5b1ab7f7f34a39eb55d41aa4f8 # v3
        id: attest
        if: true
        with:
@@ -90,7 +90,7 @@ jobs:
      - name: Set up QEMU
        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
      - name: prepare variables
        uses: ./.github/actions/docker-push-variables
        id: ev
@@ -121,10 +121,10 @@ jobs:
          build-args: |
            VERSION=${{ github.ref }}
          tags: ${{ steps.ev.outputs.imageTags }}
-          file: ${{ matrix.type }}.Dockerfile
+          file: lifecycle/container/${{ matrix.type }}.Dockerfile
          platforms: linux/amd64,linux/arm64
          context: .
-      - uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3
+      - uses: actions/attest-build-provenance@00014ed6ed5efc5b1ab7f7f34a39eb55d41aa4f8 # v3
        id: attest
        with:
          subject-name: ${{ steps.ev.outputs.attestImageNames }}
@@ -232,7 +232,7 @@ jobs:
          container=$(docker container create ${{ steps.ev.outputs.imageMainName }})
          docker cp ${container}:web/ .
      - name: Create a Sentry.io release
-        uses: getsentry/action-release@128c5058bbbe93c8e02147fe0a9c713f166259a6 # v3
+        uses: getsentry/action-release@dab6548b3c03c4717878099e43782cf5be654289 # v3
        continue-on-error: true
        env:
          SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
--- a/.github/workflows/release-tag.yml
+++ b/.github/workflows/release-tag.yml
@@ -49,8 +49,12 @@ jobs:
  test:
    name: Pre-release test
    runs-on: ubuntu-latest
+    needs:
+      - check-inputs
    steps:
      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
+        with:
+          ref: "version-${{ needs.check-inputs.outputs.major_version }}"
      - run: make test-docker
  bump-authentik:
    name: Bump authentik version
--- a/.gitignore
+++ b/.gitignore
@@ -211,4 +211,5 @@ source_docs/
 /vendor/

 ### Docker ###
-docker-compose.override.yml
+tests/openid_conformance/exports/*.zip
+compose.override.yml
--- a/6
+++ b/6
@@ -16,10 +16,8 @@ go.sum                                  @goauthentik/backend
 # Infrastructure
 .github/                                @goauthentik/infrastructure
 lifecycle/aws/                          @goauthentik/infrastructure
-Dockerfile                              @goauthentik/infrastructure
-*Dockerfile                             @goauthentik/infrastructure
+lifecycle/container/                    @goauthentik/infrastructure
 .dockerignore                           @goauthentik/infrastructure
-docker-compose.yml                      @goauthentik/infrastructure
 Makefile                                @goauthentik/infrastructure
 .editorconfig                           @goauthentik/infrastructure
 CODEOWNERS                              @goauthentik/infrastructure
@@ -40,7 +38,7 @@ packages/tsconfig                       @goauthentik/frontend
 # Web
 web/                                    @goauthentik/frontend
 # Locale
-locale/                                 @goauthentik/backend @goauthentik/frontend
+/locale/                                @goauthentik/backend @goauthentik/frontend
 web/xliff/                              @goauthentik/backend @goauthentik/frontend
 # Docs
 website/                                @goauthentik/docs
--- a/33
+++ b/33
@@ -9,6 +9,13 @@ NPM_VERSION = $(shell python -m scripts.generate_semver)
 PY_SOURCES = authentik packages tests scripts lifecycle .github
 DOCKER_IMAGE ?= "authentik:test"

+UNAME_S := $(shell uname -s)
+ifeq ($(UNAME_S),Darwin)
+	SED_INPLACE = sed -i ''
+else
+	SED_INPLACE = sed -i
+endif
+
 GEN_API_TS = gen-ts-api
 GEN_API_PY = gen-py-api
 GEN_API_GO = gen-go-api
@@ -46,7 +53,7 @@ help:  ## Show this help
 	@echo ""

 go-test:
-	GOFIPS140=latest CGO_ENABLED=1 go test -timeout 0 -v -race -cover ./...
+	go test -timeout 0 -v -race -cover ./...

 test: ## Run the server tests and produce a coverage report (locally)
 	$(KRB_PATH) uv run coverage run manage.py test --keepdb $(or $(filter-out $@,$(MAKECMDGOALS)),authentik)
@@ -119,8 +126,8 @@ bump:  ## Bump authentik version. Usage: make bump version=20xx.xx.xx
 ifndef version
 	$(error Usage: make bump version=20xx.xx.xx )
 endif
-	sed -i 's/^version = ".*"/version = "$(version)"/' pyproject.toml
-	sed -i 's/^VERSION = ".*"/VERSION = "$(version)"/' authentik/__init__.py
+	$(SED_INPLACE) 's/^version = ".*"/version = "$(version)"/' pyproject.toml
+	$(SED_INPLACE) 's/^VERSION = ".*"/VERSION = "$(version)"/' authentik/__init__.py
 	$(MAKE) gen-build gen-compose aws-cfn
 	npm version --no-git-tag-version --allow-same-version $(version)
 	cd ${PWD}/web && npm version --no-git-tag-version --allow-same-version $(version)
@@ -134,14 +141,10 @@ gen-build:  ## Extract the schema from the database
 	AUTHENTIK_DEBUG=true \
 		AUTHENTIK_TENANTS__ENABLED=true \
 		AUTHENTIK_OUTPOSTS__DISABLE_EMBEDDED_OUTPOST=true \
-		uv run ak make_blueprint_schema --file blueprints/schema.json
-	AUTHENTIK_DEBUG=true \
-		AUTHENTIK_TENANTS__ENABLED=true \
-		AUTHENTIK_OUTPOSTS__DISABLE_EMBEDDED_OUTPOST=true \
-		uv run ak spectacular --file schema.yml
+		uv run ak build_schema

 gen-compose:
-	uv run scripts/generate_docker_compose.py
+	uv run scripts/generate_compose.py

 gen-changelog:  ## (Release) generate the changelog based from the commits since the last tag
 	git log --pretty=format:" - %s" $(shell git describe --tags $(shell git rev-list --tags --max-count=1))...$(shell git branch --show-current) | sort > changelog.md
@@ -149,14 +152,14 @@ gen-changelog:  ## (Release) generate the changelog based from the commits since

 gen-diff:  ## (Release) generate the changelog diff between the current schema and the last tag
 	git show $(shell git describe --tags $(shell git rev-list --tags --max-count=1)):schema.yml > schema-old.yml
-	docker compose -f scripts/api/docker-compose.yml run --rm --user "${UID}:${GID}" diff \
+	docker compose -f scripts/api/compose.yml run --rm --user "${UID}:${GID}" diff \
 		--markdown \
 		/local/diff.md \
 		/local/schema-old.yml \
 		/local/schema.yml
 	rm schema-old.yml
-	sed -i 's/{/&#123;/g' diff.md
-	sed -i 's/}/&#125;/g' diff.md
+	$(SED_INPLACE) 's/{/&#123;/g' diff.md
+	$(SED_INPLACE) 's/}/&#125;/g' diff.md
 	npx prettier --write diff.md

 gen-clean-ts:  ## Remove generated API client for TypeScript
@@ -172,7 +175,7 @@ gen-clean-go:  ## Remove generated API client for Go
 gen-clean: gen-clean-ts gen-clean-go gen-clean-py  ## Remove generated API clients

 gen-client-ts: gen-clean-ts  ## Build and install the authentik API for Typescript into the authentik UI Application
-	docker compose -f scripts/api/docker-compose.yml run --rm --user "${UID}:${GID}" gen \
+	docker compose -f scripts/api/compose.yml run --rm --user "${UID}:${GID}" gen \
 		generate \
 		-i /local/schema.yml \
 		-g typescript-fetch \
@@ -293,7 +296,7 @@ docs-api-clean: ## Clean generated API documentation

 docker:  ## Build a docker image of the current source tree
 	mkdir -p ${GEN_API_TS}
-	DOCKER_BUILDKIT=1 docker build . --progress plain --tag ${DOCKER_IMAGE}
+	DOCKER_BUILDKIT=1 docker build . -f lifecycle/container/Dockerfile --progress plain --tag ${DOCKER_IMAGE}

 test-docker:
 	BUILD=true ${PWD}/scripts/test_docker.sh
@@ -327,6 +330,6 @@ ci-pending-migrations: ci--meta-debug
 	uv run ak makemigrations --check

 ci-test: ci--meta-debug
-	uv run coverage run manage.py test --keepdb --randomly-seed ${CI_TEST_SEED} authentik
+	uv run coverage run manage.py test --keepdb authentik
 	uv run coverage report
 	uv run coverage xml
--- a/authentik/admin/api/version.py
+++ b/authentik/admin/api/version.py
@@ -37,7 +37,7 @@ class VersionSerializer(PassiveSerializer):

    def get_version_latest(self, _) -> str:
        """Get latest version from cache"""
-        if get_current_tenant().schema_name == get_public_schema_name():
+        if get_current_tenant().schema_name != get_public_schema_name():
            return authentik_version()
        version_in_cache = cache.get(VERSION_CACHE_KEY)
        if not version_in_cache:  # pragma: no cover
--- a/authentik/admin/files/api.py
+++ b/authentik/admin/files/api.py
@@ -240,7 +240,9 @@ class FileUsedByView(APIView):
            for field in fields:
                q |= Q(**{field: params.get("name")})

-            objs = get_objects_for_user(request.user, f"{app}.view_{model_name}", model)
+            objs = get_objects_for_user(
+                request.user, f"{app}.view_{model_name}", model.objects.all()
+            )
            objs = objs.filter(q)
            for obj in objs:
                serializer = UsedBySerializer(
--- a/authentik/admin/files/apps.py
+++ b/authentik/admin/files/apps.py
@@ -1,9 +1,4 @@
-from pathlib import Path
-
-from django.conf import settings
-
 from authentik.blueprints.apps import ManagedAppConfig
-from authentik.lib.config import CONFIG


 class AuthentikFilesConfig(ManagedAppConfig):
@@ -11,20 +6,3 @@ class AuthentikFilesConfig(ManagedAppConfig):
    label = "authentik_admin_files"
    verbose_name = "authentik Files"
    default = True
-
-    @ManagedAppConfig.reconcile_global
-    def check_for_media_mount(self):
-        if settings.TEST:
-            return
-
-        from authentik.events.models import Event, EventAction
-
-        if (
-            CONFIG.get("storage.media.backend", CONFIG.get("storage.backend", "file")) == "file"
-            and Path("/media").exists()
-        ):
-            Event.new(
-                EventAction.CONFIGURATION_ERROR,
-                message="/media has been moved to /data/media. "
-                "Check the release notes for migration steps.",
-            ).save()
--- a/authentik/admin/files/backends/tests/test_s3_backend.py
+++ b/authentik/admin/files/backends/tests/test_s3_backend.py
@@ -1,10 +1,13 @@
+from unittest import skipUnless
+
 from django.test import TestCase

-from authentik.admin.files.tests.utils import FileTestS3BackendMixin
+from authentik.admin.files.tests.utils import FileTestS3BackendMixin, s3_test_server_available
 from authentik.admin.files.usage import FileUsage
 from authentik.lib.config import CONFIG


+@skipUnless(s3_test_server_available(), "S3 test server not available")
 class TestS3Backend(FileTestS3BackendMixin, TestCase):
    """Test S3 backend functionality"""

--- a/authentik/admin/files/tests/test_manager.py
+++ b/authentik/admin/files/tests/test_manager.py
@@ -1,10 +1,16 @@
 """Test file service layer"""

+from unittest import skipUnless
+
 from django.http import HttpRequest
 from django.test import TestCase

 from authentik.admin.files.manager import FileManager
-from authentik.admin.files.tests.utils import FileTestFileBackendMixin, FileTestS3BackendMixin
+from authentik.admin.files.tests.utils import (
+    FileTestFileBackendMixin,
+    FileTestS3BackendMixin,
+    s3_test_server_available,
+)
 from authentik.admin.files.usage import FileUsage
 from authentik.lib.config import CONFIG

@@ -81,6 +87,7 @@ class TestResolveFileUrlFileBackend(FileTestFileBackendMixin, TestCase):
        self.assertEqual(result, "http://example.com/files/media/public/test.png")


+@skipUnless(s3_test_server_available(), "S3 test server not available")
 class TestResolveFileUrlS3Backend(FileTestS3BackendMixin, TestCase):
    @CONFIG.patch("storage.media.s3.custom_domain", "s3.test:8080/test")
    @CONFIG.patch("storage.media.s3.secure_urls", False)
--- a/authentik/admin/files/tests/utils.py
+++ b/authentik/admin/files/tests/utils.py
@@ -1,11 +1,26 @@
 import shutil
+import socket
 from tempfile import mkdtemp
+from urllib.parse import urlparse

 from authentik.admin.files.backends.s3 import S3Backend
 from authentik.admin.files.usage import FileUsage
 from authentik.lib.config import CONFIG, UNSET
 from authentik.lib.generators import generate_id

+S3_TEST_ENDPOINT = "http://localhost:8020"
+
+
+def s3_test_server_available() -> bool:
+    """Check if the S3 test server is reachable."""
+
+    parsed = urlparse(S3_TEST_ENDPOINT)
+    try:
+        with socket.create_connection((parsed.hostname, parsed.port), timeout=2):
+            return True
+    except OSError:
+        return False
+

 class FileTestFileBackendMixin:
    def setUp(self):
@@ -57,7 +72,7 @@ class FileTestS3BackendMixin:
        for key in s3_config_keys:
            self.original_media_s3_settings[key] = CONFIG.get(f"storage.media.s3.{key}", UNSET)
        self.media_s3_bucket_name = f"authentik-test-{generate_id(10)}".lower()
-        CONFIG.set("storage.media.s3.endpoint", "http://localhost:8020")
+        CONFIG.set("storage.media.s3.endpoint", S3_TEST_ENDPOINT)
        CONFIG.set("storage.media.s3.access_key", "accessKey1")
        CONFIG.set("storage.media.s3.secret_key", "secretKey1")
        CONFIG.set("storage.media.s3.bucket_name", self.media_s3_bucket_name)
@@ -70,7 +85,7 @@ class FileTestS3BackendMixin:
        for key in s3_config_keys:
            self.original_reports_s3_settings[key] = CONFIG.get(f"storage.reports.s3.{key}", UNSET)
        self.reports_s3_bucket_name = f"authentik-test-{generate_id(10)}".lower()
-        CONFIG.set("storage.reports.s3.endpoint", "http://localhost:8020")
+        CONFIG.set("storage.reports.s3.endpoint", S3_TEST_ENDPOINT)
        CONFIG.set("storage.reports.s3.access_key", "accessKey1")
        CONFIG.set("storage.reports.s3.secret_key", "secretKey1")
        CONFIG.set("storage.reports.s3.bucket_name", self.reports_s3_bucket_name)
--- a/authentik/api/management/init.py
+++ b/authentik/api/management/init.py
--- a/authentik/api/management/commands/init.py
+++ b/authentik/api/management/commands/init.py
--- a/authentik/api/management/commands/build_schema.py
+++ b/authentik/api/management/commands/build_schema.py
@@ -0,0 +1,45 @@
+from json import dumps
+
+from django.core.management.base import BaseCommand, no_translations
+from drf_spectacular.drainage import GENERATOR_STATS
+from drf_spectacular.generators import SchemaGenerator
+from drf_spectacular.renderers import OpenApiYamlRenderer
+from drf_spectacular.validation import validate_schema
+from structlog.stdlib import get_logger
+
+from authentik.blueprints.v1.schema import SchemaBuilder
+
+
+class Command(BaseCommand):
+
+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        self.logger = get_logger()
+
+    def add_arguments(self, parser):
+        parser.add_argument("--blueprint-file", type=str, default="blueprints/schema.json")
+        parser.add_argument("--api-file", type=str, default="schema.yml")
+
+    @no_translations
+    def handle(self, *args, blueprint_file: str, api_file: str, **options):
+        self.build_blueprint(blueprint_file)
+        self.build_api(api_file)
+
+    def build_blueprint(self, file: str):
+        self.logger.debug("Building blueprint schema...", file=file)
+        blueprint_builder = SchemaBuilder()
+        blueprint_builder.build()
+        with open(file, "w") as _schema:
+            _schema.write(
+                dumps(blueprint_builder.schema, indent=4, default=SchemaBuilder.json_default)
+            )
+
+    def build_api(self, file: str):
+        self.logger.debug("Building API schema...", file=file)
+        generator = SchemaGenerator()
+        schema = generator.get_schema(request=None, public=True)
+        GENERATOR_STATS.emit_summary()
+        validate_schema(schema)
+        output = OpenApiYamlRenderer().render(schema, renderer_context={})
+        with open(file, "wb") as f:
+            f.write(output)
--- a/authentik/api/pagination.py
+++ b/authentik/api/pagination.py
@@ -15,7 +15,9 @@ class Pagination(pagination.PageNumberPagination):

    def get_page_size(self, request):
        if self.page_size_query_param in request.query_params:
-            return min(super().get_page_size(request), request.tenant.pagination_max_page_size)
+            page_size = super().get_page_size(request)
+            if page_size is not None:
+                return min(super().get_page_size(request), request.tenant.pagination_max_page_size)
        return request.tenant.pagination_default_page_size

    def get_paginated_response(self, data):
--- a/authentik/api/tests/test_schema.py
+++ b/authentik/api/tests/test_schema.py
@@ -1,9 +1,14 @@
 """Schema generation tests"""

