idk

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
initial flow support
2026-05-05 22:52:42 +02:00 · 2024-09-03 19:51:11 +02:00 · 2024-09-03 19:39:54 +02:00 · 2024-09-03 19:39:26 +02:00 · 2024-09-03 19:39:15 +02:00 · 2024-09-03 19:39:04 +02:00
3200 changed files with 158094 additions and 379232 deletions
--- a/.bumpversion.cfg
+++ b/.bumpversion.cfg
@@ -0,0 +1,32 @@
+[bumpversion]
+current_version = 2024.8.0
+tag = True
+commit = True
+parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?:-(?P<rc_t>[a-zA-Z-]+)(?P<rc_n>[1-9]\\d*))?
+serialize = 
+	{major}.{minor}.{patch}-{rc_t}{rc_n}
+	{major}.{minor}.{patch}
+message = release: {new_version}
+tag_name = version/{new_version}
+
+[bumpversion:part:rc_t]
+values = 
+	rc
+	final
+optional_value = final
+
+[bumpversion:file:pyproject.toml]
+
+[bumpversion:file:package.json]
+
+[bumpversion:file:docker-compose.yml]
+
+[bumpversion:file:schema.yml]
+
+[bumpversion:file:blueprints/schema.json]
+
+[bumpversion:file:authentik/__init__.py]
+
+[bumpversion:file:internal/constants/constants.go]
+
+[bumpversion:file:web/src/common/constants.ts]
--- a/.dockerignore
+++ b/.dockerignore
@@ -1,15 +1,12 @@
 htmlcov
 *.env.yml
-node_modules
 **/node_modules
 dist/**
 build/**
 build_docs/**
 *Dockerfile
-**/*Dockerfile
 blueprints/local
 .git
 !gen-ts-api/node_modules
 !gen-ts-api/dist/**
 !gen-go-api/
-.venv
--- a/.editorconfig
+++ b/.editorconfig
@@ -7,9 +7,6 @@ charset = utf-8
 trim_trailing_whitespace = true
 insert_final_newline = true

-[*.toml]
-indent_size = 2
-
 [*.html]
 indent_size = 2

--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -28,11 +28,7 @@ Output of docker-compose logs or kubectl logs respectively

 **Version and Deployment (please complete the following information):**

-<!--
-Notice: authentik supports installation via Docker, Kubernetes, and AWS CloudFormation only. Support is not available for other methods. For detailed installation and configuration instructions, please refer to the official documentation at https://docs.goauthentik.io/docs/install-config/.
-->
-
-   authentik version: [e.g. 2025.2.0]
+-   authentik version: [e.g. 2021.8.5]
 -   Deployment: [e.g. docker-compose, helm]

 **Additional context**
--- a/.github/ISSUE_TEMPLATE/docs_issue.md
+++ b/.github/ISSUE_TEMPLATE/docs_issue.md
@@ -1,22 +0,0 @@
---
-name: Documentation issue
-about: Suggest an improvement or report a problem
-title: ""
-labels: documentation
-assignees: ""
---
-
-**Do you see an area that can be clarified or expanded, a technical inaccuracy, or a broken link? Please describe.**
-A clear and concise description of what the problem is, or where the document can be improved. Ex. I believe we need more details about [...]
-
-**Provide the URL or link to the exact page in the documentation to which you are referring.**
-If there are multiple pages, list them all, and be sure to state the header or section where the content is.
-
-**Describe the solution you'd like**
-A clear and concise description of what you want to happen.
-
-**Additional context**
-Add any other context or screenshots about the documentation issue here.
-
-**Consider opening a PR!**
-If the issue is one that you can fix, or even make a good pass at, we'd appreciate a PR. For more information about making a contribution to the docs, and using our Style Guide and our templates, refer to ["Writing documentation"](https://docs.goauthentik.io/docs/developer-docs/docs/writing-documentation).
--- a/.github/ISSUE_TEMPLATE/question.md
+++ b/.github/ISSUE_TEMPLATE/question.md
@@ -20,12 +20,7 @@ Output of docker-compose logs or kubectl logs respectively

 **Version and Deployment (please complete the following information):**

-<!--
-Notice: authentik supports installation via Docker, Kubernetes, and AWS CloudFormation only. Support is not available for other methods. For detailed installation and configuration instructions, please refer to the official documentation at https://docs.goauthentik.io/docs/install-config/.
-->
-
-
-   authentik version: [e.g. 2025.2.0]
+-   authentik version: [e.g. 2021.8.5]
 -   Deployment: [e.g. docker-compose, helm]

 **Additional context**
--- a/.github/actions/cherry-pick/action.yml
+++ b/.github/actions/cherry-pick/action.yml
@@ -1,267 +0,0 @@
-name: "Cherry-picker"
-description: "Cherry-pick PRs based on their labels"
-
-inputs:
-  token:
-    description: "GitHub Token"
-    required: true
-  git_user:
-    description: "Git user for pushing the cherry-pick PR"
-    required: true
-  git_user_email:
-    description: "Git user email for pushing the cherry-pick PR"
-    required: true
-
-runs:
-  using: "composite"
-  steps:
-    - name: Check if workflow should run
-      id: should_run
-      shell: bash
-      env:
-        GITHUB_TOKEN: ${{ inputs.token }}
-      run: |
-        set -e -o pipefail
-        # For issues events, check if it's actually a PR
-        if [ "${{ github.event_name }}" = "issues" ]; then
-          # Check if this issue is actually a PR
-          PR_DATA=$(gh api repos/${{ github.repository }}/pulls/${{ github.event.issue.number }} 2>/dev/null || echo "null")
-          if [ "$PR_DATA" = "null" ]; then
-            echo "should_run=false" >> $GITHUB_OUTPUT
-            echo "reason=not_a_pr" >> $GITHUB_OUTPUT
-            echo "This is an issue, not a PR. Skipping."
-            exit 0
-          fi
-
-          # Get PR data
-          PR_MERGED=$(echo "$PR_DATA" | jq -r '.merged')
-          PR_NUMBER="${{ github.event.issue.number }}"
-          MERGE_COMMIT_SHA=$(echo "$PR_DATA" | jq -r '.merge_commit_sha')
-
-          # Check if it's a backport label
-          LABEL_NAME="${{ github.event.label.name }}"
-          if [[ "$LABEL_NAME" =~ ^backport/(.+)$ ]]; then
-            if [ "$PR_MERGED" = "true" ]; then
-              echo "should_run=true" >> $GITHUB_OUTPUT
-              echo "reason=label_added_to_merged_pr" >> $GITHUB_OUTPUT
-              echo "pr_number=$PR_NUMBER" >> $GITHUB_OUTPUT
-              echo "merge_commit_sha=$MERGE_COMMIT_SHA" >> $GITHUB_OUTPUT
-              exit 0
-            else
-              echo "should_run=false" >> $GITHUB_OUTPUT
-              echo "reason=label_added_to_open_pr" >> $GITHUB_OUTPUT
-              echo "Backport label added to open PR. Will run after PR is merged."
-              exit 0
-            fi
-          else
-            echo "should_run=false" >> $GITHUB_OUTPUT
-            echo "reason=non_backport_label" >> $GITHUB_OUTPUT
-            exit 0
-          fi
-        fi
-
-        # For pull_request and pull_request_target events
-        PR_NUMBER="${{ github.event.pull_request.number }}"
-        MERGE_COMMIT_SHA="${{ github.event.pull_request.merge_commit_sha }}"
-
-        # Case 1: PR was just merged (closed + merged = true)
-        if [ "${{ github.event.action }}" = "closed" ] && [ "${{ github.event.pull_request.merged }}" = "true" ]; then
-          echo "should_run=true" >> $GITHUB_OUTPUT
-          echo "reason=pr_merged" >> $GITHUB_OUTPUT
-          echo "pr_number=$PR_NUMBER" >> $GITHUB_OUTPUT
-          echo "merge_commit_sha=$MERGE_COMMIT_SHA" >> $GITHUB_OUTPUT
-          exit 0
-        fi
-
-        # Case 2: Label was added
-        if [ "${{ github.event.action }}" = "labeled" ]; then
-          LABEL_NAME="${{ github.event.label.name }}"
-          # Check if it's a backport label
-          if [[ "$LABEL_NAME" =~ ^backport/(.+)$ ]]; then
-            # Check if PR is already merged
-            if [ "${{ github.event.pull_request.merged }}" = "true" ]; then
-              echo "should_run=true" >> $GITHUB_OUTPUT
-              echo "reason=label_added_to_merged_pr" >> $GITHUB_OUTPUT
-              echo "pr_number=$PR_NUMBER" >> $GITHUB_OUTPUT
-              echo "merge_commit_sha=$MERGE_COMMIT_SHA" >> $GITHUB_OUTPUT
-              exit 0
-            else
-              echo "should_run=false" >> $GITHUB_OUTPUT
-              echo "reason=label_added_to_open_pr" >> $GITHUB_OUTPUT
-              echo "Backport label added to open PR. Will run after PR is merged."
-              exit 0
-            fi
-          else
-            echo "should_run=false" >> $GITHUB_OUTPUT
-            echo "reason=non_backport_label" >> $GITHUB_OUTPUT
-            exit 0
-          fi
-        fi
-
-        echo "should_run=false" >> $GITHUB_OUTPUT
-        echo "reason=unknown" >> $GITHUB_OUTPUT
-    - name: Configure Git
-      if: steps.should_run.outputs.should_run == 'true'
-      shell: bash
-      env:
-        user: ${{ inputs.git_user }}
-        email: ${{ inputs.git_user_email }}
-      run: |
-        git config --global user.name "${user}"
-        git config --global user.email "${email}"
-    - name: Get PR details and extract backport labels
-      if: steps.should_run.outputs.should_run == 'true'
-      id: pr_details
-      shell: bash
-      env:
-        GITHUB_TOKEN: ${{ inputs.token }}
-      run: |
-        set -e -o pipefail
-        PR_NUMBER="${{ steps.should_run.outputs.pr_number }}"
-
-        # Get PR details
-        PR_DATA=$(gh api repos/${{ github.repository }}/pulls/$PR_NUMBER)
-        PR_TITLE=$(echo "$PR_DATA" | jq -r '.title')
-        PR_AUTHOR=$(echo "$PR_DATA" | jq -r '.user.login')
-
-        echo "pr_title=$PR_TITLE" >> $GITHUB_OUTPUT
-        echo "pr_author=$PR_AUTHOR" >> $GITHUB_OUTPUT
-
-        # Determine which labels to process
-        if [ "${{ steps.should_run.outputs.reason }}" = "label_added_to_merged_pr" ]; then
-          # Only process the specific label that was just added
-          if [ "${{ github.event_name }}" = "issues" ]; then
-            LABEL_NAME="${{ github.event.label.name }}"
-          else
-            LABEL_NAME="${{ github.event.label.name }}"
-          fi
-
-          if [[ "$LABEL_NAME" =~ ^backport/(.+)$ ]]; then
-            echo "labels=$LABEL_NAME" >> $GITHUB_OUTPUT
-          else
-            echo "Label $LABEL_NAME does not match backport pattern"
-            echo "labels=" >> $GITHUB_OUTPUT
-          fi
-        else
-          # PR was just merged, process all backport labels
-          LABELS=$(gh pr view $PR_NUMBER --json labels --jq '.labels[].name' | grep '^backport/' | tr '\n' ' ' || true)
-          echo "labels=$LABELS" >> $GITHUB_OUTPUT
-        fi
-    - name: Cherry-pick to target branches
-      if: steps.should_run.outputs.should_run == 'true' && steps.pr_details.outputs.labels != ''
-      shell: bash
-      env:
-        GITHUB_TOKEN: ${{ inputs.token }}
-      run: |
-        set -e -o pipefail
-        PR_NUMBER='${{ steps.should_run.outputs.pr_number }}'
-        COMMIT_SHA='${{ steps.should_run.outputs.merge_commit_sha }}'
-        PR_TITLE='${{ steps.pr_details.outputs.pr_title }}'
-        PR_AUTHOR='${{ steps.pr_details.outputs.pr_author }}'
-        LABELS='${{ steps.pr_details.outputs.labels }}'
-
-        echo "Processing PR #$PR_NUMBER (reason: ${{ steps.should_run.outputs.reason }})"
-        echo "Found backport labels: $LABELS"
-
-        # Process each backport label
-        for label in $LABELS; do
-          if [[ "$label" =~ ^backport/(.+)$ ]]; then
-            TARGET_BRANCH="${BASH_REMATCH[1]}"
-            echo "Processing backport to branch: $TARGET_BRANCH"
-
-            # Check if target branch exists
-            if ! git ls-remote --heads origin "$TARGET_BRANCH" | grep -q "$TARGET_BRANCH"; then
-              echo "❌ Target branch $TARGET_BRANCH does not exist, skipping"
-
-              # Comment on the original PR about the missing branch
-              gh pr comment $PR_NUMBER --body "⚠️ Cannot backport to \`$TARGET_BRANCH\`: branch does not exist."
-              continue
-            fi
-
-            # Create a unique branch name for the cherry-pick
-            CHERRY_PICK_BRANCH="cherry-pick/${PR_NUMBER}-to-${TARGET_BRANCH}"
-
-            # Check if a cherry-pick PR already exists
-            EXISTING_PR=$(gh pr list --head "$CHERRY_PICK_BRANCH" --json number --jq '.[0].number' 2>/dev/null || echo "")
-            if [ -n "$EXISTING_PR" ]; then
-              echo "⚠️ Cherry-pick PR already exists: #$EXISTING_PR"
-              gh pr comment $PR_NUMBER --body "Cherry-pick to \`$TARGET_BRANCH\` already exists: #$EXISTING_PR"
-              continue
-            fi
-
-            # Fetch and checkout target branch
-            git fetch origin "$TARGET_BRANCH"
-            git checkout -b "$CHERRY_PICK_BRANCH" "origin/$TARGET_BRANCH"
-
-            # Attempt cherry-pick
-            if git cherry-pick "$COMMIT_SHA"; then
-              echo "✅ Cherry-pick successful for $TARGET_BRANCH"
-
-              # Push the cherry-pick branch
-              git push origin "$CHERRY_PICK_BRANCH"
-
-              # Create PR for the cherry-pick
-              CHERRY_PICK_TITLE="$PR_TITLE (cherry-pick #$PR_NUMBER to $TARGET_BRANCH)"
-              CHERRY_PICK_BODY="Cherry-pick of #$PR_NUMBER to \`$TARGET_BRANCH\` branch.
-
-        **Original PR:** #$PR_NUMBER
-        **Original Author:** @$PR_AUTHOR
-        **Cherry-picked commit:** $COMMIT_SHA"
-
-              NEW_PR=$(gh pr create \
-                --title "$CHERRY_PICK_TITLE" \
-                --body "$CHERRY_PICK_BODY" \
-                --base "$TARGET_BRANCH" \
-                --head "$CHERRY_PICK_BRANCH" \
-                --label "cherry-pick")
-
-              echo "✅ Created cherry-pick PR $NEW_PR for $TARGET_BRANCH"
-
-              # Comment on original PR
-              gh pr comment $PR_NUMBER --body "🍒 Cherry-pick to \`$TARGET_BRANCH\` created: $NEW_PR"
-
-            else
-              echo "⚠️ Cherry-pick failed for $TARGET_BRANCH, creating conflict resolution PR"
-
-              # Add conflicted files and commit
-              git add .
-              git commit -m "Cherry-pick #$PR_NUMBER to $TARGET_BRANCH (with conflicts)
-
-        This cherry-pick has conflicts that need manual resolution.
-
-        Original PR: #$PR_NUMBER
-        Original commit: $COMMIT_SHA"
-
-              # Push the branch with conflicts
-              git push origin "$CHERRY_PICK_BRANCH"
-
-              # Create PR with conflict notice
-              CONFLICT_TITLE="$PR_TITLE (cherry-pick #$PR_NUMBER to $TARGET_BRANCH)"
-              CONFLICT_BODY="⚠️ **This cherry-pick has conflicts that require manual resolution.**
-
-        Cherry-pick of #$PR_NUMBER to \`$TARGET_BRANCH\` branch.
-
-        **Original PR:** #$PR_NUMBER
-        **Original Author:** @$PR_AUTHOR
-        **Cherry-picked commit:** $COMMIT_SHA
-
-        **Please resolve the conflicts in this PR before merging.**"
-
-              NEW_PR=$(gh pr create \
-                --title "$CONFLICT_TITLE" \
-                --body "$CONFLICT_BODY" \
-                --base "$TARGET_BRANCH" \
-                --head "$CHERRY_PICK_BRANCH" \
-                --label "cherry-pick")
-
-              echo "⚠️ Created conflict resolution PR $NEW_PR for $TARGET_BRANCH"
-
-              # Comment on original PR
-              gh pr comment $PR_NUMBER --body "⚠️ Cherry-pick to \`$TARGET_BRANCH\` has conflicts: $NEW_PR"
-            fi
-
-            # Clean up - go back to main branch
-            git checkout main
-            git branch -D "$CHERRY_PICK_BRANCH" 2>/dev/null || true
-          fi
-        done
--- a/.github/actions/comment-pr-instructions/action.yml
+++ b/.github/actions/comment-pr-instructions/action.yml
@@ -10,14 +10,14 @@ runs:
  using: "composite"
  steps:
    - name: Find Comment
-      uses: peter-evans/find-comment@a54c31d7fa095754bfef525c0c8e5e5674c4b4b1 # v2
+      uses: peter-evans/find-comment@v2
      id: fc
      with:
        issue-number: ${{ github.event.pull_request.number }}
        comment-author: "github-actions[bot]"
        body-includes: authentik PR Installation instructions
    - name: Create or update comment
-      uses: peter-evans/create-or-update-comment@67dcc547d311b736a8e6c5c236542148a47adc3d # v2
+      uses: peter-evans/create-or-update-comment@v2
      with:
        comment-id: ${{ steps.fc.outputs.comment-id }}
        issue-number: ${{ github.event.pull_request.number }}
@@ -35,6 +35,14 @@ runs:
            AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
            ```

+            For arm64, use these values:
+
+            ```shell
+            AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
+            AUTHENTIK_TAG=${{ inputs.tag }}-arm64
+            AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
+            ```
+
            Afterwards, run the upgrade commands from the latest release notes.
          </details>
          <details>
@@ -52,6 +60,18 @@ runs:
                    tag: ${{ inputs.tag }}
            ```

+            For arm64, use these values:
+
+            ```yaml
+            authentik:
+                outposts:
+                    container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
+            global:
+                image:
+                    repository: ghcr.io/goauthentik/dev-server
+                    tag: ${{ inputs.tag }}-arm64
+            ```
+
            Afterwards, run the upgrade commands from the latest release notes.
          </details>
        edit-mode: replace
--- a/.github/actions/docker-push-variables/action.yml
+++ b/.github/actions/docker-push-variables/action.yml
@@ -9,14 +9,11 @@ inputs:
  image-arch:
    required: false
    description: "Docker image arch"
-  release:
-    required: true
-    description: "True if this is a release build, false if this is a dev/PR build"

 outputs:
-  shouldPush:
-    description: "Whether to push the image or not"
-    value: ${{ steps.ev.outputs.shouldPush }}
+  shouldBuild:
+    description: "Whether to build image or not"
+    value: ${{ steps.ev.outputs.shouldBuild }}

  sha:
    description: "sha"
@@ -32,40 +29,25 @@ outputs:
  imageTags:
    description: "Docker image tags"
    value: ${{ steps.ev.outputs.imageTags }}
-  imageTagsJSON:
-    description: "Docker image tags, as a JSON array"
-    value: ${{ steps.ev.outputs.imageTagsJSON }}
  attestImageNames:
    description: "Docker image names used for attestation"
    value: ${{ steps.ev.outputs.attestImageNames }}
-  cacheTo:
-    description: "cache-to value for the docker build step"
-    value: ${{ steps.ev.outputs.cacheTo }}
  imageMainTag:
    description: "Docker image main tag"
    value: ${{ steps.ev.outputs.imageMainTag }}
  imageMainName:
    description: "Docker image main name"
    value: ${{ steps.ev.outputs.imageMainName }}
-  imageBuildArgs:
-    description: "Docker image build args"
-    value: ${{ steps.ev.outputs.imageBuildArgs }}

 runs:
  using: "composite"
  steps:
-    - name: Setup authentik env
-      uses: ./.github/actions/setup
-      with:
-        dependencies: "python"
    - name: Generate config
      id: ev
      shell: bash
      env:
        IMAGE_NAME: ${{ inputs.image-name }}
        IMAGE_ARCH: ${{ inputs.image-arch }}
-        RELEASE: ${{ inputs.release }}
        PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
-        REF: ${{ github.ref }}
      run: |
-        uv run python3 ${{ github.action_path }}/push_vars.py
+        python3 ${{ github.action_path }}/push_vars.py
--- a/.github/actions/docker-push-variables/push_vars.py
+++ b/.github/actions/docker-push-variables/push_vars.py
@@ -1,50 +1,29 @@
 """Helper script to get the actual branch name, docker safe"""

+import configparser
 import os
-from json import dumps
-from sys import exit as sysexit
 from time import time

-from authentik import authentik_version
+parser = configparser.ConfigParser()
+parser.read(".bumpversion.cfg")

-
-def must_or_fail(input: str | None, error: str) -> str:
-    if not input:
-        print(f"::error::{error}")
-        sysexit(1)
-    return input
-
-
-# Decide if we should push the image or not
-should_push = True
-if len(os.environ.get("DOCKER_USERNAME", "")) < 1:
-    # Don't push if we don't have DOCKER_USERNAME, i.e. no secrets are available
-    should_push = False
-if (
-    must_or_fail(os.environ.get("GITHUB_REPOSITORY"), "Repo required").lower()
-    == "goauthentik/authentik-internal"
-):
-    # Don't push on the internal repo
-    should_push = False
+should_build = str(len(os.environ.get("DOCKER_USERNAME", "")) > 0).lower()

 branch_name = os.environ["GITHUB_REF"]
 if os.environ.get("GITHUB_HEAD_REF", "") != "":
    branch_name = os.environ["GITHUB_HEAD_REF"]
 safe_branch_name = branch_name.replace("refs/heads/", "").replace("/", "-").replace("'", "-")

-image_names = must_or_fail(os.getenv("IMAGE_NAME"), "Image name required").split(",")
+image_names = os.getenv("IMAGE_NAME").split(",")
 image_arch = os.getenv("IMAGE_ARCH") or None

 is_pull_request = bool(os.getenv("PR_HEAD_SHA"))
 is_release = "dev" not in image_names[0]

-sha = must_or_fail(
-    os.environ["GITHUB_SHA"] if not is_pull_request else os.getenv("PR_HEAD_SHA"),
-    "could not determine SHA",
-)
+sha = os.environ["GITHUB_SHA"] if not is_pull_request else os.getenv("PR_HEAD_SHA")

 # 2042.1.0 or 2042.1.0-rc1
-version = authentik_version()
+version = parser.get("bumpversion", "current_version")
 # 2042.1
 version_family = ".".join(version.split("-", 1)[0].split(".")[:-1])
 prerelease = "-" in version
@@ -57,11 +36,12 @@ if is_release:
        ]
        if not prerelease:
            image_tags += [
+                f"{name}:latest",
                f"{name}:{version_family}",
            ]
 else:
    suffix = ""
-    if image_arch:
+    if image_arch and image_arch != "amd64":
        suffix = f"-{image_arch}"
    for name in image_names:
        image_tags += [
@@ -73,7 +53,7 @@ else:
 image_main_tag = image_tags[0].split(":")[-1]


-def get_attest_image_names(image_with_tags: list[str]) -> str:
+def get_attest_image_names(image_with_tags: list[str]):
    """Attestation only for GHCR"""
    image_tags = []
    for image_name in set(name.split(":")[0] for name in image_with_tags):
@@ -83,30 +63,12 @@ def get_attest_image_names(image_with_tags: list[str]) -> str:
    return ",".join(set(image_tags))


-# Generate `cache-to` param
-cache_to = ""
-if should_push:
-    _cache_tag = "buildcache"
-    if image_arch:
-        _cache_tag += f"-{image_arch}"
-    cache_to = f"type=registry,ref={get_attest_image_names(image_tags)}:{_cache_tag},mode=max"
-
-
-image_build_args = []
-if os.getenv("RELEASE", "false").lower() == "true":
-    image_build_args = [f"VERSION={os.getenv('REF')}"]
-else:
-    image_build_args = [f"GIT_BUILD_HASH={sha}"]
-
 with open(os.environ["GITHUB_OUTPUT"], "a+", encoding="utf-8") as _output:
-    print(f"shouldPush={str(should_push).lower()}", file=_output)
+    print(f"shouldBuild={should_build}", file=_output)
    print(f"sha={sha}", file=_output)
    print(f"version={version}", file=_output)
    print(f"prerelease={prerelease}", file=_output)
    print(f"imageTags={','.join(image_tags)}", file=_output)
-    print(f"imageTagsJSON={dumps(image_tags)}", file=_output)
    print(f"attestImageNames={get_attest_image_names(image_tags)}", file=_output)
    print(f"imageMainTag={image_main_tag}", file=_output)
    print(f"imageMainName={image_tags[0]}", file=_output)
-    print(f"cacheTo={cache_to}", file=_output)
-    print(f"imageBuildArgs={"\n".join(image_build_args)}", file=_output)
--- a/.github/actions/docker-push-variables/test.sh
+++ b/.github/actions/docker-push-variables/test.sh
@@ -1,18 +1,7 @@
 #!/bin/bash -x
 SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
-# Non-pushing PR
 GITHUB_OUTPUT=/dev/stdout \
    GITHUB_REF=ref \
    GITHUB_SHA=sha \
-    IMAGE_NAME=ghcr.io/goauthentik/server,authentik/server \
-    GITHUB_REPOSITORY=goauthentik/authentik \
-    python $SCRIPT_DIR/push_vars.py
-
-# Pushing PR/main
-GITHUB_OUTPUT=/dev/stdout \
-    GITHUB_REF=ref \
-    GITHUB_SHA=sha \
-    IMAGE_NAME=ghcr.io/goauthentik/server,authentik/server \
-    GITHUB_REPOSITORY=goauthentik/authentik \
-    DOCKER_USERNAME=foo \
+    IMAGE_NAME=ghcr.io/goauthentik/server,beryju/authentik \
    python $SCRIPT_DIR/push_vars.py
--- a/.github/actions/setup/action.yml
+++ b/.github/actions/setup/action.yml
@@ -2,9 +2,6 @@ name: "Setup authentik testing environment"
 description: "Setup authentik testing environment"

 inputs:
-  dependencies:
-    description: "List of dependencies to setup"
-    default: "system,python,node,go,runtime"
  postgresql_version:
    description: "Optional postgresql image tag"
    default: "16"
@@ -12,55 +9,36 @@ inputs:
 runs:
  using: "composite"
  steps:
-    - name: Install apt deps
-      if: ${{ contains(inputs.dependencies, 'system') || contains(inputs.dependencies, 'python') }}
+    - name: Install poetry & deps
      shell: bash
      run: |
-        sudo apt-get remove --purge man-db
+        pipx install poetry || true
        sudo apt-get update
-        sudo apt-get install --no-install-recommends -y libpq-dev openssl libxmlsec1-dev pkg-config gettext libkrb5-dev krb5-kdc krb5-user krb5-admin-server
-    - name: Install uv
-      if: ${{ contains(inputs.dependencies, 'python') }}
-      uses: astral-sh/setup-uv@d4b2f3b6ecc6e67c4457f6d3e41ec42d3d0fcb86 # v5
-      with:
-        enable-cache: true
-    - name: Setup python
-      if: ${{ contains(inputs.dependencies, 'python') }}
-      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
+        sudo apt-get install --no-install-recommends -y libpq-dev openssl libxmlsec1-dev pkg-config gettext
+    - name: Setup python and restore poetry
+      uses: actions/setup-python@v5
      with:
        python-version-file: "pyproject.toml"
-    - name: Install Python deps
-      if: ${{ contains(inputs.dependencies, 'python') }}
-      shell: bash
-      run: uv sync --all-extras --dev --frozen
+        cache: "poetry"
    - name: Setup node
-      if: ${{ contains(inputs.dependencies, 'node') }}
-      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
+      uses: actions/setup-node@v4
      with:
        node-version-file: web/package.json
        cache: "npm"
        cache-dependency-path: web/package-lock.json
-        registry-url: 'https://registry.npmjs.org'
    - name: Setup go
-      if: ${{ contains(inputs.dependencies, 'go') }}
-      uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5
+      uses: actions/setup-go@v5
      with:
        go-version-file: "go.mod"
-    - name: Setup docker cache
-      if: ${{ contains(inputs.dependencies, 'runtime') }}
-      uses: AndreKurait/docker-cache@0fe76702a40db986d9663c24954fc14c6a6031b7
-      with:
-        key: docker-images-${{ runner.os }}-${{ hashFiles('.github/actions/setup/docker-compose.yml', 'Makefile') }}-${{ inputs.postgresql_version }}
    - name: Setup dependencies
-      if: ${{ contains(inputs.dependencies, 'runtime') }}
      shell: bash
      run: |
        export PSQL_TAG=${{ inputs.postgresql_version }}
        docker compose -f .github/actions/setup/docker-compose.yml up -d
-        cd web && npm i
+        poetry install
+        cd web && npm ci
    - name: Generate config
-      if: ${{ contains(inputs.dependencies, 'python') }}
-      shell: uv run python {0}
+      shell: poetry run python {0}
      run: |
        from authentik.lib.generators import generate_id
        from yaml import safe_dump
--- a/.github/actions/setup/docker-compose.yml
+++ b/.github/actions/setup/docker-compose.yml
@@ -3,7 +3,6 @@ services:
    image: docker.io/library/postgres:${PSQL_TAG:-16}
    volumes:
      - db-data:/var/lib/postgresql/data
-    command: "-c log_statement=all"
    environment:
      POSTGRES_USER: authentik
      POSTGRES_PASSWORD: "EK-5jnKfjrGRm<77"
@@ -12,7 +11,7 @@ services:
      - 5432:5432
    restart: always
  redis:
-    image: docker.io/library/redis:7
+    image: docker.io/library/redis
    ports:
      - 6379:6379
    restart: always
--- a/.github/actions/test-results/action.yml
+++ b/.github/actions/test-results/action.yml
@@ -1,28 +0,0 @@
-name: "Process test results"
-description: Convert test results to JUnit, add them to GitHub Actions and codecov
-
-inputs:
-  flags:
-    description: Codecov flags
-
-runs:
-  using: "composite"
-  steps:
-    - uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5
-      with:
-        flags: ${{ inputs.flags }}
-        use_oidc: true
-    - uses: codecov/test-results-action@47f89e9acb64b76debcd5ea40642d25a4adced9f # v1
-      with:
-        flags: ${{ inputs.flags }}
-        file: unittest.xml
-        use_oidc: true
-    - name: PostgreSQL Logs
-      shell: bash
-      run: |
-        if [[ $ACTIONS_RUNNER_DEBUG == 'true' || $ACTIONS_STEP_DEBUG == 'true' ]]; then
-          docker stop setup-postgresql-1
-          echo "::group::PostgreSQL Logs"
-          docker logs setup-postgresql-1
-          echo "::endgroup::"
-        fi
--- a/.github/cherry-pick-bot.yml
+++ b/.github/cherry-pick-bot.yml
@@ -0,0 +1,2 @@
+enabled: true
+preservePullRequestTitle: true
--- a/.github/codespell-words.txt
+++ b/.github/codespell-words.txt
@@ -1,32 +1,7 @@
-akadmin
-asgi
-assertIn
-authentik
-authn
-crate
-docstrings
-entra
-goauthentik
-gunicorn
-hass
-jwe
-jwks
 keypair
 keypairs
-kubernetes
-oidc
-ontext
-openid
-passwordless
-plex
-saml
-scim
-singed
-slo
-sso
-totp
-traefik
-# https://github.com/codespell-project/codespell/issues/1224
-upToDate
+hass
 warmup
-webauthn
+ontext
+singed
+assertIn
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -23,13 +23,8 @@ updates:
  - package-ecosystem: npm
    directories:
      - "/web"
-      - "/web/packages/sfe"
-      - "/web/packages/core"
-      - "/packages/esbuild-plugin-live-reload"
-      - "/packages/prettier-config"
-      - "/packages/tsconfig"
-      - "/packages/docusaurus-config"
-      - "/packages/eslint-config"
+      - "/tests/wdio"
+      - "/web/sfe"
    schedule:
      interval: daily
      time: "04:00"
@@ -49,11 +44,9 @@ updates:
          - "babel-*"
      eslint:
        patterns:
-          - "@eslint/*"
          - "@typescript-eslint/*"
-          - "eslint-*"
          - "eslint"
-          - "typescript-eslint"
+          - "eslint-*"
      storybook:
        patterns:
          - "@storybook/*"
@@ -61,12 +54,10 @@ updates:
      esbuild:
        patterns:
          - "@esbuild/*"
-          - "esbuild*"
      rollup:
        patterns:
          - "@rollup/*"
          - "rollup-*"
-          - "rollup*"
      swc:
        patterns:
          - "@swc/*"
@@ -74,15 +65,6 @@ updates:
      wdio:
        patterns:
          - "@wdio/*"
-      goauthentik:
-        patterns:
-          - "@goauthentik/*"
-      react:
-        patterns:
-          - "react"
-          - "react-dom"
-          - "@types/react"
-          - "@types/react-dom"
  - package-ecosystem: npm
    directory: "/website"
    schedule:
@@ -97,33 +79,7 @@ updates:
      docusaurus:
        patterns:
          - "@docusaurus/*"
-      build:
-        patterns:
-          - "@swc/*"
-          - "swc-*"
-          - "lightningcss*"
-          - "@rspack/binding*"
-      goauthentik:
-        patterns:
-          - "@goauthentik/*"
-      eslint:
-        patterns:
-          - "@eslint/*"
-          - "@typescript-eslint/*"
-          - "eslint-*"
-          - "eslint"
-          - "typescript-eslint"
-  - package-ecosystem: npm
-    directory: "/lifecycle/aws"
-    schedule:
-      interval: daily
-      time: "04:00"
-    open-pull-requests-limit: 10
-    commit-message:
-      prefix: "lifecycle/aws:"
-    labels:
-      - dependencies
-  - package-ecosystem: uv
+  - package-ecosystem: pip
    directory: "/"
    schedule:
      interval: daily
@@ -143,16 +99,3 @@ updates:
      prefix: "core:"
    labels:
      - dependencies
-  - package-ecosystem: docker-compose
-    directories:
-      # - /scripts # Maybe
-      - /scripts/api
-      - /tests/e2e
-    schedule:
-      interval: daily
-      time: "04:00"
-    open-pull-requests-limit: 10
-    commit-message:
-      prefix: "core:"
-    labels:
-      - dependencies
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@@ -1,7 +1,7 @@
 <!--
 👋 Hi there! Welcome.

