providers/oauth2: avoid deadlock during session migration (cherry-pick #16361 ) (#16380 )

Co-authored-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
providers/rac: fix AuthenticatedSession migration (cherry-pick #16400 ) (#16417 )
2026-05-06 07:02:51 +02:00 · 2025-08-29 14:11:17 +02:00 · 2025-08-28 21:49:22 +02:00 · 2025-07-22 14:28:03 +02:00 · 2025-07-22 14:25:29 +02:00 · 2025-07-14 00:38:52 +02:00
143 changed files with 12922 additions and 6339 deletions
--- a/.bumpversion.cfg
+++ b/.bumpversion.cfg
@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2025.2.4
+current_version = 2025.4.4
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?:-(?P<rc_t>[a-zA-Z-]+)(?P<rc_n>[1-9]\\d*))?
--- a/.github/actions/setup/action.yml
+++ b/.github/actions/setup/action.yml
@@ -36,7 +36,7 @@ runs:
      with:
        go-version-file: "go.mod"
    - name: Setup docker cache
-      uses: ScribeMD/docker-cache@0.5.0
+      uses: AndreKurait/docker-cache@0fe76702a40db986d9663c24954fc14c6a6031b7
      with:
        key: docker-images-${{ runner.os }}-${{ hashFiles('.github/actions/setup/docker-compose.yml', 'Makefile') }}-${{ inputs.postgresql_version }}
    - name: Setup dependencies
--- a/.github/workflows/ci-main.yml
+++ b/.github/workflows/ci-main.yml
@@ -70,22 +70,18 @@ jobs:
      - name: checkout stable
        run: |
          # Copy current, latest config to local
-          # Temporarly comment the .github backup while migrating to uv
          cp authentik/lib/default.yml local.env.yml
-          # cp -R .github ..
+          cp -R .github ..
          cp -R scripts ..
          git checkout $(git tag --sort=version:refname | grep '^version/' | grep -vE -- '-rc[0-9]+$' | tail -n1)
-          # rm -rf .github/ scripts/
-          # mv ../.github ../scripts .
-          rm -rf scripts/
-          mv ../scripts .
+          rm -rf .github/ scripts/
+          mv ../.github ../scripts .
      - name: Setup authentik env (stable)
        uses: ./.github/actions/setup
        with:
          postgresql_version: ${{ matrix.psql }}
-        continue-on-error: true
      - name: run migrations to stable
-        run: poetry run python -m lifecycle.migrate
+        run: uv run python -m lifecycle.migrate
      - name: checkout current code
        run: |
          set -x
--- a/.github/workflows/packages-npm-publish.yml
+++ b/.github/workflows/packages-npm-publish.yml
@@ -3,10 +3,10 @@ on:
  push:
    branches: [main]
    paths:
-      - packages/docusaurus-config
-      - packages/eslint-config
-      - packages/prettier-config
-      - packages/tsconfig
+      - packages/docusaurus-config/**
+      - packages/eslint-config/**
+      - packages/prettier-config/**
+      - packages/tsconfig/**
  workflow_dispatch:
 jobs:
  publish:
--- a/3
+++ b/3
@@ -40,7 +40,8 @@ COPY ./web /work/web/
 COPY ./website /work/website/
 COPY ./gen-ts-api /work/web/node_modules/@goauthentik/api

-RUN npm run build
+RUN npm run build && \
+    npm run build:sfe

 # Stage 3: Build go proxy
 FROM --platform=${BUILDPLATFORM} docker.io/library/golang:1.24-bookworm AS go-builder
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -20,8 +20,8 @@ Even if the issue is not a CVE, we still greatly appreciate your help in hardeni

 | Version   | Supported |
 | --------- | --------- |
-| 2024.12.x | ✅        |
 | 2025.2.x  | ✅        |
+| 2025.4.x  | ✅        |

 ## Reporting a Vulnerability

--- a/authentik/init.py
+++ b/authentik/init.py
@@ -2,7 +2,7 @@

 from os import environ

-__version__ = "2025.2.4"
+__version__ = "2025.4.4"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"


--- a/authentik/brands/migrations/0008_brand_branding_custom_css.py
+++ b/authentik/brands/migrations/0008_brand_branding_custom_css.py
@@ -16,7 +16,7 @@ def migrate_custom_css(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
    if not path.exists():
        return
    css = path.read_text()
-    Brand.objects.using(db_alias).update(branding_custom_css=css)
+    Brand.objects.using(db_alias).all().update(branding_custom_css=css)


 class Migration(migrations.Migration):
--- a/authentik/core/api/groups.py
+++ b/authentik/core/api/groups.py
@@ -99,18 +99,17 @@ class GroupSerializer(ModelSerializer):
            if superuser
            else "authentik_core.disable_group_superuser"
        )
-        has_perm = user.has_perm(perm)
-        if self.instance and not has_perm:
-            has_perm = user.has_perm(perm, self.instance)
-        if not has_perm:
-            raise ValidationError(
-                _(
-                    (
-                        "User does not have permission to set "
-                        "superuser status to {superuser_status}."
-                    ).format_map({"superuser_status": superuser})
+        if self.instance or superuser:
+            has_perm = user.has_perm(perm) or user.has_perm(perm, self.instance)
+            if not has_perm:
+                raise ValidationError(
+                    _(
+                        (
+                            "User does not have permission to set "
+                            "superuser status to {superuser_status}."
+                        ).format_map({"superuser_status": superuser})
+                    )
                )
-            )
        return superuser

    class Meta:
--- a/authentik/core/management/commands/repair_permissions.py
+++ b/authentik/core/management/commands/repair_permissions.py
@@ -2,6 +2,7 @@

 from django.apps import apps
 from django.contrib.auth.management import create_permissions
+from django.core.management import call_command
 from django.core.management.base import BaseCommand, no_translations
 from guardian.management import create_anonymous_user

@@ -16,6 +17,10 @@ class Command(BaseCommand):
        """Check permissions for all apps"""
        for tenant in Tenant.objects.filter(ready=True):
            with tenant:
+                # See https://code.djangoproject.com/ticket/28417
+                # Remove potential lingering old permissions
+                call_command("remove_stale_contenttypes", "--no-input")
+
                for app in apps.get_app_configs():
                    self.stdout.write(f"Checking app {app.name} ({app.label})\n")
                    create_permissions(app, verbosity=0)
--- a/authentik/core/middleware.py
+++ b/authentik/core/middleware.py
@@ -5,6 +5,7 @@ from contextvars import ContextVar
 from functools import partial
 from uuid import uuid4

+from django.contrib.auth import logout
 from django.contrib.auth.models import AnonymousUser
 from django.core.exceptions import ImproperlyConfigured
 from django.http import HttpRequest, HttpResponse
@@ -58,6 +59,11 @@ class AuthenticationMiddleware(MiddlewareMixin):
        request.user = SimpleLazyObject(lambda: get_user(request))
        request.auser = partial(aget_user, request)

+        user = request.user
+        if user and user.is_authenticated and not user.is_active:
+            logout(request)
+            raise AssertionError()
+

 class ImpersonateMiddleware:
    """Middleware to impersonate users"""
--- a/authentik/core/migrations/0046_session_and_more.py
+++ b/authentik/core/migrations/0046_session_and_more.py
@@ -31,7 +31,10 @@ class PickleSerializer:

    def loads(self, data):
        """Unpickle data to be loaded from redis"""
-        return pickle.loads(data)  # nosec
+        try:
+            return pickle.loads(data)  # nosec
+        except Exception:
+            return {}


 def _migrate_session(
@@ -76,6 +79,7 @@ def _migrate_session(
        AuthenticatedSession.objects.using(db_alias).create(
            session=session,
            user=old_auth_session.user,
+            uuid=old_auth_session.uuid,
        )


--- a/authentik/core/migrations/0048_delete_oldauthenticatedsession_content_type.py
+++ b/authentik/core/migrations/0048_delete_oldauthenticatedsession_content_type.py
@@ -0,0 +1,103 @@
+# Generated by Django 5.1.9 on 2025-05-14 11:15
+
+from django.apps.registry import Apps, apps as global_apps
+from django.db import migrations
+from django.contrib.contenttypes.management import create_contenttypes
+from django.contrib.auth.management import create_permissions
+from django.db.backends.base.schema import BaseDatabaseSchemaEditor
+
+
+def migrate_authenticated_session_permissions(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
+    """Migrate permissions from OldAuthenticatedSession to AuthenticatedSession"""
+    db_alias = schema_editor.connection.alias
+
+    # `apps` here is just an instance of `django.db.migrations.state.AppConfigStub`, we need the
+    # real config for creating permissions and content types
+    authentik_core_config = global_apps.get_app_config("authentik_core")
+    # These are only ran by django after all migrations, but we need them right now.
+    # `global_apps` is needed,
+    create_permissions(authentik_core_config, using=db_alias, verbosity=1)
+    create_contenttypes(authentik_core_config, using=db_alias, verbosity=1)
+
+    # But from now on, this is just a regular migration, so use `apps`
+    Permission = apps.get_model("auth", "Permission")
+    ContentType = apps.get_model("contenttypes", "ContentType")
+
+    try:
+        old_ct = ContentType.objects.using(db_alias).get(
+            app_label="authentik_core", model="oldauthenticatedsession"
+        )
+        new_ct = ContentType.objects.using(db_alias).get(
+            app_label="authentik_core", model="authenticatedsession"
+        )
+    except ContentType.DoesNotExist:
+        # This should exist at this point, but if not, let's cut our losses
+        return
+
+    # Get all permissions for the old content type
+    old_perms = Permission.objects.using(db_alias).filter(content_type=old_ct)
+
+    # Create equivalent permissions for the new content type
+    for old_perm in old_perms:
+        new_perm = (
+            Permission.objects.using(db_alias)
+            .filter(
+                content_type=new_ct,
+                codename=old_perm.codename,
+            )
+            .first()
+        )
+        if not new_perm:
+            # This should exist at this point, but if not, let's cut our losses
+            continue
+
+        # Global user permissions
+        User = apps.get_model("authentik_core", "User")
+        User.user_permissions.through.objects.using(db_alias).filter(
+            permission=old_perm
+        ).all().update(permission=new_perm)
+
+        # Global role permissions
+        DjangoGroup = apps.get_model("auth", "Group")
+        DjangoGroup.permissions.through.objects.using(db_alias).filter(
+            permission=old_perm
+        ).all().update(permission=new_perm)
+
+        # Object user permissions
+        UserObjectPermission = apps.get_model("guardian", "UserObjectPermission")
+        UserObjectPermission.objects.using(db_alias).filter(permission=old_perm).all().update(
+            permission=new_perm, content_type=new_ct
+        )
+
+        # Object role permissions
+        GroupObjectPermission = apps.get_model("guardian", "GroupObjectPermission")
+        GroupObjectPermission.objects.using(db_alias).filter(permission=old_perm).all().update(
+            permission=new_perm, content_type=new_ct
+        )
+
+
+def remove_old_authenticated_session_content_type(
+    apps: Apps, schema_editor: BaseDatabaseSchemaEditor
+):
+    db_alias = schema_editor.connection.alias
+    ContentType = apps.get_model("contenttypes", "ContentType")
+
+    ContentType.objects.using(db_alias).filter(model="oldauthenticatedsession").delete()
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_core", "0047_delete_oldauthenticatedsession"),
+    ]
+
+    operations = [
+        migrations.RunPython(
+            code=migrate_authenticated_session_permissions,
+            reverse_code=migrations.RunPython.noop,
+        ),
+        migrations.RunPython(
+            code=remove_old_authenticated_session_content_type,
+            reverse_code=migrations.RunPython.noop,
+        ),
+    ]
--- a/authentik/core/tests/test_groups_api.py
+++ b/authentik/core/tests/test_groups_api.py
@@ -124,6 +124,16 @@ class TestGroupsAPI(APITestCase):
            {"is_superuser": ["User does not have permission to set superuser status to True."]},
        )

+    def test_superuser_no_perm_no_superuser(self):
+        """Test creating a group without permission and without superuser flag"""
+        assign_perm("authentik_core.add_group", self.login_user)
+        self.client.force_login(self.login_user)
+        res = self.client.post(
+            reverse("authentik_api:group-list"),
+            data={"name": generate_id(), "is_superuser": False},
+        )
+        self.assertEqual(res.status_code, 201)
+
    def test_superuser_update_no_perm(self):
        """Test updating a superuser group without permission"""
        group = Group.objects.create(name=generate_id(), is_superuser=True)
--- a/authentik/enterprise/license.py
+++ b/authentik/enterprise/license.py
@@ -132,13 +132,14 @@ class LicenseKey:
        """Get a summarized version of all (not expired) licenses"""
        total = LicenseKey(get_license_aud(), 0, "Summarized license", 0, 0)
        for lic in License.objects.all():
-            total.internal_users += lic.internal_users
-            total.external_users += lic.external_users
+            if lic.is_valid:
+                total.internal_users += lic.internal_users
+                total.external_users += lic.external_users
+                total.license_flags.extend(lic.status.license_flags)
            exp_ts = int(mktime(lic.expiry.timetuple()))
            if total.exp == 0:
                total.exp = exp_ts
            total.exp = max(total.exp, exp_ts)
-            total.license_flags.extend(lic.status.license_flags)
        return total

    @staticmethod
--- a/authentik/enterprise/models.py
+++ b/authentik/enterprise/models.py
@@ -39,6 +39,10 @@ class License(SerializerModel):
    internal_users = models.BigIntegerField()
    external_users = models.BigIntegerField()

+    @property
+    def is_valid(self) -> bool:
+        return self.expiry >= now()
+
    @property
    def serializer(self) -> type[BaseSerializer]:
        from authentik.enterprise.api import LicenseSerializer
--- a/authentik/enterprise/tests/test_license.py
+++ b/authentik/enterprise/tests/test_license.py
@@ -8,6 +8,7 @@ from django.test import TestCase
 from django.utils.timezone import now
 from rest_framework.exceptions import ValidationError

+from authentik.core.models import User
 from authentik.enterprise.license import LicenseKey
 from authentik.enterprise.models import (
    THRESHOLD_READ_ONLY_WEEKS,
@@ -71,9 +72,9 @@ class TestEnterpriseLicense(TestCase):
    )
    def test_valid_multiple(self):
        """Check license verification"""
-        lic = License.objects.create(key=generate_id())
+        lic = License.objects.create(key=generate_id(), expiry=expiry_valid)
        self.assertTrue(lic.status.status().is_valid)
-        lic2 = License.objects.create(key=generate_id())
+        lic2 = License.objects.create(key=generate_id(), expiry=expiry_valid)
        self.assertTrue(lic2.status.status().is_valid)
        total = LicenseKey.get_total()
        self.assertEqual(total.internal_users, 200)
@@ -232,7 +233,9 @@ class TestEnterpriseLicense(TestCase):
    )
    def test_expiry_expired(self):
        """Check license verification"""
-        License.objects.create(key=generate_id())
+        User.objects.all().delete()
+        License.objects.all().delete()
+        License.objects.create(key=generate_id(), expiry=expiry_expired)
        self.assertEqual(LicenseKey.get_total().summary().status, LicenseUsageStatus.EXPIRED)

    @patch(
--- a/authentik/flows/templates/if/flow-sfe.html
+++ b/authentik/flows/templates/if/flow-sfe.html
@@ -15,6 +15,7 @@
        {% endblock %}
        <link rel="stylesheet" type="text/css" href="{% static 'dist/sfe/bootstrap.min.css' %}">
        <meta name="sentry-trace" content="{{ sentry_trace }}" />
+        <link rel="prefetch" href="{{ flow_background_url }}" />
        {% include "base/header_js.html" %}
        <style>
          html,
@@ -22,7 +23,7 @@
            height: 100%;
          }
          body {
-            background-image: url("{{ flow.background_url }}");
+            background-image: url("{{ flow_background_url }}");
            background-repeat: no-repeat;
            background-size: cover;
          }
--- a/authentik/flows/templates/if/flow.html
+++ b/authentik/flows/templates/if/flow.html
@@ -5,7 +5,7 @@

 {% block head_before %}
 {{ block.super }}
-<link rel="prefetch" href="{{ flow.background_url }}" />
+<link rel="prefetch" href="{{ flow_background_url }}" />
 {% if flow.compatibility_mode and not inspector %}
 <script>ShadyDOM = { force: !navigator.webdriver };</script>
 {% endif %}
@@ -21,7 +21,7 @@ window.authentik.flow = {
 <script src="{% versioned_script 'dist/flow/FlowInterface-%v.js' %}" type="module"></script>
 <style>
 :root {
-    --ak-flow-background: url("{{ flow.background_url }}");
+    --ak-flow-background: url("{{ flow_background_url }}");
 }
 </style>
 {% endblock %}
--- a/authentik/flows/views/interface.py
+++ b/authentik/flows/views/interface.py
@@ -13,7 +13,9 @@ class FlowInterfaceView(InterfaceView):
    """Flow interface"""

    def get_context_data(self, **kwargs: Any) -> dict[str, Any]:
-        kwargs["flow"] = get_object_or_404(Flow, slug=self.kwargs.get("flow_slug"))
+        flow = get_object_or_404(Flow, slug=self.kwargs.get("flow_slug"))
+        kwargs["flow"] = flow
+        kwargs["flow_background_url"] = flow.background_url(self.request)
        kwargs["inspector"] = "inspector" in self.request.GET
        return super().get_context_data(**kwargs)

--- a/authentik/lib/config.py
+++ b/authentik/lib/config.py
@@ -363,6 +363,9 @@ def django_db_config(config: ConfigLoader | None = None) -> dict:
        pool_options = config.get_dict_from_b64_json("postgresql.pool_options", True)
        if not pool_options:
            pool_options = True
+    # FIXME: Temporarily force pool to be deactivated.
+    # See https://github.com/goauthentik/authentik/issues/14320
+    pool_options = False

    db = {
        "default": {
--- a/authentik/lib/tests/test_config.py
+++ b/authentik/lib/tests/test_config.py
@@ -494,86 +494,88 @@ class TestConfig(TestCase):
            },
        )

-    def test_db_pool(self):
-        """Test DB Config with pool"""
-        config = ConfigLoader()
-        config.set("postgresql.host", "foo")
-        config.set("postgresql.name", "foo")
-        config.set("postgresql.user", "foo")
-        config.set("postgresql.password", "foo")
-        config.set("postgresql.port", "foo")
-        config.set("postgresql.test.name", "foo")
-        config.set("postgresql.use_pool", True)
-        conf = django_db_config(config)
-        self.assertEqual(
-            conf,
-            {
-                "default": {
-                    "ENGINE": "authentik.root.db",
-                    "HOST": "foo",
-                    "NAME": "foo",
-                    "OPTIONS": {
-                        "pool": True,
-                        "sslcert": None,
-                        "sslkey": None,
-                        "sslmode": None,
-                        "sslrootcert": None,
-                    },
-                    "PASSWORD": "foo",
-                    "PORT": "foo",
-                    "TEST": {"NAME": "foo"},
-                    "USER": "foo",
-                    "CONN_MAX_AGE": 0,
-                    "CONN_HEALTH_CHECKS": False,
-                    "DISABLE_SERVER_SIDE_CURSORS": False,
-                }
-            },
-        )
+    # FIXME: Temporarily force pool to be deactivated.
+    # See https://github.com/goauthentik/authentik/issues/14320
+    # def test_db_pool(self):
+    #     """Test DB Config with pool"""
+    #     config = ConfigLoader()
+    #     config.set("postgresql.host", "foo")
+    #     config.set("postgresql.name", "foo")
+    #     config.set("postgresql.user", "foo")
+    #     config.set("postgresql.password", "foo")
+    #     config.set("postgresql.port", "foo")
+    #     config.set("postgresql.test.name", "foo")
+    #     config.set("postgresql.use_pool", True)
+    #     conf = django_db_config(config)
+    #     self.assertEqual(
+    #         conf,
+    #         {
+    #             "default": {
+    #                 "ENGINE": "authentik.root.db",
+    #                 "HOST": "foo",
+    #                 "NAME": "foo",
+    #                 "OPTIONS": {
+    #                     "pool": True,
+    #                     "sslcert": None,
+    #                     "sslkey": None,
+    #                     "sslmode": None,
+    #                     "sslrootcert": None,
+    #                 },
+    #                 "PASSWORD": "foo",
+    #                 "PORT": "foo",
+    #                 "TEST": {"NAME": "foo"},
+    #                 "USER": "foo",
+    #                 "CONN_MAX_AGE": 0,
+    #                 "CONN_HEALTH_CHECKS": False,
+    #                 "DISABLE_SERVER_SIDE_CURSORS": False,
+    #             }
+    #         },
+    #     )

