add endpoint to start sync

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

.cargo/config.toml

@@ -1,5 +1,5 @@
 [alias]
-t = ["nextest", "run", "--workspace"]
+t = ["nextest", "run"]
 
 [build]
 rustflags = ["--cfg", "tokio_unstable"]

.cargo/deny.toml

@@ -1,6 +1,5 @@
 [licenses]
 allow = [
-  "Apache-2.0 WITH LLVM-exception",
   "Apache-2.0",
   "BSD-3-Clause",
   "CC0-1.0",

.github/actions/docker-push-variables/action.yml

@@ -54,6 +54,10 @@ outputs:
 runs:
   using: "composite"
   steps:
+    - name: Setup authentik env
+      uses: ./.github/actions/setup
+      with:
+        dependencies: "python"
     - name: Generate config
       id: ev
       shell: bash
@@ -64,4 +68,4 @@ runs:
         PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
         REF: ${{ github.ref }}
       run: |
-        python3 ${{ github.action_path }}/push_vars.py
+        uv run python3 ${{ github.action_path }}/push_vars.py

.github/actions/docker-push-variables/push_vars.py

@@ -2,19 +2,10 @@
 
 import os
 from json import dumps
-from pathlib import Path
 from sys import exit as sysexit
 from time import time
-from typing import Any
 
-
-def authentik_version() -> str:
-    init = Path(__file__).parent.parent.parent.parent / "authentik" / "__init__.py"
-    with open(init) as f:
-        content = f.read()
-    locals: dict[str, Any] = {}
-    exec(content, None, locals)  # nosec
-    return str(locals["VERSION"])
+from authentik import authentik_version
 
 
 def must_or_fail(input: str | None, error: str) -> str:
@@ -106,7 +97,6 @@ if os.getenv("RELEASE", "false").lower() == "true":
     image_build_args = [f"VERSION={os.getenv('REF')}"]
 else:
     image_build_args = [f"GIT_BUILD_HASH={sha}"]
-image_build_args_str = "\n".join(image_build_args)
 
 with open(os.environ["GITHUB_OUTPUT"], "a+", encoding="utf-8") as _output:
     print(f"shouldPush={str(should_push).lower()}", file=_output)
@@ -119,4 +109,4 @@ with open(os.environ["GITHUB_OUTPUT"], "a+", encoding="utf-8") as _output:
     print(f"imageMainTag={image_main_tag}", file=_output)
     print(f"imageMainName={image_tags[0]}", file=_output)
     print(f"cacheTo={cache_to}", file=_output)
-    print(f"imageBuildArgs={image_build_args_str}", file=_output)
+    print(f"imageBuildArgs={"\n".join(image_build_args)}", file=_output)

.github/actions/setup-node/action.yml

@@ -1,81 +0,0 @@
-name: "Setup Node.js and NPM"
-description: "Sets up Node.js with a specific NPM version via Corepack"
-inputs:
-  working-directory:
-    description: "Path to the working directory containing the package.json file"
-    required: false
-    default: "."
-  dependencies:
-    required: false
-    description: "List of dependencies to setup"
-    default: "monorepo,working-directory"
-  node-version-file:
-    description: "Path to file containing the Node.js version"
-    required: false
-    default: "package.json"
-  cache-dependency-path:
-    description: "Path to dependency lock file for caching"
-    required: false
-    default: "package-lock.json"
-  cache:
-    description: "Package manager to cache"
-    default: "npm"
-  registry-url:
-    description: "npm registry URL"
-    default: "https://registry.npmjs.org"
-
-runs:
-  using: "composite"
-  steps:
-    - name: Setup Node.js (Corepack bootstrap)
-      uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v4
-      with:
-        node-version-file: ${{ inputs.node-version-file }}
-        registry-url: ${{ inputs.registry-url }}
-        # The setup-node action will attempt to create a cache using a version of
-        # npm that may not be compatible with the range specified in package.json.
-        # This can be enabled **after** corepack is installed and the correct npm version is available.
-        package-manager-cache: false
-    - name: Install Corepack
-      working-directory: ${{ github.workspace}}
-      shell: bash
-      run: | #shell
-        node ./scripts/node/lint-runtime.mjs
-        node ./scripts/node/setup-corepack.mjs --force
-        corepack enable
-    - name: Lint Node.js and NPM versions
-      shell: bash
-      run: node ./scripts/node/lint-runtime.mjs
-    - name: Setup Node.js (Monorepo Root)
-      uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v4
-      with:
-        node-version-file: ${{ inputs.node-version-file }}
-        cache: ${{ inputs.cache }}
-        cache-dependency-path: ${{ inputs.cache-dependency-path }}
-        registry-url: ${{ inputs.registry-url }}
-    - name: Install monorepo dependencies
-      if: ${{ contains(inputs.dependencies, 'monorepo') }}
-      shell: bash
-      run: | #shell
-        node ./scripts/node/lint-lockfile.mjs
-        corepack npm ci
-    - name: Setup Node.js (Working Directory)
-      if: ${{ contains(inputs.dependencies, 'working-directory') }}
-      uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v4
-      with:
-        node-version-file: ${{ inputs.working-directory }}/${{ inputs.node-version-file }}
-        cache: ${{ inputs.cache }}
-        cache-dependency-path: ${{ inputs.working-directory }}/${{ inputs.cache-dependency-path }}
-        registry-url: ${{ inputs.registry-url }}
-
-    - name: Install working directory dependencies
-      if: ${{ contains(inputs.dependencies, 'working-directory') }}
-      shell: bash
-      run: | # shell
-        corepack install
-
-        echo "node version: $(node --version)"
-        echo "npm version: $(corepack npm --version)"
-
-        node ./scripts/node/lint-lockfile.mjs ${{ inputs.working-directory }}
-        corepack npm ci --prefix ${{ inputs.working-directory }}

.github/actions/setup/action.yml

@@ -17,32 +17,17 @@ inputs:
 runs:
   using: "composite"
   steps:
-    - name: Cleanup apt
-      if: ${{ contains(inputs.dependencies, 'system') || contains(inputs.dependencies,
-        'python') }}
-      shell: bash
-      run: sudo apt-get remove --purge man-db
-    - name: Install apt deps
-      if: ${{ contains(inputs.dependencies, 'system') || contains(inputs.dependencies,
-        'python') }}
-      uses: gerlero/apt-install@f4fa5265092af9e750549565d28c99aec7189639
-      with:
-        packages: libpq-dev openssl libxmlsec1-dev pkg-config gettext krb5-multidev
-          libkrb5-dev heimdal-multidev libclang-dev krb5-kdc krb5-user
-          krb5-admin-server
-        update: true
-        upgrade: false
-        install-recommends: false
-    - name: Make space on disk
-      if: ${{ contains(inputs.dependencies, 'system') || contains(inputs.dependencies,
-        'python') }}
+    - name: Install apt deps & cleanup
+      if: ${{ contains(inputs.dependencies, 'system') || contains(inputs.dependencies, 'python') }}
       shell: bash
       run: |
-        sudo mkdir -p /tmp/empty/
-        sudo rsync -a --delete /tmp/empty/ /usr/local/lib/android/
+        sudo apt-get remove --purge man-db
+        sudo apt-get update
+        sudo apt-get install --no-install-recommends -y libpq-dev openssl libxmlsec1-dev pkg-config gettext krb5-multidev libkrb5-dev heimdal-multidev libclang-dev krb5-kdc krb5-user krb5-admin-server
+        sudo rm -rf /usr/local/lib/android
     - name: Install uv
       if: ${{ contains(inputs.dependencies, 'python') }}
-      uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v5
+      uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v5
       with:
         enable-cache: true
     - name: Setup python
@@ -56,28 +41,43 @@ runs:
       working-directory: ${{ inputs.working-directory }}
       run: uv sync --all-extras --dev --frozen
     - name: Setup rust (stable)
-      if: ${{ contains(inputs.dependencies, 'rust') && !contains(inputs.dependencies,
-        'rust-nightly') }}
-      uses: actions-rust-lang/setup-rust-toolchain@2b1f5e9b395427c92ee4e3331786ca3c37afe2d7 # v1
+      if: ${{ contains(inputs.dependencies, 'rust') && !contains(inputs.dependencies, 'rust-nightly') }}
+      uses: actions-rust-lang/setup-rust-toolchain@150fca883cd4034361b621bd4e6a9d34e5143606 # v1
       with:
         rustflags: ""
     - name: Setup rust (nightly)
       if: ${{ contains(inputs.dependencies, 'rust-nightly') }}
-      uses: actions-rust-lang/setup-rust-toolchain@2b1f5e9b395427c92ee4e3331786ca3c37afe2d7 # v1
+      uses: actions-rust-lang/setup-rust-toolchain@150fca883cd4034361b621bd4e6a9d34e5143606 # v1
       with:
         toolchain: nightly
         components: rustfmt
         rustflags: ""
     - name: Setup rust dependencies
       if: ${{ contains(inputs.dependencies, 'rust') }}
-      uses: taiki-e/install-action@481c34c1cf3a84c68b5e46f4eccfc82af798415a # v2
+      uses: taiki-e/install-action@d858f8113943481093e02986a7586a4819a3bfd6 # v2
       with:
         tool: cargo-deny cargo-machete cargo-llvm-cov nextest
-    - name: Setup node (root, web)
+    - name: Setup node (web)
       if: ${{ contains(inputs.dependencies, 'node') }}
-      uses: ./.github/actions/setup-node
+      uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v4
       with:
-        working-directory: web
+        node-version-file: "${{ inputs.working-directory }}web/package.json"
+        cache: "npm"
+        cache-dependency-path: "${{ inputs.working-directory }}web/package-lock.json"
+        registry-url: "https://registry.npmjs.org"
+    - name: Setup node (root)
+      if: ${{ contains(inputs.dependencies, 'node') }}
+      uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v4
+      with:
+        node-version-file: "${{ inputs.working-directory }}package.json"
+        cache: "npm"
+        cache-dependency-path: "${{ inputs.working-directory }}package-lock.json"
+        registry-url: "https://registry.npmjs.org"
+    - name: Install Node deps
+      if: ${{ contains(inputs.dependencies, 'node') }}
+      shell: bash
+      working-directory: ${{ inputs.working-directory }}
+      run: npm ci
     - name: Setup go
       if: ${{ contains(inputs.dependencies, 'go') }}
       uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v5
@@ -87,9 +87,7 @@ runs:
       if: ${{ contains(inputs.dependencies, 'runtime') }}
       uses: AndreKurait/docker-cache@0fe76702a40db986d9663c24954fc14c6a6031b7
       with:
-        key: docker-images-${{ runner.os }}-${{
-          hashFiles('.github/actions/setup/compose.yml', 'Makefile') }}-${{
-          inputs.postgresql_version }}
+        key: docker-images-${{ runner.os }}-${{ hashFiles('.github/actions/setup/compose.yml', 'Makefile') }}-${{ inputs.postgresql_version }}
     - name: Setup dependencies
       if: ${{ contains(inputs.dependencies, 'runtime') }}
       shell: bash
@@ -97,7 +95,7 @@ runs:
       run: |
         export PSQL_TAG=${{ inputs.postgresql_version }}
         docker compose -f .github/actions/setup/compose.yml up -d
-        corepack npm ci --prefix web
+        cd web && npm ci
     - name: Generate config
       if: ${{ contains(inputs.dependencies, 'python') }}
       shell: uv run python {0}

.github/actions/setup/compose.yml

@@ -2,7 +2,7 @@ services:
   postgresql:
     image: docker.io/library/postgres:${PSQL_TAG:-16}
     volumes:
-      - db-data:/var/lib/postgresql
+      - db-data:/var/lib/postgresql/data
     command: "-c log_statement=all"
     environment:
       POSTGRES_USER: authentik

.github/dependabot.yml

@@ -20,8 +20,6 @@ updates:
       prefix: "ci:"
     labels:
       - dependencies
-    cooldown:
-      default-days: 3
 
   #endregion
 
@@ -37,16 +35,6 @@ updates:
       prefix: "core:"
     labels:
       - dependencies
-    cooldown:
-      default-days: 7
-      semver-major-days: 14
-      semver-patch-days: 3
-      exclude:
-        - "golang.org/x/crypto"
-        - "golang.org/x/net"
-        - "github.com/golang-jwt/jwt/*"
-        - "github.com/coreos/go-oidc/*"
-        - "github.com/go-ldap/ldap/*"
 
   #endregion
 
@@ -62,18 +50,6 @@ updates:
       prefix: "core:"
     labels:
       - dependencies
-    cooldown:
-      default-days: 7
-      semver-major-days: 14
-      semver-patch-days: 3
-      exclude:
-        - aws-lc-fips-sys
-        - aws-lc-rs
-        - aws-lc-sys
-        - rustls
-        - rustls-pki-types
-        - rustls-platform-verifier
-        - rustls-webpki
 
   - package-ecosystem: rust-toolchain
     directory: "/"
@@ -85,8 +61,6 @@ updates:
       prefix: "core:"
     labels:
       - dependencies
-    cooldown:
-      default-days: 3
 
   #endregion
 
@@ -105,10 +79,6 @@ updates:
     open-pull-requests-limit: 10
     commit-message:
       prefix: "web:"
-    cooldown:
-      default-days: 7
-      semver-major-days: 14
-      semver-patch-days: 3
     groups:
       sentry:
         patterns:
@@ -172,10 +142,6 @@ updates:
     open-pull-requests-limit: 10
     commit-message:
       prefix: "core, web:"
-    cooldown:
-      default-days: 7
-      semver-major-days: 14
-      semver-patch-days: 3
     groups:
       sentry:
         patterns:
@@ -234,10 +200,6 @@ updates:
       prefix: "website:"
     labels:
       - dependencies
-    cooldown:
-      default-days: 7
-      semver-major-days: 14
-      semver-patch-days: 3
     groups:
       docusaurus:
         patterns:
@@ -276,10 +238,6 @@ updates:
       prefix: "lifecycle/aws:"
     labels:
       - dependencies
-    cooldown:
-      default-days: 7
-      semver-major-days: 14
-      semver-patch-days: 3
 
   #endregion
 
@@ -295,18 +253,6 @@ updates:
       prefix: "core:"
     labels:
       - dependencies
-    cooldown:
-      default-days: 7
-      semver-major-days: 14
-      semver-patch-days: 3
-      exclude:
-        - "django"
-        - "cryptography"
-        - "pyjwt"
-        - "xmlsec"
-        - "lxml"
-        - "psycopg"
-        - "pyopenssl"
 
   #endregion
 
@@ -324,8 +270,6 @@ updates:
       prefix: "core:"
     labels:
       - dependencies
-    cooldown:
-      default-days: 3
   - package-ecosystem: docker-compose
     directories:
       - /packages/client-go
@@ -341,7 +285,5 @@ updates:
       prefix: "core:"
     labels:
       - dependencies
-    cooldown:
-      default-days: 3
 
   #endregion

.github/workflows/_reusable-docker-build-single.yml

@@ -67,18 +67,16 @@ jobs:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
-      - uses: ./.github/actions/setup-node
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v5
         with:
-          working-directory: web
-          dependencies: "monorepo"
-      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
+          node-version-file: web/package.json
+          cache: "npm"
+          cache-dependency-path: web/package-lock.json
+      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
         with:
           go-version-file: "go.mod"
-      - name: Generate API Clients
-        run: |
-          make gen-client-ts
       - name: Build Docker Image
-        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
         id: push
         with:
           context: .
@@ -91,8 +89,7 @@ jobs:
             ${{ steps.ev.outputs.imageBuildArgs }}
           tags: ${{ steps.ev.outputs.imageTags }}
           platforms: linux/${{ inputs.image_arch }}
-          cache-from: type=registry,ref=${{ steps.ev.outputs.attestImageNames
-            }}:buildcache-${{ inputs.image_arch }}
+          cache-from: type=registry,ref=${{ steps.ev.outputs.attestImageNames }}:buildcache-${{ inputs.image_arch }}
           cache-to: ${{ steps.ev.outputs.cacheTo }}
       - uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v3
         id: attest

.github/workflows/_reusable-docker-build.yml

@@ -90,7 +90,7 @@ jobs:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
-      - uses: int128/docker-manifest-create-action@7df7f9e221d927eaadf87db231ddf728047308a4 # v2
+      - uses: int128/docker-manifest-create-action@44422a4b046d55dc036df622039ed3aec43c613c # v2
         id: build
         with:
           tags: ${{ matrix.tag }}

.github/workflows/api-ts-publish.yml

@@ -1,65 +0,0 @@
----
-name: API - Publish Typescript client
-
-on:
-  push:
-    branches: [main]
-    paths:
-      - "schema.yml"
-  workflow_dispatch:
-
-permissions:
-  # Required for NPM OIDC trusted publisher
-  id-token: write
-  contents: read
-
-jobs:
-  build:
-    runs-on: ubuntu-latest
-    steps:
-      - id: generate_token
-        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v2
-        with:
-          app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIV_KEY }}
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-        with:
-          token: ${{ steps.generate_token.outputs.token }}
-      - uses: ./.github/actions/setup-node
-        with:
-          working-directory: web
-      - name: Generate API Client
-        run: make gen-client-ts
-      - name: Publish package
-        working-directory: gen-ts-api/
-        run: |
-          npm i
-          npm publish --tag generated
-      - name: Upgrade /web
-        working-directory: web
-        run: |
-          export VERSION=`node -e 'import mod from "./gen-ts-api/package.json" with { type: "json" };console.log(mod.version);'`
-          npm i @goauthentik/api@$VERSION
-      - name: Upgrade /web/packages/sfe
-        working-directory: web/packages/sfe
-        run: |
-          export VERSION=`node -e 'import mod from "./gen-ts-api/package.json" with { type: "json" };console.log(mod.version);'`
-          npm i @goauthentik/api@$VERSION
-      - uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
-        id: cpr
-        with:
-          token: ${{ steps.generate_token.outputs.token }}
-          branch: update-web-api-client
-          commit-message: "web: bump API Client version"
-          title: "web: bump API Client version"
-          body: "web: bump API Client version"
-          delete-branch: true
-          signoff: true
-          # ID from https://api.github.com/users/authentik-automation[bot]
-          author: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
-          labels: dependencies
-      - uses: peter-evans/enable-pull-request-automerge@a660677d5469627102a1c1e11409dd063606628d # v3
-        with:
-          token: ${{ steps.generate_token.outputs.token }}
-          pull-request-number: ${{ steps.cpr.outputs.pull-request-number }}
-          merge-method: squash

.github/workflows/ci-api-docs.yml

@@ -22,20 +22,26 @@ jobs:
           - prettier-check
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - uses: ./.github/actions/setup-node
-        with:
-          working-directory: website
+      - name: Install Dependencies
+        working-directory: website/
+        run: npm ci
       - name: Lint
-        run: corepack npm run ${{ matrix.command }} --prefix website
+        working-directory: website/
+        run: npm run ${{ matrix.command }}
   build:
     runs-on: ubuntu-latest
 
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - uses: ./.github/actions/setup-node
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v5
         with:
-          working-directory: website
-      - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v4
+          node-version-file: website/package.json
+          cache: "npm"
+          cache-dependency-path: website/package-lock.json
+      - working-directory: website/
+        name: Install Dependencies
+        run: npm ci
+      - uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v4
         with:
           path: |
             ${{ github.workspace }}/website/api/.docusaurus
@@ -48,8 +54,8 @@ jobs:
         working-directory: website
         env:
           NODE_ENV: production
-        run: corepack npm run build -w api
-      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v4
+        run: npm run build -w api
+      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v4
         with:
           name: api-docs
           path: website/api/build
@@ -65,9 +71,11 @@ jobs:
         with:
           name: api-docs
           path: website/api/build
-      - uses: ./.github/actions/setup-node
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v5
         with:
-          working-directory: website
+          node-version-file: website/package.json
+          cache: "npm"
+          cache-dependency-path: website/package-lock.json
       - name: Deploy Netlify (Production)
         working-directory: website/api
         if: github.event_name == 'push' && github.ref == 'refs/heads/main'

.github/workflows/ci-aws-cfn.yml

@@ -24,9 +24,14 @@ jobs:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
       - name: Setup authentik env
         uses: ./.github/actions/setup
-      - uses: ./.github/actions/setup-node
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v5
         with:
-          working-directory: lifecycle/aws
+          node-version-file: lifecycle/aws/package.json
+          cache: "npm"
+          cache-dependency-path: lifecycle/aws/package-lock.json
+      - working-directory: lifecycle/aws/
+        run: |
+          npm ci
       - name: Check changes have been applied
         run: |
           uv run make aws-cfn

.github/workflows/ci-docs.yml

@@ -24,34 +24,46 @@ jobs:
           - prettier-check
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - uses: ./.github/actions/setup-node
-        with:
-          working-directory: website
+      - name: Install dependencies
+        working-directory: website/
+        run: npm ci
       - name: Lint
-        run: corepack npm run ${{ matrix.command }} --prefix website
+        working-directory: website/
+        run: npm run ${{ matrix.command }}
   build-docs:
     runs-on: ubuntu-latest
     env:
       NODE_ENV: production
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - uses: ./.github/actions/setup-node
-        name: Setup Node.js
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v5
         with:
-          working-directory: website
+          node-version-file: website/package.json
+          cache: "npm"
+          cache-dependency-path: website/package-lock.json
+      - working-directory: website/
+        name: Install Dependencies
+        run: npm ci
       - name: Build Documentation via Docusaurus
-        run: corepack npm run build --prefix website
+        working-directory: website/
+        run: npm run build
   build-integrations:
     runs-on: ubuntu-latest
     env:
       NODE_ENV: production
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - uses: ./.github/actions/setup-node
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v5
         with:
-          working-directory: website
+          node-version-file: website/package.json
+          cache: "npm"
+          cache-dependency-path: website/package-lock.json
+      - working-directory: website/
+        name: Install Dependencies
+        run: npm ci
       - name: Build Integrations via Docusaurus
-        run: corepack npm run build -w integrations --prefix website
+        working-directory: website/
+        run: npm run build -w integrations
   build-container:
     runs-on: ubuntu-latest
     permissions:
@@ -84,7 +96,7 @@ jobs:
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Build Docker Image
         id: push
-        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
         with:
           tags: ${{ steps.ev.outputs.imageTags }}
           file: website/Dockerfile
@@ -92,9 +104,7 @@ jobs:
           platforms: linux/amd64,linux/arm64
           context: .
           cache-from: type=registry,ref=ghcr.io/goauthentik/dev-docs:buildcache
-          cache-to: ${{ steps.ev.outputs.shouldPush == 'true' &&
-            'type=registry,ref=ghcr.io/goauthentik/dev-docs:buildcache,mode=max'
-            || '' }}
+          cache-to: ${{ steps.ev.outputs.shouldPush == 'true' && 'type=registry,ref=ghcr.io/goauthentik/dev-docs:buildcache,mode=max' || '' }}
       - uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v3
         id: attest
         if: ${{ steps.ev.outputs.shouldPush == 'true' }}

.github/workflows/ci-main-daily.yml

@@ -20,19 +20,13 @@ jobs:
         version:
           - docs
           - version-2025-12
-          - version-2026-2
+          - version-2025-10
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
       - run: |
-          set -euo pipefail
           current="$(pwd)"
           dir="/tmp/authentik/${{ matrix.version }}"
-          # 2025.12 still serves the legacy docker-compose filename; newer sites use compose.yml.
-          compose_path="compose.yml"
-          if [ "${{ matrix.version }}" = "version-2025-12" ]; then
-            compose_path="docker-compose.yml"
-          fi
           mkdir -p "${dir}/lifecycle/container"
           cd "${dir}"
-          wget "https://${{ matrix.version }}.goauthentik.io/${compose_path}" -O "${dir}/lifecycle/container/compose.yml"
+          wget "https://${{ matrix.version }}.goauthentik.io/docker-compose.yml" -O "${dir}/lifecycle/container/compose.yml"
           "${current}/scripts/test_docker.sh"