-Please check the Contributing guidelines: https://docs.goauthentik.io/docs/developer-docs/#how-can-i-contribute
+Please check the Contributing guidelines: https://goauthentik.io/developer-docs/#how-can-i-contribute
 -->

 ## Details
@@ -31,4 +31,4 @@ If changes to the frontend have been made
 If applicable

 -   [ ] The documentation has been updated
-   [ ] The documentation has been formatted (`make docs`)
+-   [ ] The documentation has been formatted (`make website`)
--- a/.github/workflows/_reusable-docker-build-single.yml
+++ b/.github/workflows/_reusable-docker-build-single.yml
@@ -1,106 +0,0 @@
---
-# Re-usable workflow for a single-architecture build
-name: Reusable - Single-arch Container build
-
-on:
-  workflow_call:
-    inputs:
-      image_name:
-        required: true
-        type: string
-      image_arch:
-        required: true
-        type: string
-      runs-on:
-        required: true
-        type: string
-      registry_dockerhub:
-        default: false
-        type: boolean
-      registry_ghcr:
-        default: false
-        type: boolean
-      release:
-        default: false
-        type: boolean
-    outputs:
-      image-digest:
-        value: ${{ jobs.build.outputs.image-digest }}
-
-jobs:
-  build:
-    name: Build ${{ inputs.image_arch }}
-    runs-on: ${{ inputs.runs-on }}
-    outputs:
-      image-digest: ${{ steps.push.outputs.digest }}
-    permissions:
-      # Needed to upload container images to ghcr.io
-      packages: write
-      # Needed for attestation
-      id-token: write
-      attestations: write
-      # Needed for checkout
-      contents: read
-    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
-      - uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
-      - uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3
-      - name: prepare variables
-        uses: ./.github/actions/docker-push-variables
-        id: ev
-        env:
-          DOCKER_USERNAME: ${{ secrets.DOCKER_CORP_USERNAME }}
-        with:
-          image-name: ${{ inputs.image_name }}
-          image-arch: ${{ inputs.image_arch }}
-          release: ${{ inputs.release }}
-      - name: Login to Docker Hub
-        if: ${{ inputs.registry_dockerhub }}
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3
-        with:
-          username: ${{ secrets.DOCKER_CORP_USERNAME }}
-          password: ${{ secrets.DOCKER_CORP_PASSWORD }}
-      - name: Login to GitHub Container Registry
-        if: ${{ inputs.registry_ghcr }}
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: make empty clients
-        if: ${{ inputs.release }}
-        run: |
-          mkdir -p ./gen-ts-api
-          mkdir -p ./gen-go-api
-      - name: Setup node
-        if: ${{ !inputs.release }}
-        uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v5
-        with:
-          node-version-file: web/package.json
-          cache: "npm"
-          cache-dependency-path: web/package-lock.json
-      - name: generate ts client
-        if: ${{ !inputs.release }}
-        run: make gen-client-ts
-      - name: Build Docker Image
-        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6
-        id: push
-        with:
-          context: .
-          push: ${{ steps.ev.outputs.shouldPush == 'true' }}
-          secrets: |
-            GEOIPUPDATE_ACCOUNT_ID=${{ secrets.GEOIPUPDATE_ACCOUNT_ID }}
-            GEOIPUPDATE_LICENSE_KEY=${{ secrets.GEOIPUPDATE_LICENSE_KEY }}
-          build-args: |
-            ${{ steps.ev.outputs.imageBuildArgs }}
-          tags: ${{ steps.ev.outputs.imageTags }}
-          platforms: linux/${{ inputs.image_arch }}
-          cache-from: type=registry,ref=${{ steps.ev.outputs.attestImageNames }}:buildcache-${{ inputs.image_arch }}
-          cache-to: ${{ steps.ev.outputs.cacheTo }}
-      - uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3
-        id: attest
-        if: ${{ steps.ev.outputs.shouldPush == 'true' }}
-        with:
-          subject-name: ${{ steps.ev.outputs.attestImageNames }}
-          subject-digest: ${{ steps.push.outputs.digest }}
-          push-to-registry: true
--- a/.github/workflows/_reusable-docker-build.yml
+++ b/.github/workflows/_reusable-docker-build.yml
@@ -1,105 +0,0 @@
---
-# Re-usable workflow for a multi-architecture build
-name: Reusable - Multi-arch container build
-
-on:
-  workflow_call:
-    inputs:
-      image_name:
-        required: true
-        type: string
-      registry_dockerhub:
-        default: false
-        type: boolean
-      registry_ghcr:
-        default: true
-        type: boolean
-      release:
-        default: false
-        type: boolean
-    outputs: {}
-
-jobs:
-  build-server-amd64:
-    uses: ./.github/workflows/_reusable-docker-build-single.yml
-    secrets: inherit
-    with:
-      image_name: ${{ inputs.image_name }}
-      image_arch: amd64
-      runs-on: ubuntu-latest
-      registry_dockerhub: ${{ inputs.registry_dockerhub }}
-      registry_ghcr: ${{ inputs.registry_ghcr }}
-      release: ${{ inputs.release }}
-  build-server-arm64:
-    uses: ./.github/workflows/_reusable-docker-build-single.yml
-    secrets: inherit
-    with:
-      image_name: ${{ inputs.image_name }}
-      image_arch: arm64
-      runs-on: ubuntu-22.04-arm
-      registry_dockerhub: ${{ inputs.registry_dockerhub }}
-      registry_ghcr: ${{ inputs.registry_ghcr }}
-      release: ${{ inputs.release }}
-  get-tags:
-    runs-on: ubuntu-latest
-    needs:
-      - build-server-amd64
-      - build-server-arm64
-    outputs:
-      tags: ${{ steps.ev.outputs.imageTagsJSON }}
-      shouldPush: ${{ steps.ev.outputs.shouldPush }}
-    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
-      - name: prepare variables
-        uses: ./.github/actions/docker-push-variables
-        id: ev
-        env:
-          DOCKER_USERNAME: ${{ secrets.DOCKER_CORP_USERNAME }}
-        with:
-          image-name: ${{ inputs.image_name }}
-  merge-server:
-    runs-on: ubuntu-latest
-    if: ${{ needs.get-tags.outputs.shouldPush == 'true' }}
-    needs:
-      - get-tags
-      - build-server-amd64
-      - build-server-arm64
-    strategy:
-      fail-fast: false
-      matrix:
-        tag: ${{ fromJson(needs.get-tags.outputs.tags) }}
-    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
-      - name: prepare variables
-        uses: ./.github/actions/docker-push-variables
-        id: ev
-        env:
-          DOCKER_USERNAME: ${{ secrets.DOCKER_CORP_USERNAME }}
-        with:
-          image-name: ${{ inputs.image_name }}
-      - name: Login to Docker Hub
-        if: ${{ inputs.registry_dockerhub }}
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3
-        with:
-          username: ${{ secrets.DOCKER_CORP_USERNAME }}
-          password: ${{ secrets.DOCKER_CORP_PASSWORD }}
-      - name: Login to GitHub Container Registry
-        if: ${{ inputs.registry_ghcr }}
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - uses: int128/docker-manifest-create-action@b60433fd4312d7a64a56d769b76ebe3f45cf36b4 # v2
-        id: build
-        with:
-          tags: ${{ matrix.tag }}
-          sources: |
-            ${{ steps.ev.outputs.attestImageNames }}@${{ needs.build-server-amd64.outputs.image-digest }}
-            ${{ steps.ev.outputs.attestImageNames }}@${{ needs.build-server-arm64.outputs.image-digest }}
-      - uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3
-        id: attest
-        with:
-          subject-name: ${{ steps.ev.outputs.attestImageNames }}
-          subject-digest: ${{ steps.build.outputs.digest }}
-          push-to-registry: true
--- a/.github/workflows/api-py-publish.yml
+++ b/.github/workflows/api-py-publish.yml
@@ -0,0 +1,65 @@
+name: authentik-api-py-publish
+on:
+  push:
+    branches: [main]
+    paths:
+      - "schema.yml"
+  workflow_dispatch:
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+    steps:
+      - id: generate_token
+        uses: tibdex/github-app-token@v2
+        with:
+          app_id: ${{ secrets.GH_APP_ID }}
+          private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+      - uses: actions/checkout@v4
+        with:
+          token: ${{ steps.generate_token.outputs.token }}
+      - name: Install poetry & deps
+        shell: bash
+        run: |
+          pipx install poetry || true
+          sudo apt-get update
+          sudo apt-get install --no-install-recommends -y libpq-dev openssl libxmlsec1-dev pkg-config gettext
+      - name: Setup python and restore poetry
+        uses: actions/setup-python@v5
+        with:
+          python-version-file: "pyproject.toml"
+          cache: "poetry"
+      - name: Generate API Client
+        run: make gen-client-py
+      - name: Publish package
+        working-directory: gen-py-api/
+        run: |
+          poetry build
+      - name: Publish package to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          packages-dir: gen-py-api/dist/
+      # We can't easily upgrade the API client being used due to poetry being poetry
+      # so we'll have to rely on dependabot
+      # - name: Upgrade /
+      #   run: |
+      #     export VERSION=$(cd gen-py-api && poetry version -s)
+      #     poetry add "authentik_client=$VERSION" --allow-prereleases --lock
+      # - uses: peter-evans/create-pull-request@v6
+      #   id: cpr
+      #   with:
+      #     token: ${{ steps.generate_token.outputs.token }}
+      #     branch: update-root-api-client
+      #     commit-message: "root: bump API Client version"
+      #     title: "root: bump API Client version"
+      #     body: "root: bump API Client version"
+      #     delete-branch: true
+      #     signoff: true
+      #     # ID from https://api.github.com/users/authentik-automation[bot]
+      #     author: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
+      # - uses: peter-evans/enable-pull-request-automerge@v3
+      #   with:
+      #     token: ${{ steps.generate_token.outputs.token }}
+      #     pull-request-number: ${{ steps.cpr.outputs.pull-request-number }}
+      #     merge-method: squash
--- a/.github/workflows/api-ts-publish.yml
+++ b/.github/workflows/api-ts-publish.yml
@@ -1,32 +1,23 @@
---
-name: API - Publish Typescript client
-
+name: authentik-api-ts-publish
 on:
  push:
    branches: [main]
    paths:
      - "schema.yml"
  workflow_dispatch:
-
-permissions:
-  # Required for NPM OIDC trusted publisher
-  id-token: write
-  contents: read
-
 jobs:
  build:
-    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
    runs-on: ubuntu-latest
    steps:
      - id: generate_token
-        uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2
+        uses: tibdex/github-app-token@v2
        with:
-          app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+          app_id: ${{ secrets.GH_APP_ID }}
+          private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+      - uses: actions/checkout@v4
        with:
          token: ${{ steps.generate_token.outputs.token }}
-      - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v5
+      - uses: actions/setup-node@v4
        with:
          node-version-file: web/package.json
          registry-url: "https://registry.npmjs.org"
@@ -35,8 +26,10 @@ jobs:
      - name: Publish package
        working-directory: gen-ts-api/
        run: |
-          npm i
-          npm publish --tag generated
+          npm ci
+          npm publish
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}
      - name: Upgrade /web
        working-directory: web
        run: |
@@ -47,7 +40,7 @@ jobs:
        run: |
          export VERSION=`node -e 'console.log(require("../gen-ts-api/package.json").version)'`
          npm i @goauthentik/api@$VERSION
-      - uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7
+      - uses: peter-evans/create-pull-request@v6
        id: cpr
        with:
          token: ${{ steps.generate_token.outputs.token }}
@@ -59,8 +52,7 @@ jobs:
          signoff: true
          # ID from https://api.github.com/users/authentik-automation[bot]
          author: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
-          labels: dependencies
-      - uses: peter-evans/enable-pull-request-automerge@a660677d5469627102a1c1e11409dd063606628d # v3
+      - uses: peter-evans/enable-pull-request-automerge@v3
        with:
          token: ${{ steps.generate_token.outputs.token }}
          pull-request-number: ${{ steps.cpr.outputs.pull-request-number }}
--- a/.github/workflows/ci-api-docs.yml
+++ b/.github/workflows/ci-api-docs.yml
@@ -1,95 +0,0 @@
---
-name: CI - API Docs
-
-on:
-  push:
-    branches:
-      - main
-      - next
-      - version-*
-  pull_request:
-    branches:
-      - main
-      - version-*
-
-jobs:
-  lint:
-    runs-on: ubuntu-latest
-    strategy:
-      fail-fast: false
-      matrix:
-        command:
-          - prettier-check
-    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
-      - name: Install Dependencies
-        working-directory: website/
-        run: npm ci
-      - name: Lint
-        working-directory: website/
-        run: npm run ${{ matrix.command }}
-  build:
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
-      - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v5
-        with:
-          node-version-file: website/package.json
-          cache: "npm"
-          cache-dependency-path: website/package-lock.json
-      - working-directory: website/
-        name: Install Dependencies
-        run: npm ci
-      - uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
-        with:
-          path: |
-            ${{ github.workspace }}/website/api/.docusaurus
-            ${{ github.workspace }}/website/api/**/.cache
-          key: |
-            ${{ runner.os }}-docusaurus-${{ hashFiles('**/package-lock.json') }}-${{ hashFiles('**.[jt]s', '**.[jt]sx') }}
-          restore-keys: |
-            ${{ runner.os }}-docusaurus-${{ hashFiles('**/package-lock.json') }}
-      - name: Build API Docs via Docusaurus
-        working-directory: website
-        env:
-          NODE_ENV: production
-        run: npm run build -w api
-      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
-        with:
-          name: api-docs
-          path: website/api/build
-          retention-days: 7
-  deploy:
-    runs-on: ubuntu-latest
-    needs:
-      - lint
-      - build
-    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
-      - uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5
-        with:
-          name: api-docs
-          path: website/api/build
-      - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v5
-        with:
-          node-version-file: website/package.json
-          cache: "npm"
-          cache-dependency-path: website/package-lock.json
-      - name: Deploy Netlify (Production)
-        working-directory: website/api
-        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
-        env:
-          NETLIFY_SITE_ID: authentik-api-docs.netlify.app
-          NETLIFY_AUTH_TOKEN: ${{ secrets.NETLIFY_AUTH_TOKEN }}
-        run: npx netlify deploy --no-build --prod
-      - name: Deploy Netlify (Preview)
-        if: github.event_name == 'pull_request' || github.ref != 'refs/heads/main'
-        working-directory: website/api
-        env:
-          NETLIFY_SITE_ID: authentik-api-docs.netlify.app
-          NETLIFY_AUTH_TOKEN: ${{ secrets.NETLIFY_AUTH_TOKEN }}
-        run: |
-          if [ -n "${VAR}" ]; then
-            npx netlify deploy --no-build --alias=deploy-preview-${{ github.event.number }}
-          fi
--- a/.github/workflows/ci-aws-cfn.yml
+++ b/.github/workflows/ci-aws-cfn.yml
@@ -1,47 +0,0 @@
---
-name: CI - AWS cfn
-
-on:
-  push:
-    branches:
-      - main
-      - next
-      - version-*
-  pull_request:
-    branches:
-      - main
-      - version-*
-
-env:
-  POSTGRES_DB: authentik
-  POSTGRES_USER: authentik
-  POSTGRES_PASSWORD: "EK-5jnKfjrGRm<77"
-
-jobs:
-  check-changes-applied:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
-      - name: Setup authentik env
-        uses: ./.github/actions/setup
-      - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v5
-        with:
-          node-version-file: lifecycle/aws/package.json
-          cache: "npm"
-          cache-dependency-path: lifecycle/aws/package-lock.json
-      - working-directory: lifecycle/aws/
-        run: |
-          npm ci
-      - name: Check changes have been applied
-        run: |
-          uv run make aws-cfn
-          git diff --exit-code lifecycle/aws/template.yaml
-  ci-aws-cfn-mark:
-    if: always()
-    needs:
-      - check-changes-applied
-    runs-on: ubuntu-latest
-    steps:
-      - uses: re-actors/alls-green@release/v1
-        with:
-          jobs: ${{ toJSON(needs) }}
--- a/.github/workflows/ci-docs.yml
+++ b/.github/workflows/ci-docs.yml
@@ -1,124 +0,0 @@
---
-name: CI - Docs
-
-on:
-  push:
-    branches:
-      - main
-      - next
-      - version-*
-  pull_request:
-    branches:
-      - main
-      - version-*
-
-jobs:
-  lint:
-    runs-on: ubuntu-latest
-    strategy:
-      fail-fast: false
-      matrix:
-        command:
-          - prettier-check
-    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
-      - name: Install dependencies
-        working-directory: website/
-        run: npm ci
-      - name: Lint
-        working-directory: website/
-        run: npm run ${{ matrix.command }}
-  build-docs:
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
-      - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v5
-        with:
-          node-version-file: website/package.json
-          cache: "npm"
-          cache-dependency-path: website/package-lock.json
-      - working-directory: website/
-        name: Install Dependencies
-        run: npm ci
-      - name: Build Documentation via Docusaurus
-        working-directory: website/
-        run: npm run build
-  build-integrations:
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
-      - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v5
-        with:
-          node-version-file: website/package.json
-          cache: "npm"
-          cache-dependency-path: website/package-lock.json
-      - working-directory: website/
-        name: Install Dependencies
-        run: npm ci
-      - name: Build Integrations via Docusaurus
-        working-directory: website/
-        run: npm run build -w integrations
-  build-container:
-    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
-    runs-on: ubuntu-latest
-    permissions:
-      # Needed to upload container images to ghcr.io
-      packages: write
-      # Needed for attestation
-      id-token: write
-      attestations: write
-    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
-        with:
-          ref: ${{ github.event.pull_request.head.sha }}
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3
-      - name: prepare variables
-        uses: ./.github/actions/docker-push-variables
-        id: ev
-        env:
-          DOCKER_USERNAME: ${{ secrets.DOCKER_CORP_USERNAME }}
-        with:
-          image-name: ghcr.io/goauthentik/dev-docs
-      - name: Login to Container Registry
-        if: ${{ steps.ev.outputs.shouldPush == 'true' }}
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Build Docker Image
-        id: push
-        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6
-        with:
-          tags: ${{ steps.ev.outputs.imageTags }}
-          file: website/Dockerfile
-          push: ${{ steps.ev.outputs.shouldPush == 'true' }}
-          platforms: linux/amd64,linux/arm64
-          context: .
-          cache-from: type=registry,ref=ghcr.io/goauthentik/dev-docs:buildcache
-          cache-to: ${{ steps.ev.outputs.shouldPush == 'true' && 'type=registry,ref=ghcr.io/goauthentik/dev-docs:buildcache,mode=max' || '' }}
-      - uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3
-        id: attest
-        if: ${{ steps.ev.outputs.shouldPush == 'true' }}
-        with:
-          subject-name: ${{ steps.ev.outputs.attestImageNames }}
-          subject-digest: ${{ steps.push.outputs.digest }}
-          push-to-registry: true
-  ci-website-mark:
-    if: always()
-    needs:
-      - lint
-      - build-docs
-      - build-integrations
-      - build-container
-    runs-on: ubuntu-latest
-    steps:
-      - uses: re-actors/alls-green@release/v1
-        with:
-          jobs: ${{ toJSON(needs) }}
-          allowed-skips: ${{ github.repository == 'goauthentik/authentik-internal' && 'build-container' || '[]' }}
--- a/.github/workflows/ci-main-daily.yml
+++ b/.github/workflows/ci-main-daily.yml
@@ -1,29 +0,0 @@
---
-name: CI - Main daily
-
-on:
-  workflow_dispatch:
-  schedule:
-    # Every night at 3am
-    - cron: "0 3 * * *"
-
-jobs:
-  test-container:
-    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
-    runs-on: ubuntu-latest
-    strategy:
-      fail-fast: false
-      matrix:
-        version:
-          - docs
-          - version-2025-4
-          - version-2025-2
-    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
-      - run: |
-          current="$(pwd)"
-          dir="/tmp/authentik/${{ matrix.version }}"
-          mkdir -p $dir
-          cd $dir
-          wget https://${{ matrix.version }}.goauthentik.io/docker-compose.yml
-          ${current}/scripts/test_docker.sh
--- a/.github/workflows/ci-main.yml
+++ b/.github/workflows/ci-main.yml
@@ -1,5 +1,5 @@
 ---
-name: CI - Main
+name: authentik-ci-main

 on:
  push:
@@ -17,12 +17,6 @@ env:
  POSTGRES_USER: authentik
  POSTGRES_PASSWORD: "EK-5jnKfjrGRm<77"

-permissions:
-  # Needed for checkout
-  contents: read
-  # Needed for codecov OIDC token
-  id-token: write
-
 jobs:
  lint:
    strategy:
@@ -34,48 +28,38 @@ jobs:
          - codespell
          - pending-migrations
          - ruff
-          - mypy
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@v4
      - name: Setup authentik env
        uses: ./.github/actions/setup
      - name: run job
-        run: uv run make ci-${{ matrix.job }}
+        run: poetry run make ci-${{ matrix.job }}
  test-migrations:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@v4
      - name: Setup authentik env
        uses: ./.github/actions/setup
      - name: run migrations
-        run: uv run python -m lifecycle.migrate
-  test-make-seed:
-    runs-on: ubuntu-latest
-    steps:
-      - id: seed
-        run: |
-          echo "seed=$(printf "%d\n" "0x$(openssl rand -hex 4)")" >> "$GITHUB_OUTPUT"
-    outputs:
-      seed: ${{ steps.seed.outputs.seed }}
+        run: poetry run python -m lifecycle.migrate
  test-migrations-from-stable:
-    name: test-migrations-from-stable - PostgreSQL ${{ matrix.psql }} - Run ${{ matrix.run_id }}/5
+    name: test-migrations-from-stable - PostgreSQL ${{ matrix.psql }}
    runs-on: ubuntu-latest
-    timeout-minutes: 30
-    needs: test-make-seed
    strategy:
      fail-fast: false
      matrix:
        psql:
-          - 14-alpine
-          - 18-alpine
-        run_id: [1, 2, 3, 4, 5]
+          - 15-alpine
+          - 16-alpine
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: checkout stable
        run: |
+          # Delete all poetry envs
+          rm -rf /home/runner/.cache/pypoetry
          # Copy current, latest config to local
          cp authentik/lib/default.yml local.env.yml
          cp -R .github ..
@@ -88,7 +72,7 @@ jobs:
        with:
          postgresql_version: ${{ matrix.psql }}
      - name: run migrations to stable
-        run: uv run python -m lifecycle.migrate
+        run: poetry run python -m lifecycle.migrate
      - name: checkout current code
        run: |
          set -x
@@ -96,72 +80,64 @@ jobs:
          git reset --hard HEAD
          git clean -d -fx .
          git checkout $GITHUB_SHA
+          # Delete previous poetry env
+          rm -rf /home/runner/.cache/pypoetry/virtualenvs/*
      - name: Setup authentik env (ensure latest deps are installed)
        uses: ./.github/actions/setup
        with:
          postgresql_version: ${{ matrix.psql }}
      - name: migrate to latest
        run: |
-          uv run python -m lifecycle.migrate
+          poetry run python -m lifecycle.migrate
      - name: run tests
        env:
          # Test in the main database that we just migrated from the previous stable version
          AUTHENTIK_POSTGRESQL__TEST__NAME: authentik
-          CI_TEST_SEED: ${{ needs.test-make-seed.outputs.seed }}
-          CI_RUN_ID: ${{ matrix.run_id }}
-          CI_TOTAL_RUNS: "5"
        run: |
-          uv run make ci-test
-      - uses: ./.github/actions/test-results
-        if: ${{ always() }}
-        with:
-          flags: unit-migrate
+          poetry run make test
  test-unittest:
-    name: test-unittest - PostgreSQL ${{ matrix.psql }} - Run ${{ matrix.run_id }}/5
+    name: test-unittest - PostgreSQL ${{ matrix.psql }}
    runs-on: ubuntu-latest
    timeout-minutes: 30
-    needs: test-make-seed
    strategy:
      fail-fast: false
      matrix:
        psql:
-          - 14-alpine
-          - 18-alpine
-        run_id: [1, 2, 3, 4, 5]
+          - 15-alpine
+          - 16-alpine
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@v4
      - name: Setup authentik env
        uses: ./.github/actions/setup
        with:
          postgresql_version: ${{ matrix.psql }}
      - name: run unittest
-        env:
-          CI_TEST_SEED: ${{ needs.test-make-seed.outputs.seed }}
-          CI_RUN_ID: ${{ matrix.run_id }}
-          CI_TOTAL_RUNS: "5"
        run: |
-          uv run make ci-test
-      - uses: ./.github/actions/test-results
-        if: ${{ always() }}
+          poetry run make test
+          poetry run coverage xml
+      - if: ${{ always() }}
+        uses: codecov/codecov-action@v4
        with:
          flags: unit
+          token: ${{ secrets.CODECOV_TOKEN }}
  test-integration:
    runs-on: ubuntu-latest
    timeout-minutes: 30
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@v4
      - name: Setup authentik env
        uses: ./.github/actions/setup
      - name: Create k8s Kind Cluster
-        uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3 # v1.12.0
+        uses: helm/kind-action@v1.10.0
      - name: run integration
        run: |
-          uv run coverage run manage.py test tests/integration
-          uv run coverage xml
-      - uses: ./.github/actions/test-results
-        if: ${{ always() }}
+          poetry run coverage run manage.py test tests/integration
+          poetry run coverage xml
+      - if: ${{ always() }}
+        uses: codecov/codecov-action@v4
        with:
          flags: integration
+          token: ${{ secrets.CODECOV_TOKEN }}
  test-e2e:
    name: test-e2e (${{ matrix.job.name }})
    runs-on: ubuntu-latest
@@ -187,17 +163,17 @@ jobs:
          - name: flows
            glob: tests/e2e/test_flows*
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@v4
      - name: Setup authentik env
        uses: ./.github/actions/setup
      - name: Setup e2e env (chrome, etc)
        run: |
-          docker compose -f tests/e2e/docker-compose.yml up -d --quiet-pull
+          docker compose -f tests/e2e/docker-compose.yml up -d
      - id: cache-web
-        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
+        uses: actions/cache@v4
        with:
          path: web/dist
-          key: ${{ runner.os }}-web-${{ hashFiles('web/package-lock.json', 'package-lock.json', 'web/src/**', 'web/packages/sfe/src/**') }}-b
+          key: ${{ runner.os }}-web-${{ hashFiles('web/package-lock.json', 'web/src/**') }}
      - name: prepare web ui
        if: steps.cache-web.outputs.cache-hit != 'true'
        working-directory: web
@@ -205,17 +181,16 @@ jobs:
          npm ci
          make -C .. gen-client-ts
          npm run build
-          npm run build:sfe
      - name: run e2e
        run: |
-          uv run coverage run manage.py test ${{ matrix.job.glob }}
-          uv run coverage xml
-      - uses: ./.github/actions/test-results
-        if: ${{ always() }}
+          poetry run coverage run manage.py test ${{ matrix.job.glob }}
+          poetry run coverage xml
+      - if: ${{ always() }}
+        uses: codecov/codecov-action@v4
        with:
          flags: e2e
+          token: ${{ secrets.CODECOV_TOKEN }}
  ci-core-mark:
-    if: always()
    needs:
      - lint
      - test-migrations
@@ -225,24 +200,70 @@ jobs:
      - test-e2e
    runs-on: ubuntu-latest
    steps:
-      - uses: re-actors/alls-green@release/v1
-        with:
-          jobs: ${{ toJSON(needs) }}
+      - run: echo mark
  build:
+    strategy:
+      fail-fast: false
+      matrix:
+        arch:
+          - amd64
+          - arm64
+    needs: ci-core-mark
+    runs-on: ubuntu-latest
    permissions:
-      # Needed to upload container images to ghcr.io
+      # Needed to upload contianer images to ghcr.io
      packages: write
      # Needed for attestation
      id-token: write
      attestations: write
-      # Needed for checkout
-      contents: read
-    needs: ci-core-mark
-    uses: ./.github/workflows/_reusable-docker-build.yml
-    secrets: inherit
-    with:
-      image_name: ${{ github.repository == 'goauthentik/authentik-internal' && 'ghcr.io/goauthentik/internal-server' || 'ghcr.io/goauthentik/dev-server' }}
-      release: false
+    timeout-minutes: 120
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3.2.0
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: prepare variables
+        uses: ./.github/actions/docker-push-variables
+        id: ev
+        env:
+          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+        with:
+          image-name: ghcr.io/goauthentik/dev-server
+          image-arch: ${{ matrix.arch }}
+      - name: Login to Container Registry
+        if: ${{ steps.ev.outputs.shouldBuild == 'true' }}
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: generate ts client
+        run: make gen-client-ts
+      - name: Build Docker Image
+        uses: docker/build-push-action@v6
+        id: push
+        with:
+          context: .
+          secrets: |
+            GEOIPUPDATE_ACCOUNT_ID=${{ secrets.GEOIPUPDATE_ACCOUNT_ID }}
+            GEOIPUPDATE_LICENSE_KEY=${{ secrets.GEOIPUPDATE_LICENSE_KEY }}
+          tags: ${{ steps.ev.outputs.imageTags }}
+          push: ${{ steps.ev.outputs.shouldBuild == 'true' }}
+          build-args: |
+            GIT_BUILD_HASH=${{ steps.ev.outputs.sha }}
+          cache-from: type=registry,ref=ghcr.io/goauthentik/dev-server:buildcache
+          cache-to: ${{ steps.ev.outputs.shouldBuild == 'true' && 'type=registry,ref=ghcr.io/goauthentik/dev-server:buildcache,mode=max' || '' }}
+          platforms: linux/${{ matrix.arch }}
+      - uses: actions/attest-build-provenance@v1
+        id: attest
+        if: ${{ steps.ev.outputs.shouldBuild == 'true' }}
+        with:
+          subject-name: ${{ steps.ev.outputs.attestImageNames }}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true
  pr-comment:
    needs:
      - build
@@ -253,18 +274,18 @@ jobs:
      pull-requests: write
    timeout-minutes: 120
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - name: prepare variables
        uses: ./.github/actions/docker-push-variables
        id: ev
        env:
-          DOCKER_USERNAME: ${{ secrets.DOCKER_CORP_USERNAME }}
+          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
        with:
          image-name: ghcr.io/goauthentik/dev-server
      - name: Comment on PR
-        if: ${{ steps.ev.outputs.shouldPush == 'true' }}
+        if: ${{ steps.ev.outputs.shouldBuild == 'true' }}
        uses: ./.github/actions/comment-pr-instructions
        with:
          tag: ${{ steps.ev.outputs.imageMainTag }}
--- a/.github/workflows/ci-outpost.yml
+++ b/.github/workflows/ci-outpost.yml
@@ -1,5 +1,5 @@
 ---
-name: CI - Outpost
+name: authentik-ci-outpost