-    def test_db_pool_options(self):
-        """Test DB Config with pool"""
-        config = ConfigLoader()
-        config.set("postgresql.host", "foo")
-        config.set("postgresql.name", "foo")
-        config.set("postgresql.user", "foo")
-        config.set("postgresql.password", "foo")
-        config.set("postgresql.port", "foo")
-        config.set("postgresql.test.name", "foo")
-        config.set("postgresql.use_pool", True)
-        config.set(
-            "postgresql.pool_options",
-            base64.b64encode(
-                dumps(
-                    {
-                        "max_size": 15,
-                    }
-                ).encode()
-            ).decode(),
-        )
-        conf = django_db_config(config)
-        self.assertEqual(
-            conf,
-            {
-                "default": {
-                    "ENGINE": "authentik.root.db",
-                    "HOST": "foo",
-                    "NAME": "foo",
-                    "OPTIONS": {
-                        "pool": {
-                            "max_size": 15,
-                        },
-                        "sslcert": None,
-                        "sslkey": None,
-                        "sslmode": None,
-                        "sslrootcert": None,
-                    },
-                    "PASSWORD": "foo",
-                    "PORT": "foo",
-                    "TEST": {"NAME": "foo"},
-                    "USER": "foo",
-                    "CONN_MAX_AGE": 0,
-                    "CONN_HEALTH_CHECKS": False,
-                    "DISABLE_SERVER_SIDE_CURSORS": False,
-                }
-            },
-        )
+    # def test_db_pool_options(self):
+    #     """Test DB Config with pool"""
+    #     config = ConfigLoader()
+    #     config.set("postgresql.host", "foo")
+    #     config.set("postgresql.name", "foo")
+    #     config.set("postgresql.user", "foo")
+    #     config.set("postgresql.password", "foo")
+    #     config.set("postgresql.port", "foo")
+    #     config.set("postgresql.test.name", "foo")
+    #     config.set("postgresql.use_pool", True)
+    #     config.set(
+    #         "postgresql.pool_options",
+    #         base64.b64encode(
+    #             dumps(
+    #                 {
+    #                     "max_size": 15,
+    #                 }
+    #             ).encode()
+    #         ).decode(),
+    #     )
+    #     conf = django_db_config(config)
+    #     self.assertEqual(
+    #         conf,
+    #         {
+    #             "default": {
+    #                 "ENGINE": "authentik.root.db",
+    #                 "HOST": "foo",
+    #                 "NAME": "foo",
+    #                 "OPTIONS": {
+    #                     "pool": {
+    #                         "max_size": 15,
+    #                     },
+    #                     "sslcert": None,
+    #                     "sslkey": None,
+    #                     "sslmode": None,
+    #                     "sslrootcert": None,
+    #                 },
+    #                 "PASSWORD": "foo",
+    #                 "PORT": "foo",
+    #                 "TEST": {"NAME": "foo"},
+    #                 "USER": "foo",
+    #                 "CONN_MAX_AGE": 0,
+    #                 "CONN_HEALTH_CHECKS": False,
+    #                 "DISABLE_SERVER_SIDE_CURSORS": False,
+    #             }
+    #         },
+    #     )
--- a/authentik/outposts/models.py
+++ b/authentik/outposts/models.py
@@ -74,6 +74,8 @@ class OutpostConfig:
    kubernetes_ingress_annotations: dict[str, str] = field(default_factory=dict)
    kubernetes_ingress_secret_name: str = field(default="authentik-outpost-tls")
    kubernetes_ingress_class_name: str | None = field(default=None)
+    kubernetes_httproute_annotations: dict[str, str] = field(default_factory=dict)
+    kubernetes_httproute_parent_refs: list[dict[str, str]] = field(default_factory=list)
    kubernetes_service_type: str = field(default="ClusterIP")
    kubernetes_disabled_components: list[str] = field(default_factory=list)
    kubernetes_image_pull_secrets: list[str] = field(default_factory=list)
--- a/authentik/providers/oauth2/migrations/0028_migrate_session.py
+++ b/authentik/providers/oauth2/migrations/0028_migrate_session.py
@@ -11,7 +11,8 @@ def migrate_sessions(apps, schema_editor, model):
    AuthenticatedSession = apps.get_model("authentik_core", "AuthenticatedSession")
    db_alias = schema_editor.connection.alias

-    for obj in Model.objects.using(db_alias).all():
+    objs = list(Model.objects.using(db_alias).select_related("old_session").all())
+    for obj in objs:
        if not obj.old_session:
            continue
        obj.session = (
--- a/authentik/providers/proxy/controllers/k8s/httproute.py
+++ b/authentik/providers/proxy/controllers/k8s/httproute.py
@@ -0,0 +1,234 @@
+from dataclasses import asdict, dataclass, field
+from typing import TYPE_CHECKING
+from urllib.parse import urlparse
+
+from dacite.core import from_dict
+from kubernetes.client import ApiextensionsV1Api, CustomObjectsApi, V1ObjectMeta
+
+from authentik.outposts.controllers.base import FIELD_MANAGER
+from authentik.outposts.controllers.k8s.base import KubernetesObjectReconciler
+from authentik.outposts.controllers.k8s.triggers import NeedsUpdate
+from authentik.outposts.controllers.kubernetes import KubernetesController
+from authentik.providers.proxy.models import ProxyMode, ProxyProvider
+
+if TYPE_CHECKING:
+    from authentik.outposts.controllers.kubernetes import KubernetesController
+
+
+@dataclass(slots=True)
+class RouteBackendRef:
+    name: str
+    port: int
+
+
+@dataclass(slots=True)
+class RouteSpecParentRefs:
+    name: str
+    sectionName: str | None = None
+    port: int | None = None
+    namespace: str | None = None
+    kind: str = "Gateway"
+    group: str = "gateway.networking.k8s.io"
+
+
+@dataclass(slots=True)
+class HTTPRouteSpecRuleMatchPath:
+    type: str
+    value: str
+
+
+@dataclass(slots=True)
+class HTTPRouteSpecRuleMatchHeader:
+    name: str
+    value: str
+    type: str = "Exact"
+
+
+@dataclass(slots=True)
+class HTTPRouteSpecRuleMatch:
+    path: HTTPRouteSpecRuleMatchPath
+    headers: list[HTTPRouteSpecRuleMatchHeader]
+
+
+@dataclass(slots=True)
+class HTTPRouteSpecRule:
+    backendRefs: list[RouteBackendRef]
+    matches: list[HTTPRouteSpecRuleMatch]
+
+
+@dataclass(slots=True)
+class HTTPRouteSpec:
+    parentRefs: list[RouteSpecParentRefs]
+    hostnames: list[str]
+    rules: list[HTTPRouteSpecRule]
+
+
+@dataclass(slots=True)
+class HTTPRouteMetadata:
+    name: str
+    namespace: str
+    annotations: dict = field(default_factory=dict)
+    labels: dict = field(default_factory=dict)
+
+
+@dataclass(slots=True)
+class HTTPRoute:
+    apiVersion: str
+    kind: str
+    metadata: HTTPRouteMetadata
+    spec: HTTPRouteSpec
+
+
+class HTTPRouteReconciler(KubernetesObjectReconciler):
+    """Kubernetes Gateway API HTTPRoute Reconciler"""
+
+    def __init__(self, controller: "KubernetesController") -> None:
+        super().__init__(controller)
+        self.api_ex = ApiextensionsV1Api(controller.client)
+        self.api = CustomObjectsApi(controller.client)
+        self.crd_group = "gateway.networking.k8s.io"
+        self.crd_version = "v1"
+        self.crd_plural = "httproutes"
+
+    @staticmethod
+    def reconciler_name() -> str:
+        return "httproute"
+
+    @property
+    def noop(self) -> bool:
+        if not self.crd_exists():
+            self.logger.debug("CRD doesn't exist")
+            return True
+        if not self.controller.outpost.config.kubernetes_httproute_parent_refs:
+            self.logger.debug("HTTPRoute parentRefs not set.")
+            return True
+        return False
+
+    def crd_exists(self) -> bool:
+        """Check if the Gateway API resources exists"""
+        return bool(
+            len(
+                self.api_ex.list_custom_resource_definition(
+                    field_selector=f"metadata.name={self.crd_plural}.{self.crd_group}"
+                ).items
+            )
+        )
+
+    def reconcile(self, current: HTTPRoute, reference: HTTPRoute):
+        super().reconcile(current, reference)
+        if current.metadata.annotations != reference.metadata.annotations:
+            raise NeedsUpdate()
+        if current.spec.parentRefs != reference.spec.parentRefs:
+            raise NeedsUpdate()
+        if current.spec.hostnames != reference.spec.hostnames:
+            raise NeedsUpdate()
+        if current.spec.rules != reference.spec.rules:
+            raise NeedsUpdate()
+
+    def get_object_meta(self, **kwargs) -> V1ObjectMeta:
+        return super().get_object_meta(
+            **kwargs,
+        )
+
+    def get_reference_object(self) -> HTTPRoute:
+        hostnames = []
+        rules = []
+
+        for proxy_provider in ProxyProvider.objects.filter(outpost__in=[self.controller.outpost]):
+            proxy_provider: ProxyProvider
+            external_host_name = urlparse(proxy_provider.external_host)
+            if proxy_provider.mode in [ProxyMode.FORWARD_SINGLE, ProxyMode.FORWARD_DOMAIN]:
+                rule = HTTPRouteSpecRule(
+                    backendRefs=[RouteBackendRef(name=self.name, port=9000)],
+                    matches=[
+                        HTTPRouteSpecRuleMatch(
+                            headers=[
+                                HTTPRouteSpecRuleMatchHeader(
+                                    name="Host",
+                                    value=external_host_name.hostname,
+                                )
+                            ],
+                            path=HTTPRouteSpecRuleMatchPath(
+                                type="PathPrefix", value="/outpost.goauthentik.io"
+                            ),
+                        )
+                    ],
+                )
+            else:
+                rule = HTTPRouteSpecRule(
+                    backendRefs=[RouteBackendRef(name=self.name, port=9000)],
+                    matches=[
+                        HTTPRouteSpecRuleMatch(
+                            headers=[
+                                HTTPRouteSpecRuleMatchHeader(
+                                    name="Host",
+                                    value=external_host_name.hostname,
+                                )
+                            ],
+                            path=HTTPRouteSpecRuleMatchPath(type="PathPrefix", value="/"),
+                        )
+                    ],
+                )
+            hostnames.append(external_host_name.hostname)
+            rules.append(rule)
+
+        return HTTPRoute(
+            apiVersion=f"{self.crd_group}/{self.crd_version}",
+            kind="HTTPRoute",
+            metadata=HTTPRouteMetadata(
+                name=self.name,
+                namespace=self.namespace,
+                annotations=self.controller.outpost.config.kubernetes_httproute_annotations,
+                labels=self.get_object_meta().labels,
+            ),
+            spec=HTTPRouteSpec(
+                parentRefs=[
+                    from_dict(RouteSpecParentRefs, spec)
+                    for spec in self.controller.outpost.config.kubernetes_httproute_parent_refs
+                ],
+                hostnames=hostnames,
+                rules=rules,
+            ),
+        )
+
+    def create(self, reference: HTTPRoute):
+        return self.api.create_namespaced_custom_object(
+            group=self.crd_group,
+            version=self.crd_version,
+            plural=self.crd_plural,
+            namespace=self.namespace,
+            body=asdict(reference),
+            field_manager=FIELD_MANAGER,
+        )
+
+    def delete(self, reference: HTTPRoute):
+        return self.api.delete_namespaced_custom_object(
+            group=self.crd_group,
+            version=self.crd_version,
+            plural=self.crd_plural,
+            namespace=self.namespace,
+            name=self.name,
+        )
+
+    def retrieve(self) -> HTTPRoute:
+        return from_dict(
+            HTTPRoute,
+            self.api.get_namespaced_custom_object(
+                group=self.crd_group,
+                version=self.crd_version,
+                plural=self.crd_plural,
+                namespace=self.namespace,
+                name=self.name,
+            ),
+        )
+
+    def update(self, current: HTTPRoute, reference: HTTPRoute):
+        return self.api.patch_namespaced_custom_object(
+            group=self.crd_group,
+            version=self.crd_version,
+            plural=self.crd_plural,
+            namespace=self.namespace,
+            name=self.name,
+            body=asdict(reference),
+            field_manager=FIELD_MANAGER,
+        )
--- a/authentik/providers/proxy/controllers/kubernetes.py
+++ b/authentik/providers/proxy/controllers/kubernetes.py
@@ -3,6 +3,7 @@
 from authentik.outposts.controllers.base import DeploymentPort
 from authentik.outposts.controllers.kubernetes import KubernetesController
 from authentik.outposts.models import KubernetesServiceConnection, Outpost
+from authentik.providers.proxy.controllers.k8s.httproute import HTTPRouteReconciler
 from authentik.providers.proxy.controllers.k8s.ingress import IngressReconciler
 from authentik.providers.proxy.controllers.k8s.traefik import TraefikMiddlewareReconciler

@@ -18,8 +19,10 @@ class ProxyKubernetesController(KubernetesController):
            DeploymentPort(9443, "https", "tcp"),
        ]
        self.reconcilers[IngressReconciler.reconciler_name()] = IngressReconciler
+        self.reconcilers[HTTPRouteReconciler.reconciler_name()] = HTTPRouteReconciler
        self.reconcilers[TraefikMiddlewareReconciler.reconciler_name()] = (
            TraefikMiddlewareReconciler
        )
        self.reconcile_order.append(IngressReconciler.reconciler_name())
+        self.reconcile_order.append(HTTPRouteReconciler.reconciler_name())
        self.reconcile_order.append(TraefikMiddlewareReconciler.reconciler_name())
--- a/authentik/providers/rac/consumer_client.py
+++ b/authentik/providers/rac/consumer_client.py
@@ -66,7 +66,10 @@ class RACClientConsumer(AsyncWebsocketConsumer):
    def init_outpost_connection(self):
        """Initialize guac connection settings"""
        self.token = (
-            ConnectionToken.filter_not_expired(token=self.scope["url_route"]["kwargs"]["token"])
+            ConnectionToken.filter_not_expired(
+                token=self.scope["url_route"]["kwargs"]["token"],
+                session__session__session_key=self.scope["session"].session_key,
+            )
            .select_related("endpoint", "provider", "session", "session__user")
            .first()
        )
--- a/authentik/providers/rac/migrations/0007_migrate_session.py
+++ b/authentik/providers/rac/migrations/0007_migrate_session.py
@@ -13,7 +13,7 @@ def migrate_sessions(apps, schema_editor):
    for token in ConnectionToken.objects.using(db_alias).all():
        token.session = (
            AuthenticatedSession.objects.using(db_alias)
-            .filter(session_key=token.old_session.session_key)
+            .filter(session__session_key=token.old_session.session_key)
            .first()
        )
        if token.session:
--- a/authentik/providers/rac/tests/test_views.py
+++ b/authentik/providers/rac/tests/test_views.py
@@ -87,3 +87,22 @@ class TestRACViews(APITestCase):
        )
        body = loads(flow_response.content)
        self.assertEqual(body["component"], "ak-stage-access-denied")
+
+    def test_different_session(self):
+        """Test request"""
+        self.client.force_login(self.user)
+        response = self.client.get(
+            reverse(
+                "authentik_providers_rac:start",
+                kwargs={"app": self.app.slug, "endpoint": str(self.endpoint.pk)},
+            )
+        )
+        self.assertEqual(response.status_code, 302)
+        flow_response = self.client.get(
+            reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug})
+        )
+        body = loads(flow_response.content)
+        next_url = body["to"]
+        self.client.logout()
+        final_response = self.client.get(next_url)
+        self.assertEqual(final_response.url, reverse("authentik_core:if-user"))
--- a/authentik/providers/rac/views.py
+++ b/authentik/providers/rac/views.py
@@ -65,7 +65,10 @@ class RACInterface(InterfaceView):

    def dispatch(self, request: HttpRequest, *args: Any, **kwargs: Any) -> HttpResponse:
        # Early sanity check to ensure token still exists
-        token = ConnectionToken.filter_not_expired(token=self.kwargs["token"]).first()
+        token = ConnectionToken.filter_not_expired(
+            token=self.kwargs["token"],
+            session__session__session_key=request.session.session_key,
+        ).first()
        if not token:
            return redirect("authentik_core:if-user")
        self.token = token
--- a/authentik/rbac/api/rbac.py
+++ b/authentik/rbac/api/rbac.py
@@ -99,6 +99,7 @@ class RBACPermissionViewSet(ReadOnlyModelViewSet):
    filterset_class = PermissionFilter
    permission_classes = [IsAuthenticated]
    search_fields = [
+        "name",
        "codename",
        "content_type__model",
        "content_type__app_label",
--- a/authentik/sources/scim/views/v2/groups.py
+++ b/authentik/sources/scim/views/v2/groups.py
@@ -97,7 +97,8 @@ class GroupsView(SCIMObjectView):
                    self.logger.warning("Invalid group member", exc=exc)
                    continue
                query |= Q(uuid=member.value)
-            group.users.set(User.objects.filter(query))
+            if query:
+                group.users.set(User.objects.filter(query))
        if not connection:
            connection, _ = SCIMSourceGroup.objects.get_or_create(
                source=self.source,
--- a/authentik/stages/authenticator_webauthn/mds/blob.jwt
+++ b/authentik/stages/authenticator_webauthn/mds/blob.jwt
--- a/authentik/stages/password/tests.py
+++ b/authentik/stages/password/tests.py
@@ -89,6 +89,29 @@ class TestPasswordStage(FlowTestCase):
        self.assertEqual(response.status_code, 200)
        self.assertStageRedirects(response, reverse("authentik_core:root-redirect"))

+    def test_valid_password_inactive(self):
+        """Test with a valid pending user and valid password"""
+        self.user.is_active = False
+        self.user.save()
+        plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
+        plan.context[PLAN_CONTEXT_PENDING_USER] = self.user
+        session = self.client.session
+        session[SESSION_KEY_PLAN] = plan
+        session.save()
+
+        response = self.client.post(
+            reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug}),
+            # Form data
+            {"password": self.user.username},
+        )
+
+        self.assertEqual(response.status_code, 200)
+        self.assertStageResponse(
+            response,
+            self.flow,
+            response_errors={"password": [{"string": "Invalid password", "code": "invalid"}]},
+        )
+
    def test_invalid_password(self):
        """Test with a valid pending user and invalid password"""
        plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
--- a/authentik/stages/user_login/stage.py
+++ b/authentik/stages/user_login/stage.py
@@ -91,6 +91,7 @@ class UserLoginStageView(ChallengeStageView):
        user: User = self.executor.plan.context[PLAN_CONTEXT_PENDING_USER]
        if not user.is_active:
            self.logger.warning("User is not active, login will not work.")
+            return self.executor.stage_invalid()
        delta = self.set_session_duration(remember)
        self.set_session_ip()
        # the `user_logged_in` signal will update the user to write the `last_login` field
--- a/authentik/stages/user_login/tests.py
+++ b/authentik/stages/user_login/tests.py
@@ -6,6 +6,7 @@ from unittest.mock import patch
 from django.urls import reverse
 from django.utils.timezone import now

+from authentik.blueprints.tests import apply_blueprint
 from authentik.core.models import AuthenticatedSession, Session
 from authentik.core.tests.utils import create_test_admin_user, create_test_flow
 from authentik.flows.markers import StageMarker
@@ -174,6 +175,7 @@ class TestUserLoginStage(FlowTestCase):
            component="ak-stage-access-denied",
        )

+    @apply_blueprint("default/flow-default-user-settings-flow.yaml")
    def test_inactive_account(self):
        """Test with a valid pending user and backend"""
        self.user.is_active = False
@@ -187,8 +189,25 @@ class TestUserLoginStage(FlowTestCase):
        response = self.client.get(
            reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug})
        )
-
        self.assertEqual(response.status_code, 200)
-        self.assertStageRedirects(response, reverse("authentik_core:root-redirect"))
+        self.assertStageResponse(
+            response, self.flow, component="ak-stage-access-denied", error_message="Unknown error"
+        )
+
+        # Check that API requests get rejected
        response = self.client.get(reverse("authentik_api:application-list"))
        self.assertEqual(response.status_code, 403)
+
+        # Check that flow requests requiring a user also get rejected
+        response = self.client.get(
+            reverse(
+                "authentik_api:flow-executor",
+                kwargs={"flow_slug": "default-user-settings-flow"},
+            )
+        )
+        self.assertStageResponse(
+            response,
+            self.flow,
+            component="ak-stage-access-denied",
+            error_message="Flow does not apply to current user.",
+        )
--- a/blueprints/schema.json
+++ b/blueprints/schema.json
@@ -2,7 +2,7 @@
    "$schema": "http://json-schema.org/draft-07/schema",
    "$id": "https://goauthentik.io/blueprints/schema.json",
    "type": "object",
-    "title": "authentik 2025.2.4 Blueprint schema",
+    "title": "authentik 2025.4.4 Blueprint schema",
    "required": [
        "version",
        "entries"
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -31,7 +31,7 @@ services:
    volumes:
      - redis:/data
  server:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.2.4}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.4.4}
    restart: unless-stopped
    command: server
    environment:
@@ -55,7 +55,7 @@ services:
      redis:
        condition: service_healthy
  worker:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.2.4}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.4.4}
    restart: unless-stopped
    command: worker
    environment:
--- a/go.mod
+++ b/go.mod
@@ -27,7 +27,7 @@ require (
 	github.com/spf13/cobra v1.9.1
 	github.com/stretchr/testify v1.10.0
 	github.com/wwt/guac v1.3.2
-	goauthentik.io/api/v3 v3.2025024.8
+	goauthentik.io/api/v3 v3.2025024.9
 	golang.org/x/exp v0.0.0-20230210204819-062eb4c674ab
 	golang.org/x/oauth2 v0.29.0
 	golang.org/x/sync v0.13.0
--- a/go.sum
+++ b/go.sum
@@ -290,8 +290,8 @@ go.opentelemetry.io/otel/trace v1.24.0 h1:CsKnnL4dUAr/0llH9FKuc698G04IrpWV0MQA/Y
 go.opentelemetry.io/otel/trace v1.24.0/go.mod h1:HPc3Xr/cOApsBI154IU0OI0HJexz+aw5uPdbs3UCjNU=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
-goauthentik.io/api/v3 v3.2025024.8 h1:2mG4CqGSsmZq2CtRehxpDjsER43U/JQSoTOn5VC1ui4=
-goauthentik.io/api/v3 v3.2025024.8/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
+goauthentik.io/api/v3 v3.2025024.9 h1:i3tbkyotE32ZpJ729BsPWTuLQUdtZ54Li4aP1amZzsM=
+goauthentik.io/api/v3 v3.2025024.9/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
--- a/internal/constants/constants.go
+++ b/internal/constants/constants.go
@@ -29,4 +29,4 @@ func UserAgent() string {
 	return fmt.Sprintf("authentik@%s", FullVersion())
 }

-const VERSION = "2025.2.4"
+const VERSION = "2025.4.4"
--- a/ldap.Dockerfile
+++ b/ldap.Dockerfile
@@ -56,6 +56,7 @@ EXPOSE 3389 6636 9300