.github/workflows/ci-main.yml

@@ -73,8 +73,7 @@ jobs:
       - name: generate API clients
         run: make gen-clients
       - name: ensure schema is up-to-date
-        run: git diff --exit-code -- schema.yml blueprints/schema.json
-          packages/client-go packages/client-rust packages/client-ts
+        run: git diff --exit-code -- schema.yml blueprints/schema.json packages/client-go packages/client-rust packages/client-ts
   test-migrations:
     runs-on: ubuntu-latest
     steps:
@@ -92,8 +91,7 @@ jobs:
     outputs:
       seed: ${{ steps.seed.outputs.seed }}
   test-migrations-from-stable:
-    name: test-migrations-from-stable - PostgreSQL ${{ matrix.psql }} - Run ${{
-      matrix.run_id }}/5
+    name: test-migrations-from-stable - PostgreSQL ${{ matrix.psql }} - Run ${{ matrix.run_id }}/5
     runs-on: ubuntu-latest
     timeout-minutes: 30
     needs: test-make-seed
@@ -103,7 +101,7 @@ jobs:
         psql:
           - 14-alpine
           - 18-alpine
-        run_id: [ 1, 2, 3, 4, 5 ]
+        run_id: [1, 2, 3, 4, 5]
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
         with:
@@ -111,13 +109,8 @@ jobs:
       - name: checkout stable
         run: |
           set -e -o pipefail
-
           cp -R .github ..
           cp -R scripts ..
-
-          mkdir -p ../packages
-          cp -R packages/logger-js ../packages/logger-js
-
           # Previous stable tag
           prev_stable=$(git tag --sort=version:refname | grep '^version/' | grep -vE -- '-rc[0-9]+$' | tail -n1)
           # Current version family based on
@@ -125,22 +118,16 @@ jobs:
           if [[ -n $current_version_family ]]; then
               prev_stable="version/${current_version_family}"
           fi
-
           echo "::notice::Checking out ${prev_stable} as stable version..."
           git checkout ${prev_stable}
-
-          rm -rf .github/ scripts/ packages/logger-js/
+          rm -rf .github/ scripts/
           mv ../.github ../scripts .
-          mv ../packages/logger-js ./packages/
       - name: Setup authentik env (stable)
         uses: ./.github/actions/setup
         with:
           postgresql_version: ${{ matrix.psql }}
       - name: run migrations to stable
-        run: |
-          docker ps
-          docker logs setup-postgresql-1
-          uv run python -m lifecycle.migrate
+        run: uv run python -m lifecycle.migrate
       - name: checkout current code
         run: |
           set -x
@@ -179,7 +166,7 @@ jobs:
         psql:
           - 14-alpine
           - 18-alpine
-        run_id: [ 1, 2, 3, 4, 5 ]
+        run_id: [1, 2, 3, 4, 5]
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
       - name: Setup authentik env
@@ -262,22 +249,19 @@ jobs:
           COMPOSE_PROFILES: ${{ matrix.job.profiles }}
         run: |
           docker compose -f tests/e2e/compose.yml up -d --quiet-pull
-      - uses: ./.github/actions/setup-node
       - id: cache-web
-        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v4
+        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v4
         if: contains(matrix.job.profiles, 'selenium')
         with:
           path: web/dist
-          key: ${{ runner.os }}-web-${{ hashFiles('web/package-lock.json',
-            'package-lock.json', 'web/src/**', 'web/packages/sfe/src/**') }}-b
+          key: ${{ runner.os }}-web-${{ hashFiles('web/package-lock.json', 'package-lock.json', 'web/src/**', 'web/packages/sfe/src/**') }}-b
       - name: prepare web ui
-        if: steps.cache-web.outputs.cache-hit != 'true' && contains(matrix.job.profiles,
-          'selenium')
+        if: steps.cache-web.outputs.cache-hit != 'true' && contains(matrix.job.profiles, 'selenium')
         working-directory: web
         run: |
-          corepack npm ci
-          corepack npm run build
-          corepack npm run build:sfe
+          npm ci
+          npm run build
+          npm run build:sfe
       - name: run e2e
         run: |
           uv run coverage run manage.py test ${{ matrix.job.glob }}
@@ -312,17 +296,17 @@ jobs:
         run: |
           docker compose -f tests/openid_conformance/compose.yml up -d --quiet-pull
       - id: cache-web
-        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v4
+        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v4
         with:
           path: web/dist
-          key: ${{ runner.os }}-web-${{ hashFiles('web/package-lock.json', 'web/src/**',
-            'web/packages/sfe/src/**') }}-b
+          key: ${{ runner.os }}-web-${{ hashFiles('web/package-lock.json', 'web/src/**', 'web/packages/sfe/src/**') }}-b
       - name: prepare web ui
         if: steps.cache-web.outputs.cache-hit != 'true'
+        working-directory: web
         run: |
-          corepack npm ci --prefix web
-          corepack npm run build --prefix web
-          corepack npm run build:sfe --prefix web
+          npm ci
+          npm run build
+          npm run build:sfe
       - name: run conformance
         run: |
           uv run coverage run manage.py test ${{ matrix.job.glob }}
@@ -333,7 +317,7 @@ jobs:
         with:
           flags: conformance
       - if: ${{ !cancelled() }}
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: conformance-certification-${{ matrix.job.name }}
           path: tests/openid_conformance/exports/
@@ -345,7 +329,7 @@ jobs:
       - name: Setup authentik env
         uses: ./.github/actions/setup
         with:
-          dependencies: rust,runtime
+          dependencies: rust
       - name: run tests
         run: |
           cargo llvm-cov --no-report nextest --workspace
@@ -356,7 +340,7 @@ jobs:
           files: target/llvm-cov-target/rust.json
           flags: rust
       - if: ${{ !cancelled() }}
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: test-rust
           path: target/llvm-cov-target/rust.json
@@ -388,9 +372,7 @@ jobs:
     uses: ./.github/workflows/_reusable-docker-build.yml
     secrets: inherit
     with:
-      image_name: ${{ github.repository == 'goauthentik/authentik-internal' &&
-        'ghcr.io/goauthentik/internal-server' ||
-        'ghcr.io/goauthentik/dev-server' }}
+      image_name: ${{ github.repository == 'goauthentik/authentik-internal' && 'ghcr.io/goauthentik/internal-server' || 'ghcr.io/goauthentik/dev-server' }}
       release: false
   pr-comment:
     needs:

.github/workflows/ci-outpost.yml

@@ -105,7 +105,7 @@ jobs:
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Build Docker Image
         id: push
-        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
         with:
           tags: ${{ steps.ev.outputs.imageTags }}
           file: lifecycle/container/${{ matrix.type }}.Dockerfile
@@ -114,11 +114,8 @@ jobs:
             GIT_BUILD_HASH=${{ steps.ev.outputs.sha }}
           platforms: linux/amd64,linux/arm64
           context: .
-          cache-from: type=registry,ref=ghcr.io/goauthentik/dev-${{ matrix.type
-            }}:buildcache
-          cache-to: ${{ steps.ev.outputs.shouldPush == 'true' &&
-            format('type=registry,ref=ghcr.io/goauthentik/dev-{0}:buildcache,mode=max',
-            matrix.type) || '' }}
+          cache-from: type=registry,ref=ghcr.io/goauthentik/dev-${{ matrix.type }}:buildcache
+          cache-to: ${{ steps.ev.outputs.shouldPush == 'true' && format('type=registry,ref=ghcr.io/goauthentik/dev-{0}:buildcache,mode=max', matrix.type) || '' }}
       - uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v3
         id: attest
         if: ${{ steps.ev.outputs.shouldPush == 'true' }}
@@ -139,8 +136,8 @@ jobs:
           - ldap
           - radius
           - rac
-        goos: [ linux ]
-        goarch: [ amd64, arm64 ]
+        goos: [linux]
+        goarch: [amd64, arm64]
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
         with:
@@ -148,11 +145,16 @@ jobs:
       - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
         with:
           go-version-file: "go.mod"
-      - uses: ./.github/actions/setup-node
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v5
         with:
-          working-directory: web
+          node-version-file: web/package.json
+          cache: "npm"
+          cache-dependency-path: web/package-lock.json
       - name: Build web
-        run: corepack npm run build-proxy --prefix web
+        working-directory: web/
+        run: |
+          npm ci
+          npm run build-proxy
       - name: Build outpost
         run: |
           set -x

.github/workflows/ci-web.yml

@@ -15,30 +15,48 @@ on:
 jobs:
   lint:
     runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        command:
+          - lint
+          - lint:lockfile
+          - tsc
+          - prettier-check
+        project:
+          - web
+        include:
+          - command: tsc
+            project: web
+          - command: lit-analyse
+            project: web
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - uses: ./.github/actions/setup-node
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v5
         with:
-          working-directory: web
+          node-version-file: ${{ matrix.project }}/package.json
+          cache: "npm"
+          cache-dependency-path: ${{ matrix.project }}/package-lock.json
+      - working-directory: ${{ matrix.project }}/
+        run: |
+          npm ci
       - name: Lint
-        run: corepack npm run lint --prefix web
-      - name: Check types
-        run: corepack npm run tsc --prefix web
-      - name: Check formatting
-        run: corepack npm run prettier-check --prefix web
-      - name: Lit analyse
-        run: corepack npm run lit-analyse --prefix web
-
+        working-directory: ${{ matrix.project }}/
+        run: npm run ${{ matrix.command }}
   build:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - uses: ./.github/actions/setup-node
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v5
         with:
-          working-directory: web
+          node-version-file: web/package.json
+          cache: "npm"
+          cache-dependency-path: web/package-lock.json
+      - working-directory: web/
+        run: npm ci
       - name: build
         working-directory: web/
-        run: corepack npm run build
+        run: npm run build
   ci-web-mark:
     if: always()
     needs:
@@ -55,9 +73,13 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - uses: ./.github/actions/setup-node
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v5
         with:
-          working-directory: web
+          node-version-file: web/package.json
+          cache: "npm"
+          cache-dependency-path: web/package-lock.json
+      - working-directory: web/
+        run: npm ci
       - name: test
         working-directory: web/
-        run: corepack npm run test || exit 0
+        run: npm run test || exit 0

.github/workflows/gen-image-compress.yml

@@ -29,7 +29,7 @@ jobs:
        github.event.pull_request.head.repo.full_name == github.repository)
     steps:
       - id: generate_token
-        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v2
+        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v2
         with:
           app-id: ${{ secrets.GH_APP_ID }}
           private-key: ${{ secrets.GH_APP_PRIV_KEY }}
@@ -38,11 +38,11 @@ jobs:
           token: ${{ steps.generate_token.outputs.token }}
       - name: Compress images
         id: compress
-        uses: calibreapp/image-actions@e2cc8db5d49c849e00844dfebf01438318e96fa2 # main
+        uses: calibreapp/image-actions@03c976c29803442fc4040a9de5509669e7759b81 # main
         with:
           GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
           compressOnly: ${{ github.event_name != 'pull_request' }}
-      - uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
+      - uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
         if: "${{ github.event_name != 'pull_request' && steps.compress.outputs.markdown != '' }}"
         id: cpr
         with:

.github/workflows/gen-update-webauthn-mds.yml

@@ -16,7 +16,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - id: generate_token
-        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v2
+        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v2
         with:
           app-id: ${{ secrets.GH_APP_ID }}
           private-key: ${{ secrets.GH_APP_PRIV_KEY }}
@@ -26,7 +26,7 @@ jobs:
       - name: Setup authentik env
         uses: ./.github/actions/setup
       - run: uv run ak update_webauthn_mds
-      - uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
+      - uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
         id: cpr
         with:
           token: ${{ steps.generate_token.outputs.token }}

.github/workflows/gh-cherry-pick.yml

@@ -10,7 +10,7 @@ jobs:
     steps:
       - id: app-token
         name: Generate app token
-        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v2
+        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v2
         if: ${{ env.GH_APP_ID != '' }}
         with:
           app-id: ${{ secrets.GH_APP_ID }}

.github/workflows/gh-ghcr-retention.yml

@@ -16,7 +16,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - id: generate_token
-        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v2
+        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v2
         with:
           app-id: ${{ secrets.GH_APP_ID }}
           private-key: ${{ secrets.GH_APP_PRIV_KEY }}

.github/workflows/packages-npm-publish.yml

@@ -3,7 +3,7 @@ name: Packages - Publish NPM packages
 
 on:
   push:
-    branches: [ main ]
+    branches: [main]
     paths:
       - packages/tsconfig/**
       - packages/eslint-config/**
@@ -35,19 +35,22 @@ jobs:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
         with:
           fetch-depth: 2
-      - uses: ./.github/actions/setup-node
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v5
         with:
-          working-directory: ${{ matrix.package }}
+          node-version-file: ${{ matrix.package }}/package.json
+          registry-url: "https://registry.npmjs.org"
       - name: Get changed files
         id: changed-files
-        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # 24d32ffd492484c1d75e0c0b894501ddb9d30d62
+        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # 24d32ffd492484c1d75e0c0b894501ddb9d30d62
         with:
           files: |
             ${{ matrix.package }}/package.json
+      - name: Install Dependencies
+        run: npm ci
       - name: Publish package
         if: steps.changed-files.outputs.any_changed == 'true'
         working-directory: ${{ matrix.package }}
         run: |
-          corepack npm ci
-          corepack npm run build
-          corepack npm publish
+          npm ci
+          npm run build
+          npm publish

.github/workflows/release-branch-off.yml

@@ -29,7 +29,7 @@ jobs:
     steps:
       - id: app-token
         name: Generate app token
-        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v2
+        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v2
         with:
           app-id: ${{ secrets.GH_APP_ID }}
           private-key: ${{ secrets.GH_APP_PRIV_KEY }}
@@ -57,7 +57,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - id: generate_token
-        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v2
+        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v2
         with:
           app-id: ${{ secrets.GH_APP_ID }}
           private-key: ${{ secrets.GH_APP_PRIV_KEY }}
@@ -73,7 +73,7 @@ jobs:
       - name: Bump version
         run: "make bump version=${{ inputs.next_version }}.0-rc1"
       - name: Create pull request
-        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
         with:
           token: ${{ steps.generate_token.outputs.token }}
           branch: release-bump-${{ inputs.next_version }}

.github/workflows/release-publish.yml

@@ -3,7 +3,7 @@ name: Release - On publish
 
 on:
   release:
-    types: [ published, created ]
+    types: [published, created]
 
 jobs:
   build-server:
@@ -51,7 +51,7 @@ jobs:
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Build Docker Image
         id: push
-        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
         with:
           tags: ${{ steps.ev.outputs.imageTags }}
           file: website/Dockerfile
@@ -87,9 +87,11 @@ jobs:
       - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
         with:
           go-version-file: "go.mod"
-      - uses: ./.github/actions/setup-node
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v5
         with:
-          working-directory: web
+          node-version-file: web/package.json
+          cache: "npm"
+          cache-dependency-path: web/package-lock.json
       - name: Set up QEMU
         uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
       - name: Set up Docker Buildx
@@ -113,7 +115,7 @@ jobs:
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Build Docker Image
-        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
         id: push
         with:
           push: true
@@ -142,16 +144,22 @@ jobs:
           - proxy
           - ldap
           - radius
-        goos: [ linux, darwin ]
-        goarch: [ amd64, arm64 ]
+        goos: [linux, darwin]
+        goarch: [amd64, arm64]
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
       - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
         with:
           go-version-file: "go.mod"
-      - uses: ./.github/actions/setup-node
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v5
         with:
-          working-directory: web
+          node-version-file: web/package.json
+          cache: "npm"
+          cache-dependency-path: web/package-lock.json
+      - name: Install web dependencies
+        working-directory: web/
+        run: |
+          npm ci
       - name: Build web
         working-directory: web/
         run: |
@@ -167,10 +175,8 @@ jobs:
         uses: svenstaro/upload-release-action@29e53e917877a24fad85510ded594ab3c9ca12de # v2
         with:
           repo_token: ${{ secrets.GITHUB_TOKEN }}
-          file: ./authentik-outpost-${{ matrix.type }}_${{ matrix.goos }}_${{
-            matrix.goarch }}
-          asset_name: authentik-outpost-${{ matrix.type }}_${{ matrix.goos }}_${{
-            matrix.goarch }}
+          file: ./authentik-outpost-${{ matrix.type }}_${{ matrix.goos }}_${{ matrix.goarch }}
+          asset_name: authentik-outpost-${{ matrix.type }}_${{ matrix.goos }}_${{ matrix.goarch }}
           tag: ${{ github.ref }}
   upload-aws-cfn-template:
     permissions:
@@ -185,7 +191,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6.1.0
+      - uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7 # v6.0.0
         with:
           role-to-assume: "arn:aws:iam::016170277896:role/github_goauthentik_authentik"
           aws-region: ${{ env.AWS_REGION }}

.github/workflows/release-tag.yml

@@ -67,7 +67,7 @@ jobs:
     steps:
       - id: app-token
         name: Generate app token
-        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v2
+        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v2
         with:
           app-id: ${{ secrets.GH_APP_ID }}
           private-key: ${{ secrets.GH_APP_PRIV_KEY }}
@@ -96,7 +96,7 @@ jobs:
           git tag "version/${{ inputs.version }}" HEAD -m "version/${{ inputs.version }}"
           git push --follow-tags
       - name: Create Release
-        uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3.0.0
+        uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2.6.1
         with:
           token: "${{ steps.app-token.outputs.token }}"
           tag_name: "version/${{ inputs.version }}"
@@ -115,7 +115,7 @@ jobs:
     steps:
       - id: app-token
         name: Generate app token
-        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v2
+        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v2
         with:
           app-id: ${{ secrets.GH_APP_ID }}
           private-key: ${{ secrets.GH_APP_PRIV_KEY }}
@@ -137,7 +137,7 @@ jobs:
           sed -E -i 's/[0-9]{4}\.[0-9]{1,2}\.[0-9]+$/${{ inputs.version }}/' charts/authentik/Chart.yaml
           ./scripts/helm-docs.sh
       - name: Create pull request
-        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
         with:
           token: "${{ steps.app-token.outputs.token }}"
           branch: bump-${{ inputs.version }}
@@ -157,7 +157,7 @@ jobs:
     steps:
       - id: app-token
         name: Generate app token
-        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v2
+        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v2
         with:
           app-id: ${{ secrets.GH_APP_ID }}
           private-key: ${{ secrets.GH_APP_PRIV_KEY }}
@@ -196,7 +196,7 @@ jobs:
             '.stable.version = $version | .stable.changelog = $changelog | .stable.changelog_url = $changelog_url | .stable.reason = $reason' version.json > version.new.json
           mv version.new.json version.json
       - name: Create pull request
-        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
         with:
           token: "${{ steps.app-token.outputs.token }}"
           branch: bump-${{ inputs.version }}

.github/workflows/repo-stale.yml

@@ -15,7 +15,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - id: generate_token
-        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v2
+        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v2
         with:
           app-id: ${{ secrets.GH_APP_ID }}
           private-key: ${{ secrets.GH_APP_PRIV_KEY }}

.github/workflows/translation-extract-compile.yml

@@ -21,7 +21,7 @@ jobs:
     steps:
       - id: generate_token
         if: ${{ github.event_name != 'pull_request' }}
-        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v2
+        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v2
         with:
           app-id: ${{ secrets.GH_APP_ID }}
           private-key: ${{ secrets.GH_APP_PRIV_KEY }}
@@ -42,7 +42,7 @@ jobs:
           make web-check-compile
       - name: Create Pull Request
         if: ${{ github.event_name != 'pull_request' }}
-        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
         with:
           token: ${{ steps.generate_token.outputs.token }}
           branch: extract-compile-backend-translation

.gitignore

@@ -14,8 +14,6 @@ media
 # Node
 
 node_modules
-corepack.tgz
-.corepack
 
 .cspellcache
 cspell-report.*

CODEOWNERS

@@ -14,7 +14,6 @@ pyproject.toml                          @goauthentik/backend
 uv.lock                                 @goauthentik/backend
 Cargo.toml                              @goauthentik/backend
 Cargo.lock                              @goauthentik/backend
-build.rs                                @goauthentik/backend
 go.mod                                  @goauthentik/backend
 go.sum                                  @goauthentik/backend
 .cargo/                                 @goauthentik/backend

Cargo.toml

@@ -1,6 +1,5 @@
 [workspace]
 members = [
-  "packages/ak-axum",
   "packages/ak-common",
   "packages/client-rust",
   "website/scripts/docsmg",
@@ -19,37 +18,21 @@ license-file = "LICENSE"
 publish = false
 
 [workspace.dependencies]
-arc-swap = "= 1.9.1"
-argh = "= 0.1.19"
+arc-swap = "= 1.9.0"
 axum-server = { version = "= 0.8.0", features = ["tls-rustls-no-provider"] }
-aws-lc-rs = { version = "= 1.16.3", features = ["fips"] }
-axum = { version = "= 0.8.9", features = ["http2", "macros", "ws"] }
-clap = { version = "= 4.6.1", features = ["derive", "env"] }
-client-ip = { version = "0.2.1", features = ["forwarded-header"] }
-color-eyre = "= 0.6.5"
+aws-lc-rs = { version = "= 1.16.2", features = ["fips"] }
+clap = { version = "= 4.6.0", features = ["derive", "env"] }
 colored = "= 3.1.1"
 config-rs = { package = "config", version = "= 0.15.22", default-features = false, features = [
-  "json",
   "yaml",
+  "async",
 ] }
-console-subscriber = "= 0.5.0"
 dotenvy = "= 0.15.7"
-durstr = "= 0.5.1"
 eyre = "= 0.6.12"
-forwarded-header-value = "= 0.1.1"
-futures = "= 0.3.32"
 glob = "= 0.3.3"
-hyper-unix-socket = "= 0.6.1"
-hyper-util = "= 0.1.20"
-ipnet = { version = "= 2.12.0", features = ["serde"] }
-json-subscriber = "= 0.2.8"
-metrics = "= 0.24.3"
-metrics-exporter-prometheus = { version = "= 0.18.1", default-features = false }
-nix = { version = "= 0.31.2", features = ["hostname", "signal"] }
+nix = { version = "= 0.31.2", features = ["signal"] }
 notify = "= 8.2.0"
 pin-project-lite = "= 0.2.17"
-pyo3 = "= 0.28.3"
-pyo3-build-config = "= 0.28.3"
 regex = "= 1.12.3"
 reqwest = { version = "= 0.13.2", features = [
   "form",
@@ -66,57 +49,29 @@ reqwest-middleware = { version = "= 0.5.1", features = [
   "query",
   "rustls",
 ] }
-rustls = { version = "= 0.23.40", features = ["fips"] }
-sentry = { version = "= 0.47.0", default-features = false, features = [
-  "backtrace",
-  "contexts",
-  "debug-images",
-  "panic",
-  "rustls",
-  "reqwest",
-  "tower",
-  "tracing",
-] }
+rustls = { version = "= 0.23.37", features = ["fips"] }
 serde = { version = "= 1.0.228", features = ["derive"] }
 serde_json = "= 1.0.149"
 serde_repr = "= 0.1.20"
 serde_with = { version = "= 3.18.0", default-features = false, features = [
   "base64",
 ] }
-sqlx = { version = "= 0.8.6", default-features = false, features = [
-  "runtime-tokio",
-  "tls-rustls-aws-lc-rs",
-  "postgres",
-  "derive",
-  "macros",
-  "uuid",
-  "chrono",
-  "ipnet",
-  "json",
-] }
 tempfile = "= 3.27.0"
 thiserror = "= 2.0.18"
-time = { version = "= 0.3.47", features = ["macros"] }
-tokio = { version = "= 1.52.1", features = ["full", "tracing"] }
-tokio-retry2 = "= 0.9.1"
-tokio-rustls = "= 0.26.4"
+tokio = { version = "= 1.50.0", features = ["full", "tracing"] }
 tokio-util = { version = "= 0.7.18", features = ["full"] }
-tower = "= 0.5.3"
-tower-http = { version = "= 0.6.8", features = ["timeout"] }
 tracing = "= 0.1.44"
-tracing-error = "= 0.2.1"
-tracing-subscriber = { version = "= 0.3.23", features = [
-  "env-filter",
-  "json",
-  "local-time",
-  "tracing-log",
-] }
 url = "= 2.5.8"
-uuid = { version = "= 1.23.1", features = ["serde", "v4"] }
+uuid = { version = "= 1.23.0", features = ["serde", "v4"] }
 