 on:
  push:
@@ -12,17 +12,12 @@ on:
      - main
      - version-*

-env:
-  POSTGRES_DB: authentik
-  POSTGRES_USER: authentik
-  POSTGRES_PASSWORD: "EK-5jnKfjrGRm<77"
-
 jobs:
  lint-golint:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
-      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
        with:
          go-version-file: "go.mod"
      - name: Prepare and generate API
@@ -34,7 +29,7 @@ jobs:
      - name: Generate API
        run: make gen-client-go
      - name: golangci-lint
-        uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8
+        uses: golangci/golangci-lint-action@v6
        with:
          version: latest
          args: --timeout 5000s --verbose
@@ -42,32 +37,25 @@ jobs:
  test-unittest:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
-      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
        with:
          go-version-file: "go.mod"
      - name: Setup authentik env
        uses: ./.github/actions/setup
      - name: Generate API
        run: make gen-client-go
-      - name: prepare database
-        run: |
-          uv run make migrate
      - name: Go unittests
        run: |
          go test -timeout 0 -v -race -coverprofile=coverage.out -covermode=atomic -cover ./...
  ci-outpost-mark:
-    if: always()
    needs:
      - lint-golint
      - test-unittest
    runs-on: ubuntu-latest
    steps:
-      - uses: re-actors/alls-green@release/v1
-        with:
-          jobs: ${{ toJSON(needs) }}
+      - run: echo mark
  build-container:
-    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
    timeout-minutes: 120
    needs:
      - ci-outpost-mark
@@ -81,29 +69,29 @@ jobs:
          - rac
    runs-on: ubuntu-latest
    permissions:
-      # Needed to upload container images to ghcr.io
+      # Needed to upload contianer images to ghcr.io
      packages: write
      # Needed for attestation
      id-token: write
      attestations: write
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - name: Set up QEMU
-        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
+        uses: docker/setup-qemu-action@v3.2.0
      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3
+        uses: docker/setup-buildx-action@v3
      - name: prepare variables
        uses: ./.github/actions/docker-push-variables
        id: ev
        env:
-          DOCKER_USERNAME: ${{ secrets.DOCKER_CORP_USERNAME }}
+          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
        with:
          image-name: ghcr.io/goauthentik/dev-${{ matrix.type }}
      - name: Login to Container Registry
-        if: ${{ steps.ev.outputs.shouldPush == 'true' }}
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3
+        if: ${{ steps.ev.outputs.shouldBuild == 'true' }}
+        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
@@ -112,20 +100,20 @@ jobs:
        run: make gen-client-go
      - name: Build Docker Image
        id: push
-        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6
+        uses: docker/build-push-action@v6
        with:
          tags: ${{ steps.ev.outputs.imageTags }}
          file: ${{ matrix.type }}.Dockerfile
-          push: ${{ steps.ev.outputs.shouldPush == 'true' }}
+          push: ${{ steps.ev.outputs.shouldBuild == 'true' }}
          build-args: |
            GIT_BUILD_HASH=${{ steps.ev.outputs.sha }}
          platforms: linux/amd64,linux/arm64
          context: .
          cache-from: type=registry,ref=ghcr.io/goauthentik/dev-${{ matrix.type }}:buildcache
-          cache-to: ${{ steps.ev.outputs.shouldPush == 'true' && format('type=registry,ref=ghcr.io/goauthentik/dev-{0}:buildcache,mode=max', matrix.type) || '' }}
-      - uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3
+          cache-to: ${{ steps.ev.outputs.shouldBuild == 'true' && format('type=registry,ref=ghcr.io/goauthentik/dev-{0}:buildcache,mode=max', matrix.type) || '' }}
+      - uses: actions/attest-build-provenance@v1
        id: attest
-        if: ${{ steps.ev.outputs.shouldPush == 'true' }}
+        if: ${{ steps.ev.outputs.shouldBuild == 'true' }}
        with:
          subject-name: ${{ steps.ev.outputs.attestImageNames }}
          subject-digest: ${{ steps.push.outputs.digest }}
@@ -146,13 +134,13 @@ jobs:
        goos: [linux]
        goarch: [amd64, arm64]
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
-      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6
+      - uses: actions/setup-go@v5
        with:
          go-version-file: "go.mod"
-      - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v5
+      - uses: actions/setup-node@v4
        with:
          node-version-file: web/package.json
          cache: "npm"
--- a/.github/workflows/ci-web.yml
+++ b/.github/workflows/ci-web.yml
@@ -1,5 +1,4 @@
---
-name: CI - Web
+name: authentik-ci-web

 on:
  push:
@@ -25,14 +24,20 @@ jobs:
          - prettier-check
        project:
          - web
+          - tests/wdio
        include:
          - command: tsc
            project: web
          - command: lit-analyse
            project: web
+        exclude:
+          - command: lint:lockfile
+            project: tests/wdio
+          - command: tsc
+            project: tests/wdio
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
-      - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v5
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
        with:
          node-version-file: ${{ matrix.project }}/package.json
          cache: "npm"
@@ -40,16 +45,25 @@ jobs:
      - working-directory: ${{ matrix.project }}/
        run: |
          npm ci
+          ${{ matrix.extra_setup }}
      - name: Generate API
        run: make gen-client-ts
      - name: Lint
        working-directory: ${{ matrix.project }}/
        run: npm run ${{ matrix.command }}
-  build:
+  ci-web-mark:
+    needs:
+      - lint
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
-      - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v5
+      - run: echo mark
+  build:
+    needs:
+      - ci-web-mark
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
        with:
          node-version-file: web/package.json
          cache: "npm"
@@ -61,23 +75,13 @@ jobs:
      - name: build
        working-directory: web/
        run: npm run build
-  ci-web-mark:
-    if: always()
-    needs:
-      - build
-      - lint
-    runs-on: ubuntu-latest
-    steps:
-      - uses: re-actors/alls-green@release/v1
-        with:
-          jobs: ${{ toJSON(needs) }}
  test:
    needs:
      - ci-web-mark
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
-      - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v5
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
        with:
          node-version-file: web/package.json
          cache: "npm"
--- a/.github/workflows/ci-website.yml
+++ b/.github/workflows/ci-website.yml
@@ -0,0 +1,71 @@
+name: authentik-ci-website
+
+on:
+  push:
+    branches:
+      - main
+      - next
+      - version-*
+  pull_request:
+    branches:
+      - main
+      - version-*
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        command:
+          - lint:lockfile
+          - prettier-check
+    steps:
+      - uses: actions/checkout@v4
+      - working-directory: website/
+        run: npm ci
+      - name: Lint
+        working-directory: website/
+        run: npm run ${{ matrix.command }}
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version-file: website/package.json
+          cache: "npm"
+          cache-dependency-path: website/package-lock.json
+      - working-directory: website/
+        run: npm ci
+      - name: test
+        working-directory: website/
+        run: npm test
+  build:
+    runs-on: ubuntu-latest
+    name: ${{ matrix.job }}
+    strategy:
+      fail-fast: false
+      matrix:
+        job:
+          - build
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version-file: website/package.json
+          cache: "npm"
+          cache-dependency-path: website/package-lock.json
+      - working-directory: website/
+        run: npm ci
+      - name: build
+        working-directory: website/
+        run: npm run ${{ matrix.job }}
+  ci-website-mark:
+    needs:
+      - lint
+      - test
+      - build
+    runs-on: ubuntu-latest
+    steps:
+      - run: echo mark
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -1,9 +1,8 @@
---
-name: QA - CodeQL
+name: "CodeQL"

 on:
  push:
-    branches: [main, next, version*]
+    branches: [main, "*", next, version*]
  pull_request:
    branches: [main]
  schedule:
@@ -24,14 +23,14 @@ jobs:
        language: ["go", "javascript", "python"]
    steps:
      - name: Checkout repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        uses: actions/checkout@v4
      - name: Setup authentik env
        uses: ./.github/actions/setup
      - name: Initialize CodeQL
-        uses: github/codeql-action/init@v4
+        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
      - name: Autobuild
-        uses: github/codeql-action/autobuild@v4
+        uses: github/codeql-action/autobuild@v3
      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v4
+        uses: github/codeql-action/analyze@v3
--- a/.github/workflows/gen-update-webauthn-mds.yml
+++ b/.github/workflows/gen-update-webauthn-mds.yml
@@ -1,10 +1,8 @@
---
-name: Gen - Webauthn MDS
-
+name: authentik-gen-update-webauthn-mds
 on:
  workflow_dispatch:
  schedule:
-    - cron: "30 1 1,15 * *"
+    - cron: '30 1 1,15 * *'

 env:
  POSTGRES_DB: authentik
@@ -13,21 +11,20 @@ env:

 jobs:
  build:
-    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
    runs-on: ubuntu-latest
    steps:
      - id: generate_token
-        uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2
+        uses: tibdex/github-app-token@v2
        with:
-          app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+          app_id: ${{ secrets.GH_APP_ID }}
+          private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+      - uses: actions/checkout@v4
        with:
          token: ${{ steps.generate_token.outputs.token }}
      - name: Setup authentik env
        uses: ./.github/actions/setup
-      - run: uv run ak update_webauthn_mds
-      - uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7
+      - run: poetry run ak update_webauthn_mds
+      - uses: peter-evans/create-pull-request@v6
        id: cpr
        with:
          token: ${{ steps.generate_token.outputs.token }}
@@ -39,8 +36,7 @@ jobs:
          signoff: true
          # ID from https://api.github.com/users/authentik-automation[bot]
          author: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
-          labels: dependencies
-      - uses: peter-evans/enable-pull-request-automerge@a660677d5469627102a1c1e11409dd063606628d # v3
+      - uses: peter-evans/enable-pull-request-automerge@v3
        with:
          token: ${{ steps.generate_token.outputs.token }}
          pull-request-number: ${{ steps.cpr.outputs.pull-request-number }}
--- a/.github/workflows/gh-cherry-pick.yml
+++ b/.github/workflows/gh-cherry-pick.yml
@@ -1,36 +0,0 @@
-name: GH - Cherry-pick
-
-on:
-  pull_request_target:
-    types: [closed, labeled]
-
-jobs:
-  cherry-pick:
-    runs-on: ubuntu-latest
-    steps:
-      - id: app-token
-        name: Generate app token
-        uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2
-        if: ${{ env.GH_APP_ID != '' }}
-        with:
-          app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-        env:
-          GH_APP_ID: ${{ secrets.GH_APP_ID }}
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
-        if: ${{ steps.app-token.outcome != 'skipped' }}
-        with:
-          fetch-depth: 0
-          token: "${{ steps.app-token.outputs.token }}"
-      - id: get-user-id
-        if: ${{ steps.app-token.outcome != 'skipped' }}
-        name: Get GitHub app user ID
-        run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
-        env:
-          GH_TOKEN: "${{ steps.app-token.outputs.token }}"
-      - uses: ./.github/actions/cherry-pick
-        if: ${{ steps.app-token.outcome != 'skipped' }}
-        with:
-          token: ${{ steps.app-token.outputs.token }}
-          git_user: ${{ steps.app-token.outputs.app-slug }}[bot]
-          git_user_email: '${{ steps.get-user-id.outputs.user-id }}+${{ steps.app-token.outputs.app-slug }}[bot]@users.noreply.github.com'
--- a/.github/workflows/gh-gha-cache-cleanup.yml
+++ b/.github/workflows/gh-gha-cache-cleanup.yml
@@ -1,7 +1,6 @@
 ---
 # See https://docs.github.com/en/actions/using-workflows/caching-dependencies-to-speed-up-workflows#force-deleting-cache-entries
-name: GH - Cleanup actions cache after PR is closed
-
+name: Cleanup cache after PR is closed
 on:
  pull_request:
    types:
@@ -16,7 +15,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Check out code
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        uses: actions/checkout@v4

      - name: Cleanup
        run: |
--- a/.github/workflows/gh-ghcr-retention.yml
+++ b/.github/workflows/gh-ghcr-retention.yml
@@ -1,5 +1,4 @@
---
-name: GH - GHCR retention
+name: ghcr-retention

 on:
  # schedule:
@@ -8,17 +7,16 @@ on:

 jobs:
  clean-ghcr:
-    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
    name: Delete old unused container images
    runs-on: ubuntu-latest
    steps:
      - id: generate_token
-        uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2
+        uses: tibdex/github-app-token@v2
        with:
-          app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+          app_id: ${{ secrets.GH_APP_ID }}
+          private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
      - name: Delete 'dev' containers older than a week
-        uses: snok/container-retention-policy@3b0972b2276b171b212f8c4efbca59ebba26eceb # v2
+        uses: snok/container-retention-policy@v2
        with:
          image-names: dev-server,dev-ldap,dev-proxy
          cut-off: One week ago UTC
--- a/.github/workflows/gen-image-compress.yml
+++ b/.github/workflows/gen-image-compress.yml
@@ -1,5 +1,5 @@
 ---
-name: Gen - Compress images
+name: authentik-compress-images

 on:
  push:
@@ -29,32 +29,31 @@ jobs:
       github.event.pull_request.head.repo.full_name == github.repository)
    steps:
      - id: generate_token
-        uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2
+        uses: tibdex/github-app-token@v2
        with:
-          app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+          app_id: ${{ secrets.GH_APP_ID }}
+          private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+      - uses: actions/checkout@v4
        with:
          token: ${{ steps.generate_token.outputs.token }}
      - name: Compress images
        id: compress
-        uses: calibreapp/image-actions@05b1cf44e88c3b041b841452482df9497f046ef7 # main
+        uses: calibreapp/image-actions@main
        with:
-          GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
+          githubToken: ${{ steps.generate_token.outputs.token }}
          compressOnly: ${{ github.event_name != 'pull_request' }}
-      - uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7
+      - uses: peter-evans/create-pull-request@v6
        if: "${{ github.event_name != 'pull_request' && steps.compress.outputs.markdown != '' }}"
        id: cpr
        with:
          token: ${{ steps.generate_token.outputs.token }}
          title: "*: Auto compress images"
          branch-suffix: timestamp
-          commit-message: "*: compress images"
+          commit-messsage: "*: compress images"
          body: ${{ steps.compress.outputs.markdown }}
          delete-branch: true
          signoff: true
-          labels: dependencies
-      - uses: peter-evans/enable-pull-request-automerge@a660677d5469627102a1c1e11409dd063606628d # v3
+      - uses: peter-evans/enable-pull-request-automerge@v3
        if: "${{ github.event_name != 'pull_request' && steps.compress.outputs.markdown != '' }}"
        with:
          token: ${{ steps.generate_token.outputs.token }}
--- a/.github/workflows/packages-npm-publish.yml
+++ b/.github/workflows/packages-npm-publish.yml
@@ -1,53 +0,0 @@
---
-name: Packages - Publish NPM packages
-
-on:
-  push:
-    branches: [main]
-    paths:
-      - packages/docusaurus-config/**
-      - packages/eslint-config/**
-      - packages/prettier-config/**
-      - packages/tsconfig/**
-      - packages/esbuild-plugin-live-reload/**
-  workflow_dispatch:
-
-permissions:
-  # Required for NPM OIDC trusted publisher
-  id-token: write
-  contents: read
-
-jobs:
-  publish:
-    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
-    runs-on: ubuntu-latest
-    strategy:
-      fail-fast: false
-      matrix:
-        package:
-          - packages/docusaurus-config
-          - packages/eslint-config
-          - packages/prettier-config
-          - packages/tsconfig
-          - packages/esbuild-plugin-live-reload
-    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
-        with:
-          fetch-depth: 2
-      - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v5
-        with:
-          node-version-file: ${{ matrix.package }}/package.json
-          registry-url: "https://registry.npmjs.org"
-      - name: Get changed files
-        id: changed-files
-        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # 24d32ffd492484c1d75e0c0b894501ddb9d30d62
-        with:
-          files: |
-            ${{ matrix.package }}/package.json
-      - name: Publish package
-        if: steps.changed-files.outputs.any_changed == 'true'
-        working-directory: ${{ matrix.package }}
-        run: |
-          npm ci
-          npm run build
-          npm publish
--- a/.github/workflows/publish-source-docs.yml
+++ b/.github/workflows/publish-source-docs.yml
@@ -1,5 +1,4 @@
---
-name: CI - Source code docs
+name: authentik-publish-source-docs

 on:
  push:
@@ -13,21 +12,20 @@ env:

 jobs:
  publish-source-docs:
-    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
    runs-on: ubuntu-latest
    timeout-minutes: 120
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@v4
      - name: Setup authentik env
        uses: ./.github/actions/setup
      - name: generate docs
        run: |
-          uv run make migrate
-          uv run ak build_source_docs
+          poetry run make migrate
+          poetry run ak build_source_docs
      - name: Publish
+        uses: netlify/actions/cli@master
+        with:
+          args: deploy --dir=source_docs --prod
        env:
          NETLIFY_SITE_ID: eb246b7b-1d83-4f69-89f7-01a936b4ca59
          NETLIFY_AUTH_TOKEN: ${{ secrets.NETLIFY_AUTH_TOKEN }}
-        run: |
-          npm install -g netlify-cli
-          netlify deploy --dir=source_docs --prod
--- a/.github/workflows/qa-semgrep.yml
+++ b/.github/workflows/qa-semgrep.yml
@@ -1,30 +0,0 @@
---
-name: QA - Semgrep
-
-on:
-  workflow_dispatch: {}
-  pull_request: {}
-  push:
-    branches:
-      - main
-      - master
-    paths:
-      - .github/workflows/qa-semgrep.yml
-  schedule:
-    # random HH:MM to avoid a load spike on GitHub Actions at 00:00
-    - cron: '12 15 * * *'
-
-jobs:
-  semgrep:
-    name: semgrep/ci
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    env:
-      SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
-    container:
-      image: semgrep/semgrep
-    if: (github.actor != 'dependabot[bot]')
-    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
-      - run: semgrep ci
--- a/.github/workflows/release-branch-off.yml
+++ b/.github/workflows/release-branch-off.yml
@@ -1,86 +0,0 @@
---
-name: Release - Branch-off
-
-on:
-  workflow_dispatch:
-    inputs:
-      next_version:
-        description: Next major version (for example, if releasing 2042.2, this is 2042.4)
-        required: true
-        type: string
-
-env:
-  POSTGRES_DB: authentik
-  POSTGRES_USER: authentik
-  POSTGRES_PASSWORD: "EK-5jnKfjrGRm<77"
-
-jobs:
-  check-inputs:
-    name: Check inputs validity
-    runs-on: ubuntu-latest
-    steps:
-      - run: |
-          echo "${{ inputs.next_version }}" | grep -E "^[0-9]{4}\.[0-9]{1,2}$"
-  branch-off:
-    name: Branch-off
-    needs:
-      - check-inputs
-    runs-on: ubuntu-latest
-    steps:
-      - id: app-token
-        name: Generate app token
-        uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2
-        with:
-          app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-      - name: Checkout main
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
-        with:
-          ref: main
-          token: "${{ steps.app-token.outputs.token }}"
-      - name: Setup authentik env
-        uses: ./.github/actions/setup
-        with:
-          dependencies: python
-      - name: Create version branch
-        env:
-          GH_TOKEN: "${{ steps.app-token.outputs.token }}"
-        run: |
-          current_major_version="$(uv version --short | grep -oE "^[0-9]{4}\.[0-9]{1,2}")"
-          git checkout -b "version-${current_major_version}"
-          git push origin "version-${current_major_version}"
-          gh label create "backport/version-${current_major_version}" --description "Add this label to PRs to backport changes to version-${current_major_version}" --color "fbca04"
-  bump-version-pr:
-    name: Open version bump PR
-    needs:
-      - branch-off
-    runs-on: ubuntu-latest
-    steps:
-      - id: generate_token
-        uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2
-        with:
-          app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-      - name: Checkout main
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
-        with:
-          ref: main
-          token: ${{ steps.generate_token.outputs.token }}
-      - name: Setup authentik env
-        uses: ./.github/actions/setup
-      - name: Run migrations
-        run: make migrate
-      - name: Bump version
-        run: "make bump version=${{ inputs.next_version }}.0-rc1"
-      - name: Create pull request
-        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7
-        with:
-          token: ${{ steps.generate_token.outputs.token }}
-          branch: release-bump-${{ inputs.next_version }}
-          commit-message: "root: bump version to ${{ inputs.next_version }}.0-rc1"
-          title: "root: bump version to ${{ inputs.next_version }}.0-rc1"
-          body: "root: bump version to ${{ inputs.next_version }}.0-rc1"
-          delete-branch: true
-          signoff: true
-          # ID from https://api.github.com/users/authentik-automation[bot]
-          author: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
--- a/.github/workflows/release-next-branch.yml
+++ b/.github/workflows/release-next-branch.yml
@@ -1,5 +1,4 @@
---
-name: Release - Update next branch
+name: authentik-on-release-next-branch

 on:
  schedule:
@@ -12,11 +11,10 @@ permissions:

 jobs:
  update-next:
-    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
    runs-on: ubuntu-latest
    environment: internal-production
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@v4
        with:
          ref: main
      - run: |
--- a/.github/workflows/release-publish.yml
+++ b/.github/workflows/release-publish.yml
@@ -1,5 +1,5 @@
 ---
-name: Release - On publish
+name: authentik-on-release

 on:
  release:
@@ -7,60 +7,56 @@ on:

 jobs:
  build-server:
-    uses: ./.github/workflows/_reusable-docker-build.yml
-    secrets: inherit
-    permissions:
-      contents: read
-      # Needed to upload container images to ghcr.io
-      packages: write
-      # Needed for attestation
-      id-token: write
-      attestations: write
-    with:
-      image_name: ghcr.io/goauthentik/server,authentik/server
-      release: true
-      registry_dockerhub: true
-      registry_ghcr: true
-  build-docs:
    runs-on: ubuntu-latest
    permissions:
-      contents: read
-      # Needed to upload container images to ghcr.io
+      # Needed to upload contianer images to ghcr.io
      packages: write
      # Needed for attestation
      id-token: write
      attestations: write
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@v4
      - name: Set up QEMU
-        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
+        uses: docker/setup-qemu-action@v3.2.0
      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3
+        uses: docker/setup-buildx-action@v3
      - name: prepare variables
        uses: ./.github/actions/docker-push-variables
        id: ev
        env:
-          DOCKER_USERNAME: ${{ secrets.DOCKER_CORP_USERNAME }}
+          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
        with:
-          image-name: ghcr.io/goauthentik/docs
+          image-name: ghcr.io/goauthentik/server,beryju/authentik
+      - name: Docker Login Registry
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
      - name: Login to GitHub Container Registry
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3
+        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: make empty clients
+        run: |
+          mkdir -p ./gen-ts-api
+          mkdir -p ./gen-go-api
      - name: Build Docker Image
+        uses: docker/build-push-action@v6
        id: push
-        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6
        with:
-          tags: ${{ steps.ev.outputs.imageTags }}
-          file: website/Dockerfile
-          push: true
-          platforms: linux/amd64,linux/arm64
          context: .
-      - uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3
+          push: true
+          secrets: |
+            GEOIPUPDATE_ACCOUNT_ID=${{ secrets.GEOIPUPDATE_ACCOUNT_ID }}
+            GEOIPUPDATE_LICENSE_KEY=${{ secrets.GEOIPUPDATE_LICENSE_KEY }}
+          build-args: |
+            VERSION=${{ github.ref }}
+          tags: ${{ steps.ev.outputs.imageTags }}
+          platforms: linux/amd64,linux/arm64
+      - uses: actions/attest-build-provenance@v1
        id: attest
-        if: true
        with:
          subject-name: ${{ steps.ev.outputs.attestImageNames }}
          subject-digest: ${{ steps.push.outputs.digest }}
@@ -68,8 +64,7 @@ jobs:
  build-outpost:
    runs-on: ubuntu-latest
    permissions:
-      contents: read
-      # Needed to upload container images to ghcr.io
+      # Needed to upload contianer images to ghcr.io
      packages: write
      # Needed for attestation
      id-token: write
@@ -83,38 +78,38 @@ jobs:
          - radius
          - rac
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
-      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
        with:
          go-version-file: "go.mod"
      - name: Set up QEMU
-        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
+        uses: docker/setup-qemu-action@v3.2.0
      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3
+        uses: docker/setup-buildx-action@v3
      - name: prepare variables
        uses: ./.github/actions/docker-push-variables
        id: ev
        env:
-          DOCKER_USERNAME: ${{ secrets.DOCKER_CORP_USERNAME }}
+          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
        with:
-          image-name: ghcr.io/goauthentik/${{ matrix.type }},authentik/${{ matrix.type }}
+          image-name: ghcr.io/goauthentik/${{ matrix.type }},beryju/authentik-${{ matrix.type }}
      - name: make empty clients
        run: |
          mkdir -p ./gen-ts-api
          mkdir -p ./gen-go-api
      - name: Docker Login Registry
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3
+        uses: docker/login-action@v3
        with:
-          username: ${{ secrets.DOCKER_CORP_USERNAME }}
-          password: ${{ secrets.DOCKER_CORP_PASSWORD }}
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
      - name: Login to GitHub Container Registry
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3
+        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Build Docker Image
-        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6
+        uses: docker/build-push-action@v6
        id: push
        with:
          push: true
@@ -124,7 +119,7 @@ jobs:
          file: ${{ matrix.type }}.Dockerfile
          platforms: linux/amd64,linux/arm64
          context: .
-      - uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3
+      - uses: actions/attest-build-provenance@v1
        id: attest
        with:
          subject-name: ${{ steps.ev.outputs.attestImageNames }}
@@ -146,11 +141,11 @@ jobs:
        goos: [linux, darwin]
        goarch: [amd64, arm64]
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
-      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
        with:
          go-version-file: "go.mod"
-      - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v5
+      - uses: actions/setup-node@v4
        with:
          node-version-file: web/package.json
          cache: "npm"
@@ -168,33 +163,12 @@ jobs:
          export CGO_ENABLED=0
          go build -tags=outpost_static_embed -v -o ./authentik-outpost-${{ matrix.type }}_${{ matrix.goos }}_${{ matrix.goarch }} ./cmd/${{ matrix.type }}
      - name: Upload binaries to release
-        uses: svenstaro/upload-release-action@81c65b7cd4de9b2570615ce3aad67a41de5b1a13 # v2
+        uses: svenstaro/upload-release-action@v2
        with:
          repo_token: ${{ secrets.GITHUB_TOKEN }}
          file: ./authentik-outpost-${{ matrix.type }}_${{ matrix.goos }}_${{ matrix.goarch }}
          asset_name: authentik-outpost-${{ matrix.type }}_${{ matrix.goos }}_${{ matrix.goarch }}
          tag: ${{ github.ref }}
-  upload-aws-cfn-template:
-    permissions:
-      # Needed for AWS login
-      id-token: write
-      contents: read
-    needs:
-      - build-server
-      - build-outpost
-    env:
-      AWS_REGION: eu-central-1
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
-      - uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8 # v5
-        with:
-          role-to-assume: "arn:aws:iam::016170277896:role/github_goauthentik_authentik"
-          aws-region: ${{ env.AWS_REGION }}
-      - name: Upload template
-        run: |
-          aws s3 cp --acl=public-read lifecycle/aws/template.yaml s3://authentik-cloudformation-templates/authentik.ecs.${{ github.ref }}.yaml
-          aws s3 cp --acl=public-read lifecycle/aws/template.yaml s3://authentik-cloudformation-templates/authentik.ecs.latest.yaml
  test-release:
    needs:
      - build-server
@@ -202,14 +176,14 @@ jobs:
      - build-outpost-binary
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@v4
      - name: Run test suite in final docker images
        run: |
          echo "PG_PASS=$(openssl rand 32 | base64 -w 0)" >> .env
          echo "AUTHENTIK_SECRET_KEY=$(openssl rand 32 | base64 -w 0)" >> .env
          docker compose pull -q
          docker compose up --no-start
-          docker compose start postgresql
+          docker compose start postgresql redis
          docker compose run -u root server test-all
  sentry-release:
    needs:
@@ -218,12 +192,12 @@ jobs:
      - build-outpost-binary
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@v4
      - name: prepare variables
        uses: ./.github/actions/docker-push-variables
        id: ev
        env:
-          DOCKER_USERNAME: ${{ secrets.DOCKER_CORP_USERNAME }}
+          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
        with:
          image-name: ghcr.io/goauthentik/server
      - name: Get static files from docker image
@@ -232,13 +206,13 @@ jobs:
          container=$(docker container create ${{ steps.ev.outputs.imageMainName }})
          docker cp ${container}:web/ .
      - name: Create a Sentry.io release
-        uses: getsentry/action-release@4f502acc1df792390abe36f2dcb03612ef144818 # v3
+        uses: getsentry/action-release@v1
        continue-on-error: true
        env:
          SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
          SENTRY_ORG: authentik-security-inc
          SENTRY_PROJECT: authentik
        with:
-          release: authentik@${{ steps.ev.outputs.version }}
+          version: authentik@${{ steps.ev.outputs.version }}
          sourcemaps: "./web/dist"
          url_prefix: "~/static/dist"
--- a/.github/workflows/release-tag.yml
+++ b/.github/workflows/release-tag.yml
@@ -1,195 +1,48 @@
 ---
-name: Release - Tag new version
+name: authentik-on-tag