 USER 1000

-ENV GOFIPS=1
+ENV TMPDIR=/dev/shm/ \
+    GOFIPS=1

 ENTRYPOINT ["/ldap"]
--- a/lifecycle/ak
+++ b/lifecycle/ak
@@ -62,7 +62,8 @@ function prepare_debug {
    export DEBIAN_FRONTEND=noninteractive
    apt-get update
    apt-get install -y --no-install-recommends krb5-kdc krb5-user krb5-admin-server libkrb5-dev gcc
-    VIRTUAL_ENV=/ak-root/.venv uv sync --frozen
+    source "${VENV_PATH}/bin/activate"
+    uv sync --active --frozen
    touch /unittest.xml
    chown authentik:authentik /unittest.xml
 }
@@ -82,7 +83,8 @@ if [[ "$1" == "server" ]]; then
    run_authentik
 elif [[ "$1" == "worker" ]]; then
    set_mode "worker"
-    check_if_root "python -m manage worker"
+    shift
+    check_if_root "python -m manage worker $@"
 elif [[ "$1" == "worker-status" ]]; then
    wait_for_db
    celery -A authentik.root.celery flower \
@@ -96,6 +98,7 @@ elif [[ "$1" == "test-all" ]]; then
 elif [[ "$1" == "healthcheck" ]]; then
    run_authentik healthcheck $(cat $MODE_FILE)
 elif [[ "$1" == "dump_config" ]]; then
+    shift
    exec python -m authentik.lib.config $@
 elif [[ "$1" == "debug" ]]; then
    exec sleep infinity
--- a/lifecycle/aws/package-lock.json
+++ b/lifecycle/aws/package-lock.json
@@ -9,7 +9,7 @@
            "version": "0.0.0",
            "license": "MIT",
            "devDependencies": {
-                "aws-cdk": "^2.1010.0",
+                "aws-cdk": "^2.1012.0",
                "cross-env": "^7.0.3"
            },
            "engines": {
@@ -17,9 +17,9 @@
            }
        },
        "node_modules/aws-cdk": {
-            "version": "2.1010.0",
-            "resolved": "https://registry.npmjs.org/aws-cdk/-/aws-cdk-2.1010.0.tgz",
-            "integrity": "sha512-kYNzBXVUZoRrTuYxRRA2Loz/Uvay0MqHobg8KPZaWylIbw/meUDgtoATRNt+stOdJ9PHODTjWmlDKI+2/KoF+w==",
+            "version": "2.1012.0",
+            "resolved": "https://registry.npmjs.org/aws-cdk/-/aws-cdk-2.1012.0.tgz",
+            "integrity": "sha512-C6jSWkqP0hkY2Cs300VJHjspmTXDTMfB813kwZvRbd/OsKBfTBJBbYU16VoLAp1LVEOnQMf8otSlaSgzVF0X9A==",
            "dev": true,
            "license": "Apache-2.0",
            "bin": {
--- a/lifecycle/aws/package.json
+++ b/lifecycle/aws/package.json
@@ -10,7 +10,7 @@
        "node": ">=20"
    },
    "devDependencies": {
-        "aws-cdk": "^2.1010.0",
+        "aws-cdk": "^2.1012.0",
        "cross-env": "^7.0.3"
    }
 }
--- a/lifecycle/aws/template.yaml
+++ b/lifecycle/aws/template.yaml
@@ -26,7 +26,7 @@ Parameters:
    Description: authentik Docker image
  AuthentikVersion:
    Type: String
-    Default: 2025.2.4
+    Default: 2025.4.4
    Description: authentik Docker image tag
  AuthentikServerCPU:
    Type: Number
--- a/lifecycle/system_migrations/tenant_to_brand.py
+++ b/lifecycle/system_migrations/tenant_to_brand.py
@@ -3,7 +3,7 @@ from lifecycle.migrate import BaseMigration

 SQL_STATEMENT = """
 BEGIN TRANSACTION;
-ALTER TABLE authentik_tenants_tenant RENAME TO authentik_brands_brand;
+ALTER TABLE IF EXISTS authentik_tenants_tenant RENAME TO authentik_brands_brand;
 UPDATE django_migrations SET app = replace(app, 'authentik_tenants', 'authentik_brands');
 UPDATE django_content_type SET app_label = replace(app_label, 'authentik_tenants', 'authentik_brands');
 COMMIT;
--- a/locale/de/LC_MESSAGES/django.mo
+++ b/locale/de/LC_MESSAGES/django.mo
--- a/locale/de/LC_MESSAGES/django.po
+++ b/locale/de/LC_MESSAGES/django.po
@@ -8,7 +8,6 @@
 # Jens L. <jens@goauthentik.io>, 2022
 # Lars Lehmann <lars@lars-lehmann.net>, 2023
 # Johannes —/—, 2023
-# Dominic Wagner <mail@dominic-wagner.de>, 2023
 # fde4f289d99ed356ff5cfdb762dc44aa_a8a971d, 2023
 # Christian Foellmann <foellmann@foe-services.de>, 2023
 # kidhab, 2023
@@ -30,17 +29,18 @@
 # Alexander Möbius, 2025
 # Jonas, 2025
 # Niklas Kroese, 2025
-# 97cce0ae0cad2a2cc552d3165d04643e_de3d740, 2025
 # datenschmutz, 2025
+# 97cce0ae0cad2a2cc552d3165d04643e_de3d740, 2025
+# Dominic Wagner <mail@dominic-wagner.de>, 2025
 # 
 #, fuzzy
 msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-04-11 00:10+0000\n"
+"POT-Creation-Date: 2025-04-23 09:00+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
-"Last-Translator: datenschmutz, 2025\n"
+"Last-Translator: Dominic Wagner <mail@dominic-wagner.de>, 2025\n"
 "Language-Team: German (https://app.transifex.com/authentik/teams/119923/de/)\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
@@ -214,6 +214,7 @@ msgid "User's display name."
 msgstr "Anzeigename"

 #: authentik/core/models.py authentik/providers/oauth2/models.py
+#: authentik/rbac/models.py
 msgid "User"
 msgstr "Benutzer"

@@ -402,6 +403,18 @@ msgstr "Eigenschaft"
 msgid "Property Mappings"
 msgstr "Eigenschaften"

+#: authentik/core/models.py
+msgid "session data"
+msgstr ""
+
+#: authentik/core/models.py
+msgid "Session"
+msgstr "Sitzung"
+
+#: authentik/core/models.py
+msgid "Sessions"
+msgstr "Sitzungen"
+
 #: authentik/core/models.py
 msgid "Authenticated Session"
 msgstr "Authentifizierte Sitzung"
@@ -511,6 +524,38 @@ msgstr "Lizenzverwendung"
 msgid "License Usage Records"
 msgstr "Lizenzverwendung Aufzeichnungen"

+#: authentik/enterprise/policies/unique_password/models.py
+#: authentik/policies/password/models.py
+msgid "Field key to check, field keys defined in Prompt stages are available."
+msgstr ""
+"Zu prüfender Feldschlüssel, die in den Aufforderungsstufen definierten "
+"Feldschlüssel sind verfügbar."
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "Number of passwords to check against."
+msgstr ""
+
+#: authentik/enterprise/policies/unique_password/models.py
+#: authentik/policies/password/models.py
+msgid "Password not set in context"
+msgstr "Passwort nicht im Kontext festgelegt"
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "This password has been used previously. Please choose a different one."
+msgstr ""
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "Password Uniqueness Policy"
+msgstr ""
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "Password Uniqueness Policies"
+msgstr ""
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "User Password History"
+msgstr ""
+
 #: authentik/enterprise/policy.py
 msgid "Enterprise required to access this feature."
 msgstr "Enterprise ist erforderlich, um auf diese Funktion zuzugreifen."
@@ -1303,12 +1348,6 @@ msgstr "Richtlinien Cache Metriken anzeigen"
 msgid "Clear Policy's cache metrics"
 msgstr "Richtlinien Cache Metriken löschen"

-#: authentik/policies/password/models.py
-msgid "Field key to check, field keys defined in Prompt stages are available."
-msgstr ""
-"Zu prüfender Feldschlüssel, die in den Aufforderungsstufen definierten "
-"Feldschlüssel sind verfügbar."
-
 #: authentik/policies/password/models.py
 msgid "How many times the password hash is allowed to be on haveibeenpwned"
 msgstr "Wie häufig der Passwort-Hash auf haveibeenpwned vertreten sein darf"
@@ -1320,10 +1359,6 @@ msgstr ""
 "Die Richtlinie wird verweigert, wenn die zxcvbn-Bewertung gleich oder "
 "kleiner diesem Wert ist."

-#: authentik/policies/password/models.py
-msgid "Password not set in context"
-msgstr "Passwort nicht im Kontext festgelegt"
-
 #: authentik/policies/password/models.py
 msgid "Invalid password."
 msgstr "Ungültiges Passwort."
@@ -1365,20 +1400,6 @@ msgstr "Reputationswert"
 msgid "Reputation Scores"
 msgstr "Reputationswert"

-#: authentik/policies/templates/policies/buffer.html
-msgid "Waiting for authentication..."
-msgstr ""
-
-#: authentik/policies/templates/policies/buffer.html
-msgid ""
-"You're already authenticating in another tab. This page will refresh once "
-"authentication is completed."
-msgstr ""
-
-#: authentik/policies/templates/policies/buffer.html
-msgid "Authenticate in this tab"
-msgstr ""
-
 #: authentik/policies/templates/policies/denied.html
 msgid "Permission denied"
 msgstr "Erlaubnis verweigert"
@@ -2208,6 +2229,10 @@ msgstr "Rolle"
 msgid "Roles"
 msgstr "Rollen"

+#: authentik/rbac/models.py
+msgid "Initial Permissions"
+msgstr ""
+
 #: authentik/rbac/models.py
 msgid "System permission"
 msgstr "Systemberechtigung"
@@ -2478,6 +2503,22 @@ msgstr "LDAP Quelle Eigenschafts-Zuordnung"
 msgid "LDAP Source Property Mappings"
 msgstr "LDAP Quelle Eigenschafts-Zuordnungen"

+#: authentik/sources/ldap/models.py
+msgid "User LDAP Source Connection"
+msgstr ""
+
+#: authentik/sources/ldap/models.py
+msgid "User LDAP Source Connections"
+msgstr ""
+
+#: authentik/sources/ldap/models.py
+msgid "Group LDAP Source Connection"
+msgstr ""
+
+#: authentik/sources/ldap/models.py
+msgid "Group LDAP Source Connections"
+msgstr ""
+
 #: authentik/sources/ldap/signals.py
 msgid "Password does not match Active Directory Complexity."
 msgstr ""
@@ -2487,6 +2528,14 @@ msgstr ""
 msgid "No token received."
 msgstr "Kein Token empfangen."

+#: authentik/sources/oauth/models.py
+msgid "HTTP Basic Authentication"
+msgstr ""
+
+#: authentik/sources/oauth/models.py
+msgid "Include the client ID and secret as request parameters"
+msgstr ""
+
 #: authentik/sources/oauth/models.py
 msgid "Request Token URL"
 msgstr "Token-URL anfordern"
@@ -2528,6 +2577,12 @@ msgstr ""
 msgid "Additional Scopes"
 msgstr "zusätzliche Scopes"

+#: authentik/sources/oauth/models.py
+msgid ""
+"How to perform authentication during an authorization_code token request "
+"flow"
+msgstr ""
+
 #: authentik/sources/oauth/models.py
 msgid "OAuth Source"
 msgstr "Outh Quelle"
@@ -3434,6 +3489,12 @@ msgstr ""
 "Wenn aktiviert, wird die Phase auch dann erfolgreich abgeschlossen und "
 "fortgesetzt, wenn falsche Benutzerdaten eingegeben wurden."

+#: authentik/stages/identification/models.py
+msgid ""
+"Show the user the 'Remember me on this device' toggle, allowing repeat users"
+" to skip straight to entering their password."
+msgstr ""
+
 #: authentik/stages/identification/models.py
 msgid "Optional enrollment flow, which is linked at the bottom of the page."
 msgstr "Optionaler Registrierungs-Flow, der unten auf der Seite verlinkt ist."
@@ -3826,6 +3887,14 @@ msgstr ""
 "Die Ereignisse werden nach dieser Dauer gelöscht (Format: "
 "Wochen=3;Tage=2;Stunden=3,Sekunden=2)."

+#: authentik/tenants/models.py
+msgid "Reputation cannot decrease lower than this value. Zero or negative."
+msgstr ""
+
+#: authentik/tenants/models.py
+msgid "Reputation cannot increase higher than this value. Zero or positive."
+msgstr ""
+
 #: authentik/tenants/models.py
 msgid "The option configures the footer links on the flow executor pages."
 msgstr ""
--- a/locale/en/LC_MESSAGES/django.po
+++ b/locale/en/LC_MESSAGES/django.po
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-04-22 13:40+0000\n"
+"POT-Creation-Date: 2025-04-23 09:00+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -1255,20 +1255,6 @@ msgstr ""
 msgid "Reputation Scores"
 msgstr ""

-#: authentik/policies/templates/policies/buffer.html
-msgid "Waiting for authentication..."
-msgstr ""
-
-#: authentik/policies/templates/policies/buffer.html
-msgid ""
-"You're already authenticating in another tab. This page will refresh once "
-"authentication is completed."
-msgstr ""
-
-#: authentik/policies/templates/policies/buffer.html
-msgid "Authenticate in this tab"
-msgstr ""
-
 #: authentik/policies/templates/policies/denied.html
 msgid "Permission denied"
 msgstr ""
--- a/locale/es/LC_MESSAGES/django.mo
+++ b/locale/es/LC_MESSAGES/django.mo
--- a/locale/es/LC_MESSAGES/django.po
+++ b/locale/es/LC_MESSAGES/django.po
@@ -15,7 +15,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-04-11 00:10+0000\n"
+"POT-Creation-Date: 2025-04-23 09:00+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
 "Last-Translator: Jens L. <jens@goauthentik.io>, 2025\n"
 "Language-Team: Spanish (https://app.transifex.com/authentik/teams/119923/es/)\n"
@@ -190,6 +190,7 @@ msgid "User's display name."
 msgstr "Nombre para mostrar del usuario."

 #: authentik/core/models.py authentik/providers/oauth2/models.py
+#: authentik/rbac/models.py
 msgid "User"
 msgstr "Usuario"

@@ -378,6 +379,18 @@ msgstr "Asignación de Propiedades"
 msgid "Property Mappings"
 msgstr "Asignaciones de Propiedades"

+#: authentik/core/models.py
+msgid "session data"
+msgstr ""
+
+#: authentik/core/models.py
+msgid "Session"
+msgstr "Sesión"
+
+#: authentik/core/models.py
+msgid "Sessions"
+msgstr "Sesiones"
+
 #: authentik/core/models.py
 msgid "Authenticated Session"
 msgstr "Sesión autenticada"
@@ -485,6 +498,38 @@ msgstr "Uso de Licencias"
 msgid "License Usage Records"
 msgstr "Registro de Uso de Licencias"

+#: authentik/enterprise/policies/unique_password/models.py
+#: authentik/policies/password/models.py
+msgid "Field key to check, field keys defined in Prompt stages are available."
+msgstr ""
+"Clave de campo a verificar, las claves de campo definidas en las etapas de "
+"Solicitud están disponibles."
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "Number of passwords to check against."
+msgstr ""
+
+#: authentik/enterprise/policies/unique_password/models.py
+#: authentik/policies/password/models.py
+msgid "Password not set in context"
+msgstr "La contraseña no se ha establecido en contexto"
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "This password has been used previously. Please choose a different one."
+msgstr ""
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "Password Uniqueness Policy"
+msgstr ""
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "Password Uniqueness Policies"
+msgstr ""
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "User Password History"
+msgstr ""
+
 #: authentik/enterprise/policy.py
 msgid "Enterprise required to access this feature."
 msgstr "Se requiere de Enterprise para acceder esta característica."
@@ -1268,12 +1313,6 @@ msgstr "Ver las métricas de caché de la Política"
 msgid "Clear Policy's cache metrics"
 msgstr "Borrar las métricas de caché de la Política"

-#: authentik/policies/password/models.py
-msgid "Field key to check, field keys defined in Prompt stages are available."
-msgstr ""
-"Clave de campo a verificar, las claves de campo definidas en las etapas de "
-"Solicitud están disponibles."
-
 #: authentik/policies/password/models.py
 msgid "How many times the password hash is allowed to be on haveibeenpwned"
 msgstr ""
@@ -1287,10 +1326,6 @@ msgstr ""
 "Si la puntuación zxcvbn es igual o menor que este valor, la política "
 "fallará."

-#: authentik/policies/password/models.py
-msgid "Password not set in context"
-msgstr "La contraseña no se ha establecido en contexto"
-
 #: authentik/policies/password/models.py
 msgid "Invalid password."
 msgstr "Contraseña inválida."
@@ -1332,20 +1367,6 @@ msgstr "Puntuación de Reputacion"
 msgid "Reputation Scores"
 msgstr "Puntuaciones de Reputacion"

-#: authentik/policies/templates/policies/buffer.html
-msgid "Waiting for authentication..."
-msgstr ""
-
-#: authentik/policies/templates/policies/buffer.html
-msgid ""
-"You're already authenticating in another tab. This page will refresh once "
-"authentication is completed."
-msgstr ""
-
-#: authentik/policies/templates/policies/buffer.html
-msgid "Authenticate in this tab"
-msgstr ""
-
 #: authentik/policies/templates/policies/denied.html
 msgid "Permission denied"
 msgstr "Permiso denegado"
@@ -2175,6 +2196,10 @@ msgstr "Rol"
 msgid "Roles"
 msgstr "Roles"

+#: authentik/rbac/models.py
+msgid "Initial Permissions"
+msgstr ""
+
 #: authentik/rbac/models.py
 msgid "System permission"
 msgstr "Permiso de sistema"
@@ -2443,6 +2468,22 @@ msgstr "Asignación de Propiedades de Fuente de LDAP"
 msgid "LDAP Source Property Mappings"
 msgstr "Asignaciones de Propiedades de Fuente de LDAP"

+#: authentik/sources/ldap/models.py
+msgid "User LDAP Source Connection"
+msgstr ""
+
+#: authentik/sources/ldap/models.py
+msgid "User LDAP Source Connections"
+msgstr ""
+
+#: authentik/sources/ldap/models.py
+msgid "Group LDAP Source Connection"
+msgstr ""
+
+#: authentik/sources/ldap/models.py
+msgid "Group LDAP Source Connections"
+msgstr ""
+
 #: authentik/sources/ldap/signals.py
 msgid "Password does not match Active Directory Complexity."
 msgstr "La contraseña no coincide con la complejidad de Active Directory."
@@ -2451,6 +2492,14 @@ msgstr "La contraseña no coincide con la complejidad de Active Directory."
 msgid "No token received."
 msgstr "No se recibió ningún token."

+#: authentik/sources/oauth/models.py
+msgid "HTTP Basic Authentication"
+msgstr ""
+
+#: authentik/sources/oauth/models.py
+msgid "Include the client ID and secret as request parameters"
+msgstr ""
+
 #: authentik/sources/oauth/models.py
 msgid "Request Token URL"
 msgstr "Solicitar URL de token"
@@ -2491,6 +2540,12 @@ msgstr "URL utilizada por authentik para obtener información del usuario."
 msgid "Additional Scopes"
 msgstr "Alcances Adicionales"

+#: authentik/sources/oauth/models.py
+msgid ""
+"How to perform authentication during an authorization_code token request "
+"flow"
+msgstr ""
+
 #: authentik/sources/oauth/models.py
 msgid "OAuth Source"
 msgstr "Fuente de OAuth"
@@ -3407,6 +3462,12 @@ msgstr ""
 "Cuando está habilitado, la etapa tendrá éxito y continuará incluso cuando se"
 " ingrese información de usuario incorrecta."

+#: authentik/stages/identification/models.py
+msgid ""
+"Show the user the 'Remember me on this device' toggle, allowing repeat users"
+" to skip straight to entering their password."
+msgstr ""
+
 #: authentik/stages/identification/models.py
 msgid "Optional enrollment flow, which is linked at the bottom of the page."
 msgstr ""
@@ -3794,6 +3855,14 @@ msgstr ""
 "Los Eventos serán eliminados después de este periodo. (Formato: "
 "weeks=3;days=2;hours=3,seconds=2)."

+#: authentik/tenants/models.py
+msgid "Reputation cannot decrease lower than this value. Zero or negative."
+msgstr ""
+
+#: authentik/tenants/models.py
+msgid "Reputation cannot increase higher than this value. Zero or positive."
+msgstr ""
+
 #: authentik/tenants/models.py
 msgid "The option configures the footer links on the flow executor pages."
 msgstr ""
--- a/locale/fi/LC_MESSAGES/django.mo
+++ b/locale/fi/LC_MESSAGES/django.mo
--- a/locale/fi/LC_MESSAGES/django.po
+++ b/locale/fi/LC_MESSAGES/django.po
@@ -15,7 +15,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-04-11 00:10+0000\n"
+"POT-Creation-Date: 2025-04-23 09:00+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
 "Last-Translator: Ville Ranki, 2025\n"
 "Language-Team: Finnish (https://app.transifex.com/authentik/teams/119923/fi/)\n"
@@ -186,6 +186,7 @@ msgid "User's display name."
 msgstr "Käyttäjän näytettävä nimi"

 #: authentik/core/models.py authentik/providers/oauth2/models.py
+#: authentik/rbac/models.py
 msgid "User"
 msgstr "Käyttäjä"

@@ -371,6 +372,18 @@ msgstr "Ominaisuuskytkentä"
 msgid "Property Mappings"
 msgstr "Ominaisuuskytkennät"

+#: authentik/core/models.py
+msgid "session data"
+msgstr ""
+
+#: authentik/core/models.py
+msgid "Session"
+msgstr "Istunto"
+
+#: authentik/core/models.py
+msgid "Sessions"
+msgstr ""
+
 #: authentik/core/models.py
 msgid "Authenticated Session"
 msgstr "Autentikoitu istunto"
@@ -478,6 +491,38 @@ msgstr "Lisenssin käyttö"
 msgid "License Usage Records"
 msgstr "Lisenssin käyttötiedot"

+#: authentik/enterprise/policies/unique_password/models.py
+#: authentik/policies/password/models.py
+msgid "Field key to check, field keys defined in Prompt stages are available."
+msgstr ""
+"Kentän avain, joka tarkistetaan. Kysymysvaiheissa määritellyt kenttien "
+"avaimet ovat käytettävissä."
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "Number of passwords to check against."
+msgstr ""
+
+#: authentik/enterprise/policies/unique_password/models.py
+#: authentik/policies/password/models.py
+msgid "Password not set in context"
+msgstr "Salasanaa ei ole asetettu kontekstissa"
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "This password has been used previously. Please choose a different one."
+msgstr ""
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "Password Uniqueness Policy"
+msgstr ""
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "Password Uniqueness Policies"
+msgstr ""
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "User Password History"
+msgstr ""
+
 #: authentik/enterprise/policy.py
 msgid "Enterprise required to access this feature."
 msgstr "Tämän ominaisuuden käyttöön tarvitaan Enterprise-versiota."
@@ -1251,12 +1296,6 @@ msgstr "Näytä käytäntövälimuistitilastot"
 msgid "Clear Policy's cache metrics"
 msgstr "Tyhjennä käytäntövälimuistitilastot"

-#: authentik/policies/password/models.py
-msgid "Field key to check, field keys defined in Prompt stages are available."
-msgstr ""
-"Kentän avain, joka tarkistetaan. Kysymysvaiheissa määritellyt kenttien "
-"avaimet ovat käytettävissä."
-
 #: authentik/policies/password/models.py
 msgid "How many times the password hash is allowed to be on haveibeenpwned"
 msgstr ""
@@ -1269,10 +1308,6 @@ msgstr ""
 "Jos zxcvbn-pistemäärä on tämä arvo tai pienempi, käytännön suorittaminen "
 "epäonnistuu."