-ak-axum = { package = "authentik-axum", version = "2026.5.0-rc1", path = "./packages/ak-axum" }
-ak-client = { package = "authentik-client", version = "2026.5.0-rc1", path = "./packages/client-rust" }
-ak-common = { package = "authentik-common", version = "2026.5.0-rc1", path = "./packages/ak-common", default-features = false }
+ak-common = { package = "authentik-common", version = "2026.5.0-rc1", path = "./packages/ak-common" }
+
+[profile.dev.package.backtrace]
+opt-level = 3
+
+[profile.release]
+lto = true
+debug = 2
 
 [workspace.lints.rust]
 ambiguous_negative_literals = "warn"
@@ -231,57 +186,3 @@ unused_trait_names = "warn"
 unwrap_in_result = "warn"
 unwrap_used = "warn"
 verbose_file_reads = "warn"
-
-[profile.dev.package.backtrace]
-opt-level = 3
-
-[profile.dev]
-panic = "abort"
-
-[profile.release]
-debug = 2
-lto = "fat"
-# Because of the async runtime, we want to die straightaway if we panic.
-panic = "abort"
-strip = true
-
-[package]
-name = "authentik"
-version.workspace = true
-authors.workspace = true
-edition.workspace = true
-readme.workspace = true
-homepage.workspace = true
-repository.workspace = true
-license-file.workspace = true
-publish.workspace = true
-
-[features]
-default = ["core", "proxy"]
-core = ["ak-common/core", "dep:pyo3", "dep:sqlx"]
-proxy = ["ak-common/proxy"]
-
-[build-dependencies]
-pyo3-build-config.workspace = true
-
-[dependencies]
-ak-axum.workspace = true
-ak-common.workspace = true
-arc-swap.workspace = true
-argh.workspace = true
-axum.workspace = true
-color-eyre.workspace = true
-eyre.workspace = true
-hyper-unix-socket.workspace = true
-hyper-util.workspace = true
-metrics.workspace = true
-metrics-exporter-prometheus.workspace = true
-nix.workspace = true
-pyo3 = { workspace = true, optional = true }
-sqlx = { workspace = true, optional = true }
-tokio.workspace = true
-tracing.workspace = true
-uuid.workspace = true
-
-[lints]
-workspace = true

Makefile

@@ -106,9 +106,8 @@ migrate: ## Run the Authentik Django server's migrations
 
 i18n-extract: core-i18n-extract web-i18n-extract  ## Extract strings that require translation into files to send to a translation service
 
-aws-cfn: node-install
-	corepack npm install --prefix lifecycle/aws
-	$(UV) run corepack npm run aws-cfn --prefix lifecycle/aws
+aws-cfn:
+	cd lifecycle/aws && npm i && $(UV) run npm run aws-cfn
 
 run-server:  ## Run the main authentik server process
 	$(UV) run ak server
@@ -116,9 +115,6 @@ run-server:  ## Run the main authentik server process
 run-worker:  ## Run the main authentik worker process
 	$(UV) run ak worker
 
-run-worker-watch:  ## Run the authentik worker, with auto reloading
-	watchexec --on-busy-update=restart --stop-signal=SIGINT --exts py,rs --no-meta --notify -- $(UV) run ak worker
-
 core-i18n-extract:
 	$(UV) run ak makemessages \
 		--add-location file \
@@ -129,7 +125,7 @@ core-i18n-extract:
 		--ignore website \
 		-l en
 
-install: node-install web-install core-install  ## Install all requires dependencies for `node`, `web` and `core`
+install: node-install docs-install core-install  ## Install all requires dependencies for `node`, `docs` and `core`
 
 dev-drop-db:
 	$(eval pg_user := $(shell $(UV) run python -m authentik.lib.config postgresql.user 2>/dev/null))
@@ -148,14 +144,8 @@ dev-create-db:
 dev-reset: dev-drop-db dev-create-db migrate  ## Drop and restore the Authentik PostgreSQL instance to a "fresh install" state.
 
 update-test-mmdb:  ## Update test GeoIP and ASN Databases
-	curl \
-		-L \
-		-o ${PWD}/tests/geoip/GeoLite2-ASN-Test.mmdb \
-		https://raw.githubusercontent.com/maxmind/MaxMind-DB/refs/heads/main/test-data/GeoLite2-ASN-Test.mmdb
-	curl \
-		-L \
-		-o ${PWD}/tests/geoip/GeoLite2-City-Test.mmdb \
-		https://raw.githubusercontent.com/maxmind/MaxMind-DB/refs/heads/main/test-data/GeoLite2-City-Test.mmdb
+	curl -L https://raw.githubusercontent.com/maxmind/MaxMind-DB/refs/heads/main/test-data/GeoLite2-ASN-Test.mmdb -o ${PWD}/tests/GeoLite2-ASN-Test.mmdb
+	curl -L https://raw.githubusercontent.com/maxmind/MaxMind-DB/refs/heads/main/test-data/GeoLite2-City-Test.mmdb -o ${PWD}/tests/GeoLite2-City-Test.mmdb
 
 bump:  ## Bump authentik version. Usage: make bump version=20xx.xx.xx
 ifndef version
@@ -209,10 +199,10 @@ gen-diff:  ## (Release) generate the changelog diff between the current schema a
 	npx prettier --write diff.md
 
 gen-client-go:  ## Build and install the authentik API for Golang
-	$(UV) run make -C "${PWD}/packages/client-go" build
+	make -C "${PWD}/packages/client-go" build
 
 gen-client-rust:  ## Build and install the authentik API for Rust
-	$(UV) run make -C "${PWD}/packages/client-rust" build version=${NPM_VERSION}
+	make -C "${PWD}/packages/client-rust" build version=${NPM_VERSION}
 	make lint-fix-rust
 
 gen-client-ts:  ## Build and install the authentik API for Typescript into the authentik UI Application
@@ -233,46 +223,38 @@ gen-dev-config:  ## Generate a local development config file
 #########################
 
 node-install:  ## Install the necessary libraries to build Node.js packages
-	node ./scripts/node/setup-corepack.mjs
-	node ./scripts/node/lint-runtime.mjs
-
-	node ./scripts/node/lint-runtime.mjs
+	npm ci
+	npm ci --prefix web
 
 #########################
 ## Web
 #########################
 
-web-install: ## Install the necessary libraries to build the Authentik UI
-	node ./scripts/node/lint-runtime.mjs web
-
-	corepack npm ci
-	corepack npm ci --prefix web
-
-web-build:  ## Build the Authentik UI
-	corepack npm run --prefix web build
+web-build: node-install  ## Build the Authentik UI
+	npm run --prefix web build
 
 web: web-lint-fix web-lint web-check-compile  ## Automatically fix formatting issues in the Authentik UI source code, lint the code, and compile it
 
 web-test: ## Run tests for the Authentik UI
-	corepack npm run --prefix web test
+	npm run --prefix web test
 
 web-watch:  ## Build and watch the Authentik UI for changes, updating automatically
-	corepack npm run --prefix web watch
+	npm run --prefix web watch
 web-storybook-watch:  ## Build and run the storybook documentation server
-	corepack npm run --prefix web storybook
+	npm run --prefix web storybook
 
 web-lint-fix:
-	corepack npm run --prefix web prettier
+	npm run --prefix web prettier
 
 web-lint:
-	corepack npm run --prefix web lint
-	corepack npm run --prefix web lit-analyse
+	npm run --prefix web lint
+	npm run --prefix web lit-analyse
 
 web-check-compile:
-	corepack npm run --prefix web tsc
+	npm run --prefix web tsc
 
 web-i18n-extract:
-	corepack npm run --prefix web extract-locales
+	npm run --prefix web extract-locales
 
 #########################
 ## Docs
@@ -280,40 +262,35 @@ web-i18n-extract:
 
 docs: docs-lint-fix docs-build  ## Automatically fix formatting issues in the Authentik docs source code, lint the code, and compile it
 
-docs-install: node-install  ## Install the necessary libraries to build the Authentik documentation
-	node ./scripts/node/lint-runtime.mjs
-
-	corepack npm ci
-
-	corepack npm ci --prefix website
+docs-install:
+	npm ci --prefix website
 
 docs-lint-fix: lint-spellcheck
-	corepack npm run --prefix website prettier
+	npm run --prefix website prettier
 
 docs-build:
-	node ./scripts/node/lint-runtime.mjs website
-	corepack npm run --prefix website build
+	npm run --prefix website build
 
 docs-watch:  ## Build and watch the topics documentation
-	corepack npm run --prefix website start
+	npm run --prefix website start
 
 integrations: docs-lint-fix integrations-build ## Fix formatting issues in the integrations source code, lint the code, and compile it
 
 integrations-build:
-	corepack npm run --prefix website -w integrations build
+	npm run --prefix website -w integrations build
 
 integrations-watch:  ## Build and watch the Integrations documentation
-	corepack npm run --prefix website -w integrations start
+	npm run --prefix website -w integrations start
 
 docs-api-build:
-	corepack npm run --prefix website -w api build
+	npm run --prefix website -w api build
 
 docs-api-watch:  ## Build and watch the API documentation
-	corepack npm run --prefix website -w api generate
-	corepack npm run --prefix website -w api start
+	npm run --prefix website -w api generate
+	npm run --prefix website -w api start
 
 docs-api-clean: ## Clean generated API documentation
-	corepack npm run --prefix website -w api build:api:clean
+	npm run --prefix website -w api build:api:clean
 
 #########################
 ## Docker
@@ -367,7 +344,7 @@ ci-lint-clippy: ci--meta-debug
 	$(CARGO) clippy --workspace -- -D warnings
 
 ci-test: ci--meta-debug
-	$(UV) run coverage run manage.py test --keepdb --parallel auto authentik
+	$(UV) run coverage run manage.py test --keepdb authentik
 	$(UV) run coverage combine
 	$(UV) run coverage report
 	$(UV) run coverage xml

SECURITY.md

@@ -18,10 +18,10 @@ Even if the issue is not a CVE, we still greatly appreciate your help in hardeni
 
 (.x being the latest patch release for each version)
 
-| Version   | Supported |
-| --------- | --------- |
-| 2025.12.x | ✅        |
-| 2026.2.x  | ✅        |
+| Version    | Supported  |
+| ---------- | ---------- |
+| 2025.12.x  | ✅         |
+| 2026.2.x   | ✅         |
 
 ## Reporting a Vulnerability
 
@@ -90,10 +90,6 @@ Prompts intentionally allow raw HTML, including script tags, so they can be used
 
 Redirects that only change navigation flow and do not expose session tokens, API keys, or other confidential data are considered acceptable and do not require reporting.
 
-- Outgoing network requests are not filtered.
-
-The destinations of outgoing network requests (HTTP, TCP, etc.) made by authentik to configurable endpoints through objects such as OAuth Sources, SSO Providers, and others are not validated. Depending on your threat model, these requests should be restricted at the network level using appropriate firewall or network policies.
-
 ## Disclosure process
 
 1. Report from Github or Issue is reported via Email as listed above.

authentik/admin/files/backends/base.py

@@ -106,7 +106,6 @@ class Backend:
         self,
         name: str,
         request: HttpRequest | None = None,
-        use_cache: bool = True,
     ) -> dict[str, str] | None:
         """
         Get URLs for each theme variant when filename contains %(theme)s.
@@ -122,7 +121,7 @@ class Backend:
             return None
 
         return {
-            theme: self.file_url(substitute_theme(name, theme), request, use_cache=use_cache)
+            theme: self.file_url(substitute_theme(name, theme), request, use_cache=True)
             for theme in get_valid_themes()
         }
 

authentik/admin/files/backends/passthrough.py

@@ -51,7 +51,6 @@ class PassthroughBackend(Backend):
         self,
         name: str,
         request: HttpRequest | None = None,
-        use_cache: bool = True,
     ) -> dict[str, str] | None:
         """Support themed URLs for external URLs with %(theme)s placeholder.
 

authentik/admin/files/backends/s3.py

@@ -1,7 +1,7 @@
 from collections.abc import Generator, Iterator
 from contextlib import contextmanager
 from tempfile import SpooledTemporaryFile
-from urllib.parse import urlsplit, urlunsplit
+from urllib.parse import urlsplit
 
 import boto3
 from botocore.config import Config
@@ -164,19 +164,16 @@ class S3Backend(ManageableBackend):
         )
 
         def _file_url(name: str, request: HttpRequest | None) -> str:
-            client = self.client
             params = {
                 "Bucket": self.bucket_name,
                 "Key": f"{self.base_path}/{name}",
             }
 
-            operation_name = "GetObject"
-            operation_model = client.meta.service_model.operation_model(operation_name)
-            request_dict = client._convert_to_request_dict(
-                params,
-                operation_model,
-                endpoint_url=client.meta.endpoint_url,
-                context={"is_presign_request": True},
+            url = self.client.generate_presigned_url(
+                "get_object",
+                Params=params,
+                ExpiresIn=expires_in,
+                HttpMethod="GET",
             )
 
             # Support custom domain for S3-compatible storage (so not AWS)
@@ -186,8 +183,9 @@ class S3Backend(ManageableBackend):
                 CONFIG.get(f"storage.{self.name}.custom_domain", None),
             )
             if custom_domain:
+                parsed = urlsplit(url)
                 scheme = "https" if use_https else "http"
-                path = request_dict["url_path"]
+                path = parsed.path
 
                 # When using path-style addressing, the presigned URL contains the bucket
                 # name in the path (e.g., /bucket-name/key). Since custom_domain must
@@ -202,22 +200,9 @@ class S3Backend(ManageableBackend):
                 if not path.startswith("/"):
                     path = f"/{path}"
 
-                custom_base = urlsplit(f"{scheme}://{custom_domain}")
+                url = f"{scheme}://{custom_domain}{path}?{parsed.query}"
 
-                # Sign the final public URL instead of signing the internal S3 endpoint and
-                # rewriting it afterwards. Presigned SigV4 URLs include the host header in the
-                # canonical request, so post-sign host changes break strict backends like RustFS.
-                public_path = f"{custom_base.path.rstrip('/')}{path}" if custom_base.path else path
-                request_dict["url_path"] = public_path
-                request_dict["url"] = urlunsplit(
-                    (custom_base.scheme, custom_base.netloc, public_path, "", "")
-                )
-
-            return client._request_signer.generate_presigned_url(
-                request_dict,
-                operation_name,
-                expires_in=expires_in,
-            )
+            return url
 
         if use_cache:
             return self._cache_get_or_set(name, request, _file_url, expires_in)

authentik/admin/files/backends/tests/test_s3_backend.py

@@ -1,5 +1,4 @@
 from unittest import skipUnless
-from urllib.parse import parse_qs, urlsplit
 
 from botocore.exceptions import UnsupportedSignatureVersionError
 from django.test import TestCase
@@ -169,44 +168,6 @@ class TestS3Backend(FileTestS3BackendMixin, TestCase):
             f"URL: {url}",
         )
 
-    @CONFIG.patch("storage.s3.secure_urls", False)
-    @CONFIG.patch("storage.s3.addressing_style", "path")
-    def test_file_url_custom_domain_resigns_for_custom_host(self):
-        """Test presigned URLs are signed for the custom domain host.
-
-        Host-changing custom domains must produce a signature query string for
-        the public host, not reuse the internal endpoint signature.
-        """
-        bucket_name = self.media_s3_bucket_name
-        key_name = "application-icons/test.svg"
-        custom_domain = f"files.example.test:8020/{bucket_name}"
-
-        endpoint_signed_url = self.media_s3_backend.client.generate_presigned_url(
-            "get_object",
-            Params={
-                "Bucket": bucket_name,
-                "Key": f"{self.media_s3_backend.base_path}/{key_name}",
-            },
-            ExpiresIn=900,
-            HttpMethod="GET",
-        )
-
-        with CONFIG.patch("storage.media.s3.custom_domain", custom_domain):
-            custom_url = self.media_s3_backend.file_url(key_name, use_cache=False)
-
-        endpoint_parts = urlsplit(endpoint_signed_url)
-        custom_parts = urlsplit(custom_url)
-
-        self.assertEqual(custom_parts.scheme, "http")
-        self.assertEqual(custom_parts.netloc, "files.example.test:8020")
-        self.assertEqual(parse_qs(custom_parts.query)["X-Amz-SignedHeaders"], ["host"])
-        self.assertNotEqual(
-            custom_parts.query,
-            endpoint_parts.query,
-            "Custom-domain URLs must be signed for the public host, not reuse the endpoint "
-            "signature query string.",
-        )
-
     def test_themed_urls_without_theme_variable(self):
         """Test themed_urls returns None when filename has no %(theme)s"""
         result = self.media_s3_backend.themed_urls("logo.png")

authentik/admin/files/manager.py

@@ -74,10 +74,6 @@ class FileManager:
     ) -> str:
         """
         Get URL for accessing the file.
-
-        Set ``use_cache=False`` when the caller needs a fresh signed URL instead
-        of a cached one, for example when serializing flow/login payloads that
-        may be refreshed after the previous JWT has expired.
         """
         if not name:
             return ""
@@ -87,7 +83,7 @@ class FileManager:
 
         for backend in self.backends:
             if backend.supports_file(name):
-                return backend.file_url(name, request, use_cache=use_cache)
+                return backend.file_url(name, request)
 
         LOGGER.warning(f"Could not find file backend for file: {name}")
         return ""
@@ -96,14 +92,10 @@ class FileManager:
         self,
         name: str | None,
         request: HttpRequest | Request | None = None,
-        use_cache: bool = True,
     ) -> dict[str, str] | None:
         """
         Get URLs for each theme variant when filename contains %(theme)s.
 
-        ``use_cache`` has the same semantics as ``file_url()`` and allows
-        callers to force regeneration of expiring signed URLs.
-
         Returns dict mapping theme to URL if %(theme)s present, None otherwise.
         """
         if not name:
@@ -114,7 +106,7 @@ class FileManager:
 
         for backend in self.backends:
             if backend.supports_file(name):
-                return backend.themed_urls(name, request, use_cache=use_cache)
+                return backend.themed_urls(name, request)
 
         return None
 

authentik/admin/files/tests/test_manager.py

@@ -1,7 +1,6 @@
 """Test file service layer"""
 
 from unittest import skipUnless
-from unittest.mock import Mock
 from urllib.parse import urlparse
 
 from django.http import HttpRequest
@@ -54,19 +53,6 @@ class TestResolveFileUrlBasic(TestCase):
         result = manager.file_url("/static/authentik/sources/icon.svg")
         self.assertEqual(result, "/static/authentik/sources/icon.svg")
 
-    def test_file_url_forwards_use_cache(self):
-        """Test file_url forwards use_cache to backend."""
-        manager = FileManager(FileUsage.MEDIA)
-        backend = Mock()
-        backend.supports_file.return_value = True
-        backend.file_url.return_value = "/files/media/public/test.png?token=fresh"
-        manager.backends = [backend]
-
-        result = manager.file_url("test.png", use_cache=False)
-
-        self.assertEqual(result, "/files/media/public/test.png?token=fresh")
-        backend.file_url.assert_called_once_with("test.png", None, use_cache=False)
-
 
 class TestResolveFileUrlFileBackend(FileTestFileBackendMixin, TestCase):
     def test_resolve_storage_file(self):

authentik/api/pagination.py

@@ -1,18 +1,10 @@
 """Pagination which includes total pages and current page"""
 
-from typing import TYPE_CHECKING
-
 from drf_spectacular.plumbing import build_object_type
 from rest_framework import pagination
 from rest_framework.response import Response
 
-from authentik.api.search.ql import QLSearch
 from authentik.api.v3.schema.pagination import PAGINATION
-from authentik.api.v3.schema.search import AUTOCOMPLETE_SCHEMA
-
-if TYPE_CHECKING:
-    from django.db.models import QuerySet
-    from rest_framework.request import Request
 
 
 class Pagination(pagination.PageNumberPagination):
@@ -21,14 +13,14 @@ class Pagination(pagination.PageNumberPagination):
     page_query_param = "page"
     page_size_query_param = "page_size"
 
-    def get_page_size(self, request: Request) -> int:
+    def get_page_size(self, request):
         if self.page_size_query_param in request.query_params:
             page_size = super().get_page_size(request)
             if page_size is not None:
                 return min(super().get_page_size(request), request.tenant.pagination_max_page_size)
         return request.tenant.pagination_default_page_size
 
-    def get_paginated_response(self, data) -> Response:
+    def get_paginated_response(self, data):
         previous_page_number = 0
         if self.page.has_previous():
             previous_page_number = self.page.previous_page_number()
@@ -47,33 +39,16 @@ class Pagination(pagination.PageNumberPagination):
                     "end_index": self.page.end_index(),
                 },
                 "results": data,
-                "autocomplete": self.get_autocomplete(),
             }
         )
 
-    def paginate_queryset(self, queryset: QuerySet, request: Request, view=None):
-        self.view = view
-        return super().paginate_queryset(queryset, request, view)
-
-    def get_autocomplete(self):
-        schema = QLSearch().get_schema(self.request, self.view)
-        introspections = {}
-        if hasattr(self.view, "get_ql_fields"):
-            from authentik.api.search.schema import AKQLSchemaSerializer
-
-            introspections = AKQLSchemaSerializer().serialize(
-                schema(self.page.paginator.object_list.model)
-            )
-        return introspections
-
     def get_paginated_response_schema(self, schema):
         return build_object_type(
             properties={
                 "pagination": PAGINATION.ref,
                 "results": schema,
-                "autocomplete": AUTOCOMPLETE_SCHEMA.ref,
             },
-            required=["pagination", "results", "autocomplete"],
+            required=["pagination", "results"],
         )
 
 

authentik/api/tests/test_viewsets.py

@@ -1,73 +1,31 @@
 """authentik API Modelviewset tests"""
 
 from collections.abc import Callable
-from urllib.parse import urlencode
 
 from django.test import TestCase
 from rest_framework.viewsets import ModelViewSet, ReadOnlyModelViewSet
 
-from authentik.admin.api.version_history import VersionHistoryViewSet
 from authentik.api.v3.urls import router
-from authentik.core.tests.utils import RequestFactory, create_test_admin_user
-from authentik.lib.generators import generate_id
-from authentik.tenants.api.domains import DomainViewSet
-from authentik.tenants.api.tenants import TenantViewSet
-from authentik.tenants.utils import get_current_tenant
 
 
 class TestModelViewSets(TestCase):
     """Test Viewset"""
 
-    def setUp(self):
-        self.user = create_test_admin_user()
-        self.factory = RequestFactory()
 
-
-def viewset_tester_factory(test_viewset: type[ModelViewSet], full=True) -> dict[str, Callable]:
+def viewset_tester_factory(test_viewset: type[ModelViewSet]) -> Callable:
     """Test Viewset"""
 
-    def test_attrs(self: TestModelViewSets) -> None:
-        """Test attributes we require on all viewsets"""
-        self.assertIsNotNone(getattr(test_viewset, "ordering", None))
+    def tester(self: TestModelViewSets):
         self.assertIsNotNone(getattr(test_viewset, "search_fields", None))
+        self.assertIsNotNone(getattr(test_viewset, "ordering", None))
         filterset_class = getattr(test_viewset, "filterset_class", None)
         if not filterset_class:
             self.assertIsNotNone(getattr(test_viewset, "filterset_fields", None))
 