 on:
-  workflow_dispatch:
-    inputs:
-      version:
-        description: Version
-        required: true
-        type: string
-      release_reason:
-        description: Release reason
-        required: true
-        type: choice
-        options:
-          - bugfix
-          - feature
-          - security
-          - other
-          - prerelease
-
-env:
-  POSTGRES_DB: authentik
-  POSTGRES_USER: authentik
-  POSTGRES_PASSWORD: "EK-5jnKfjrGRm<77"
+  push:
+    tags:
+      - "version/*"

 jobs:
-  check-inputs:
-    name: Check inputs validity
+  build:
+    name: Create Release from Tag
    runs-on: ubuntu-latest
    steps:
-      - id: check
+      - uses: actions/checkout@v4
+      - name: Pre-release test
        run: |
-          echo "${{ inputs.version }}" | grep -E '^[0-9]{4}\.(0?[1-9]|1[0-2])\.[0-9]+(-rc[0-9]+)?$'
-          echo "major_version=${{ inputs.version }}" | grep -oE "^major_version=[0-9]{4}\.[0-9]{1,2}" >> "$GITHUB_OUTPUT"
-      - id: changelog-url
-        run: |
-          if [ "${{ inputs.release_reason }}" = "feature" ] || [ "${{ inputs.release_reason }}" = "prerelease" ]; then
-            changelog_url="https://docs.goauthentik.io/docs/releases/${{ steps.check.outputs.major_version }}"
-          else
-            changelog_url="https://docs.goauthentik.io/docs/releases/${{ steps.check.outputs.major_version }}#fixed-in-$(echo -n ${{ inputs.version }} | sed 's/\.//g')"
-          fi
-          echo "changelog_url=${changelog_url}" >> "$GITHUB_OUTPUT"
-    outputs:
-      major_version: "${{ steps.check.outputs.major_version }}"
-      changelog_url: "${{ steps.changelog-url.outputs.changelog_url }}"
-  test:
-    name: Pre-release test
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
-      - run: make test-docker
-  bump-authentik:
-    name: Bump authentik version
-    needs:
-      - check-inputs
-      - test
-    runs-on: ubuntu-latest
-    steps:
-      - id: app-token
-        name: Generate app token
-        uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2
+          echo "PG_PASS=$(openssl rand 32 | base64 -w 0)" >> .env
+          echo "AUTHENTIK_SECRET_KEY=$(openssl rand 32 | base64 -w 0)" >> .env
+          docker buildx install
+          mkdir -p ./gen-ts-api
+          docker build -t testing:latest .
+          echo "AUTHENTIK_IMAGE=testing" >> .env
+          echo "AUTHENTIK_TAG=latest" >> .env
+          docker compose up --no-start
+          docker compose start postgresql redis
+          docker compose run -u root server test-all
+      - id: generate_token
+        uses: tibdex/github-app-token@v2
        with:
-          app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-      - id: get-user-id
-        name: Get GitHub app user ID
-        run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
+          app_id: ${{ secrets.GH_APP_ID }}
+          private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+      - name: prepare variables
+        uses: ./.github/actions/docker-push-variables
+        id: ev
        env:
-          GH_TOKEN: "${{ steps.app-token.outputs.token }}"
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
        with:
-          ref: "version-${{ needs.check-inputs.outputs.major_version }}"
-          token: "${{ steps.app-token.outputs.token }}"
-      - name: Setup authentik env
-        uses: ./.github/actions/setup
-      - name: Run migrations
-        run: make migrate
-      - name: Bump version
-        run: "make bump version=${{ inputs.version }}"
-      - name: Commit and push
-        run: |
-          # ID from https://api.github.com/users/authentik-automation[bot]
-          git config --global user.name '${{ steps.app-token.outputs.app-slug }}[bot]'
-          git config --global user.email '${{ steps.get-user-id.outputs.user-id }}+${{ steps.app-token.outputs.app-slug }}[bot]@users.noreply.github.com'
-          git commit -a -m "release: ${{ inputs.version }}" --allow-empty
-          git tag "version/${{ inputs.version }}" HEAD -m "version/${{ inputs.version }}"
-          git push --follow-tags
+          image-name: ghcr.io/goauthentik/server
      - name: Create Release
-        uses: softprops/action-gh-release@6da8fa9354ddfdc4aeace5fc48d7f679b5214090 # v2
+        id: create_release
+        uses: actions/create-release@v1.1.4
+        env:
+          GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
        with:
-          token: "${{ steps.app-token.outputs.token }}"
-          tag_name: "version/${{ inputs.version }}"
-          name: Release ${{ inputs.version }}
+          tag_name: ${{ github.ref }}
+          release_name: Release ${{ steps.ev.outputs.version }}
          draft: true
-          prerelease: ${{ inputs.release_reason == 'prerelease' }}
-          generate_release_notes: true
-          body: |
-            See ${{ needs.check-inputs.outputs.changelog_url }}
-  bump-helm:
-    name: Bump Helm version
-    if: ${{ inputs.release_reason != 'prerelease' }}
-    needs:
-      - bump-authentik
-    runs-on: ubuntu-latest
-    steps:
-      - id: app-token
-        name: Generate app token
-        uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2
-        with:
-          app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-          repositories: helm
-      - id: get-user-id
-        name: Get GitHub app user ID
-        run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
-        env:
-          GH_TOKEN: "${{ steps.app-token.outputs.token }}"
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
-        with:
-          repository: "${{ github.repository_owner }}/helm"
-          token: "${{ steps.app-token.outputs.token }}"
-      - name: Bump version
-        run: |
-          sed -i 's/^version: .*/version: ${{ inputs.version }}/' charts/authentik/Chart.yaml
-          sed -i 's/^appVersion: .*/appVersion: ${{ inputs.version }}/' charts/authentik/Chart.yaml
-          sed -i 's/upgrade to authentik .*/upgrade to authentik ${{ inputs.version }}/' charts/authentik/Chart.yaml
-          sed -E -i 's/[0-9]{4}\.[0-9]{1,2}\.[0-9]+$/${{ inputs.version }}/' charts/authentik/Chart.yaml
-          ./scripts/helm-docs.sh
-      - name: Create pull request
-        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7
-        with:
-          token: "${{ steps.app-token.outputs.token }}"
-          branch: bump-${{ inputs.version }}
-          commit-message: "charts/authentik: bump to ${{ inputs.version }}"
-          title: "charts/authentik: bump to ${{ inputs.version }}"
-          body: "charts/authentik: bump to ${{ inputs.version }}"
-          delete-branch: true
-          signoff: true
-          author: "${{ steps.app-token.outputs.app-slug }}[bot] <${{ steps.get-user-id.outputs.user-id }}+${{ steps.app-token.outputs.app-slug }}[bot]@users.noreply.github.com>"
-  bump-version:
-    name: Bump version repository
-    if: ${{ inputs.release_reason != 'prerelease' }}
-    needs:
-      - check-inputs
-      - bump-authentik
-    runs-on: ubuntu-latest
-    steps:
-      - id: app-token
-        name: Generate app token
-        uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2
-        with:
-          app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-          repositories: version
-      - id: get-user-id
-        name: Get GitHub app user ID
-        run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
-        env:
-          GH_TOKEN: "${{ steps.app-token.outputs.token }}"
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
-        with:
-          repository: "${{ github.repository_owner }}/version"
-          token: "${{ steps.app-token.outputs.token }}"
-      - name: Bump version
-        if: "${{ inputs.release_reason == 'feature' }}"
-        run: |
-          changelog_url="https://docs.goauthentik.io/docs/releases/${{ needs.check-inputs.outputs.major_version }}"
-          jq \
-            --arg version "${{ inputs.version }}" \
-            --arg changelog "See ${changelog_url}" \
-            --arg changelog_url "${changelog_url}" \
-            '.stable.version = $version | .stable.changelog = $changelog | .stable.changelog_url = $changelog_url' version.json > version.new.json
-          mv version.new.json version.json
-      - name: Bump version
-        if: "${{ inputs.release_reason != 'feature' }}"
-        run: |
-          changelog_url="https://docs.goauthentik.io/docs/releases/${{ needs.check-inputs.outputs.major_version }}#fixed-in-$(echo -n ${{ inputs.version}} | sed 's/\.//g')"
-          jq \
-            --arg version "${{ inputs.version }}" \
-            --arg changelog "See ${changelog_url}" \
-            --arg changelog_url "${changelog_url}" \
-            '.stable.version = $version | .stable.changelog = $changelog | .stable.changelog_url = $changelog_url' version.json > version.new.json
-          mv version.new.json version.json
-      - name: Create pull request
-        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7
-        with:
-          token: "${{ steps.app-token.outputs.token }}"
-          branch: bump-${{ inputs.version }}
-          commit-message: "version: bump to ${{ inputs.version }}"
-          title: "version: bump to ${{ inputs.version }}"
-          body: "version: bump to ${{ inputs.version }}"
-          delete-branch: true
-          signoff: true
-          author: "${{ steps.app-token.outputs.app-slug }}[bot] <${{ steps.get-user-id.outputs.user-id }}+${{ steps.app-token.outputs.app-slug }}[bot]@users.noreply.github.com>"
+          prerelease: ${{ steps.ev.outputs.prerelease == 'true' }}
--- a/.github/workflows/repo-mirror-cleanup.yml
+++ b/.github/workflows/repo-mirror-cleanup.yml
@@ -1,22 +0,0 @@
---
-name: Repo - Cleanup internal mirror
-
-on:
-  workflow_dispatch:
-
-jobs:
-  to_internal:
-    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
-        with:
-          fetch-depth: 0
-      - if: ${{ env.MIRROR_KEY != '' }}
-        uses: BeryJu/repository-mirroring-action@5cf300935bc2e068f73ea69bcc411a8a997208eb # 5cf300935bc2e068f73ea69bcc411a8a997208eb
-        with:
-          target_repo_url: git@github.com:goauthentik/authentik-internal.git
-          ssh_private_key: ${{ secrets.GH_MIRROR_KEY }}
-          args: --tags --force --prune
-        env:
-          MIRROR_KEY: ${{ secrets.GH_MIRROR_KEY }}
--- a/.github/workflows/repo-mirror.yml
+++ b/.github/workflows/repo-mirror.yml
@@ -1,21 +0,0 @@
---
-name: Repo - Mirror to internal
-
-on: [push, delete]
-
-jobs:
-  to_internal:
-    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
-        with:
-          fetch-depth: 0
-      - if: ${{ env.MIRROR_KEY != '' }}
-        uses: BeryJu/repository-mirroring-action@5cf300935bc2e068f73ea69bcc411a8a997208eb # 5cf300935bc2e068f73ea69bcc411a8a997208eb
-        with:
-          target_repo_url: git@github.com:goauthentik/authentik-internal.git
-          ssh_private_key: ${{ secrets.GH_MIRROR_KEY }}
-          args: --tags --force
-        env:
-          MIRROR_KEY: ${{ secrets.GH_MIRROR_KEY }}
--- a/.github/workflows/repo-stale.yml
+++ b/.github/workflows/repo-stale.yml
@@ -1,9 +1,8 @@
---
-name: Repo - Mark and close stale issues
+name: 'authentik-repo-stale'

 on:
  schedule:
-    - cron: "30 1 * * *"
+    - cron: '30 1 * * *'
  workflow_dispatch:

 permissions:
@@ -12,21 +11,20 @@ permissions:

 jobs:
  stale:
-    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
    runs-on: ubuntu-latest
    steps:
      - id: generate_token
-        uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2
+        uses: tibdex/github-app-token@v2
        with:
-          app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-      - uses: actions/stale@5f858e3efba33a5ca4407a664cc011ad407f2008 # v10
+          app_id: ${{ secrets.GH_APP_ID }}
+          private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+      - uses: actions/stale@v9
        with:
          repo-token: ${{ steps.generate_token.outputs.token }}
          days-before-stale: 60
          days-before-close: 7
          exempt-issue-labels: pinned,security,pr_wanted,enhancement,bug/confirmed,enhancement/confirmed,question,status/reviewing
-          stale-issue-label: status/stale
+          stale-issue-label: wontfix
          stale-issue-message: >
            This issue has been automatically marked as stale because it has not had
            recent activity. It will be closed if no further activity occurs. Thank you
--- a/.github/workflows/translation-advice.yml
+++ b/.github/workflows/translation-advice.yml
@@ -1,5 +1,4 @@
---
-name: Translation - Post advice
+name: authentik-translation-advice

 on:
  pull_request:
@@ -20,14 +19,14 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Find Comment
-        uses: peter-evans/find-comment@b30e6a3c0ed37e7c023ccd3f1db5c6c0b0c23aad # v4
+        uses: peter-evans/find-comment@v3
        id: fc
        with:
          issue-number: ${{ github.event.pull_request.number }}
          comment-author: "github-actions[bot]"
          body-includes: authentik translations instructions
      - name: Create or update comment
-        uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5
+        uses: peter-evans/create-or-update-comment@v4
        with:
          comment-id: ${{ steps.fc.outputs.comment-id }}
          issue-number: ${{ github.event.pull_request.number }}
--- a/.github/workflows/translation-extract-compile.yml
+++ b/.github/workflows/translation-extract-compile.yml
@@ -1,14 +1,9 @@
 ---
-name: Translation - Extract and compile
-
+name: authentik-backend-translate-extract-compile
 on:
  schedule:
    - cron: "0 0 * * *" # every day at midnight
  workflow_dispatch:
-  pull_request:
-    branches:
-      - main
-      - version-*

 env:
  POSTGRES_DB: authentik
@@ -17,35 +12,27 @@ env:

 jobs:
  compile:
-    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
    runs-on: ubuntu-latest
    steps:
      - id: generate_token
-        if: ${{ github.event_name != 'pull_request' }}
-        uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2
+        uses: tibdex/github-app-token@v2
        with:
-          app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
-        if: ${{ github.event_name != 'pull_request' }}
+          app_id: ${{ secrets.GH_APP_ID }}
+          private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+      - uses: actions/checkout@v4
        with:
          token: ${{ steps.generate_token.outputs.token }}
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
-        if: ${{ github.event_name == 'pull_request' }}
      - name: Setup authentik env
        uses: ./.github/actions/setup
-      - name: Generate API
-        run: make gen-client-ts
      - name: run extract
        run: |
-          uv run make i18n-extract
+          poetry run make i18n-extract
      - name: run compile
        run: |
-          uv run ak compilemessages
+          poetry run ak compilemessages
          make web-check-compile
      - name: Create Pull Request
-        if: ${{ github.event_name != 'pull_request' }}
-        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7
+        uses: peter-evans/create-pull-request@v6
        with:
          token: ${{ steps.generate_token.outputs.token }}
          branch: extract-compile-backend-translation
@@ -54,6 +41,3 @@ jobs:
          body: "core, web: update translations"
          delete-branch: true
          signoff: true
-          labels: dependencies
-          # ID from https://api.github.com/users/authentik-automation[bot]
-          author: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
--- a/.github/workflows/translation-rename.yml
+++ b/.github/workflows/translation-rename.yml
@@ -1,7 +1,6 @@
---
 # Rename transifex pull requests to have a correct naming
 # Also enables auto squash-merge
-name: Translation - Auto-rename Transifex PRs
+name: authentik-translation-transifex-rename

 on:
  pull_request:
@@ -16,25 +15,34 @@ jobs:
    runs-on: ubuntu-latest
    if: ${{ github.event.pull_request.user.login == 'transifex-integration[bot]'}}
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
      - id: generate_token
-        uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2
+        uses: tibdex/github-app-token@v2
        with:
-          app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+          app_id: ${{ secrets.GH_APP_ID }}
+          private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
      - name: Get current title
        id: title
        env:
          GH_TOKEN: ${{ steps.generate_token.outputs.token }}
        run: |
-          title=$(gh pr view ${{ github.event.pull_request.number }} --json  "title" -q ".title")
+          title=$(curl -q -L \
+            -H "Accept: application/vnd.github+json" \
+            -H "Authorization: Bearer ${GH_TOKEN}" \
+            -H "X-GitHub-Api-Version: 2022-11-28" \
+            https://api.github.com/repos/${GITHUB_REPOSITORY}/pulls/${{ github.event.pull_request.number }} | jq -r .title)
          echo "title=${title}" >> "$GITHUB_OUTPUT"
      - name: Rename
        env:
          GH_TOKEN: ${{ steps.generate_token.outputs.token }}
        run: |
-          gh pr edit ${{ github.event.pull_request.number }} -t "translate: ${{ steps.title.outputs.title }}" --add-label dependencies
-      - uses: peter-evans/enable-pull-request-automerge@a660677d5469627102a1c1e11409dd063606628d # v3
+          curl -L \
+            -X PATCH \
+            -H "Accept: application/vnd.github+json" \
+            -H "Authorization: Bearer ${GH_TOKEN}" \
+            -H "X-GitHub-Api-Version: 2022-11-28" \
+            https://api.github.com/repos/${GITHUB_REPOSITORY}/pulls/${{ github.event.pull_request.number }} \
+            -d "{\"title\":\"translate: ${{ steps.title.outputs.title }}\"}"
+      - uses: peter-evans/enable-pull-request-automerge@v3
        with:
          token: ${{ steps.generate_token.outputs.token }}
          pull-request-number: ${{ github.event.pull_request.number }}
--- a/.gitignore
+++ b/.gitignore
@@ -11,10 +11,6 @@ local_settings.py
 db.sqlite3
 media

-# Node
-
-node_modules
-
 # If your build process includes running collectstatic, then you probably don't need or want to include staticfiles/
 # in your Git repository. Update and uncomment the following line accordingly.
 # <django-project-name>/staticfiles/
@@ -37,7 +33,6 @@ eggs/
 lib64/
 parts/
 dist/
-out/
 sdist/
 var/
 wheels/
@@ -72,7 +67,7 @@ unittest.xml

 # Translations
 # Have to include binary mo files as they are annoying to compile at build time
-# since a full postgres instance is required
+# since a full postgres and redis instance are required
 # *.mo

 # Django stuff:
@@ -100,6 +95,9 @@ ipython_config.py
 # pyenv
 .python-version

+# celery beat schedule file
+celerybeat-schedule
+
 # SageMath parsed files
 *.sage.py

@@ -163,6 +161,8 @@ dmypy.json

 # pyenv

+# celery beat schedule file
+
 # SageMath parsed files

 # Environments
@@ -209,6 +209,3 @@ source_docs/

 ### Golang ###
 /vendor/
-
-### Docker ###
-docker-compose.override.yml
--- a/.prettierignore
+++ b/.prettierignore
@@ -1,48 +0,0 @@
-# Prettier Ignorefile
-
-## Static Files
-**/LICENSE
-
-authentik/stages/**/*
-
-## Build asset directories
-coverage
-dist
-out
-.docusaurus
-# TODO Replace after moving website to docs
-website/api/reference
-
-## Environment
-*.env
-
-## Secrets
-*.secrets
-
-## Yarn
-.yarn/**/*
-
-## Node
-node_modules
-coverage
-
-## Configs
-*.log
-*.yaml
-*.yml
-
-# Templates
-# TODO: Rename affected files to *.template.* or similar.
-*.html
-*.mdx
-*.md
-
-## Import order matters
-poly.ts
-src/locale-codes.ts
-src/locales/
-
-# Storybook
-storybook-static/
-.storybook/css-import-maps*
-
--- a/.vscode/extensions.json
+++ b/.vscode/extensions.json
@@ -2,7 +2,6 @@
    "recommendations": [
        "bashmish.es6-string-css",
        "bpruitt-goddard.mermaid-markdown-syntax-highlighting",
-        "charliermarsh.ruff",
        "dbaeumer.vscode-eslint",
        "EditorConfig.EditorConfig",
        "esbenp.prettier-vscode",
@@ -11,12 +10,12 @@
        "Gruntfuggly.todo-tree",
        "mechatroner.rainbow-csv",
        "ms-python.black-formatter",
-        "ms-python.black-formatter",
-        "ms-python.debugpy",
+        "charliermarsh.ruff",
        "ms-python.python",
        "ms-python.vscode-pylance",
+        "ms-python.black-formatter",
        "redhat.vscode-yaml",
        "Tobermory.es6-string-html",
-        "unifiedjs.vscode-mdx",
+        "unifiedjs.vscode-mdx"
    ]
 }
--- a/.vscode/launch.json
+++ b/.vscode/launch.json
@@ -2,76 +2,26 @@
    "version": "0.2.0",
    "configurations": [
        {
-            "name": "Debug: Attach Server Core",
-            "type": "debugpy",
+            "name": "Python: PDB attach Server",
+            "type": "python",
            "request": "attach",
            "connect": {
                "host": "localhost",
-                "port": 9901
+                "port": 6800
            },
-            "pathMappings": [
-                {
-                    "localRoot": "${workspaceFolder}",
-                    "remoteRoot": "."
-                }
-            ],
+            "justMyCode": true,
            "django": true
        },
        {
-            "name": "Debug: Attach Worker",
-            "type": "debugpy",
+            "name": "Python: PDB attach Worker",
+            "type": "python",
            "request": "attach",
            "connect": {
                "host": "localhost",
-                "port": 9901
+                "port": 6900
            },
-            "pathMappings": [
-                {
-                    "localRoot": "${workspaceFolder}",
-                    "remoteRoot": "."
-                }
-            ],
+            "justMyCode": true,
            "django": true
-        },
-        {
-            "name": "Debug: Start Server Router",
-            "type": "go",
-            "request": "launch",
-            "mode": "auto",
-            "program": "${workspaceFolder}/cmd/server",
-            "cwd": "${workspaceFolder}"
-        },
-        {
-            "name": "Debug: Start LDAP Outpost",
-            "type": "go",
-            "request": "launch",
-            "mode": "auto",
-            "program": "${workspaceFolder}/cmd/ldap",
-            "cwd": "${workspaceFolder}"
-        },
-        {
-            "name": "Debug: Start Proxy Outpost",
-            "type": "go",
-            "request": "launch",
-            "mode": "auto",
-            "program": "${workspaceFolder}/cmd/proxy",
-            "cwd": "${workspaceFolder}"
-        },
-        {
-            "name": "Debug: Start RAC Outpost",
-            "type": "go",
-            "request": "launch",
-            "mode": "auto",
-            "program": "${workspaceFolder}/cmd/rac",
-            "cwd": "${workspaceFolder}"
-        },
-        {
-            "name": "Debug: Start Radius Outpost",
-            "type": "go",
-            "request": "launch",
-            "mode": "auto",
-            "program": "${workspaceFolder}/cmd/radius",
-            "cwd": "${workspaceFolder}"
        }
    ]
 }
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -1,16 +1,25 @@
 {
-    "[css]": {
-        "editor.minimap.markSectionHeaderRegex": "#\\bregion\\s*(?<separator>-?)\\s*(?<label>.*)\\*/$"
-    },
-    "[makefile]": {
-        "editor.minimap.markSectionHeaderRegex": "^#{25}\n##\\s\\s*(?<separator>-?)\\s*(?<label>[^\n]*)\n#{25}$"
-    },
-    "[dockerfile]": {
-        "editor.minimap.markSectionHeaderRegex": "\\bStage\\s*\\d:(?<separator>-?)\\s*(?<label>.*)$"
-    },
-    "[jsonc]": {
-        "editor.minimap.markSectionHeaderRegex": "#\\bregion\\s*(?<separator>-?)\\s*(?<label>.*)$"
-    },
+    "cSpell.words": [
+        "akadmin",
+        "asgi",
+        "authentik",
+        "authn",
+        "entra",
+        "goauthentik",
+        "jwks",
+        "kubernetes",
+        "oidc",
+        "openid",
+        "passwordless",
+        "plex",
+        "saml",
+        "scim",
+        "slo",
+        "sso",
+        "totp",
+        "traefik",
+        "webauthn"
+    ],
    "todo-tree.tree.showCountsInTree": true,
    "todo-tree.tree.showBadges": true,
    "yaml.customTags": [
@@ -18,22 +27,16 @@
        "!Context scalar",
        "!Enumerate sequence",
        "!Env scalar",
-        "!Env sequence",
-        "!File scalar",
-        "!File sequence",
        "!Find sequence",
-        "!FindObject sequence",
        "!Format sequence",
        "!If sequence",
        "!Index scalar",
        "!KeyOf scalar",
-        "!Value scalar",
-        "!AtIndex scalar",
-        "!ParseJSON scalar"
+        "!Value scalar"
    ],
    "typescript.preferences.importModuleSpecifier": "non-relative",
    "typescript.preferences.importModuleSpecifierEnding": "index",
-    "typescript.tsdk": "./node_modules/typescript/lib",
+    "typescript.tsdk": "./web/node_modules/typescript/lib",
    "typescript.enablePromptUseWorkspaceTsdk": true,
    "yaml.schemas": {
        "./blueprints/schema.json": "blueprints/**/*.yaml"
@@ -46,12 +49,7 @@
            "ignoreCase": false
        }
    ],
-    "go.testFlags": [
-        "-count=1"
-    ],
-    "go.testEnvVars": {
-        "WORKSPACE_DIR": "${workspaceFolder}"
-    },
+    "go.testFlags": ["-count=1"],
    "github-actions.workflows.pinned.workflows": [
        ".github/workflows/ci-main.yml"
    ]
--- a/.vscode/tasks.json
+++ b/.vscode/tasks.json
@@ -3,7 +3,7 @@
    "tasks": [
        {
            "label": "authentik/core: make",
-            "command": "uv",
+            "command": "poetry",
            "args": ["run", "make", "lint-fix", "lint"],
            "presentation": {
                "panel": "new"
@@ -12,7 +12,7 @@
        },
        {
            "label": "authentik/core: run",
-            "command": "uv",
+            "command": "poetry",
            "args": ["run", "ak", "server"],
            "group": "build",
            "presentation": {
@@ -43,15 +43,15 @@
            "group": "build"
        },
        {
-            "label": "authentik/docs: make",
+            "label": "authentik/website: make",
            "command": "make",
-            "args": ["docs"],
+            "args": ["website"],
            "group": "build"
        },
        {
-            "label": "authentik/docs: watch",
+            "label": "authentik/website: watch",
            "command": "make",
-            "args": ["docs-watch"],
+            "args": ["website-watch"],
            "group": "build",
            "presentation": {
                "panel": "dedicated",
@@ -60,7 +60,7 @@
        },
        {
            "label": "authentik/api: generate",
-            "command": "uv",
+            "command": "poetry",
            "args": ["run", "make", "gen"],
            "group": "build"
        }
--- a/64
+++ b/64
@@ -1,46 +1,28 @@
 # Fallback
-*                                       @goauthentik/backend @goauthentik/frontend
+*                               @goauthentik/backend @goauthentik/frontend
 # Backend
-authentik/                              @goauthentik/backend
-blueprints/                             @goauthentik/backend
-cmd/                                    @goauthentik/backend
-internal/                               @goauthentik/backend
-lifecycle/                              @goauthentik/backend
-schemas/                                @goauthentik/backend
-scripts/                                @goauthentik/backend
-tests/                                  @goauthentik/backend
-pyproject.toml                          @goauthentik/backend
-uv.lock                                 @goauthentik/backend
-go.mod                                  @goauthentik/backend
-go.sum                                  @goauthentik/backend
+authentik/                      @goauthentik/backend
+blueprints/                     @goauthentik/backend
+cmd/                            @goauthentik/backend
+internal/                       @goauthentik/backend
+lifecycle/                      @goauthentik/backend
+schemas/                        @goauthentik/backend
+scripts/                        @goauthentik/backend
+tests/                          @goauthentik/backend
+pyproject.toml                  @goauthentik/backend
+poetry.lock                     @goauthentik/backend
+go.mod                          @goauthentik/backend
+go.sum                          @goauthentik/backend
 # Infrastructure
-.github/                                @goauthentik/infrastructure
-lifecycle/aws/                          @goauthentik/infrastructure
-Dockerfile                              @goauthentik/infrastructure
-*Dockerfile                             @goauthentik/infrastructure
-.dockerignore                           @goauthentik/infrastructure
-docker-compose.yml                      @goauthentik/infrastructure
-Makefile                                @goauthentik/infrastructure
-.editorconfig                           @goauthentik/infrastructure
-CODEOWNERS                              @goauthentik/infrastructure
-# Backend packages
-packages/django-channels-postgres       @goauthentik/backend
-packages/django-postgres-cache          @goauthentik/backend
-packages/django-dramatiq-postgres       @goauthentik/backend
-# Web packages
-packages/docusaurus-config              @goauthentik/frontend
-packages/esbuild-plugin-live-reload     @goauthentik/frontend
-packages/eslint-config                  @goauthentik/frontend
-packages/prettier-config                @goauthentik/frontend
-packages/tsconfig                       @goauthentik/frontend
+.github/                        @goauthentik/infrastructure
+Dockerfile                      @goauthentik/infrastructure
+*Dockerfile                     @goauthentik/infrastructure
+.dockerignore                   @goauthentik/infrastructure
+docker-compose.yml              @goauthentik/infrastructure
 # Web
-web/                                    @goauthentik/frontend
-# Locale
-locale/                                 @goauthentik/backend @goauthentik/frontend
-web/xliff/                              @goauthentik/backend @goauthentik/frontend
-# Docs
-website/                                @goauthentik/docs
-CODE_OF_CONDUCT.md                      @goauthentik/docs
+web/                            @goauthentik/frontend
+tests/wdio/                     @goauthentik/frontend
+# Docs & Website
+website/                        @goauthentik/docs
 # Security
-SECURITY.md                             @goauthentik/security @goauthentik/docs
-website/security/                       @goauthentik/security @goauthentik/docs
+website/docs/security/          @goauthentik/security
--- a/CODE_OF_CONDUCT.md
+++ b/CODE_OF_CONDUCT.md
@@ -5,7 +5,7 @@
 We as members, contributors, and leaders pledge to make participation in our
 community a harassment-free experience for everyone, regardless of age, body
 size, visible or invisible disability, ethnicity, sex characteristics, gender
-identity and expression, level of experience, education, socioeconomic status,
+identity and expression, level of experience, education, socio-economic status,
 nationality, personal appearance, race, religion, or sexual identity
 and orientation.