-#: authentik/policies/password/models.py
-msgid "Password not set in context"
-msgstr "Salasanaa ei ole asetettu kontekstissa"
-
 #: authentik/policies/password/models.py
 msgid "Invalid password."
 msgstr "Virheellinen salasana."
@@ -1314,20 +1349,6 @@ msgstr "Mainepistemäärä"
 msgid "Reputation Scores"
 msgstr "Mainepistemäärät"

-#: authentik/policies/templates/policies/buffer.html
-msgid "Waiting for authentication..."
-msgstr ""
-
-#: authentik/policies/templates/policies/buffer.html
-msgid ""
-"You're already authenticating in another tab. This page will refresh once "
-"authentication is completed."
-msgstr ""
-
-#: authentik/policies/templates/policies/buffer.html
-msgid "Authenticate in this tab"
-msgstr ""
-
 #: authentik/policies/templates/policies/denied.html
 msgid "Permission denied"
 msgstr "Käyttö evätty"
@@ -2155,6 +2176,10 @@ msgstr "Rooli"
 msgid "Roles"
 msgstr "Roolit"

+#: authentik/rbac/models.py
+msgid "Initial Permissions"
+msgstr ""
+
 #: authentik/rbac/models.py
 msgid "System permission"
 msgstr "Järjestelmän käyttöoikeus"
@@ -2420,6 +2445,22 @@ msgstr "LDAP-lähteen ominaisuuskytkentä"
 msgid "LDAP Source Property Mappings"
 msgstr "LDAP-lähteen ominaisuuskytkennät"

+#: authentik/sources/ldap/models.py
+msgid "User LDAP Source Connection"
+msgstr ""
+
+#: authentik/sources/ldap/models.py
+msgid "User LDAP Source Connections"
+msgstr ""
+
+#: authentik/sources/ldap/models.py
+msgid "Group LDAP Source Connection"
+msgstr ""
+
+#: authentik/sources/ldap/models.py
+msgid "Group LDAP Source Connections"
+msgstr ""
+
 #: authentik/sources/ldap/signals.py
 msgid "Password does not match Active Directory Complexity."
 msgstr "Salasana ei vastaa Active Directoryn monimutkaisuusmääritystä."
@@ -2428,6 +2469,14 @@ msgstr "Salasana ei vastaa Active Directoryn monimutkaisuusmääritystä."
 msgid "No token received."
 msgstr "Tunnistetta ei saatu."

+#: authentik/sources/oauth/models.py
+msgid "HTTP Basic Authentication"
+msgstr ""
+
+#: authentik/sources/oauth/models.py
+msgid "Include the client ID and secret as request parameters"
+msgstr ""
+
 #: authentik/sources/oauth/models.py
 msgid "Request Token URL"
 msgstr "Pyyntötunnisteen URL"
@@ -2468,6 +2517,12 @@ msgstr "URL, jota authentik käyttää käyttäjätiedon hakemiseksi."
 msgid "Additional Scopes"
 msgstr "Lisäkäyttöalueet"

+#: authentik/sources/oauth/models.py
+msgid ""
+"How to perform authentication during an authorization_code token request "
+"flow"
+msgstr ""
+
 #: authentik/sources/oauth/models.py
 msgid "OAuth Source"
 msgstr "OAuth-lähde"
@@ -3377,6 +3432,12 @@ msgstr ""
 "Kun tämä on käytössä, vaihe onnistuu ja suoritus jatkuu, vaikka olisi "
 "syötetty virheelliset käyttäjätiedot."

+#: authentik/stages/identification/models.py
+msgid ""
+"Show the user the 'Remember me on this device' toggle, allowing repeat users"
+" to skip straight to entering their password."
+msgstr ""
+
 #: authentik/stages/identification/models.py
 msgid "Optional enrollment flow, which is linked at the bottom of the page."
 msgstr ""
@@ -3754,6 +3815,14 @@ msgstr ""
 "Tapahtumat poistetaan tämän ajan jälkeen. (Muoto: "
 "weeks=3;days=2;hours=3;seconds=2)."

+#: authentik/tenants/models.py
+msgid "Reputation cannot decrease lower than this value. Zero or negative."
+msgstr ""
+
+#: authentik/tenants/models.py
+msgid "Reputation cannot increase higher than this value. Zero or positive."
+msgstr ""
+
 #: authentik/tenants/models.py
 msgid "The option configures the footer links on the flow executor pages."
 msgstr ""
--- a/locale/fr/LC_MESSAGES/django.mo
+++ b/locale/fr/LC_MESSAGES/django.mo
--- a/locale/fr/LC_MESSAGES/django.po
+++ b/locale/fr/LC_MESSAGES/django.po
@@ -9,8 +9,8 @@
 # Kyllian Delaye-Maillot, 2023
 # Manuel Viens, 2023
 # Mordecai, 2023
+# Tina, 2024
 # Charles Leclerc, 2025
-# Tina, 2025
 # nerdinator <florian.dupret@gmail.com>, 2025
 # Marc Schmitt, 2025
 # 
@@ -19,7 +19,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-04-17 00:09+0000\n"
+"POT-Creation-Date: 2025-04-23 09:00+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
 "Last-Translator: Marc Schmitt, 2025\n"
 "Language-Team: French (https://app.transifex.com/authentik/teams/119923/fr/)\n"
@@ -502,6 +502,38 @@ msgstr "Utilisation de la licence"
 msgid "License Usage Records"
 msgstr "Registre d'utilisation de la licence"

+#: authentik/enterprise/policies/unique_password/models.py
+#: authentik/policies/password/models.py
+msgid "Field key to check, field keys defined in Prompt stages are available."
+msgstr ""
+"Clé de champ à vérifier ; les clés de champ définies dans les étapes de "
+"d'invite sont disponibles."
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "Number of passwords to check against."
+msgstr "Nombre de mots de passe à vérifier."
+
+#: authentik/enterprise/policies/unique_password/models.py
+#: authentik/policies/password/models.py
+msgid "Password not set in context"
+msgstr "Mot de passe non défini dans le contexte"
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "This password has been used previously. Please choose a different one."
+msgstr "Ce mot de passe a déjà été utilisé. Veuillez en choisir un autre."
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "Password Uniqueness Policy"
+msgstr "Politique d'unicité des mots de passe"
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "Password Uniqueness Policies"
+msgstr "Politiques d'unicité des mots de passe"
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "User Password History"
+msgstr "Historique des mots de passe utilisateur"
+
 #: authentik/enterprise/policy.py
 msgid "Enterprise required to access this feature."
 msgstr "Entreprise est requis pour accéder à cette fonctionnalité."
@@ -1296,12 +1328,6 @@ msgstr "Voir les métriques de cache de la politique"
 msgid "Clear Policy's cache metrics"
 msgstr "Nettoyer les métriques de cache de la politique"

-#: authentik/policies/password/models.py
-msgid "Field key to check, field keys defined in Prompt stages are available."
-msgstr ""
-"Clé de champ à vérifier ; les clés de champ définies dans les étapes de "
-"d'invite sont disponibles."
-
 #: authentik/policies/password/models.py
 msgid "How many times the password hash is allowed to be on haveibeenpwned"
 msgstr ""
@@ -1315,10 +1341,6 @@ msgstr ""
 "Si le score zxcvbn est égal ou inférieur à cette valeur, la politique "
 "échouera."

-#: authentik/policies/password/models.py
-msgid "Password not set in context"
-msgstr "Mot de passe non défini dans le contexte"
-
 #: authentik/policies/password/models.py
 msgid "Invalid password."
 msgstr "Mot de passe invalide."
@@ -1360,22 +1382,6 @@ msgstr "Score de Réputation"
 msgid "Reputation Scores"
 msgstr "Scores de Réputation"

-#: authentik/policies/templates/policies/buffer.html
-msgid "Waiting for authentication..."
-msgstr "En attente de l'authentification..."
-
-#: authentik/policies/templates/policies/buffer.html
-msgid ""
-"You're already authenticating in another tab. This page will refresh once "
-"authentication is completed."
-msgstr ""
-"Vous êtes déjà en cours d'authentification dans un autre onglet. Cette page "
-"se rafraîchira lorsque l'authentification sera terminée."
-
-#: authentik/policies/templates/policies/buffer.html
-msgid "Authenticate in this tab"
-msgstr "S'authentifier dans cet onglet"
-
 #: authentik/policies/templates/policies/denied.html
 msgid "Permission denied"
 msgstr "Permission refusée"
@@ -3485,6 +3491,15 @@ msgstr ""
 "Lorsqu'activé, l'étape réussira et continuera même lorsque les informations "
 "utilisateurs entrées sont invalides."

+#: authentik/stages/identification/models.py
+msgid ""
+"Show the user the 'Remember me on this device' toggle, allowing repeat users"
+" to skip straight to entering their password."
+msgstr ""
+"Afficher à l'utilisateur l'option \"Se souvenir de moi sur cet appareil\", "
+"afin de permettre aux utilisateurs réguliers de passer directement à la "
+"saisie de leur mot de passe."
+
 #: authentik/stages/identification/models.py
 msgid "Optional enrollment flow, which is linked at the bottom of the page."
 msgstr "Flux d'inscription facultatif, qui sera accessible en bas de page."
--- a/locale/it/LC_MESSAGES/django.po
+++ b/locale/it/LC_MESSAGES/django.po
@@ -12,17 +12,17 @@
 # tmassimi, 2024
 # Marc Schmitt, 2024
 # albanobattistella <albanobattistella@gmail.com>, 2024
-# Matteo Piccina <altermatte@gmail.com>, 2025
 # Kowalski Dragon (kowalski7cc) <kowalski.7cc@gmail.com>, 2025
+# Matteo Piccina <altermatte@gmail.com>, 2025
 # 
 #, fuzzy
 msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-04-11 00:10+0000\n"
+"POT-Creation-Date: 2025-04-23 09:00+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
-"Last-Translator: Kowalski Dragon (kowalski7cc) <kowalski.7cc@gmail.com>, 2025\n"
+"Last-Translator: Matteo Piccina <altermatte@gmail.com>, 2025\n"
 "Language-Team: Italian (https://app.transifex.com/authentik/teams/119923/it/)\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
@@ -194,6 +194,7 @@ msgid "User's display name."
 msgstr "Nome visualizzato dell'utente."

 #: authentik/core/models.py authentik/providers/oauth2/models.py
+#: authentik/rbac/models.py
 msgid "User"
 msgstr "Utente"

@@ -380,6 +381,18 @@ msgstr "Mappatura della proprietà"
 msgid "Property Mappings"
 msgstr "Mappatura delle proprietà"

+#: authentik/core/models.py
+msgid "session data"
+msgstr ""
+
+#: authentik/core/models.py
+msgid "Session"
+msgstr "Sessione"
+
+#: authentik/core/models.py
+msgid "Sessions"
+msgstr "Sessioni"
+
 #: authentik/core/models.py
 msgid "Authenticated Session"
 msgstr "Sessione Autenticata"
@@ -487,6 +500,38 @@ msgstr "Utilizzo della licenza"
 msgid "License Usage Records"
 msgstr "Registri sull'utilizzo della licenza"

+#: authentik/enterprise/policies/unique_password/models.py
+#: authentik/policies/password/models.py
+msgid "Field key to check, field keys defined in Prompt stages are available."
+msgstr ""
+"Chiave di campo da verificare, sono disponibili le chiavi di campo definite "
+"nelle fasi Richiesta."
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "Number of passwords to check against."
+msgstr ""
+
+#: authentik/enterprise/policies/unique_password/models.py
+#: authentik/policies/password/models.py
+msgid "Password not set in context"
+msgstr "Password non impostata nel contesto"
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "This password has been used previously. Please choose a different one."
+msgstr ""
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "Password Uniqueness Policy"
+msgstr ""
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "Password Uniqueness Policies"
+msgstr ""
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "User Password History"
+msgstr ""
+
 #: authentik/enterprise/policy.py
 msgid "Enterprise required to access this feature."
 msgstr "Versione Enterprise richiesta per accedere a questa funzione"
@@ -1274,12 +1319,6 @@ msgstr "Visualizza le metriche della cache della Policy"
 msgid "Clear Policy's cache metrics"
 msgstr "Cancellare le metriche della cache della Policy"

-#: authentik/policies/password/models.py
-msgid "Field key to check, field keys defined in Prompt stages are available."
-msgstr ""
-"Chiave di campo da verificare, sono disponibili le chiavi di campo definite "
-"nelle fasi Richiesta."
-
 #: authentik/policies/password/models.py
 msgid "How many times the password hash is allowed to be on haveibeenpwned"
 msgstr ""
@@ -1292,10 +1331,6 @@ msgstr ""
 "Se il punteggio zxcvbn è inferiore o uguale a questo valore, il criterio non"
 " verrà soddisfatto."

-#: authentik/policies/password/models.py
-msgid "Password not set in context"
-msgstr "Password non impostata nel contesto"
-
 #: authentik/policies/password/models.py
 msgid "Invalid password."
 msgstr "Password invalida."
@@ -1337,22 +1372,6 @@ msgstr "Punteggio di reputazione"
 msgid "Reputation Scores"
 msgstr "Punteggi di reputazione"

-#: authentik/policies/templates/policies/buffer.html
-msgid "Waiting for authentication..."
-msgstr "In attesa di autenticazione..."
-
-#: authentik/policies/templates/policies/buffer.html
-msgid ""
-"You're already authenticating in another tab. This page will refresh once "
-"authentication is completed."
-msgstr ""
-"Ti stai già autenticando in un'altra scheda. Questa pagina si aggiornerà una"
-" volta completata l'autenticazione."
-
-#: authentik/policies/templates/policies/buffer.html
-msgid "Authenticate in this tab"
-msgstr "Autenticati in questa scheda"
-
 #: authentik/policies/templates/policies/denied.html
 msgid "Permission denied"
 msgstr "Permesso negato"
@@ -2182,6 +2201,10 @@ msgstr "Ruolo"
 msgid "Roles"
 msgstr "Ruoli"

+#: authentik/rbac/models.py
+msgid "Initial Permissions"
+msgstr ""
+
 #: authentik/rbac/models.py
 msgid "System permission"
 msgstr "Autorizzazione di sistema"
@@ -2452,6 +2475,22 @@ msgstr "Mappatura delle proprietà sorgente LDAP"
 msgid "LDAP Source Property Mappings"
 msgstr "Mappature delle proprietà della sorgente LDAP"

+#: authentik/sources/ldap/models.py
+msgid "User LDAP Source Connection"
+msgstr ""
+
+#: authentik/sources/ldap/models.py
+msgid "User LDAP Source Connections"
+msgstr ""
+
+#: authentik/sources/ldap/models.py
+msgid "Group LDAP Source Connection"
+msgstr ""
+
+#: authentik/sources/ldap/models.py
+msgid "Group LDAP Source Connections"
+msgstr ""
+
 #: authentik/sources/ldap/signals.py
 msgid "Password does not match Active Directory Complexity."
 msgstr "La password non soddisfa la complessità Active Directory."
@@ -2460,6 +2499,14 @@ msgstr "La password non soddisfa la complessità Active Directory."
 msgid "No token received."
 msgstr "Nessun token ricevuto."

+#: authentik/sources/oauth/models.py
+msgid "HTTP Basic Authentication"
+msgstr ""
+
+#: authentik/sources/oauth/models.py
+msgid "Include the client ID and secret as request parameters"
+msgstr ""
+
 #: authentik/sources/oauth/models.py
 msgid "Request Token URL"
 msgstr "URL di Richiesta Token"
@@ -2500,6 +2547,12 @@ msgstr "URL utilizzato da authentik per ottenere le informazioni dell'utente."
 msgid "Additional Scopes"
 msgstr "Ambiti aggiuntivi"

+#: authentik/sources/oauth/models.py
+msgid ""
+"How to perform authentication during an authorization_code token request "
+"flow"
+msgstr ""
+
 #: authentik/sources/oauth/models.py
 msgid "OAuth Source"
 msgstr "Sorgente OAuth"
@@ -3426,6 +3479,12 @@ msgstr ""
 "Quando abilitato, la fase avrà successo e continuerà anche quando vengono "
 "inserite informazioni utente errate."

+#: authentik/stages/identification/models.py
+msgid ""
+"Show the user the 'Remember me on this device' toggle, allowing repeat users"
+" to skip straight to entering their password."
+msgstr ""
+
 #: authentik/stages/identification/models.py
 msgid "Optional enrollment flow, which is linked at the bottom of the page."
 msgstr "Flusso di iscrizione opzionale, che è collegato in fondo alla pagina."
@@ -3812,6 +3871,14 @@ msgstr ""
 "Gli eventi saranno cancellati dopo questa durata. (Formato: "
 "weeks=3;days=2;hours=3,seconds=2)."

+#: authentik/tenants/models.py
+msgid "Reputation cannot decrease lower than this value. Zero or negative."
+msgstr ""
+
+#: authentik/tenants/models.py
+msgid "Reputation cannot increase higher than this value. Zero or positive."
+msgstr ""
+
 #: authentik/tenants/models.py
 msgid "The option configures the footer links on the flow executor pages."
 msgstr ""
--- a/locale/ko/LC_MESSAGES/django.po
+++ b/locale/ko/LC_MESSAGES/django.po
@@ -12,7 +12,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-03-31 00:10+0000\n"
+"POT-Creation-Date: 2025-04-23 09:00+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
 "Last-Translator: NavyStack, 2023\n"
 "Language-Team: Korean (https://app.transifex.com/authentik/teams/119923/ko/)\n"
@@ -176,6 +176,7 @@ msgid "User's display name."
 msgstr "사용자의 표시 이름"

 #: authentik/core/models.py authentik/providers/oauth2/models.py
+#: authentik/rbac/models.py
 msgid "User"
 msgstr "사용자"

@@ -344,6 +345,18 @@ msgstr "속성 매핑"
 msgid "Property Mappings"
 msgstr "속성 매핑"

+#: authentik/core/models.py
+msgid "session data"
+msgstr ""
+
+#: authentik/core/models.py
+msgid "Session"
+msgstr ""
+
+#: authentik/core/models.py
+msgid "Sessions"
+msgstr ""
+
 #: authentik/core/models.py
 msgid "Authenticated Session"
 msgstr "인증된 세션"
@@ -447,6 +460,36 @@ msgstr "라이선스 사용"
 msgid "License Usage Records"
 msgstr "라이선스 사용 기록"

+#: authentik/enterprise/policies/unique_password/models.py
+#: authentik/policies/password/models.py
+msgid "Field key to check, field keys defined in Prompt stages are available."
+msgstr "확인하려는 필드 키, 프롬프트 스테이지에서 정의된 필드 키를 사용할 수 있습니다."
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "Number of passwords to check against."
+msgstr ""
+
+#: authentik/enterprise/policies/unique_password/models.py
+#: authentik/policies/password/models.py
+msgid "Password not set in context"
+msgstr "비밀번호가 컨텍스트에 설정되지 않음"
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "This password has been used previously. Please choose a different one."
+msgstr ""
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "Password Uniqueness Policy"
+msgstr ""
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "Password Uniqueness Policies"
+msgstr ""
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "User Password History"
+msgstr ""
+
 #: authentik/enterprise/policy.py
 msgid "Enterprise required to access this feature."
 msgstr ""
@@ -1182,10 +1225,6 @@ msgstr "정책의 캐시 메트릭 보기"
 msgid "Clear Policy's cache metrics"
 msgstr "정책의 캐시 메트릭 삭제"

-#: authentik/policies/password/models.py
-msgid "Field key to check, field keys defined in Prompt stages are available."
-msgstr "확인하려는 필드 키, 프롬프트 스테이지에서 정의된 필드 키를 사용할 수 있습니다."
-
 #: authentik/policies/password/models.py
 msgid "How many times the password hash is allowed to be on haveibeenpwned"
 msgstr "비밀번호 해시가 허용되는 해시 횟수"
@@ -1195,10 +1234,6 @@ msgid ""
 "If the zxcvbn score is equal or less than this value, the policy will fail."
 msgstr "만약 zxcvbn 점수가 이 값과 같거나 이 값보다 작다면, 정책이 실패합니다."

-#: authentik/policies/password/models.py
-msgid "Password not set in context"
-msgstr "비밀번호가 컨텍스트에 설정되지 않음"
-
 #: authentik/policies/password/models.py
 msgid "Invalid password."
 msgstr ""
@@ -1240,20 +1275,6 @@ msgstr "평판 점수"
 msgid "Reputation Scores"
 msgstr "평판 점수"

-#: authentik/policies/templates/policies/buffer.html
-msgid "Waiting for authentication..."
-msgstr ""
-
-#: authentik/policies/templates/policies/buffer.html
-msgid ""
-"You're already authenticating in another tab. This page will refresh once "
-"authentication is completed."
-msgstr ""
-
-#: authentik/policies/templates/policies/buffer.html
-msgid "Authenticate in this tab"
-msgstr ""
-
 #: authentik/policies/templates/policies/denied.html
 msgid "Permission denied"
 msgstr "권한 거부됨"
@@ -2013,6 +2034,10 @@ msgstr "역할"
 msgid "Roles"
 msgstr "역할"

+#: authentik/rbac/models.py
+msgid "Initial Permissions"
+msgstr ""
+
 #: authentik/rbac/models.py
 msgid "System permission"
 msgstr "시스템 권한"
@@ -2231,6 +2256,13 @@ msgid ""
 "enabled on a single LDAP source."
 msgstr "사용자가 비밀번호를 변경하면 LDAP로 다시 동기화합니다. 이 기능은 단일의 LDAP 소스에서만 활성화할 수 있습니다."