-    def test_ordering(self: TestModelViewSets) -> None:
-        """Test that all ordering fields are correct"""
-        view = test_viewset.as_view({"get": "list"})
-        for ordering_field in test_viewset.ordering:
-            with self.subTest(ordering_field):
-                req = self.factory.get(
-                    f"/?{urlencode({'ordering': ordering_field}, doseq=True)}", user=self.user
-                )
-                req.tenant = get_current_tenant()
-                res = view(req)
-                self.assertEqual(res.status_code, 200)
-
-    def test_search(self: TestModelViewSets) -> None:
-        """Test that search fields are correct"""
-        view = test_viewset.as_view({"get": "list"})
-        req = self.factory.get(
-            f"/?{urlencode({'search': generate_id()}, doseq=True)}", user=self.user
-        )
-        req.tenant = get_current_tenant()
-        res = view(req)
-        self.assertEqual(res.status_code, 200)
-
-    cases = {
-        "attrs": test_attrs,
-    }
-    if full:
-        cases["ordering"] = test_ordering
-        cases["search"] = test_search
-    return cases
+    return tester
 
 
 for _, viewset, _ in router.registry:
     if not issubclass(viewset, ModelViewSet | ReadOnlyModelViewSet):
         continue
-    full = viewset not in [VersionHistoryViewSet, DomainViewSet, TenantViewSet]
-    for test, case in viewset_tester_factory(viewset, full=full).items():
-        setattr(TestModelViewSets, f"test_viewset_{viewset.__name__}_{test}", case)
+    setattr(TestModelViewSets, f"test_viewset_{viewset.__name__}", viewset_tester_factory(viewset))

authentik/api/v3/schema/search.py

@@ -1,20 +0,0 @@
-from typing import TYPE_CHECKING
-
-from drf_spectacular.plumbing import ResolvedComponent, build_object_type
-
-if TYPE_CHECKING:
-    from drf_spectacular.generators import SchemaGenerator
-
-
-AUTOCOMPLETE_SCHEMA = ResolvedComponent(
-    name="Autocomplete",
-    object="Autocomplete",
-    type=ResolvedComponent.SCHEMA,
-    schema=build_object_type(additionalProperties={}),
-)
-
-
-def postprocess_schema_search_autocomplete(result, generator: SchemaGenerator, **kwargs):
-    generator.registry.register_on_missing(AUTOCOMPLETE_SCHEMA)
-
-    return result

authentik/blueprints/apps.py

@@ -3,6 +3,7 @@
 import traceback
 from collections.abc import Callable
 from importlib import import_module
+from inspect import ismethod
 
 from django.apps import AppConfig
 from django.conf import settings
@@ -71,19 +72,12 @@ class ManagedAppConfig(AppConfig):
 
     def _reconcile(self, prefix: str) -> None:
         for meth_name in dir(self):
-            # Check the attribute on the class to avoid evaluating @property descriptors.
-            # Using getattr(self, ...) on a @property would evaluate it, which can trigger
-            # expensive side effects (e.g. tenant_schedule_specs iterating all providers
-            # and running PolicyEngine queries for every user).
-            class_attr = getattr(type(self), meth_name, None)
-            if class_attr is None or isinstance(class_attr, property):
+            meth = getattr(self, meth_name)
+            if not ismethod(meth):
                 continue
-            if not callable(class_attr):
-                continue
-            category = getattr(class_attr, "_authentik_managed_reconcile", None)
+            category = getattr(meth, "_authentik_managed_reconcile", None)
             if category != prefix:
                 continue
-            meth = getattr(self, meth_name)
             name = meth_name.replace(prefix, "")
             try:
                 self.logger.debug("Starting reconciler", name=name)

authentik/blueprints/management/commands/apply_blueprint.py

@@ -1,6 +1,5 @@
 """Apply blueprint from commandline"""
 
-from argparse import ArgumentParser
 from sys import exit as sys_exit
 
 from django.core.management.base import BaseCommand, no_translations
@@ -32,5 +31,5 @@ class Command(BaseCommand):
                         sys_exit(1)
                     importer.apply()
 
-    def add_arguments(self, parser: ArgumentParser):
+    def add_arguments(self, parser):
         parser.add_argument("blueprints", nargs="+", type=str)

authentik/brands/models.py

@@ -101,23 +101,13 @@ class Brand(SerializerModel):
         """Get themed URLs for branding_favicon if it contains %(theme)s"""
         return get_file_manager(FileUsage.MEDIA).themed_urls(self.branding_favicon)
 
-    def branding_default_flow_background_url(self, request=None, use_cache: bool = True) -> str:
+    def branding_default_flow_background_url(self) -> str:
         """Get branding_default_flow_background URL"""
-        return get_file_manager(FileUsage.MEDIA).file_url(
-            self.branding_default_flow_background,
-            request,
-            use_cache=use_cache,
-        )
+        return get_file_manager(FileUsage.MEDIA).file_url(self.branding_default_flow_background)
 
-    def branding_default_flow_background_themed_urls(
-        self, request=None, use_cache: bool = True
-    ) -> dict[str, str] | None:
+    def branding_default_flow_background_themed_urls(self) -> dict[str, str] | None:
         """Get themed URLs for branding_default_flow_background if it contains %(theme)s"""
-        return get_file_manager(FileUsage.MEDIA).themed_urls(
-            self.branding_default_flow_background,
-            request,
-            use_cache=use_cache,
-        )
+        return get_file_manager(FileUsage.MEDIA).themed_urls(self.branding_default_flow_background)
 
     @property
     def serializer(self) -> type[Serializer]:

authentik/brands/tests.py

@@ -20,16 +20,11 @@ class TestBrands(APITestCase):
 
     def setUp(self):
         super().setUp()
+        self.default_flags = {}
+        for flag in Flag.available(visibility="public"):
+            self.default_flags[flag().key] = flag.get()
         Brand.objects.all().delete()
 
-    @property
-    def default_flags(self) -> dict[str, object]:
-        """Get current public flags.
-
-        Some tests define temporary Flag subclasses, so this can't be cached in setUp.
-        """
-        return {flag().key: flag.get() for flag in Flag.available(visibility="public")}
-
     def test_current_brand(self):
         """Test Current brand API"""
         brand = create_test_brand()

authentik/common/oauth/constants.py

@@ -5,7 +5,6 @@ from django.utils.translation import gettext_lazy as _
 
 GRANT_TYPE_AUTHORIZATION_CODE = "authorization_code"
 GRANT_TYPE_IMPLICIT = "implicit"
-GRANT_TYPE_HYBRID = "hybrid"
 GRANT_TYPE_REFRESH_TOKEN = "refresh_token"  # nosec
 GRANT_TYPE_CLIENT_CREDENTIALS = "client_credentials"
 GRANT_TYPE_PASSWORD = "password"  # nosec
@@ -22,9 +21,6 @@ PROMPT_CONSENT = "consent"
 PROMPT_LOGIN = "login"
 
 PLAN_CONTEXT_OIDC_LOGOUT_IFRAME_SESSIONS = "goauthentik.io/providers/oauth2/iframe_sessions"
-PLAN_CONTEXT_POST_LOGOUT_REDIRECT_URI = "goauthentik.io/providers/oauth2/post_logout_redirect_uri"
-
-OAUTH2_BINDING = "redirect"
 
 SCOPE_OPENID = "openid"
 SCOPE_OPENID_PROFILE = "profile"
@@ -41,9 +37,6 @@ TOKEN_TYPE = "Bearer"  # nosec
 
 SCOPE_AUTHENTIK_API = "goauthentik.io/api"
 
-# URI schemes that are forbidden for redirect URIs
-FORBIDDEN_URI_SCHEMES = {"javascript", "data", "vbscript"}
-
 # Read/write full user (including email)
 SCOPE_GITHUB_USER = "user"
 # Read user (without email)

authentik/common/saml/constants.py

@@ -30,8 +30,6 @@ SAML_BINDING_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
 
 SAML_STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
 
-DEFAULT_ISSUER = "authentik"
-
 DSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#dsa-sha1"
 RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
 # https://datatracker.ietf.org/doc/html/rfc4051#section-2.3.2

authentik/core/api/application_entitlements.py

@@ -47,8 +47,7 @@ class ApplicationEntitlementViewSet(UsedByMixin, ModelViewSet):
     search_fields = [
         "pbm_uuid",
         "name",
-        "app__name",
-        "app__slug",
+        "app",
         "attributes",
     ]
     filterset_fields = [

authentik/core/api/applications.py

@@ -36,13 +36,9 @@ from authentik.rbac.filters import ObjectFilter
 LOGGER = get_logger()
 
 
-def user_app_cache_key(
-    user_pk: str, page_number: int | None = None, only_with_launch_url: bool = False
-) -> str:
+def user_app_cache_key(user_pk: str, page_number: int | None = None) -> str:
     """Cache key where application list for user is saved"""
     key = f"{CACHE_PREFIX}app_access/{user_pk}"
-    if only_with_launch_url:
-        key += "/launch"
     if page_number:
         key += f"/{page_number}"
     return key
@@ -120,7 +116,6 @@ class ApplicationSerializer(ModelSerializer):
             "meta_publisher",
             "policy_engine_mode",
             "group",
-            "meta_hide",
         ]
         extra_kwargs = {
             "backchannel_providers": {"required": False},
@@ -279,17 +274,11 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
         if superuser_full_list and request.user.is_superuser:
             return super().list(request)
 
-        only_with_launch_url = (
-            str(request.query_params.get("only_with_launch_url", "false")).lower()
-        ) == "true"
+        only_with_launch_url = str(
+            request.query_params.get("only_with_launch_url", "false")
+        ).lower()
 
         queryset = self._filter_queryset_for_list(self.get_queryset())
-        queryset = queryset.exclude(meta_hide=True)
-        if only_with_launch_url:
-            # Pre-filter at DB level to skip expensive per-app policy evaluation
-            # for apps that can never appear in the launcher (no meta_launch_url
-            # and no provider, so no possible launch URL).
-            queryset = queryset.exclude(meta_launch_url="", provider__isnull=True)
         paginator: Pagination = self.paginator
         paginated_apps = paginator.paginate_queryset(queryset, request)
 
@@ -306,6 +295,7 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
             except ValueError as exc:
                 raise ValidationError from exc
             allowed_applications = self._get_allowed_applications(paginated_apps, user=for_user)
+            allowed_applications = self._expand_applications(allowed_applications)
 
             serializer = self.get_serializer(allowed_applications, many=True)
             return self.get_paginated_response(serializer.data)
@@ -315,26 +305,19 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
             allowed_applications = self._get_allowed_applications(paginated_apps)
         if should_cache:
             allowed_applications = cache.get(
-                user_app_cache_key(
-                    self.request.user.pk, paginator.page.number, only_with_launch_url
-                )
+                user_app_cache_key(self.request.user.pk, paginator.page.number)
             )
-            if allowed_applications:
-                # Re-fetch cached applications since pickled instances lose prefetched
-                # relationships, causing N+1 queries during serialization
-                allowed_applications = self._expand_applications(allowed_applications)
-            else:
+            if not allowed_applications:
                 LOGGER.debug("Caching allowed application list", page=paginator.page.number)
                 allowed_applications = self._get_allowed_applications(paginated_apps)
                 cache.set(
-                    user_app_cache_key(
-                        self.request.user.pk, paginator.page.number, only_with_launch_url
-                    ),
+                    user_app_cache_key(self.request.user.pk, paginator.page.number),
                     allowed_applications,
                     timeout=86400,
                 )
+        allowed_applications = self._expand_applications(allowed_applications)
 
-        if only_with_launch_url:
+        if only_with_launch_url == "true":
             allowed_applications = self._filter_applications_with_launch_url(allowed_applications)
 
         serializer = self.get_serializer(allowed_applications, many=True)

authentik/core/api/groups.py

@@ -7,7 +7,6 @@ from django.http import Http404
 from django.utils.translation import gettext as _
 from django_filters.filters import CharFilter, ModelMultipleChoiceFilter
 from django_filters.filterset import FilterSet
-from djangoql.schema import BoolField, StrField
 from drf_spectacular.utils import (
     OpenApiParameter,
     OpenApiResponse,
@@ -19,16 +18,13 @@ from rest_framework.authentication import SessionAuthentication
 from rest_framework.decorators import action
 from rest_framework.fields import CharField, IntegerField, SerializerMethodField
 from rest_framework.permissions import IsAuthenticated
-from rest_framework.relations import ManyRelatedField, PrimaryKeyRelatedField
+from rest_framework.relations import PrimaryKeyRelatedField
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.serializers import ListSerializer, ValidationError
 from rest_framework.viewsets import ModelViewSet
 
 from authentik.api.authentication import TokenAuthentication
-from authentik.api.search.fields import (
-    JSONSearchField,
-)
 from authentik.api.validation import validate
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import JSONDictField, ModelSerializer, PassiveSerializer
@@ -37,77 +33,6 @@ from authentik.endpoints.connectors.agent.auth import AgentAuth
 from authentik.rbac.api.roles import RoleSerializer
 from authentik.rbac.decorators import permission_required
 
-
-class BulkManyRelatedField(ManyRelatedField):
-    """ManyRelatedField that validates all PKs in a single query instead of one per PK."""
-
-    def to_internal_value(self, data):
-        if isinstance(data, str) or not hasattr(data, "__iter__"):
-            self.fail("not_a_list", input_type=type(data).__name__)
-        if not self.allow_empty and len(data) == 0:
-            self.fail("empty")
-
-        child = self.child_relation
-        pk_field = child.pk_field
-        # Coerce PKs through pk_field if defined
-        pk_map = {}
-        for item in data:
-            if isinstance(item, bool):
-                self.fail("incorrect_type", data_type=type(item).__name__)
-            pk = pk_field.to_internal_value(item) if pk_field else item
-            pk_map[pk] = item  # map coerced PK -> original value for error reporting
-
-        queryset = child.get_queryset()
-        # Use count to validate all PKs exist in a single query
-        found_count = queryset.filter(pk__in=pk_map.keys()).count()
-        if found_count < len(pk_map):
-            # Some PKs not found — fall back to per-PK checks for error reporting.
-            # This only runs when there's an actual validation error (rare path).
-            for pk, original in pk_map.items():
-                if not queryset.filter(pk=pk).exists():
-                    child.fail("does_not_exist", pk_value=original)
-
-        # Return raw PKs — Django's M2M set() accepts both objects and PKs,
-        # using get_prep_value() for type coercion. This avoids loading all
-        # objects into memory and avoids triggering post_init signals.
-        return list(pk_map.keys())
-
-    def to_representation(self, iterable):
-        # For non-prefetched querysets, get PKs directly without loading model instances.
-        # When prefetched, _result_cache is a list (possibly empty); when not, it's None.
-        if hasattr(iterable, "values_list") and getattr(iterable, "_result_cache", None) is None:
-            return list(iterable.values_list("pk", flat=True))
-        return super().to_representation(iterable)
-
-
-class BulkPrimaryKeyRelatedField(PrimaryKeyRelatedField):
-    """PrimaryKeyRelatedField that uses bulk validation when many=True."""
-
-    @classmethod
-    def many_init(cls, *args, **kwargs):
-        allow_empty = kwargs.pop("allow_empty", None)
-        max_length = kwargs.pop("max_length", None)
-        min_length = kwargs.pop("min_length", None)
-        child_relation = cls(*args, **kwargs)
-        list_kwargs = {
-            "child_relation": child_relation,
-        }
-        if allow_empty is not None:
-            list_kwargs["allow_empty"] = allow_empty
-        if max_length is not None:
-            list_kwargs["max_length"] = max_length
-        if min_length is not None:
-            list_kwargs["min_length"] = min_length
-        list_kwargs.update(
-            {
-                key: value
-                for key, value in kwargs.items()
-                if key in ("required", "default", "source")
-            }
-        )
-        return BulkManyRelatedField(**list_kwargs)
-
-
 PARTIAL_USER_SERIALIZER_MODEL_FIELDS = [
     "pk",
     "username",
@@ -150,7 +75,6 @@ class GroupSerializer(ModelSerializer):
     """Group Serializer"""
 
     attributes = JSONDictField(required=False)
-    users = BulkPrimaryKeyRelatedField(queryset=User.objects.all(), many=True, default=list)
     parents = PrimaryKeyRelatedField(queryset=Group.objects.all(), many=True, required=False)
     parents_obj = SerializerMethodField(allow_null=True)
     children_obj = SerializerMethodField(allow_null=True)
@@ -265,6 +189,9 @@ class GroupSerializer(ModelSerializer):
             "children_obj",
         ]
         extra_kwargs = {
+            "users": {
+                "default": list,
+            },
             "children": {
                 "required": False,
                 "default": list,
@@ -294,7 +221,6 @@ class GroupFilter(FilterSet):
     members_by_pk = ModelMultipleChoiceFilter(
         field_name="users",
         queryset=User.objects.all(),
-        distinct=False,
     )
 
     def filter_attributes(self, queryset, name, value):
@@ -339,6 +265,12 @@ class GroupViewSet(UsedByMixin, ModelViewSet):
     ]
 
     def get_ql_fields(self):
+        from djangoql.schema import BoolField, StrField
+
+        from authentik.enterprise.search.fields import (
+            JSONSearchField,
+        )
+
         return [
             StrField(Group, "name"),
             BoolField(Group, "is_superuser", nullable=True),
@@ -346,8 +278,7 @@ class GroupViewSet(UsedByMixin, ModelViewSet):
         ]
 
     def get_queryset(self):
-        # Always prefetch parents and children since their PKs are always serialized
-        base_qs = Group.objects.all().prefetch_related("roles", "parents", "children")
+        base_qs = Group.objects.all().prefetch_related("roles")
 
         if self.serializer_class(context={"request": self.request})._should_include_users:
             # Only fetch fields needed by PartialUserSerializer to reduce DB load and instantiation
@@ -358,9 +289,16 @@ class GroupViewSet(UsedByMixin, ModelViewSet):
                     queryset=User.objects.all().only(*PARTIAL_USER_SERIALIZER_MODEL_FIELDS),
                 )
             )
-        # When include_users=false, skip users prefetch entirely.
-        # BulkManyRelatedField.to_representation will use values_list to get PKs
-        # directly without loading User instances into memory.
+        else:
+            base_qs = base_qs.prefetch_related(
+                Prefetch("users", queryset=User.objects.all().only("id"))
+            )
+
+        if self.serializer_class(context={"request": self.request})._should_include_children:
+            base_qs = base_qs.prefetch_related("children")
+
+        if self.serializer_class(context={"request": self.request})._should_include_parents:
+            base_qs = base_qs.prefetch_related("parents")
 
         return base_qs
 

authentik/core/api/users.py

@@ -6,7 +6,6 @@ from typing import Any
 
 from django.contrib.auth import update_session_auth_hash
 from django.contrib.auth.models import AnonymousUser, Permission
-from django.db.models import Exists, OuterRef, Prefetch, Q
 from django.db.transaction import atomic
 from django.db.utils import IntegrityError
 from django.urls import reverse_lazy
@@ -14,7 +13,6 @@ from django.utils.http import urlencode
 from django.utils.text import slugify
 from django.utils.timezone import now
 from django.utils.translation import gettext as _
-from django.utils.translation import gettext_lazy
 from django_filters.filters import (
     BooleanFilter,
     CharFilter,
@@ -24,7 +22,6 @@ from django_filters.filters import (
     UUIDFilter,
 )
 from django_filters.filterset import FilterSet
-from djangoql.schema import BoolField, StrField
 from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import (
     OpenApiParameter,
@@ -58,10 +55,6 @@ from rest_framework.viewsets import ModelViewSet
 from structlog.stdlib import get_logger
 
 from authentik.api.authentication import TokenAuthentication
-from authentik.api.search.fields import (
-    ChoiceSearchField,
-    JSONSearchField,
-)
 from authentik.api.validation import validate
 from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT
 from authentik.brands.models import Brand
@@ -107,10 +100,6 @@ from authentik.stages.email.utils import TemplateEmailMessage
 
 LOGGER = get_logger()
 
-INVALID_PASSWORD_HASH_MESSAGE = gettext_lazy(
-    "Invalid password hash format. Must be a valid Django password hash."
-)
-
 
 class ParamUserSerializer(PassiveSerializer):
     """Partial serializer for query parameters to select a user"""
@@ -137,7 +126,7 @@ class PartialGroupSerializer(ModelSerializer):
 class UserSerializer(ModelSerializer):
     """User Serializer"""
 
-    is_superuser = SerializerMethodField()
+    is_superuser = BooleanField(read_only=True)
     avatar = SerializerMethodField()
     attributes = JSONDictField(required=False)
     groups = PrimaryKeyRelatedField(
@@ -174,14 +163,6 @@ class UserSerializer(ModelSerializer):
             return True
         return str(request.query_params.get("include_roles", "true")).lower() == "true"
 
-    @extend_schema_field(BooleanField)
-    def get_is_superuser(self, instance: User) -> bool:
-        """Use annotation if available to avoid N+1 query"""
-        ann = getattr(instance, "_annotated_is_superuser", None)
-        if ann is not None:
-            return ann
-        return instance.is_superuser
-
     @extend_schema_field(PartialGroupSerializer(many=True))
     def get_groups_obj(self, instance: User) -> list[PartialGroupSerializer] | None:
         if not self._should_include_groups:
@@ -195,79 +176,47 @@ class UserSerializer(ModelSerializer):
         return RoleSerializer(instance.roles, many=True).data
 
     def __init__(self, *args, **kwargs):
-        """Setting password and permissions directly is allowed only in blueprints."""
         super().__init__(*args, **kwargs)
         if SERIALIZER_CONTEXT_BLUEPRINT in self.context:
             self.fields["password"] = CharField(required=False, allow_null=True)
-            self.fields["password_hash"] = CharField(required=False, allow_null=True)
             self.fields["permissions"] = ListField(
                 required=False,
                 child=ChoiceField(choices=get_permission_choices()),
             )
 
     def create(self, validated_data: dict) -> User:
-        """Create a user, with blueprint-only password and permission writes."""
-        is_blueprint = SERIALIZER_CONTEXT_BLUEPRINT in self.context
-        if is_blueprint:
-            password = validated_data.pop("password", None)
-            password_hash = validated_data.pop("password_hash", None)
-            permissions = validated_data.pop("permissions", [])
-            self._validate_password_inputs(password, password_hash)
-
+        """If this serializer is used in the blueprint context, we allow for
+        directly setting a password. However should be done via the `set_password`
+        method instead of directly setting it like rest_framework."""
+        password = validated_data.pop("password", None)
+        perms_qs = Permission.objects.filter(
+            codename__in=[x.split(".")[1] for x in validated_data.pop("permissions", [])]
+        ).values_list("content_type__app_label", "codename")
+        perms_list = [f"{ct}.{name}" for ct, name in list(perms_qs)]
         instance: User = super().create(validated_data)
-        if is_blueprint:
-            self._set_password(instance, password, password_hash)
-            perms_qs = Permission.objects.filter(
-                codename__in=[permission.split(".")[1] for permission in permissions]
-            ).values_list("content_type__app_label", "codename")
-            perms_list = [f"{ct}.{name}" for ct, name in perms_qs]
-            instance.assign_perms_to_managed_role(perms_list)
-        self._ensure_password_not_empty(instance)
+        self._set_password(instance, password)
+        instance.assign_perms_to_managed_role(perms_list)
         return instance
 
     def update(self, instance: User, validated_data: dict) -> User:
-        """Update a user, with blueprint-only password and permission writes."""
-        is_blueprint = SERIALIZER_CONTEXT_BLUEPRINT in self.context
-        if is_blueprint:
-            password = validated_data.pop("password", None)
-            password_hash = validated_data.pop("password_hash", None)
-            permissions = validated_data.pop("permissions", [])
-            self._validate_password_inputs(password, password_hash)
-
+        """Same as `create` above, set the password directly if we're in a blueprint
+        context"""
+        password = validated_data.pop("password", None)
+        perms_qs = Permission.objects.filter(
+            codename__in=[x.split(".")[1] for x in validated_data.pop("permissions", [])]
+        ).values_list("content_type__app_label", "codename")
+        perms_list = [f"{ct}.{name}" for ct, name in list(perms_qs)]
         instance = super().update(instance, validated_data)
-        if is_blueprint:
-            self._set_password(instance, password, password_hash)
-            perms_qs = Permission.objects.filter(
-                codename__in=[permission.split(".")[1] for permission in permissions]
-            ).values_list("content_type__app_label", "codename")
-            perms_list = [f"{ct}.{name}" for ct, name in perms_qs]
-            instance.assign_perms_to_managed_role(perms_list)
-        self._ensure_password_not_empty(instance)
+        self._set_password(instance, password)
+        instance.assign_perms_to_managed_role(perms_list)
         return instance
 