--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -1,4 +0,0 @@
-# Contributing to authentik
-
-Thanks for your interest in contributing! Please see our [contributing guide](https://docs.goauthentik.io/docs/developer-docs/?utm_source=github) for more information.
-
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -0,0 +1 @@
+website/developer-docs/index.md
--- a/153
+++ b/153
@@ -1,7 +1,26 @@
 # syntax=docker/dockerfile:1

-# Stage 1: Build webui
-FROM --platform=${BUILDPLATFORM} docker.io/library/node:24-slim AS node-builder
+# Stage 1: Build website
+FROM --platform=${BUILDPLATFORM} docker.io/library/node:22 AS website-builder
+
+ENV NODE_ENV=production
+
+WORKDIR /work/website
+
+RUN --mount=type=bind,target=/work/website/package.json,src=./website/package.json \
+    --mount=type=bind,target=/work/website/package-lock.json,src=./website/package-lock.json \
+    --mount=type=cache,id=npm-website,sharing=shared,target=/root/.npm \
+    npm ci --include=dev
+
+COPY ./website /work/website/
+COPY ./blueprints /work/blueprints/
+COPY ./schema.yml /work/
+COPY ./SECURITY.md /work/
+
+RUN npm run build-bundled
+
+# Stage 2: Build webui
+FROM --platform=${BUILDPLATFORM} docker.io/library/node:22 AS web-builder

 ARG GIT_BUILD_HASH
 ENV GIT_BUILD_HASH=$GIT_BUILD_HASH
@@ -13,20 +32,18 @@ RUN --mount=type=bind,target=/work/web/package.json,src=./web/package.json \
    --mount=type=bind,target=/work/web/package-lock.json,src=./web/package-lock.json \
    --mount=type=bind,target=/work/web/packages/sfe/package.json,src=./web/packages/sfe/package.json \
    --mount=type=bind,target=/work/web/scripts,src=./web/scripts \
-    --mount=type=cache,id=npm-ak,sharing=shared,target=/root/.npm \
-    npm ci
+    --mount=type=cache,id=npm-web,sharing=shared,target=/root/.npm \
+    npm ci --include=dev

 COPY ./package.json /work
 COPY ./web /work/web/
-# TODO: Update this after moving website to docs
 COPY ./website /work/website/
 COPY ./gen-ts-api /work/web/node_modules/@goauthentik/api

-RUN npm run build && \
-    npm run build:sfe
+RUN npm run build

-# Stage 2: Build go proxy
-FROM --platform=${BUILDPLATFORM} docker.io/library/golang:1.25.3-bookworm AS go-builder
+# Stage 3: Build go proxy
+FROM --platform=${BUILDPLATFORM} mcr.microsoft.com/oss/go/microsoft/golang:1.23-fips-bookworm AS go-builder

 ARG TARGETOS
 ARG TARGETARCH
@@ -50,8 +67,8 @@ RUN --mount=type=bind,target=/go/src/goauthentik.io/go.mod,src=./go.mod \
 COPY ./cmd /go/src/goauthentik.io/cmd
 COPY ./authentik/lib /go/src/goauthentik.io/authentik/lib
 COPY ./web/static.go /go/src/goauthentik.io/web/static.go
-COPY --from=node-builder /work/web/robots.txt /go/src/goauthentik.io/web/robots.txt
-COPY --from=node-builder /work/web/security.txt /go/src/goauthentik.io/web/security.txt
+COPY --from=web-builder /work/web/robots.txt /go/src/goauthentik.io/web/robots.txt
+COPY --from=web-builder /work/web/security.txt /go/src/goauthentik.io/web/security.txt
 COPY ./internal /go/src/goauthentik.io/internal
 COPY ./go.mod /go/src/goauthentik.io/go.mod
 COPY ./go.sum /go/src/goauthentik.io/go.sum
@@ -59,106 +76,74 @@ COPY ./go.sum /go/src/goauthentik.io/go.sum
 RUN --mount=type=cache,sharing=locked,target=/go/pkg/mod \
    --mount=type=cache,id=go-build-$TARGETARCH$TARGETVARIANT,sharing=locked,target=/root/.cache/go-build \
    if [ "$TARGETARCH" = "arm64" ]; then export CC=aarch64-linux-gnu-gcc && export CC_FOR_TARGET=gcc-aarch64-linux-gnu; fi && \
-    CGO_ENABLED=1 GOFIPS140=latest GOARM="${TARGETVARIANT#v}" \
+    CGO_ENABLED=1 GOEXPERIMENT="systemcrypto" GOFLAGS="-tags=requirefips" GOARM="${TARGETVARIANT#v}" \
    go build -o /go/authentik ./cmd/server

-# Stage 3: MaxMind GeoIP
-FROM --platform=${BUILDPLATFORM} ghcr.io/maxmind/geoipupdate:v7.1.1 AS geoip
+# Stage 4: MaxMind GeoIP
+FROM --platform=${BUILDPLATFORM} ghcr.io/maxmind/geoipupdate:v7.0.1 AS geoip

 ENV GEOIPUPDATE_EDITION_IDS="GeoLite2-City GeoLite2-ASN"
 ENV GEOIPUPDATE_VERBOSE="1"
 ENV GEOIPUPDATE_ACCOUNT_ID_FILE="/run/secrets/GEOIPUPDATE_ACCOUNT_ID"
+ENV GEOIPUPDATE_LICENSE_KEY_FILE="/run/secrets/GEOIPUPDATE_LICENSE_KEY"

 USER root
 RUN --mount=type=secret,id=GEOIPUPDATE_ACCOUNT_ID \
    --mount=type=secret,id=GEOIPUPDATE_LICENSE_KEY \
    mkdir -p /usr/share/GeoIP && \
-    /bin/sh -c "GEOIPUPDATE_LICENSE_KEY_FILE=/run/secrets/GEOIPUPDATE_LICENSE_KEY /usr/bin/entry.sh || echo 'Failed to get GeoIP database, disabling'; exit 0"
+    /bin/sh -c "/usr/bin/entry.sh || echo 'Failed to get GeoIP database, disabling'; exit 0"

-# Stage 4: Download uv
-FROM ghcr.io/astral-sh/uv:0.9.4 AS uv
-# Stage 5: Base python image
-FROM ghcr.io/goauthentik/fips-python:3.13.7-slim-trixie-fips AS python-base
-
-ENV VENV_PATH="/ak-root/.venv" \
-    PATH="/lifecycle:/ak-root/.venv/bin:$PATH" \
-    UV_COMPILE_BYTECODE=1 \
-    UV_LINK_MODE=copy \
-    UV_NATIVE_TLS=1 \
-    UV_PYTHON_DOWNLOADS=0
-
-WORKDIR /ak-root/
-
-COPY --from=uv /uv /uvx /bin/
-
-# Stage 6: Python dependencies
-FROM python-base AS python-deps
+# Stage 5: Python dependencies
+FROM ghcr.io/goauthentik/fips-python:3.12.5-slim-bookworm-fips-full AS python-deps

 ARG TARGETARCH
 ARG TARGETVARIANT

-RUN rm -f /etc/apt/apt.conf.d/docker-clean; echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache
+WORKDIR /ak-root/poetry

-ENV PATH="/root/.cargo/bin:$PATH"
+ENV VENV_PATH="/ak-root/venv" \
+    POETRY_VIRTUALENVS_CREATE=false \
+    PATH="/ak-root/venv/bin:$PATH"
+
+RUN rm -f /etc/apt/apt.conf.d/docker-clean; echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache

 RUN --mount=type=cache,id=apt-$TARGETARCH$TARGETVARIANT,sharing=locked,target=/var/cache/apt \
    apt-get update && \
    # Required for installing pip packages
-    apt-get install -y --no-install-recommends \
-    # Build essentials
-    build-essential pkg-config libffi-dev git \
-    # cryptography
-    curl \
-    # libxml
-    libxslt-dev zlib1g-dev \
-    # postgresql
-    libpq-dev \
-    # python-kadmin-rs
-    clang libkrb5-dev sccache \
-    # xmlsec
-    libltdl-dev && \
-    curl https://sh.rustup.rs -sSf | sh -s -- -y
+    apt-get install -y --no-install-recommends build-essential pkg-config libpq-dev

-ENV UV_NO_BINARY_PACKAGE="cryptography lxml python-kadmin-rs xmlsec" \
-    # https://github.com/rust-lang/rustup/issues/2949
-    # Fixes issues where the rust version in the build cache is older than latest
-    # and rustup tries to update it, which fails
-    RUSTUP_PERMIT_COPY_RENAME="true"
+RUN --mount=type=bind,target=./pyproject.toml,src=./pyproject.toml \
+    --mount=type=bind,target=./poetry.lock,src=./poetry.lock \
+    --mount=type=cache,target=/root/.cache/pip \
+    --mount=type=cache,target=/root/.cache/pypoetry \
+    python -m venv /ak-root/venv/ && \
+    bash -c "source ${VENV_PATH}/bin/activate && \
+    pip3 install --upgrade pip && \
+    pip3 install poetry && \
+    poetry install --only=main --no-ansi --no-interaction --no-root && \
+    pip install --force-reinstall /wheels/*"

-RUN --mount=type=bind,target=pyproject.toml,src=pyproject.toml \
-    --mount=type=bind,target=uv.lock,src=uv.lock \
-    --mount=type=bind,target=packages,src=packages \
-    --mount=type=cache,target=/root/.cache/uv \
-    uv sync --frozen --no-install-project --no-dev
-
-# Stage 7: Run
-FROM python-base AS final-image
+# Stage 6: Run
+FROM ghcr.io/goauthentik/fips-python:3.12.5-slim-bookworm-fips-full AS final-image

 ARG VERSION
 ARG GIT_BUILD_HASH
 ENV GIT_BUILD_HASH=$GIT_BUILD_HASH

-LABEL org.opencontainers.image.authors="Authentik Security Inc." \
-    org.opencontainers.image.description="goauthentik.io Main server image, see https://goauthentik.io for more info." \
-    org.opencontainers.image.documentation="https://docs.goauthentik.io" \
-    org.opencontainers.image.licenses="https://github.com/goauthentik/authentik/blob/main/LICENSE" \
-    org.opencontainers.image.revision=${GIT_BUILD_HASH} \
-    org.opencontainers.image.source="https://github.com/goauthentik/authentik" \
-    org.opencontainers.image.title="authentik server image" \
-    org.opencontainers.image.url="https://goauthentik.io" \
-    org.opencontainers.image.vendor="Authentik Security Inc." \
-    org.opencontainers.image.version=${VERSION}
+LABEL org.opencontainers.image.url=https://goauthentik.io
+LABEL org.opencontainers.image.description="goauthentik.io Main server image, see https://goauthentik.io for more info."
+LABEL org.opencontainers.image.source=https://github.com/goauthentik/authentik
+LABEL org.opencontainers.image.version=${VERSION}
+LABEL org.opencontainers.image.revision=${GIT_BUILD_HASH}

 WORKDIR /

 # We cannot cache this layer otherwise we'll end up with a bigger image
 RUN apt-get update && \
-    apt-get upgrade -y && \
    # Required for runtime
-    apt-get install -y --no-install-recommends libpq5 libmaxminddb0 ca-certificates libkrb5-3 libkadm5clnt-mit12 libkdb5-10 libltdl7 libxslt1.1 && \
+    apt-get install -y --no-install-recommends libpq5 libmaxminddb0 ca-certificates && \
    # Required for bootstrap & healtcheck
    apt-get install -y --no-install-recommends runit && \
-    pip3 install --no-cache-dir --upgrade pip && \
    apt-get clean && \
    rm -rf /tmp/* /var/lib/apt/lists/* /var/tmp/ && \
    adduser --system --no-create-home --uid 1000 --group --home /authentik authentik && \
@@ -169,20 +154,18 @@ RUN apt-get update && \

 COPY ./authentik/ /authentik
 COPY ./pyproject.toml /
-COPY ./uv.lock /
+COPY ./poetry.lock /
 COPY ./schemas /schemas
 COPY ./locale /locale
 COPY ./tests /tests
 COPY ./manage.py /
 COPY ./blueprints /blueprints
 COPY ./lifecycle/ /lifecycle
-COPY ./authentik/sources/kerberos/krb5.conf /etc/krb5.conf
 COPY --from=go-builder /go/authentik /bin/authentik
-COPY ./packages/ /ak-root/packages
-RUN  ln -s /ak-root/packages /packages
-COPY --from=python-deps /ak-root/.venv /ak-root/.venv
-COPY --from=node-builder /work/web/dist/ /web/dist/
-COPY --from=node-builder /work/web/authentik/ /web/authentik/
+COPY --from=python-deps /ak-root/venv /ak-root/venv
+COPY --from=web-builder /work/web/dist/ /web/dist/
+COPY --from=web-builder /work/web/authentik/ /web/authentik/
+COPY --from=website-builder /work/website/build/ /website/help/
 COPY --from=geoip /usr/share/GeoIP /geoip

 USER 1000
@@ -190,7 +173,11 @@ USER 1000
 ENV TMPDIR=/dev/shm/ \
    PYTHONDONTWRITEBYTECODE=1 \
    PYTHONUNBUFFERED=1 \
-    GOFIPS=1
+    PATH="/ak-root/venv/bin:/lifecycle:$PATH" \
+    VENV_PATH="/ak-root/venv" \
+    POETRY_VIRTUALENVS_CREATE=false
+
+ENV GOFIPS=1

 HEALTHCHECK --interval=30s --timeout=30s --start-period=60s --retries=3 CMD [ "ak", "healthcheck" ]

--- a/309
+++ b/309
@@ -1,40 +1,37 @@
-.PHONY: gen dev-reset all clean test web docs
+.PHONY: gen dev-reset all clean test web website

-SHELL := /usr/bin/env bash
-.SHELLFLAGS += ${SHELLFLAGS} -e -o pipefail
+.SHELLFLAGS += ${SHELLFLAGS} -e
 PWD = $(shell pwd)
 UID = $(shell id -u)
 GID = $(shell id -g)
-NPM_VERSION = $(shell python -m scripts.generate_semver)
-PY_SOURCES = authentik packages tests scripts lifecycle .github
+NPM_VERSION = $(shell python -m scripts.npm_version)
+PY_SOURCES = authentik tests scripts lifecycle .github
 DOCKER_IMAGE ?= "authentik:test"

-GEN_API_TS = gen-ts-api
-GEN_API_PY = gen-py-api
-GEN_API_GO = gen-go-api
+GEN_API_TS = "gen-ts-api"
+GEN_API_PY = "gen-py-api"
+GEN_API_GO = "gen-go-api"

-pg_user := $(shell uv run python -m authentik.lib.config postgresql.user 2>/dev/null)
-pg_host := $(shell uv run python -m authentik.lib.config postgresql.host 2>/dev/null)
-pg_name := $(shell uv run python -m authentik.lib.config postgresql.name 2>/dev/null)
+pg_user := $(shell python -m authentik.lib.config postgresql.user 2>/dev/null)
+pg_host := $(shell python -m authentik.lib.config postgresql.host 2>/dev/null)
+pg_name := $(shell python -m authentik.lib.config postgresql.name 2>/dev/null)

-UNAME := $(shell uname)
+CODESPELL_ARGS = -D - -D .github/codespell-dictionary.txt \
+		-I .github/codespell-words.txt \
+		-S 'web/src/locales/**' \
+		-S 'website/developer-docs/api/reference/**' \
+		authentik \
+		internal \
+		cmd \
+		web/src \
+		website/src \
+		website/blog \
+		website/developer-docs \
+		website/docs \
+		website/integrations \
+		website/src

-# For macOS users, add the libxml2 installed from brew libxmlsec1 to the build path
-# to prevent SAML-related tests from failing and ensure correct pip dependency compilation
-ifeq ($(UNAME), Darwin)
-# Only add for brew users who installed libxmlsec1
-	BREW_EXISTS := $(shell command -v brew 2> /dev/null)
-	ifdef BREW_EXISTS
-		LIBXML2_EXISTS := $(shell brew list libxml2 2> /dev/null)
-		ifdef LIBXML2_EXISTS
-			BREW_LDFLAGS := -L$(shell brew --prefix libxml2)/lib $(LDFLAGS)
-			BREW_CPPFLAGS := -I$(shell brew --prefix libxml2)/include $(CPPFLAGS)
-			BREW_PKG_CONFIG_PATH := $(shell brew --prefix libxml2)/lib/pkgconfig:$(PKG_CONFIG_PATH)
-		endif
-	endif
-endif
-
-all: lint-fix lint gen web test  ## Lint, build, and test everything
+all: lint-fix lint test gen web  ## Lint, build, and test everything

 HELP_WIDTH := $(shell grep -h '^[a-z][^ ]*:.*\#\#' $(MAKEFILE_LIST) 2>/dev/null | \
 	cut -d':' -f1 | awk '{printf "%d\n", length}' | sort -rn | head -1)
@@ -49,48 +46,41 @@ help:  ## Show this help
 go-test:
 	go test -timeout 0 -v -race -cover ./...

+test-docker:  ## Run all tests in a docker-compose
+	echo "PG_PASS=$(shell openssl rand 32 | base64 -w 0)" >> .env
+	echo "AUTHENTIK_SECRET_KEY=$(shell openssl rand 32 | base64 -w 0)" >> .env
+	docker compose pull -q
+	docker compose up --no-start
+	docker compose start postgresql redis
+	docker compose run -u root server test-all
+	rm -f .env
+
 test: ## Run the server tests and produce a coverage report (locally)
-	uv run coverage run manage.py test --keepdb authentik
-	uv run coverage html
-	uv run coverage report
+	coverage run manage.py test --keepdb authentik
+	coverage html
+	coverage report

 lint-fix: lint-codespell  ## Lint and automatically fix errors in the python source code. Reports spelling errors.
-	uv run black $(PY_SOURCES)
-	uv run ruff check --fix $(PY_SOURCES)
+	black $(PY_SOURCES)
+	ruff check --fix $(PY_SOURCES)

 lint-codespell:  ## Reports spelling errors.
-	uv run codespell -w
+	codespell -w $(CODESPELL_ARGS)

 lint: ## Lint the python and golang sources
-	uv run bandit -c pyproject.toml -r $(PY_SOURCES)
+	bandit -r $(PY_SOURCES) -x web/node_modules -x tests/wdio/node_modules -x website/node_modules
 	golangci-lint run -v

 core-install:
-ifdef LIBXML2_EXISTS
-# Clear cache to ensure fresh compilation
-	uv cache clean
-# Force compilation from source for lxml and xmlsec with correct environment
-	LDFLAGS="$(BREW_LDFLAGS)" CPPFLAGS="$(BREW_CPPFLAGS)" PKG_CONFIG_PATH="$(BREW_PKG_CONFIG_PATH)" uv sync --frozen --reinstall-package lxml --reinstall-package xmlsec --no-binary-package lxml --no-binary-package xmlsec
-else
-	uv sync --frozen
-endif
+	poetry install

 migrate: ## Run the Authentik Django server's migrations
-	uv run python -m lifecycle.migrate
+	python -m lifecycle.migrate

 i18n-extract: core-i18n-extract web-i18n-extract  ## Extract strings that require translation into files to send to a translation service

-aws-cfn:
-	cd lifecycle/aws && npm i && uv run npm run aws-cfn
-
-run-server:  ## Run the main authentik server process
-	uv run ak server
-
-run-worker:  ## Run the main authentik worker process
-	uv run ak worker
-
 core-i18n-extract:
-	uv run ak makemessages \
+	ak makemessages \
 		--add-location file \
 		--no-obsolete \
 		--ignore web \
@@ -100,33 +90,19 @@ core-i18n-extract:
 		--ignore website \
 		-l en

-install: node-install docs-install core-install  ## Install all requires dependencies for `node`, `docs` and `core`
+install: web-install website-install core-install  ## Install all requires dependencies for `web`, `website` and `core`

 dev-drop-db:
-	dropdb -U ${pg_user} -h ${pg_host} ${pg_name} || true
+	dropdb -U ${pg_user} -h ${pg_host} ${pg_name}
 	# Also remove the test-db if it exists
 	dropdb -U ${pg_user} -h ${pg_host} test_${pg_name} || true
+	redis-cli -n 0 flushall

 dev-create-db:
 	createdb -U ${pg_user} -h ${pg_host} ${pg_name}

 dev-reset: dev-drop-db dev-create-db migrate  ## Drop and restore the Authentik PostgreSQL instance to a "fresh install" state.

-update-test-mmdb:  ## Update test GeoIP and ASN Databases
-	curl -L https://raw.githubusercontent.com/maxmind/MaxMind-DB/refs/heads/main/test-data/GeoLite2-ASN-Test.mmdb -o ${PWD}/tests/GeoLite2-ASN-Test.mmdb
-	curl -L https://raw.githubusercontent.com/maxmind/MaxMind-DB/refs/heads/main/test-data/GeoLite2-City-Test.mmdb -o ${PWD}/tests/GeoLite2-City-Test.mmdb
-
-bump:  ## Bump authentik version. Usage: make bump version=20xx.xx.xx
-ifndef version
-	$(error Usage: make bump version=20xx.xx.xx )
-endif
-	sed -i 's/^version = ".*"/version = "$(version)"/' pyproject.toml
-	sed -i 's/^VERSION = ".*"/VERSION = "$(version)"/' authentik/__init__.py
-	$(MAKE) gen-build gen-compose aws-cfn
-	npm version --no-git-tag-version --allow-same-version $(version)
-	cd ${PWD}/web && npm version --no-git-tag-version --allow-same-version $(version)
-	echo -n $(version) > ${PWD}/internal/constants/VERSION
-
 #########################
 ## API Schema
 #########################
@@ -135,157 +111,147 @@ gen-build:  ## Extract the schema from the database
 	AUTHENTIK_DEBUG=true \
 		AUTHENTIK_TENANTS__ENABLED=true \
 		AUTHENTIK_OUTPOSTS__DISABLE_EMBEDDED_OUTPOST=true \
-		uv run ak make_blueprint_schema --file blueprints/schema.json
+		ak make_blueprint_schema > blueprints/schema.json
 	AUTHENTIK_DEBUG=true \
 		AUTHENTIK_TENANTS__ENABLED=true \
 		AUTHENTIK_OUTPOSTS__DISABLE_EMBEDDED_OUTPOST=true \
-		uv run ak spectacular --file schema.yml
-
-gen-compose:
-	uv run scripts/generate_docker_compose.py
+		ak spectacular --file schema.yml

 gen-changelog:  ## (Release) generate the changelog based from the commits since the last tag
 	git log --pretty=format:" - %s" $(shell git describe --tags $(shell git rev-list --tags --max-count=1))...$(shell git branch --show-current) | sort > changelog.md
 	npx prettier --write changelog.md

 gen-diff:  ## (Release) generate the changelog diff between the current schema and the last tag
-	git show $(shell git describe --tags $(shell git rev-list --tags --max-count=1)):schema.yml > schema-old.yml
-	docker compose -f scripts/api/docker-compose.yml run --rm --user "${UID}:${GID}" diff \
-		--markdown \
-		/local/diff.md \
-		/local/schema-old.yml \
-		/local/schema.yml
-	rm schema-old.yml
+	git show $(shell git describe --tags $(shell git rev-list --tags --max-count=1)):schema.yml > old_schema.yml
+	docker run \
+		--rm -v ${PWD}:/local \
+		--user ${UID}:${GID} \
+		docker.io/openapitools/openapi-diff:2.1.0-beta.8 \
+		--markdown /local/diff.md \
+		/local/old_schema.yml /local/schema.yml
+	rm old_schema.yml
 	sed -i 's/{/&#123;/g' diff.md
 	sed -i 's/}/&#125;/g' diff.md
 	npx prettier --write diff.md

-gen-clean-ts:  ## Remove generated API client for TypeScript
-	rm -rf ${PWD}/${GEN_API_TS}/
-	rm -rf ${PWD}/web/node_modules/@goauthentik/api/
-
-gen-clean-py:  ## Remove generated API client for Python
-	rm -rf ${PWD}/${GEN_API_PY}
+gen-clean-ts:  ## Remove generated API client for Typescript
+	rm -rf ./${GEN_API_TS}/
+	rm -rf ./web/node_modules/@goauthentik/api/

 gen-clean-go:  ## Remove generated API client for Go
-	rm -rf ${PWD}/${GEN_API_GO}
+	rm -rf ./${GEN_API_GO}/
+
+gen-clean-py:  ## Remove generated API client for Python
+	rm -rf ./${GEN_API_PY}/

 gen-clean: gen-clean-ts gen-clean-go gen-clean-py  ## Remove generated API clients

 gen-client-ts: gen-clean-ts  ## Build and install the authentik API for Typescript into the authentik UI Application
-	docker compose -f scripts/api/docker-compose.yml run --rm --user "${UID}:${GID}" gen \
-		generate \
+	docker run \
+		--rm -v ${PWD}:/local \
+		--user ${UID}:${GID} \
+		docker.io/openapitools/openapi-generator-cli:v6.5.0 generate \
 		-i /local/schema.yml \
 		-g typescript-fetch \
 		-o /local/${GEN_API_TS} \
-		-c /local/scripts/api/ts-config.yaml \
+		-c /local/scripts/api-ts-config.yaml \
 		--additional-properties=npmVersion=${NPM_VERSION} \
 		--git-repo-id authentik \
 		--git-user-id goauthentik
-
-	cd ${PWD}/${GEN_API_TS} && npm i
-	cd ${PWD}/${GEN_API_TS} && npm link
-	cd ${PWD}/web && npm link @goauthentik/api
+	mkdir -p web/node_modules/@goauthentik/api
+	cd ./${GEN_API_TS} && npm i
+	\cp -rf ./${GEN_API_TS}/* web/node_modules/@goauthentik/api

 gen-client-py: gen-clean-py ## Build and install the authentik API for Python
-	mkdir -p ${PWD}/${GEN_API_PY}
-ifeq ($(wildcard ${PWD}/${GEN_API_PY}/.*),)
-	git clone --depth 1 https://github.com/goauthentik/client-python.git ${PWD}/${GEN_API_PY}
-else
-	cd ${PWD}/${GEN_API_PY} && git pull
-endif
-	cp ${PWD}/schema.yml ${PWD}/${GEN_API_PY}
-	make -C ${PWD}/${GEN_API_PY} build version=${NPM_VERSION}
+	docker run \
+		--rm -v ${PWD}:/local \
+		--user ${UID}:${GID} \
+		docker.io/openapitools/openapi-generator-cli:v7.4.0 generate \
+		-i /local/schema.yml \
+		-g python \
+		-o /local/${GEN_API_PY} \
+		-c /local/scripts/api-py-config.yaml \
+		--additional-properties=packageVersion=${NPM_VERSION} \
+		--git-repo-id authentik \
+		--git-user-id goauthentik
+	pip install ./${GEN_API_PY}

 gen-client-go: gen-clean-go  ## Build and install the authentik API for Golang
-	mkdir -p ${PWD}/${GEN_API_GO}
-ifeq ($(wildcard ${PWD}/${GEN_API_GO}/.*),)
-	git clone --depth 1 https://github.com/goauthentik/client-go.git ${PWD}/${GEN_API_GO}
-else
-	cd ${PWD}/${GEN_API_GO} && git pull
-endif
-	cp ${PWD}/schema.yml ${PWD}/${GEN_API_GO}
-	make -C ${PWD}/${GEN_API_GO} build
+	mkdir -p ./${GEN_API_GO} ./${GEN_API_GO}/templates
+	wget https://raw.githubusercontent.com/goauthentik/client-go/main/config.yaml -O ./${GEN_API_GO}/config.yaml
+	wget https://raw.githubusercontent.com/goauthentik/client-go/main/templates/README.mustache -O ./${GEN_API_GO}/templates/README.mustache
+	wget https://raw.githubusercontent.com/goauthentik/client-go/main/templates/go.mod.mustache -O ./${GEN_API_GO}/templates/go.mod.mustache
+	cp schema.yml ./${GEN_API_GO}/
+	docker run \
+		--rm -v ${PWD}/${GEN_API_GO}:/local \
+		--user ${UID}:${GID} \
+		docker.io/openapitools/openapi-generator-cli:v6.5.0 generate \
+		-i /local/schema.yml \
+		-g go \
+		-o /local/ \
+		-c /local/config.yaml
 	go mod edit -replace goauthentik.io/api/v3=./${GEN_API_GO}
+	rm -rf ./${GEN_API_GO}/config.yaml ./${GEN_API_GO}/templates/

 gen-dev-config:  ## Generate a local development config file
-	uv run scripts/generate_config.py
+	python -m scripts.generate_config

 gen: gen-build gen-client-ts

-#########################
-## Node.js
-#########################
-
-node-install:  ## Install the necessary libraries to build Node.js packages
-	npm ci
-	npm ci --prefix web
-
 #########################
 ## Web
 #########################