+#: authentik/sources/ldap/models.py
+msgid ""
+"Lookup group membership based on a user attribute instead of a group "
+"attribute. This allows nested group resolution on systems like FreeIPA and "
+"Active Directory"
+msgstr ""
+
 #: authentik/sources/ldap/models.py
 msgid "LDAP Source"
 msgstr "LDAP 소스"
@@ -2247,6 +2279,22 @@ msgstr ""
 msgid "LDAP Source Property Mappings"
 msgstr ""

+#: authentik/sources/ldap/models.py
+msgid "User LDAP Source Connection"
+msgstr ""
+
+#: authentik/sources/ldap/models.py
+msgid "User LDAP Source Connections"
+msgstr ""
+
+#: authentik/sources/ldap/models.py
+msgid "Group LDAP Source Connection"
+msgstr ""
+
+#: authentik/sources/ldap/models.py
+msgid "Group LDAP Source Connections"
+msgstr ""
+
 #: authentik/sources/ldap/signals.py
 msgid "Password does not match Active Directory Complexity."
 msgstr "비밀번호가 Active Directory 복잡도와 일치하지 않습니다."
@@ -2255,6 +2303,14 @@ msgstr "비밀번호가 Active Directory 복잡도와 일치하지 않습니다.
 msgid "No token received."
 msgstr "수신된 토큰이 없습니다."

+#: authentik/sources/oauth/models.py
+msgid "HTTP Basic Authentication"
+msgstr ""
+
+#: authentik/sources/oauth/models.py
+msgid "Include the client ID and secret as request parameters"
+msgstr ""
+
 #: authentik/sources/oauth/models.py
 msgid "Request Token URL"
 msgstr "토큰 요청 URL"
@@ -2293,6 +2349,12 @@ msgstr "사용자 정보를 가져오기 위해 authentik에서 사용하는 URL
 msgid "Additional Scopes"
 msgstr "추가 스코프"

+#: authentik/sources/oauth/models.py
+msgid ""
+"How to perform authentication during an authorization_code token request "
+"flow"
+msgstr ""
+
 #: authentik/sources/oauth/models.py
 msgid "OAuth Source"
 msgstr "OAuth 소스"
@@ -3149,6 +3211,12 @@ msgid ""
 "info is entered."
 msgstr "활성화되면 잘못된 사용자 정보가 입력되더라도 단계가 성공하고 계속됩니다."

+#: authentik/stages/identification/models.py
+msgid ""
+"Show the user the 'Remember me on this device' toggle, allowing repeat users"
+" to skip straight to entering their password."
+msgstr ""
+
 #: authentik/stages/identification/models.py
 msgid "Optional enrollment flow, which is linked at the bottom of the page."
 msgstr "페이지 하단에 링크된,  선택적 등록 플로우를 참조하세요."
@@ -3500,6 +3568,14 @@ msgid ""
 "weeks=3;days=2;hours=3,seconds=2)."
 msgstr "이 기간이 지나면 이벤트가 삭제됩니다. (서식: hours=-1;minutes=-2;seconds=-3)"

+#: authentik/tenants/models.py
+msgid "Reputation cannot decrease lower than this value. Zero or negative."
+msgstr ""
+
+#: authentik/tenants/models.py
+msgid "Reputation cannot increase higher than this value. Zero or positive."
+msgstr ""
+
 #: authentik/tenants/models.py
 msgid "The option configures the footer links on the flow executor pages."
 msgstr ""
--- a/locale/pl/LC_MESSAGES/django.po
+++ b/locale/pl/LC_MESSAGES/django.po
@@ -7,18 +7,18 @@
 # Bartosz Karpiński, 2023
 # Michał Jastrzębski, 2024
 # Tomci 12 <drizztes@gmail.com>, 2024
+# Darek “NeroPcStation” NeroPcStation <dareknowacki2001@gmail.com>, 2024
 # Marc Schmitt, 2025
 # Jens L. <jens@goauthentik.io>, 2025
-# Darek “NeroPcStation” NeroPcStation <dareknowacki2001@gmail.com>, 2025
 # 
 #, fuzzy
 msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-04-11 00:10+0000\n"
+"POT-Creation-Date: 2025-04-23 09:00+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
-"Last-Translator: Darek “NeroPcStation” NeroPcStation <dareknowacki2001@gmail.com>, 2025\n"
+"Last-Translator: Jens L. <jens@goauthentik.io>, 2025\n"
 "Language-Team: Polish (https://app.transifex.com/authentik/teams/119923/pl/)\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
@@ -189,6 +189,7 @@ msgid "User's display name."
 msgstr "Wyświetlana nazwa użytkownika."

 #: authentik/core/models.py authentik/providers/oauth2/models.py
+#: authentik/rbac/models.py
 msgid "User"
 msgstr "Użytkownik"

@@ -371,6 +372,18 @@ msgstr "Mapowanie właściwości"
 msgid "Property Mappings"
 msgstr "Mapowanie właściwości"

+#: authentik/core/models.py
+msgid "session data"
+msgstr ""
+
+#: authentik/core/models.py
+msgid "Session"
+msgstr "Sesja"
+
+#: authentik/core/models.py
+msgid "Sessions"
+msgstr "Sesje"
+
 #: authentik/core/models.py
 msgid "Authenticated Session"
 msgstr "Sesja uwierzytelniona"
@@ -479,6 +492,38 @@ msgstr "Wykorzystanie licencji"
 msgid "License Usage Records"
 msgstr "Rejestr wykorzystania licencji"

+#: authentik/enterprise/policies/unique_password/models.py
+#: authentik/policies/password/models.py
+msgid "Field key to check, field keys defined in Prompt stages are available."
+msgstr ""
+"Klucz pola do sprawdzenia, dostępne są klucze pola zdefiniowane w etapach "
+"monitu."
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "Number of passwords to check against."
+msgstr ""
+
+#: authentik/enterprise/policies/unique_password/models.py
+#: authentik/policies/password/models.py
+msgid "Password not set in context"
+msgstr "Hasło nie jest ustawione w kontekście"
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "This password has been used previously. Please choose a different one."
+msgstr ""
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "Password Uniqueness Policy"
+msgstr ""
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "Password Uniqueness Policies"
+msgstr ""
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "User Password History"
+msgstr ""
+
 #: authentik/enterprise/policy.py
 msgid "Enterprise required to access this feature."
 msgstr "Wymagane jest konto Enterprise, aby uzyskać dostęp do tej funkcji."
@@ -1257,12 +1302,6 @@ msgstr "Wyświetl metryki pamięci podręcznej Zasady"
 msgid "Clear Policy's cache metrics"
 msgstr "Wyczyść metryki pamięci podręcznej Zasady"

-#: authentik/policies/password/models.py
-msgid "Field key to check, field keys defined in Prompt stages are available."
-msgstr ""
-"Klucz pola do sprawdzenia, dostępne są klucze pola zdefiniowane w etapach "
-"monitu."
-
 #: authentik/policies/password/models.py
 msgid "How many times the password hash is allowed to be on haveibeenpwned"
 msgstr "Ile razy skrót hasła może być na haveibeenpwned"
@@ -1274,10 +1313,6 @@ msgstr ""
 "Jeśli wynik zxcvbn jest równy lub mniejszy od tej wartości, zasada zakończy "
 "się niepowodzeniem."

-#: authentik/policies/password/models.py
-msgid "Password not set in context"
-msgstr "Hasło nie jest ustawione w kontekście"
-
 #: authentik/policies/password/models.py
 msgid "Invalid password."
 msgstr ""
@@ -1319,20 +1354,6 @@ msgstr "Punkty reputacji"
 msgid "Reputation Scores"
 msgstr "Punkty reputacji"

-#: authentik/policies/templates/policies/buffer.html
-msgid "Waiting for authentication..."
-msgstr "Oczekiwanie na uwierzytelnienie..."
-
-#: authentik/policies/templates/policies/buffer.html
-msgid ""
-"You're already authenticating in another tab. This page will refresh once "
-"authentication is completed."
-msgstr ""
-
-#: authentik/policies/templates/policies/buffer.html
-msgid "Authenticate in this tab"
-msgstr ""
-
 #: authentik/policies/templates/policies/denied.html
 msgid "Permission denied"
 msgstr "Odmowa uprawnień"
@@ -2141,6 +2162,10 @@ msgstr "Rola"
 msgid "Roles"
 msgstr "Role"

+#: authentik/rbac/models.py
+msgid "Initial Permissions"
+msgstr ""
+
 #: authentik/rbac/models.py
 msgid "System permission"
 msgstr "Uprawnienie systemowe"
@@ -2390,6 +2415,22 @@ msgstr ""
 msgid "LDAP Source Property Mappings"
 msgstr ""

+#: authentik/sources/ldap/models.py
+msgid "User LDAP Source Connection"
+msgstr ""
+
+#: authentik/sources/ldap/models.py
+msgid "User LDAP Source Connections"
+msgstr ""
+
+#: authentik/sources/ldap/models.py
+msgid "Group LDAP Source Connection"
+msgstr ""
+
+#: authentik/sources/ldap/models.py
+msgid "Group LDAP Source Connections"
+msgstr ""
+
 #: authentik/sources/ldap/signals.py
 msgid "Password does not match Active Directory Complexity."
 msgstr "Hasło nie pasuje do złożoności usługi Active Directory."
@@ -2398,6 +2439,14 @@ msgstr "Hasło nie pasuje do złożoności usługi Active Directory."
 msgid "No token received."
 msgstr "Nie otrzymano tokena."

+#: authentik/sources/oauth/models.py
+msgid "HTTP Basic Authentication"
+msgstr ""
+
+#: authentik/sources/oauth/models.py
+msgid "Include the client ID and secret as request parameters"
+msgstr ""
+
 #: authentik/sources/oauth/models.py
 msgid "Request Token URL"
 msgstr "URL żądania tokena"
@@ -2440,6 +2489,12 @@ msgstr "URL używany przez authentik do uzyskania informacji o użytkowniku."
 msgid "Additional Scopes"
 msgstr "Dodatkowe zakresy"

+#: authentik/sources/oauth/models.py
+msgid ""
+"How to perform authentication during an authorization_code token request "
+"flow"
+msgstr ""
+
 #: authentik/sources/oauth/models.py
 msgid "OAuth Source"
 msgstr "Źródło OAuth"
@@ -3344,6 +3399,12 @@ msgstr ""
 "Po włączeniu tej opcji etap zakończy się powodzeniem i będzie kontynuowany "
 "nawet po wprowadzeniu nieprawidłowych danych użytkownika."

+#: authentik/stages/identification/models.py
+msgid ""
+"Show the user the 'Remember me on this device' toggle, allowing repeat users"
+" to skip straight to entering their password."
+msgstr ""
+
 #: authentik/stages/identification/models.py
 msgid "Optional enrollment flow, which is linked at the bottom of the page."
 msgstr ""
@@ -3727,6 +3788,14 @@ msgstr ""
 "Zdarzenia zostaną usunięte po upływie tego czasu. (Format: "
 "weeks=3;days=2;hours=3,seconds=2)."

+#: authentik/tenants/models.py
+msgid "Reputation cannot decrease lower than this value. Zero or negative."
+msgstr ""
+
+#: authentik/tenants/models.py
+msgid "Reputation cannot increase higher than this value. Zero or positive."
+msgstr ""
+
 #: authentik/tenants/models.py
 msgid "The option configures the footer links on the flow executor pages."
 msgstr "Opcja ta konfiguruje łącza stopki na stronach wykonawców przepływu."
--- a/locale/pt_BR/LC_MESSAGES/django.po
+++ b/locale/pt_BR/LC_MESSAGES/django.po
@@ -18,7 +18,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-04-11 00:10+0000\n"
+"POT-Creation-Date: 2025-04-23 09:00+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
 "Last-Translator: Gil Poiares-Oliveira, 2025\n"
 "Language-Team: Portuguese (Brazil) (https://app.transifex.com/authentik/teams/119923/pt_BR/)\n"
@@ -192,6 +192,7 @@ msgid "User's display name."
 msgstr "Nome de exibição do usuário."

 #: authentik/core/models.py authentik/providers/oauth2/models.py
+#: authentik/rbac/models.py
 msgid "User"
 msgstr "Usuário"

@@ -376,6 +377,18 @@ msgstr "Mapeamento de propriedades"
 msgid "Property Mappings"
 msgstr "Mapeamentos de propriedades"

+#: authentik/core/models.py
+msgid "session data"
+msgstr ""
+
+#: authentik/core/models.py
+msgid "Session"
+msgstr ""
+
+#: authentik/core/models.py
+msgid "Sessions"
+msgstr ""
+
 #: authentik/core/models.py
 msgid "Authenticated Session"
 msgstr "Sessão Autenticada"
@@ -483,6 +496,38 @@ msgstr "Uso de licença"
 msgid "License Usage Records"
 msgstr "Registros de uso de licença"

+#: authentik/enterprise/policies/unique_password/models.py
+#: authentik/policies/password/models.py
+msgid "Field key to check, field keys defined in Prompt stages are available."
+msgstr ""
+"Chave de campo para verificar, as chaves de campo definidas nos estágios de "
+"prompt estão disponíveis."
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "Number of passwords to check against."
+msgstr ""
+
+#: authentik/enterprise/policies/unique_password/models.py
+#: authentik/policies/password/models.py
+msgid "Password not set in context"
+msgstr "Senha não definida no contexto"
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "This password has been used previously. Please choose a different one."
+msgstr ""
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "Password Uniqueness Policy"
+msgstr ""
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "Password Uniqueness Policies"
+msgstr ""
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "User Password History"
+msgstr ""
+
 #: authentik/enterprise/policy.py
 msgid "Enterprise required to access this feature."
 msgstr "Entrerprise é necessário para acessar essa funcionalidade"
@@ -1252,12 +1297,6 @@ msgstr ""
 msgid "Clear Policy's cache metrics"
 msgstr ""

-#: authentik/policies/password/models.py
-msgid "Field key to check, field keys defined in Prompt stages are available."
-msgstr ""
-"Chave de campo para verificar, as chaves de campo definidas nos estágios de "
-"prompt estão disponíveis."
-
 #: authentik/policies/password/models.py
 msgid "How many times the password hash is allowed to be on haveibeenpwned"
 msgstr "Quantas vezes o hash da senha pode estar em haveibeenpwned"
@@ -1268,10 +1307,6 @@ msgid ""
 msgstr ""
 "Se a pontuação zxcvbn for igual ou menor que esse valor, a política falhará."

-#: authentik/policies/password/models.py
-msgid "Password not set in context"
-msgstr "Senha não definida no contexto"
-
 #: authentik/policies/password/models.py
 msgid "Invalid password."
 msgstr ""
@@ -1313,20 +1348,6 @@ msgstr "Pontuação de reputação"
 msgid "Reputation Scores"
 msgstr "Pontuações de reputação"

-#: authentik/policies/templates/policies/buffer.html
-msgid "Waiting for authentication..."
-msgstr ""
-
-#: authentik/policies/templates/policies/buffer.html
-msgid ""
-"You're already authenticating in another tab. This page will refresh once "
-"authentication is completed."
-msgstr ""
-
-#: authentik/policies/templates/policies/buffer.html
-msgid "Authenticate in this tab"
-msgstr ""
-
 #: authentik/policies/templates/policies/denied.html
 msgid "Permission denied"
 msgstr "Permissão negada"
@@ -2141,6 +2162,10 @@ msgstr ""
 msgid "Roles"
 msgstr ""

+#: authentik/rbac/models.py
+msgid "Initial Permissions"
+msgstr ""
+
 #: authentik/rbac/models.py
 msgid "System permission"
 msgstr "Permissão do sistema"
@@ -2387,6 +2412,22 @@ msgstr ""
 msgid "LDAP Source Property Mappings"
 msgstr ""

+#: authentik/sources/ldap/models.py
+msgid "User LDAP Source Connection"
+msgstr ""
+
+#: authentik/sources/ldap/models.py
+msgid "User LDAP Source Connections"
+msgstr ""
+
+#: authentik/sources/ldap/models.py
+msgid "Group LDAP Source Connection"
+msgstr ""
+
+#: authentik/sources/ldap/models.py
+msgid "Group LDAP Source Connections"
+msgstr ""
+
 #: authentik/sources/ldap/signals.py
 msgid "Password does not match Active Directory Complexity."
 msgstr "A senha não corresponde à complexidade do Active Directory."
@@ -2395,6 +2436,14 @@ msgstr "A senha não corresponde à complexidade do Active Directory."
 msgid "No token received."
 msgstr "Nenhum token recebido."

+#: authentik/sources/oauth/models.py
+msgid "HTTP Basic Authentication"
+msgstr ""
+
+#: authentik/sources/oauth/models.py
+msgid "Include the client ID and secret as request parameters"
+msgstr ""
+
 #: authentik/sources/oauth/models.py
 msgid "Request Token URL"
 msgstr "URL do token de solicitação"
@@ -2435,6 +2484,12 @@ msgstr "URL usado pelo authentik para obter informações do usuário."
 msgid "Additional Scopes"
 msgstr "Escopos Adicionais"

+#: authentik/sources/oauth/models.py
+msgid ""
+"How to perform authentication during an authorization_code token request "
+"flow"
+msgstr ""
+
 #: authentik/sources/oauth/models.py
 msgid "OAuth Source"
 msgstr "Fonte OAuth"
@@ -3318,6 +3373,12 @@ msgid ""
 "info is entered."
 msgstr ""

+#: authentik/stages/identification/models.py
+msgid ""
+"Show the user the 'Remember me on this device' toggle, allowing repeat users"
+" to skip straight to entering their password."
+msgstr ""
+
 #: authentik/stages/identification/models.py
 msgid "Optional enrollment flow, which is linked at the bottom of the page."
 msgstr "Optional enrollment flow, which is linked at the bottom of the page."
@@ -3678,6 +3739,14 @@ msgstr ""
 "Os eventos serão excluídos após esta duração.(Formato: "
 "semanas=3;dias=2;horas=3,segundos=2)."

+#: authentik/tenants/models.py
+msgid "Reputation cannot decrease lower than this value. Zero or negative."
+msgstr ""
+
+#: authentik/tenants/models.py
+msgid "Reputation cannot increase higher than this value. Zero or positive."
+msgstr ""
+
 #: authentik/tenants/models.py
 msgid "The option configures the footer links on the flow executor pages."
 msgstr ""
--- a/locale/ru/LC_MESSAGES/django.po
+++ b/locale/ru/LC_MESSAGES/django.po
@@ -18,7 +18,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-04-11 00:10+0000\n"
+"POT-Creation-Date: 2025-04-23 09:00+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
 "Last-Translator: Marc Schmitt, 2025\n"
 "Language-Team: Russian (https://app.transifex.com/authentik/teams/119923/ru/)\n"
@@ -191,6 +191,7 @@ msgid "User's display name."
 msgstr "Отображаемое имя пользователя."

 #: authentik/core/models.py authentik/providers/oauth2/models.py
+#: authentik/rbac/models.py
 msgid "User"
 msgstr "Пользователь"

@@ -379,6 +380,18 @@ msgstr "Сопоставление свойств"
 msgid "Property Mappings"
 msgstr "Сопоставление свойств"

+#: authentik/core/models.py
+msgid "session data"
+msgstr ""
+
+#: authentik/core/models.py
+msgid "Session"
+msgstr ""
+
+#: authentik/core/models.py
+msgid "Sessions"
+msgstr ""
+
 #: authentik/core/models.py
 msgid "Authenticated Session"
 msgstr "Аутентифицированная Сессия"
@@ -487,6 +500,37 @@ msgstr "Использование лицензии"
 msgid "License Usage Records"
 msgstr "Записи использования лицензии"

+#: authentik/enterprise/policies/unique_password/models.py
+#: authentik/policies/password/models.py
+msgid "Field key to check, field keys defined in Prompt stages are available."
+msgstr ""
+"Ключ поля для проверки, доступны ключи поля, определенные в этапах запроса."
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "Number of passwords to check against."
+msgstr ""
+
+#: authentik/enterprise/policies/unique_password/models.py
+#: authentik/policies/password/models.py
+msgid "Password not set in context"
+msgstr "Пароль не задан в контексте"
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "This password has been used previously. Please choose a different one."
+msgstr ""
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "Password Uniqueness Policy"
+msgstr ""
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "Password Uniqueness Policies"
+msgstr ""
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "User Password History"
+msgstr ""
+
 #: authentik/enterprise/policy.py
 msgid "Enterprise required to access this feature."
 msgstr "Для доступа к этой функции требуется Enterprise."
@@ -1267,11 +1311,6 @@ msgstr "Просмотр показателей кэша политики"
 msgid "Clear Policy's cache metrics"
 msgstr "Очистка показателей кэша политики"

-#: authentik/policies/password/models.py
-msgid "Field key to check, field keys defined in Prompt stages are available."
-msgstr ""
-"Ключ поля для проверки, доступны ключи поля, определенные в этапах запроса."
-
 #: authentik/policies/password/models.py
 msgid "How many times the password hash is allowed to be on haveibeenpwned"
 msgstr "Как часто хэш пароля может быть представлен на haveibeenpwned"
@@ -1283,10 +1322,6 @@ msgstr ""
 "Если показатель zxcvbn равен или меньше этого значения, политика будет "
 "провалена."

-#: authentik/policies/password/models.py
-msgid "Password not set in context"
-msgstr "Пароль не задан в контексте"
-
 #: authentik/policies/password/models.py
 msgid "Invalid password."
 msgstr "Неправильный пароль"
@@ -1328,20 +1363,6 @@ msgstr "Оценка репутации"
 msgid "Reputation Scores"
 msgstr "Оценка репутации"

-#: authentik/policies/templates/policies/buffer.html
-msgid "Waiting for authentication..."
-msgstr ""
-
-#: authentik/policies/templates/policies/buffer.html
-msgid ""
-"You're already authenticating in another tab. This page will refresh once "
-"authentication is completed."
-msgstr ""
-
-#: authentik/policies/templates/policies/buffer.html
-msgid "Authenticate in this tab"
-msgstr ""
-
 #: authentik/policies/templates/policies/denied.html
 msgid "Permission denied"
 msgstr "Доступ запрещен"
@@ -2164,6 +2185,10 @@ msgstr "Роль"
 msgid "Roles"
 msgstr "Роли"

+#: authentik/rbac/models.py
+msgid "Initial Permissions"
+msgstr ""
+
 #: authentik/rbac/models.py
 msgid "System permission"
 msgstr "Системное разрешение"
@@ -2421,6 +2446,22 @@ msgstr "Сопоставление свойства LDAP источника"
 msgid "LDAP Source Property Mappings"
 msgstr "Сопоставление свойств LDAP источника"

+#: authentik/sources/ldap/models.py
+msgid "User LDAP Source Connection"
+msgstr ""
+
+#: authentik/sources/ldap/models.py
+msgid "User LDAP Source Connections"
+msgstr ""
+
+#: authentik/sources/ldap/models.py
+msgid "Group LDAP Source Connection"
+msgstr ""
+
+#: authentik/sources/ldap/models.py
+msgid "Group LDAP Source Connections"
+msgstr ""
+
 #: authentik/sources/ldap/signals.py
 msgid "Password does not match Active Directory Complexity."
 msgstr "Пароль не соответствует сложности Active Directory."
@@ -2429,6 +2470,14 @@ msgstr "Пароль не соответствует сложности Active D
 msgid "No token received."
 msgstr "Токен не был получен."