-    def _validate_password_inputs(self, password: str | None, password_hash: str | None):
-        """Validate mutually-exclusive password inputs before any model mutation."""
-        if password is not None and password_hash is not None:
-            raise ValidationError(_("Cannot set both password and password_hash. Use only one."))
-        if password_hash is None:
-            return
-        try:
-            User.validate_password_hash(password_hash)
-        except ValueError as exc:
-            LOGGER.warning("Failed to identify password hash format", exc_info=exc)
-            raise ValidationError(INVALID_PASSWORD_HASH_MESSAGE) from exc
-
-    def _set_password(self, instance: User, password: str | None, password_hash: str | None = None):
-        """Set password from plain text or hash."""
-        if password_hash is not None:
-            instance.set_password_from_hash(password_hash)
-            instance.save()
-        elif password:
+    def _set_password(self, instance: User, password: str | None):
+        """Set password of user if we're in a blueprint context, and if it's an empty
+        string then use an unusable password"""
+        if SERIALIZER_CONTEXT_BLUEPRINT in self.context and password:
             instance.set_password(password)
             instance.save()
-
-    def _ensure_password_not_empty(self, instance: User):
-        """Store an explicit unusable password instead of an empty password field."""
         if len(instance.password) == 0:
             instance.set_unusable_password()
             instance.save()
@@ -436,12 +385,6 @@ class UserPasswordSetSerializer(PassiveSerializer):
     password = CharField(required=True)
 
 
-class UserPasswordHashSetSerializer(PassiveSerializer):
-    """Payload to set a users' password hash directly"""
-
-    password = CharField(required=True)
-
-
 class UserServiceAccountSerializer(PassiveSerializer):
     """Payload to create a service account"""
 
@@ -581,6 +524,13 @@ class UserViewSet(
     ]
 
     def get_ql_fields(self):
+        from djangoql.schema import BoolField, StrField
+
+        from authentik.enterprise.search.fields import (
+            ChoiceSearchField,
+            JSONSearchField,
+        )
+
         return [
             StrField(User, "username"),
             StrField(User, "name"),
@@ -593,30 +543,10 @@ class UserViewSet(
 
     def get_queryset(self):
         base_qs = User.objects.all().exclude_anonymous()
-        # Always prefetch groups since group PKs are always serialized.
-        # Use full prefetch when include_groups=true (for groups_obj), ID-only otherwise.
         if self.serializer_class(context={"request": self.request})._should_include_groups:
             base_qs = base_qs.prefetch_related("groups")
-        else:
-            base_qs = base_qs.prefetch_related(
-                Prefetch("groups", queryset=Group.objects.all().only("group_uuid"))
-            )
         if self.serializer_class(context={"request": self.request})._should_include_roles:
             base_qs = base_qs.prefetch_related("roles")
-        else:
-            base_qs = base_qs.prefetch_related(
-                Prefetch("roles", queryset=Role.objects.all().only("uuid"))
-            )
-        # Annotate is_superuser to avoid N+1 query per user
-        base_qs = base_qs.annotate(
-            _annotated_is_superuser=Exists(
-                Group.objects.filter(
-                    is_superuser=True,
-                ).filter(
-                    Q(users=OuterRef("pk")) | Q(descendant_nodes__descendant__users=OuterRef("pk"))
-                )
-            )
-        )
         return base_qs
 
     @extend_schema(
@@ -785,11 +715,6 @@ class UserViewSet(
         self.request.session.modified = True
         return Response(serializer.initial_data)
 
-    def _update_session_hash_after_password_change(self, request: Request, user: User):
-        if user.pk == request.user.pk and SESSION_KEY_IMPERSONATE_USER not in self.request.session:
-            LOGGER.debug("Updating session hash after password change")
-            update_session_auth_hash(self.request, user)
-
     @permission_required("authentik_core.reset_user_password")
     @extend_schema(
         request=UserPasswordSetSerializer,
@@ -813,45 +738,9 @@ class UserViewSet(
         except (ValidationError, IntegrityError) as exc:
             LOGGER.debug("Failed to set password", exc=exc)
             return Response(status=400)
-        self._update_session_hash_after_password_change(request, user)
-        return Response(status=204)
-
-    @permission_required("authentik_core.reset_user_password")
-    @extend_schema(
-        request=UserPasswordHashSetSerializer,
-        responses={
-            204: OpenApiResponse(description="Successfully changed password"),
-            400: OpenApiResponse(description="Bad request"),
-        },
-    )
-    @action(
-        detail=True,
-        methods=["POST"],
-        permission_classes=[IsAuthenticated],
-    )
-    @validate(UserPasswordHashSetSerializer)
-    def set_password_hash(
-        self, request: Request, pk: int, body: UserPasswordHashSetSerializer
-    ) -> Response:
-        """Set a user's password from a pre-hashed Django password value.
-
-        Submit the Django password hash in the shared ``password`` request field.
-
-        This updates authentik's local password verifier only. It does not attempt
-        to propagate the password change to LDAP or Kerberos because no raw password
-        is available from the request payload.
-        """
-        user: User = self.get_object()
-        try:
-            user.set_password_from_hash(body.validated_data["password"], request=request)
-            user.save()
-        except ValueError as exc:
-            LOGGER.debug("Failed to set password hash", exc=exc)
-            return Response(data={"password": [INVALID_PASSWORD_HASH_MESSAGE]}, status=400)
-        except (ValidationError, IntegrityError) as exc:
-            LOGGER.debug("Failed to set password hash", exc=exc)
-            return Response(status=400)
-        self._update_session_hash_after_password_change(request, user)
+        if user.pk == request.user.pk and SESSION_KEY_IMPERSONATE_USER not in self.request.session:
+            LOGGER.debug("Updating session hash after password change")
+            update_session_auth_hash(self.request, user)
         return Response(status=204)
 
     @permission_required("authentik_core.reset_user_password")

authentik/core/apps.py

@@ -7,12 +7,6 @@ from authentik.tasks.schedules.common import ScheduleSpec
 from authentik.tenants.flags import Flag
 
 
-class Setup(Flag[bool], key="setup"):
-
-    default = False
-    visibility = "system"
-
-
 class AppAccessWithoutBindings(Flag[bool], key="core_default_app_access"):
 
     default = True
@@ -32,10 +26,6 @@ class AuthentikCoreConfig(ManagedAppConfig):
     mountpoint = ""
     default = True
 
-    def import_related(self):
-        super().import_related()
-        self.import_module("authentik.core.setup.signals")
-
     @ManagedAppConfig.reconcile_tenant
     def source_inbuilt(self):
         """Reconcile inbuilt source"""

authentik/core/management/commands/hash_password.py

@@ -1,28 +0,0 @@
-"""Hash password using Django's password hashers"""
-
-from django.contrib.auth.hashers import make_password
-from django.core.management.base import BaseCommand, CommandError
-
-
-class Command(BaseCommand):
-    """Hash a password using Django's password hashers"""
-
-    help = "Hash a password for use with AUTHENTIK_BOOTSTRAP_PASSWORD_HASH"
-
-    def add_arguments(self, parser):
-        parser.add_argument(
-            "password",
-            type=str,
-            help="Password to hash",
-        )
-
-    def handle(self, *args, **options):
-        password = options["password"]
-
-        if not password:
-            raise CommandError("Password cannot be empty")
-        try:
-            hashed = make_password(password)
-            self.stdout.write(hashed)
-        except ValueError as exc:
-            raise CommandError(f"Error hashing password: {exc}") from exc

authentik/core/migrations/0058_setup.py

@@ -1,61 +0,0 @@
-# Generated by Django 5.2.13 on 2026-04-21 18:49
-from django.apps.registry import Apps
-
-from django.db.backends.base.schema import BaseDatabaseSchemaEditor
-
-from django.db import migrations
-
-
-def check_is_already_setup(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
-    from django.conf import settings
-    from authentik.flows.models import FlowAuthenticationRequirement
-
-    VersionHistory = apps.get_model("authentik_admin", "VersionHistory")
-    Flow = apps.get_model("authentik_flows", "Flow")
-    User = apps.get_model("authentik_core", "User")
-
-    db_alias = schema_editor.connection.alias
-
-    # Upgrading from a previous version
-    if not settings.TEST and VersionHistory.objects.using(db_alias).count() > 1:
-        return True
-    # OOBE flow sets itself to this authentication requirement once finished
-    if (
-        Flow.objects.using(db_alias)
-        .filter(
-            slug="initial-setup", authentication=FlowAuthenticationRequirement.REQUIRE_SUPERUSER
-        )
-        .exists()
-    ):
-        return True
-    # non-akadmin and non-guardian anonymous user exist
-    if (
-        User.objects.using(db_alias)
-        .exclude(username="akadmin")
-        .exclude(username="AnonymousUser")
-        .exists()
-    ):
-        return True
-    return False
-
-
-def update_setup_flag(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
-    from authentik.core.apps import Setup
-    from authentik.tenants.utils import get_current_tenant
-
-    is_already_setup = check_is_already_setup(apps, schema_editor)
-    if is_already_setup:
-        tenant = get_current_tenant()
-        tenant.flags[Setup().key] = True
-        tenant.save()
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("authentik_core", "0057_remove_user_groups_remove_user_user_permissions_and_more"),
-        # 0024_flow_authentication adds the `authentication` field.
-        ("authentik_flows", "0024_flow_authentication"),
-    ]
-
-    operations = [migrations.RunPython(update_setup_flag, migrations.RunPython.noop)]

authentik/core/migrations/0059_add_application_meta_hide.py

@@ -1,33 +0,0 @@
-# Generated by Django 5.2.12 on 2026-04-09 18:04
-
-from django.apps.registry import Apps
-from django.db import migrations, models
-from django.db.backends.base.schema import BaseDatabaseSchemaEditor
-
-
-def migrate_blank_launch_url(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
-    db_alias = schema_editor.connection.alias
-    Application = apps.get_model("authentik_core", "Application")
-
-    Application.objects.using(db_alias).filter(meta_launch_url="blank://blank").update(
-        meta_hide=True, meta_launch_url=""
-    )
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("authentik_core", "0058_setup"),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name="application",
-            name="meta_hide",
-            field=models.BooleanField(
-                default=False,
-                help_text="Hide this application from the user's My applications page.",
-            ),
-        ),
-        migrations.RunPython(migrate_blank_launch_url, migrations.RunPython.noop),
-    ]

authentik/core/models.py

@@ -10,7 +10,7 @@ from uuid import uuid4
 
 import pgtrigger
 from deepmerge import always_merger
-from django.contrib.auth.hashers import check_password, identify_hasher
+from django.contrib.auth.hashers import check_password
 from django.contrib.auth.models import AbstractUser, Permission
 from django.contrib.auth.models import UserManager as DjangoUserManager
 from django.contrib.sessions.base_session import AbstractBaseSession
@@ -560,33 +560,6 @@ class User(SerializerModel, AttributesMixin, AbstractUser):
         self.password_change_date = now()
         return super().set_password(raw_password)
 
-    @staticmethod
-    def validate_password_hash(password_hash: str):
-        """Validate that the value is a recognized Django password hash."""
-        identify_hasher(password_hash)  # Raises ValueError if invalid
-
-    def set_password_from_hash(self, password_hash: str, signal=True, sender=None, request=None):
-        """Set password directly from a pre-hashed value.
-
-        Unlike set_password(), this does not hash the input again. The provided value
-        must already be a valid Django password hash, and it is stored directly on the
-        user after validation.
-
-        Because no raw password is available, downstream password sync integrations
-        such as LDAP and Kerberos cannot be updated from this code path.
-
-        Raises ValueError if the hash format is not recognized.
-        """
-        self.validate_password_hash(password_hash)
-        if self.pk and signal:
-            from authentik.core.signals import password_hash_changed
-
-            if not sender:
-                sender = self
-            password_hash_changed.send(sender=sender, user=self, request=request)
-        self.password = password_hash
-        self.password_change_date = now()
-
     def check_password(self, raw_password: str) -> bool:
         """
         Return a boolean of whether the raw_password was correct. Handles
@@ -762,9 +735,6 @@ class Application(SerializerModel, PolicyBindingModel):
     meta_icon = FileField(default="", blank=True)
     meta_description = models.TextField(default="", blank=True)
     meta_publisher = models.TextField(default="", blank=True)
-    meta_hide = models.BooleanField(
-        default=False, help_text=_("Hide this application from the user's My applications page.")
-    )
 
     objects = ApplicationQuerySet.as_manager()
 
@@ -820,13 +790,9 @@ class Application(SerializerModel, PolicyBindingModel):
 
     def get_provider(self) -> Provider | None:
         """Get casted provider instance. Needs Application queryset with_provider"""
-        if hasattr(self, "_cached_provider"):
-            return self._cached_provider
         if not self.provider:
-            self._cached_provider = None
             return None
-        self._cached_provider = get_deepest_child(self.provider)
-        return self._cached_provider
+        return get_deepest_child(self.provider)
 
     def backchannel_provider_for[T: Provider](self, provider_type: type[T], **kwargs) -> T | None:
         """Get Backchannel provider for a specific type"""
@@ -985,34 +951,21 @@ class Source(ManagedModel, SerializerModel, PolicyBindingModel):
 
     objects = InheritanceManager()
 
-    def get_icon_url(self, request=None, use_cache: bool = True) -> str | None:
-        """Get the URL to the source icon."""
-        if not self.icon:
-            return None
-        return get_file_manager(FileUsage.MEDIA).file_url(self.icon, request, use_cache=use_cache)
-
     @property
     def icon_url(self) -> str | None:
         """Get the URL to the source icon"""
-        return self.get_icon_url()
-
-    def get_icon_themed_urls(
-        self,
-        request=None,
-        use_cache: bool = True,
-    ) -> dict[str, str] | None:
-        """Get themed URLs for icon if it contains %(theme)s."""
         if not self.icon:
             return None
-        return get_file_manager(FileUsage.MEDIA).themed_urls(
-            self.icon,
-            request,
-            use_cache=use_cache,
-        )
+
+        return get_file_manager(FileUsage.MEDIA).file_url(self.icon)
 
     @property
     def icon_themed_urls(self) -> dict[str, str] | None:
-        return self.get_icon_themed_urls()
+        """Get themed URLs for icon if it contains %(theme)s"""
+        if not self.icon:
+            return None
+
+        return get_file_manager(FileUsage.MEDIA).themed_urls(self.icon)
 
     def get_user_path(self) -> str:
         """Get user path, fallback to default for formatting errors"""

authentik/core/sessions.py

@@ -72,7 +72,6 @@ class SessionStore(SessionBase):
             #                  and their descriptors fail to initialize (e.g., missing storage)
             # TypeError - can happen with incompatible pickled objects
             # If any of these happen, just return an empty dictionary (an empty session)
-            LOGGER.warning("Failed to decode session data", exc_info=True)
             pass
         return {}
 

authentik/core/setup/signals.py

@@ -1,42 +0,0 @@
-from os import getenv
-
-from django.dispatch import receiver
-from structlog.stdlib import get_logger
-
-from authentik.blueprints.models import BlueprintInstance
-from authentik.blueprints.v1.importer import Importer
-from authentik.core.apps import Setup
-from authentik.root.signals import post_startup
-from authentik.tenants.models import Tenant
-
-BOOTSTRAP_BLUEPRINT = "system/bootstrap.yaml"
-
-LOGGER = get_logger()
-
-
-@receiver(post_startup)
-def post_startup_setup_bootstrap(sender, **_):
-    if (
-        not getenv("AUTHENTIK_BOOTSTRAP_PASSWORD")
-        and not getenv("AUTHENTIK_BOOTSTRAP_PASSWORD_HASH")
-        and not getenv("AUTHENTIK_BOOTSTRAP_TOKEN")
-    ):
-        return
-    LOGGER.info("Configuring authentik through bootstrap environment variables")
-    content = BlueprintInstance(path=BOOTSTRAP_BLUEPRINT).retrieve()
-    # If we have bootstrap credentials set, run bootstrap tasks outside of main server
-    # sync, so that we can sure the first start actually has working bootstrap
-    # credentials
-    for tenant in Tenant.objects.filter(ready=True):
-        if Setup.get(tenant=tenant):
-            LOGGER.info("Tenant is already setup, skipping", tenant=tenant.schema_name)
-            continue
-        with tenant:
-            importer = Importer.from_string(content)
-            valid, logs = importer.validate()
-            if not valid:
-                LOGGER.warning("Blueprint invalid", tenant=tenant.schema_name)
-                for log in logs:
-                    log.log()
-            importer.apply()
-            Setup.set(True, tenant=tenant)

authentik/core/setup/views.py

@@ -1,80 +0,0 @@
-from functools import lru_cache
-from http import HTTPMethod, HTTPStatus
-
-from django.contrib.staticfiles import finders
-from django.db import transaction
-from django.http import HttpRequest, HttpResponse
-from django.shortcuts import redirect
-from django.urls import reverse
-from django.views import View
-from structlog.stdlib import get_logger
-
-from authentik.blueprints.models import BlueprintInstance
-from authentik.core.apps import Setup
-from authentik.flows.models import Flow, FlowAuthenticationRequirement, in_memory_stage
-from authentik.flows.planner import FlowPlanner
-from authentik.flows.stage import StageView
-
-LOGGER = get_logger()
-FLOW_CONTEXT_START_BY = "goauthentik.io/core/setup/started-by"
-
-
-@lru_cache
-def read_static(path: str) -> str | None:
-    result = finders.find(path)
-    if not result:
-        return None
-    with open(result, encoding="utf8") as _file:
-        return _file.read()
-
-
-class SetupView(View):
-
-    setup_flow_slug = "initial-setup"
-
-    def dispatch(self, request: HttpRequest, *args, **kwargs):
-        if request.method != HTTPMethod.HEAD and Setup.get():
-            return redirect(reverse("authentik_core:root-redirect"))
-        return super().dispatch(request, *args, **kwargs)
-
-    def head(self, request: HttpRequest, *args, **kwargs):
-        if Setup.get():
-            return HttpResponse(status=HTTPStatus.SERVICE_UNAVAILABLE)
-        if not Flow.objects.filter(slug=self.setup_flow_slug).exists():
-            return HttpResponse(status=HTTPStatus.SERVICE_UNAVAILABLE)
-        return HttpResponse(status=HTTPStatus.OK)
-
-    def get(self, request: HttpRequest):
-        flow = Flow.objects.filter(slug=self.setup_flow_slug).first()
-        if not flow:
-            LOGGER.info("Setup flow does not exist yet, waiting for worker to finish")
-            return HttpResponse(
-                read_static("dist/standalone/loading/startup.html"),
-                status=HTTPStatus.SERVICE_UNAVAILABLE,
-            )
-        planner = FlowPlanner(flow)
-        plan = planner.plan(request, {FLOW_CONTEXT_START_BY: "setup"})
-        plan.append_stage(in_memory_stage(PostSetupStageView))
-        return plan.to_redirect(request, flow)
-
-
-class PostSetupStageView(StageView):
-    """Run post-setup tasks"""
-
-    def post(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
-        """Wrapper when this stage gets hit with a post request"""
-        return self.get(request, *args, **kwargs)
-
-    def get(self, requeset: HttpRequest, *args, **kwargs):
-        with transaction.atomic():
-            # Remember we're setup
-            Setup.set(True)
-            # Disable OOBE Blueprints
-            BlueprintInstance.objects.filter(
-                **{"metadata__labels__blueprints.goauthentik.io/system-oobe": "true"}
-            ).update(enabled=False)
-            # Make flow inaccessible
-            Flow.objects.filter(slug="initial-setup").update(
-                authentication=FlowAuthenticationRequirement.REQUIRE_SUPERUSER
-            )
-        return self.executor.stage_ok()

authentik/core/signals.py

@@ -24,8 +24,6 @@ from authentik.root.ws.consumer import build_device_group
 
 # Arguments: user: User, password: str
 password_changed = Signal()
-# Arguments: user: User, request: HttpRequest | None
-password_hash_changed = Signal()
 # Arguments: credentials: dict[str, any], request: HttpRequest,
 #            stage: Stage, context: dict[str, any]
 login_failed = Signal()

authentik/core/templates/login/base_full.html

@@ -12,7 +12,7 @@
 {% block head %}
 <style data-id="static-styles">
     :root {
-        --ak-global--background-image: url("{{ request.brand.branding_default_flow_background_url|iriencode|safe }}");
+        --ak-global--background-image: url("{{ request.brand.branding_default_flow_background_url }}");
     }
 </style>
 

authentik/core/tests/test_applications_api.py

@@ -129,7 +129,6 @@ class TestApplicationsAPI(APITestCase):
                         "meta_icon_url": None,
                         "meta_icon_themed_urls": None,
                         "meta_description": "",
-                        "meta_hide": False,
                         "meta_publisher": "",
                         "policy_engine_mode": "any",
                     },
@@ -188,14 +187,12 @@ class TestApplicationsAPI(APITestCase):
                         "meta_icon_url": None,
                         "meta_icon_themed_urls": None,
                         "meta_description": "",
-                        "meta_hide": False,
                         "meta_publisher": "",
                         "policy_engine_mode": "any",
                     },
                     {
                         "launch_url": None,
                         "meta_description": "",
-                        "meta_hide": False,
                         "meta_icon": "",
                         "meta_icon_url": None,
                         "meta_icon_themed_urls": None,

authentik/core/tests/test_hash_password_command.py

@@ -1,28 +0,0 @@
-"""Tests for hash_password management command."""
-
-from io import StringIO
-
-from django.contrib.auth.hashers import check_password
-from django.core.management import call_command
-from django.core.management.base import CommandError
-from django.test import TestCase
-
-
-class TestHashPasswordCommand(TestCase):
-    """Test hash_password management command."""
-
-    def test_hash_password(self):
-        """Test hashing a password."""
-        out = StringIO()
-        call_command("hash_password", "test123", stdout=out)
-        hashed = out.getvalue().strip()
-
-        self.assertTrue(hashed.startswith("pbkdf2_sha256$"))
-        self.assertTrue(check_password("test123", hashed))
-
-    def test_hash_password_empty_fails(self):
-        """Test that empty password raises error."""
-        with self.assertRaises(CommandError) as ctx:
-            call_command("hash_password", "")
-
-        self.assertIn("Password cannot be empty", str(ctx.exception))

authentik/core/tests/test_interface_views.py

@@ -4,7 +4,6 @@ from django.test import TestCase
 from django.urls import reverse
 
 from authentik.brands.models import Brand
-from authentik.core.apps import Setup
 from authentik.core.models import Application, UserTypes
 from authentik.core.tests.utils import create_test_brand, create_test_user
 
@@ -13,7 +12,6 @@ class TestInterfaceRedirects(TestCase):
     """Test RootRedirectView and BrandDefaultRedirectView redirect logic by user type"""
 
     def setUp(self):
-        Setup.set(True)
         self.app = Application.objects.create(name="test-app", slug="test-app")
         self.brand: Brand = create_test_brand(default_application=self.app)
 

authentik/core/tests/test_models.py

@@ -2,7 +2,6 @@
 
 from collections.abc import Callable
 from datetime import timedelta
-from unittest.mock import patch
 
 from django.test import RequestFactory, TestCase
 from django.utils.timezone import now
@@ -11,7 +10,6 @@ from guardian.shortcuts import get_anonymous_user
 
 from authentik.core.models import Provider, Source, Token
 from authentik.events.models import Event, EventAction
-from authentik.flows.models import Flow
 from authentik.lib.generators import generate_id
 from authentik.lib.utils.reflection import all_subclasses
 
@@ -49,58 +47,6 @@ class TestModels(TestCase):
             event.context["deprecation"], "authentik.core.models.Token.filter_not_expired"
         )
 