+from pathlib import Path
+
+from django.core.management import call_command
 from django.urls import reverse
 from rest_framework.test import APITestCase
 from yaml import safe_load

+from authentik.lib.config import CONFIG
+

 class TestSchemaGeneration(APITestCase):
    """Generic admin tests"""
@@ -21,3 +26,18 @@ class TestSchemaGeneration(APITestCase):
            reverse("authentik_api:schema-browser"),
        )
        self.assertEqual(response.status_code, 200)
+
+    def test_build_schema(self):
+        """Test schema build command"""
+        blueprint_file = Path("blueprints/schema.json")
+        api_file = Path("schema.yml")
+        blueprint_file.unlink()
+        api_file.unlink()
+        with (
+            CONFIG.patch("debug", True),
+            CONFIG.patch("tenants.enabled", True),
+            CONFIG.patch("outposts.disable_embedded_outpost", True),
+        ):
+            call_command("build_schema")
+        self.assertTrue(blueprint_file.exists())
+        self.assertTrue(api_file.exists())
--- a/authentik/api/v3/config.py
+++ b/authentik/api/v3/config.py
@@ -31,6 +31,7 @@ class Capabilities(models.TextChoices):
    """Define capabilities which influence which APIs can/should be used"""

    CAN_SAVE_MEDIA = "can_save_media"
+    CAN_SAVE_REPORTS = "can_save_reports"
    CAN_GEO_IP = "can_geo_ip"
    CAN_ASN = "can_asn"
    CAN_IMPERSONATE = "can_impersonate"
@@ -70,6 +71,8 @@ class ConfigView(APIView):
        caps = []
        if get_file_manager(FileUsage.MEDIA).manageable:
            caps.append(Capabilities.CAN_SAVE_MEDIA)
+        if get_file_manager(FileUsage.REPORTS).manageable:
+            caps.append(Capabilities.CAN_SAVE_REPORTS)
        for processor in get_context_processors():
            if cap := processor.capability():
                caps.append(cap)
--- a/authentik/blueprints/tests/fixtures/conditional_fields.yaml
+++ b/authentik/blueprints/tests/fixtures/conditional_fields.yaml
@@ -8,45 +8,62 @@ metadata:
      - Application (icon)
      - Source (icon)
      - Flow (background)
+      - Endpoint Enrollment token (key)
 entries:
-  - model: authentik_core.token
-    identifiers:
-      identifier: "%(uid)s-token"
-    attrs:
-      key: "%(uid)s"
-      user: "%(user)s"
-      intent: api
-  - model: authentik_core.application
-    identifiers:
-      slug: "%(uid)s-app"
-    attrs:
-      name: "%(uid)s-app"
-      icon: https://goauthentik.io/img/icon.png
-  - model: authentik_sources_oauth.oauthsource
-    identifiers:
-      slug: "%(uid)s-source"
-    attrs:
-      name: "%(uid)s-source"
-      provider_type: azuread
-      consumer_key: "%(uid)s"
-      consumer_secret: "%(uid)s"
-      icon: https://goauthentik.io/img/icon.png
-  - model: authentik_flows.flow
-    identifiers:
-      slug: "%(uid)s-flow"
-    attrs:
-      name: "%(uid)s-flow"
-      title: "%(uid)s-flow"
-      designation: authentication
-      background: https://goauthentik.io/img/icon.png
-  - model: authentik_core.user
-    identifiers:
-      username: "%(uid)s"
-    attrs:
-      name: "%(uid)s"
-      password: "%(uid)s"
-  - model: authentik_core.user
-    identifiers:
-      username: "%(uid)s-no-password"
-    attrs:
-      name: "%(uid)s"
+  token:
+    - model: authentik_core.token
+      identifiers:
+        identifier: "%(uid)s-token"
+      attrs:
+        key: "%(uid)s"
+        user: "%(user)s"
+        intent: api
+  app:
+    - model: authentik_core.application
+      identifiers:
+        slug: "%(uid)s-app"
+      attrs:
+        name: "%(uid)s-app"
+        icon: https://goauthentik.io/img/icon.png
+  source:
+    - model: authentik_sources_oauth.oauthsource
+      identifiers:
+        slug: "%(uid)s-source"
+      attrs:
+        name: "%(uid)s-source"
+        provider_type: azuread
+        consumer_key: "%(uid)s"
+        consumer_secret: "%(uid)s"
+        icon: https://goauthentik.io/img/icon.png
+  flow:
+    - model: authentik_flows.flow
+      identifiers:
+        slug: "%(uid)s-flow"
+      attrs:
+        name: "%(uid)s-flow"
+        title: "%(uid)s-flow"
+        designation: authentication
+        background: https://goauthentik.io/img/icon.png
+  user:
+    - model: authentik_core.user
+      identifiers:
+        username: "%(uid)s"
+      attrs:
+        name: "%(uid)s"
+        password: "%(uid)s"
+    - model: authentik_core.user
+      identifiers:
+        username: "%(uid)s-no-password"
+      attrs:
+        name: "%(uid)s"
+  endpoint:
+    - model: authentik_endpoints_connectors_agent.agentconnector
+      id: connector
+      identifiers:
+        name: "%(uid)s"
+    - model: authentik_endpoints_connectors_agent.enrollmenttoken
+      identifiers:
+        name: "%(uid)s"
+      attrs:
+        key: "%(uid)s"
+        connector: !KeyOf connector
--- a/authentik/blueprints/tests/test_v1_conditional_fields.py
+++ b/authentik/blueprints/tests/test_v1_conditional_fields.py
@@ -5,6 +5,7 @@ from django.test import TransactionTestCase
 from authentik.blueprints.v1.importer import Importer
 from authentik.core.models import Token, User
 from authentik.core.tests.utils import create_test_admin_user
+from authentik.endpoints.connectors.agent.models import EnrollmentToken
 from authentik.lib.generators import generate_id
 from authentik.lib.tests.utils import load_fixture

@@ -29,12 +30,18 @@ class TestBlueprintsV1ConditionalFields(TransactionTestCase):

    def test_user(self):
        """Test user"""
-        user: User = User.objects.filter(username=self.uid).first()
+        user = User.objects.filter(username=self.uid).first()
        self.assertIsNotNone(user)
        self.assertTrue(user.check_password(self.uid))

    def test_user_null(self):
        """Test user"""
-        user: User = User.objects.filter(username=f"{self.uid}-no-password").first()
+        user = User.objects.filter(username=f"{self.uid}-no-password").first()
        self.assertIsNotNone(user)
        self.assertFalse(user.has_usable_password())
+
+    def test_enrollment_token(self):
+        """Test endpoint enrollment token"""
+        token = EnrollmentToken.objects.filter(name=self.uid).first()
+        self.assertIsNotNone(token)
+        self.assertEqual(token.key, self.uid)
--- a/authentik/blueprints/tests/test_v1_tasks.py
+++ b/authentik/blueprints/tests/test_v1_tasks.py
@@ -149,7 +149,7 @@ class TestBlueprintsV1Tasks(TransactionTestCase):
                instance.status,
                BlueprintInstanceStatus.UNKNOWN,
            )
-            apply_blueprint(instance.pk)
+            apply_blueprint.send(instance.pk).get_result(block=True)
            instance.refresh_from_db()
            self.assertEqual(instance.last_applied_hash, "")
            self.assertEqual(
--- a/authentik/blueprints/v1/importer.py
+++ b/authentik/blueprints/v1/importer.py
@@ -15,7 +15,6 @@ from django.db.models import Model
 from django.db.models.query_utils import Q
 from django.db.transaction import atomic
 from django.db.utils import IntegrityError
-from django_channels_postgres.models import GroupChannel, Message
 from guardian.models import RoleObjectPermission, UserObjectPermission
 from rest_framework.exceptions import ValidationError
 from rest_framework.serializers import BaseSerializer, Serializer
@@ -41,55 +40,17 @@ from authentik.core.models import (
    User,
    UserSourceConnection,
 )
-from authentik.endpoints.connectors.agent.models import (
-    AgentDeviceConnection,
-    AppleNonce,
-    DeviceAuthenticationToken,
-)
-from authentik.endpoints.connectors.agent.models import (
-    DeviceToken as EndpointDeviceToken,
-)
-from authentik.endpoints.models import Connector, Device, DeviceConnection, DeviceFactSnapshot
+from authentik.endpoints.models import Connector
 from authentik.enterprise.license import LicenseKey
-from authentik.enterprise.models import LicenseUsage
-from authentik.enterprise.providers.google_workspace.models import (
-    GoogleWorkspaceProviderGroup,
-    GoogleWorkspaceProviderUser,
-)
-from authentik.enterprise.providers.microsoft_entra.models import (
-    MicrosoftEntraProviderGroup,
-    MicrosoftEntraProviderUser,
-)
-from authentik.enterprise.providers.ssf.models import StreamEvent
-from authentik.enterprise.stages.authenticator_endpoint_gdtc.models import (
-    EndpointDevice,
-    EndpointDeviceConnection,
-)
 from authentik.events.logs import LogEvent, capture_logs
 from authentik.events.utils import cleanse_dict
-from authentik.flows.models import FlowToken, Stage
-from authentik.lib.models import SerializerModel
+from authentik.flows.models import Stage
+from authentik.lib.models import InternallyManagedMixin, SerializerModel
 from authentik.lib.sentry import SentryIgnoredException
 from authentik.lib.utils.reflection import get_apps
 from authentik.outposts.models import OutpostServiceConnection
 from authentik.policies.models import Policy, PolicyBindingModel
-from authentik.policies.reputation.models import Reputation
-from authentik.providers.oauth2.models import (
-    AccessToken,
-    AuthorizationCode,
-    DeviceToken,
-    RefreshToken,
-)
-from authentik.providers.proxy.models import ProxySession
-from authentik.providers.rac.models import ConnectionToken
-from authentik.providers.saml.models import SAMLSession
-from authentik.providers.scim.models import SCIMProviderGroup, SCIMProviderUser
 from authentik.rbac.models import Role
-from authentik.sources.scim.models import SCIMSourceGroup, SCIMSourceUser
-from authentik.stages.authenticator_webauthn.models import WebAuthnDeviceType
-from authentik.stages.consent.models import UserConsent
-from authentik.tasks.models import Task, TaskLog
-from authentik.tenants.models import Tenant

 # Context set when the serializer is created in a blueprint context
 # Update website/docs/customize/blueprints/v1/models.md when used
@@ -125,49 +86,16 @@ def excluded_models() -> list[type[Model]]:
        # Classes that have other dependencies
        Session,
        AuthenticatedSession,
-        # Classes which are only internally managed
-        # FIXME: these shouldn't need to be explicitly listed, but rather based off of a mixin
-        FlowToken,
-        LicenseUsage,
-        SCIMProviderGroup,
-        SCIMProviderUser,
-        Tenant,
-        Task,
-        TaskLog,
-        ConnectionToken,
-        AuthorizationCode,
-        AccessToken,
-        RefreshToken,
-        ProxySession,
-        Reputation,
-        WebAuthnDeviceType,
-        SCIMSourceUser,
-        SCIMSourceGroup,
-        GoogleWorkspaceProviderUser,
-        GoogleWorkspaceProviderGroup,
-        MicrosoftEntraProviderUser,
-        MicrosoftEntraProviderGroup,
-        EndpointDevice,
-        EndpointDeviceConnection,
-        EndpointDeviceToken,
-        Device,
-        DeviceConnection,
-        DeviceAuthenticationToken,
-        AppleNonce,
-        AgentDeviceConnection,
-        DeviceFactSnapshot,
-        DeviceToken,
-        StreamEvent,
-        UserConsent,
-        SAMLSession,
-        Message,
-        GroupChannel,
    )


 def is_model_allowed(model: type[Model]) -> bool:
    """Check if model is allowed"""
-    return model not in excluded_models() and issubclass(model, SerializerModel | BaseMetaModel)
+    return (
+        model not in excluded_models()
+        and issubclass(model, SerializerModel | BaseMetaModel)
+        and not issubclass(model, InternallyManagedMixin)
+    )


 class DoRollback(SentryIgnoredException):
--- a/authentik/blueprints/v1/meta/apply_blueprint.py
+++ b/authentik/blueprints/v1/meta/apply_blueprint.py
@@ -37,14 +37,21 @@ class ApplyBlueprintMetaSerializer(PassiveSerializer):
        return super().validate(attrs)

    def create(self, validated_data: dict) -> MetaResult:
-        from authentik.blueprints.v1.tasks import apply_blueprint
+        from authentik.blueprints.v1.importer import Importer

        if not self.blueprint_instance:
            LOGGER.info("Blueprint does not exist, but not required")
            return MetaResult()
        LOGGER.debug("Applying blueprint from meta model", blueprint=self.blueprint_instance)

-        apply_blueprint(self.blueprint_instance.pk)
+        # Apply blueprint directly using Importer to avoid task context requirements
+        # and prevent deadlocks when called from within another blueprint task
+        blueprint_content = self.blueprint_instance.retrieve()
+        importer = Importer.from_string(blueprint_content, self.blueprint_instance.context)
+        valid, logs = importer.validate()
+        [log.log() for log in logs]
+        if valid:
+            importer.apply()
        return MetaResult()


--- a/authentik/blueprints/management/commands/make_blueprint_schema.py
+++ b/authentik/blueprints/management/commands/make_blueprint_schema.py
@@ -1,9 +1,7 @@
 """Generate JSON Schema for blueprints"""

-from json import dumps
 from typing import Any

-from django.core.management.base import BaseCommand, no_translations
 from django.db.models import Model, fields
 from django.db.models.fields.related import OneToOneField
 from drf_jsonschema_serializer.convert import converter, field_to_converter
@@ -40,13 +38,12 @@ class PrimaryKeyRelatedFieldConverter:
        return {"type": "integer"}


-class Command(BaseCommand):
+class SchemaBuilder:
    """Generate JSON Schema for blueprints"""

    schema: dict

-    def __init__(self, *args, **kwargs):
-        super().__init__(*args, **kwargs)
+    def __init__(self):
        self.schema = {
            "$schema": "http://json-schema.org/draft-07/schema",
            "$id": "https://goauthentik.io/blueprints/schema.json",
@@ -93,16 +90,6 @@ class Command(BaseCommand):
            "$defs": {"blueprint_entry": {"oneOf": []}},
        }

-    def add_arguments(self, parser):
-        parser.add_argument("--file", type=str)
-
-    @no_translations
-    def handle(self, *args, file: str, **options):
-        """Generate JSON Schema for blueprints"""
-        self.build()
-        with open(file, "w") as _schema:
-            _schema.write(dumps(self.schema, indent=4, default=Command.json_default))
-
    @staticmethod
    def json_default(value: Any) -> Any:
        """Helper that handles gettext_lazy strings that JSON doesn't handle"""
@@ -124,7 +111,7 @@ class Command(BaseCommand):
                try:
                    serializer_class = model_instance.serializer
                except NotImplementedError as exc:
-                    raise NotImplementedError(model_instance) from exc
+                    raise ValueError(f"SerializerModel not implemented by {model}") from exc
            serializer = serializer_class(
                context={
                    SERIALIZER_CONTEXT_BLUEPRINT: False,
--- a/authentik/blueprints/v1/tasks.py
+++ b/authentik/blueprints/v1/tasks.py
@@ -12,7 +12,6 @@ from django.db import DatabaseError, InternalError, ProgrammingError
 from django.utils.text import slugify
 from django.utils.timezone import now
 from django.utils.translation import gettext_lazy as _
-from django_dramatiq_postgres.middleware import CurrentTaskNotFound
 from dramatiq.actor import actor
 from dramatiq.middleware import Middleware
 from structlog.stdlib import get_logger
@@ -40,7 +39,6 @@ from authentik.events.utils import sanitize_dict
 from authentik.lib.config import CONFIG
 from authentik.tasks.apps import PRIORITY_HIGH
 from authentik.tasks.middleware import CurrentTask
-from authentik.tasks.models import Task
 from authentik.tasks.schedules.models import Schedule
 from authentik.tenants.models import Tenant