-web-build: node-install  ## Build the Authentik UI
-	npm run --prefix web build
+web-build: web-install  ## Build the Authentik UI
+	cd web && npm run build

-web: web-lint-fix web-lint web-check-compile  ## Automatically fix formatting issues in the Authentik UI source code, lint the code, and compile it
+web: web-lint-fix web-lint web-check-compile web-test  ## Automatically fix formatting issues in the Authentik UI source code, lint the code, and compile it
+
+web-install:  ## Install the necessary libraries to build the Authentik UI
+	cd web && npm ci

 web-test: ## Run tests for the Authentik UI
-	npm run --prefix web test
+	cd web && npm run test

 web-watch:  ## Build and watch the Authentik UI for changes, updating automatically
-	npm run --prefix web watch
+	rm -rf web/dist/
+	mkdir web/dist/
+	touch web/dist/.gitkeep
+	cd web && npm run watch
+
 web-storybook-watch:  ## Build and run the storybook documentation server
-	npm run --prefix web storybook
+	cd web && npm run storybook

 web-lint-fix:
-	npm run --prefix web prettier
+	cd web && npm run prettier

 web-lint:
-	npm run --prefix web lint
-	npm run --prefix web lit-analyse
+	cd web && npm run lint
+	cd web && npm run lit-analyse

 web-check-compile:
-	npm run --prefix web tsc
+	cd web && npm run tsc

 web-i18n-extract:
-	npm run --prefix web extract-locales
+	cd web && npm run extract-locales

 #########################
-## Docs
+## Website
 #########################

-docs: docs-lint-fix docs-build  ## Automatically fix formatting issues in the Authentik docs source code, lint the code, and compile it
+website: website-lint-fix website-build  ## Automatically fix formatting issues in the Authentik website/docs source code, lint the code, and compile it

-docs-install:
-	npm ci --prefix website
+website-install:
+	cd website && npm ci

-docs-lint-fix: lint-codespell
-	npm run --prefix website prettier
+website-lint-fix: lint-codespell
+	cd website && npm run prettier

-docs-build:
-	npm run --prefix website build
+website-build:
+	cd website && npm run build

-docs-watch:  ## Build and watch the topics documentation
-	npm run --prefix website start
-
-integrations: docs-lint-fix integrations-build ## Fix formatting issues in the integrations source code, lint the code, and compile it
-
-integrations-build:
-	npm run --prefix website -w integrations build
-
-integrations-watch:  ## Build and watch the Integrations documentation
-	npm run --prefix website -w integrations start
-
-docs-api-build:
-	npm run --prefix website -w api build
-
-docs-api-watch:  ## Build and watch the API documentation
-	npm run --prefix website -w api build:api
-	npm run --prefix website -w api start
-
-docs-api-clean: ## Clean generated API documentation
-	npm run --prefix website -w api build:api:clean
+website-watch:  ## Build and watch the documentation website, updating automatically
+	cd website && npm run watch

 #########################
 ## Docker
@@ -295,9 +261,6 @@ docker:  ## Build a docker image of the current source tree
 	mkdir -p ${GEN_API_TS}
 	DOCKER_BUILDKIT=1 docker build . --progress plain --tag ${DOCKER_IMAGE}

-test-docker:
-	BUILD=true ${PWD}/scripts/test_docker.sh
-
 #########################
 ## CI
 #########################
@@ -308,25 +271,17 @@ ci--meta-debug:
 	python -V
 	node --version

-ci-mypy: ci--meta-debug
-	uv run mypy --strict $(PY_SOURCES)
-
 ci-black: ci--meta-debug
-	uv run black --check $(PY_SOURCES)
+	black --check $(PY_SOURCES)

 ci-ruff: ci--meta-debug
-	uv run ruff check $(PY_SOURCES)
+	ruff check $(PY_SOURCES)

 ci-codespell: ci--meta-debug
-	uv run codespell -s
+	codespell $(CODESPELL_ARGS) -s

 ci-bandit: ci--meta-debug
-	uv run bandit -r $(PY_SOURCES)
+	bandit -r $(PY_SOURCES)

 ci-pending-migrations: ci--meta-debug
-	uv run ak makemigrations --check
-
-ci-test: ci--meta-debug
-	uv run coverage run manage.py test --keepdb --randomly-seed ${CI_TEST_SEED} authentik
-	uv run coverage report
-	uv run coverage xml
+	ak makemigrations --check
--- a/README.md
+++ b/README.md
@@ -9,21 +9,21 @@
 [![GitHub Workflow Status](https://img.shields.io/github/actions/workflow/status/goauthentik/authentik/ci-outpost.yml?branch=main&label=outpost%20build&style=for-the-badge)](https://github.com/goauthentik/authentik/actions/workflows/ci-outpost.yml)
 [![GitHub Workflow Status](https://img.shields.io/github/actions/workflow/status/goauthentik/authentik/ci-web.yml?branch=main&label=web%20build&style=for-the-badge)](https://github.com/goauthentik/authentik/actions/workflows/ci-web.yml)
 [![Code Coverage](https://img.shields.io/codecov/c/gh/goauthentik/authentik?style=for-the-badge)](https://codecov.io/gh/goauthentik/authentik)
-![Latest version](https://img.shields.io/docker/v/authentik/server?sort=semver&style=for-the-badge)
+![Docker pulls](https://img.shields.io/docker/pulls/beryju/authentik.svg?style=for-the-badge)
+![Latest version](https://img.shields.io/docker/v/beryju/authentik?sort=semver&style=for-the-badge)
 [![](https://img.shields.io/badge/Help%20translate-transifex-blue?style=for-the-badge)](https://www.transifex.com/authentik/authentik/)

 ## What is authentik?

-authentik is an open-source Identity Provider (IdP) for modern SSO. It supports SAML, OAuth2/OIDC, LDAP, RADIUS, and more, designed for self-hosting from small labs to large production clusters.
+authentik is an open-source Identity Provider that emphasizes flexibility and versatility, with support for a wide set of protocols.

-Our [enterprise offering](https://goauthentik.io/pricing) is available for organizations to securely replace existing IdPs such as Okta, Auth0, Entra ID, and Ping Identity for robust, large-scale identity management.
+Our [enterprise offer](https://goauthentik.io/pricing) can also be used as a self-hosted replacement for large-scale deployments of Okta/Auth0, Entra ID, Ping Identity, or other legacy IdPs for employees and B2B2C use.

 ## Installation

- Docker Compose: recommended for small/test setups. See the [documentation](https://docs.goauthentik.io/docs/install-config/install/docker-compose/).
- Kubernetes (Helm Chart): recommended for larger setups. See the [documentation](https://docs.goauthentik.io/docs/install-config/install/kubernetes/) and the Helm chart [repository](https://github.com/goauthentik/helm).
- AWS CloudFormation: deploy on AWS using our official templates. See the [documentation](https://docs.goauthentik.io/docs/install-config/install/aws/).
- DigitalOcean Marketplace: one-click deployment via the official Marketplace app. See the [app listing](https://marketplace.digitalocean.com/apps/authentik).
+For small/test setups it is recommended to use Docker Compose; refer to the [documentation](https://goauthentik.io/docs/installation/docker-compose/?utm_source=github).
+
+For bigger setups, there is a Helm Chart [here](https://github.com/goauthentik/helm). This is documented [here](https://goauthentik.io/docs/installation/kubernetes/?utm_source=github).

 ## Screenshots

@@ -32,20 +32,14 @@ Our [enterprise offering](https://goauthentik.io/pricing) is available for organ
 | ![](https://docs.goauthentik.io/img/screen_apps_light.jpg)  | ![](https://docs.goauthentik.io/img/screen_apps_dark.jpg)  |
 | ![](https://docs.goauthentik.io/img/screen_admin_light.jpg) | ![](https://docs.goauthentik.io/img/screen_admin_dark.jpg) |

-## Development and contributions
+## Development

-See the [Developer Documentation](https://docs.goauthentik.io/docs/developer-docs/) for information about setting up local build environments, testing your contributions, and our contribution process.
+See [Developer Documentation](https://goauthentik.io/developer-docs/?utm_source=github)

 ## Security

-Please see [SECURITY.md](SECURITY.md).
+See [SECURITY.md](SECURITY.md)

-## Adoption
+## Adoption and Contributions

-Using authentik? We'd love to hear your story and feature your logo. Email us at [hello@goauthentik.io](mailto:hello@goauthentik.io) or open a GitHub Issue/PR!
-
-## License
-
-[![MIT License](https://img.shields.io/badge/License-MIT-green?style=for-the-badge)](LICENSE)
-[![CC BY-SA 4.0](https://img.shields.io/badge/License-CC%20BY--SA%204.0-lightgrey?style=for-the-badge)](website/LICENSE)
-[![authentik EE License](https://img.shields.io/badge/License-EE-orange?style=for-the-badge)](authentik/enterprise/LICENSE)
+Your organization uses authentik? We'd love to add your logo to the readme and our website! Email us @ hello@goauthentik.io or open a GitHub Issue/PR! For more information on how to contribute to authentik, please refer to our [CONTRIBUTING.md file](./CONTRIBUTING.md).
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -2,7 +2,7 @@ authentik takes security very seriously. We follow the rules of [responsible di

 ## Independent audits and pentests

-We are committed to engaging in regular pentesting and security audits of authentik. Defining and adhering to a cadence of external testing ensures a stronger probability that our code base, our features, and our architecture is as secure and non-exploitable as possible. For more details about specific audits and pentests, refer to "Audits and Certificates" in our [Security documentation](https://docs.goauthentik.io/docs/security).
+In May/June of 2023 [Cure53](https://cure53.de) conducted an audit and pentest. The [results](https://cure53.de/pentest-report_authentik.pdf) are published on the [Cure53 website](https://cure53.de/#publications-2023). For more details about authentik's response to the findings of the audit refer to [2023-06 Cure53 Code audit](https://goauthentik.io/docs/security/2023-06-cure53).

 ## What authentik classifies as a CVE

@@ -18,35 +18,14 @@ Even if the issue is not a CVE, we still greatly appreciate your help in hardeni

 (.x being the latest patch release for each version)

-| Version   | Supported |
-| --------- | --------- |
-| 2025.6.x  | ✅        |
-| 2025.8.x  | ✅        |
+| Version  | Supported |
+| -------- | --------- |
+| 2024.4.x | ✅        |
+| 2024.6.x | ✅        |

 ## Reporting a Vulnerability

-If you discover a potential vulnerability, please report it responsibly through one of the following channels:
-
- **Email**: [security@goauthentik.io](mailto:security@goauthentik.io)
- **GitHub**: Submit a private security advisory via our [repository’s advisory portal](https://github.com/goauthentik/authentik/security/advisories/new)
-
-When submitting a report, please include as much detail as possible, such as:
-
- **Affected version(s)**: The version of authentik where the issue was identified.
- **Steps to reproduce**: A clear description or proof of concept to help us verify the issue.
- **Impact assessment**: How the vulnerability could be exploited and its potential effect.
- **Additional information**: Logs, configuration details (if relevant), or any suggested mitigations.
-
-We kindly ask that you do not disclose the vulnerability publicly until we have confirmed and addressed the issue.
-
-Our team will:
-
- Acknowledge receipt of your report as quickly as possible.
- Keep you updated on the investigation and resolution progress.
-
-## Researcher Recognition
-
-We value contributions from the security community. For each valid report, we will publish a dedicated entry on our Security Advisory page that optionally includes the reporter’s name (or preferred alias). Please note that while we do not currently offer monetary bounties, we are committed to giving researchers appropriate credit for their efforts in keeping authentik secure.
+To report a vulnerability, send an email to [security@goauthentik.io](mailto:security@goauthentik.io). Be sure to include relevant information like which version you've found the issue in, instructions on how to reproduce the issue, and anything else that might make it easier for us to find the issue.

 ## Severity levels

--- a/authentik/init.py
+++ b/authentik/init.py
@@ -1,28 +1,20 @@
 """authentik root module"""

-from functools import lru_cache
 from os import environ

-VERSION = "2025.10.0-rc1"
+__version__ = "2024.8.0"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"


-@lru_cache
-def authentik_version() -> str:
-    return VERSION
-
-
-@lru_cache
-def authentik_build_hash(fallback: str | None = None) -> str:
+def get_build_hash(fallback: str | None = None) -> str:
    """Get build hash"""
    build_hash = environ.get(ENV_GIT_HASH_KEY, fallback if fallback else "")
    return fallback if build_hash == "" and fallback else build_hash


-@lru_cache
-def authentik_full_version() -> str:
+def get_full_version() -> str:
    """Get full version, with build hash appended"""
-    version = authentik_version()
-    if (build_hash := authentik_build_hash()) != "":
-        return f"{version}+{build_hash}"
+    version = __version__
+    if (build_hash := get_build_hash()) != "":
+        version += "." + build_hash
    return version
--- a/authentik/admin/api/metrics.py
+++ b/authentik/admin/api/metrics.py
@@ -0,0 +1,79 @@
+"""authentik administration metrics"""
+
+from datetime import timedelta
+
+from django.db.models.functions import ExtractHour
+from drf_spectacular.utils import extend_schema, extend_schema_field
+from guardian.shortcuts import get_objects_for_user
+from rest_framework.fields import IntegerField, SerializerMethodField
+from rest_framework.permissions import IsAuthenticated
+from rest_framework.request import Request
+from rest_framework.response import Response
+from rest_framework.views import APIView
+
+from authentik.core.api.utils import PassiveSerializer
+from authentik.events.models import EventAction
+
+
+class CoordinateSerializer(PassiveSerializer):
+    """Coordinates for diagrams"""
+
+    x_cord = IntegerField(read_only=True)
+    y_cord = IntegerField(read_only=True)
+
+
+class LoginMetricsSerializer(PassiveSerializer):
+    """Login Metrics per 1h"""
+
+    logins = SerializerMethodField()
+    logins_failed = SerializerMethodField()
+    authorizations = SerializerMethodField()
+
+    @extend_schema_field(CoordinateSerializer(many=True))
+    def get_logins(self, _):
+        """Get successful logins per 8 hours for the last 7 days"""
+        user = self.context["user"]
+        return (
+            get_objects_for_user(user, "authentik_events.view_event").filter(
+                action=EventAction.LOGIN
+            )
+            # 3 data points per day, so 8 hour spans
+            .get_events_per(timedelta(days=7), ExtractHour, 7 * 3)
+        )
+
+    @extend_schema_field(CoordinateSerializer(many=True))
+    def get_logins_failed(self, _):
+        """Get failed logins per 8 hours for the last 7 days"""
+        user = self.context["user"]
+        return (
+            get_objects_for_user(user, "authentik_events.view_event").filter(
+                action=EventAction.LOGIN_FAILED
+            )
+            # 3 data points per day, so 8 hour spans
+            .get_events_per(timedelta(days=7), ExtractHour, 7 * 3)
+        )
+
+    @extend_schema_field(CoordinateSerializer(many=True))
+    def get_authorizations(self, _):
+        """Get successful authorizations per 8 hours for the last 7 days"""
+        user = self.context["user"]
+        return (
+            get_objects_for_user(user, "authentik_events.view_event").filter(
+                action=EventAction.AUTHORIZE_APPLICATION
+            )
+            # 3 data points per day, so 8 hour spans
+            .get_events_per(timedelta(days=7), ExtractHour, 7 * 3)
+        )
+
+
+class AdministrationMetricsViewSet(APIView):
+    """Login Metrics per 1h"""
+
+    permission_classes = [IsAuthenticated]
+
+    @extend_schema(responses={200: LoginMetricsSerializer(many=False)})
+    def get(self, request: Request) -> Response:
+        """Login Metrics per 1h"""
+        serializer = LoginMetricsSerializer(True)
+        serializer.context["user"] = request.user
+        return Response(serializer.data)
--- a/authentik/admin/api/system.py
+++ b/authentik/admin/api/system.py
@@ -7,16 +7,14 @@ from sys import version as python_version
 from typing import TypedDict

 from cryptography.hazmat.backends.openssl.backend import backend
-from django.conf import settings
 from django.utils.timezone import now
-from django.views.debug import SafeExceptionReporterFilter
 from drf_spectacular.utils import extend_schema
 from rest_framework.fields import SerializerMethodField
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.views import APIView

-from authentik import authentik_full_version
+from authentik import get_full_version
 from authentik.core.api.utils import PassiveSerializer
 from authentik.enterprise.license import LicenseKey
 from authentik.lib.config import CONFIG
@@ -54,16 +52,10 @@ class SystemInfoSerializer(PassiveSerializer):
    def get_http_headers(self, request: Request) -> dict[str, str]:
        """Get HTTP Request headers"""
        headers = {}
-        raw_session = request._request.COOKIES.get(settings.SESSION_COOKIE_NAME)
        for key, value in request.META.items():
            if not isinstance(value, str):
                continue
-            actual_value = value
-            if raw_session is not None and raw_session in actual_value:
-                actual_value = actual_value.replace(
-                    raw_session, SafeExceptionReporterFilter.cleansed_substitute
-                )
-            headers[key] = actual_value
+            headers[key] = value
        return headers

    def get_http_host(self, request: Request) -> str:
@@ -78,7 +70,7 @@ class SystemInfoSerializer(PassiveSerializer):
        """Get versions"""
        return {
            "architecture": platform.machine(),
-            "authentik_version": authentik_full_version(),
+            "authentik_version": get_full_version(),
            "environment": get_env(),
            "openssl_fips_enabled": (
                backend._fips_enabled if LicenseKey.get_total().status().is_valid else None
--- a/authentik/admin/api/version.py
+++ b/authentik/admin/api/version.py
@@ -1,7 +1,6 @@
 """authentik administration overview"""

 from django.core.cache import cache
-from django_tenants.utils import get_public_schema_name
 from drf_spectacular.utils import extend_schema
 from packaging.version import parse
 from rest_framework.fields import SerializerMethodField
@@ -10,11 +9,10 @@ from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.views import APIView

-from authentik import authentik_build_hash, authentik_version
+from authentik import __version__, get_build_hash
 from authentik.admin.tasks import VERSION_CACHE_KEY, VERSION_NULL, update_latest_version
 from authentik.core.api.utils import PassiveSerializer
 from authentik.outposts.models import Outpost
-from authentik.tenants.utils import get_current_tenant


 class VersionSerializer(PassiveSerializer):
@@ -29,20 +27,18 @@ class VersionSerializer(PassiveSerializer):

    def get_build_hash(self, _) -> str:
        """Get build hash, if version is not latest or released"""
-        return authentik_build_hash()
+        return get_build_hash()

    def get_version_current(self, _) -> str:
        """Get current version"""
-        return authentik_version()
+        return __version__

    def get_version_latest(self, _) -> str:
        """Get latest version from cache"""
-        if get_current_tenant().schema_name == get_public_schema_name():
-            return authentik_version()
        version_in_cache = cache.get(VERSION_CACHE_KEY)
        if not version_in_cache:  # pragma: no cover
-            update_latest_version.send()
-            return authentik_version()
+            update_latest_version.delay()
+            return __version__
        return version_in_cache

    def get_version_latest_valid(self, _) -> bool:
--- a/authentik/admin/api/version_history.py
+++ b/authentik/admin/api/version_history.py
@@ -1,33 +0,0 @@
-from rest_framework.permissions import IsAdminUser
-from rest_framework.viewsets import ReadOnlyModelViewSet
-
-from authentik.admin.models import VersionHistory
-from authentik.core.api.utils import ModelSerializer
-
-
-class VersionHistorySerializer(ModelSerializer):
-    """VersionHistory Serializer"""
-
-    class Meta:
-        model = VersionHistory
-        fields = [
-            "id",
-            "timestamp",
-            "version",
-            "build",
-        ]
-
-
-class VersionHistoryViewSet(ReadOnlyModelViewSet):
-    """VersionHistory Viewset"""
-
-    queryset = VersionHistory.objects.all()
-    serializer_class = VersionHistorySerializer
-    permission_classes = [IsAdminUser]
-    filterset_fields = [
-        "version",
-        "build",
-    ]
-    search_fields = ["version", "build"]
-    ordering = ["-timestamp"]
-    pagination_class = None
--- a/authentik/admin/api/workers.py
+++ b/authentik/admin/api/workers.py
@@ -0,0 +1,26 @@
+"""authentik administration overview"""
+
+from django.conf import settings
+from drf_spectacular.utils import extend_schema, inline_serializer
+from rest_framework.fields import IntegerField
+from rest_framework.request import Request
+from rest_framework.response import Response
+from rest_framework.views import APIView
+
+from authentik.rbac.permissions import HasPermission
+from authentik.root.celery import CELERY_APP
+
+
+class WorkerView(APIView):
+    """Get currently connected worker count."""
+
+    permission_classes = [HasPermission("authentik_rbac.view_system_info")]
+
+    @extend_schema(responses=inline_serializer("Workers", fields={"count": IntegerField()}))
+    def get(self, request: Request) -> Response:
+        """Get currently connected worker count."""
+        count = len(CELERY_APP.control.ping(timeout=0.5))
+        # In debug we run with `task_always_eager`, so tasks are ran on the main process
+        if settings.DEBUG:  # pragma: no cover
+            count += 1
+        return Response({"count": count})
--- a/authentik/admin/apps.py
+++ b/authentik/admin/apps.py
@@ -1,13 +1,11 @@
 """authentik admin app config"""

-from prometheus_client import Info
+from prometheus_client import Gauge, Info

 from authentik.blueprints.apps import ManagedAppConfig
-from authentik.lib.config import CONFIG
-from authentik.lib.utils.time import fqdn_rand
-from authentik.tasks.schedules.common import ScheduleSpec

 PROM_INFO = Info("authentik_version", "Currently running authentik version")
+GAUGE_WORKERS = Gauge("authentik_admin_workers", "Currently connected workers")


 class AuthentikAdminConfig(ManagedAppConfig):
@@ -17,31 +15,3 @@ class AuthentikAdminConfig(ManagedAppConfig):
    label = "authentik_admin"
    verbose_name = "authentik Admin"
    default = True
-
-    @ManagedAppConfig.reconcile_global
-    def clear_update_notifications(self):
-        """Clear update notifications on startup if the notification was for the version
-        we're running now."""
-        from packaging.version import parse
-
-        from authentik.admin.tasks import LOCAL_VERSION
-        from authentik.events.models import EventAction, Notification
-
-        for notification in Notification.objects.filter(event__action=EventAction.UPDATE_AVAILABLE):
-            if "new_version" not in notification.event.context:
-                continue
-            notification_version = notification.event.context["new_version"]
-            if LOCAL_VERSION >= parse(notification_version):
-                notification.delete()
-
-    @property
-    def global_schedule_specs(self) -> list[ScheduleSpec]:
-        from authentik.admin.tasks import update_latest_version
-
-        return [
-            ScheduleSpec(
-                actor=update_latest_version,
-                crontab=f"{fqdn_rand('admin_latest_version')} * * * *",
-                paused=CONFIG.get_bool("disable_update_check"),
-            ),
-        ]
--- a/authentik/admin/models.py
+++ b/authentik/admin/models.py
@@ -1,22 +0,0 @@
-"""authentik admin models"""
-
-from django.db import models
-from django.utils.translation import gettext_lazy as _
-
-
-class VersionHistory(models.Model):
-    id = models.BigAutoField(primary_key=True)
-    timestamp = models.DateTimeField()
-    version = models.TextField()
-    build = models.TextField()
-
-    class Meta:
-        managed = False
-        db_table = "authentik_version_history"
-        ordering = ("-timestamp",)
-        verbose_name = _("Version history")
-        verbose_name_plural = _("Version history")
-        default_permissions = []
-
-    def __str__(self):
-        return f"{self.version}.{self.build} ({self.timestamp})"
--- a/authentik/admin/settings.py
+++ b/authentik/admin/settings.py
@@ -0,0 +1,13 @@
+"""authentik admin settings"""
+
+from celery.schedules import crontab
+
+from authentik.lib.utils.time import fqdn_rand
+
+CELERY_BEAT_SCHEDULE = {
+    "admin_latest_version": {
+        "task": "authentik.admin.tasks.update_latest_version",
+        "schedule": crontab(minute=fqdn_rand("admin_latest_version"), hour="*"),
+        "options": {"queue": "authentik_scheduled"},
+    }
+}
--- a/authentik/admin/signals.py
+++ b/authentik/admin/signals.py
@@ -1,9 +1,14 @@
+"""admin signals"""
+
 from django.dispatch import receiver

-from authentik.admin.tasks import _set_prom_info
-from authentik.root.signals import post_startup
+from authentik.admin.apps import GAUGE_WORKERS
+from authentik.root.celery import CELERY_APP
+from authentik.root.monitoring import monitoring_set


-@receiver(post_startup)
-def post_startup_admin_metrics(sender, **_):
-    _set_prom_info()
+@receiver(monitoring_set)
+def monitoring_set_workers(sender, **kwargs):
+    """Set worker gauge"""
+    count = len(CELERY_APP.control.ping(timeout=0.5))
+    GAUGE_WORKERS.set(count)
--- a/authentik/admin/tasks.py
+++ b/authentik/admin/tasks.py
@@ -1,43 +1,63 @@
 """authentik admin tasks"""

+import re
+
 from django.core.cache import cache
-from django.utils.translation import gettext_lazy as _
-from dramatiq import actor
+from django.core.validators import URLValidator
+from django.db import DatabaseError, InternalError, ProgrammingError
 from packaging.version import parse
 from requests import RequestException
 from structlog.stdlib import get_logger

-from authentik import authentik_build_hash, authentik_version
+from authentik import __version__, get_build_hash
 from authentik.admin.apps import PROM_INFO
-from authentik.events.models import Event, EventAction
+from authentik.events.models import Event, EventAction, Notification
+from authentik.events.system_tasks import SystemTask, TaskStatus, prefill_task
 from authentik.lib.config import CONFIG
 from authentik.lib.utils.http import get_http_session
-from authentik.tasks.middleware import CurrentTask
+from authentik.root.celery import CELERY_APP

 LOGGER = get_logger()
 VERSION_NULL = "0.0.0"
 VERSION_CACHE_KEY = "authentik_latest_version"
 VERSION_CACHE_TIMEOUT = 8 * 60 * 60  # 8 hours
-LOCAL_VERSION = parse(authentik_version())
+# Chop of the first ^ because we want to search the entire string
+URL_FINDER = URLValidator.regex.pattern[1:]
+LOCAL_VERSION = parse(__version__)


 def _set_prom_info():
    """Set prometheus info for version"""
    PROM_INFO.info(
        {
-            "version": authentik_version(),
+            "version": __version__,
            "latest": cache.get(VERSION_CACHE_KEY, ""),
-            "build_hash": authentik_build_hash(),
+            "build_hash": get_build_hash(),
        }
    )


-@actor(description=_("Update latest version info."))
-def update_latest_version():
-    self = CurrentTask.get_task()
+@CELERY_APP.task(
+    throws=(DatabaseError, ProgrammingError, InternalError),
+)
+def clear_update_notifications():
+    """Clear update notifications on startup if the notification was for the version
+    we're running now."""
+    for notification in Notification.objects.filter(event__action=EventAction.UPDATE_AVAILABLE):
+        if "new_version" not in notification.event.context:
+            continue
+        notification_version = notification.event.context["new_version"]
+        if LOCAL_VERSION >= parse(notification_version):
+            notification.delete()
+
+
+@CELERY_APP.task(bind=True, base=SystemTask)
+@prefill_task
+def update_latest_version(self: SystemTask):
+    """Update latest version info"""
    if CONFIG.get_bool("disable_update_check"):
        cache.set(VERSION_CACHE_KEY, VERSION_NULL, VERSION_CACHE_TIMEOUT)
-        self.info("Version check disabled.")
+        self.set_status(TaskStatus.WARNING, "Version check disabled.")
        return
    try:
        response = get_http_session().get(
@@ -47,7 +67,7 @@ def update_latest_version():
        data = response.json()
        upstream_version = data.get("stable", {}).get("version")
        cache.set(VERSION_CACHE_KEY, upstream_version, VERSION_CACHE_TIMEOUT)
-        self.info("Successfully updated latest Version")
+        self.set_status(TaskStatus.SUCCESSFUL, "Successfully updated latest Version")
        _set_prom_info()
        # Check if upstream version is newer than what we're running,
        # and if no event exists yet, create one.
@@ -58,16 +78,13 @@ def update_latest_version():
                context__new_version=upstream_version,
            ).exists():
                return
-            Event.new(
-                EventAction.UPDATE_AVAILABLE,
-                message=_(
-                    "New version {version} available!".format(
-                        version=upstream_version,
-                    )
-                ),
-                new_version=upstream_version,
-                changelog=data.get("stable", {}).get("changelog_url"),
-            ).save()
+            event_dict = {"new_version": upstream_version}
+            if match := re.search(URL_FINDER, data.get("stable", {}).get("changelog", "")):
+                event_dict["message"] = f"Changelog: {match.group()}"
+            Event.new(EventAction.UPDATE_AVAILABLE, **event_dict).save()
    except (RequestException, IndexError) as exc:
        cache.set(VERSION_CACHE_KEY, VERSION_NULL, VERSION_CACHE_TIMEOUT)
-        raise exc
+        self.set_error(exc)
+
+
+_set_prom_info()
--- a/authentik/admin/tests/test_api.py
+++ b/authentik/admin/tests/test_api.py
@@ -5,7 +5,7 @@ from json import loads
 from django.test import TestCase
 from django.urls import reverse