+#: authentik/sources/oauth/models.py
+msgid "HTTP Basic Authentication"
+msgstr ""
+
+#: authentik/sources/oauth/models.py
+msgid "Include the client ID and secret as request parameters"
+msgstr ""
+
 #: authentik/sources/oauth/models.py
 msgid "Request Token URL"
 msgstr "URL-адрес запроса токена"
@@ -2471,6 +2520,12 @@ msgstr ""
 msgid "Additional Scopes"
 msgstr "Дополнительные области"

+#: authentik/sources/oauth/models.py
+msgid ""
+"How to perform authentication during an authorization_code token request "
+"flow"
+msgstr ""
+
 #: authentik/sources/oauth/models.py
 msgid "OAuth Source"
 msgstr "Источник OAuth"
@@ -3376,6 +3431,12 @@ msgstr ""
 "При включении этап будет завершаться успешно и продолжаться даже в случае "
 "ввода неправильной информации о пользователе."

+#: authentik/stages/identification/models.py
+msgid ""
+"Show the user the 'Remember me on this device' toggle, allowing repeat users"
+" to skip straight to entering their password."
+msgstr ""
+
 #: authentik/stages/identification/models.py
 msgid "Optional enrollment flow, which is linked at the bottom of the page."
 msgstr ""
@@ -3767,6 +3828,14 @@ msgstr ""
 "По истечении этого времени события будут удалены. (Формат: недели=3; дни=2; "
 "часы=3, секунды=2)."

+#: authentik/tenants/models.py
+msgid "Reputation cannot decrease lower than this value. Zero or negative."
+msgstr ""
+
+#: authentik/tenants/models.py
+msgid "Reputation cannot increase higher than this value. Zero or positive."
+msgstr ""
+
 #: authentik/tenants/models.py
 msgid "The option configures the footer links on the flow executor pages."
 msgstr ""
--- a/locale/tr/LC_MESSAGES/django.mo
+++ b/locale/tr/LC_MESSAGES/django.mo
--- a/locale/tr/LC_MESSAGES/django.po
+++ b/locale/tr/LC_MESSAGES/django.po
@@ -13,7 +13,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-03-31 00:10+0000\n"
+"POT-Creation-Date: 2025-04-23 09:00+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
 "Last-Translator: Jens L. <jens@goauthentik.io>, 2025\n"
 "Language-Team: Turkish (https://app.transifex.com/authentik/teams/119923/tr/)\n"
@@ -187,6 +187,7 @@ msgid "User's display name."
 msgstr "Kullanıcının görünen adı."

 #: authentik/core/models.py authentik/providers/oauth2/models.py
+#: authentik/rbac/models.py
 msgid "User"
 msgstr "Kullanıcı"

@@ -372,6 +373,18 @@ msgstr "Özellik Eşleme"
 msgid "Property Mappings"
 msgstr "Özellik Eşlemeleri"

+#: authentik/core/models.py
+msgid "session data"
+msgstr ""
+
+#: authentik/core/models.py
+msgid "Session"
+msgstr "Oturum"
+
+#: authentik/core/models.py
+msgid "Sessions"
+msgstr "Oturumlar"
+
 #: authentik/core/models.py
 msgid "Authenticated Session"
 msgstr "Kimliği Doğrulanmış Oturum"
@@ -479,6 +492,38 @@ msgstr "Lisans Kullanımı"
 msgid "License Usage Records"
 msgstr "Lisans Kullanım Kayıtları"

+#: authentik/enterprise/policies/unique_password/models.py
+#: authentik/policies/password/models.py
+msgid "Field key to check, field keys defined in Prompt stages are available."
+msgstr ""
+"Alan tuşu kontrol etmek için, İstem aşamalarında tanımlanan alan tuşları "
+"mevcuttur."
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "Number of passwords to check against."
+msgstr ""
+
+#: authentik/enterprise/policies/unique_password/models.py
+#: authentik/policies/password/models.py
+msgid "Password not set in context"
+msgstr "Parola bağlam içinde ayarlanmamış"
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "This password has been used previously. Please choose a different one."
+msgstr ""
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "Password Uniqueness Policy"
+msgstr ""
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "Password Uniqueness Policies"
+msgstr ""
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "User Password History"
+msgstr ""
+
 #: authentik/enterprise/policy.py
 msgid "Enterprise required to access this feature."
 msgstr "Bu özelliğe erişmek için Kurumsal Paket gereklidir."
@@ -1253,12 +1298,6 @@ msgstr "İlke'nin önbellek ölçümlerini görüntüleme"
 msgid "Clear Policy's cache metrics"
 msgstr "İlke'nin önbellek ölçümlerini temizleyin"

-#: authentik/policies/password/models.py
-msgid "Field key to check, field keys defined in Prompt stages are available."
-msgstr ""
-"Alan tuşu kontrol etmek için, İstem aşamalarında tanımlanan alan tuşları "
-"mevcuttur."
-
 #: authentik/policies/password/models.py
 msgid "How many times the password hash is allowed to be on haveibeenpwned"
 msgstr ""
@@ -1271,10 +1310,6 @@ msgstr ""
 "Eğer zxcvbn puanı bu değere eşit veya daha az ise, politika başarısız "
 "olacaktır."

-#: authentik/policies/password/models.py
-msgid "Password not set in context"
-msgstr "Parola bağlam içinde ayarlanmamış"
-
 #: authentik/policies/password/models.py
 msgid "Invalid password."
 msgstr ""
@@ -1316,20 +1351,6 @@ msgstr "İtibar Puanı"
 msgid "Reputation Scores"
 msgstr "İtibar Puanları"

-#: authentik/policies/templates/policies/buffer.html
-msgid "Waiting for authentication..."
-msgstr ""
-
-#: authentik/policies/templates/policies/buffer.html
-msgid ""
-"You're already authenticating in another tab. This page will refresh once "
-"authentication is completed."
-msgstr ""
-
-#: authentik/policies/templates/policies/buffer.html
-msgid "Authenticate in this tab"
-msgstr ""
-
 #: authentik/policies/templates/policies/denied.html
 msgid "Permission denied"
 msgstr "İzin reddedildi"
@@ -2155,6 +2176,10 @@ msgstr "Rol"
 msgid "Roles"
 msgstr "Roller"

+#: authentik/rbac/models.py
+msgid "Initial Permissions"
+msgstr ""
+
 #: authentik/rbac/models.py
 msgid "System permission"
 msgstr "Sistem yetkisi"
@@ -2398,6 +2423,13 @@ msgstr ""
 "Bir kullanıcı parolasını değiştirdiğinde, parolayı LDAP ile geri eşitleyin. "
 "Bu yalnızca tek bir LDAP kaynağında etkinleştirilebilir."

+#: authentik/sources/ldap/models.py
+msgid ""
+"Lookup group membership based on a user attribute instead of a group "
+"attribute. This allows nested group resolution on systems like FreeIPA and "
+"Active Directory"
+msgstr ""
+
 #: authentik/sources/ldap/models.py
 msgid "LDAP Source"
 msgstr "LDAP Kaynağı"
@@ -2414,6 +2446,22 @@ msgstr "LDAP Kaynak Özellik Eşlemesi"
 msgid "LDAP Source Property Mappings"
 msgstr "LDAP Kaynak Özellik Eşlemeleri"

+#: authentik/sources/ldap/models.py
+msgid "User LDAP Source Connection"
+msgstr ""
+
+#: authentik/sources/ldap/models.py
+msgid "User LDAP Source Connections"
+msgstr ""
+
+#: authentik/sources/ldap/models.py
+msgid "Group LDAP Source Connection"
+msgstr ""
+
+#: authentik/sources/ldap/models.py
+msgid "Group LDAP Source Connections"
+msgstr ""
+
 #: authentik/sources/ldap/signals.py
 msgid "Password does not match Active Directory Complexity."
 msgstr "Parola Active Directory Karmaşıklığıyla eşleşmiyor."
@@ -2422,6 +2470,14 @@ msgstr "Parola Active Directory Karmaşıklığıyla eşleşmiyor."
 msgid "No token received."
 msgstr "Jeton alınmadı."

+#: authentik/sources/oauth/models.py
+msgid "HTTP Basic Authentication"
+msgstr ""
+
+#: authentik/sources/oauth/models.py
+msgid "Include the client ID and secret as request parameters"
+msgstr ""
+
 #: authentik/sources/oauth/models.py
 msgid "Request Token URL"
 msgstr "Jeton URL'si İste"
@@ -2462,6 +2518,12 @@ msgstr "Kullanıcı bilgilerini almak için authentik tarafından kullanılan UR
 msgid "Additional Scopes"
 msgstr "Ek Kapsamlar"

+#: authentik/sources/oauth/models.py
+msgid ""
+"How to perform authentication during an authorization_code token request "
+"flow"
+msgstr ""
+
 #: authentik/sources/oauth/models.py
 msgid "OAuth Source"
 msgstr "OAuth Kaynağı"
@@ -3360,6 +3422,12 @@ msgstr ""
 "Etkinleştirildiğinde, yanlış kullanıcı bilgisi girilse bile aşama başarılı "
 "olur ve devam eder."

+#: authentik/stages/identification/models.py
+msgid ""
+"Show the user the 'Remember me on this device' toggle, allowing repeat users"
+" to skip straight to entering their password."
+msgstr ""
+
 #: authentik/stages/identification/models.py
 msgid "Optional enrollment flow, which is linked at the bottom of the page."
 msgstr "Sayfanın alt kısmında bağlanan isteğe bağlı kayıt akışı."
@@ -3734,6 +3802,14 @@ msgstr ""
 "Olaylar bu süreden sonra silinecektir (Format: "
 "weeks=3;days=2;hours=3,seconds=2)."

+#: authentik/tenants/models.py
+msgid "Reputation cannot decrease lower than this value. Zero or negative."
+msgstr ""
+
+#: authentik/tenants/models.py
+msgid "Reputation cannot increase higher than this value. Zero or positive."
+msgstr ""
+
 #: authentik/tenants/models.py
 msgid "The option configures the footer links on the flow executor pages."
 msgstr ""
--- a/locale/zh-Hans/LC_MESSAGES/django.mo
+++ b/locale/zh-Hans/LC_MESSAGES/django.mo
--- a/locale/zh-Hans/LC_MESSAGES/django.po
+++ b/locale/zh-Hans/LC_MESSAGES/django.po
@@ -15,7 +15,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-04-18 00:09+0000\n"
+"POT-Creation-Date: 2025-04-23 09:00+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
 "Last-Translator: deluxghost, 2025\n"
 "Language-Team: Chinese Simplified (https://app.transifex.com/authentik/teams/119923/zh-Hans/)\n"
@@ -461,6 +461,36 @@ msgstr "许可证使用情况"
 msgid "License Usage Records"
 msgstr "许可证使用情况记录"

+#: authentik/enterprise/policies/unique_password/models.py
+#: authentik/policies/password/models.py
+msgid "Field key to check, field keys defined in Prompt stages are available."
+msgstr "要检查的字段键，可以使用输入阶段中定义的字段键。"
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "Number of passwords to check against."
+msgstr "检查指定数量的密码。"
+
+#: authentik/enterprise/policies/unique_password/models.py
+#: authentik/policies/password/models.py
+msgid "Password not set in context"
+msgstr "未在上下文中设置密码"
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "This password has been used previously. Please choose a different one."
+msgstr "此密码被使用过。请选择其他密码。"
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "Password Uniqueness Policy"
+msgstr "密码唯一性策略"
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "Password Uniqueness Policies"
+msgstr "密码唯一性策略"
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "User Password History"
+msgstr "用户密码历史记录"
+
 #: authentik/enterprise/policy.py
 msgid "Enterprise required to access this feature."
 msgstr "访问此功能需要企业版。"
@@ -1190,10 +1220,6 @@ msgstr "查看策略缓存指标"
 msgid "Clear Policy's cache metrics"
 msgstr "清除策略缓存指标"

-#: authentik/policies/password/models.py
-msgid "Field key to check, field keys defined in Prompt stages are available."
-msgstr "要检查的字段键，可以使用输入阶段中定义的字段键。"
-
 #: authentik/policies/password/models.py
 msgid "How many times the password hash is allowed to be on haveibeenpwned"
 msgstr "密码哈希允许出现在 HaveIBeenPwned 中多少次"
@@ -1203,10 +1229,6 @@ msgid ""
 "If the zxcvbn score is equal or less than this value, the policy will fail."
 msgstr "如果 zxcvbn 分数小于等于此值，则策略失败。"

-#: authentik/policies/password/models.py
-msgid "Password not set in context"
-msgstr "未在上下文中设置密码"
-
 #: authentik/policies/password/models.py
 msgid "Invalid password."
 msgstr "无效密码。"
@@ -1248,20 +1270,6 @@ msgstr "信誉分数"
 msgid "Reputation Scores"
 msgstr "信誉分数"

-#: authentik/policies/templates/policies/buffer.html
-msgid "Waiting for authentication..."
-msgstr "正在等待身份验证…"
-
-#: authentik/policies/templates/policies/buffer.html
-msgid ""
-"You're already authenticating in another tab. This page will refresh once "
-"authentication is completed."
-msgstr "您正在另一个标签页中验证身份。身份验证完成后，此页面会刷新。"
-
-#: authentik/policies/templates/policies/buffer.html
-msgid "Authenticate in this tab"
-msgstr "在此标签页中验证身份"
-
 #: authentik/policies/templates/policies/denied.html
 msgid "Permission denied"
 msgstr "权限被拒绝"
--- a/locale/zh_CN/LC_MESSAGES/django.po
+++ b/locale/zh_CN/LC_MESSAGES/django.po
@@ -14,7 +14,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-04-18 00:09+0000\n"
+"POT-Creation-Date: 2025-04-23 09:00+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
 "Last-Translator: deluxghost, 2025\n"
 "Language-Team: Chinese (China) (https://app.transifex.com/authentik/teams/119923/zh_CN/)\n"
@@ -460,6 +460,36 @@ msgstr "许可证使用情况"
 msgid "License Usage Records"
 msgstr "许可证使用情况记录"

+#: authentik/enterprise/policies/unique_password/models.py
+#: authentik/policies/password/models.py
+msgid "Field key to check, field keys defined in Prompt stages are available."
+msgstr "要检查的字段键，可以使用输入阶段中定义的字段键。"
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "Number of passwords to check against."
+msgstr "检查指定数量的密码。"
+
+#: authentik/enterprise/policies/unique_password/models.py
+#: authentik/policies/password/models.py
+msgid "Password not set in context"
+msgstr "未在上下文中设置密码"
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "This password has been used previously. Please choose a different one."
+msgstr "此密码被使用过。请选择其他密码。"
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "Password Uniqueness Policy"
+msgstr "密码唯一性策略"
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "Password Uniqueness Policies"
+msgstr "密码唯一性策略"
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "User Password History"
+msgstr "用户密码历史记录"
+
 #: authentik/enterprise/policy.py
 msgid "Enterprise required to access this feature."
 msgstr "访问此功能需要企业版。"
@@ -1189,10 +1219,6 @@ msgstr "查看策略缓存指标"
 msgid "Clear Policy's cache metrics"
 msgstr "清除策略缓存指标"

-#: authentik/policies/password/models.py
-msgid "Field key to check, field keys defined in Prompt stages are available."
-msgstr "要检查的字段键，可以使用输入阶段中定义的字段键。"
-
 #: authentik/policies/password/models.py
 msgid "How many times the password hash is allowed to be on haveibeenpwned"
 msgstr "密码哈希允许出现在 HaveIBeenPwned 中多少次"
@@ -1202,10 +1228,6 @@ msgid ""
 "If the zxcvbn score is equal or less than this value, the policy will fail."
 msgstr "如果 zxcvbn 分数小于等于此值，则策略失败。"

-#: authentik/policies/password/models.py
-msgid "Password not set in context"
-msgstr "未在上下文中设置密码"
-
 #: authentik/policies/password/models.py
 msgid "Invalid password."
 msgstr "无效密码。"
@@ -1247,20 +1269,6 @@ msgstr "信誉分数"
 msgid "Reputation Scores"
 msgstr "信誉分数"

-#: authentik/policies/templates/policies/buffer.html
-msgid "Waiting for authentication..."
-msgstr "正在等待身份验证…"
-
-#: authentik/policies/templates/policies/buffer.html
-msgid ""
-"You're already authenticating in another tab. This page will refresh once "
-"authentication is completed."
-msgstr "您正在另一个标签页中验证身份。身份验证完成后，此页面会刷新。"
-
-#: authentik/policies/templates/policies/buffer.html
-msgid "Authenticate in this tab"
-msgstr "在此标签页中验证身份"
-
 #: authentik/policies/templates/policies/denied.html
 msgid "Permission denied"
 msgstr "权限被拒绝"
--- a/locale/zh_TW/LC_MESSAGES/django.po
+++ b/locale/zh_TW/LC_MESSAGES/django.po
@@ -14,7 +14,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-04-11 00:10+0000\n"
+"POT-Creation-Date: 2025-04-23 09:00+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
 "Last-Translator: 刘松, 2025\n"
 "Language-Team: Chinese (Taiwan) (https://app.transifex.com/authentik/teams/119923/zh_TW/)\n"
@@ -178,6 +178,7 @@ msgid "User's display name."
 msgstr "使用者的顯示名稱。"

 #: authentik/core/models.py authentik/providers/oauth2/models.py
+#: authentik/rbac/models.py
 msgid "User"
 msgstr "使用者"

@@ -344,6 +345,18 @@ msgstr "屬性對應"
 msgid "Property Mappings"
 msgstr "屬性對應"

+#: authentik/core/models.py
+msgid "session data"
+msgstr ""
+
+#: authentik/core/models.py
+msgid "Session"
+msgstr "会话"
+
+#: authentik/core/models.py
+msgid "Sessions"
+msgstr "会话"
+
 #: authentik/core/models.py
 msgid "Authenticated Session"
 msgstr "已認證會談"
@@ -447,6 +460,36 @@ msgstr "授權使用情況"
 msgid "License Usage Records"
 msgstr "授權使用紀錄"

+#: authentik/enterprise/policies/unique_password/models.py
+#: authentik/policies/password/models.py
+msgid "Field key to check, field keys defined in Prompt stages are available."
+msgstr "要檢查的欄位鍵，在提示階段中有可用的已定義欄位鍵。"
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "Number of passwords to check against."
+msgstr ""
+
+#: authentik/enterprise/policies/unique_password/models.py
+#: authentik/policies/password/models.py
+msgid "Password not set in context"
+msgstr "未在上下文中設定密碼"
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "This password has been used previously. Please choose a different one."
+msgstr ""
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "Password Uniqueness Policy"
+msgstr ""
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "Password Uniqueness Policies"
+msgstr ""
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "User Password History"
+msgstr ""
+
 #: authentik/enterprise/policy.py
 msgid "Enterprise required to access this feature."
 msgstr "企業版才能存取此功能。"
@@ -1176,10 +1219,6 @@ msgstr "檢視原則的快取指標"
 msgid "Clear Policy's cache metrics"
 msgstr "清除原則的快取指標"

-#: authentik/policies/password/models.py
-msgid "Field key to check, field keys defined in Prompt stages are available."
-msgstr "要檢查的欄位鍵，在提示階段中有可用的已定義欄位鍵。"
-
 #: authentik/policies/password/models.py
 msgid "How many times the password hash is allowed to be on haveibeenpwned"
 msgstr "密碼雜湊在 haveibeenpwned 上允許出現的次數"
@@ -1189,10 +1228,6 @@ msgid ""
 "If the zxcvbn score is equal or less than this value, the policy will fail."
 msgstr "如果 zxcvbn 分數等於或小於此值，則該政策將失敗。"

-#: authentik/policies/password/models.py
-msgid "Password not set in context"
-msgstr "未在上下文中設定密碼"
-
 #: authentik/policies/password/models.py
 msgid "Invalid password."
 msgstr ""
@@ -1234,20 +1269,6 @@ msgstr "信譽分數"
 msgid "Reputation Scores"
 msgstr "信譽分數"

-#: authentik/policies/templates/policies/buffer.html
-msgid "Waiting for authentication..."
-msgstr ""
-
-#: authentik/policies/templates/policies/buffer.html
-msgid ""
-"You're already authenticating in another tab. This page will refresh once "
-"authentication is completed."
-msgstr ""
-
-#: authentik/policies/templates/policies/buffer.html
-msgid "Authenticate in this tab"
-msgstr ""
-
 #: authentik/policies/templates/policies/denied.html
 msgid "Permission denied"
 msgstr "權限不足。"
@@ -1999,6 +2020,10 @@ msgstr "角色"
 msgid "Roles"
 msgstr "角色"

+#: authentik/rbac/models.py
+msgid "Initial Permissions"
+msgstr ""
+
 #: authentik/rbac/models.py
 msgid "System permission"
 msgstr "系統權限"
@@ -2240,6 +2265,22 @@ msgstr ""
 msgid "LDAP Source Property Mappings"
 msgstr ""

+#: authentik/sources/ldap/models.py
+msgid "User LDAP Source Connection"
+msgstr ""
+
+#: authentik/sources/ldap/models.py
+msgid "User LDAP Source Connections"
+msgstr ""
+
+#: authentik/sources/ldap/models.py
+msgid "Group LDAP Source Connection"
+msgstr ""
+
+#: authentik/sources/ldap/models.py
+msgid "Group LDAP Source Connections"
+msgstr ""
+
 #: authentik/sources/ldap/signals.py
 msgid "Password does not match Active Directory Complexity."
 msgstr "密碼不符合 Active Directory 的複雜性要求。"
@@ -2248,6 +2289,14 @@ msgstr "密碼不符合 Active Directory 的複雜性要求。"
 msgid "No token received."
 msgstr "未收到權杖。"