@@ -191,10 +189,7 @@ def check_blueprint_v1_file(blueprint: BlueprintFile):

@actor(description=_("Apply single blueprint."))
 def apply_blueprint(instance_pk: UUID):
-    try:
-        self = CurrentTask.get_task()
-    except CurrentTaskNotFound:
-        self = Task()
+    self = CurrentTask.get_task()
    self.set_uid(str(instance_pk))
    instance: BlueprintInstance | None = None
    try:
--- a/authentik/core/api/applications.py
+++ b/authentik/core/api/applications.py
@@ -180,10 +180,10 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
        )

    def _filter_applications_with_launch_url(
-        self, applications: QuerySet[Application]
+        self, paginated_apps: QuerySet[Application]
    ) -> list[Application]:
        applications = []
-        for app in applications:
+        for app in paginated_apps:
            if app.get_launch_url():
                applications.append(app)
        return applications
--- a/authentik/core/api/groups.py
+++ b/authentik/core/api/groups.py
@@ -33,6 +33,16 @@ from authentik.endpoints.connectors.agent.auth import AgentAuth
 from authentik.rbac.api.roles import RoleSerializer
 from authentik.rbac.decorators import permission_required

+PARTIAL_USER_SERIALIZER_MODEL_FIELDS = [
+    "pk",
+    "username",
+    "name",
+    "is_active",
+    "last_login",
+    "email",
+    "attributes",
+]
+

 class PartialUserSerializer(ModelSerializer):
    """Partial User Serializer, does not include child relations."""
@@ -42,16 +52,7 @@ class PartialUserSerializer(ModelSerializer):

    class Meta:
        model = User
-        fields = [
-            "pk",
-            "username",
-            "name",
-            "is_active",
-            "last_login",
-            "email",
-            "attributes",
-            "uid",
-        ]
+        fields = PARTIAL_USER_SERIALIZER_MODEL_FIELDS + ["uid"]


 class RelatedGroupSerializer(ModelSerializer):
@@ -255,14 +256,21 @@ class GroupViewSet(UsedByMixin, ModelViewSet):
        return [
            StrField(Group, "name"),
            BoolField(Group, "is_superuser", nullable=True),
-            JSONSearchField(Group, "attributes", suggest_nested=False),
+            JSONSearchField(Group, "attributes"),
        ]

    def get_queryset(self):
        base_qs = Group.objects.all().prefetch_related("roles")

        if self.serializer_class(context={"request": self.request})._should_include_users:
-            base_qs = base_qs.prefetch_related("users")
+            # Only fetch fields needed by PartialUserSerializer to reduce DB load and instantiation
+            # time
+            base_qs = base_qs.prefetch_related(
+                Prefetch(
+                    "users",
+                    queryset=User.objects.all().only(*PARTIAL_USER_SERIALIZER_MODEL_FIELDS),
+                )
+            )
        else:
            base_qs = base_qs.prefetch_related(
                Prefetch("users", queryset=User.objects.all().only("id"))
--- a/authentik/core/api/tokens.py
+++ b/authentik/core/api/tokens.py
@@ -4,7 +4,6 @@ from typing import Any

 from django.utils.timezone import now
 from drf_spectacular.utils import OpenApiResponse, extend_schema
-from guardian.shortcuts import get_anonymous_user
 from rest_framework.decorators import action
 from rest_framework.exceptions import ValidationError
 from rest_framework.fields import CharField
@@ -145,12 +144,6 @@ class TokenViewSet(UsedByMixin, ModelViewSet):
    owner_field = "user"
    rbac_allow_create_without_perm = True

-    def get_queryset(self):
-        user = self.request.user if self.request else get_anonymous_user()
-        if user.is_superuser:
-            return super().get_queryset()
-        return super().get_queryset().filter(user=user.pk)
-
    def perform_create(self, serializer: TokenSerializer):
        if not self.request.user.is_superuser:
            instance = serializer.save(
--- a/authentik/core/api/users.py
+++ b/authentik/core/api/users.py
@@ -518,7 +518,7 @@ class UserViewSet(
            StrField(User, "path"),
            BoolField(User, "is_active", nullable=True),
            ChoiceSearchField(User, "type"),
-            JSONSearchField(User, "attributes", suggest_nested=False),
+            JSONSearchField(User, "attributes"),
        ]

    def get_queryset(self):
--- a/authentik/core/migrations/0056_user_roles.py
+++ b/authentik/core/migrations/0056_user_roles.py
@@ -18,10 +18,9 @@ def migrate_object_permissions(apps: Apps, schema_editor: BaseDatabaseSchemaEdit
    RoleModelPermission = apps.get_model("guardian", "RoleModelPermission")

    def get_role_for_user_id(user_id: int) -> Role:
-        name = f"ak-managed-role--user-{user_id}"
+        name = f"ak-migrated-role--user-{user_id}"
        role, created = Role.objects.using(db_alias).get_or_create(
            name=name,
-            managed=name,
        )
        if created:
            role.users.add(user_id)
@@ -32,11 +31,10 @@ def migrate_object_permissions(apps: Apps, schema_editor: BaseDatabaseSchemaEdit
        if not role:
            # Every django group should already have a role, so this should never happen.
            # But let's be nice.
-            name = f"ak-managed-role--group-{group_id}"
+            name = f"ak-migrated-role--group-{group_id}"
            role, created = Role.objects.using(db_alias).get_or_create(
                group_id=group_id,
                name=name,
-                managed=name,
            )
            if created:
                role.group_id = group_id
--- a/authentik/core/sessions.py
+++ b/authentik/core/sessions.py
@@ -66,9 +66,12 @@ class SessionStore(SessionBase):
    def decode(self, session_data):
        try:
            return pickle.loads(session_data)  # nosec
-        except pickle.PickleError:
-            # ValueError, unpickling exceptions. If any of these happen, just return an empty
-            # dictionary (an empty session)
+        except (pickle.PickleError, AttributeError, TypeError):
+            # PickleError, ValueError - unpickling exceptions
+            # AttributeError - can happen when Django model fields (e.g., FileField) are unpickled
+            #                  and their descriptors fail to initialize (e.g., missing storage)
+            # TypeError - can happen with incompatible pickled objects
+            # If any of these happen, just return an empty dictionary (an empty session)
            pass
        return {}

--- a/authentik/core/tasks.py
+++ b/authentik/core/tasks.py
@@ -35,8 +35,13 @@ def clean_expired_models():
        LOGGER.debug("Expired models", model=cls, amount=amount)
        self.info(f"Expired {amount} {cls._meta.verbose_name_plural}")
    clear_expired_cache()
-    Message.delete_expired()
-    GroupChannel.delete_expired()
+    for cls in [Message, GroupChannel]:
+        objects = cls.objects.all().filter(expires__lt=now())
+        amount = objects.count()
+        for obj in chunked_queryset(objects):
+            obj.delete()
+        LOGGER.debug("Expired models", model=cls, amount=amount)
+        self.info(f"Expired {amount} {cls._meta.verbose_name_plural}")


@actor(description=_("Remove temporary users created by SAML Sources."))
--- a/authentik/core/tests/test_source_property_mappings.py
+++ b/authentik/core/tests/test_source_property_mappings.py
@@ -5,9 +5,10 @@ from django.test import TestCase
 from authentik.core.models import Group, PropertyMapping, Source, User
 from authentik.core.sources.mapper import SourceMapper
 from authentik.lib.generators import generate_id
+from authentik.lib.models import InternallyManagedMixin


-class ProxySource(Source):
+class ProxySource(InternallyManagedMixin, Source):
    @property
    def property_mapping_type(self):
        return PropertyMapping
--- a/authentik/core/tests/test_token_api.py
+++ b/authentik/core/tests/test_token_api.py
@@ -183,16 +183,16 @@ class TestTokenAPI(APITestCase):
        self.assertEqual(len(body["results"]), 1)
        self.assertEqual(body["results"][0]["identifier"], token_should.identifier)

-    def test_list_admin(self):
-        """Test Token List (Test with admin auth)"""
+    def test_list_with_permission(self):
+        """Test Token List (Test with `view_token` permission)"""
        Token.objects.all().delete()
-        self.client.force_login(self.admin)
        token_should: Token = Token.objects.create(
            identifier="test", expiring=False, user=self.user
        )
        token_should_not: Token = Token.objects.create(
            identifier="test-2", expiring=False, user=get_anonymous_user()
        )
+        self.user.assign_perms_to_managed_role("authentik_core.view_token")
        response = self.client.get(reverse("authentik_api:token-list"))
        body = loads(response.content)
        self.assertEqual(len(body["results"]), 2)
--- a/authentik/crypto/api.py
+++ b/authentik/crypto/api.py
@@ -1,7 +1,5 @@
 """Crypto API Views"""

-from datetime import datetime
-
 from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives.serialization import load_pem_private_key
 from cryptography.x509 import load_pem_x509_certificate
@@ -15,14 +13,12 @@ from drf_spectacular.utils import (
    OpenApiParameter,
    OpenApiResponse,
    extend_schema,
-    extend_schema_field,
 )
 from rest_framework.decorators import action
 from rest_framework.exceptions import ValidationError
 from rest_framework.fields import (
    CharField,
    ChoiceField,
-    DateTimeField,
    IntegerField,
    SerializerMethodField,
 )
@@ -51,59 +47,15 @@ LOGGER = get_logger()
 class CertificateKeyPairSerializer(ModelSerializer):
    """CertificateKeyPair Serializer"""

-    fingerprint_sha256 = SerializerMethodField()
-    fingerprint_sha1 = SerializerMethodField()
-
-    cert_expiry = SerializerMethodField()
-    cert_subject = SerializerMethodField()
    private_key_available = SerializerMethodField()
-    key_type = SerializerMethodField()

    certificate_download_url = SerializerMethodField()
    private_key_download_url = SerializerMethodField()

-    @property
-    def _should_include_details(self) -> bool:
-        request: Request = self.context.get("request", None)
-        if not request:
-            return True
-        return str(request.query_params.get("include_details", "true")).lower() == "true"
-
-    def get_fingerprint_sha256(self, instance: CertificateKeyPair) -> str | None:
-        "Get certificate Hash (SHA256)"
-        if not self._should_include_details:
-            return None
-        return instance.fingerprint_sha256
-
-    def get_fingerprint_sha1(self, instance: CertificateKeyPair) -> str | None:
-        "Get certificate Hash (SHA1)"
-        if not self._should_include_details:
-            return None
-        return instance.fingerprint_sha1
-
-    def get_cert_expiry(self, instance: CertificateKeyPair) -> datetime | None:
-        "Get certificate expiry"
-        if not self._should_include_details:
-            return None
-        return DateTimeField().to_representation(instance.certificate.not_valid_after_utc)
-
-    def get_cert_subject(self, instance: CertificateKeyPair) -> str | None:
-        """Get certificate subject as full rfc4514"""
-        if not self._should_include_details:
-            return None
-        return instance.certificate.subject.rfc4514_string()
-
    def get_private_key_available(self, instance: CertificateKeyPair) -> bool:
        """Show if this keypair has a private key configured or not"""
        return instance.key_data != "" and instance.key_data is not None

-    @extend_schema_field(ChoiceField(choices=KeyType.choices, allow_null=True))
-    def get_key_type(self, instance: CertificateKeyPair) -> str | None:
-        """Get the key algorithm type from the certificate's public key"""
-        if not self._should_include_details:
-            return None
-        return instance.key_type
-
    def get_certificate_download_url(self, instance: CertificateKeyPair) -> str:
        """Get URL to download certificate"""
        return (
@@ -175,6 +127,11 @@ class CertificateKeyPairSerializer(ModelSerializer):
            "managed": {"read_only": True},
            "key_data": {"write_only": True},
            "certificate_data": {"write_only": True},
+            "fingerprint_sha256": {"read_only": True},
+            "fingerprint_sha1": {"read_only": True},
+            "cert_expiry": {"read_only": True},
+            "cert_subject": {"read_only": True},
+            "key_type": {"read_only": True},
        }


@@ -216,17 +173,12 @@ class CertificateKeyPairFilter(FilterSet):
        return queryset.exclude(key_data__exact="")

    def filter_key_type(self, queryset, name, value):  # pragma: no cover
-        """Filter certificates by key type using the public key from the certificate"""
+        """Filter certificates by key type using the stored database field"""
        if not value:
            return queryset

        # value is a list of KeyType enum values from MultipleChoiceFilter
-        filtered_pks = []
-        for cert in queryset:
-            if cert.key_type in value:
-                filtered_pks.append(cert.pk)
-
-        return queryset.filter(pk__in=filtered_pks)
+        return queryset.filter(key_type__in=value)

    class Meta:
        model = CertificateKeyPair
@@ -263,7 +215,6 @@ class CertificateKeyPairViewSet(UsedByMixin, ModelViewSet):
                    "Can be specified multiple times (e.g. '?key_type=rsa&key_type=ec')"
                ),
            ),
-            OpenApiParameter("include_details", bool, default=True),
        ]
    )
    def list(self, request, *args, **kwargs):
--- a/authentik/crypto/migrations/0006_certificatekeypair_cert_expiry_and_more.py
+++ b/authentik/crypto/migrations/0006_certificatekeypair_cert_expiry_and_more.py
@@ -0,0 +1,120 @@
+# Generated by Django 5.2.9 on 2025-12-09 06:22
+
+from hashlib import md5
+
+from cryptography.hazmat.backends import default_backend
+from cryptography.x509 import load_pem_x509_certificate
+from django.db import migrations, models
+
+from authentik.crypto.signals import extract_certificate_metadata
+from authentik.lib.migrations import progress_bar
+
+
+def backfill_certificate_metadata(apps, schema_editor):  # noqa: ARG001
+    """Backfill certificate metadata and kid for existing records."""
+
+    db_alias = schema_editor.connection.alias
+    CertificateKeyPair = apps.get_model("authentik_crypto", "CertificateKeyPair")
+
+    print("\nStoring extra data about certificates, this might take a couple of minutes...")
+    for cert in progress_bar(CertificateKeyPair.objects.using(db_alias).all()):
+        updated_fields = []
+
+        if cert.certificate_data:
+            try:
+                certificate = load_pem_x509_certificate(
+                    cert.certificate_data.encode("utf-8"), default_backend()
+                )
+                metadata = extract_certificate_metadata(certificate)
+
+                cert.key_type = metadata["key_type"]
+                cert.cert_expiry = metadata["cert_expiry"]
+                cert.cert_subject = metadata["cert_subject"]
+                cert.fingerprint_sha256 = metadata["fingerprint_sha256"]
+                cert.fingerprint_sha1 = metadata["fingerprint_sha1"]
+                updated_fields.extend(
+                    [
+                        "key_type",
+                        "cert_expiry",
+                        "cert_subject",
+                        "fingerprint_sha256",
+                        "fingerprint_sha1",
+                    ]
+                )
+            except (ValueError, TypeError, AttributeError):
+                pass
+
+        # Backfill kid with MD5 for backwards compatibility
+        if cert.key_data:
+            cert.kid = md5(cert.key_data.encode("utf-8"), usedforsecurity=False).hexdigest()
+            updated_fields.append("kid")
+
+        if updated_fields:
+            cert.save(update_fields=updated_fields, using=db_alias)
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_crypto", "0005_alter_certificatekeypair_options"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="certificatekeypair",
+            name="cert_expiry",
+            field=models.DateTimeField(blank=True, help_text="Certificate expiry date", null=True),
+        ),
+        migrations.AddField(
+            model_name="certificatekeypair",
+            name="cert_subject",
+            field=models.TextField(
+                blank=True, help_text="Certificate subject as RFC4514 string", null=True
+            ),
+        ),
+        migrations.AddField(
+            model_name="certificatekeypair",
+            name="fingerprint_sha1",
+            field=models.CharField(
+                blank=True,
+                help_text="SHA1 fingerprint of the certificate",
+                max_length=59,
+                null=True,
+            ),
+        ),
+        migrations.AddField(
+            model_name="certificatekeypair",
+            name="fingerprint_sha256",
+            field=models.CharField(
+                blank=True,
+                help_text="SHA256 fingerprint of the certificate",
+                max_length=95,
+                null=True,
+            ),
+        ),
+        migrations.AddField(
+            model_name="certificatekeypair",
+            name="key_type",
+            field=models.CharField(
+                blank=True,
+                choices=[
+                    ("rsa", "RSA"),
+                    ("ec", "Elliptic Curve"),
+                    ("dsa", "DSA"),
+                    ("ed25519", "Ed25519"),
+                    ("ed448", "Ed448"),
+                ],
+                help_text="Key algorithm type detected from the certificate's public key",
+                max_length=16,
+                null=True,
+            ),
+        ),
+        migrations.AddField(
+            model_name="certificatekeypair",
+            name="kid",
+            field=models.CharField(
+                blank=True, help_text="Key ID generated from private key", max_length=128, null=True
+            ),
+        ),
+        migrations.RunPython(backfill_certificate_metadata, migrations.RunPython.noop),
+    ]
--- a/authentik/crypto/models.py
+++ b/authentik/crypto/models.py
@@ -1,7 +1,8 @@
 """authentik crypto models"""