-    @patch("authentik.core.models.get_file_manager")
-    def test_source_icon_url_can_bypass_cache(self, get_file_manager):
-        request = RequestFactory().get("/")
-        manager = get_file_manager.return_value
-        manager.file_url.return_value = "/files/media/public/source-icons/icon.svg?token=fresh"
-
-        source = Source(icon="source-icons/icon.svg")
-
-        self.assertEqual(
-            source.get_icon_url(request, use_cache=False),
-            "/files/media/public/source-icons/icon.svg?token=fresh",
-        )
-        manager.file_url.assert_called_once_with(
-            "source-icons/icon.svg",
-            request,
-            use_cache=False,
-        )
-
-    @patch("authentik.flows.models.get_file_manager")
-    def test_flow_background_urls_can_bypass_cache(self, get_file_manager):
-        request = RequestFactory().get("/")
-        manager = get_file_manager.return_value
-        manager.file_url.return_value = "/files/media/public/background.svg?token=fresh"
-        manager.themed_urls.return_value = {
-            "light": "/files/media/public/background-light.svg?token=fresh",
-            "dark": "/files/media/public/background-dark.svg?token=fresh",
-        }
-
-        flow = Flow(background="background-%(theme)s.svg")
-
-        self.assertEqual(
-            flow.background_url(request, use_cache=False),
-            "/files/media/public/background.svg?token=fresh",
-        )
-        self.assertEqual(
-            flow.background_themed_urls(request, use_cache=False),
-            {
-                "light": "/files/media/public/background-light.svg?token=fresh",
-                "dark": "/files/media/public/background-dark.svg?token=fresh",
-            },
-        )
-        manager.file_url.assert_called_once_with(
-            "background-%(theme)s.svg",
-            request,
-            use_cache=False,
-        )
-        manager.themed_urls.assert_called_once_with(
-            "background-%(theme)s.svg",
-            request,
-            use_cache=False,
-        )
-
 
 def source_tester_factory(test_model: type[Source]) -> Callable:
     """Test source"""

authentik/core/tests/test_setup.py

@@ -1,174 +0,0 @@
-from http import HTTPStatus
-from os import environ
-
-from django.contrib.auth.hashers import make_password
-from django.urls import reverse
-
-from authentik.blueprints.tests import apply_blueprint
-from authentik.core.apps import Setup
-from authentik.core.models import Token, TokenIntents, User
-from authentik.flows.models import Flow
-from authentik.flows.tests import FlowTestCase
-from authentik.lib.generators import generate_id
-from authentik.root.signals import post_startup, pre_startup
-from authentik.tenants.flags import patch_flag
-
-
-class TestSetup(FlowTestCase):
-    def tearDown(self):
-        environ.pop("AUTHENTIK_BOOTSTRAP_PASSWORD", None)
-        environ.pop("AUTHENTIK_BOOTSTRAP_PASSWORD_HASH", None)
-        environ.pop("AUTHENTIK_BOOTSTRAP_TOKEN", None)
-
-    @patch_flag(Setup, True)
-    def test_setup(self):
-        """Test existing instance"""
-        res = self.client.get(reverse("authentik_core:root-redirect"))
-        self.assertEqual(res.status_code, HTTPStatus.FOUND)
-        self.assertRedirects(
-            res,
-            reverse("authentik_flows:default-authentication") + "?next=/",
-            fetch_redirect_response=False,
-        )
-
-        res = self.client.head(reverse("authentik_core:setup"))
-        self.assertEqual(res.status_code, HTTPStatus.SERVICE_UNAVAILABLE)
-
-        res = self.client.get(reverse("authentik_core:setup"))
-        self.assertEqual(res.status_code, HTTPStatus.FOUND)
-        self.assertRedirects(
-            res,
-            reverse("authentik_core:root-redirect"),
-            fetch_redirect_response=False,
-        )
-
-    @patch_flag(Setup, False)
-    def test_not_setup_no_flow(self):
-        """Test case on initial startup; setup flag is not set and oobe flow does
-        not exist yet"""
-        Flow.objects.filter(slug="initial-setup").delete()
-        res = self.client.get(reverse("authentik_core:root-redirect"))
-        self.assertEqual(res.status_code, HTTPStatus.FOUND)
-        self.assertRedirects(res, reverse("authentik_core:setup"), fetch_redirect_response=False)
-        # Flow does not exist, hence 503
-        res = self.client.get(reverse("authentik_core:setup"))
-        self.assertEqual(res.status_code, HTTPStatus.SERVICE_UNAVAILABLE)
-        res = self.client.head(reverse("authentik_core:setup"))
-        self.assertEqual(res.status_code, HTTPStatus.SERVICE_UNAVAILABLE)
-
-    @patch_flag(Setup, False)
-    @apply_blueprint("default/flow-oobe.yaml")
-    def test_not_setup(self):
-        """Test case for when worker comes up, and has created flow"""
-        res = self.client.get(reverse("authentik_core:root-redirect"))
-        self.assertEqual(res.status_code, HTTPStatus.FOUND)
-        self.assertRedirects(res, reverse("authentik_core:setup"), fetch_redirect_response=False)
-        # Flow does not exist, hence 503
-        res = self.client.head(reverse("authentik_core:setup"))
-        self.assertEqual(res.status_code, HTTPStatus.OK)
-        res = self.client.get(reverse("authentik_core:setup"))
-        self.assertEqual(res.status_code, HTTPStatus.FOUND)
-        self.assertRedirects(
-            res,
-            reverse("authentik_core:if-flow", kwargs={"flow_slug": "initial-setup"}),
-            fetch_redirect_response=False,
-        )
-
-    @apply_blueprint("default/flow-oobe.yaml")
-    @apply_blueprint("system/bootstrap.yaml")
-    def test_setup_flow_full(self):
-        """Test full setup flow"""
-        Setup.set(False)
-
-        res = self.client.get(reverse("authentik_core:setup"))
-        self.assertEqual(res.status_code, HTTPStatus.FOUND)
-        self.assertRedirects(
-            res,
-            reverse("authentik_core:if-flow", kwargs={"flow_slug": "initial-setup"}),
-            fetch_redirect_response=False,
-        )
-
-        res = self.client.get(
-            reverse("authentik_api:flow-executor", kwargs={"flow_slug": "initial-setup"}),
-        )
-        self.assertEqual(res.status_code, HTTPStatus.OK)
-        self.assertStageResponse(res, component="ak-stage-prompt")
-
-        pw = generate_id()
-        res = self.client.post(
-            reverse("authentik_api:flow-executor", kwargs={"flow_slug": "initial-setup"}),
-            {
-                "email": f"{generate_id()}@t.goauthentik.io",
-                "password": pw,
-                "password_repeat": pw,
-                "component": "ak-stage-prompt",
-            },
-        )
-        self.assertEqual(res.status_code, HTTPStatus.FOUND)
-
-        res = self.client.get(
-            reverse("authentik_api:flow-executor", kwargs={"flow_slug": "initial-setup"}),
-        )
-        self.assertEqual(res.status_code, HTTPStatus.FOUND)
-
-        res = self.client.get(
-            reverse("authentik_api:flow-executor", kwargs={"flow_slug": "initial-setup"}),
-        )
-        self.assertEqual(res.status_code, HTTPStatus.FOUND)
-
-        res = self.client.get(
-            reverse("authentik_api:flow-executor", kwargs={"flow_slug": "initial-setup"}),
-        )
-        self.assertEqual(res.status_code, HTTPStatus.OK)
-
-        self.assertTrue(Setup.get())
-        user = User.objects.get(username="akadmin")
-        self.assertTrue(user.check_password(pw))
-
-    @patch_flag(Setup, False)
-    @apply_blueprint("default/flow-oobe.yaml")
-    @apply_blueprint("system/bootstrap.yaml")
-    def test_setup_flow_direct(self):
-        """Test setup flow, directly accessing the flow"""
-        res = self.client.get(
-            reverse("authentik_api:flow-executor", kwargs={"flow_slug": "initial-setup"})
-        )
-        self.assertStageResponse(
-            res,
-            component="ak-stage-access-denied",
-            error_message="Access the authentik setup by navigating to http://testserver/",
-        )
-
-    def test_setup_bootstrap_env(self):
-        """Test setup with env vars"""
-        User.objects.filter(username="akadmin").delete()
-        Setup.set(False)
-
-        environ["AUTHENTIK_BOOTSTRAP_PASSWORD"] = generate_id()
-        environ["AUTHENTIK_BOOTSTRAP_TOKEN"] = generate_id()
-        pre_startup.send(sender=self)
-        post_startup.send(sender=self)
-
-        self.assertTrue(Setup.get())
-        user = User.objects.get(username="akadmin")
-        self.assertTrue(user.check_password(environ["AUTHENTIK_BOOTSTRAP_PASSWORD"]))
-
-        token = Token.objects.filter(identifier="authentik-bootstrap-token").first()
-        self.assertEqual(token.intent, TokenIntents.INTENT_API)
-        self.assertEqual(token.key, environ["AUTHENTIK_BOOTSTRAP_TOKEN"])
-
-    def test_setup_bootstrap_env_password_hash(self):
-        """Test setup with password hash env var"""
-        User.objects.filter(username="akadmin").delete()
-        Setup.set(False)
-
-        password = generate_id()
-        password_hash = make_password(password)
-        environ["AUTHENTIK_BOOTSTRAP_PASSWORD_HASH"] = password_hash
-        pre_startup.send(sender=self)
-        post_startup.send(sender=self)
-
-        self.assertTrue(Setup.get())
-        user = User.objects.get(username="akadmin")
-        self.assertEqual(user.password, password_hash)
-        self.assertTrue(user.check_password(password))

authentik/core/tests/test_users.py

@@ -1,15 +1,8 @@
 """user tests"""
 
-from unittest.mock import patch
-
-from django.contrib.auth.hashers import make_password
 from django.test.testcases import TestCase
-from rest_framework.exceptions import ValidationError
 
-from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT
-from authentik.core.api.users import UserSerializer
 from authentik.core.models import User
-from authentik.core.signals import password_changed, password_hash_changed
 from authentik.events.models import Event
 from authentik.lib.generators import generate_id
 
@@ -40,99 +33,3 @@ class TestUsers(TestCase):
         self.assertEqual(Event.objects.count(), 1)
         user.ak_groups.all()
         self.assertEqual(Event.objects.count(), 1)
-
-    def test_set_password_from_hash_signal_skips_source_sync_receivers(self):
-        """Test hash password updates do not expose a raw password to sync receivers."""
-        user = User.objects.create(
-            username=generate_id(),
-            attributes={"distinguishedName": "cn=test,ou=users,dc=example,dc=com"},
-        )
-        password_changed_captured = []
-        password_hash_changed_captured = []
-        dispatch_uid = generate_id()
-        hash_dispatch_uid = generate_id()
-
-        def password_changed_receiver(sender, **kwargs):
-            password_changed_captured.append(kwargs)
-
-        def password_hash_changed_receiver(sender, **kwargs):
-            password_hash_changed_captured.append(kwargs)
-
-        password_changed.connect(password_changed_receiver, dispatch_uid=dispatch_uid)
-        password_hash_changed.connect(
-            password_hash_changed_receiver, dispatch_uid=hash_dispatch_uid
-        )
-        try:
-            with (
-                patch(
-                    "authentik.sources.ldap.signals.LDAPSource.objects.filter"
-                ) as ldap_sources_filter,
-                patch(
-                    "authentik.sources.kerberos.signals."
-                    "UserKerberosSourceConnection.objects.select_related"
-                ) as kerberos_connections_select,
-            ):
-                user.set_password_from_hash(make_password("new-password"))  # nosec
-                user.save()
-        finally:
-            password_changed.disconnect(dispatch_uid=dispatch_uid)
-            password_hash_changed.disconnect(dispatch_uid=hash_dispatch_uid)
-
-        self.assertEqual(password_changed_captured, [])
-        self.assertEqual(len(password_hash_changed_captured), 1)
-        ldap_sources_filter.assert_not_called()
-        kerberos_connections_select.assert_not_called()
-
-
-class TestUserSerializerPasswordHash(TestCase):
-    """Test UserSerializer password_hash support in blueprint context."""
-
-    def test_password_hash_sets_password_directly(self):
-        """Test a valid password hash is stored without re-hashing."""
-        password = "test-password-123"  # nosec
-        password_hash = make_password(password)
-        serializer = UserSerializer(
-            data={
-                "username": generate_id(),
-                "name": "Test User",
-                "password_hash": password_hash,
-            },
-            context={SERIALIZER_CONTEXT_BLUEPRINT: True},
-        )
-
-        self.assertTrue(serializer.is_valid(), serializer.errors)
-        user = serializer.save()
-
-        self.assertEqual(user.password, password_hash)
-        self.assertTrue(user.check_password(password))
-        self.assertIsNotNone(user.password_change_date)
-
-    def test_password_hash_rejects_invalid_format(self):
-        """Test invalid password hash values are rejected."""
-        serializer = UserSerializer(
-            data={
-                "username": generate_id(),
-                "name": "Test User",
-                "password_hash": "not-a-valid-hash",
-            },
-            context={SERIALIZER_CONTEXT_BLUEPRINT: True},
-        )
-
-        self.assertTrue(serializer.is_valid(), serializer.errors)
-        with self.assertRaises(ValidationError) as ctx:
-            serializer.save()
-
-        self.assertIn("Invalid password hash format", str(ctx.exception))
-
-    def test_password_hash_ignored_outside_blueprint_context(self):
-        """Test password_hash is not accepted by the regular serializer."""
-        serializer = UserSerializer(
-            data={
-                "username": generate_id(),
-                "name": "Test User",
-                "password_hash": make_password("test"),  # nosec
-            }
-        )
-
-        self.assertTrue(serializer.is_valid(), serializer.errors)
-        self.assertNotIn("password_hash", serializer.validated_data)

authentik/core/tests/test_users_api.py

@@ -3,7 +3,6 @@
 from datetime import datetime, timedelta
 from json import loads
 
-from django.contrib.auth.hashers import make_password
 from django.urls.base import reverse
 from django.utils.timezone import now
 from rest_framework.test import APITestCase
@@ -27,9 +26,6 @@ from authentik.flows.models import FlowAuthenticationRequirement, FlowDesignatio
 from authentik.lib.generators import generate_id, generate_key
 from authentik.stages.email.models import EmailStage
 
-INVALID_PASSWORD_HASH = "not-a-valid-hash"
-INVALID_PASSWORD_HASH_ERROR = "Invalid password hash format. Must be a valid Django password hash."
-
 
 class TestUsersAPI(APITestCase):
     """Test Users API"""
@@ -38,20 +34,6 @@ class TestUsersAPI(APITestCase):
         self.admin = create_test_admin_user()
         self.user = create_test_user()
 
-    def _set_password_hash(self, user: User, password_hash: str, client=None):
-        return (client or self.client).post(
-            reverse("authentik_api:user-set-password-hash", kwargs={"pk": user.pk}),
-            data={"password": password_hash},
-        )
-
-    def _assert_password_hash_set(
-        self, user: User, password: str, password_hash: str, response
-    ) -> None:
-        self.assertEqual(response.status_code, 204, response.data)
-        user.refresh_from_db()
-        self.assertEqual(user.password, password_hash)
-        self.assertTrue(user.check_password(password))
-
     def test_filter_type(self):
         """Test API filtering by type"""
         self.client.force_login(self.admin)
@@ -131,26 +113,6 @@ class TestUsersAPI(APITestCase):
         self.assertEqual(response.status_code, 400)
         self.assertJSONEqual(response.content, {"password": ["This field may not be blank."]})
 
-    def test_set_password_hash(self):
-        """Test setting a user's password from a hash."""
-        self.client.force_login(self.admin)
-        password = generate_key()
-        password_hash = make_password(password)
-        response = self._set_password_hash(self.user, password_hash)
-
-        self._assert_password_hash_set(self.user, password, password_hash, response)
-
-    def test_set_password_hash_invalid(self):
-        """Test invalid password hashes are rejected."""
-        self.client.force_login(self.admin)
-        response = self._set_password_hash(self.user, INVALID_PASSWORD_HASH)
-
-        self.assertEqual(response.status_code, 400)
-        self.assertJSONEqual(
-            response.content,
-            {"password": [INVALID_PASSWORD_HASH_ERROR]},
-        )
-
     def test_recovery(self):
         """Test user recovery link"""
         flow = create_test_flow(
@@ -299,29 +261,6 @@ class TestUsersAPI(APITestCase):
         self.assertTrue(token_filter.exists())
         self.assertTrue(token_filter.first().expiring)
 
-    def test_service_account_set_password_hash(self):
-        """Service account password hash can be set through the API."""
-        self.client.force_login(self.admin)
-        response = self.client.post(
-            reverse("authentik_api:user-service-account"),
-            data={
-                "name": "test-sa",
-                "create_group": False,
-            },
-        )
-        self.assertEqual(response.status_code, 200, response.data)
-        body = loads(response.content)
-
-        user = User.objects.get(pk=body["user_pk"])
-        self.assertEqual(user.type, UserTypes.SERVICE_ACCOUNT)
-        self.assertFalse(user.has_usable_password())
-
-        password = generate_key()
-        password_hash = make_password(password)
-        response = self._set_password_hash(user, password_hash)
-
-        self._assert_password_hash_set(user, password, password_hash, response)
-
     def test_service_account_no_expire(self):
         """Service account creation without token expiration"""
         self.client.force_login(self.admin)

authentik/core/urls.py

@@ -1,6 +1,7 @@
 """authentik URL Configuration"""
 
 from django.conf import settings
+from django.contrib.auth.decorators import login_required
 from django.urls import path
 
 from authentik.core.api.application_entitlements import ApplicationEntitlementViewSet
@@ -18,7 +19,6 @@ from authentik.core.api.sources import (
 from authentik.core.api.tokens import TokenViewSet
 from authentik.core.api.transactional_applications import TransactionalApplicationView
 from authentik.core.api.users import UserViewSet
-from authentik.core.setup.views import SetupView
 from authentik.core.views.apps import RedirectToAppLaunch
 from authentik.core.views.debug import AccessDeniedView
 from authentik.core.views.interface import (
@@ -35,7 +35,7 @@ from authentik.tenants.channels import TenantsAwareMiddleware
 urlpatterns = [
     path(
         "",
-        RootRedirectView.as_view(),
+        login_required(RootRedirectView.as_view()),
         name="root-redirect",
     ),
     path(
@@ -62,11 +62,6 @@ urlpatterns = [
         FlowInterfaceView.as_view(),
         name="if-flow",
     ),
-    path(
-        "setup",
-        SetupView.as_view(),
-        name="setup",
-    ),
     # Fallback for WS
     path("ws/outpost/<uuid:pk>/", InterfaceView.as_view(template_name="if/admin.html")),
     path(

authentik/core/views/interface.py

@@ -3,7 +3,6 @@
 from json import dumps
 from typing import Any
 
-from django.contrib.auth.mixins import AccessMixin
 from django.http import HttpRequest
 from django.http.response import HttpResponse
 from django.shortcuts import redirect
@@ -15,13 +14,12 @@ from authentik.admin.tasks import LOCAL_VERSION
 from authentik.api.v3.config import ConfigView
 from authentik.brands.api import CurrentBrandSerializer
 from authentik.brands.models import Brand
-from authentik.core.apps import Setup
 from authentik.core.models import UserTypes
 from authentik.lib.config import CONFIG
 from authentik.policies.denied import AccessDeniedResponse
 
 
-class RootRedirectView(AccessMixin, RedirectView):
+class RootRedirectView(RedirectView):
     """Root redirect view, redirect to brand's default application if set"""
 
     pattern_name = "authentik_core:if-user"
@@ -42,10 +40,6 @@ class RootRedirectView(AccessMixin, RedirectView):
         return None
 
     def dispatch(self, request: HttpRequest, *args: Any, **kwargs: Any) -> HttpResponse:
-        if not Setup.get():
-            return redirect("authentik_core:setup")
-        if not request.user.is_authenticated:
-            return self.handle_no_permission()
         if redirect_response := RootRedirectView().redirect_to_app(request):
             return redirect_response
         return super().dispatch(request, *args, **kwargs)

authentik/endpoints/connectors/agent/controller.py

@@ -138,7 +138,13 @@ class AgentConnectorController(BaseController[AgentConnector]):
                             "AllowDeviceIdentifiersInAttestation": True,
                             "AuthenticationMethod": "UserSecureEnclaveKey",
                             "EnableAuthorization": True,
+                            "EnableCreateUserAtLogin": True,
+                            "FileVaultPolicy": ["RequireAuthentication"],
+                            "LoginPolicy": ["RequireAuthentication"],
+                            "NewUserAuthorizationMode": "Standard",
+                            "UnlockPolicy": ["RequireAuthentication"],
                             "UseSharedDeviceKeys": True,
+                            "UserAuthorizationMode": "Standard",
                         },
                     },
                 ],

authentik/endpoints/connectors/agent/migrations/0005_appleindependentsecureenclave.py

@@ -1,54 +0,0 @@
-# Generated by Django 5.2.12 on 2026-03-06 14:38
-
-import django.db.models.deletion
-import uuid
-from django.conf import settings
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        (
-            "authentik_endpoints_connectors_agent",
-            "0004_agentconnector_challenge_idle_timeout_and_more",
-        ),
-        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
-    ]
-
-    operations = [
-        migrations.CreateModel(
-            name="AppleIndependentSecureEnclave",
-            fields=[
-                ("created", models.DateTimeField(auto_now_add=True)),
-                ("last_updated", models.DateTimeField(auto_now=True)),
-                (
-                    "name",
-                    models.CharField(
-                        help_text="The human-readable name of this device.", max_length=64
-                    ),
-                ),
-                (
-                    "confirmed",
-                    models.BooleanField(default=True, help_text="Is this device ready for use?"),
-                ),
-                ("last_used", models.DateTimeField(null=True)),
-                ("uuid", models.UUIDField(default=uuid.uuid4, primary_key=True, serialize=False)),
-                ("apple_secure_enclave_key", models.TextField()),
-                ("apple_enclave_key_id", models.TextField()),
-                ("device_type", models.TextField()),
-                (
-                    "user",
-                    models.ForeignKey(
-                        help_text="The user that this device belongs to.",
-                        on_delete=django.db.models.deletion.CASCADE,
-                        to=settings.AUTH_USER_MODEL,
-                    ),
-                ),
-            ],
-            options={
-                "verbose_name": "Apple Independent Secure Enclave",
-                "verbose_name_plural": "Apple Independent Secure Enclaves",
-            },
-        ),
-    ]

authentik/endpoints/connectors/agent/models.py

@@ -19,7 +19,6 @@ from authentik.flows.stage import StageView
 from authentik.lib.generators import generate_key
 from authentik.lib.models import InternallyManagedMixin, SerializerModel
 from authentik.lib.utils.time import timedelta_string_validator
-from authentik.stages.authenticator.models import Device as Authenticator
 
 if TYPE_CHECKING:
     from authentik.endpoints.connectors.agent.controller import AgentConnectorController
@@ -173,17 +172,3 @@ class AppleNonce(InternallyManagedMixin, ExpiringModel):
     class Meta(ExpiringModel.Meta):
         verbose_name = _("Apple Nonce")
         verbose_name_plural = _("Apple Nonces")
-
-
-class AppleIndependentSecureEnclave(Authenticator):
-    """A device-independent secure enclave key, used by Tap-to-login"""
-
-    uuid = models.UUIDField(primary_key=True, default=uuid4)
-
-    apple_secure_enclave_key = models.TextField()
-    apple_enclave_key_id = models.TextField()
-    device_type = models.TextField()
-
-    class Meta:
-        verbose_name = _("Apple Independent Secure Enclave")
-        verbose_name_plural = _("Apple Independent Secure Enclaves")

authentik/endpoints/tests/test_api.py

@@ -1,12 +1,10 @@
-from unittest.mock import PropertyMock, patch
-
 from django.urls import reverse
 from rest_framework.test import APITestCase
 
 from authentik.core.tests.utils import create_test_admin_user
 from authentik.endpoints.connectors.agent.models import AgentConnector
-from authentik.endpoints.controller import BaseController
 from authentik.endpoints.models import StageMode
+from authentik.enterprise.endpoints.connectors.fleet.models import FleetConnector
 from authentik.lib.generators import generate_id
 
 
@@ -27,22 +25,16 @@ class TestAPI(APITestCase):
         )
         self.assertEqual(res.status_code, 201)
 