-from authentik import authentik_version
+from authentik import __version__
 from authentik.blueprints.tests import reconcile_app
 from authentik.core.models import Group, User
 from authentik.lib.generators import generate_id
@@ -27,7 +27,19 @@ class TestAdminAPI(TestCase):
        response = self.client.get(reverse("authentik_api:admin_version"))
        self.assertEqual(response.status_code, 200)
        body = loads(response.content)
-        self.assertEqual(body["version_current"], authentik_version())
+        self.assertEqual(body["version_current"], __version__)
+
+    def test_workers(self):
+        """Test Workers API"""
+        response = self.client.get(reverse("authentik_api:admin_workers"))
+        self.assertEqual(response.status_code, 200)
+        body = loads(response.content)
+        self.assertEqual(body["count"], 0)
+
+    def test_metrics(self):
+        """Test metrics API"""
+        response = self.client.get(reverse("authentik_api:admin_metrics"))
+        self.assertEqual(response.status_code, 200)

    def test_apps(self):
        """Test apps API"""
--- a/authentik/admin/tests/test_tasks.py
+++ b/authentik/admin/tests/test_tasks.py
@@ -1,12 +1,12 @@
 """test admin tasks"""

-from django.apps import apps
 from django.core.cache import cache
 from django.test import TestCase
 from requests_mock import Mocker

 from authentik.admin.tasks import (
    VERSION_CACHE_KEY,
+    clear_update_notifications,
    update_latest_version,
 )
 from authentik.events.models import Event, EventAction
@@ -17,7 +17,6 @@ RESPONSE_VALID = {
    "stable": {
        "version": "99999999.9999999",
        "changelog": "See https://goauthentik.io/test",
-        "changelog_url": "https://goauthentik.io/test",
        "reason": "bugfix",
    },
 }
@@ -30,23 +29,23 @@ class TestAdminTasks(TestCase):
        """Test Update checker with valid response"""
        with Mocker() as mocker, CONFIG.patch("disable_update_check", False):
            mocker.get("https://version.goauthentik.io/version.json", json=RESPONSE_VALID)
-            update_latest_version.send()
+            update_latest_version.delay().get()
            self.assertEqual(cache.get(VERSION_CACHE_KEY), "99999999.9999999")
            self.assertTrue(
                Event.objects.filter(
                    action=EventAction.UPDATE_AVAILABLE,
                    context__new_version="99999999.9999999",
-                    context__message="New version 99999999.9999999 available!",
+                    context__message="Changelog: https://goauthentik.io/test",
                ).exists()
            )
            # test that a consecutive check doesn't create a duplicate event
-            update_latest_version.send()
+            update_latest_version.delay().get()
            self.assertEqual(
                len(
                    Event.objects.filter(
                        action=EventAction.UPDATE_AVAILABLE,
                        context__new_version="99999999.9999999",
-                        context__message="New version 99999999.9999999 available!",
+                        context__message="Changelog: https://goauthentik.io/test",
                    )
                ),
                1,
@@ -56,7 +55,7 @@ class TestAdminTasks(TestCase):
        """Test Update checker with invalid response"""
        with Mocker() as mocker:
            mocker.get("https://version.goauthentik.io/version.json", status_code=400)
-            update_latest_version.send()
+            update_latest_version.delay().get()
            self.assertEqual(cache.get(VERSION_CACHE_KEY), "0.0.0")
            self.assertFalse(
                Event.objects.filter(
@@ -67,19 +66,17 @@ class TestAdminTasks(TestCase):
    def test_version_disabled(self):
        """Test Update checker while its disabled"""
        with CONFIG.patch("disable_update_check", True):
-            update_latest_version.send()
+            update_latest_version.delay().get()
            self.assertEqual(cache.get(VERSION_CACHE_KEY), "0.0.0")

    def test_clear_update_notifications(self):
        """Test clear of previous notification"""
-        admin_config = apps.get_app_config("authentik_admin")
        Event.objects.create(
-            action=EventAction.UPDATE_AVAILABLE,
-            context={"new_version": "99999999.9999999.9999999"},
+            action=EventAction.UPDATE_AVAILABLE, context={"new_version": "99999999.9999999.9999999"}
        )
        Event.objects.create(action=EventAction.UPDATE_AVAILABLE, context={"new_version": "1.1.1"})
        Event.objects.create(action=EventAction.UPDATE_AVAILABLE, context={})
-        admin_config.clear_update_notifications()
+        clear_update_notifications()
        self.assertFalse(
            Event.objects.filter(
                action=EventAction.UPDATE_AVAILABLE, context__new_version="1.1"
--- a/authentik/admin/urls.py
+++ b/authentik/admin/urls.py
@@ -3,14 +3,20 @@
 from django.urls import path

 from authentik.admin.api.meta import AppsViewSet, ModelViewSet
+from authentik.admin.api.metrics import AdministrationMetricsViewSet
 from authentik.admin.api.system import SystemView
 from authentik.admin.api.version import VersionView
-from authentik.admin.api.version_history import VersionHistoryViewSet
+from authentik.admin.api.workers import WorkerView

 api_urlpatterns = [
    ("admin/apps", AppsViewSet, "apps"),
    ("admin/models", ModelViewSet, "models"),
+    path(
+        "admin/metrics/",
+        AdministrationMetricsViewSet.as_view(),
+        name="admin_metrics",
+    ),
    path("admin/version/", VersionView.as_view(), name="admin_version"),
-    ("admin/version/history", VersionHistoryViewSet, "version_history"),
+    path("admin/workers/", WorkerView.as_view(), name="admin_workers"),
    path("admin/system/", SystemView.as_view(), name="admin_system"),
 ]
--- a/authentik/api/apps.py
+++ b/authentik/api/apps.py
@@ -1,13 +1,12 @@
 """authentik API AppConfig"""

-from authentik.blueprints.apps import ManagedAppConfig
+from django.apps import AppConfig


-class AuthentikAPIConfig(ManagedAppConfig):
+class AuthentikAPIConfig(AppConfig):
    """authentik API Config"""

    name = "authentik.api"
    label = "authentik_api"
    mountpoint = "api/"
    verbose_name = "authentik API"
-    default = True
--- a/authentik/api/authentication.py
+++ b/authentik/api/authentication.py
@@ -1,12 +1,9 @@
 """API Authentication"""

 from hmac import compare_digest
-from pathlib import Path
-from tempfile import gettempdir
 from typing import Any

 from django.conf import settings
-from django.contrib.auth.models import AnonymousUser
 from drf_spectacular.extensions import OpenApiAuthenticationExtension
 from rest_framework.authentication import BaseAuthentication, get_authorization_header
 from rest_framework.exceptions import AuthenticationFailed
@@ -14,17 +11,11 @@ from rest_framework.request import Request
 from structlog.stdlib import get_logger

 from authentik.core.middleware import CTX_AUTH_VIA
-from authentik.core.models import Token, TokenIntents, User, UserTypes
+from authentik.core.models import Token, TokenIntents, User
 from authentik.outposts.models import Outpost
 from authentik.providers.oauth2.constants import SCOPE_AUTHENTIK_API

 LOGGER = get_logger()
-_tmp = Path(gettempdir())
-try:
-    with open(_tmp / "authentik-core-ipc.key") as _f:
-        ipc_key = _f.read()
-except OSError:
-    ipc_key = None


 def validate_auth(header: bytes) -> str | None:
@@ -82,11 +73,6 @@ def auth_user_lookup(raw_header: bytes) -> User | None:
    if user:
        CTX_AUTH_VIA.set("secret_key")
        return user
-    # then try to auth via secret key (for embedded outpost/etc)
-    user = token_ipc(auth_credentials)
-    if user:
-        CTX_AUTH_VIA.set("ipc")
-        return user
    raise AuthenticationFailed("Token invalid/expired")


@@ -104,43 +90,6 @@ def token_secret_key(value: str) -> User | None:
    return outpost.user


-class IPCUser(AnonymousUser):
-    """'Virtual' user for IPC communication between authentik core and the authentik router"""
-
-    username = "authentik:system"
-    is_active = True
-    is_superuser = True
-
-    @property
-    def type(self):
-        return UserTypes.INTERNAL_SERVICE_ACCOUNT
-
-    def has_perm(self, perm, obj=None):
-        return True
-
-    def has_perms(self, perm_list, obj=None):
-        return True
-
-    def has_module_perms(self, module):
-        return True
-
-    @property
-    def is_anonymous(self):
-        return False
-
-    @property
-    def is_authenticated(self):
-        return True
-
-
-def token_ipc(value: str) -> User | None:
-    """Check if the token is the secret key
-    and return the service account for the managed outpost"""
-    if not ipc_key or not compare_digest(value, ipc_key):
-        return None
-    return IPCUser()
-
-
 class TokenAuthentication(BaseAuthentication):
    """Token-based authentication using HTTP Bearer authentication"""

--- a/authentik/api/authorization.py
+++ b/authentik/api/authorization.py
@@ -0,0 +1,67 @@
+"""API Authorization"""
+
+from django.conf import settings
+from django.db.models import Model
+from django.db.models.query import QuerySet
+from django_filters.rest_framework import DjangoFilterBackend
+from rest_framework.authentication import get_authorization_header
+from rest_framework.filters import BaseFilterBackend
+from rest_framework.permissions import BasePermission
+from rest_framework.request import Request
+
+from authentik.api.authentication import validate_auth
+from authentik.rbac.filters import ObjectFilter
+
+
+class OwnerFilter(BaseFilterBackend):
+    """Filter objects by their owner"""
+
+    owner_key = "user"
+
+    def filter_queryset(self, request: Request, queryset: QuerySet, view) -> QuerySet:
+        if request.user.is_superuser:
+            return queryset
+        return queryset.filter(**{self.owner_key: request.user})
+
+
+class SecretKeyFilter(DjangoFilterBackend):
+    """Allow access to all objects when authenticated with secret key as token.
+
+    Replaces both DjangoFilterBackend and ObjectFilter"""
+
+    def filter_queryset(self, request: Request, queryset: QuerySet, view) -> QuerySet:
+        auth_header = get_authorization_header(request)
+        token = validate_auth(auth_header)
+        if token and token == settings.SECRET_KEY:
+            return queryset
+        queryset = ObjectFilter().filter_queryset(request, queryset, view)
+        return super().filter_queryset(request, queryset, view)
+
+
+class OwnerPermissions(BasePermission):
+    """Authorize requests by an object's owner matching the requesting user"""
+
+    owner_key = "user"
+
+    def has_permission(self, request: Request, view) -> bool:
+        """If the user is authenticated, we allow all requests here. For listing, the
+        object-level permissions are done by the filter backend"""
+        return request.user.is_authenticated
+
+    def has_object_permission(self, request: Request, view, obj: Model) -> bool:
+        """Check if the object's owner matches the currently logged in user"""
+        if not hasattr(obj, self.owner_key):
+            return False
+        owner = getattr(obj, self.owner_key)
+        if owner != request.user:
+            return False
+        return True
+
+
+class OwnerSuperuserPermissions(OwnerPermissions):
+    """Similar to OwnerPermissions, except always allow access for superusers"""
+
+    def has_object_permission(self, request: Request, view, obj: Model) -> bool:
+        if request.user.is_superuser:
+            return True
+        return super().has_object_permission(request, view, obj)
--- a/authentik/api/pagination.py
+++ b/authentik/api/pagination.py
@@ -1,10 +1,44 @@
 """Pagination which includes total pages and current page"""

-from drf_spectacular.plumbing import build_object_type
 from rest_framework import pagination
 from rest_framework.response import Response

-from authentik.api.v3.schema.response import PAGINATION
+PAGINATION_COMPONENT_NAME = "Pagination"
+PAGINATION_SCHEMA = {
+    "type": "object",
+    "properties": {
+        "next": {
+            "type": "number",
+        },
+        "previous": {
+            "type": "number",
+        },
+        "count": {
+            "type": "number",
+        },
+        "current": {
+            "type": "number",
+        },
+        "total_pages": {
+            "type": "number",
+        },
+        "start_index": {
+            "type": "number",
+        },
+        "end_index": {
+            "type": "number",
+        },
+    },
+    "required": [
+        "next",
+        "previous",
+        "count",
+        "current",
+        "total_pages",
+        "start_index",
+        "end_index",
+    ],
+}


 class Pagination(pagination.PageNumberPagination):
@@ -36,13 +70,14 @@ class Pagination(pagination.PageNumberPagination):
        )

    def get_paginated_response_schema(self, schema):
-        return build_object_type(
-            properties={
-                "pagination": PAGINATION.ref,
+        return {
+            "type": "object",
+            "properties": {
+                "pagination": {"$ref": f"#/components/schemas/{PAGINATION_COMPONENT_NAME}"},
                "results": schema,
            },
-            required=["pagination", "results"],
-        )
+            "required": ["pagination", "results"],
+        }


 class SmallerPagination(Pagination):
--- a/authentik/api/schema.py
+++ b/authentik/api/schema.py
@@ -1,60 +1,96 @@
 """Error Response schema, from https://github.com/axnsan12/drf-yasg/issues/224"""

-from collections.abc import Callable
-from typing import Any
-
+from django.utils.translation import gettext_lazy as _
 from drf_spectacular.generators import SchemaGenerator
-from drf_spectacular.plumbing import ResolvedComponent
-from drf_spectacular.renderers import OpenApiJsonRenderer
+from drf_spectacular.plumbing import (
+    ResolvedComponent,
+    build_array_type,
+    build_basic_type,
+    build_object_type,
+)
 from drf_spectacular.settings import spectacular_settings
-from structlog.stdlib import get_logger
+from drf_spectacular.types import OpenApiTypes
+from rest_framework.settings import api_settings

 from authentik.api.apps import AuthentikAPIConfig
-from authentik.api.v3.schema.query import QUERY_PARAMS
-from authentik.api.v3.schema.response import (
-    GENERIC_ERROR,
-    GENERIC_ERROR_RESPONSE,
-    PAGINATION,
-    VALIDATION_ERROR,
-    VALIDATION_ERROR_RESPONSE,
+from authentik.api.pagination import PAGINATION_COMPONENT_NAME, PAGINATION_SCHEMA
+
+
+def build_standard_type(obj, **kwargs):
+    """Build a basic type with optional add owns."""
+    schema = build_basic_type(obj)
+    schema.update(kwargs)
+    return schema
+
+
+GENERIC_ERROR = build_object_type(
+    description=_("Generic API Error"),
+    properties={
+        "detail": build_standard_type(OpenApiTypes.STR),
+        "code": build_standard_type(OpenApiTypes.STR),
+    },
+    required=["detail"],
+)
+VALIDATION_ERROR = build_object_type(
+    description=_("Validation Error"),
+    properties={
+        api_settings.NON_FIELD_ERRORS_KEY: build_array_type(build_standard_type(OpenApiTypes.STR)),
+        "code": build_standard_type(OpenApiTypes.STR),
+    },
+    required=[],
+    additionalProperties={},
 )

-LOGGER = get_logger()
+
+def create_component(generator: SchemaGenerator, name, schema, type_=ResolvedComponent.SCHEMA):
+    """Register a component and return a reference to it."""
+    component = ResolvedComponent(
+        name=name,
+        type=type_,
+        schema=schema,
+        object=name,
+    )
+    generator.registry.register_on_missing(component)
+    return component


-def preprocess_schema_exclude_non_api(endpoints: list[tuple[str, Any, Any, Callable]], **kwargs):
-    """Filter out all API Views which are not mounted under /api"""
-    return [
-        (path, path_regex, method, callback)
-        for path, path_regex, method, callback in endpoints
-        if path.startswith("/" + AuthentikAPIConfig.mountpoint)
-    ]
+def postprocess_schema_responses(result, generator: SchemaGenerator, **kwargs):  # noqa: W0613
+    """Workaround to set a default response for endpoints.
+    Workaround suggested at
+    <https://github.com/tfranzel/drf-spectacular/issues/119#issuecomment-656970357>
+    for the missing drf-spectacular feature discussed in
+    <https://github.com/tfranzel/drf-spectacular/issues/101>.
+    """

+    create_component(generator, PAGINATION_COMPONENT_NAME, PAGINATION_SCHEMA)

-def postprocess_schema_register(
-    result: dict[str, Any], generator: SchemaGenerator, **kwargs
-) -> dict[str, Any]:
-    """Register custom schema components"""
-    LOGGER.debug("Registering custom schemas")
-    generator.registry.register_on_missing(PAGINATION)
-    generator.registry.register_on_missing(GENERIC_ERROR)
-    generator.registry.register_on_missing(GENERIC_ERROR_RESPONSE)
-    generator.registry.register_on_missing(VALIDATION_ERROR)
-    generator.registry.register_on_missing(VALIDATION_ERROR_RESPONSE)
-    for query in QUERY_PARAMS.values():
-        generator.registry.register_on_missing(query)
-    return result
+    generic_error = create_component(generator, "GenericError", GENERIC_ERROR)
+    validation_error = create_component(generator, "ValidationError", VALIDATION_ERROR)

-
-def postprocess_schema_responses(
-    result: dict[str, Any], generator: SchemaGenerator, **kwargs
-) -> dict[str, Any]:
-    """Default error responses"""
-    LOGGER.debug("Adding default error responses")
    for path in result["paths"].values():
        for method in path.values():
-            method["responses"].setdefault("400", VALIDATION_ERROR_RESPONSE.ref)
-            method["responses"].setdefault("403", GENERIC_ERROR_RESPONSE.ref)
+            method["responses"].setdefault(
+                "400",
+                {
+                    "content": {
+                        "application/json": {
+                            "schema": validation_error.ref,
+                        }
+                    },
+                    "description": "",
+                },
+            )
+            method["responses"].setdefault(
+                "403",
+                {
+                    "content": {
+                        "application/json": {
+                            "schema": generic_error.ref,
+                        }
+                    },
+                    "description": "",
+                },
+            )

    result["components"] = generator.registry.build(spectacular_settings.APPEND_COMPONENTS)

@@ -68,36 +104,10 @@ def postprocess_schema_responses(
    return result


-def postprocess_schema_query_params(
-    result: dict[str, Any], generator: SchemaGenerator, **kwargs
-) -> dict[str, Any]:
-    """Optimise pagination parameters, instead of redeclaring parameters for each endpoint
-    declare them globally and refer to them"""
-    LOGGER.debug("Deduplicating query parameters")
-    for path in result["paths"].values():
-        for method in path.values():
-            for idx, param in enumerate(method.get("parameters", [])):
-                if param["name"] not in QUERY_PARAMS:
-                    continue
-                method["parameters"][idx] = QUERY_PARAMS[param["name"]].ref
-    return result
-
-
-def postprocess_schema_remove_unused(
-    result: dict[str, Any], generator: SchemaGenerator, **kwargs
-) -> dict[str, Any]:
-    """Remove unused components"""
-    # To check if the schema is used, render it to JSON and then substring check that
-    # less efficient than walking through the tree but a lot simpler and no
-    # possibility that we miss something
-    raw = OpenApiJsonRenderer().render(result, renderer_context={}).decode()
-    count = 0
-    for key in result["components"][ResolvedComponent.SCHEMA].keys():
-        schema_usages = raw.count(f"#/components/{ResolvedComponent.SCHEMA}/{key}")
-        if schema_usages >= 1:
-            continue
-        del generator.registry[(key, ResolvedComponent.SCHEMA)]
-        count += 1
-    LOGGER.debug("Removing unused components", count=count)
-    result["components"] = generator.registry.build(spectacular_settings.APPEND_COMPONENTS)
-    return result
+def preprocess_schema_exclude_non_api(endpoints, **kwargs):
+    """Filter out all API Views which are not mounted under /api"""
+    return [
+        (path, path_regex, method, callback)
+        for path, path_regex, method, callback in endpoints
+        if path.startswith("/" + AuthentikAPIConfig.mountpoint)
+    ]
--- a/authentik/api/templates/api/browser.html
+++ b/authentik/api/templates/api/browser.html
@@ -7,7 +7,9 @@ API Browser - {{ brand.branding_title }}
 {% endblock %}

 {% block head %}
-<script src="{% versioned_script 'dist/standalone/api-browser/index-%v.js' %}" type="module"></script>
+{% versioned_script "dist/standalone/api-browser/index-%v.js" %}
+<meta name="theme-color" content="#151515" media="(prefers-color-scheme: light)">
+<meta name="theme-color" content="#151515" media="(prefers-color-scheme: dark)">
 {% endblock %}

 {% block body %}
--- a/authentik/api/v3/config.py
+++ b/authentik/api/v3/config.py
@@ -56,6 +56,7 @@ class ConfigSerializer(PassiveSerializer):
    cache_timeout = IntegerField(required=True)
    cache_timeout_flows = IntegerField(required=True)
    cache_timeout_policies = IntegerField(required=True)
+    cache_timeout_reputation = IntegerField(required=True)


 class ConfigView(APIView):
@@ -102,6 +103,7 @@ class ConfigView(APIView):
                "cache_timeout": CONFIG.get_int("cache.timeout"),
                "cache_timeout_flows": CONFIG.get_int("cache.timeout_flows"),
                "cache_timeout_policies": CONFIG.get_int("cache.timeout_policies"),
+                "cache_timeout_reputation": CONFIG.get_int("cache.timeout_reputation"),
            }
        )

--- a/authentik/api/v3/schema/query.py
+++ b/authentik/api/v3/schema/query.py
@@ -1,65 +0,0 @@
-from django.utils.translation import gettext_lazy as _
-from drf_spectacular.plumbing import (
-    ResolvedComponent,
-    build_basic_type,
-    build_parameter_type,
-)
-from drf_spectacular.types import OpenApiTypes
-
-QUERY_PARAMS = {
-    "ordering": ResolvedComponent(
-        name="QueryPaginationOrdering",
-        type=ResolvedComponent.PARAMETER,
-        object="QueryPaginationOrdering",
-        schema=build_parameter_type(
-            name="ordering",
-            schema=build_basic_type(OpenApiTypes.STR),
-            location="query",
-            description=_("Which field to use when ordering the results."),
-        ),
-    ),
-    "page": ResolvedComponent(
-        name="QueryPaginationPage",
-        type=ResolvedComponent.PARAMETER,
-        object="QueryPaginationPage",
-        schema=build_parameter_type(
-            name="page",
-            schema=build_basic_type(OpenApiTypes.INT),
-            location="query",
-            description=_("A page number within the paginated result set."),
-        ),
-    ),
-    "page_size": ResolvedComponent(
-        name="QueryPaginationPageSize",
-        type=ResolvedComponent.PARAMETER,
-        object="QueryPaginationPageSize",
-        schema=build_parameter_type(
-            name="page_size",
-            schema=build_basic_type(OpenApiTypes.INT),
-            location="query",
-            description=_("Number of results to return per page."),
-        ),
-    ),
-    "search": ResolvedComponent(
-        name="QuerySearch",
-        type=ResolvedComponent.PARAMETER,
-        object="QuerySearch",
-        schema=build_parameter_type(
-            name="search",
-            schema=build_basic_type(OpenApiTypes.STR),
-            location="query",
-            description=_("A search term."),
-        ),
-    ),
-    # Not related to pagination but a very common query param
-    "name": ResolvedComponent(
-        name="QueryName",
-        type=ResolvedComponent.PARAMETER,
-        object="QueryName",
-        schema=build_parameter_type(
-            name="name",
-            schema=build_basic_type(OpenApiTypes.STR),
-            location="query",
-        ),
-    ),
-}
--- a/authentik/api/v3/schema/response.py
+++ b/authentik/api/v3/schema/response.py
@@ -1,84 +0,0 @@
-from django.utils.translation import gettext_lazy as _
-from drf_spectacular.plumbing import (
-    ResolvedComponent,
-    build_array_type,
-    build_basic_type,
-    build_object_type,
-)
-from drf_spectacular.types import OpenApiTypes
-from rest_framework.settings import api_settings
-
-GENERIC_ERROR = ResolvedComponent(
-    name="GenericError",
-    type=ResolvedComponent.SCHEMA,
-    object="GenericError",
-    schema=build_object_type(
-        description=_("Generic API Error"),
-        properties={
-            "detail": build_basic_type(OpenApiTypes.STR),
-            "code": build_basic_type(OpenApiTypes.STR),
-        },
-        required=["detail"],
-    ),
-)
-GENERIC_ERROR_RESPONSE = ResolvedComponent(
-    name="GenericErrorResponse",
-    type=ResolvedComponent.RESPONSE,
-    object="GenericErrorResponse",
-    schema={
-        "content": {"application/json": {"schema": GENERIC_ERROR.ref}},
-        "description": "",
-    },
-)
-VALIDATION_ERROR = ResolvedComponent(
-    "ValidationError",
-    object="ValidationError",
-    type=ResolvedComponent.SCHEMA,
-    schema=build_object_type(
-        description=_("Validation Error"),
-        properties={
-            api_settings.NON_FIELD_ERRORS_KEY: build_array_type(build_basic_type(OpenApiTypes.STR)),
-            "code": build_basic_type(OpenApiTypes.STR),
-        },
-        required=[],
-        additionalProperties={},
-    ),
-)
-VALIDATION_ERROR_RESPONSE = ResolvedComponent(
-    name="ValidationErrorResponse",
-    type=ResolvedComponent.RESPONSE,
-    object="ValidationErrorResponse",
-    schema={
-        "content": {
-            "application/json": {
-                "schema": VALIDATION_ERROR.ref,
-            }
-        },
-        "description": "",
-    },
-)
-PAGINATION = ResolvedComponent(
-    name="Pagination",
-    type=ResolvedComponent.SCHEMA,
-    object="Pagination",
-    schema=build_object_type(
-        properties={
-            "next": build_basic_type(OpenApiTypes.NUMBER),
-            "previous": build_basic_type(OpenApiTypes.NUMBER),
-            "count": build_basic_type(OpenApiTypes.NUMBER),
-            "current": build_basic_type(OpenApiTypes.NUMBER),
-            "total_pages": build_basic_type(OpenApiTypes.NUMBER),
-            "start_index": build_basic_type(OpenApiTypes.NUMBER),
-            "end_index": build_basic_type(OpenApiTypes.NUMBER),
-        },
-        required=[
-            "next",
-            "previous",
-            "count",
-            "current",
-            "total_pages",
-            "start_index",
-            "end_index",
-        ],
-    ),
-)
--- a/authentik/blueprints/api.py
+++ b/authentik/blueprints/api.py
@@ -7,7 +7,7 @@ from rest_framework.exceptions import ValidationError
 from rest_framework.fields import CharField, DateTimeField
 from rest_framework.request import Request
 from rest_framework.response import Response
-from rest_framework.serializers import ListSerializer
+from rest_framework.serializers import ListSerializer, ModelSerializer
 from rest_framework.viewsets import ModelViewSet

 from authentik.blueprints.models import BlueprintInstance
@@ -15,7 +15,7 @@ from authentik.blueprints.v1.importer import Importer
 from authentik.blueprints.v1.oci import OCI_PREFIX
 from authentik.blueprints.v1.tasks import apply_blueprint, blueprints_find_dict
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import JSONDictField, ModelSerializer, PassiveSerializer
+from authentik.core.api.utils import JSONDictField, PassiveSerializer
 from authentik.rbac.decorators import permission_required


@@ -39,7 +39,7 @@ class BlueprintInstanceSerializer(ModelSerializer):
        """Ensure the path (if set) specified is retrievable"""
        if path == "" or path.startswith(OCI_PREFIX):
            return path
-        files: list[dict] = blueprints_find_dict.send().get_result(block=True)
+        files: list[dict] = blueprints_find_dict.delay().get()
        if path not in [file["path"] for file in files]:
            raise ValidationError(_("Blueprint file does not exist"))
        return path
@@ -51,11 +51,9 @@ class BlueprintInstanceSerializer(ModelSerializer):
        context = self.instance.context if self.instance else {}
        valid, logs = Importer.from_string(content, context).validate()
        if not valid:
+            text_logs = "\n".join([x["event"] for x in logs])
            raise ValidationError(
-                [
-                    _("Failed to validate blueprint"),
-                    *[f"- {x.event}" for x in logs],
-                ]
+                _("Failed to validate blueprint: {logs}".format_map({"logs": text_logs}))
            )
        return content

@@ -115,7 +113,7 @@ class BlueprintInstanceViewSet(UsedByMixin, ModelViewSet):
    @action(detail=False, pagination_class=None, filter_backends=[])
    def available(self, request: Request) -> Response:
        """Get blueprints"""
-        files: list[dict] = blueprints_find_dict.send().get_result(block=True)
+        files: list[dict] = blueprints_find_dict.delay().get()
        return Response(files)

    @permission_required("authentik_blueprints.view_blueprintinstance")
@@ -129,5 +127,5 @@ class BlueprintInstanceViewSet(UsedByMixin, ModelViewSet):
    def apply(self, request: Request, *args, **kwargs) -> Response:
        """Apply a blueprint"""
        blueprint = self.get_object()
-        apply_blueprint.send_with_options(args=(blueprint.pk,), rel_obj=blueprint)
+        apply_blueprint.delay(str(blueprint.pk)).get()
        return self.retrieve(request, *args, **kwargs)
--- a/authentik/blueprints/apps.py
+++ b/authentik/blueprints/apps.py
@@ -6,12 +6,9 @@ from inspect import ismethod

 from django.apps import AppConfig
 from django.db import DatabaseError, InternalError, ProgrammingError
-from dramatiq.broker import get_broker
 from structlog.stdlib import BoundLogger, get_logger

-from authentik.lib.utils.time import fqdn_rand
 from authentik.root.signals import startup
-from authentik.tasks.schedules.common import ScheduleSpec


 class ManagedAppConfig(AppConfig):
@@ -37,7 +34,7 @@ class ManagedAppConfig(AppConfig):

    def import_related(self):
        """Automatically import related modules which rely on just being imported
-        to register themselves (mainly django signals and tasks)"""
+        to register themselves (mainly django signals and celery tasks)"""

        def import_relative(rel_module: str):
            try:
@@ -83,16 +80,6 @@ class ManagedAppConfig(AppConfig):
        func._authentik_managed_reconcile = ManagedAppConfig.RECONCILE_GLOBAL_CATEGORY
        return func