+from base64 import urlsafe_b64encode
 from binascii import hexlify
-from hashlib import md5
+from hashlib import md5, sha512
 from ssl import PEM_FOOTER, PEM_HEADER
 from textwrap import wrap
 from uuid import uuid4
@@ -47,6 +48,39 @@ def fingerprint_sha256(cert: Certificate) -> str:
    return hexlify(cert.fingerprint(hashes.SHA256()), ":").decode("utf-8")


+def detect_key_type(certificate: Certificate) -> str | None:
+    """Detect the key algorithm type by parsing the certificate's public key"""
+    try:
+        public_key = certificate.public_key()
+        if isinstance(public_key, RSAPublicKey):
+            return KeyType.RSA
+        if isinstance(public_key, EllipticCurvePublicKey):
+            return KeyType.EC
+        if isinstance(public_key, DSAPublicKey):
+            return KeyType.DSA
+        if isinstance(public_key, Ed25519PublicKey):
+            return KeyType.ED25519
+        if isinstance(public_key, Ed448PublicKey):
+            return KeyType.ED448
+    except (ValueError, TypeError, AttributeError) as exc:
+        LOGGER.warning("Failed to detect key type", exc=exc)
+    return None
+
+
+def generate_key_id(key_data: str) -> str:
+    """Generate Key ID using SHA512 + urlsafe_b64encode."""
+    if not key_data:
+        return ""
+    return urlsafe_b64encode(sha512(key_data.encode("utf-8")).digest()).decode("utf-8").rstrip("=")
+
+
+def generate_key_id_legacy(key_data: str) -> str:
+    """Generate Key ID using MD5 (legacy format for backwards compatibility)."""
+    if not key_data:
+        return ""
+    return md5(key_data.encode("utf-8")).hexdigest()  # nosec
+
+
 class CertificateKeyPair(SerializerModel, ManagedModel, CreatedUpdatedModel):
    """CertificateKeyPair that can be used for signing or encrypting if `key_data`
    is set, otherwise it can be used to verify remote data."""
@@ -62,6 +96,41 @@ class CertificateKeyPair(SerializerModel, ManagedModel, CreatedUpdatedModel):
        blank=True,
        default="",
    )
+    key_type = models.CharField(
+        max_length=16,
+        choices=KeyType.choices,
+        null=True,
+        blank=True,
+        help_text=_("Key algorithm type detected from the certificate's public key"),
+    )
+    cert_expiry = models.DateTimeField(
+        null=True,
+        blank=True,
+        help_text=_("Certificate expiry date"),
+    )
+    cert_subject = models.TextField(
+        null=True,
+        blank=True,
+        help_text=_("Certificate subject as RFC4514 string"),
+    )
+    fingerprint_sha256 = models.CharField(
+        max_length=95,
+        null=True,
+        blank=True,
+        help_text=_("SHA256 fingerprint of the certificate"),
+    )
+    fingerprint_sha1 = models.CharField(
+        max_length=59,
+        null=True,
+        blank=True,
+        help_text=_("SHA1 fingerprint of the certificate"),
+    )
+    kid = models.CharField(
+        max_length=128,
+        null=True,
+        blank=True,
+        help_text=_("Key ID generated from private key"),
+    )

    _cert: Certificate | None = None
    _private_key: PrivateKeyTypes | None = None
@@ -106,41 +175,6 @@ class CertificateKeyPair(SerializerModel, ManagedModel, CreatedUpdatedModel):
                return None
        return self._private_key

-    @property
-    def fingerprint_sha256(self) -> str:
-        """Get SHA256 Fingerprint of certificate_data"""
-        return fingerprint_sha256(self.certificate)
-
-    @property
-    def fingerprint_sha1(self) -> str:
-        """Get SHA1 Fingerprint of certificate_data"""
-        return hexlify(self.certificate.fingerprint(hashes.SHA1()), ":").decode("utf-8")  # nosec
-
-    @property
-    def kid(self):
-        """Get Key ID used for JWKS"""
-        return (
-            md5(self.key_data.encode("utf-8"), usedforsecurity=False).hexdigest()
-            if self.key_data
-            else ""
-        )  # nosec
-
-    @property
-    def key_type(self) -> str | None:
-        """Get the key algorithm type from the certificate's public key"""
-        public_key = self.certificate.public_key()
-        if isinstance(public_key, RSAPublicKey):
-            return KeyType.RSA
-        if isinstance(public_key, EllipticCurvePublicKey):
-            return KeyType.EC
-        if isinstance(public_key, DSAPublicKey):
-            return KeyType.DSA
-        if isinstance(public_key, Ed25519PublicKey):
-            return KeyType.ED25519
-        if isinstance(public_key, Ed448PublicKey):
-            return KeyType.ED448
-        return None
-
    def __str__(self) -> str:
        return f"Certificate-Key Pair {self.name}"

--- a/authentik/crypto/signals.py
+++ b/authentik/crypto/signals.py
@@ -0,0 +1,70 @@
+"""authentik crypto signals"""
+
+from binascii import hexlify
+from datetime import datetime
+from ssl import CertificateError
+
+from cryptography.hazmat.primitives import hashes
+from cryptography.x509 import Certificate
+from django.db.models.signals import pre_save
+from django.dispatch import receiver
+from structlog.stdlib import get_logger
+
+from authentik.crypto.models import (
+    CertificateKeyPair,
+    detect_key_type,
+    fingerprint_sha256,
+    generate_key_id,
+    generate_key_id_legacy,
+)
+
+LOGGER = get_logger()
+
+
+def extract_certificate_metadata(certificate: Certificate) -> dict[str, str | datetime]:
+    """Extract all metadata fields from a certificate."""
+    metadata = {}
+
+    try:
+        metadata["key_type"] = detect_key_type(certificate)
+        metadata["cert_expiry"] = certificate.not_valid_after_utc
+        metadata["cert_subject"] = certificate.subject.rfc4514_string()
+        metadata["fingerprint_sha256"] = fingerprint_sha256(certificate)
+        metadata["fingerprint_sha1"] = hexlify(
+            certificate.fingerprint(hashes.SHA1()), ":"  # nosec
+        ).decode("utf-8")
+    except (ValueError, TypeError, AttributeError) as exc:
+        raise CertificateError(f"Invalid certificate metadata: {exc}") from exc
+
+    return metadata
+
+
+@receiver(pre_save, sender="authentik_crypto.CertificateKeyPair")
+def certificate_key_pair_pre_save(
+    sender: type[CertificateKeyPair], instance: CertificateKeyPair, **_
+):
+    """Automatically populate certificate metadata fields before saving"""
+
+    # Only extract metadata if certificate_data is present
+    if not instance.certificate_data:
+        return
+
+    try:
+        metadata = extract_certificate_metadata(instance.certificate)
+    except (CertificateError, ValueError, TypeError, AttributeError) as exc:
+        LOGGER.warning("Failed to extract certificate metadata", exc=exc)
+        return
+
+    instance.key_type = metadata["key_type"]
+    instance.cert_expiry = metadata["cert_expiry"]
+    instance.cert_subject = metadata["cert_subject"]
+    instance.fingerprint_sha256 = metadata["fingerprint_sha256"]
+    instance.fingerprint_sha1 = metadata["fingerprint_sha1"]
+
+    # Generate kid if not set, or regenerate if key_data has changed
+    # Preserve existing kid (MD5 or SHA512) if it matches the current key_data
+    if instance.key_data:
+        new_kid = generate_key_id(instance.key_data)
+        legacy_kid = generate_key_id_legacy(instance.key_data)
+        if instance.kid not in (new_kid, legacy_kid):
+            instance.kid = new_kid
--- a/authentik/crypto/tests.py
+++ b/authentik/crypto/tests.py
@@ -20,7 +20,7 @@ from authentik.core.tests.utils import (
 )
 from authentik.crypto.api import CertificateKeyPairSerializer
 from authentik.crypto.builder import CertificateBuilder
-from authentik.crypto.models import CertificateKeyPair
+from authentik.crypto.models import CertificateKeyPair, generate_key_id, generate_key_id_legacy
 from authentik.crypto.tasks import MANAGED_DISCOVERED, certificate_discovery
 from authentik.lib.config import CONFIG
 from authentik.lib.generators import generate_id, generate_key
@@ -173,21 +173,24 @@ class TestCrypto(APITestCase):
        self.assertEqual(api_cert["fingerprint_sha1"], cert.fingerprint_sha1)
        self.assertEqual(api_cert["fingerprint_sha256"], cert.fingerprint_sha256)

-    def test_list_without_details(self):
-        """Test API List (no details)"""
+    def test_list_always_includes_details(self):
+        """Test API List always includes certificate details"""
        cert = create_test_cert()
        self.client.force_login(create_test_admin_user())
        response = self.client.get(
            reverse(
                "authentik_api:certificatekeypair-list",
            ),
-            data={"name": cert.name, "include_details": False},
+            data={"name": cert.name},
        )
        self.assertEqual(response.status_code, 200)
        body = loads(response.content.decode())
        api_cert = [x for x in body["results"] if x["name"] == cert.name][0]
-        self.assertEqual(api_cert["fingerprint_sha1"], None)
-        self.assertEqual(api_cert["fingerprint_sha256"], None)
+        # All details should now always be included
+        self.assertEqual(api_cert["fingerprint_sha1"], cert.fingerprint_sha1)
+        self.assertEqual(api_cert["fingerprint_sha256"], cert.fingerprint_sha256)
+        self.assertIsNotNone(api_cert["cert_expiry"])
+        self.assertIsNotNone(api_cert["cert_subject"])

    def test_certificate_download(self):
        """Test certificate export (download)"""
@@ -426,3 +429,114 @@ class TestCrypto(APITestCase):
            self.assertEqual(
                1, final_count, "Should not create duplicate cert for same private key"
            )
+
+    def test_metadata_extraction_with_cert_and_key(self):
+        """Test that metadata is extracted when creating keypair with certificate and key"""
+        cert = create_test_cert()
+
+        # Verify all metadata fields are populated
+        self.assertIsNotNone(cert.key_type)
+        self.assertIsNotNone(cert.cert_expiry)
+        self.assertIsNotNone(cert.cert_subject)
+        self.assertIsNotNone(cert.fingerprint_sha256)
+        self.assertIsNotNone(cert.fingerprint_sha1)
+
+        # Verify kid is generated using SHA512 for new records
+        self.assertIsNotNone(cert.kid)
+        self.assertEqual(cert.kid, generate_key_id(cert.key_data))
+
+    def test_metadata_extraction_without_key(self):
+        """Test that metadata is extracted when creating keypair without private key"""
+        builder = CertificateBuilder(generate_id())
+        builder.build(subject_alt_names=[], validity_days=3)
+
+        # Create keypair with only certificate, no key
+        cert = CertificateKeyPair.objects.create(
+            name=generate_id(),
+            certificate_data=builder.certificate,
+            key_data="",
+        )
+
+        # Verify certificate metadata fields are populated
+        self.assertIsNotNone(cert.key_type)
+        self.assertIsNotNone(cert.cert_expiry)
+        self.assertIsNotNone(cert.cert_subject)
+        self.assertIsNotNone(cert.fingerprint_sha256)
+        self.assertIsNotNone(cert.fingerprint_sha1)
+
+        # Verify kid is empty when no key_data
+        self.assertEqual(cert.kid, None)
+
+    def test_metadata_extraction_invalid_cert(self):
+        """Test that invalid certificate data doesn't crash, just skips metadata"""
+        cert = CertificateKeyPair.objects.create(
+            name=generate_id(),
+            certificate_data="invalid certificate data",
+            key_data="",
+        )
+
+        # Verify metadata fields are None for invalid cert
+        self.assertIsNone(cert.key_type)
+        self.assertIsNone(cert.cert_expiry)
+        self.assertIsNone(cert.cert_subject)
+        self.assertIsNone(cert.fingerprint_sha256)
+        self.assertIsNone(cert.fingerprint_sha1)
+        self.assertIsNone(cert.kid)
+
+    def test_kid_legacy_preservation(self):
+        """Test that legacy MD5 kid is preserved when key_data hasn't changed"""
+        cert = create_test_cert()
+
+        # Simulate a legacy MD5 kid (as if backfilled from old system)
+        legacy_kid = generate_key_id_legacy(cert.key_data)
+        CertificateKeyPair.objects.filter(pk=cert.pk).update(kid=legacy_kid)
+        cert.refresh_from_db()
+        self.assertEqual(cert.kid, legacy_kid)
+
+        # Save the cert again (e.g., name change) - kid should be preserved
+        cert.name = generate_id()
+        cert.save()
+        cert.refresh_from_db()
+
+        self.assertEqual(cert.kid, legacy_kid)
+
+    def test_kid_regenerated_on_key_change(self):
+        """Test that kid is regenerated when key_data changes"""
+        cert = create_test_cert()
+        original_kid = cert.kid
+
+        # Generate a new key and update the keypair
+        builder = CertificateBuilder(generate_id())
+        builder.build(subject_alt_names=[], validity_days=3)
+
+        cert.key_data = builder.private_key
+        cert.certificate_data = builder.certificate
+        cert.save()
+        cert.refresh_from_db()
+
+        # Kid should be regenerated for the new key
+        self.assertNotEqual(cert.kid, original_kid)
+        self.assertEqual(cert.kid, generate_key_id(cert.key_data))
+
+    def test_kid_regenerated_on_key_change_from_legacy(self):
+        """Test that kid is regenerated from legacy MD5 when key_data changes"""
+        cert = create_test_cert()
+
+        # Simulate a legacy MD5 kid
+        legacy_kid = generate_key_id_legacy(cert.key_data)
+        CertificateKeyPair.objects.filter(pk=cert.pk).update(kid=legacy_kid)
+        cert.refresh_from_db()
+        self.assertEqual(cert.kid, legacy_kid)
+
+        # Generate a new key and update the keypair
+        builder = CertificateBuilder(generate_id())
+        builder.build(subject_alt_names=[], validity_days=3)
+
+        cert.key_data = builder.private_key
+        cert.certificate_data = builder.certificate
+        cert.save()
+        cert.refresh_from_db()
+
+        # Kid should now be SHA512 for the new key
+        self.assertNotEqual(cert.kid, legacy_kid)
+        self.assertEqual(cert.kid, generate_key_id(cert.key_data))
--- a/authentik/endpoints/connectors/agent/api/connectors.py
+++ b/authentik/endpoints/connectors/agent/api/connectors.py
@@ -1,11 +1,13 @@
 from typing import cast