-    def test_endpoint_stage_agent_no_stage(self):
-        connector = AgentConnector.objects.create(name=generate_id())
-
-        class controller(BaseController):
-            def capabilities(self):
-                return []
-
-        with patch.object(AgentConnector, "controller", PropertyMock(return_value=controller)):
-            res = self.client.post(
-                reverse("authentik_api:stages-endpoint-list"),
-                data={
-                    "name": generate_id(),
-                    "connector": str(connector.pk),
-                    "mode": StageMode.REQUIRED,
-                },
-            )
+    def test_endpoint_stage_fleet(self):
+        connector = FleetConnector.objects.create(name=generate_id())
+        res = self.client.post(
+            reverse("authentik_api:stages-endpoint-list"),
+            data={
+                "name": generate_id(),
+                "connector": str(connector.pk),
+                "mode": StageMode.REQUIRED,
+            },
+        )
         self.assertEqual(res.status_code, 400)
         self.assertJSONEqual(
             res.content, {"connector": ["Selected connector is not compatible with this stage."]}

authentik/enterprise/endpoints/connectors/agent/api/secure_enclave.py

@@ -1,28 +0,0 @@
-from rest_framework.viewsets import ModelViewSet
-
-from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import ModelSerializer
-from authentik.endpoints.connectors.agent.models import AppleIndependentSecureEnclave
-
-
-class AppleIndependentSecureEnclaveSerializer(ModelSerializer):
-    class Meta:
-        model = AppleIndependentSecureEnclave
-        fields = [
-            "uuid",
-            "user",
-            "apple_secure_enclave_key",
-            "apple_enclave_key_id",
-            "device_type",
-        ]
-
-
-class AppleIndependentSecureEnclaveViewSet(UsedByMixin, ModelViewSet):
-    queryset = AppleIndependentSecureEnclave.objects.all()
-    serializer_class = AppleIndependentSecureEnclaveSerializer
-    search_fields = [
-        "name",
-        "user__name",
-    ]
-    ordering = ["uuid"]
-    filterset_fields = ["user", "apple_enclave_key_id"]

authentik/enterprise/endpoints/connectors/agent/tests/test_apple_token.py

@@ -11,7 +11,6 @@ from authentik.endpoints.connectors.agent.models import (
     AgentConnector,
     AgentDeviceConnection,
     AgentDeviceUserBinding,
-    AppleIndependentSecureEnclave,
     AppleNonce,
     DeviceToken,
     EnrollmentToken,
@@ -26,7 +25,7 @@ class TestAppleToken(TestCase):
 
     def setUp(self):
         self.apple_sign_key = create_test_cert(PrivateKeyAlg.ECDSA)
-        self.sign_key_pem = self.apple_sign_key.public_key.public_bytes(
+        sign_key_pem = self.apple_sign_key.public_key.public_bytes(
             encoding=serialization.Encoding.PEM,
             format=serialization.PublicFormat.SubjectPublicKeyInfo,
         ).decode()
@@ -51,7 +50,7 @@ class TestAppleToken(TestCase):
             device=self.device,
             connector=self.connector,
             apple_sign_key_id=self.apple_sign_key.kid,
-            apple_signing_key=self.sign_key_pem,
+            apple_signing_key=sign_key_pem,
             apple_encryption_key=self.enc_pub,
         )
         self.user = create_test_user()
@@ -60,7 +59,7 @@ class TestAppleToken(TestCase):
             user=self.user,
             order=0,
             apple_enclave_key_id=self.apple_sign_key.kid,
-            apple_secure_enclave_key=self.sign_key_pem,
+            apple_secure_enclave_key=sign_key_pem,
         )
         self.device_token = DeviceToken.objects.create(device=self.connection)
 
@@ -114,62 +113,3 @@ class TestAppleToken(TestCase):
         ).first()
         self.assertIsNotNone(event)
         self.assertEqual(event.context["device"]["name"], self.device.name)
-
-    @reconcile_app("authentik_crypto")
-    def test_token_independent(self):
-        nonce = generate_id()
-
-        AgentDeviceUserBinding.objects.all().delete()
-        AppleIndependentSecureEnclave.objects.create(
-            user=self.user,
-            apple_enclave_key_id=self.apple_sign_key.kid,
-            apple_secure_enclave_key=self.sign_key_pem,
-        )
-
-        AppleNonce.objects.create(
-            device_token=self.device_token,
-            nonce=nonce,
-        )
-        embedded = encode(
-            {"iss": str(self.connector.pk), "aud": str(self.device.pk), "request_nonce": nonce},
-            self.apple_sign_key.private_key,
-            headers={
-                "kid": self.apple_sign_key.kid,
-            },
-            algorithm=JWTAlgorithms.from_private_key(self.apple_sign_key.private_key),
-        )
-        assertion = encode(
-            {
-                "iss": str(self.connector.pk),
-                "aud": "http://testserver/endpoints/agent/psso/token/",
-                "request_nonce": nonce,
-                "assertion": embedded,
-                "jwe_crypto": {
-                    "apv": (
-                        "AAAABUFwcGxlAAAAQQTFgZOospN6KbkhXhx1lfa-AKYxjEfJhTJrkpdEY_srMmkPzS7VN0Bzt2AtNBEXE"
-                        "aphDONiP2Mq6Oxytv5JKOxHAAAAJDgyOThERkY5LTVFMUUtNEUwMS04OEUwLUI3QkQzOUM4QjA3Qw"
-                    )
-                },
-            },
-            self.apple_sign_key.private_key,
-            headers={
-                "kid": self.apple_sign_key.kid,
-            },
-            algorithm=JWTAlgorithms.from_private_key(self.apple_sign_key.private_key),
-        )
-        res = self.client.post(
-            reverse("authentik_enterprise_endpoints_connectors_agent:psso-token"),
-            data={
-                "assertion": assertion,
-                "platform_sso_version": "1.0",
-                "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
-            },
-        )
-
-        self.assertEqual(res.status_code, 200)
-        event = Event.objects.filter(
-            action=EventAction.LOGIN,
-            app="authentik.endpoints.connectors.agent",
-        ).first()
-        self.assertIsNotNone(event)
-        self.assertEqual(event.context["device"]["name"], self.device.name)

authentik/enterprise/endpoints/connectors/agent/urls.py

@@ -1,8 +1,5 @@
 from django.urls import path
 
-from authentik.enterprise.endpoints.connectors.agent.api.secure_enclave import (
-    AppleIndependentSecureEnclaveViewSet,
-)
 from authentik.enterprise.endpoints.connectors.agent.views.apple_jwks import AppleJWKSView
 from authentik.enterprise.endpoints.connectors.agent.views.apple_nonce import NonceView
 from authentik.enterprise.endpoints.connectors.agent.views.apple_register import (
@@ -26,7 +23,6 @@ urlpatterns = [
 ]
 
 api_urlpatterns = [
-    ("endpoints/agents/psso/ise", AppleIndependentSecureEnclaveViewSet),
     path(
         "endpoints/agents/psso/register/device/",
         RegisterDeviceView.as_view(),

authentik/enterprise/endpoints/connectors/agent/views/apple_token.py

@@ -19,7 +19,6 @@ from authentik.endpoints.connectors.agent.models import (
     AgentConnector,
     AgentDeviceConnection,
     AgentDeviceUserBinding,
-    AppleIndependentSecureEnclave,
     AppleNonce,
     DeviceAuthenticationToken,
 )
@@ -104,9 +103,7 @@ class TokenView(View):
         nonce.delete()
         return decoded
 
-    def validate_embedded_assertion(
-        self, assertion: str
-    ) -> tuple[AgentDeviceUserBinding | AppleIndependentSecureEnclave, dict]:
+    def validate_embedded_assertion(self, assertion: str) -> tuple[AgentDeviceUserBinding, dict]:
         """Decode an embedded assertion and validate it by looking up the matching device user"""
         decode_unvalidated = get_unverified_header(assertion)
         expected_kid = decode_unvalidated["kid"]
@@ -115,13 +112,8 @@ class TokenView(View):
             target=self.device_connection.device, apple_enclave_key_id=expected_kid
         ).first()
         if not device_user:
-            independent_user = AppleIndependentSecureEnclave.objects.filter(
-                apple_enclave_key_id=expected_kid
-            ).first()
-            if not independent_user:
-                LOGGER.warning("Could not find device user binding or independent enclave for user")
-                raise ValidationError("Invalid request")
-            device_user = independent_user
+            LOGGER.warning("Could not find device user binding for user")
+            raise ValidationError("Invalid request")
         decoded: dict[str, Any] = decode(
             assertion,
             device_user.apple_secure_enclave_key,

authentik/enterprise/endpoints/connectors/fleet/controller.py

@@ -1,15 +1,11 @@
 import re
-from plistlib import loads
 from typing import Any
 
-from cryptography.hazmat.primitives import serialization
-from cryptography.x509 import load_der_x509_certificate
 from django.db import transaction
 from requests import RequestException
 from rest_framework.exceptions import ValidationError
 
 from authentik.core.models import User
-from authentik.crypto.models import CertificateKeyPair
 from authentik.endpoints.controller import BaseController, Capabilities, ConnectorSyncException
 from authentik.endpoints.facts import (
     DeviceFacts,
@@ -48,7 +44,7 @@ class FleetController(BaseController[DBC]):
         return "fleetdm.com"
 
     def capabilities(self) -> list[Capabilities]:
-        return [Capabilities.STAGE_ENDPOINTS, Capabilities.ENROLL_AUTOMATIC_API]
+        return [Capabilities.ENROLL_AUTOMATIC_API]
 
     def _url(self, path: str) -> str:
         return f"{self.connector.url}{path}"
@@ -80,44 +76,8 @@ class FleetController(BaseController[DBC]):
         except RequestException as exc:
             raise ConnectorSyncException(exc) from exc
 
-    @property
-    def mtls_ca_managed(self) -> str:
-        return f"goauthentik.io/endpoints/connectors/fleet/{self.connector.pk}"
-
-    def _sync_mtls_ca(self):
-        """Sync conditional access Root CA for mTLS"""
-        try:
-            # Fleet doesn't have an API to just get the Conditional Access Root CA Cert (yet),
-            # hence we fetch the apple config profile and extract it
-            res = self._session.get(self._url("/api/v1/fleet/conditional_access/idp/apple/profile"))
-            res.raise_for_status()
-            profile = loads(res.text).get("PayloadContent", [])
-            raw_cert = None
-            for payload in profile:
-                if payload.get("PayloadIdentifier", "") != "com.fleetdm.conditional-access-ca":
-                    continue
-                raw_cert = payload.get("PayloadContent")
-            if not raw_cert:
-                raise ConnectorSyncException("Failed to get conditional acccess CA")
-        except RequestException as exc:
-            raise ConnectorSyncException(exc) from exc
-        cert = load_der_x509_certificate(raw_cert)
-        CertificateKeyPair.objects.update_or_create(
-            managed=self.mtls_ca_managed,
-            defaults={
-                "name": f"Fleet Endpoint connector {self.connector.name}",
-                "certificate_data": cert.public_bytes(
-                    encoding=serialization.Encoding.PEM,
-                ).decode("utf-8"),
-            },
-        )
-
     @transaction.atomic
     def sync_endpoints(self) -> None:
-        try:
-            self._sync_mtls_ca()
-        except ConnectorSyncException as exc:
-            self.logger.warning("Failed to sync conditional access CA", exc=exc)
         for host in self._paginate_hosts():
             serial = host["hardware_serial"]
             device, _ = Device.objects.get_or_create(
@@ -238,8 +198,6 @@ class FleetController(BaseController[DBC]):
                         for policy in host.get("policies", [])
                     ],
                     "agent_version": fleet_version,
-                    # Host UUID is required for conditional access matching
-                    "uuid": host.get("uuid", "").lower(),
                 },
             },
         }

authentik/enterprise/endpoints/connectors/fleet/models.py

@@ -51,12 +51,6 @@ class FleetConnector(Connector):
     def component(self) -> str:
         return "ak-endpoints-connector-fleet-form"
 
-    @property
-    def stage(self):
-        from authentik.enterprise.endpoints.connectors.fleet.stage import FleetStageView
-
-        return FleetStageView
-
     class Meta:
         verbose_name = _("Fleet Connector")
         verbose_name_plural = _("Fleet Connectors")

authentik/enterprise/endpoints/connectors/fleet/stage.py

@@ -1,51 +0,0 @@
-from cryptography.x509 import (
-    Certificate,
-    Extension,
-    SubjectAlternativeName,
-    UniformResourceIdentifier,
-)
-from rest_framework.exceptions import PermissionDenied
-
-from authentik.crypto.models import CertificateKeyPair, fingerprint_sha256
-from authentik.endpoints.models import Device, EndpointStage, StageMode
-from authentik.enterprise.endpoints.connectors.fleet.models import FleetConnector
-from authentik.enterprise.stages.mtls.stage import PLAN_CONTEXT_CERTIFICATE, MTLSStageView
-from authentik.flows.planner import PLAN_CONTEXT_DEVICE
-
-FLEET_CONDITIONAL_ACCESS_URI_PREFIX = "urn:device:apple:uuid:"
-
-
-class FleetStageView(MTLSStageView):
-    def get_authorities(self):
-        stage: EndpointStage = self.executor.current_stage
-        connector = FleetConnector.objects.filter(pk=stage.connector_id).first()
-        controller = connector.controller(connector)
-        kp = CertificateKeyPair.objects.filter(managed=controller.mtls_ca_managed).first()
-        return [kp] if kp else None
-
-    def lookup_device(self, cert: Certificate, mode: StageMode):
-        san_ext: Extension[SubjectAlternativeName] = cert.extensions.get_extension_for_oid(
-            SubjectAlternativeName.oid
-        )
-        raw_values = san_ext.value.get_values_for_type(UniformResourceIdentifier)
-        values = [x.removeprefix(FLEET_CONDITIONAL_ACCESS_URI_PREFIX).lower() for x in raw_values]
-        self.logger.debug("Looking for devices with uuid", fleet_device_uuid=values)
-        device = Device.objects.filter(
-            **{"deviceconnection__devicefactsnapshot__data__vendor__fleetdm.com__uuid__in": values}
-        ).first()
-        if not device and mode == StageMode.REQUIRED:
-            raise PermissionDenied("Failed to find device")
-        self.executor.plan.context[PLAN_CONTEXT_DEVICE] = device
-        self.executor.plan.context[PLAN_CONTEXT_CERTIFICATE] = self._cert_to_dict(cert)
-        return self.executor.stage_ok()
-
-    def dispatch(self, request, *args, **kwargs):
-        stage: EndpointStage = self.executor.current_stage
-        try:
-            cert = self.get_cert(stage.mode)
-            if not cert:
-                return self.executor.stage_ok()
-            self.logger.debug("Received certificate", cert=fingerprint_sha256(cert))
-            return self.lookup_device(cert, stage.mode)
-        except PermissionDenied as exc:
-            return self.executor.stage_invalid(error_message=exc.detail)

authentik/enterprise/endpoints/connectors/fleet/tests/fixtures/cond_acc_host.pem

@@ -1,23 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDwDCCAqigAwIBAgIBBDANBgkqhkiG9w0BAQsFADBpMQkwBwYDVQQGEwAxJDAi
-BgNVBAoTG0xvY2FsIGNlcnRpZmljYXRlIGF1dGhvcml0eTEQMA4GA1UECxMHU0NF
-UCBDQTEkMCIGA1UEAxMbRmxlZXQgY29uZGl0aW9uYWwgYWNjZXNzIENBMB4XDTI2
-MDMxODExMTc1NFoXDTI3MDQyMDExMjc1NFowLDEqMCgGA1UEAxMhRmxlZXQgY29u
-ZGl0aW9uYWwgYWNjZXNzIGZvciBPa3RhMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
-MIIBCgKCAQEA3xuKxQQ8JSA4qCJ6RfOB7tbQurhwXiaJSLUDG7R5ncdRcd9LH/9y
-5ZyI5kQACOwfICHmv02zR4/CrurfzXabo3CCpvcMdS7JI/FzP1GIIZ5RsR7oPFC6
-JJg3m5BHuoHsUtCD7w0D52WiE7XVfbw47h2ChKmGMhkSrBvQnp3dHFEt8ntbl1/q
-zCSuQaLeR2sQFurBDVBdinEgsvb1YHaYHi4tdFx5joG64Q/nJXyA2OM4hO9uBF+G
-c4UVTzubx5sxwONcPhC9H+eLMpF1VHeU9gAGBlruVusUEYDmlqYQuA+bW5fTr4Zd
-ZmJ5e+CzzUBYHduAML9a5S+1jbxSPZFBSwIDAQABo4GvMIGsMA4GA1UdDwEB/wQE
-AwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAjAdBgNVHQ4EFgQUPrc1+LvbR9WoJIWZ
-7YQa/3IX2w8wHwYDVR0jBBgwFoAUfl92kU2qcH4e+hypez4kEnqMbk4wRQYDVR0R
-BD4wPIY6dXJuOmRldmljZTphcHBsZTp1dWlkOjVCRjQyMkQ2LTZFQUItNTE1Ni1B
-QzVBLTlFQURDOTUyNDcxMzANBgkqhkiG9w0BAQsFAAOCAQEAGfxJ/u4271tnUUTB
-J39YU6z2Ciav+9G3BtbvxBXI57Po7zCE6Z1sVkvYq6Xd0CcItPWRjbSPEy78ZzS0
-By+gPy5fkKc8HHJ5I1wK890xbLBUS1P4EbdVBzI9ggouEa3B2asE10asnzLoKE4C
-0FYWQwrzCsso8yxsJj1S8RKtd6MMbCis/9OQSC8om2tu6cLO+OftVn5DHtNWFidw
-tAl/oHn2cZPUfZGpJGrHNZlp5w1c1dYfQeiPayoQIbsF+8eMV424G76z/8UPhMBs
-R23LByv4TlUOPAGn2TRa2WtLIXs7FgqXRIFW4CjsPsEpXSVNlkYcn/VHY7Jl13zz
-CRQ1Pg==
------END CERTIFICATE-----

authentik/enterprise/endpoints/connectors/fleet/tests/fixtures/cond_acc_profile.mobileconfig

@@ -1,46 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-<plist version="1.0">
-    <dict>
-        <key>PayloadContent</key>
-        <array>
-            <!-- Trusted CA certificate -->
-            <dict>
-                <key>PayloadCertificateFileName</key>
-                <string>conditional_access_ca.der</string>
-                <key>PayloadContent</key>
-                <data>MIIDjzCCAnegAwIBAgIBATANBgkqhkiG9w0BAQsFADBpMQkwBwYDVQQGEwAxJDAiBgNVBAoTG0xvY2FsIGNlcnRpZmljYXRlIGF1dGhvcml0eTEQMA4GA1UECxMHU0NFUCBDQTEkMCIGA1UEAxMbRmxlZXQgY29uZGl0aW9uYWwgYWNjZXNzIENBMB4XDTI1MTIwOTEyMjI1MVoXDTM1MTIwOTEyMjI1MVowaTEJMAcGA1UEBhMAMSQwIgYDVQQKExtMb2NhbCBjZXJ0aWZpY2F0ZSBhdXRob3JpdHkxEDAOBgNVBAsTB1NDRVAgQ0ExJDAiBgNVBAMTG0ZsZWV0IGNvbmRpdGlvbmFsIGFjY2VzcyBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANrgCcpzQci2UhH+Dn0eHopnnbx3HbMabMCHXm6xteMVFLrdQJDTFrZCQzcexUgbpPJ0az6mn4szo+E3stn0y2PPWsiAiVhFwp5M9HwNg18rPgDmITv2pM3l/hlEsfggjq6TEVO2gRcq4NujEGagcYX6kp6nWxh6bbRngQ/hlK6mXItWV3x0G9eTcbFObwZhbuC2dNbccytdqbVEIpBjp6fftQnQwAaUVjoyZBFlf1C1cDV4+1jpaVsIj11U1olA33GJCHcZQ4CJEsgh8yiSsvkH5RNf94CGINB5ixsMfppjSXV/vNkWDKEfmUXW2q4ft7KK/L/SRq8QSB4VqTAp2GsCAwEAAaNCMEAwDgYDVR0PAQH/BAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFH5fdpFNqnB+HvocqXs+JBJ6jG5OMA0GCSqGSIb3DQEBCwUAA4IBAQAJr4bTGlrANoHStu4Y+OXjGbEQjZOe546Bcln4eWrEB16eaVzfKuZgjJYdcOmp36/v34QY/OCXEIsixrBU5aW/Sr53IK6UQSZV3O3xbBc4Aert7AbeJ4NVGZyelfVQo/5G0qM6k9p0+zpIZqNAzFbhcSPIzuE7ig2OGsFoQU+bXhzk09bsZ+u4BXibzVNfMuMG+DHNv0PRjll272nEPI3bGwHF5tdrnfJG6e9t+qK9j9UqmSlBknHQJNeU5o8IDcmWYjWtOuBzecYsg8pZzXabJqlHTBIz/h7waRe7jtrK+XopK3jghRf9JTL+i0Y8NbVjoNkIoS3xMeRhnNbR9lw1</data>
-                <key>PayloadDescription</key>
-                <string>Fleet conditional access CA certificate</string>
-                <key>PayloadDisplayName</key>
-                <string>Fleet conditional access CA</string>
-                <key>PayloadIdentifier</key>
-                <string>com.fleetdm.conditional-access-ca</string>
-                <key>PayloadType</key>
-                <string>com.apple.security.root</string>
-                <key>PayloadUUID</key>
-                <string>ef1b2231-ad80-5511-9893-1f9838295147</string>
-                <key>PayloadVersion</key>
-                <integer>1</integer>
-            </dict>
-        </array>
-        <key>PayloadDescription</key>
-        <string>Configures SCEP enrollment for Okta conditional access</string>
-        <key>PayloadDisplayName</key>
-        <string>Fleet conditional access for Okta</string>
-        <key>PayloadIdentifier</key>
-        <string>com.fleetdm.conditional-access-okta</string>
-        <key>PayloadOrganization</key>
-        <string>Fleet Device Management</string>
-        <key>PayloadRemovalDisallowed</key>
-        <false/>
-        <key>PayloadScope</key>
-        <string>User</string>
-        <key>PayloadType</key>
-        <string>Configuration</string>
-        <key>PayloadUUID</key>
-        <string>6fa509a3-feca-56f7-a283-d6a81c733ed2</string>
-        <key>PayloadVersion</key>
-        <integer>1</integer>
-    </dict>
-</plist>

authentik/enterprise/endpoints/connectors/fleet/tests/fixtures/host_macos.json

@@ -1,27 +1,27 @@
 {
-    "created_at": "2026-02-18T16:31:34Z",
-    "updated_at": "2026-03-18T11:29:18Z",
+    "created_at": "2025-06-25T22:21:35Z",
+    "updated_at": "2025-12-20T11:42:09Z",
     "software": null,
-    "software_updated_at": "2026-03-18T11:29:17Z",
-    "id": 19,
-    "detail_updated_at": "2026-03-18T11:29:18Z",
-    "label_updated_at": "2026-03-18T11:29:18Z",
-    "policy_updated_at": "2026-03-18T11:29:18Z",
-    "last_enrolled_at": "2026-02-18T16:31:45Z",
-    "seen_time": "2026-03-18T11:31:34Z",
+    "software_updated_at": "2025-10-22T02:24:25Z",
+    "id": 1,
+    "detail_updated_at": "2025-10-23T23:30:31Z",
+    "label_updated_at": "2025-10-23T23:30:31Z",
+    "policy_updated_at": "2025-10-23T23:02:11Z",
+    "last_enrolled_at": "2025-06-25T22:21:37Z",
+    "seen_time": "2025-10-23T23:59:08Z",
     "refetch_requested": false,
     "hostname": "jens-mac-vm.local",
-    "uuid": "5BF422D6-6EAB-5156-AC5A-9EADC9524713",
+    "uuid": "C8B98348-A0A6-5838-A321-57B59D788269",
     "platform": "darwin",
-    "osquery_version": "5.21.0",
+    "osquery_version": "5.19.0",
     "orbit_version": null,
     "fleet_desktop_version": null,
     "scripts_enabled": null,
-    "os_version": "macOS 26.3",
-    "build": "25D125",
+    "os_version": "macOS 26.0.1",
+    "build": "25A362",
     "platform_like": "darwin",
     "code_name": "",
-    "uptime": 653014000000000,
+    "uptime": 256356000000000,
     "memory": 4294967296,
     "cpu_type": "arm64e",
     "cpu_subtype": "ARM64E",
@@ -31,41 +31,38 @@
     "hardware_vendor": "Apple Inc.",
     "hardware_model": "VirtualMac2,1",
     "hardware_version": "",
-    "hardware_serial": "ZV35VFDD50",
+    "hardware_serial": "Z5DDF07GK6",
     "computer_name": "jens-mac-vm",
-    "timezone": null,
     "public_ip": "92.116.179.252",
-    "primary_ip": "192.168.64.7",
-    "primary_mac": "5e:72:1c:89:98:29",
+    "primary_ip": "192.168.85.3",
+    "primary_mac": "e6:9d:21:c2:2f:19",
     "distributed_interval": 10,
     "config_tls_refresh": 60,
     "logger_tls_period": 10,
-    "team_id": 5,
+    "team_id": 2,
     "pack_stats": null,
-    "team_name": "dev",
-    "gigs_disk_space_available": 16.52,
-    "percent_disk_space_available": 26,
+    "team_name": "prod",
+    "gigs_disk_space_available": 23.82,
+    "percent_disk_space_available": 37,
     "gigs_total_disk_space": 62.83,
     "gigs_all_disk_space": null,
     "issues": {
         "failing_policies_count": 1,
-        "critical_vulnerabilities_count": 0,
-        "total_issues_count": 1
+        "critical_vulnerabilities_count": 2,
+        "total_issues_count": 3
     },
     "device_mapping": null,
     "mdm": {
         "enrollment_status": "On (manual)",
         "dep_profile_error": false,
-        "server_url": "https://fleet.beryjuio-prod.k8s.beryju.io/mdm/apple/mdm",
+        "server_url": "https://fleet.beryjuio-home.k8s.beryju.io/mdm/apple/mdm",
         "name": "Fleet",
         "encryption_key_available": false,
         "connected_to_fleet": true
     },
     "refetch_critical_queries_until": null,
-    "last_restarted_at": "2026-03-10T22:05:44.00887Z",
-    "status": "online",
+    "last_restarted_at": "2025-10-21T00:17:55Z",
+    "status": "offline",
     "display_text": "jens-mac-vm.local",
-    "display_name": "jens-mac-vm",
-    "fleet_id": 5,
-    "fleet_name": "dev"
+    "display_name": "jens-mac-vm"
 }