+#: authentik/sources/oauth/models.py
+msgid "HTTP Basic Authentication"
+msgstr ""
+
+#: authentik/sources/oauth/models.py
+msgid "Include the client ID and secret as request parameters"
+msgstr ""
+
 #: authentik/sources/oauth/models.py
 msgid "Request Token URL"
 msgstr "請求權杖的網址"
@@ -2286,6 +2335,12 @@ msgstr "authentik 用來擷取使用者資訊的網址。"
 msgid "Additional Scopes"
 msgstr "附加範圍"

+#: authentik/sources/oauth/models.py
+msgid ""
+"How to perform authentication during an authorization_code token request "
+"flow"
+msgstr ""
+
 #: authentik/sources/oauth/models.py
 msgid "OAuth Source"
 msgstr "OAuth 來源"
@@ -3137,6 +3192,12 @@ msgid ""
 "info is entered."
 msgstr ""

+#: authentik/stages/identification/models.py
+msgid ""
+"Show the user the 'Remember me on this device' toggle, allowing repeat users"
+" to skip straight to entering their password."
+msgstr ""
+
 #: authentik/stages/identification/models.py
 msgid "Optional enrollment flow, which is linked at the bottom of the page."
 msgstr "可選的註冊流程，連結在頁面的底部。"
@@ -3481,6 +3542,14 @@ msgid ""
 "weeks=3;days=2;hours=3,seconds=2)."
 msgstr "事件將在此期間後刪除。（格式：weeks=3;days=2;hours=3,seconds=2）"

+#: authentik/tenants/models.py
+msgid "Reputation cannot decrease lower than this value. Zero or negative."
+msgstr ""
+
+#: authentik/tenants/models.py
+msgid "Reputation cannot increase higher than this value. Zero or positive."
+msgstr ""
+
 #: authentik/tenants/models.py
 msgid "The option configures the footer links on the flow executor pages."
 msgstr ""
--- a/package.json
+++ b/package.json
@@ -1,5 +1,5 @@
 {
    "name": "@goauthentik/authentik",
-    "version": "2025.2.4",
+    "version": "2025.4.4",
    "private": true
 }
--- a/packages/docusaurus-config/css/badges.css
+++ b/packages/docusaurus-config/css/badges.css
@@ -18,9 +18,7 @@
 }

 .badge--support-community {
-    --ifm-badge-background-color: var(
-        --ifm-color-secondary-contrast-foreground
-    );
+    --ifm-badge-background-color: var(--ifm-color-secondary-contrast-foreground);
    --ifm-badge-border-color: var(--ifm-color-secondary-dark);
    --ifm-badge-color: var(--ifm-color-secondary-contrast-background);
 }
--- a/packages/docusaurus-config/css/fonts.css
+++ b/packages/docusaurus-config/css/fonts.css
@@ -1,12 +1,12 @@
 :root {
    --ifm-font-family-base:
-        RedHatVF, system-ui, -apple-system, Segoe UI, Roboto, Ubuntu, Cantarell,
-        Noto Sans, sans-serif, BlinkMacSystemFont, "Segoe UI", Helvetica, Arial,
-        sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol";
+        RedHatVF, system-ui, -apple-system, Segoe UI, Roboto, Ubuntu, Cantarell, Noto Sans,
+        sans-serif, BlinkMacSystemFont, "Segoe UI", Helvetica, Arial, sans-serif,
+        "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol";

    --ifm-font-family-monospace:
-        RedHatMonoVF, SFMono-Regular, Menlo, Monaco, Consolas,
-        "Liberation Mono", "Courier New", monospace;
+        RedHatMonoVF, SFMono-Regular, Menlo, Monaco, Consolas, "Liberation Mono", "Courier New",
+        monospace;

    --ifm-heading-font-family: RedHatDisplayVF, var(--ifm-font-family-base);

--- a/packages/docusaurus-config/css/homepage.css
+++ b/packages/docusaurus-config/css/homepage.css
@@ -7,11 +7,7 @@
 }

 .homepage_hero__subtitle p {
-    font-size: clamp(
-        1.125rem,
-        0.9946rem + 0.6522vi,
-        1.5rem
-    ); /* Adjust font as page scales */
+    font-size: clamp(1.125rem, 0.9946rem + 0.6522vi, 1.5rem); /* Adjust font as page scales */
    max-width: 28ch; /* Apply a maximum to keep everything in the box */
    text-wrap: balance; /* Prevent widows, orphans, and runts. Doesn't work in Safari */
 }
--- a/packages/docusaurus-config/css/menu.css
+++ b/packages/docusaurus-config/css/menu.css
@@ -1,5 +1,5 @@
 :root {
-    --ifm-menu-link-padding-vertical: 1em;
+    --ifm-menu-link-padding-vertical: 0.5em;
 }

 .menu__list-item {
--- a/packages/docusaurus-config/css/navbar.css
+++ b/packages/docusaurus-config/css/navbar.css
@@ -75,17 +75,14 @@
        --ifm-navbar-item-padding-horizontal: 1rem;
    }

-    .docs-wrapper .navbar {
+    .navbar {
        margin: 0;
        padding-inline-start: 0;
    }

    .navbar__brand {
        justify-content: center;
-    }
-
-    .docs-wrapper .navbar__brand {
-        width: var(--doc-sidebar-width);
+        width: var(--doc-sidebar-width, 300px);
        margin: 0;
    }

@@ -122,12 +119,8 @@

        @media (min-width: 999px) {
            border-inline-start: 1px solid var(--ifm-hover-overlay);
-            margin-inline-start: calc(
-                var(--ifm-navbar-item-padding-horizontal) / 2
-            );
-            padding-inline-start: calc(
-                var(--ifm-navbar-item-padding-horizontal) / 2
-            );
+            margin-inline-start: calc(var(--ifm-navbar-item-padding-horizontal) / 2);
+            padding-inline-start: calc(var(--ifm-navbar-item-padding-horizontal) / 2);
        }
    }

@@ -151,19 +144,14 @@
        hsl(236.84deg 34.55% 10.78%)
    );
    --docsearch-key-shadow:
-        inset 0 -2px 0 0 hsl(233.33deg 36% 24.51%),
-        inset 0 0 1px 1px hsl(232.11deg 34.86% 57.25%),
+        inset 0 -2px 0 0 hsl(233.33deg 36% 24.51%), inset 0 0 1px 1px hsl(232.11deg 34.86% 57.25%),
        0 2px 2px 0 rgba(3, 4, 9, 0.3);
    --docsearch-key-pressed-shadow:
-        inset 0 -2px 0 0 #282d55,
-        inset 0 0 1px 1px hsl(231.82deg 21.36% 40.39%),
+        inset 0 -2px 0 0 #282d55, inset 0 0 1px 1px hsl(231.82deg 21.36% 40.39%),
        0 1px 1px 0 hsl(230deg 50% 2.35% / 30.2%);

-    padding: var(--ifm-navbar-item-padding-vertical)
-        var(--ifm-navbar-item-padding-horizontal) !important;
-    padding-inline-end: calc(
-        var(--ifm-navbar-item-padding-horizontal) * 1.25
-    ) !important;
+    padding: var(--ifm-navbar-item-padding-vertical) var(--ifm-navbar-item-padding-horizontal) !important;
+    padding-inline-end: calc(var(--ifm-navbar-item-padding-horizontal) * 1.25) !important;

    .DocSearch-Button-Placeholder {
        font-family: var(--ifm-heading-font-family);
--- a/packages/docusaurus-config/css/root.css
+++ b/packages/docusaurus-config/css/root.css
@@ -13,7 +13,3 @@

    --ifm-color-content: hsl(216 35% 3%);
 }
-
-body {
-    overscroll-behavior-x: none;
-}
--- a/packages/docusaurus-config/lib/common.js
+++ b/packages/docusaurus-config/lib/common.js
@@ -4,8 +4,8 @@
 * @import { Config as DocusaurusConfig } from "@docusaurus/types"
 * @import { UserThemeConfig } from "./theme.js"
 */
-
 import { deepmerge } from "deepmerge-ts";
+
 import { createThemeConfig } from "./theme.js";

 //#region Types
--- a/packages/docusaurus-config/lib/theme.js
+++ b/packages/docusaurus-config/lib/theme.js
@@ -4,7 +4,6 @@
 * @import { UserThemeConfig as UserThemeConfigCommon } from "@docusaurus/theme-common";
 * @import { UserThemeConfig as UserThemeConfigAlgolia } from "@docusaurus/theme-search-algolia";
 */
-
 import { deepmerge } from "deepmerge-ts";
 import { themes as prismThemes } from "prism-react-renderer";

--- a/packages/docusaurus-config/package-lock.json
+++ b/packages/docusaurus-config/package-lock.json
@@ -1,12 +1,12 @@
 {
    "name": "@goauthentik/docusaurus-config",
-    "version": "1.0.2",
+    "version": "1.0.5",
    "lockfileVersion": 3,
    "requires": true,
    "packages": {
        "": {
            "name": "@goauthentik/docusaurus-config",
-            "version": "1.0.2",
+            "version": "1.0.5",
            "license": "MIT",
            "dependencies": {
                "deepmerge-ts": "^7.1.5",
--- a/packages/docusaurus-config/package.json
+++ b/packages/docusaurus-config/package.json
@@ -1,6 +1,6 @@
 {
    "name": "@goauthentik/docusaurus-config",
-    "version": "1.0.4",
+    "version": "1.0.5",
    "description": "authentik's Docusaurus config",
    "license": "MIT",
    "scripts": {
--- a/proxy.Dockerfile
+++ b/proxy.Dockerfile
@@ -76,6 +76,7 @@ EXPOSE 9000 9300 9443

 USER 1000

-ENV GOFIPS=1
+ENV TMPDIR=/dev/shm/ \
+    GOFIPS=1

 ENTRYPOINT ["/proxy"]
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "authentik"
-version = "2025.2.4"
+version = "2025.4.4"
 description = ""
 authors = [{ name = "authentik Team", email = "hello@goauthentik.io" }]
 requires-python = "==3.12.*"
--- a/rac.Dockerfile
+++ b/rac.Dockerfile
@@ -56,6 +56,7 @@ HEALTHCHECK --interval=5s --retries=20 --start-period=3s CMD [ "/rac", "healthch

 USER 1000

-ENV GOFIPS=1
+ENV TMPDIR=/dev/shm/ \
+    GOFIPS=1

 ENTRYPOINT ["/rac"]
--- a/radius.Dockerfile
+++ b/radius.Dockerfile
@@ -56,6 +56,7 @@ EXPOSE 1812/udp 9300

 USER 1000

-ENV GOFIPS=1
+ENV TMPDIR=/dev/shm/ \
+    GOFIPS=1

 ENTRYPOINT ["/radius"]
--- a/schema.yml
+++ b/schema.yml
@@ -1,7 +1,7 @@
 openapi: 3.0.3
 info:
  title: authentik
-  version: 2025.2.4
+  version: 2025.4.4
  description: Making authentication simple.
  contact:
    email: hello@goauthentik.io
--- a/uv.lock
+++ b/uv.lock
@@ -165,7 +165,7 @@ wheels = [

 [[package]]
 name = "authentik"
-version = "2025.2.4"
+version = "2025.4.4"
 source = { editable = "." }
 dependencies = [
    { name = "argon2-cffi" },
@@ -1436,11 +1436,11 @@ wheels = [

 [[package]]
 name = "h11"
-version = "0.14.0"
+version = "0.16.0"
 source = { registry = "https://pypi.org/simple" }
-sdist = { url = "https://files.pythonhosted.org/packages/f5/38/3af3d3633a34a3316095b39c8e8fb4853a28a536e55d347bd8d8e9a14b03/h11-0.14.0.tar.gz", hash = "sha256:8f19fbbe99e72420ff35c00b27a34cb9937e902a8b810e2c88300c6f0a3b699d", size = 100418 }
+sdist = { url = "https://files.pythonhosted.org/packages/01/ee/02a2c011bdab74c6fb3c75474d40b3052059d95df7e73351460c8588d963/h11-0.16.0.tar.gz", hash = "sha256:4e35b956cf45792e4caa5885e69fba00bdbc6ffafbfa020300e549b208ee5ff1", size = 101250 }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/95/04/ff642e65ad6b90db43e668d70ffb6736436c7ce41fcc549f4e9472234127/h11-0.14.0-py3-none-any.whl", hash = "sha256:e3fe4ac4b851c468cc8363d500db52c2ead036020723024a109d37346efaa761", size = 58259 },
+    { url = "https://files.pythonhosted.org/packages/04/4b/29cac41a4d98d144bf5f6d33995617b185d14b22401f75ca86f384e87ff1/h11-0.16.0-py3-none-any.whl", hash = "sha256:63cf8bbe7522de3bf65932fda1d9c2772064ffb3dae62d55932da54b31cb6c86", size = 37515 },
 ]

 [[package]]
@@ -1467,15 +1467,15 @@ wheels = [

 [[package]]
 name = "httpcore"
-version = "1.0.8"
+version = "1.0.9"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
    { name = "certifi" },
    { name = "h11" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/9f/45/ad3e1b4d448f22c0cff4f5692f5ed0666658578e358b8d58a19846048059/httpcore-1.0.8.tar.gz", hash = "sha256:86e94505ed24ea06514883fd44d2bc02d90e77e7979c8eb71b90f41d364a1bad", size = 85385 }
+sdist = { url = "https://files.pythonhosted.org/packages/06/94/82699a10bca87a5556c9c59b5963f2d039dbd239f25bc2a63907a05a14cb/httpcore-1.0.9.tar.gz", hash = "sha256:6e34463af53fd2ab5d807f399a9b45ea31c3dfa2276f15a2c3f00afff6e176e8", size = 85484 }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/18/8d/f052b1e336bb2c1fc7ed1aaed898aa570c0b61a09707b108979d9fc6e308/httpcore-1.0.8-py3-none-any.whl", hash = "sha256:5254cf149bcb5f75e9d1b2b9f729ea4a4b883d1ad7379fc632b727cec23674be", size = 78732 },
+    { url = "https://files.pythonhosted.org/packages/7e/f5/f66802a942d491edb555dd61e3a9961140fd64c90bce1eafd741609d334d/httpcore-1.0.9-py3-none-any.whl", hash = "sha256:2d400746a40668fc9dec9810239072b40b4484b640a8c38fd654a024c7a1bf55", size = 78784 },
 ]

 [[package]]
--- a/web/package-lock.json
+++ b/web/package-lock.json
--- a/web/package.json
+++ b/web/package.json
@@ -12,7 +12,8 @@
        "@floating-ui/dom": "^1.6.11",
        "@formatjs/intl-listformat": "^7.5.7",
        "@fortawesome/fontawesome-free": "^6.6.0",
-        "@goauthentik/api": "^2025.2.4-1745325566",
+        "@goauthentik/api": "^2025.2.4-1745519715",
+        "@lit-labs/ssr": "3.2.2",
        "@lit/context": "^1.1.2",
        "@lit/localize": "^0.12.2",
        "@lit/reactive-element": "^2.0.4",
@@ -53,7 +54,6 @@
        "remark-gfm": "^4.0.1",
        "remark-mdx-frontmatter": "^5.0.0",
        "style-mod": "^4.1.2",
-        "trusted-types": "^2.0.0",
        "ts-pattern": "^5.4.0",
        "unist-util-visit": "^5.0.0",
        "webcomponent-qr-code": "^1.2.0",
--- a/web/packages/sfe/src/index.ts
+++ b/web/packages/sfe/src/index.ts
@@ -47,7 +47,16 @@ class SimpleFlowExecutor {
        return `${ak().api.base}api/v3/flows/executor/${this.flowSlug}/?query=${encodeURIComponent(window.location.search.substring(1))}`;
    }

+    loading() {
+        this.container.innerHTML = `<div class="d-flex justify-content-center">
+            <div class="spinner-border spinner-border-md" role="status">
+                <span class="sr-only">Loading...</span>
+            </div>
+        </div>`;
+    }
+
    start() {
+        this.loading();
        $.ajax({
            type: "GET",
            url: this.apiURL,
--- a/web/src/admin/rbac/RoleObjectPermissionForm.ts
+++ b/web/src/admin/rbac/RoleObjectPermissionForm.ts
@@ -89,19 +89,24 @@ export class RoleObjectPermissionForm extends ModelForm<RoleAssignData, number>
                >
                </ak-search-select>
            </ak-form-element-horizontal>
-            ${this.modelPermissions?.results.map((perm) => {
-                return html` <ak-form-element-horizontal name="permissions.${perm.codename}">
-                    <label class="pf-c-switch">
-                        <input class="pf-c-switch__input" type="checkbox" />
-                        <span class="pf-c-switch__toggle">
-                            <span class="pf-c-switch__toggle-icon">
-                                <i class="fas fa-check" aria-hidden="true"></i>
+            ${this.modelPermissions?.results
+                .filter((perm) => {
+                    const [_app, model] = this.model?.split(".") || "";
+                    return perm.codename !== `add_${model}`;
+                })
+                .map((perm) => {
+                    return html` <ak-form-element-horizontal name="permissions.${perm.codename}">
+                        <label class="pf-c-switch">
+                            <input class="pf-c-switch__input" type="checkbox" />
+                            <span class="pf-c-switch__toggle">
+                                <span class="pf-c-switch__toggle-icon">
+                                    <i class="fas fa-check" aria-hidden="true"></i>
+                                </span>
                            </span>
-                        </span>
-                        <span class="pf-c-switch__label">${perm.name}</span>
-                    </label>
-                </ak-form-element-horizontal>`;
-            })}
+                            <span class="pf-c-switch__label">${perm.name}</span>
+                        </label>
+                    </ak-form-element-horizontal>`;
+                })}
        </form>`;
    }
 }
--- a/web/src/admin/rbac/RoleObjectPermissionTable.ts
+++ b/web/src/admin/rbac/RoleObjectPermissionTable.ts
@@ -45,7 +45,7 @@ export class RoleAssignedObjectPermissionTable extends Table<RoleAssignedObjectP
            ordering: "codename",
        });
        modelPermissions.results = modelPermissions.results.filter((value) => {
-            return !value.codename.startsWith("add_");
+            return value.codename !== `add_${this.model?.split(".")[1]}`;
        });
        this.modelPermissions = modelPermissions;
        return perms;
--- a/web/src/common/constants.ts
+++ b/web/src/common/constants.ts
@@ -3,7 +3,7 @@ export const SUCCESS_CLASS = "pf-m-success";
 export const ERROR_CLASS = "pf-m-danger";
 export const PROGRESS_CLASS = "pf-m-in-progress";
 export const CURRENT_CLASS = "pf-m-current";
-export const VERSION = "2025.2.4";
+export const VERSION = "2025.4.4";
 export const TITLE_DEFAULT = "authentik";
 export const ROUTE_SEPARATOR = ";";

--- a/web/src/common/purify.ts
+++ b/web/src/common/purify.ts
@@ -1,110 +1,26 @@
 import type { Config as DOMPurifyConfig } from "dompurify";
 import DOMPurify from "dompurify";
-import { trustedTypes } from "trusted-types";

-import { render } from "lit";
+import { render } from "@lit-labs/ssr";
+import { collectResult } from "@lit-labs/ssr/lib/render-result.js";
+import { TemplateResult, html } from "lit";
 import { unsafeHTML } from "lit/directives/unsafe-html.js";
+import { until } from "lit/directives/until.js";

-/**
- * Trusted types policy that escapes HTML content in place.
- *
- * @see {@linkcode SanitizedTrustPolicy} to strip HTML content.
- *
- * @returns {TrustedHTML} All HTML content, escaped.
- */
-export const EscapeTrustPolicy = trustedTypes.createPolicy("authentik-escape", {
-    createHTML: (untrustedHTML: string) => {
-        return DOMPurify.sanitize(untrustedHTML, {
-            RETURN_TRUSTED_TYPE: false,
-        });
-    },
-});
-
-/**
- * Trusted types policy, stripping all HTML content.
- *
- * @returns {TrustedHTML} Text content only, all HTML tags stripped.
- */
-export const SanitizedTrustPolicy = trustedTypes.createPolicy("authentik-sanitize", {
-    createHTML: (untrustedHTML: string) => {
-        return DOMPurify.sanitize(untrustedHTML, {
-            RETURN_TRUSTED_TYPE: false,
-            ALLOWED_TAGS: ["#text"],
-        });
-    },
-});
-
-/**
- * Trusted types policy, allowing a minimal set of _safe_ HTML tags supplied by
- * a trusted source, such as the brand API.
- */
-export const BrandedHTMLPolicy = trustedTypes.createPolicy("authentik-restrict", {
-    createHTML: (untrustedHTML: string) => {
-        return DOMPurify.sanitize(untrustedHTML, {
-            RETURN_TRUSTED_TYPE: false,
-            FORBID_TAGS: [
-                "script",
-                "style",
-                "iframe",
-                "link",
-                "object",
-                "embed",
-                "applet",
-                "meta",
-                "base",
-                "form",
-                "input",
-                "textarea",
-                "select",
-                "button",
-            ],
-            FORBID_ATTR: [
-                "onerror",
-                "onclick",
-                "onload",
-                "onmouseover",
-                "onmouseout",
-                "onmouseup",
-                "onmousedown",
-                "onfocus",
-                "onblur",
-                "onsubmit",
-            ],
-        });
-    },
-});
-
-export type AuthentikTrustPolicy =
-    | typeof EscapeTrustPolicy
-    | typeof SanitizedTrustPolicy
-    | typeof BrandedHTMLPolicy;
-
-/**
- * Sanitize an untrusted HTML string using a trusted types policy.
- */
-export function sanitizeHTML(trustPolicy: AuthentikTrustPolicy, untrustedHTML: string) {
-    return unsafeHTML(trustPolicy.createHTML(untrustedHTML).toString());
-}
-
-/**
- * DOMPurify configuration for strict sanitization.
- *
- * This configuration only allows text nodes and disallows all HTML tags.
- */
 export const DOM_PURIFY_STRICT = {
    ALLOWED_TAGS: ["#text"],
 } as const satisfies DOMPurifyConfig;