+from django.utils.timezone import now
 from django.utils.translation import gettext_lazy as _
 from drf_spectacular.types import OpenApiTypes
-from drf_spectacular.utils import OpenApiResponse, extend_schema
+from drf_spectacular.utils import OpenApiParameter, OpenApiResponse, extend_schema
 from rest_framework.decorators import action
 from rest_framework.exceptions import PermissionDenied, ValidationError
 from rest_framework.fields import ChoiceField
+from rest_framework.permissions import IsAuthenticated
 from rest_framework.relations import PrimaryKeyRelatedField
 from rest_framework.request import Request
 from rest_framework.response import Response
@@ -22,6 +24,9 @@ from authentik.endpoints.connectors.agent.api.agent import (
 from authentik.endpoints.connectors.agent.auth import (
    AgentAuth,
    AgentEnrollmentAuth,
+    DeviceAuthFedAuthentication,
+    agent_auth_issue_token,
+    check_device_policies,
 )
 from authentik.endpoints.connectors.agent.controller import MDMConfigResponseSerializer
 from authentik.endpoints.connectors.agent.models import (
@@ -32,7 +37,10 @@ from authentik.endpoints.connectors.agent.models import (
 )
 from authentik.endpoints.facts import DeviceFacts, OSFamily
 from authentik.endpoints.models import Device
+from authentik.events.models import Event, EventAction
+from authentik.flows.planner import PLAN_CONTEXT_DEVICE
 from authentik.lib.utils.reflection import ConditionalInheritance
+from authentik.stages.password.stage import PLAN_CONTEXT_METHOD, PLAN_CONTEXT_METHOD_ARGS


 class AgentConnectorSerializer(ConnectorSerializer):
@@ -163,3 +171,43 @@ class AgentConnectorViewSet(
        connection: AgentDeviceConnection = token.device
        connection.create_snapshot(data.validated_data)
        return Response(status=204)
+
+    @extend_schema(
+        request=OpenApiTypes.NONE,
+        parameters=[OpenApiParameter("device", OpenApiTypes.STR, location="query", required=True)],
+        responses={
+            200: AgentTokenResponseSerializer(),
+            404: OpenApiResponse(description="Device not found"),
+        },
+    )
+    @action(
+        methods=["POST"],
+        detail=False,
+        pagination_class=None,
+        filter_backends=[],
+        permission_classes=[IsAuthenticated],
+        authentication_classes=[DeviceAuthFedAuthentication],
+    )
+    def auth_fed(self, request: Request) -> Response:
+        federated_token, device, connector = request.auth
+
+        policy_result = check_device_policies(device, federated_token.user, request._request)
+        if not policy_result.passing:
+            raise ValidationError(
+                {"policy_result": "Policy denied access", "policy_messages": policy_result.messages}
+            )
+
+        token, exp = agent_auth_issue_token(device, connector, federated_token.user)
+        rel_exp = int((exp - now()).total_seconds())
+        Event.new(
+            EventAction.LOGIN,
+            **{
+                PLAN_CONTEXT_METHOD: "jwt",
+                PLAN_CONTEXT_METHOD_ARGS: {
+                    "jwt": federated_token,
+                    "provider": federated_token.provider,
+                },
+                PLAN_CONTEXT_DEVICE: device,
+            },
+        ).from_http(request, user=federated_token.user)
+        return Response({"token": token, "expires_in": rel_exp})
--- a/authentik/endpoints/connectors/agent/api/enrollment_tokens.py
+++ b/authentik/endpoints/connectors/agent/api/enrollment_tokens.py
@@ -1,9 +1,11 @@
 from drf_spectacular.utils import OpenApiResponse, extend_schema
 from rest_framework.decorators import action
+from rest_framework.fields import CharField
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.viewsets import ModelViewSet

+from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT
 from authentik.core.api.tokens import TokenViewSerializer
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import ModelSerializer
@@ -19,6 +21,11 @@ class EnrollmentTokenSerializer(ModelSerializer):
        source="device_group", read_only=True, required=False
    )

+    def __init__(self, *args, **kwargs) -> None:
+        super().__init__(*args, **kwargs)
+        if SERIALIZER_CONTEXT_BLUEPRINT in self.context:
+            self.fields["key"] = CharField(required=False)
+
    class Meta:
        model = EnrollmentToken
        fields = [
--- a/authentik/endpoints/connectors/agent/auth.py
+++ b/authentik/endpoints/connectors/agent/auth.py
@@ -1,13 +1,28 @@
 from typing import Any

+from django.http import HttpRequest
+from django.utils.timezone import now
+from drf_spectacular.extensions import OpenApiAuthenticationExtension
+from jwt import PyJWTError, decode, encode
 from rest_framework.authentication import BaseAuthentication, get_authorization_header
 from rest_framework.exceptions import PermissionDenied
 from rest_framework.request import Request
+from structlog.stdlib import get_logger

 from authentik.api.authentication import IPCUser, validate_auth
 from authentik.core.middleware import CTX_AUTH_VIA
 from authentik.core.models import User
-from authentik.endpoints.connectors.agent.models import DeviceToken, EnrollmentToken
+from authentik.crypto.apps import MANAGED_KEY
+from authentik.crypto.models import CertificateKeyPair
+from authentik.endpoints.connectors.agent.models import AgentConnector, DeviceToken, EnrollmentToken
+from authentik.endpoints.models import Device
+from authentik.lib.utils.time import timedelta_from_string
+from authentik.policies.engine import PolicyEngine
+from authentik.policies.models import PolicyBindingModel
+from authentik.providers.oauth2.models import AccessToken, JWTAlgorithms, OAuth2Provider
+
+LOGGER = get_logger()
+PLATFORM_ISSUER = "goauthentik.io/platform"


 class DeviceUser(IPCUser):
@@ -40,3 +55,96 @@ class AgentAuth(BaseAuthentication):
            raise PermissionDenied()
        CTX_AUTH_VIA.set("endpoint_token")
        return (DeviceUser(), device_token)
+
+
+def agent_auth_issue_token(device: Device, connector: AgentConnector, user: User, **kwargs):
+    kp = CertificateKeyPair.objects.filter(managed=MANAGED_KEY).first()
+    if not kp:
+        return None, None
+    exp = now() + timedelta_from_string(connector.auth_session_duration)
+    token = encode(
+        {
+            "iss": PLATFORM_ISSUER,
+            "aud": str(device.pk),
+            "iat": int(now().timestamp()),
+            "exp": int(exp.timestamp()),
+            "preferred_username": user.username,
+            **kwargs,
+        },
+        kp.private_key,
+        headers={
+            "kid": kp.kid,
+        },
+        algorithm=JWTAlgorithms.from_private_key(kp.private_key),
+    )
+    return token, exp
+
+
+class DeviceAuthFedAuthentication(BaseAuthentication):
+
+    def authenticate(self, request):
+        raw_token = validate_auth(get_authorization_header(request))
+        if not raw_token:
+            LOGGER.warning("Missing token")
+            return None
+        device = Device.filter_not_expired(name=request.query_params.get("device")).first()
+        if not device:
+            LOGGER.warning("Couldn't find device")
+            return None
+        connectors_for_device = AgentConnector.objects.filter(device__in=[device])
+        connector = connectors_for_device.first()
+        providers = OAuth2Provider.objects.filter(agentconnector__in=connectors_for_device)
+        federated_token = AccessToken.objects.filter(
+            token=raw_token, provider__in=providers
+        ).first()
+        if not federated_token:
+            LOGGER.warning("Couldn't lookup provider")
+            return None
+        _key, _alg = federated_token.provider.jwt_key
+        try:
+            decode(
+                raw_token,
+                _key.public_key(),
+                algorithms=[_alg],
+                options={
+                    "verify_aud": False,
+                },
+            )
+            LOGGER.info(
+                "successfully verified JWT with provider", provider=federated_token.provider.name
+            )
+            return (federated_token.user, (federated_token, device, connector))
+        except (PyJWTError, ValueError, TypeError, AttributeError) as exc:
+            LOGGER.warning("failed to verify JWT", exc=exc, provider=federated_token.provider.name)
+            return None
+
+
+class DeviceFederationAuthSchema(OpenApiAuthenticationExtension):
+    """Auth schema"""
+
+    target_class = DeviceAuthFedAuthentication
+    name = "device_federation"
+
+    def get_security_definition(self, auto_schema):
+        """Auth schema"""
+        return {"type": "http", "scheme": "bearer"}
+
+
+def check_device_policies(device: Device, user: User, request: HttpRequest):
+    """Check policies bound to device group and device"""
+    if device.access_group:
+        result = check_pbm_policies(device.access_group, user, request)
+        if result.passing:
+            return result
+    return check_pbm_policies(device, user, request)
+
+
+def check_pbm_policies(pbm: PolicyBindingModel, user: User, request: HttpRequest):
+    policy_engine = PolicyEngine(pbm, user, request)
+    policy_engine.use_cache = False
+    policy_engine.empty_result = False
+    policy_engine.mode = pbm.policy_engine_mode
+    policy_engine.build()
+    result = policy_engine.result
+    LOGGER.debug("PolicyAccessView user_has_access", user=user.username, result=result, pbm=pbm.pk)
+    return result
--- a/authentik/endpoints/connectors/agent/models.py
+++ b/authentik/endpoints/connectors/agent/models.py
@@ -16,7 +16,7 @@ from authentik.endpoints.models import (
 )
 from authentik.flows.stage import StageView
 from authentik.lib.generators import generate_key
-from authentik.lib.models import SerializerModel
+from authentik.lib.models import InternallyManagedMixin, SerializerModel
 from authentik.lib.utils.time import timedelta_string_validator

 if TYPE_CHECKING:
@@ -97,7 +97,7 @@ class AgentDeviceUserBinding(DeviceUserBinding):
    apple_enclave_key_id = models.TextField()


-class DeviceToken(ExpiringModel):
+class DeviceToken(InternallyManagedMixin, ExpiringModel):
    """Per-device token used for authentication."""

    token_uuid = models.UUIDField(primary_key=True, default=uuid4)
@@ -143,7 +143,7 @@ class EnrollmentToken(ExpiringModel, SerializerModel):
        ]


-class DeviceAuthenticationToken(ExpiringModel):
+class DeviceAuthenticationToken(InternallyManagedMixin, ExpiringModel):

    identifier = models.UUIDField(default=uuid4, primary_key=True)
    device = models.ForeignKey(Device, on_delete=models.CASCADE)
@@ -160,7 +160,7 @@ class DeviceAuthenticationToken(ExpiringModel):
        verbose_name_plural = _("Device authentication tokens")


-class AppleNonce(ExpiringModel):
+class AppleNonce(InternallyManagedMixin, ExpiringModel):
    nonce = models.TextField()
    device_token = models.ForeignKey(DeviceToken, on_delete=models.CASCADE)

--- a/authentik/endpoints/models.py
+++ b/authentik/endpoints/models.py
@@ -15,7 +15,7 @@ from authentik.core.models import AttributesMixin, ExpiringModel
 from authentik.flows.models import Stage
 from authentik.flows.stage import StageView
 from authentik.lib.merge import MERGE_LIST_UNIQUE
-from authentik.lib.models import InheritanceForeignKey, SerializerModel
+from authentik.lib.models import InheritanceForeignKey, InternallyManagedMixin, SerializerModel
 from authentik.lib.utils.time import timedelta_from_string, timedelta_string_validator
 from authentik.policies.models import PolicyBinding, PolicyBindingModel
 from authentik.tasks.schedules.common import ScheduleSpec
@@ -28,7 +28,7 @@ LOGGER = get_logger()
 DEVICE_FACTS_CACHE_TIMEOUT = 3600


-class Device(ExpiringModel, AttributesMixin, PolicyBindingModel):
+class Device(InternallyManagedMixin, ExpiringModel, AttributesMixin, PolicyBindingModel):
    device_uuid = models.UUIDField(default=uuid4, primary_key=True)

    name = models.TextField(unique=True)
@@ -86,7 +86,7 @@ class DeviceUserBinding(PolicyBinding):
        verbose_name_plural = _("Device User bindings")


-class DeviceConnection(SerializerModel):
+class DeviceConnection(InternallyManagedMixin, SerializerModel):
    device_connection_uuid = models.UUIDField(default=uuid4, primary_key=True)
    device = models.ForeignKey("Device", on_delete=models.CASCADE)
    connector = models.ForeignKey("Connector", on_delete=models.CASCADE)
@@ -115,7 +115,7 @@ class DeviceConnection(SerializerModel):
        verbose_name_plural = _("Device connections")


-class DeviceFactSnapshot(ExpiringModel, SerializerModel):
+class DeviceFactSnapshot(InternallyManagedMixin, ExpiringModel, SerializerModel):
    snapshot_id = models.UUIDField(primary_key=True, default=uuid4)
    connection = models.ForeignKey(DeviceConnection, on_delete=models.CASCADE)
    data = models.JSONField(default=dict)
--- a/authentik/enterprise/api.py
+++ b/authentik/enterprise/api.py
@@ -1,6 +1,8 @@
 """Enterprise API Views"""

+from collections.abc import Callable
 from datetime import timedelta
+from functools import wraps

 from django.utils.timezone import now
 from django.utils.translation import gettext as _
@@ -35,6 +37,18 @@ class EnterpriseRequiredMixin:
        return super().validate(attrs)


+def enterprise_action(func: Callable):
+    """Check permissions for a single custom action"""
+
+    @wraps(func)
+    def wrapper(*args, **kwargs) -> Response:
+        if not LicenseKey.cached_summary().status.is_valid:
+            raise ValidationError(_("Enterprise is required to use this endpoint."))
+        return func(*args, **kwargs)
+
+    return wrapper
+
+
 class LicenseSerializer(ModelSerializer):
    """License Serializer"""

--- a/authentik/enterprise/endpoints/connectors/agent/api/connectors.py
+++ b/authentik/enterprise/endpoints/connectors/agent/api/connectors.py
@@ -1,31 +1,20 @@
 from django.urls import reverse
-from django.utils.timezone import now
 from drf_spectacular.types import OpenApiTypes
-from drf_spectacular.utils import OpenApiParameter, OpenApiResponse, extend_schema
+from drf_spectacular.utils import extend_schema
 from rest_framework.decorators import action
-from rest_framework.exceptions import ValidationError
-from rest_framework.permissions import IsAuthenticated
 from rest_framework.request import Request
 from rest_framework.response import Response
 from structlog.stdlib import get_logger

 from authentik.endpoints.connectors.agent.api.agent import (
    AgentAuthenticationResponse,
-    AgentTokenResponseSerializer,
 )
 from authentik.endpoints.connectors.agent.auth import AgentAuth
 from authentik.endpoints.connectors.agent.models import (
    DeviceAuthenticationToken,
    DeviceToken,
 )
-from authentik.enterprise.endpoints.connectors.agent.auth import (
-    DeviceAuthFedAuthentication,
-    agent_auth_issue_token,
-    check_device_policies,
-)
-from authentik.events.models import Event, EventAction
-from authentik.flows.planner import PLAN_CONTEXT_DEVICE
-from authentik.stages.password.stage import PLAN_CONTEXT_METHOD, PLAN_CONTEXT_METHOD_ARGS
+from authentik.enterprise.api import enterprise_action

 LOGGER = get_logger()