-    @property
-    def tenant_schedule_specs(self) -> list[ScheduleSpec]:
-        """Get a list of schedule specs that must exist in each tenant"""
-        return []
-
-    @property
-    def global_schedule_specs(self) -> list[ScheduleSpec]:
-        """Get a list of schedule specs that must exist in the default tenant"""
-        return []
-
    def _reconcile_tenant(self) -> None:
        """reconcile ourselves for tenanted methods"""
        from authentik.tenants.models import Tenant
@@ -113,12 +100,8 @@ class ManagedAppConfig(AppConfig):
        """
        from django_tenants.utils import get_public_schema_name, schema_context

-        try:
-            with schema_context(get_public_schema_name()):
-                self._reconcile(self.RECONCILE_GLOBAL_CATEGORY)
-        except (DatabaseError, ProgrammingError, InternalError) as exc:
-            self.logger.debug("Failed to access database to run reconcile", exc=exc)
-            return
+        with schema_context(get_public_schema_name()):
+            self._reconcile(self.RECONCILE_GLOBAL_CATEGORY)


 class AuthentikBlueprintsConfig(ManagedAppConfig):
@@ -129,29 +112,19 @@ class AuthentikBlueprintsConfig(ManagedAppConfig):
    verbose_name = "authentik Blueprints"
    default = True

+    @ManagedAppConfig.reconcile_global
+    def load_blueprints_v1_tasks(self):
+        """Load v1 tasks"""
+        self.import_module("authentik.blueprints.v1.tasks")
+
+    @ManagedAppConfig.reconcile_tenant
+    def blueprints_discovery(self):
+        """Run blueprint discovery"""
+        from authentik.blueprints.v1.tasks import blueprints_discovery, clear_failed_blueprints
+
+        blueprints_discovery.delay()
+        clear_failed_blueprints.delay()
+
    def import_models(self):
        super().import_models()
        self.import_module("authentik.blueprints.v1.meta.apply_blueprint")
-
-    @ManagedAppConfig.reconcile_global
-    def tasks_middlewares(self):
-        from authentik.blueprints.v1.tasks import BlueprintWatcherMiddleware
-
-        get_broker().add_middleware(BlueprintWatcherMiddleware())
-
-    @property
-    def tenant_schedule_specs(self) -> list[ScheduleSpec]:
-        from authentik.blueprints.v1.tasks import blueprints_discovery, clear_failed_blueprints
-
-        return [
-            ScheduleSpec(
-                actor=blueprints_discovery,
-                crontab=f"{fqdn_rand('blueprints_v1_discover')} * * * *",
-                send_on_startup=True,
-            ),
-            ScheduleSpec(
-                actor=clear_failed_blueprints,
-                crontab=f"{fqdn_rand('blueprints_v1_cleanup')} * * * *",
-                send_on_startup=True,
-            ),
-        ]
--- a/authentik/blueprints/management/commands/blueprint_shell.py
+++ b/authentik/blueprints/management/commands/blueprint_shell.py
@@ -1,68 +0,0 @@
-"""Test and debug Blueprints"""
-
-import atexit
-import readline
-from pathlib import Path
-from pprint import pformat
-from sys import exit as sysexit
-from textwrap import indent
-
-from django.core.management.base import BaseCommand, no_translations
-from structlog.stdlib import get_logger
-from yaml import load
-
-from authentik.blueprints.v1.common import BlueprintLoader, EntryInvalidError
-from authentik.core.management.commands.shell import get_banner_text
-from authentik.lib.utils.errors import exception_to_string
-
-LOGGER = get_logger()
-
-
-class Command(BaseCommand):
-    """Test and debug Blueprints"""
-
-    lines = []
-
-    def __init__(self, *args, **kwargs) -> None:
-        super().__init__(*args, **kwargs)
-        histfolder = Path("~").expanduser() / Path(".local/share/authentik")
-        histfolder.mkdir(parents=True, exist_ok=True)
-        histfile = histfolder / Path("blueprint_shell_history")
-        readline.parse_and_bind("tab: complete")
-        readline.parse_and_bind("set editing-mode vi")
-
-        try:
-            readline.read_history_file(str(histfile))
-        except FileNotFoundError:
-            pass
-
-        atexit.register(readline.write_history_file, str(histfile))
-
-    @no_translations
-    def handle(self, *args, **options):
-        """Interactively debug blueprint files"""
-        self.stdout.write(get_banner_text("Blueprint shell"))
-        self.stdout.write("Type '.eval' to evaluate previously entered statement(s).")
-
-        def do_eval():
-            yaml_input = "\n".join([line for line in self.lines if line])
-            data = load(yaml_input, BlueprintLoader)
-            self.stdout.write(pformat(data))
-            self.lines = []
-
-        while True:
-            try:
-                line = input("> ")
-                if line == ".eval":
-                    do_eval()
-                else:
-                    self.lines.append(line)
-            except EntryInvalidError as exc:
-                self.stdout.write("Failed to evaluate expression:")
-                self.stdout.write(indent(exception_to_string(exc), prefix="  "))
-            except EOFError:
-                break
-            except KeyboardInterrupt:
-                self.stdout.write()
-                sysexit(0)
-        self.stdout.write()
--- a/authentik/blueprints/management/commands/make_blueprint_schema.py
+++ b/authentik/blueprints/management/commands/make_blueprint_schema.py
@@ -11,7 +11,7 @@ from rest_framework.relations import PrimaryKeyRelatedField
 from rest_framework.serializers import Serializer
 from structlog.stdlib import get_logger

-from authentik import authentik_version
+from authentik import __version__
 from authentik.blueprints.v1.common import BlueprintEntryDesiredState
 from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT, is_model_allowed
 from authentik.blueprints.v1.meta.registry import BaseMetaModel, registry
@@ -48,7 +48,7 @@ class Command(BaseCommand):
            "$schema": "http://json-schema.org/draft-07/schema",
            "$id": "https://goauthentik.io/blueprints/schema.json",
            "type": "object",
-            "title": f"authentik {authentik_version()} Blueprint schema",
+            "title": f"authentik {__version__} Blueprint schema",
            "required": ["version", "entries"],
            "properties": {
                "version": {
@@ -72,33 +72,20 @@ class Command(BaseCommand):
                    "additionalProperties": True,
                },
                "entries": {
-                    "anyOf": [
-                        {
-                            "type": "array",
-                            "items": {"$ref": "#/$defs/blueprint_entry"},
-                        },
-                        {
-                            "type": "object",
-                            "additionalProperties": {
-                                "type": "array",
-                                "items": {"$ref": "#/$defs/blueprint_entry"},
-                            },
-                        },
-                    ],
+                    "type": "array",
+                    "items": {
+                        "oneOf": [],
+                    },
                },
            },
-            "$defs": {"blueprint_entry": {"oneOf": []}},
+            "$defs": {},
        }

-    def add_arguments(self, parser):
-        parser.add_argument("--file", type=str)
-
    @no_translations
-    def handle(self, *args, file: str, **options):
+    def handle(self, *args, **options):
        """Generate JSON Schema for blueprints"""
        self.build()
-        with open(file, "w") as _schema:
-            _schema.write(dumps(self.schema, indent=4, default=Command.json_default))
+        self.stdout.write(dumps(self.schema, indent=4, default=Command.json_default))

    @staticmethod
    def json_default(value: Any) -> Any:
@@ -125,7 +112,7 @@ class Command(BaseCommand):
                }
            )
            model_path = f"{model._meta.app_label}.{model._meta.model_name}"
-            self.schema["$defs"]["blueprint_entry"]["oneOf"].append(
+            self.schema["properties"]["entries"]["items"]["oneOf"].append(
                self.template_entry(model_path, model, serializer)
            )

@@ -139,7 +126,7 @@ class Command(BaseCommand):
        def_name_perm = f"model_{model_path}_permissions"
        def_path_perm = f"#/$defs/{def_name_perm}"
        self.schema["$defs"][def_name_perm] = self.model_permissions(model)
-        template = {
+        return {
            "type": "object",
            "required": ["model", "identifiers"],
            "properties": {
@@ -147,7 +134,7 @@ class Command(BaseCommand):
                "id": {"type": "string"},
                "state": {
                    "type": "string",
-                    "enum": sorted([s.value for s in BlueprintEntryDesiredState]),
+                    "enum": [s.value for s in BlueprintEntryDesiredState],
                    "default": "present",
                },
                "conditions": {"type": "array", "items": {"type": "boolean"}},
@@ -156,11 +143,6 @@ class Command(BaseCommand):
                "identifiers": {"$ref": def_path},
            },
        }
-        # Meta models don't require identifiers, as there's no matching database model to find
-        if issubclass(model, BaseMetaModel):
-            del template["properties"]["identifiers"]
-            template["required"].remove("identifiers")
-        return template

    def field_to_jsonschema(self, field: Field) -> dict:
        """Convert a single field to json schema"""
@@ -218,7 +200,7 @@ class Command(BaseCommand):
                "type": "object",
                "required": ["permission"],
                "properties": {
-                    "permission": {"type": "string", "enum": sorted(perms)},
+                    "permission": {"type": "string", "enum": perms},
                    "user": {"type": "integer"},
                    "role": {"type": "string"},
                },
--- a/authentik/blueprints/migrations/0001_initial.py
+++ b/authentik/blueprints/migrations/0001_initial.py
@@ -29,7 +29,9 @@ def check_blueprint_v1_file(BlueprintInstance: type, db_alias, path: Path):
        if version != 1:
            return
        blueprint_file.seek(0)
-    instance = BlueprintInstance.objects.using(db_alias).filter(path=path).first()
+    instance: BlueprintInstance = (
+        BlueprintInstance.objects.using(db_alias).filter(path=path).first()
+    )
    rel_path = path.relative_to(Path(CONFIG.get("blueprints_dir")))
    meta = None
    if metadata:
--- a/authentik/blueprints/models.py
+++ b/authentik/blueprints/models.py
@@ -3,7 +3,6 @@
 from pathlib import Path
 from uuid import uuid4

-from django.contrib.contenttypes.fields import GenericRelation
 from django.contrib.postgres.fields import ArrayField
 from django.db import models
 from django.utils.translation import gettext_lazy as _
@@ -72,13 +71,6 @@ class BlueprintInstance(SerializerModel, ManagedModel, CreatedUpdatedModel):
    enabled = models.BooleanField(default=True)
    managed_models = ArrayField(models.TextField(), default=list)

-    # Manual link to tasks instead of using TasksModel because of loop imports
-    tasks = GenericRelation(
-        "authentik_tasks.Task",
-        content_type_field="rel_obj_content_type",
-        object_id_field="rel_obj_id",
-    )
-
    class Meta:
        verbose_name = _("Blueprint Instance")
        verbose_name_plural = _("Blueprint Instances")
--- a/authentik/blueprints/settings.py
+++ b/authentik/blueprints/settings.py
@@ -0,0 +1,18 @@
+"""blueprint Settings"""
+
+from celery.schedules import crontab
+
+from authentik.lib.utils.time import fqdn_rand
+
+CELERY_BEAT_SCHEDULE = {
+    "blueprints_v1_discover": {
+        "task": "authentik.blueprints.v1.tasks.blueprints_discovery",
+        "schedule": crontab(minute=fqdn_rand("blueprints_v1_discover"), hour="*"),
+        "options": {"queue": "authentik_scheduled"},
+    },
+    "blueprints_v1_cleanup": {
+        "task": "authentik.blueprints.v1.tasks.clear_failed_blueprints",
+        "schedule": crontab(minute=fqdn_rand("blueprints_v1_cleanup"), hour="*"),
+        "options": {"queue": "authentik_scheduled"},
+    },
+}
--- a/authentik/blueprints/tasks.py
+++ b/authentik/blueprints/tasks.py
@@ -1,2 +0,0 @@
-# Import all v1 tasks for auto task discovery
-from authentik.blueprints.v1.tasks import *  # noqa: F403
--- a/authentik/blueprints/tests/fixtures/state_present.yaml
+++ b/authentik/blueprints/tests/fixtures/state_present.yaml
@@ -1,11 +1,10 @@
 version: 1
 entries:
-  foo:
-      - identifiers:
-            name: "%(id)s"
-            slug: "%(id)s"
-        model: authentik_flows.flow
-        state: present
-        attrs:
-            designation: stage_configuration
-            title: foo
+    - identifiers:
+          name: "%(id)s"
+          slug: "%(id)s"
+      model: authentik_flows.flow
+      state: present
+      attrs:
+          designation: stage_configuration
+          title: foo
--- a/authentik/blueprints/tests/fixtures/tags.yaml
+++ b/authentik/blueprints/tests/fixtures/tags.yaml
@@ -12,8 +12,8 @@ context:
    context1: context-nested-value
    context2: !Context context1
 entries:
-    - model: !Format ["%%s", authentik_sources_oauth.oauthsource]
-      state: !Format ["%%s", present]
+    - model: !Format ["%s", authentik_sources_oauth.oauthsource]
+      state: !Format ["%s", present]
      identifiers:
          slug: test
      attrs:
@@ -27,23 +27,19 @@ entries:
                  [slug, default-source-authentication],
              ]
          enrollment_flow:
-              !Find [!Format  ["%%s", authentik_flows.Flow], [slug, default-source-enrollment]]
+              !Find [!Format  ["%s", authentik_flows.Flow], [slug, default-source-enrollment]]
    - attrs:
          expression: return True
      identifiers:
-          name: !Format [foo-%%s-%%s-%%s, !Context foo, !Context bar, qux]
+          name: !Format [foo-%s-%s-%s, !Context foo, !Context bar, qux]
      id: policy
      model: authentik_policies_expression.expressionpolicy
    - attrs:
          attributes:
              env_null: !Env [bar-baz, null]
-              file_content: !File '%(file_name)s'
-              file_default: !File ['%(file_default_name)s', 'default']
-              file_non_existent: !File '/does-not-exist'
-              json_parse: !ParseJSON '{"foo": "bar"}'
              policy_pk1:
                  !Format [
-                      "%%s-%%s",
+                      "%s-%s",
                      !Find [
                          authentik_policies_expression.expressionpolicy,
                          [
@@ -54,29 +50,29 @@ entries:
                      ],
                      suffix,
                  ]
-              policy_pk2: !Format ["%%s-%%s", !KeyOf policy, suffix]
+              policy_pk2: !Format ["%s-%s", !KeyOf policy, suffix]
              boolAnd:
-                  !Condition [AND, !Context foo, !Format ["%%s", "a_string"], 1]
+                  !Condition [AND, !Context foo, !Format ["%s", "a_string"], 1]
              boolNand:
-                  !Condition [NAND, !Context foo, !Format ["%%s", "a_string"], 1]
+                  !Condition [NAND, !Context foo, !Format ["%s", "a_string"], 1]
              boolOr:
                  !Condition [
                      OR,
                      !Context foo,
-                      !Format ["%%s", "a_string"],
+                      !Format ["%s", "a_string"],
                      null,
                  ]
              boolNor:
                  !Condition [
                      NOR,
                      !Context foo,
-                      !Format ["%%s", "a_string"],
+                      !Format ["%s", "a_string"],
                      null,
                  ]
              boolXor:
-                  !Condition [XOR, !Context foo, !Format ["%%s", "a_string"], 1]
+                  !Condition [XOR, !Context foo, !Format ["%s", "a_string"], 1]
              boolXnor:
-                  !Condition [XNOR, !Context foo, !Format ["%%s", "a_string"], 1]
+                  !Condition [XNOR, !Context foo, !Format ["%s", "a_string"], 1]
              boolComplex:
                  !Condition [
                      XNOR,
@@ -92,7 +88,7 @@ entries:
                              {
                                  with: { keys: "and_values" },
                                  and_nested_custom_tags:
-                                      !Format ["foo-%%s", !Context foo],
+                                      !Format ["foo-%s", !Context foo],
                              },
                      },
                      null,
@@ -101,7 +97,7 @@ entries:
                  !If [
                      !Condition [AND, false],
                      null,
-                      [list, with, items, !Format ["foo-%%s", !Context foo]],
+                      [list, with, items, !Format ["foo-%s", !Context foo]],
                  ]
              if_true_simple: !If [!Context foo, true, text]
              if_short: !If [!Context foo]
@@ -109,22 +105,22 @@ entries:
              enumerate_mapping_to_mapping: !Enumerate [
                  !Context mapping,
                  MAP,
-                  [!Format ["prefix-%%s", !Index 0], !Format ["other-prefix-%%s", !Value 0]]
+                  [!Format ["prefix-%s", !Index 0], !Format ["other-prefix-%s", !Value 0]]
              ]
              enumerate_mapping_to_sequence: !Enumerate [
                  !Context mapping,
                  SEQ,
-                  !Format ["prefixed-pair-%%s-%%s", !Index 0, !Value 0]
+                  !Format ["prefixed-pair-%s-%s", !Index 0, !Value 0]
              ]
              enumerate_sequence_to_sequence: !Enumerate [
                  !Context sequence,
                  SEQ,
-                  !Format ["prefixed-items-%%s-%%s", !Index 0, !Value 0]
+                  !Format ["prefixed-items-%s-%s", !Index 0, !Value 0]
              ]
              enumerate_sequence_to_mapping: !Enumerate [
                  !Context sequence,
                  MAP,
-                  [!Format ["index: %%d", !Index 0], !Value 0]
+                  [!Format ["index: %d", !Index 0], !Value 0]
              ]
              nested_complex_enumeration: !Enumerate [
                  !Context sequence,
@@ -135,9 +131,9 @@ entries:
                          !Context mapping,
                          MAP,
                          [
-                              !Format ["%%s", !Index 0],
+                              !Format ["%s", !Index 0],
                              [
-                                  !Enumerate [!Value 2, SEQ, !Format ["prefixed-%%s", !Value 0]],
+                                  !Enumerate [!Value 2, SEQ, !Format ["prefixed-%s", !Value 0]],
                                  {
                                    outer_value: !Value 1,
                                    outer_index: !Index 1,
@@ -150,11 +146,6 @@ entries:
                  ]
              ]
              nested_context: !Context context2
-              at_index_sequence: !AtIndex [!Context sequence, 0]
-              at_index_sequence_default: !AtIndex [!Context sequence, 100, "non existent"]
-              at_index_mapping: !AtIndex [!Context mapping, "key2"]
-              at_index_mapping_default: !AtIndex [!Context mapping, "invalid", "non existent"]
-              find_object: !AtIndex [!FindObject [authentik_providers_oauth2.scopemapping, [scope_name, openid]], managed]
      identifiers:
          name: test
      conditions:
--- a/authentik/blueprints/tests/test_managed_app_config.py
+++ b/authentik/blueprints/tests/test_managed_app_config.py
@@ -1,14 +0,0 @@
-from django.test import TestCase
-
-from authentik.blueprints.apps import ManagedAppConfig
-from authentik.enterprise.apps import EnterpriseConfig
-from authentik.lib.utils.reflection import get_apps
-
-
-class TestManagedAppConfig(TestCase):
-    def test_apps_use_managed_app_config(self):
-        for app in get_apps():
-            if app.name.startswith("authentik.enterprise"):
-                self.assertIn(EnterpriseConfig, app.__class__.__bases__)
-            else:
-                self.assertIn(ManagedAppConfig, app.__class__.__bases__)
--- a/authentik/blueprints/tests/test_packaged.py
+++ b/authentik/blueprints/tests/test_packaged.py
@@ -27,14 +27,13 @@ def blueprint_tester(file_name: Path) -> Callable:
        base = Path("blueprints/")
        rel_path = Path(file_name).relative_to(base)
        importer = Importer.from_string(BlueprintInstance(path=str(rel_path)).retrieve())
-        validation, logs = importer.validate()
-        self.assertTrue(validation, logs)
+        self.assertTrue(importer.validate()[0])
        self.assertTrue(importer.apply())

    return tester


 for blueprint_file in Path("blueprints/").glob("**/*.yaml"):
-    if "local" in str(blueprint_file) or "testing" in str(blueprint_file):
+    if "local" in str(blueprint_file):
        continue
    setattr(TestPackaged, f"test_blueprint_{blueprint_file}", blueprint_tester(blueprint_file))
--- a/authentik/blueprints/tests/test_serializer_models.py
+++ b/authentik/blueprints/tests/test_serializer_models.py
@@ -5,6 +5,7 @@ from collections.abc import Callable
 from django.apps import apps
 from django.test import TestCase

+from authentik.blueprints.v1.importer import is_model_allowed
 from authentik.lib.models import SerializerModel
 from authentik.providers.oauth2.models import RefreshToken

@@ -21,13 +22,10 @@ def serializer_tester_factory(test_model: type[SerializerModel]) -> Callable:
            return
        model_class = test_model()
        self.assertTrue(isinstance(model_class, SerializerModel))
-        # Models that have subclasses don't have to have a serializer
-        if len(test_model.__subclasses__()) > 0:
-            return
        self.assertIsNotNone(model_class.serializer)
        if model_class.serializer.Meta().model == RefreshToken:
            return
-        self.assertTrue(issubclass(test_model, model_class.serializer.Meta().model))
+        self.assertEqual(model_class.serializer.Meta().model, test_model)

    return tester

@@ -36,6 +34,6 @@ for app in apps.get_app_configs():
    if not app.label.startswith("authentik"):
        continue
    for model in app.get_models():
-        if not issubclass(model, SerializerModel):
+        if not is_model_allowed(model):
            continue
        setattr(TestModels, f"test_{app.label}_{model.__name__}", serializer_tester_factory(model))
--- a/authentik/blueprints/tests/test_v1.py
+++ b/authentik/blueprints/tests/test_v1.py
@@ -1,11 +1,9 @@
 """Test blueprints v1"""

-from os import chmod, environ, unlink, write
-from tempfile import mkstemp
+from os import environ

 from django.test import TransactionTestCase

-from authentik.blueprints.tests import apply_blueprint
 from authentik.blueprints.v1.exporter import FlowExporter
 from authentik.blueprints.v1.importer import Importer, transaction_rollback
 from authentik.core.models import Group
@@ -128,119 +126,97 @@ class TestBlueprintsV1(TransactionTestCase):

        self.assertEqual(Prompt.objects.filter(field_key="username").count(), count_before)

-    @apply_blueprint("system/providers-oauth2.yaml")
    def test_import_yaml_tags(self):
        """Test some yaml tags"""
        ExpressionPolicy.objects.filter(name="foo-bar-baz-qux").delete()
        Group.objects.filter(name="test").delete()
        environ["foo"] = generate_id()
-        file, file_name = mkstemp()
-        write(file, b"foo")
-        _, file_default_name = mkstemp()
-        chmod(file_default_name, 0o000)  # Remove all permissions so we can't read the file
-        importer = Importer.from_string(
-            load_fixture(
-                "fixtures/tags.yaml",
-                file_name=file_name,
-                file_default_name=file_default_name,
-            ),
-            {"bar": "baz"},
-        )
+        importer = Importer.from_string(load_fixture("fixtures/tags.yaml"), {"bar": "baz"})
        self.assertTrue(importer.validate()[0])
        self.assertTrue(importer.apply())
        policy = ExpressionPolicy.objects.filter(name="foo-bar-baz-qux").first()
        self.assertTrue(policy)
-        group = Group.objects.filter(name="test").first()
-        self.assertIsNotNone(group)
-        self.assertEqual(
-            group.attributes,
-            {
-                "policy_pk1": str(policy.pk) + "-suffix",
-                "policy_pk2": str(policy.pk) + "-suffix",
-                "boolAnd": True,
-                "boolNand": False,
-                "boolOr": True,
-                "boolNor": False,
-                "boolXor": True,
-                "boolXnor": False,
-                "boolComplex": True,
-                "if_true_complex": {
-                    "dictionary": {
-                        "with": {"keys": "and_values"},
-                        "and_nested_custom_tags": "foo-bar",
-                    }
-                },
-                "if_false_complex": ["list", "with", "items", "foo-bar"],
-                "if_true_simple": True,
-                "if_short": True,
-                "if_false_simple": 2,
-                "enumerate_mapping_to_mapping": {
-                    "prefix-key1": "other-prefix-value",
-                    "prefix-key2": "other-prefix-2",
-                },
-                "enumerate_mapping_to_sequence": [
-                    "prefixed-pair-key1-value",
-                    "prefixed-pair-key2-2",
-                ],
-                "enumerate_sequence_to_sequence": [
-                    "prefixed-items-0-foo",
-                    "prefixed-items-1-bar",
-                ],
-                "enumerate_sequence_to_mapping": {"index: 0": "foo", "index: 1": "bar"},
-                "nested_complex_enumeration": {
-                    "0": {
-                        "key1": [
-                            ["prefixed-f", "prefixed-o", "prefixed-o"],
-                            {
-                                "outer_value": "foo",
-                                "outer_index": 0,
-                                "middle_value": "value",
-                                "middle_index": "key1",
-                            },
-                        ],
-                        "key2": [
-                            ["prefixed-f", "prefixed-o", "prefixed-o"],
-                            {
-                                "outer_value": "foo",
-                                "outer_index": 0,
-                                "middle_value": 2,
-                                "middle_index": "key2",
-                            },
-                        ],
+        self.assertTrue(
+            Group.objects.filter(
+                attributes={
+                    "policy_pk1": str(policy.pk) + "-suffix",
+                    "policy_pk2": str(policy.pk) + "-suffix",
+                    "boolAnd": True,
+                    "boolNand": False,
+                    "boolOr": True,
+                    "boolNor": False,
+                    "boolXor": True,
+                    "boolXnor": False,
+                    "boolComplex": True,
+                    "if_true_complex": {
+                        "dictionary": {
+                            "with": {"keys": "and_values"},
+                            "and_nested_custom_tags": "foo-bar",
+                        }
                    },
-                    "1": {
-                        "key1": [
-                            ["prefixed-b", "prefixed-a", "prefixed-r"],
-                            {
-                                "outer_value": "bar",
-                                "outer_index": 1,
-                                "middle_value": "value",
-                                "middle_index": "key1",
-                            },
-                        ],
-                        "key2": [
-                            ["prefixed-b", "prefixed-a", "prefixed-r"],
-                            {
-                                "outer_value": "bar",
-                                "outer_index": 1,
-                                "middle_value": 2,
-                                "middle_index": "key2",
-                            },
-                        ],
+                    "if_false_complex": ["list", "with", "items", "foo-bar"],
+                    "if_true_simple": True,
+                    "if_short": True,
+                    "if_false_simple": 2,
+                    "enumerate_mapping_to_mapping": {
+                        "prefix-key1": "other-prefix-value",
+                        "prefix-key2": "other-prefix-2",
                    },
-                },
-                "nested_context": "context-nested-value",
-                "env_null": None,
-                "file_content": "foo",
-                "file_default": "default",
-                "file_non_existent": None,
-                "json_parse": {"foo": "bar"},
-                "at_index_sequence": "foo",
-                "at_index_sequence_default": "non existent",
-                "at_index_mapping": 2,
-                "at_index_mapping_default": "non existent",
-                "find_object": "goauthentik.io/providers/oauth2/scope-openid",
-            },
+                    "enumerate_mapping_to_sequence": [
+                        "prefixed-pair-key1-value",
+                        "prefixed-pair-key2-2",
+                    ],
+                    "enumerate_sequence_to_sequence": [
+                        "prefixed-items-0-foo",
+                        "prefixed-items-1-bar",
+                    ],
+                    "enumerate_sequence_to_mapping": {"index: 0": "foo", "index: 1": "bar"},
+                    "nested_complex_enumeration": {
+                        "0": {
+                            "key1": [
+                                ["prefixed-f", "prefixed-o", "prefixed-o"],
+                                {
+                                    "outer_value": "foo",
+                                    "outer_index": 0,
+                                    "middle_value": "value",
+                                    "middle_index": "key1",
+                                },
+                            ],
+                            "key2": [
+                                ["prefixed-f", "prefixed-o", "prefixed-o"],
+                                {
+                                    "outer_value": "foo",
+                                    "outer_index": 0,
+                                    "middle_value": 2,
+                                    "middle_index": "key2",
+                                },
+                            ],
+                        },
+                        "1": {
+                            "key1": [
+                                ["prefixed-b", "prefixed-a", "prefixed-r"],
+                                {
+                                    "outer_value": "bar",
+                                    "outer_index": 1,
+                                    "middle_value": "value",
+                                    "middle_index": "key1",
+                                },
+                            ],
+                            "key2": [
+                                ["prefixed-b", "prefixed-a", "prefixed-r"],
+                                {
+                                    "outer_value": "bar",
+                                    "outer_index": 1,
+                                    "middle_value": 2,
+                                    "middle_index": "key2",
+                                },
+                            ],
+                        },
+                    },
+                    "nested_context": "context-nested-value",
+                    "env_null": None,
+                }
+            ).exists()
        )
        self.assertTrue(
            OAuthSource.objects.filter(
@@ -248,8 +224,6 @@ class TestBlueprintsV1(TransactionTestCase):
                consumer_key=environ["foo"],
            )
        )
-        unlink(file_name)
-        unlink(file_default_name)

    def test_export_validate_import_policies(self):
        """Test export and validate it"""
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Jens Langhammer	a407d903ab	idk Signed-off-by: Jens Langhammer <jens@goauthentik.io>	2024-09-03 19:51:11 +02:00
Jens Langhammer	7e6f36b0b4	initial flow support Signed-off-by: Jens Langhammer <jens@goauthentik.io>	2024-09-03 19:39:54 +02:00
Jens Langhammer	8dd7b0569c	ws support Signed-off-by: Jens Langhammer <jens@goauthentik.io>	2024-09-03 19:39:26 +02:00
Jens Langhammer	616be78e10	fallback for error reporting Signed-off-by: Jens Langhammer <jens@goauthentik.io>	2024-09-03 19:39:15 +02:00
Jens Langhammer	7125db1fbd	cleanup Signed-off-by: Jens Langhammer <jens@goauthentik.io>	2024-09-03 19:39:04 +02:00
Jens Langhammer	8c7c7c3fee	separate cors middleware Signed-off-by: Jens Langhammer <jens@goauthentik.io>	2024-09-03 19:11:09 +02:00
Jens Langhammer	bbbd00db22	make flows kinda work with bearer token Signed-off-by: Jens Langhammer <jens@goauthentik.io>	2024-09-03 19:11:09 +02:00
Jens Langhammer	6d60c5f7c7	terrible cors for testing Signed-off-by: Jens Langhammer <jens@goauthentik.io>	2024-09-03 19:11:09 +02:00
Jens Langhammer	accf25a626	web/sdk: embed authentik settings into anything the web part Signed-off-by: Jens Langhammer <jens@goauthentik.io>	2024-09-03 19:11:09 +02:00