-/**
- * Render untrusted HTML to a string without escaping it.
- *
- * @returns {string} The rendered HTML string.
- */
-export function renderStaticHTMLUnsafe(untrustedHTML: unknown): string {
-    const container = document.createElement("html");
-    render(untrustedHTML, container);
-
-    const result = container.innerHTML;
-
-    return result;
+export async function renderStatic(input: TemplateResult): Promise<string> {
+    return await collectResult(render(input));
+}
+
+export function purify(input: TemplateResult): TemplateResult {
+    return html`${until(
+        (async () => {
+            const rendered = await renderStatic(input);
+            const purified = DOMPurify.sanitize(rendered);
+            return html`${unsafeHTML(purified)}`;
+        })(),
+    )}`;
 }
--- a/web/src/elements/charts/Chart.ts
+++ b/web/src/elements/charts/Chart.ts
@@ -85,7 +85,6 @@ export abstract class AKChart<T> extends AKElement {
                .container {
                    height: 100%;
                    width: 100%;
-                    aspect-ratio: 1 / 1;

                    display: flex;
                    justify-content: center;
--- a/web/src/elements/utils/iframe.ts
+++ b/web/src/elements/utils/iframe.ts
@@ -1,55 +0,0 @@
-/**
- * @file IFrame Utilities
- */
-
-interface IFrameLoadResult {
-    contentWindow: Window;
-    contentDocument: Document;
-}
-
-export function pluckIFrameContent(iframe: HTMLIFrameElement) {
-    const contentWindow = iframe.contentWindow;
-    const contentDocument = iframe.contentDocument;
-
-    if (!contentWindow) {
-        throw new Error("Iframe contentWindow is not accessible");
-    }
-
-    if (!contentDocument) {
-        throw new Error("Iframe contentDocument is not accessible");
-    }
-
-    return {
-        contentWindow,
-        contentDocument,
-    };
-}
-
-export function resolveIFrameContent(iframe: HTMLIFrameElement): Promise<IFrameLoadResult> {
-    if (iframe.contentDocument?.readyState === "complete") {
-        return Promise.resolve(pluckIFrameContent(iframe));
-    }
-
-    return new Promise((resolve) => {
-        iframe.addEventListener("load", () => resolve(pluckIFrameContent(iframe)), { once: true });
-    });
-}
-
-/**
- * Creates a minimal HTML wrapper for an iframe.
- *
- * @deprecated Use the `contentDocument.body` directly instead.
- */
-export function createIFrameHTMLWrapper(bodyContent: string): string {
-    const html = String.raw;
-
-    return html`<!doctype html>
-        <html>
-            <head>
-                <meta charset="utf-8" />
-            </head>
-            <body style="display:flex;flex-direction:row;justify-content:center;">
-                ${bodyContent}
-            </body>
-        </html>`;
-}
--- a/web/src/flow/components/ak-brand-footer.ts
+++ b/web/src/flow/components/ak-brand-footer.ts
@@ -1,4 +1,4 @@
-import { BrandedHTMLPolicy, sanitizeHTML } from "@goauthentik/common/purify";
+import { purify } from "@goauthentik/common/purify";
 import { AKElement } from "@goauthentik/elements/Base.js";

 import { msg } from "@lit/localize";
@@ -21,6 +21,8 @@ const styles = css`
    }
 `;

+const poweredBy: FooterLink = { name: msg("Powered by authentik"), href: null };
+
@customElement("ak-brand-links")
 export class BrandLinks extends AKElement {
    static get styles() {
@@ -31,21 +33,13 @@ export class BrandLinks extends AKElement {
    links: FooterLink[] = [];

    render() {
-        const links = [...(this.links ?? [])];
-
+        const links = [...(this.links ?? []), poweredBy];
        return html` <ul class="pf-c-list pf-m-inline">
-            ${map(links, (link) => {
-                const children = sanitizeHTML(BrandedHTMLPolicy, link.name);
-
-                if (link.href) {
-                    return html`<li><a href="${link.href}">${children}</a></li>`;
-                }
-
-                return html`<li>
-                    <span> ${children} </span>
-                </li>`;
-            })}
-            <li><span>${msg("Powered by authentik")}</span></li>
+            ${map(links, (link) =>
+                link.href
+                    ? purify(html`<li><a href="${link.href}">${link.name}</a></li>`)
+                    : html`<li><span>${link.name}</span></li>`,
+            )}
        </ul>`;
    }
 }
--- a/web/src/flow/stages/captcha/CaptchaStage.ts
+++ b/web/src/flow/stages/captcha/CaptchaStage.ts
@@ -1,16 +1,15 @@
-/// <reference types="@hcaptcha/types"/>
-/// <reference types="turnstile-types"/>
-import { renderStaticHTMLUnsafe } from "@goauthentik/common/purify";
+///<reference types="@hcaptcha/types"/>
+import { renderStatic } from "@goauthentik/common/purify";
 import "@goauthentik/elements/EmptyState";
 import { akEmptyState } from "@goauthentik/elements/EmptyState";
 import { bound } from "@goauthentik/elements/decorators/bound";
 import "@goauthentik/elements/forms/FormElement";
-import { createIFrameHTMLWrapper } from "@goauthentik/elements/utils/iframe";
 import { ListenerController } from "@goauthentik/elements/utils/listenerController.js";
 import { randomId } from "@goauthentik/elements/utils/randomId";
 import "@goauthentik/flow/FormStatic";
 import { BaseStage } from "@goauthentik/flow/stages/base";
 import { P, match } from "ts-pattern";
+import type * as _ from "turnstile-types";

 import { msg } from "@lit/localize";
 import { CSSResult, PropertyValues, TemplateResult, css, html, nothing } from "lit";
@@ -57,36 +56,40 @@ type CaptchaHandler = {
 // a resize. Because the Captcha is itself in an iframe, the reported height is often off by some
 // margin, so adding 2rem of height to our container adds padding and prevents scroll bars or hidden
 // rendering.
-function iframeTemplate(children: TemplateResult, challengeURL: string): TemplateResult {
-    return html` ${children}
-        <script>
-            new ResizeObserver((entries) => {
-                const height =
-                    document.body.offsetHeight +
-                    parseFloat(getComputedStyle(document.body).fontSize) * 2;

-                window.parent.postMessage({
-                    message: "resize",
-                    source: "goauthentik.io",
-                    context: "flow-executor",
-                    size: { height },
-                });
-            }).observe(document.querySelector(".ak-captcha-container"));
-        </script>
-
-        <script src=${challengeURL}></script>
-
-        <script>
-            function callback(token) {
-                window.parent.postMessage({
-                    message: "captcha",
-                    source: "goauthentik.io",
-                    context: "flow-executor",
-                    token,
-                });
-            }
-        </script>`;
-}
+const iframeTemplate = (captchaElement: TemplateResult, challengeUrl: string) =>
+    html`<!doctype html>
+        <head>
+            <html>
+                <body style="display:flex;flex-direction:row;justify-content:center;">
+                    ${captchaElement}
+                    <script>
+                        new ResizeObserver((entries) => {
+                            const height =
+                                document.body.offsetHeight +
+                                parseFloat(getComputedStyle(document.body).fontSize) * 2;
+                            window.parent.postMessage({
+                                message: "resize",
+                                source: "goauthentik.io",
+                                context: "flow-executor",
+                                size: { height },
+                            });
+                        }).observe(document.querySelector(".ak-captcha-container"));
+                    </script>
+                    <script src=${challengeUrl}></script>
+                    <script>
+                        function callback(token) {
+                            window.parent.postMessage({
+                                message: "captcha",
+                                source: "goauthentik.io",
+                                context: "flow-executor",
+                                token: token,
+                            });
+                        }
+                    </script>
+                </body>
+            </html>
+        </head>`;

@customElement("ak-stage-captcha")
 export class CaptchaStage extends BaseStage<CaptchaChallenge, CaptchaChallengeResponseRequest> {
@@ -302,25 +305,11 @@ export class CaptchaStage extends BaseStage<CaptchaChallenge, CaptchaChallengeRe
    }

    async renderFrame(captchaElement: TemplateResult) {
-        const { contentDocument } = this.captchaFrame || {};
-
-        if (!contentDocument) {
-            console.debug(
-                "authentik/stages/captcha: unable to render captcha frame, no contentDocument",
-            );
-
-            return;
-        }
-
-        contentDocument.open();
-
-        contentDocument.write(
-            createIFrameHTMLWrapper(
-                renderStaticHTMLUnsafe(iframeTemplate(captchaElement, this.challenge.jsUrl)),
-            ),
+        this.captchaFrame.contentWindow?.document.open();
+        this.captchaFrame.contentWindow?.document.write(
+            await renderStatic(iframeTemplate(captchaElement, this.challenge.jsUrl)),
        );
-
-        contentDocument.close();
+        this.captchaFrame.contentWindow?.document.close();
    }

    renderBody() {
--- a/web/xliff/de.xlf
+++ b/web/xliff/de.xlf
@@ -1091,7 +1091,7 @@
      </trans-unit>
      <trans-unit id="sd62cfc27ad4aa33b">
        <source>Based on the User's Email</source>
-        <target>Basierend auf der E-Mail Adresse des Benutzers</target>
+        <target>Basierend auf der E-Mail-Adresse des Benutzers</target>
        
      </trans-unit>
      <trans-unit id="s55eb75bedf96be0f">
@@ -2361,6 +2361,7 @@
      </trans-unit>
      <trans-unit id="s9307f3dbb07a73b5">
        <source>Only fail the policy, don't invalidate user's password</source>
+        <target>Nur die Richtlinie fehlschlagen lassen, das Passwort des Benutzers nicht ungültig machen.</target>
        
      </trans-unit>
      <trans-unit id="scea1f16238093e35">
@@ -2809,6 +2810,7 @@ doesn't pass when either or both of the selected options are equal or above the
      </trans-unit>
      <trans-unit id="sfbc59ff17a73503d">
        <source>User path</source>
+        <target>Nutzerpfad</target>
        
      </trans-unit>
      <trans-unit id="sd18170637295bace">
@@ -2878,6 +2880,7 @@ doesn't pass when either or both of the selected options are equal or above the
      </trans-unit>
      <trans-unit id="s995535e7af30d754">
        <source>Use the user's email address, but deny enrollment when the email address already exists</source>
+        <target>Verwende die E-Mail-Adresse des Benutzers, aber verweigere die Registrierung, wenn die E-Mail-Adresse bereits existiert.</target>
        
      </trans-unit>
      <trans-unit id="s542ecb4130f6cea5">
@@ -2886,6 +2889,7 @@ doesn't pass when either or both of the selected options are equal or above the
      </trans-unit>
      <trans-unit id="s2a1debf34e5aeba4">
        <source>Use the user's username, but deny enrollment when the username already exists</source>
+        <target>Verwende den Anmeldenamen des Benutzers, aber verweigere die Registrierung von der Anmeldename bereits existiert.</target>
        
      </trans-unit>
      <trans-unit id="s81ce0d54727f42d2">
@@ -3740,6 +3744,9 @@ doesn't pass when either or both of the selected options are equal or above the
      </trans-unit>
      <trans-unit id="s14401ff4a0cba208">
        <source>Failed to update <x id="0" equiv-text="${this.objectLabel}"/>: <x id="1" equiv-text="${pluckErrorDetail(parsedError)}"/></source>
+        <target>Aktualisieren von 
+        <x id="0" equiv-text="${this.objectLabel}"/>fehlgeschlagen: 
+        <x id="1" equiv-text="${e.toString()}"/></target>
        
      </trans-unit>
      <trans-unit id="sa95a538bfbb86111">
@@ -4951,7 +4958,7 @@ doesn't pass when either or both of the selected options are equal or above the
      </trans-unit>
      <trans-unit id="se50a08ab71bb96ed">
        <source>When a valid username/email has been entered, and this option is enabled, the user's username and avatar will be shown. Otherwise, the text that the user entered will be shown.</source>
-        <target>Sofern eine gültige E-Mailadresse oder Benutzername angegeben wurde und diese Option aktiviert ist, wird das Profilbild und der Benutzername des Benutzers angezeigt. Ansonsten wird der vom Benutzer eingegebene Text angezeigt.</target>
+        <target>Sofern eine gültige E-Mail-Adresse oder Benutzername angegeben wurde und diese Option aktiviert ist, wird das Profilbild und der Benutzername des Benutzers angezeigt. Ansonsten wird der vom Benutzer eingegebene Text angezeigt.</target>
        
      </trans-unit>
      <trans-unit id="s0295ce5d6f635d75">
@@ -6245,7 +6252,7 @@ Bindings to groups/users are checked against the user of the event.</source>
      </trans-unit>
      <trans-unit id="s670ad066cc0e50a3">
        <source>Login to continue to <x id="0" equiv-text="${this.challenge.applicationPre}"/>.</source>
-        <target>Anmelden um mit <x id="0" equiv-text="${this.challenge.applicationPre}"/>  fortzufahren.</target>
+        <target>Anmelden, um mit <x id="0" equiv-text="${this.challenge.applicationPre}"/>  fortzufahren.</target>
        
      </trans-unit>
      <trans-unit id="scf5ce91bfba10a61">
@@ -7451,6 +7458,7 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s28b99b59541f54ca">
  <source>Connection failed after <x id="0" equiv-text="${this.connectionAttempt}"/> attempts.</source>
+  <target>Verbindung nach <x id="0" equiv-text="${this.connectionAttempt}"/> Versuch(en) fehlgeschlagen.</target>
 </trans-unit>
 <trans-unit id="s7c7d956418e1c8c8">
  <source>Re-connecting in <x id="0" equiv-text="${Math.max(1, delay / 1000)}"/> second(s).</source>
@@ -7572,11 +7580,11 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s456d88f3679190fd">
  <source>Allow users to change email</source>
-  <target>Benutzer können E-Mail ändern</target>
+  <target>Benutzer können E-Mail-Adresse ändern</target>
 </trans-unit>
 <trans-unit id="s5fc6c14d106f40d3">
  <source>Enable the ability for users to change their email.</source>
-  <target>Benutzer haben die Möglichkeit, ihre E-Mail zu ändern.</target>
+  <target>Benutzer haben die Möglichkeit, ihre E-Mail-Adresse zu ändern.</target>
 </trans-unit>
 <trans-unit id="s628e414bb2367057">
  <source>Allow users to change username</source>
@@ -7801,7 +7809,7 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s8cc0075913c67566">
  <source>Enter the email associated with your account, and we'll send you a link to reset your password.</source>
-  <target>Gib die Email deines Accounts ein und du erhältst einen Link zum zurücksetzen des Passworts.</target>
+  <target>Gib die E-Mail-Adresse deines Accounts ein und du erhältst einen Link zum zurücksetzen des Passworts.</target>
 </trans-unit>
 <trans-unit id="s06bfe45ffef2cf60">
  <source>Stage name: <x id="0" equiv-text="${this.challenge.name}"/></source>
@@ -7885,6 +7893,7 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="sc1673c93148583ba">
  <source>Request failed. Please try again later.</source>
+  <target>Anfrage fehlgeschlagen. Bitte versuchen Sie es später erneut.</target>
 </trans-unit>
 <trans-unit id="s85be1f5e7a0fa3b1">
  <source>Available Roles</source>
@@ -8277,7 +8286,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s354405ae02cb262d">
  <source>Last seen: <x id="0" equiv-text="${formatElapsedTime(lastSeen)}"/> (<x id="1" equiv-text="${lastSeen.toLocaleTimeString()}"/>)</source>
-  <target>Zuletzt gesehen: <x id="0" equiv-text="${getRelativeTime(lastSeen)}"/> (<x id="1" equiv-text="${lastSeen.toLocaleTimeString()}"/>)</target>
 </trans-unit>
 <trans-unit id="s5aebe06e3ddf6ca9">
  <source>Sign assertions</source>
@@ -8849,9 +8857,11 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s61ffea061fae0af4">
  <source>No notifications found.</source>
+  <target>Keine Benachrichtigungen gefunden.</target>
 </trans-unit>
 <trans-unit id="scf8d5cdc8b434982">
  <source>You don't have any notifications currently.</source>
+  <target>Sie haben zur Zeit keine Benachrichtigungen.</target>
 </trans-unit>
 <trans-unit id="s358e08de4fbebf51">
  <source>Version <x id="0" equiv-text="${this.version?.versionCurrent || &quot;&quot;}"/></source>
--- a/web/xliff/fi.xlf
+++ b/web/xliff/fi.xlf
@@ -9602,6 +9602,81 @@ Liitokset käyttäjiin/ryhmiin tarkistetaan tapahtuman käyttäjästä.</target>
 </trans-unit>
 <trans-unit id="s17359123e1f24504">
  <source>Field which contains DNs of groups the user is a member of. This field is used to lookup groups from users, e.g. 'memberOf'. To lookup nested groups in an Active Directory environment use 'memberOf:1.2.840.113556.1.4.1941:'.</source>
+</trans-unit>
+<trans-unit id="s891cd64acabf23bf">
+  <source>Initial Permissions</source>
+</trans-unit>
+<trans-unit id="sedb57bf4b42a8e40">
+  <source>Unknown Initial Permissions mode</source>
+</trans-unit>
+<trans-unit id="s6ea6a64acb45dfdf">
+  <source>Successfully updated initial permissions.</source>
+</trans-unit>
+<trans-unit id="sfddf7896ab5938b6">
+  <source>Successfully created initial permissions.</source>
+</trans-unit>
+<trans-unit id="s5c5f240cbb6d0bae">
+  <source>When a user with the selected Role creates an object, the Initial Permissions will be applied to that object.</source>
+</trans-unit>
+<trans-unit id="sbf27294eef56ac81">
+  <source>The Initial Permissions can either be placed on the User creating the object, or the Role selected in the previous field.</source>
+</trans-unit>
+<trans-unit id="s93f04537efda1b24">
+  <source>Available Permissions</source>
+</trans-unit>
+<trans-unit id="s297bc57f9e494470">
+  <source>Selected Permissions</source>
+</trans-unit>
+<trans-unit id="s0ea71d53764d781c">
+  <source>Permissions to grant when a new object is created.</source>
+</trans-unit>
+<trans-unit id="s06fc21a40f5d7de1">
+  <source>Set initial permissions for newly created objects.</source>
+</trans-unit>
+<trans-unit id="sc7104a4d0fc35c7c">
+  <source>Update Initial Permissions</source>
+</trans-unit>
+<trans-unit id="s83fa005829a65be9">
+  <source>Create Initial Permissions</source>
+</trans-unit>
+<trans-unit id="se37ac6cf9c72f21a">
+  <source>Reputation: lower limit</source>
+</trans-unit>
+<trans-unit id="sa634ffa797037aac">
+  <source>Reputation cannot decrease lower than this value. Zero or negative.</source>
+</trans-unit>
+<trans-unit id="s862986ce8e70edd7">
+  <source>Reputation: upper limit</source>
+</trans-unit>
+<trans-unit id="sdd04913b3b46cf30">
+  <source>Reputation cannot increase higher than this value. Zero or positive.</source>
+</trans-unit>
+<trans-unit id="s4d5cb134999b50df">
+  <source>HTTP Basic Auth</source>
+</trans-unit>
+<trans-unit id="s6927635d1c339cfc">
+  <source>Include the client ID and secret as request parameters</source>
+</trans-unit>
+<trans-unit id="s4fca384c634e1a92">
+  <source>Authorization code authentication method</source>
+</trans-unit>
+<trans-unit id="sdc02c276ed429008">
+  <source>How to perform authentication during an authorization_code token request flow</source>
+</trans-unit>
+<trans-unit id="s844baf19a6c4a9b4">
+  <source>Enable &quot;Remember me on this device&quot;</source>
+</trans-unit>
+<trans-unit id="sfa72bca733f40692">
+  <source>When enabled, the user can save their username in a cookie, allowing them to skip directly to entering their password.</source>
+</trans-unit>
+<trans-unit id="s1c336c2d6cef77b3">
+  <source>Remember me on this device</source>
+</trans-unit>
+<trans-unit id="s86cf007b861152ca">
+  <source>Ensure that the user's new password is different from their previous passwords. The number of past passwords to check is configurable.</source>
+</trans-unit>
+<trans-unit id="s79b3fcd40dd63921">
+  <source>Number of previous passwords to check</source>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/fr.xlf
+++ b/web/xliff/fr.xlf
@@ -9788,18 +9788,23 @@ Les liaisons avec les groupes/utilisateurs sont vérifiées par rapport à l'uti
 </trans-unit>
 <trans-unit id="s844baf19a6c4a9b4">
  <source>Enable "Remember me on this device"</source>
+  <target>Activer "Se souvenir de moi sur cet appareil"</target>
 </trans-unit>
 <trans-unit id="sfa72bca733f40692">
  <source>When enabled, the user can save their username in a cookie, allowing them to skip directly to entering their password.</source>
+  <target>Si cette option est activée, l'utilisateur peut enregistrer son nom d'utilisateur dans un cookie, ce qui lui permet de passer directement à la saisie de son mot de passe.</target>
 </trans-unit>
 <trans-unit id="s1c336c2d6cef77b3">
  <source>Remember me on this device</source>
+  <target>Se souvenir de moi sur cet appareil</target>
 </trans-unit>
 <trans-unit id="s86cf007b861152ca">
  <source>Ensure that the user's new password is different from their previous passwords. The number of past passwords to check is configurable.</source>
+  <target>Vérifiez que le nouveau mot de passe de l'utilisateur est différent de ses mots de passe précédents. Le nombre d'anciens mots de passe à vérifier est configurable.</target>
 </trans-unit>
 <trans-unit id="s79b3fcd40dd63921">
  <source>Number of previous passwords to check</source>
+  <target>Nombre d'anciens mots de passe à vérifier</target>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/it.xlf
+++ b/web/xliff/it.xlf
@@ -9700,6 +9700,7 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s1d47b4f61ca53e8e">
  <source>Lookup using user attribute</source>
+  <target>Ricerca tramite attributo utente</target>
 </trans-unit>
 <trans-unit id="s17359123e1f24504">
  <source>Field which contains DNs of groups the user is a member of. This field is used to lookup groups from users, e.g. 'memberOf'. To lookup nested groups in an Active Directory environment use 'memberOf:1.2.840.113556.1.4.1941:'.</source>
--- a/web/xliff/tr.xlf
+++ b/web/xliff/tr.xlf
@@ -8620,7 +8620,6 @@ Gruplara/kullanıcılara yapılan bağlamalar, etkinliğin kullanıcısına kar
 </trans-unit>
 <trans-unit id="s354405ae02cb262d">
  <source>Last seen: <x id="0" equiv-text="${formatElapsedTime(lastSeen)}"/> (<x id="1" equiv-text="${lastSeen.toLocaleTimeString()}"/>)</source>
-  <target>Son görülme: <x id="0" equiv-text="${getRelativeTime(lastSeen)}"/> (<x id="1" equiv-text="${lastSeen.toLocaleTimeString()}"/>)</target>
 </trans-unit>
 <trans-unit id="s5aebe06e3ddf6ca9">
  <source>Sign assertions</source>
--- a/Show More
+++ b/Show More