@@ -37,6 +26,7 @@ class AgentConnectorViewSetMixin:
        responses=AgentAuthenticationResponse(),
    )
    @action(methods=["POST"], detail=False, authentication_classes=[AgentAuth])
+    @enterprise_action
    def auth_ia(self, request: Request) -> Response:
        token: DeviceToken = request.auth
        auth_token = DeviceAuthenticationToken.objects.create(
@@ -54,43 +44,3 @@ class AgentConnectorViewSetMixin:
                ),
            }
        )
-
-    @extend_schema(
-        request=OpenApiTypes.NONE,
-        parameters=[OpenApiParameter("device", OpenApiTypes.STR, location="query", required=True)],
-        responses={
-            200: AgentTokenResponseSerializer(),
-            404: OpenApiResponse(description="Device not found"),
-        },
-    )
-    @action(
-        methods=["POST"],
-        detail=False,
-        pagination_class=None,
-        filter_backends=[],
-        permission_classes=[IsAuthenticated],
-        authentication_classes=[DeviceAuthFedAuthentication],
-    )
-    def auth_fed(self, request: Request) -> Response:
-        federated_token, device, connector = request.auth
-
-        policy_result = check_device_policies(device, federated_token.user, request._request)
-        if not policy_result.passing:
-            raise ValidationError(
-                {"policy_result": "Policy denied access", "policy_messages": policy_result.messages}
-            )
-
-        token, exp = agent_auth_issue_token(device, connector, federated_token.user)
-        rel_exp = int((exp - now()).total_seconds())
-        Event.new(
-            EventAction.LOGIN,
-            **{
-                PLAN_CONTEXT_METHOD: "jwt",
-                PLAN_CONTEXT_METHOD_ARGS: {
-                    "jwt": federated_token,
-                    "provider": federated_token.provider,
-                },
-                PLAN_CONTEXT_DEVICE: device,
-            },
-        ).from_http(request, user=federated_token.user)
-        return Response({"token": token, "expires_in": rel_exp})
--- a/authentik/enterprise/endpoints/connectors/agent/auth.py
+++ b/authentik/enterprise/endpoints/connectors/agent/auth.py
@@ -1,113 +0,0 @@
-from django.http import HttpRequest
-from django.utils.timezone import now
-from drf_spectacular.extensions import OpenApiAuthenticationExtension
-from jwt import PyJWTError, decode, encode
-from rest_framework.authentication import BaseAuthentication
-from structlog.stdlib import get_logger
-
-from authentik.api.authentication import get_authorization_header, validate_auth
-from authentik.core.models import User
-from authentik.crypto.apps import MANAGED_KEY
-from authentik.crypto.models import CertificateKeyPair
-from authentik.endpoints.connectors.agent.models import AgentConnector
-from authentik.endpoints.models import Device
-from authentik.lib.utils.time import timedelta_from_string
-from authentik.policies.engine import PolicyEngine
-from authentik.policies.models import PolicyBindingModel
-from authentik.providers.oauth2.models import AccessToken, JWTAlgorithms, OAuth2Provider
-
-LOGGER = get_logger()
-PLATFORM_ISSUER = "goauthentik.io/platform"
-
-
-def agent_auth_issue_token(device: Device, connector: AgentConnector, user: User, **kwargs):
-    kp = CertificateKeyPair.objects.filter(managed=MANAGED_KEY).first()
-    if not kp:
-        return None, None
-    exp = now() + timedelta_from_string(connector.auth_session_duration)
-    token = encode(
-        {
-            "iss": PLATFORM_ISSUER,
-            "aud": str(device.pk),
-            "iat": int(now().timestamp()),
-            "exp": int(exp.timestamp()),
-            "preferred_username": user.username,
-            **kwargs,
-        },
-        kp.private_key,
-        headers={
-            "kid": kp.kid,
-        },
-        algorithm=JWTAlgorithms.from_private_key(kp.private_key),
-    )
-    return token, exp
-
-
-class DeviceAuthFedAuthentication(BaseAuthentication):
-
-    def authenticate(self, request):
-        raw_token = validate_auth(get_authorization_header(request))
-        if not raw_token:
-            LOGGER.warning("Missing token")
-            return None
-        device = Device.filter_not_expired(name=request.query_params.get("device")).first()
-        if not device:
-            LOGGER.warning("Couldn't find device")
-            return None
-        connectors_for_device = AgentConnector.objects.filter(device__in=[device])
-        connector = connectors_for_device.first()
-        providers = OAuth2Provider.objects.filter(agentconnector__in=connectors_for_device)
-        federated_token = AccessToken.objects.filter(
-            token=raw_token, provider__in=providers
-        ).first()
-        if not federated_token:
-            LOGGER.warning("Couldn't lookup provider")
-            return None
-        _key, _alg = federated_token.provider.jwt_key
-        try:
-            decode(
-                raw_token,
-                _key.public_key(),
-                algorithms=[_alg],
-                options={
-                    "verify_aud": False,
-                },
-            )
-            LOGGER.info(
-                "successfully verified JWT with provider", provider=federated_token.provider.name
-            )
-            return (federated_token.user, (federated_token, device, connector))
-        except (PyJWTError, ValueError, TypeError, AttributeError) as exc:
-            LOGGER.warning("failed to verify JWT", exc=exc, provider=federated_token.provider.name)
-            return None
-
-
-class DeviceFederationAuthSchema(OpenApiAuthenticationExtension):
-    """Auth schema"""
-
-    target_class = DeviceAuthFedAuthentication
-    name = "device_federation"
-
-    def get_security_definition(self, auto_schema):
-        """Auth schema"""
-        return {"type": "http", "scheme": "bearer"}
-
-
-def check_device_policies(device: Device, user: User, request: HttpRequest):
-    """Check policies bound to device group and device"""
-    if device.access_group:
-        result = check_pbm_policies(device.access_group, user, request)
-        if result.passing:
-            return result
-    return check_pbm_policies(device, user, request)
-
-
-def check_pbm_policies(pbm: PolicyBindingModel, user: User, request: HttpRequest):
-    policy_engine = PolicyEngine(pbm, user, request)
-    policy_engine.use_cache = False
-    policy_engine.empty_result = False
-    policy_engine.mode = pbm.policy_engine_mode
-    policy_engine.build()
-    result = policy_engine.result
-    LOGGER.debug("PolicyAccessView user_has_access", user=user.username, result=result, pbm=pbm.pk)
-    return result
--- a/authentik/enterprise/endpoints/connectors/agent/tests/test_connector_auth_ia.py
+++ b/authentik/enterprise/endpoints/connectors/agent/tests/test_connector_auth_ia.py
@@ -63,8 +63,21 @@ class TestConnectorAuthIA(FlowTestCase):
        )
        self.assertEqual(response.status_code, 200)

+    @patch(
+        "authentik.enterprise.license.LicenseKey.validate",
+        MagicMock(
+            return_value=LicenseKey(
+                aud="",
+                exp=expiry_valid,
+                name=generate_id(),
+                internal_users=100,
+                external_users=100,
+            )
+        ),
+    )
    @reconcile_app("authentik_crypto")
    def test_auth_ia_fulfill(self):
+        License.objects.create(key=generate_id())
        self.client.force_login(self.user)
        response = self.client.post(
            reverse("authentik_api:agentconnector-auth-ia"),
--- a/authentik/enterprise/endpoints/connectors/agent/views/auth_interactive.py
+++ b/authentik/enterprise/endpoints/connectors/agent/views/auth_interactive.py
@@ -3,12 +3,12 @@ from hmac import compare_digest

 from django.http import Http404, HttpRequest, HttpResponse, HttpResponseBadRequest, QueryDict

-from authentik.endpoints.connectors.agent.models import AgentConnector, DeviceAuthenticationToken
-from authentik.endpoints.models import Device
-from authentik.enterprise.endpoints.connectors.agent.auth import (
+from authentik.endpoints.connectors.agent.auth import (
    agent_auth_issue_token,
    check_device_policies,
 )
+from authentik.endpoints.connectors.agent.models import AgentConnector, DeviceAuthenticationToken
+from authentik.endpoints.models import Device
 from authentik.enterprise.policy import EnterprisePolicyAccessView
 from authentik.flows.exceptions import FlowNonApplicableException
 from authentik.flows.models import in_memory_stage
--- a/authentik/enterprise/models.py
+++ b/authentik/enterprise/models.py
@@ -11,7 +11,7 @@ from django.utils.translation import gettext as _
 from rest_framework.serializers import BaseSerializer

 from authentik.core.models import ExpiringModel
-from authentik.lib.models import SerializerModel
+from authentik.lib.models import InternallyManagedMixin, SerializerModel

 if TYPE_CHECKING:
    from authentik.enterprise.license import LicenseKey
@@ -81,7 +81,7 @@ class LicenseUsageStatus(models.TextChoices):
        return self in [LicenseUsageStatus.VALID, LicenseUsageStatus.EXPIRY_SOON]


-class LicenseUsage(ExpiringModel):
+class LicenseUsage(InternallyManagedMixin, ExpiringModel):
    """a single license usage record"""

    expires = models.DateTimeField(default=usage_expiry)
--- a/authentik/enterprise/providers/google_workspace/models.py
+++ b/authentik/enterprise/providers/google_workspace/models.py
@@ -18,7 +18,7 @@ from authentik.core.models import (
    User,
    UserTypes,
 )
-from authentik.lib.models import SerializerModel
+from authentik.lib.models import InternallyManagedMixin, SerializerModel
 from authentik.lib.sync.outgoing.base import BaseOutgoingSyncClient
 from authentik.lib.sync.outgoing.models import OutgoingSyncDeleteAction, OutgoingSyncProvider

@@ -32,7 +32,7 @@ def default_scopes() -> list[str]:
    ]


-class GoogleWorkspaceProviderUser(SerializerModel):
+class GoogleWorkspaceProviderUser(InternallyManagedMixin, SerializerModel):
    """Mapping of a user and provider to a Google user ID"""

    id = models.UUIDField(primary_key=True, editable=False, default=uuid4)
@@ -58,7 +58,7 @@ class GoogleWorkspaceProviderUser(SerializerModel):
        return f"Google Workspace Provider User {self.user_id} to {self.provider_id}"


-class GoogleWorkspaceProviderGroup(SerializerModel):
+class GoogleWorkspaceProviderGroup(InternallyManagedMixin, SerializerModel):
    """Mapping of a group and provider to a Google group ID"""

    id = models.UUIDField(primary_key=True, editable=False, default=uuid4)
--- a/authentik/enterprise/providers/microsoft_entra/models.py
+++ b/authentik/enterprise/providers/microsoft_entra/models.py
@@ -18,12 +18,12 @@ from authentik.core.models import (
    User,
    UserTypes,
 )
-from authentik.lib.models import SerializerModel
+from authentik.lib.models import InternallyManagedMixin, SerializerModel
 from authentik.lib.sync.outgoing.base import BaseOutgoingSyncClient
 from authentik.lib.sync.outgoing.models import OutgoingSyncDeleteAction, OutgoingSyncProvider


-class MicrosoftEntraProviderUser(SerializerModel):
+class MicrosoftEntraProviderUser(InternallyManagedMixin, SerializerModel):
    """Mapping of a user and provider to a Microsoft user ID"""

    id = models.UUIDField(primary_key=True, editable=False, default=uuid4)
@@ -49,7 +49,7 @@ class MicrosoftEntraProviderUser(SerializerModel):
        return f"Microsoft Entra Provider User {self.user_id} to {self.provider_id}"


-class MicrosoftEntraProviderGroup(SerializerModel):
+class MicrosoftEntraProviderGroup(InternallyManagedMixin, SerializerModel):
    """Mapping of a group and provider to a Microsoft group ID"""

    id = models.UUIDField(primary_key=True, editable=False, default=uuid4)
--- a/authentik/enterprise/providers/ssf/models.py
+++ b/authentik/enterprise/providers/ssf/models.py
@@ -14,7 +14,7 @@ from jwt import encode

 from authentik.core.models import BackchannelProvider, ExpiringModel, Token
 from authentik.crypto.models import CertificateKeyPair
-from authentik.lib.models import CreatedUpdatedModel
+from authentik.lib.models import CreatedUpdatedModel, InternallyManagedMixin
 from authentik.lib.utils.time import timedelta_from_string, timedelta_string_validator
 from authentik.providers.oauth2.models import JWTAlgorithms, OAuth2Provider
 from authentik.tasks.models import TasksModel
@@ -153,7 +153,7 @@ class Stream(models.Model):
        return encode(data, key, algorithm=alg, headers=headers)


-class StreamEvent(CreatedUpdatedModel, ExpiringModel):
+class StreamEvent(InternallyManagedMixin, CreatedUpdatedModel, ExpiringModel):
    """Single stream event to be sent"""

    uuid = models.UUIDField(default=uuid4, primary_key=True, editable=False)
--- a/authentik/enterprise/reports/api/reports.py
+++ b/authentik/enterprise/reports/api/reports.py
@@ -4,37 +4,35 @@ from django.urls import reverse
 from drf_spectacular.utils import extend_schema
 from rest_framework import mixins
 from rest_framework.decorators import action
-from rest_framework.fields import CharField
+from rest_framework.fields import CharField, SerializerMethodField
 from rest_framework.permissions import BasePermission
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.viewsets import GenericViewSet

+from authentik.core.api.groups import PartialUserSerializer
 from authentik.core.api.utils import ModelSerializer
-from authentik.core.models import User
 from authentik.enterprise.api import EnterpriseRequiredMixin
 from authentik.enterprise.reports.models import DataExport
 from authentik.enterprise.reports.tasks import generate_export
 from authentik.rbac.permissions import HasPermission


-class RequestedBySerializer(ModelSerializer):
-    class Meta:
-        model = User
-        fields = ("pk", "username")
-
-
 class ContentTypeSerializer(ModelSerializer):
    app_label = CharField(read_only=True)
    model = CharField(read_only=True)
+    verbose_name_plural = SerializerMethodField()
+
+    def get_verbose_name_plural(self, ct: ContentType) -> str:
+        return ct.model_class()._meta.verbose_name_plural

    class Meta:
        model = ContentType
-        fields = ("id", "app_label", "model")
+        fields = ("id", "app_label", "model", "verbose_name_plural")


 class DataExportSerializer(EnterpriseRequiredMixin, ModelSerializer):
-    requested_by = RequestedBySerializer(read_only=True)
+    requested_by = PartialUserSerializer(read_only=True)
    content_type = ContentTypeSerializer(read_only=True)

    class Meta:
--- a/authentik/enterprise/search/fields.py
+++ b/authentik/enterprise/search/fields.py
@@ -7,6 +7,7 @@ from django.db import connection
 from django.db.models import Model, Q
 from djangoql.compat import text_type
 from djangoql.schema import StrField
+from djangoql.serializers import DjangoQLSchemaSerializer


 class JSONSearchField(StrField):
@@ -14,10 +15,18 @@ class JSONSearchField(StrField):

    model: Model

-    def __init__(self, model=None, name=None, nullable=None, suggest_nested=True):
+    def __init__(
+        self,
+        model=None,
+        name=None,
+        nullable=None,
+        suggest_nested=False,
+        fixed_structure: OrderedDict | None = None,
+    ):
        # Set this in the constructor to not clobber the type variable
        self.type = "relation"
        self.suggest_nested = suggest_nested
+        self.fixed_structure = fixed_structure
        super().__init__(model, name, nullable)

    def get_lookup(self, path, operator, value):
@@ -57,11 +66,23 @@ class JSONSearchField(StrField):
            )
            return (x[0] for x in cursor.fetchall())

-    def get_nested_options(self) -> OrderedDict:
+    def get_fixed_structure(self, serializer: DjangoQLSchemaSerializer) -> OrderedDict:
+        new_dict = OrderedDict()
+        if not self.fixed_structure:
+            return new_dict
+        new_dict.setdefault(self.relation(), {})
+        for key, value in self.fixed_structure.items():
+            new_dict[self.relation()][key] = serializer.serialize_field(value)
+            if isinstance(value, JSONSearchField):
+                new_dict.update(value.get_nested_options(serializer))
+        return new_dict
+
+    def get_nested_options(self, serializer: DjangoQLSchemaSerializer) -> OrderedDict:
        """Get keys of all nested objects to show autocomplete"""
        if not self.suggest_nested:
+            if self.fixed_structure:
+                return self.get_fixed_structure(serializer)
            return OrderedDict()
-        base_model_name = f"{self.model._meta.app_label}.{self.model._meta.model_name}_{self.name}"

        def recursive_function(parts: list[str], parent_parts: list[str] | None = None):
            if not parent_parts:
@@ -87,7 +108,7 @@ class JSONSearchField(StrField):
        relation_structure = defaultdict(dict)

        for relations in self.json_field_keys():
-            result = recursive_function([base_model_name] + relations)
+            result = recursive_function([self.relation()] + relations)
            for relation_key, value in result.items():
                for sub_relation_key, sub_value in value.items():
                    if not relation_structure[relation_key].get(sub_relation_key, None):
--- a/authentik/enterprise/search/schema.py
+++ b/authentik/enterprise/search/schema.py
@@ -12,7 +12,7 @@ class AKQLSchemaSerializer(DjangoQLSchemaSerializer):
            for _, field in fields.items():
                if not isinstance(field, JSONSearchField):
                    continue
-                serialization["models"].update(field.get_nested_options())
+                serialization["models"].update(field.get_nested_options(self))
        return serialization

    def serialize_field(self, field):
--- a/authentik/enterprise/stages/authenticator_endpoint_gdtc/models.py
+++ b/authentik/enterprise/stages/authenticator_endpoint_gdtc/models.py
@@ -11,7 +11,7 @@ from rest_framework.serializers import BaseSerializer, Serializer
 from authentik.core.types import UserSettingSerializer
 from authentik.flows.models import ConfigurableStage, FriendlyNamedStage, Stage
 from authentik.flows.stage import StageView
-from authentik.lib.models import DeprecatedMixin, SerializerModel
+from authentik.lib.models import DeprecatedMixin, InternallyManagedMixin, SerializerModel
 from authentik.stages.authenticator.models import Device


@@ -63,7 +63,7 @@ class AuthenticatorEndpointGDTCStage(DeprecatedMixin, ConfigurableStage, Friendl
        verbose_name_plural = _("Endpoint Authenticator Google Device Trust Connector Stages")


-class EndpointDevice(SerializerModel, Device):
+class EndpointDevice(InternallyManagedMixin, SerializerModel, Device):
    """Endpoint Device for a single user"""

    uuid = models.UUIDField(primary_key=True, default=uuid4)
@@ -91,7 +91,7 @@ class EndpointDevice(SerializerModel, Device):
        verbose_name_plural = _("Endpoint Devices")