authentik/enterprise/endpoints/connectors/fleet/tests/test_connector.py

@@ -21,19 +21,12 @@ TEST_HOST = {"hosts": [TEST_HOST_UBUNTU, TEST_HOST_MACOS, TEST_HOST_WINDOWS, TES
 class TestFleetConnector(APITestCase):
     def setUp(self):
         self.connector = FleetConnector.objects.create(
-            name=generate_id(),
-            url="http://localhost",
-            token=generate_id(),
-            map_teams_access_group=True,
+            name=generate_id(), url="http://localhost", token=generate_id()
         )
 
     def test_sync(self):
         controller = self.connector.controller(self.connector)
         with Mocker() as mock:
-            mock.get(
-                "http://localhost/api/v1/fleet/conditional_access/idp/apple/profile",
-                text=load_fixture("fixtures/cond_acc_profile.mobileconfig"),
-            )
             mock.get(
                 "http://localhost/api/v1/fleet/hosts?order_key=hardware_serial&page=0&per_page=50&device_mapping=true&populate_software=true&populate_users=true",
                 json=TEST_HOST,
@@ -47,9 +40,6 @@ class TestFleetConnector(APITestCase):
             identifier="VMware-56 4d 4a 5a b0 22 7b d7-9b a5 0b dc 8f f2 3b 60"
         ).first()
         self.assertIsNotNone(device)
-        group = device.access_group
-        self.assertIsNotNone(group)
-        self.assertEqual(group.name, "prod")
         self.assertEqual(
             device.cached_facts.data,
             {
@@ -60,13 +50,7 @@ class TestFleetConnector(APITestCase):
                     "version": "24.04.3 LTS",
                 },
                 "disks": [],
-                "vendor": {
-                    "fleetdm.com": {
-                        "policies": [],
-                        "agent_version": "",
-                        "uuid": "5a4a4d56-22b0-d77b-9ba5-0bdc8ff23b60",
-                    }
-                },
+                "vendor": {"fleetdm.com": {"policies": [], "agent_version": ""}},
                 "network": {"hostname": "ubuntu-desktop", "interfaces": []},
                 "hardware": {
                     "model": "VMware20,1",
@@ -88,10 +72,6 @@ class TestFleetConnector(APITestCase):
         self.connector.save()
         controller = self.connector.controller(self.connector)
         with Mocker() as mock:
-            mock.get(
-                "http://localhost/api/v1/fleet/conditional_access/idp/apple/profile",
-                text=load_fixture("fixtures/cond_acc_profile.mobileconfig"),
-            )
             mock.get(
                 "http://localhost/api/v1/fleet/hosts?order_key=hardware_serial&page=0&per_page=50&device_mapping=true&populate_software=true&populate_users=true",
                 json=TEST_HOST,
@@ -101,13 +81,11 @@ class TestFleetConnector(APITestCase):
                 json={"hosts": []},
             )
             controller.sync_endpoints()
-        self.assertEqual(mock.call_count, 3)
+        self.assertEqual(mock.call_count, 2)
         self.assertEqual(mock.request_history[0].method, "GET")
         self.assertEqual(mock.request_history[0].headers["foo"], "bar")
         self.assertEqual(mock.request_history[1].method, "GET")
         self.assertEqual(mock.request_history[1].headers["foo"], "bar")
-        self.assertEqual(mock.request_history[2].method, "GET")
-        self.assertEqual(mock.request_history[2].headers["foo"], "bar")
 
     def test_map_host_linux(self):
         controller = self.connector.controller(self.connector)
@@ -150,6 +128,6 @@ class TestFleetConnector(APITestCase):
                 "arch": "arm64e",
                 "family": OSFamily.macOS,
                 "name": "macOS",
-                "version": "26.3",
+                "version": "26.0.1",
             },
         )

authentik/enterprise/endpoints/connectors/fleet/tests/test_stage.py

@@ -1,84 +0,0 @@
-from json import loads
-from ssl import PEM_FOOTER, PEM_HEADER
-
-from django.urls import reverse
-from requests_mock import Mocker
-
-from authentik.core.tests.utils import (
-    create_test_flow,
-)
-from authentik.endpoints.models import Device, EndpointStage, StageMode
-from authentik.enterprise.endpoints.connectors.fleet.models import FleetConnector
-from authentik.enterprise.stages.mtls.stage import PLAN_CONTEXT_CERTIFICATE
-from authentik.flows.models import FlowDesignation, FlowStageBinding
-from authentik.flows.planner import PLAN_CONTEXT_DEVICE
-from authentik.flows.tests import FlowTestCase
-from authentik.lib.generators import generate_id
-from authentik.lib.tests.utils import load_fixture
-
-
-class FleetConnectorStageTests(FlowTestCase):
-    def setUp(self):
-        super().setUp()
-        self.connector = FleetConnector.objects.create(
-            name=generate_id(), url="http://localhost", token=generate_id()
-        )
-
-        controller = self.connector.controller(self.connector)
-        with Mocker() as mock:
-            mock.get(
-                "http://localhost/api/v1/fleet/conditional_access/idp/apple/profile",
-                text=load_fixture("fixtures/cond_acc_profile.mobileconfig"),
-            )
-            mock.get(
-                "http://localhost/api/v1/fleet/hosts?order_key=hardware_serial&page=0&per_page=50&device_mapping=true&populate_software=true&populate_users=true",
-                json={"hosts": [loads(load_fixture("fixtures/host_macos.json"))]},
-            )
-            mock.get(
-                "http://localhost/api/v1/fleet/hosts?order_key=hardware_serial&page=1&per_page=50&device_mapping=true&populate_software=true&populate_users=true",
-                json={"hosts": []},
-            )
-            controller.sync_endpoints()
-
-        self.flow = create_test_flow(FlowDesignation.AUTHENTICATION)
-        self.stage = EndpointStage.objects.create(
-            name=generate_id(),
-            mode=StageMode.REQUIRED,
-            connector=self.connector,
-        )
-
-        self.binding = FlowStageBinding.objects.create(target=self.flow, stage=self.stage, order=0)
-
-        self.host_cert = load_fixture("fixtures/cond_acc_host.pem")
-
-    def _format_traefik(self, cert: str | None = None):
-        cert = cert if cert else self.host_cert
-        return cert.replace(PEM_HEADER, "").replace(PEM_FOOTER, "").replace("\n", "")
-
-    def test_assoc(self):
-        dev = Device.objects.get(identifier="ZV35VFDD50")
-        with self.assertFlowFinishes() as plan:
-            res = self.client.get(
-                reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug}),
-                headers={"X-Forwarded-TLS-Client-Cert": self._format_traefik()},
-            )
-            self.assertEqual(res.status_code, 200)
-        plan = plan()
-        self.assertEqual(plan.context[PLAN_CONTEXT_DEVICE], dev)
-        self.assertEqual(
-            plan.context[PLAN_CONTEXT_CERTIFICATE]["subject"],
-            "CN=Fleet conditional access for Okta",
-        )
-
-    def test_assoc_not_found(self):
-        dev = Device.objects.get(identifier="ZV35VFDD50")
-        dev.delete()
-        with self.assertFlowFinishes() as plan:
-            res = self.client.get(
-                reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug}),
-                headers={"X-Forwarded-TLS-Client-Cert": self._format_traefik()},
-            )
-            self.assertEqual(res.status_code, 200)
-            self.assertStageResponse(res, self.flow, component="ak-stage-access-denied")
-        plan = plan()
-        self.assertNotIn(PLAN_CONTEXT_DEVICE, plan.context)

authentik/enterprise/providers/ssf/signals.py

@@ -12,7 +12,7 @@ from authentik.core.models import (
     User,
     UserTypes,
 )
-from authentik.core.signals import password_changed, password_hash_changed
+from authentik.core.signals import password_changed
 from authentik.enterprise.providers.ssf.models import (
     EventTypes,
     SSFProvider,
@@ -84,13 +84,14 @@ def ssf_user_session_delete_session_revoked(sender, instance: AuthenticatedSessi
     )
 
 
-def _send_password_credential_change(user: User, change_type: str):
+@receiver(password_changed)
+def ssf_password_changed_cred_change(sender, user: User, password: str | None, **_):
     """Credential change trigger (password changed)"""
     send_ssf_events(
         EventTypes.CAEP_CREDENTIAL_CHANGE,
         {
             "credential_type": "password",
-            "change_type": change_type,
+            "change_type": "revoke" if password is None else "update",
         },
         sub_id={
             "format": "complex",
@@ -102,16 +103,6 @@ def _send_password_credential_change(user: User, change_type: str):
     )
 
 
-@receiver(password_hash_changed)
-@receiver(password_changed)
-def ssf_password_changed_cred_change(signal, sender, user: User, password: str | None = None, **_):
-    """Credential change trigger (password changed)"""
-    if signal is password_hash_changed:
-        _send_password_credential_change(user, "update")
-        return
-    _send_password_credential_change(user, "revoke" if password is None else "update")
-
-
 device_type_map = {
     StaticDevice: "pin",
     TOTPDevice: "pin",

authentik/enterprise/providers/ssf/tests/test_signals.py

@@ -1,6 +1,5 @@
 from uuid import uuid4
 
-from django.contrib.auth.hashers import make_password
 from django.urls import reverse
 from rest_framework.test import APITestCase
 
@@ -53,21 +52,6 @@ class TestSignals(APITestCase):
         )
         self.assertEqual(res.status_code, 201, res.content)
 
-    def _assert_password_credential_change(self, user, change_type: str):
-        stream = Stream.objects.filter(provider=self.provider).first()
-        self.assertIsNotNone(stream)
-        event = StreamEvent.objects.filter(stream=stream).first()
-        self.assertIsNotNone(event)
-        self.assertEqual(event.status, SSFEventStatus.PENDING_FAILED)
-        event_payload = event.payload["events"][
-            "https://schemas.openid.net/secevent/caep/event-type/credential-change"
-        ]
-        self.assertEqual(event_payload["change_type"], change_type)
-        self.assertEqual(event_payload["credential_type"], "password")
-        self.assertEqual(event.payload["sub_id"]["format"], "complex")
-        self.assertEqual(event.payload["sub_id"]["user"]["format"], "email")
-        self.assertEqual(event.payload["sub_id"]["user"]["email"], user.email)
-
     def test_signal_logout(self):
         """Test user logout"""
         user = create_test_user()
@@ -95,25 +79,19 @@ class TestSignals(APITestCase):
         user.set_password(generate_id())
         user.save()
 
-        self._assert_password_credential_change(user, "update")
-
-    def test_signal_password_change_from_hash(self):
-        """Test user password change from a pre-hashed password."""
-        user = create_test_user()
-        self.client.force_login(user)
-        user.set_password_from_hash(make_password(generate_id()))
-        user.save()
-
-        self._assert_password_credential_change(user, "update")
-
-    def test_signal_password_revoke(self):
-        """Test explicit password revoke."""
-        user = create_test_user()
-        self.client.force_login(user)
-        user.set_password(None)
-        user.save()
-
-        self._assert_password_credential_change(user, "revoke")
+        stream = Stream.objects.filter(provider=self.provider).first()
+        self.assertIsNotNone(stream)
+        event = StreamEvent.objects.filter(stream=stream).first()
+        self.assertIsNotNone(event)
+        self.assertEqual(event.status, SSFEventStatus.PENDING_FAILED)
+        event_payload = event.payload["events"][
+            "https://schemas.openid.net/secevent/caep/event-type/credential-change"
+        ]
+        self.assertEqual(event_payload["change_type"], "update")
+        self.assertEqual(event_payload["credential_type"], "password")
+        self.assertEqual(event.payload["sub_id"]["format"], "complex")
+        self.assertEqual(event.payload["sub_id"]["user"]["format"], "email")
+        self.assertEqual(event.payload["sub_id"]["user"]["email"], user.email)
 
     def test_signal_authenticator_added(self):
         """Test authenticator creation signal"""

authentik/enterprise/search/apps.py

@@ -0,0 +1,12 @@
+"""Enterprise app config"""
+
+from authentik.enterprise.apps import EnterpriseConfig
+
+
+class AuthentikEnterpriseSearchConfig(EnterpriseConfig):
+    """Enterprise app config"""
+
+    name = "authentik.enterprise.search"
+    label = "authentik_search"
+    verbose_name = "authentik Enterprise.Search"
+    default = True

authentik/enterprise/search/pagination.py

@@ -0,0 +1,51 @@
+from rest_framework.response import Response
+
+from authentik.api.pagination import Pagination
+from authentik.enterprise.search.ql import AUTOCOMPLETE_SCHEMA, QLSearch
+
+
+class AutocompletePagination(Pagination):
+
+    def paginate_queryset(self, queryset, request, view=None):
+        self.view = view
+        return super().paginate_queryset(queryset, request, view)
+
+    def get_autocomplete(self):
+        schema = QLSearch().get_schema(self.request, self.view)
+        introspections = {}
+        if hasattr(self.view, "get_ql_fields"):
+            from authentik.enterprise.search.schema import AKQLSchemaSerializer
+
+            introspections = AKQLSchemaSerializer().serialize(
+                schema(self.page.paginator.object_list.model)
+            )
+        return introspections
+
+    def get_paginated_response(self, data):
+        previous_page_number = 0
+        if self.page.has_previous():
+            previous_page_number = self.page.previous_page_number()
+        next_page_number = 0
+        if self.page.has_next():
+            next_page_number = self.page.next_page_number()
+        return Response(
+            {
+                "pagination": {
+                    "next": next_page_number,
+                    "previous": previous_page_number,
+                    "count": self.page.paginator.count,
+                    "current": self.page.number,
+                    "total_pages": self.page.paginator.num_pages,
+                    "start_index": self.page.start_index(),
+                    "end_index": self.page.end_index(),
+                },
+                "results": data,
+                "autocomplete": self.get_autocomplete(),
+            }
+        )
+
+    def get_paginated_response_schema(self, schema):
+        final_schema = super().get_paginated_response_schema(schema)
+        final_schema["properties"]["autocomplete"] = AUTOCOMPLETE_SCHEMA.ref
+        final_schema["required"].append("autocomplete")
+        return final_schema

authentik/enterprise/search/ql.py

@@ -1,17 +1,25 @@
 """DjangoQL search"""
 
+from django.apps import apps
 from django.db.models import QuerySet
 from djangoql.ast import Name
 from djangoql.exceptions import DjangoQLError
 from djangoql.queryset import apply_search
 from djangoql.schema import DjangoQLSchema
+from drf_spectacular.plumbing import ResolvedComponent, build_object_type
 from rest_framework.filters import SearchFilter
 from rest_framework.request import Request
 from structlog.stdlib import get_logger
 
-from authentik.api.search.fields import JSONSearchField
+from authentik.enterprise.search.fields import JSONSearchField
 
 LOGGER = get_logger()
+AUTOCOMPLETE_SCHEMA = ResolvedComponent(
+    name="Autocomplete",
+    object="Autocomplete",
+    type=ResolvedComponent.SCHEMA,
+    schema=build_object_type(additionalProperties={}),
+)
 
 
 class BaseSchema(DjangoQLSchema):
@@ -40,6 +48,10 @@ class QLSearch(SearchFilter):
         super().__init__()
         self._fallback = SearchFilter()
 
+    @property
+    def enabled(self):
+        return apps.get_app_config("authentik_enterprise").enabled()
+
     def get_search_terms(self, request: Request) -> str:
         """Search terms are set by a ?search=... query parameter,
         and may be comma and/or whitespace delimited."""
@@ -61,7 +73,7 @@ class QLSearch(SearchFilter):
     def filter_queryset(self, request: Request, queryset: QuerySet, view) -> QuerySet:
         search_query = self.get_search_terms(request)
         schema = self.get_schema(request, view)
-        if len(search_query) == 0:
+        if len(search_query) == 0 or not self.enabled:
             return self._fallback.filter_queryset(request, queryset, view)
         try:
             return apply_search(queryset, search_query, schema=schema)

authentik/enterprise/search/schema.py

@@ -1,6 +1,8 @@
 from djangoql.serializers import DjangoQLSchemaSerializer
+from drf_spectacular.generators import SchemaGenerator
 
-from authentik.api.search.fields import JSONSearchField
+from authentik.enterprise.search.fields import JSONSearchField
+from authentik.enterprise.search.ql import AUTOCOMPLETE_SCHEMA
 
 
 class AKQLSchemaSerializer(DjangoQLSchemaSerializer):
@@ -18,3 +20,9 @@ class AKQLSchemaSerializer(DjangoQLSchemaSerializer):
         if isinstance(field, JSONSearchField):
             result["relation"] = field.relation()
         return result
+
+
+def postprocess_schema_search_autocomplete(result, generator: SchemaGenerator, **kwargs):
+    generator.registry.register_on_missing(AUTOCOMPLETE_SCHEMA)
+
+    return result

authentik/enterprise/search/settings.py

@@ -0,0 +1,20 @@
+SPECTACULAR_SETTINGS = {
+    "POSTPROCESSING_HOOKS": [
+        "authentik.api.v3.schema.response.postprocess_schema_register",
+        "authentik.api.v3.schema.response.postprocess_schema_responses",
+        "authentik.api.v3.schema.query.postprocess_schema_query_params",
+        "authentik.api.v3.schema.cleanup.postprocess_schema_remove_unused",
+        "authentik.enterprise.search.schema.postprocess_schema_search_autocomplete",
+        "authentik.api.v3.schema.enum.postprocess_schema_enums",
+    ],
+}
+
+REST_FRAMEWORK = {
+    "DEFAULT_PAGINATION_CLASS": "authentik.enterprise.search.pagination.AutocompletePagination",
+    "DEFAULT_FILTER_BACKENDS": [
+        "authentik.enterprise.search.ql.QLSearch",
+        "authentik.rbac.filters.ObjectFilter",
+        "django_filters.rest_framework.DjangoFilterBackend",
+        "rest_framework.filters.OrderingFilter",
+    ],
+}

authentik/enterprise/search/tests.py

@@ -1,4 +1,5 @@
 from json import loads
+from unittest.mock import PropertyMock, patch
 from urllib.parse import urlencode
 
 from django.urls import reverse
@@ -7,6 +8,10 @@ from rest_framework.test import APITestCase
 from authentik.core.tests.utils import create_test_admin_user
 
 
+@patch(
+    "authentik.enterprise.audit.middleware.EnterpriseAuditMiddleware.enabled",
+    PropertyMock(return_value=True),
+)
 class QLTest(APITestCase):
 
     def setUp(self):

authentik/enterprise/settings.py

@@ -14,6 +14,7 @@ TENANT_APPS = [
     "authentik.enterprise.providers.ssf",
     "authentik.enterprise.providers.ws_federation",
     "authentik.enterprise.reports",
+    "authentik.enterprise.search",
     "authentik.enterprise.stages.authenticator_endpoint_gdtc",
     "authentik.enterprise.stages.mtls",
     "authentik.enterprise.stages.source",

authentik/enterprise/stages/mtls/stage.py

@@ -15,7 +15,6 @@ from cryptography.x509 import (
 )
 from cryptography.x509.verification import PolicyBuilder, Store, VerificationError
 from django.utils.translation import gettext_lazy as _
-from rest_framework.exceptions import PermissionDenied
 
 from authentik.brands.models import Brand
 from authentik.core.models import User
@@ -26,6 +25,7 @@ from authentik.enterprise.stages.mtls.models import (
     MutualTLSStage,
     UserAttributes,
 )
+from authentik.flows.challenge import AccessDeniedChallenge
 from authentik.flows.models import FlowDesignation
 from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER
 from authentik.flows.stage import ChallengeStageView
@@ -102,7 +102,7 @@ class MTLSStageView(ChallengeStageView):
             return []
         certs = []
         for cert in ftcc_raw.split(","):
-            certs.extend(self.__parse_single_cert(cert, ParseOptions.FORMAT))
+            certs.extend(self.__parse_single_cert(cert, ParseOptions.UNQUOTE, ParseOptions.FORMAT))
         return certs
 
     def _parse_cert_outpost(self) -> list[Certificate]:
@@ -217,7 +217,8 @@ class MTLSStageView(ChallengeStageView):
             return None
         return str(_cert_attr[0])
 
-    def get_cert(self, mode: StageMode):
+    def dispatch(self, request, *args, **kwargs):
+        stage: MutualTLSStage = self.executor.current_stage
         certs = [
             *self._parse_cert_xfcc(),
             *self._parse_cert_nginx(),
@@ -227,26 +228,21 @@ class MTLSStageView(ChallengeStageView):
         authorities = self.get_authorities()
         if not authorities:
             self.logger.warning("No Certificate authority found")
-            if mode == StageMode.OPTIONAL:
-                return None
-            if mode == StageMode.REQUIRED:
-                raise PermissionDenied("Unknown error")
+            if stage.mode == StageMode.OPTIONAL:
+                return self.executor.stage_ok()
+            if stage.mode == StageMode.REQUIRED:
+                return super().dispatch(request, *args, **kwargs)
         cert = self.validate_cert(authorities, certs)
-        if not cert and mode == StageMode.REQUIRED:
+        if not cert and stage.mode == StageMode.REQUIRED:
             self.logger.warning("Client certificate required but no certificates given")
-            raise PermissionDenied(str(_("Certificate required but no certificate was given.")))
-        if not cert and mode == StageMode.OPTIONAL:
+            return super().dispatch(
+                request,
+                *args,
+                error_message=_("Certificate required but no certificate was given."),
+                **kwargs,
+            )
+        if not cert and stage.mode == StageMode.OPTIONAL:
             self.logger.info("No certificate given, continuing")
-            return None
-        return cert
-
-    def dispatch(self, request, *args, **kwargs):
-        stage: MutualTLSStage = self.executor.current_stage
-        try:
-            cert = self.get_cert(stage.mode)
-        except PermissionDenied as exc:
-            return self.executor.stage_invalid(error_message=exc.detail)
-        if not cert:
             return self.executor.stage_ok()
         self.logger.debug("Received certificate", cert=fingerprint_sha256(cert))
         existing_user = self.check_if_user(cert)
@@ -255,5 +251,15 @@ class MTLSStageView(ChallengeStageView):
         elif existing_user:
             self.auth_user(existing_user, cert)
         else:
-            return self.executor.stage_invalid(_("No user found for certificate."))
+            return super().dispatch(
+                request, *args, error_message=_("No user found for certificate."), **kwargs
+            )
         return self.executor.stage_ok()
+
+    def get_challenge(self, *args, error_message: str | None = None, **kwargs):
+        return AccessDeniedChallenge(
+            data={
+                "component": "ak-stage-access-denied",
+                "error_message": str(error_message or "Unknown error"),
+            }
+        )