-class EndpointDeviceConnection(models.Model):
+class EndpointDeviceConnection(InternallyManagedMixin, models.Model):
    device = models.ForeignKey(EndpointDevice, on_delete=models.CASCADE)
    stage = models.ForeignKey(AuthenticatorEndpointGDTCStage, on_delete=models.CASCADE)

--- a/authentik/events/api/events.py
+++ b/authentik/events/api/events.py
@@ -1,5 +1,6 @@
 """Events API Views"""

+from collections import OrderedDict
 from datetime import timedelta

 import django_filters
@@ -136,7 +137,7 @@ class EventViewSet(
    filterset_class = EventsFilter

    def get_ql_fields(self):
-        from djangoql.schema import DateTimeField, StrField
+        from djangoql.schema import DateTimeField, IntField, StrField

        from authentik.enterprise.search.fields import ChoiceSearchField, JSONSearchField

@@ -145,9 +146,42 @@ class EventViewSet(
            StrField(Event, "event_uuid"),
            StrField(Event, "app", suggest_options=True),
            StrField(Event, "client_ip"),
-            JSONSearchField(Event, "user", suggest_nested=False),
-            JSONSearchField(Event, "brand", suggest_nested=False),
-            JSONSearchField(Event, "context", suggest_nested=False),
+            JSONSearchField(
+                Event,
+                "user",
+                fixed_structure=OrderedDict(
+                    pk=IntField(),
+                    username=StrField(),
+                    email=StrField(),
+                ),
+            ),
+            JSONSearchField(
+                Event,
+                "brand",
+                fixed_structure=OrderedDict(
+                    pk=StrField(),
+                    app=StrField(),
+                    name=StrField(),
+                    model_name=StrField(),
+                ),
+            ),
+            JSONSearchField(
+                Event,
+                "context",
+                fixed_structure=OrderedDict(
+                    http_request=JSONSearchField(
+                        Event,
+                        "context_http_request",
+                        fixed_structure=OrderedDict(
+                            args=JSONSearchField(Event, "context_http_request_args"),
+                            path=StrField(),
+                            method=StrField(),
+                            request_id=StrField(),
+                            user_agent=StrField(),
+                        ),
+                    ),
+                ),
+            ),
            DateTimeField(Event, "created", suggest_options=True),
        ]

--- a/authentik/events/logs.py
+++ b/authentik/events/logs.py
@@ -7,7 +7,7 @@ from typing import Any
 from django.utils.timezone import now
 from rest_framework.fields import CharField, ChoiceField, DateTimeField, DictField
 from structlog import configure, get_config
-from structlog.stdlib import NAME_TO_LEVEL, ProcessorFormatter
+from structlog.stdlib import NAME_TO_LEVEL, ProcessorFormatter, get_logger
 from structlog.testing import LogCapture
 from structlog.types import EventDict

@@ -36,6 +36,9 @@ class LogEvent:
            event, log_level, item.pop("logger"), timestamp, attributes=sanitize_dict(item)
        )

+    def log(self):
+        get_logger(self.logger).log(NAME_TO_LEVEL[self.log_level], self.event, **self.attributes)
+

 class LogEventSerializer(PassiveSerializer):
    """Single log message with all context logged."""
--- a/authentik/events/middleware.py
+++ b/authentik/events/middleware.py
@@ -19,6 +19,7 @@ from authentik.blueprints.v1.importer import excluded_models
 from authentik.core.models import Group, User
 from authentik.events.models import Event, EventAction, Notification
 from authentik.events.utils import model_to_dict
+from authentik.lib.models import InternallyManagedMixin
 from authentik.lib.sentry import should_ignore_exception
 from authentik.lib.utils.errors import exception_to_dict
 from authentik.stages.authenticator_static.models import StaticToken
@@ -40,7 +41,7 @@ _CTX_REQUEST = ContextVar[HttpRequest | None]("authentik_events_log_request", de

 def should_log_model(model: Model) -> bool:
    """Return true if operation on `model` should be logged"""
-    return model.__class__ not in IGNORED_MODELS
+    return model.__class__ not in IGNORED_MODELS and not isinstance(model, InternallyManagedMixin)


 def should_log_m2m(model: Model) -> bool:
--- a/authentik/events/models.py
+++ b/authentik/events/models.py
@@ -8,6 +8,8 @@ from inspect import currentframe
 from typing import Any
 from uuid import uuid4

+from asgiref.sync import async_to_sync
+from channels.layers import get_channel_layer
 from django.apps import apps
 from django.db import models
 from django.http import HttpRequest
@@ -41,6 +43,7 @@ from authentik.lib.utils.http import get_http_session
 from authentik.lib.utils.time import timedelta_from_string
 from authentik.policies.models import PolicyBindingModel
 from authentik.root.middleware import ClientIPMiddleware
+from authentik.root.ws.consumer import build_user_group
 from authentik.stages.email.models import EmailTemplates
 from authentik.stages.email.utils import TemplateEmailMessage
 from authentik.tasks.models import TasksModel
@@ -361,6 +364,15 @@ class NotificationTransport(TasksModel, SerializerModel):
                notification=notification,
            )
        notification.save()
+        layer = get_channel_layer()
+        async_to_sync(layer.group_send)(
+            build_user_group(notification.user),
+            {
+                "type": "event.notification",
+                "id": str(notification.pk),
+                "data": notification.serializer(notification).data,
+            },
+        )
        return []

    def send_webhook(self, notification: "Notification") -> list[str]:
--- a/authentik/flows/auth.py
+++ b/authentik/flows/auth.py
@@ -0,0 +1,18 @@
+from typing import cast
+
+from django.contrib.auth.models import AnonymousUser
+from rest_framework.authentication import BaseAuthentication
+from rest_framework.request import Request
+
+from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlan
+from authentik.flows.views.executor import SESSION_KEY_PLAN
+
+
+class FlowActive(BaseAuthentication):
+    """Authenticate requests when a flow is currently active"""
+
+    def authenticate(self, request: Request):
+        plan = cast(FlowPlan | None, request.session.get(SESSION_KEY_PLAN))
+        if not plan:
+            return None
+        return (plan.context.get(PLAN_CONTEXT_PENDING_USER, AnonymousUser()), plan)
--- a/authentik/flows/models.py
+++ b/authentik/flows/models.py
@@ -20,7 +20,7 @@ from authentik.core.models import Token
 from authentik.core.types import UserSettingSerializer
 from authentik.flows.challenge import FlowLayout
 from authentik.lib.config import CONFIG
-from authentik.lib.models import InheritanceForeignKey, SerializerModel
+from authentik.lib.models import InheritanceForeignKey, InternallyManagedMixin, SerializerModel
 from authentik.lib.utils.reflection import class_to_path
 from authentik.policies.models import PolicyBindingModel

@@ -301,7 +301,7 @@ class FriendlyNamedStage(models.Model):
        abstract = True


-class FlowToken(Token):
+class FlowToken(InternallyManagedMixin, Token):
    """Subclass of a standard Token, stores the currently active flow plan upon creation.
    Can be used to later resume a flow."""

--- a/authentik/flows/tests/init.py
+++ b/authentik/flows/tests/init.py
@@ -48,6 +48,9 @@ class FlowTestCase(APITestCase):
            self.assertEqual(raw_response[key], expected)
        return raw_response

+    def get_flow_plan(self) -> FlowPlan | None:
+        return self.client.session.get(SESSION_KEY_PLAN)
+
    def assertStageRedirects(self, response: HttpResponse, to: str) -> dict[str, Any]:
        """Wrapper around assertStageResponse that checks for a redirect"""
        return self.assertStageResponse(response, component="xak-flow-redirect", to=to)
--- a/authentik/flows/views/executor.py
+++ b/authentik/flows/views/executor.py
@@ -147,6 +147,8 @@ class FlowExecutorView(APIView):
                token.delete()
        if not isinstance(plan, FlowPlan):
            return None
+        if existing_plan := self.request.session.get(SESSION_KEY_PLAN):
+            plan.context.update(existing_plan.context)
        plan.context[PLAN_CONTEXT_IS_RESTORED] = token
        self._logger.debug("f(exec): restored flow plan from token", plan=plan)
        return plan
--- a/authentik/lib/logging.py
+++ b/authentik/lib/logging.py
@@ -111,6 +111,7 @@ def get_logger_config():
        "hpack": "WARNING",
        "httpx": "WARNING",
        "azure": "WARNING",
+        "httpcore": "WARNING",
    }
    for handler_name, level in handler_level_map.items():
        base_config["loggers"][handler_name] = {
--- a/authentik/lib/models.py
+++ b/authentik/lib/models.py
@@ -64,6 +64,10 @@ class DeprecatedMixin:
    """Mixin for classes that are deprecated"""


+class InternallyManagedMixin:
+    """Mixin for models that should _not_ be manageable via blueprint."""
+
+
 class DomainlessURLValidator(URLValidator):
    """Subclass of URLValidator which doesn't check the domain
    (to allow hostnames without domain)"""
--- a/authentik/lib/sync/outgoing/exceptions.py
+++ b/authentik/lib/sync/outgoing/exceptions.py
@@ -1,25 +1,61 @@
+from json import JSONDecodeError
+
 from authentik.lib.sentry import SentryIgnoredException


 class BaseSyncException(SentryIgnoredException):
    """Base class for all sync exceptions"""

+    error_prefix = "Sync error"
+    error_default = "Error communicating with remote system"
+
+    def __init__(self, response=None):
+        super().__init__()
+        self.response = response
+
+    def __str__(self):
+        if self.response is not None:
+            if hasattr(self.response, "json"):
+                try:
+                    return f"{self.error_prefix}: {self.response.json()}"
+                except JSONDecodeError:
+                    pass
+            if hasattr(self.response, "text"):
+                return f"{self.error_prefix}: {self.response.text}"
+            return f"{self.error_prefix}: {self.response}"
+        return self.error_default
+
+    def __repr__(self):
+        return self.__str__()
+

 class TransientSyncException(BaseSyncException):
    """Transient sync exception which may be caused by network blips, etc"""

+    error_prefix = "Network error"
+    error_default = "Network error communicating with remote system"
+

 class NotFoundSyncException(BaseSyncException):
    """Exception when an object was not found in the remote system"""

+    error_prefix = "Object not found"
+    error_default = "Object not found in remote system"
+

 class ObjectExistsSyncException(BaseSyncException):
    """Exception when an object already exists in the remote system"""

+    error_prefix = "Object exists"
+    error_default = "Object exists in remote system"
+

 class BadRequestSyncException(BaseSyncException):
    """Exception when invalid data was sent to the remote system"""

+    error_prefix = "Bad request"
+    error_default = "Bad request to remote system"
+

 class DryRunRejected(BaseSyncException):
    """When dry_run is enabled and a provider dropped a mutating request"""
--- a/authentik/lib/sync/outgoing/models.py
+++ b/authentik/lib/sync/outgoing/models.py
@@ -84,7 +84,7 @@ class OutgoingSyncProvider(ScheduledModel, Model):
        raise NotImplementedError

    def sync_dispatch(self) -> None:
-        for schedule in self.schedules:
+        for schedule in self.schedules.all():
            schedule.send()

    @property
--- a/authentik/lib/utils/db.py
+++ b/authentik/lib/utils/db.py
@@ -1,16 +1,17 @@
 """authentik database utilities"""

 import gc
+from collections.abc import Generator

 from django.db import reset_queries
-from django.db.models import QuerySet
+from django.db.models import Model, QuerySet


-def chunked_queryset(queryset: QuerySet, chunk_size: int = 1_000):
+def chunked_queryset[T: Model](queryset: QuerySet[T], chunk_size: int = 1_000) -> Generator[T]:
    if not queryset.exists():
        return []

-    def get_chunks(qs: QuerySet):
+    def get_chunks(qs: QuerySet) -> Generator[QuerySet[T]]:
        qs = qs.order_by("pk")
        pks = qs.values_list("pk", flat=True)
        start_pk = pks[0]
--- a/authentik/outposts/models.py
+++ b/authentik/outposts/models.py
@@ -86,7 +86,7 @@ class OutpostConfig:
 class OutpostModel(Model):
    """Base model for providers that need more objects than just themselves"""

-    def get_required_objects(self) -> Iterable[models.Model | str]:
+    def get_required_objects(self) -> Iterable[models.Model | str | tuple[str, models.Model]]:
        """Return a list of all required objects"""
        return [self]

@@ -332,41 +332,35 @@ class Outpost(ScheduledModel, SerializerModel, ManagedModel):
        """Create per-object and global permissions for outpost service-account"""
        # To ensure the user only has the correct permissions, we delete all of them and re-add
        # the ones the user needs
-        with transaction.atomic():
-            user.remove_all_perms_from_managed_role()
-            for model_or_perm in self.get_required_objects():
-                if isinstance(model_or_perm, models.Model):
-                    model_or_perm: models.Model
-                    code_name = (
-                        f"{model_or_perm._meta.app_label}.view_{model_or_perm._meta.model_name}"
-                    )
-                    try:
-                        user.assign_perms_to_managed_role(code_name, model_or_perm)
-                    except (Permission.DoesNotExist, AttributeError) as exc:
-                        LOGGER.warning(
-                            "permission doesn't exist",
-                            code_name=code_name,
-                            user=user,
-                            model=model_or_perm,
+        try:
+            with transaction.atomic():
+                user.remove_all_perms_from_managed_role()
+                for model_or_perm in self.get_required_objects():
+                    if isinstance(model_or_perm, models.Model):
+                        code_name = (
+                            f"{model_or_perm._meta.app_label}.view_{model_or_perm._meta.model_name}"
                        )
-                        Event.new(
-                            action=EventAction.SYSTEM_EXCEPTION,
-                            message=(
-                                "While setting the permissions for the service-account, a "
-                                "permission was not found: Check "
-                                "https://docs.goauthentik.io/troubleshooting/missing_permission"
-                            ),
-                        ).with_exception(exc).set_user(user).save()
-                else:
-                    app_label, perm = model_or_perm.split(".")
-                    permission = Permission.objects.filter(
-                        codename=perm,
-                        content_type__app_label=app_label,
-                    )
-                    if not permission.exists():
-                        LOGGER.warning("permission doesn't exist", perm=model_or_perm)
-                        continue
-                    user.assign_perms_to_managed_role(permission.first())
+                        user.assign_perms_to_managed_role(code_name, model_or_perm)
+                    elif isinstance(model_or_perm, tuple):
+                        perm, obj = model_or_perm
+                        user.assign_perms_to_managed_role(perm, obj)
+                    else:
+                        user.assign_perms_to_managed_role(model_or_perm)
+        except (Permission.DoesNotExist, AttributeError) as exc:
+            LOGGER.warning(
+                "permission doesn't exist",
+                code_name=code_name,
+                user=user,
+                model=model_or_perm,
+            )
+            Event.new(
+                action=EventAction.SYSTEM_EXCEPTION,
+                message=(
+                    "While setting the permissions for the service-account, a "
+                    "permission was not found: Check "
+                    "https://docs.goauthentik.io/troubleshooting/missing_permission"
+                ),
+            ).with_exception(exc).set_user(user).save()
        LOGGER.debug(
            "Updated service account's permissions",
            obj_perms=user.get_all_obj_perms_on_managed_role(),
@@ -431,7 +425,7 @@ class Outpost(ScheduledModel, SerializerModel, ManagedModel):
            Token.objects.filter(identifier=self.token_identifier).delete()
            return self.token

-    def get_required_objects(self) -> Iterable[models.Model | str]:
+    def get_required_objects(self) -> Iterable[models.Model | str | tuple[str, models.Model]]:
        """Get an iterator of all objects the user needs read access to"""
        objects: list[models.Model | str] = [
            self,
@@ -445,7 +439,9 @@ class Outpost(ScheduledModel, SerializerModel, ManagedModel):
        if self.managed:
            for brand in Brand.objects.filter(web_certificate__isnull=False):
                objects.append(brand)
-                objects.append(brand.web_certificate)
+                objects.append(("view_certificatekeypair", brand.web_certificate))
+                objects.append(("view_certificatekeypair_certificate", brand.web_certificate))
+                objects.append(("view_certificatekeypair_key", brand.web_certificate))
        return objects

    def __str__(self) -> str:
--- a/authentik/outposts/tests/test_sa.py
+++ b/authentik/outposts/tests/test_sa.py
@@ -51,10 +51,12 @@ class OutpostTests(TestCase):
        permissions = outpost.user.get_all_obj_perms_on_managed_role().order_by(
            "content_type__model"
        )
-        self.assertEqual(len(permissions), 3)
+        self.assertEqual(len(permissions), 5)
        self.assertEqual(permissions[0].object_pk, str(keypair.pk))
-        self.assertEqual(permissions[1].object_pk, str(outpost.pk))
-        self.assertEqual(permissions[2].object_pk, str(provider.pk))
+        self.assertEqual(permissions[1].object_pk, str(keypair.pk))
+        self.assertEqual(permissions[2].object_pk, str(keypair.pk))
+        self.assertEqual(permissions[3].object_pk, str(outpost.pk))
+        self.assertEqual(permissions[4].object_pk, str(provider.pk))

        # Remove provider from outpost, user should only have access to outpost
        outpost.providers.remove(provider)
--- a/authentik/policies/event_matcher/models.py
+++ b/authentik/policies/event_matcher/models.py
@@ -9,6 +9,7 @@ from rest_framework.serializers import BaseSerializer
 from structlog.stdlib import get_logger

 from authentik.blueprints.v1.importer import is_model_allowed
+from authentik.blueprints.v1.meta.registry import BaseMetaModel
 from authentik.events.models import Event, EventAction
 from authentik.policies.models import Policy
 from authentik.policies.types import PolicyRequest, PolicyResult
@@ -31,7 +32,7 @@ def model_choices() -> list[tuple[str, str]]:
    Returns a list of tuples containing (dotted.model.path, name)"""
    choices = []
    for model in apps.get_models():
-        if not is_model_allowed(model):
+        if not is_model_allowed(model) or issubclass(model, BaseMetaModel):
            continue
        name = f"{model._meta.app_label}.{model._meta.model_name}"
        choices.append((name, model._meta.verbose_name))
--- a/authentik/policies/reputation/models.py
+++ b/authentik/policies/reputation/models.py
@@ -14,7 +14,7 @@ from structlog import get_logger

 from authentik.core.models import ExpiringModel
 from authentik.lib.config import CONFIG
-from authentik.lib.models import SerializerModel
+from authentik.lib.models import InternallyManagedMixin, SerializerModel
 from authentik.policies.models import Policy
 from authentik.policies.types import PolicyRequest, PolicyResult
 from authentik.root.middleware import ClientIPMiddleware
@@ -69,7 +69,7 @@ class ReputationPolicy(Policy):
        verbose_name_plural = _("Reputation Policies")


-class Reputation(ExpiringModel, SerializerModel):
+class Reputation(InternallyManagedMixin, ExpiringModel, SerializerModel):
    """Reputation for user and or IP."""

    objects = PostgresManager()
--- a/authentik/providers/ldap/models.py
+++ b/authentik/providers/ldap/models.py
@@ -93,11 +93,13 @@ class LDAPProvider(OutpostModel, BackchannelProvider):
    def __str__(self):
        return f"LDAP Provider {self.name}"

-    def get_required_objects(self) -> Iterable[models.Model | str]:
-        required_models = [self, "authentik_core.view_user", "authentik_core.view_group"]
+    def get_required_objects(self) -> Iterable[models.Model | str | tuple[str, models.Model]]:
+        required = [self, "authentik_core.view_user", "authentik_core.view_group"]
        if self.certificate is not None:
-            required_models.append(self.certificate)
-        return required_models
+            required.append(("view_certificatekeypair", self.certificate))
+            required.append(("view_certificatekeypair_certificate", self.certificate))
+            required.append(("view_certificatekeypair_key", self.certificate))
+        return required

    class Meta:
        verbose_name = _("LDAP Provider")
--- a/authentik/providers/oauth2/models.py
+++ b/authentik/providers/oauth2/models.py
@@ -42,7 +42,7 @@ from authentik.core.models import (
 )
 from authentik.crypto.models import CertificateKeyPair
 from authentik.lib.generators import generate_code_fixed_length, generate_id, generate_key
-from authentik.lib.models import DomainlessURLValidator, SerializerModel
+from authentik.lib.models import DomainlessURLValidator, InternallyManagedMixin, SerializerModel
 from authentik.lib.utils.time import timedelta_string_validator
 from authentik.providers.oauth2.constants import SubModes
 from authentik.sources.oauth.models import OAuthSource
@@ -462,7 +462,7 @@ class BaseGrantModel(models.Model):
        self._scope = " ".join(value)


-class AuthorizationCode(SerializerModel, ExpiringModel, BaseGrantModel):
+class AuthorizationCode(InternallyManagedMixin, SerializerModel, ExpiringModel, BaseGrantModel):
    """OAuth2 Authorization Code"""

    code = models.CharField(max_length=255, unique=True, verbose_name=_("Code"))
@@ -497,7 +497,7 @@ class AuthorizationCode(SerializerModel, ExpiringModel, BaseGrantModel):
        )


-class AccessToken(SerializerModel, ExpiringModel, BaseGrantModel):
+class AccessToken(InternallyManagedMixin, SerializerModel, ExpiringModel, BaseGrantModel):
    """OAuth2 access token, non-opaque using a JWT as identifier"""

    token = models.TextField()
@@ -545,7 +545,7 @@ class AccessToken(SerializerModel, ExpiringModel, BaseGrantModel):
        return TokenModelSerializer


-class RefreshToken(SerializerModel, ExpiringModel, BaseGrantModel):
+class RefreshToken(InternallyManagedMixin, SerializerModel, ExpiringModel, BaseGrantModel):
    """OAuth2 Refresh Token, opaque"""

    token = models.TextField(default=generate_client_secret)
@@ -585,7 +585,7 @@ class RefreshToken(SerializerModel, ExpiringModel, BaseGrantModel):
        return TokenModelSerializer


-class DeviceToken(ExpiringModel):
+class DeviceToken(InternallyManagedMixin, ExpiringModel):
    """Temporary device token for OAuth device flow"""

    user = models.ForeignKey(
--- a/authentik/providers/proxy/models.py
+++ b/authentik/providers/proxy/models.py
@@ -13,7 +13,7 @@ from rest_framework.serializers import Serializer

 from authentik.core.models import ExpiringModel
 from authentik.crypto.models import CertificateKeyPair
-from authentik.lib.models import DomainlessURLValidator
+from authentik.lib.models import DomainlessURLValidator, InternallyManagedMixin
 from authentik.outposts.models import OutpostModel
 from authentik.providers.oauth2.models import (
    ClientTypes,
@@ -27,7 +27,7 @@ SCOPE_AK_PROXY = "ak_proxy"
 OUTPOST_CALLBACK_SIGNATURE = "X-authentik-auth-callback"


-class ProxySession(ExpiringModel):
+class ProxySession(InternallyManagedMixin, ExpiringModel):
    """Session storage for proxyv2 outposts using PostgreSQL"""

    uuid = models.UUIDField(default=uuid4, primary_key=True)
@@ -179,11 +179,13 @@ class ProxyProvider(OutpostModel, OAuth2Provider):
    def __str__(self):
        return f"Proxy Provider {self.name}"

-    def get_required_objects(self) -> Iterable[models.Model | str]:
-        required_models = [self]
+    def get_required_objects(self) -> Iterable[models.Model | str | tuple[str, models.Model]]:
+        required = [self]
        if self.certificate is not None:
-            required_models.append(self.certificate)
-        return required_models
+            required.append(("view_certificatekeypair", self.certificate))
+            required.append(("view_certificatekeypair_certificate", self.certificate))
+            required.append(("view_certificatekeypair_key", self.certificate))
+        return required

    class Meta:
        verbose_name = _("Proxy Provider")
--- a/authentik/providers/proxy/tests.py
+++ b/authentik/providers/proxy/tests.py
@@ -1,10 +1,14 @@
 """proxy provider tests"""

+from json import loads
+
 from django.urls import reverse
 from rest_framework.test import APITestCase

-from authentik.core.tests.utils import create_test_admin_user, create_test_flow
+from authentik.core.models import Application
+from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow
 from authentik.lib.generators import generate_id
+from authentik.outposts.models import Outpost, OutpostType
 from authentik.providers.oauth2.models import ClientTypes
 from authentik.providers.proxy.models import ProxyMode, ProxyProvider

@@ -127,3 +131,55 @@ class ProxyProviderTests(APITestCase):
        self.assertEqual(response.status_code, 200)
        provider: ProxyProvider = ProxyProvider.objects.get(name=name)
        self.assertEqual(provider.client_type, ClientTypes.CONFIDENTIAL)
+
+    def test_sa_fetch(self):
+        """Test fetching the outpost config as the service account"""
+        outpost = Outpost.objects.create(name=generate_id(), type=OutpostType.PROXY)
+        provider = ProxyProvider.objects.create(name=generate_id())
+        Application.objects.create(name=generate_id(), slug=generate_id(), provider=provider)
+        outpost.providers.add(provider)
+
+        res = self.client.get(
+            reverse("authentik_api:proxyprovideroutpost-list"),
+            HTTP_AUTHORIZATION=f"Bearer {outpost.token.key}",
+        )
+        body = loads(res.content)
+        self.assertEqual(body["pagination"]["count"], 1)
+
+    def test_sa_perms_cert(self):
+        """Test permissions to access a configured certificate"""
+        cert = create_test_cert()
+        outpost = Outpost.objects.create(name=generate_id(), type=OutpostType.PROXY)
+        provider = ProxyProvider.objects.create(name=generate_id(), certificate=cert)
+        Application.objects.create(name=generate_id(), slug=generate_id(), provider=provider)
+        outpost.providers.add(provider)
+
+        res = self.client.get(
+            reverse("authentik_api:proxyprovideroutpost-list"),
+            HTTP_AUTHORIZATION=f"Bearer {outpost.token.key}",
+        )
+        body = loads(res.content)
+        self.assertEqual(body["pagination"]["count"], 1)
+        cert_id = body["results"][0]["certificate"]
+        self.assertEqual(cert_id, str(cert.pk))
+
+        res = self.client.get(
+            reverse(
+                "authentik_api:certificatekeypair-view-certificate",
+                kwargs={
+                    "pk": cert_id,
+                },
+            ),
+            HTTP_AUTHORIZATION=f"Bearer {outpost.token.key}",
+        )
+        self.assertEqual(res.status_code, 200)
+        # res = self.client.get(
+        #     reverse(
+        #         "authentik_api:certificatekeypair-view-private-key",
+        #         kwargs={
+        #             "pk": cert_id,
+        #         },
+        #     ),
+        #     HTTP_AUTHORIZATION=f"Bearer {outpost.token.key}",
+        # )
+        # self.assertEqual(res.status_code, 200)
--- a/authentik/providers/rac/models.py
+++ b/authentik/providers/rac/models.py
@@ -15,7 +15,7 @@ from structlog.stdlib import get_logger
 from authentik.core.expression.exceptions import PropertyMappingExpressionException
 from authentik.core.models import ExpiringModel, PropertyMapping, Provider, User, default_token_key
 from authentik.events.models import Event, EventAction
-from authentik.lib.models import SerializerModel
+from authentik.lib.models import InternallyManagedMixin, SerializerModel
 from authentik.lib.utils.time import timedelta_string_validator
 from authentik.outposts.models import OutpostModel
 from authentik.policies.models import PolicyBindingModel
@@ -145,7 +145,7 @@ class RACPropertyMapping(PropertyMapping):
        verbose_name_plural = _("RAC Provider Property Mappings")


-class ConnectionToken(ExpiringModel):
+class ConnectionToken(InternallyManagedMixin, ExpiringModel):
    """Token for a single connection to a specified endpoint"""

    connection_token_uuid = models.UUIDField(default=uuid4, primary_key=True)
--- a/authentik/providers/radius/models.py
+++ b/authentik/providers/radius/models.py
@@ -64,10 +64,12 @@ class RadiusProvider(OutpostModel, Provider):

        return RadiusProviderSerializer

-    def get_required_objects(self) -> Iterable[models.Model | str]:
+    def get_required_objects(self) -> Iterable[models.Model | str | tuple[str, models.Model]]:
        required = [self, "authentik_stages_mtls.pass_outpost_certificate"]
        if self.certificate is not None:
-            required.append(self.certificate)
+            required.append(("view_certificatekeypair", self.certificate))
+            required.append(("view_certificatekeypair_certificate", self.certificate))
+            required.append(("view_certificatekeypair_key", self.certificate))
        return required

    def __str__(self):
--- a/authentik/providers/saml/models.py
+++ b/authentik/providers/saml/models.py
@@ -18,7 +18,7 @@ from authentik.core.models import (
    User,
 )
 from authentik.crypto.models import CertificateKeyPair
-from authentik.lib.models import DomainlessURLValidator, SerializerModel
+from authentik.lib.models import DomainlessURLValidator, InternallyManagedMixin, SerializerModel
 from authentik.lib.utils.time import timedelta_string_validator
 from authentik.sources.saml.models import SAMLNameIDPolicy
 from authentik.sources.saml.processors.constants import (
@@ -303,7 +303,7 @@ class SAMLProviderImportModel(CreatableType, Provider):
        verbose_name_plural = _("SAML Providers from Metadata")


-class SAMLSession(SerializerModel, ExpiringModel):
+class SAMLSession(InternallyManagedMixin, SerializerModel, ExpiringModel):
    """Track active SAML sessions for Single Logout support"""

    saml_session_id = models.UUIDField(default=uuid4, primary_key=True)
--- a/authentik/providers/scim/clients/exceptions.py
+++ b/authentik/providers/scim/clients/exceptions.py
@@ -14,6 +14,7 @@ class SCIMRequestException(TransientSyncException):
    _message: str | None

    def __init__(self, response: Response | None = None, message: str | None = None) -> None:
+        super().__init__(response)
        self._response = response
        self._message = message

--- a/authentik/providers/scim/models.py
+++ b/authentik/providers/scim/models.py
@@ -13,7 +13,7 @@ from rest_framework.serializers import Serializer
 from structlog.stdlib import get_logger

 from authentik.core.models import BackchannelProvider, Group, PropertyMapping, User, UserTypes
-from authentik.lib.models import SerializerModel
+from authentik.lib.models import InternallyManagedMixin, SerializerModel
 from authentik.lib.sync.outgoing.base import BaseOutgoingSyncClient
 from authentik.lib.sync.outgoing.models import OutgoingSyncProvider
 from authentik.lib.utils.time import timedelta_from_string, timedelta_string_validator
@@ -22,7 +22,7 @@ from authentik.providers.scim.clients.auth import SCIMTokenAuth
 LOGGER = get_logger()


-class SCIMProviderUser(SerializerModel):
+class SCIMProviderUser(InternallyManagedMixin, SerializerModel):
    """Mapping of a user and provider to a SCIM user ID"""

    id = models.UUIDField(primary_key=True, editable=False, default=uuid4)
@@ -44,7 +44,7 @@ class SCIMProviderUser(SerializerModel):
        return f"SCIM Provider User {self.user_id} to {self.provider_id}"


-class SCIMProviderGroup(SerializerModel):
+class SCIMProviderGroup(InternallyManagedMixin, SerializerModel):
    """Mapping of a group and provider to a SCIM user ID"""

    id = models.UUIDField(primary_key=True, editable=False, default=uuid4)
--- a/authentik/root/asgi_middleware.py
+++ b/authentik/root/asgi_middleware.py
@@ -50,7 +50,7 @@ def get_user(scope):
            "Cannot find session in scope. You should wrap your consumer in SessionMiddleware."
        )
    user = None
-    if (authenticated_session := scope["session"].get("authenticated_session", None)) is not None:
+    if (authenticated_session := scope["session"].get("authenticatedsession", None)) is not None:
        user = authenticated_session.user
    return user or AnonymousUser()

--- a/authentik/root/test_runner.py
+++ b/authentik/root/test_runner.py
@@ -96,6 +96,9 @@ class PytestTestRunner(DiscoverRunner):  # pragma: no cover
    def add_arguments(cls, parser: ArgumentParser):
        """Add more pytest-specific arguments"""
        DiscoverRunner.add_arguments(parser)
+        default_seed = None
+        if seed := os.getenv("CI_TEST_SEED"):
+            default_seed = int(seed)
        parser.add_argument(
            "--randomly-seed",
            type=int,
@@ -103,6 +106,7 @@ class PytestTestRunner(DiscoverRunner):  # pragma: no cover
            "to reuse the seed from the previous run."
            "Default behaviour: use random.Random().getrandbits(32), so the seed is"
            "different on each run.",
+            default=default_seed,
        )
        parser.add_argument(
            "--no-capture",
--- a/authentik/root/tests/init.py
+++ b/authentik/root/tests/init.py
--- a/authentik/root/tests/test_views.py
+++ b/authentik/root/tests/test_views.py
--- a/Show More
+++ b/Show More